Install efitools and list the current Secure Boot trust stores (PK, KEK, db, dbx):

```bash
apt-get install -y efitools
efi-readvar
```

To take ownership of the system, follow the next steps.

Create our own Platform Key (PK), Key Exchange Key (KEK), and code signing CAs:

```bash
mkdir my
cd my
for t in pk kek sign; do
  openssl req \
    -newkey rsa:2048 -nodes \
    -keyout my-$t-key.pem \
    -new -x509 -sha256 -days 3650 \
    -subj "/CN=My Secure Boot $t CA $(date --utc +%Y-%m-%d)" \
    -out my-$t-crt.pem
  openssl x509 -inform pem -in my-$t-crt.pem -outform der -out my-$t-crt.der
  #openssl x509 -noout -text -in my-$t-crt.pem
done
```

Create the secure boot databases (first the EFI signature lists, then the signed `.auth` update files):

```bash
owner=$(uuidgen --namespace @dns --name ruilopes.com --sha1) # this maps to b106ba30-44aa-5858-86f5-e6985f9aa99f.
#owner=00000000-0000-0000-0000-000000000000
# PK: can change the existing PK and update the KEK.
# KEK: can update the db and dbx databases.
# db: the certificates (and hashes) allowed to sign binaries; this is where the sign CA goes.
for t in pk kek sign; do
  cert-to-efi-sig-list -g $owner my-$t-crt.pem my-$t.esl
done
#sign-efi-sig-list -g $owner -t "$(date --utc +%Y-%m-%d)" -k my-pk-key.pem -c my-pk-crt.pem PK my-pk.esl my-pk.auth
# PK update, signed by the PK.
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem PK my-pk.esl my-pk.auth
# empty PK update, signed by the PK; loading it clears the PK and returns the firmware to setup mode.
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem PK /dev/null rm_my-pk.auth
# KEK update, signed by the PK.
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem KEK my-kek.esl my-kek.auth
# db update, signed by the KEK.
sign-efi-sig-list -g $owner -k my-kek-key.pem -c my-kek-crt.pem db my-sign.esl my-sign.auth
```

Load the databases (the firmware must be in setup mode; writing the PK is what switches it to user mode, so it goes last):

```bash
efi-updatevar -f my-pk.auth PK # XXX fails with Failed to update PK: Invalid argument
efi-updatevar -f my-pk.auth KEK
efi-updatevar -f my-pk.auth db
efi-updatevar -f my-kek.auth KEK
efi-updatevar -f my-sign.auth db
efi-updatevar -f my-pk.auth PK # XXX fails with Failed to update PK: Invalid argument
```
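The `.esl` files built above by `cert-to-efi-sig-list -g $owner` are `EFI_SIGNATURE_LIST` structures, and a variable dumped with `efi-readvar` is just a concatenation of them. The following parser, an added example that is not part of the original notes, builds and walks that format with the Python standard library only, so you can verify that the CA you enrolled (matched by the owner GUID) actually landed in `db` and see what else is there. The owner GUID is computed with `uuid.uuid5`, which is the same RFC 4122 SHA-1/DNS-namespace computation as the `uuidgen --namespace @dns --name ... --sha1` call in the notes. The certificate payload and the second owner name are constructed placeholders, not real certificates or known vendor GUIDs.

```python
"""Build and parse EFI_SIGNATURE_LIST (.esl) blobs, the format cert-to-efi-sig-list
writes and efi-readvar dumps. Added example, stdlib only."""
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32s).
ESL_HEADER = struct.Struct("<16sIII")


def owner_guid(name: str) -> uuid.UUID:
    """Name-based SHA-1 UUID in the DNS namespace: what `uuidgen --namespace @dns
    --name NAME --sha1` computes for the -g SignatureOwner argument."""
    return uuid.uuid5(uuid.NAMESPACE_DNS, name)


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, datas: list[bytes]) -> bytes:
    """One list with equal-sized entries, each entry = SignatureOwner GUID + SignatureData."""
    if len({len(d) for d in datas}) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + len(datas[0])
    list_size = ESL_HEADER.size + sig_size * len(datas)
    header = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + d for d in datas)


def parse_esl(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk concatenated signature lists and return (type, owner, data) per entry.
    Declared sizes are checked against the buffer so a truncated or inconsistent
    variable raises instead of yielding garbage."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + ESL_HEADER.size + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def summarize(entries, owner: uuid.UUID) -> dict:
    """Count entries per signature type and how many carry our owner GUID."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    counts = {"x509": 0, "sha256": 0, "other": 0, "ours": 0}
    for sig_type, sig_owner, _data in entries:
        counts[names.get(sig_type, "other")] += 1
        if sig_owner == owner:
            counts["ours"] += 1
    return counts


# Constructed sample data (not a real certificate, not a real vendor GUID).
OWNER = owner_guid("ruilopes.com")
OTHER = owner_guid("other.example")
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))


def sample_db() -> bytes:
    """A db-like variable: our X.509 CA, a foreign X.509 CA, and one SHA-256 hash entry."""
    ours = build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
    theirs = build_esl(EFI_CERT_X509_GUID, OTHER, [FAKE_CERT[::-1]])
    hashes = build_esl(EFI_CERT_SHA256_GUID, OTHER, [bytes(32)])
    return ours + theirs + hashes


if __name__ == "__main__":
    import sys
    # Pass a .esl file or an efi-readvar dump as argv[1]; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_db()
    parsed = parse_esl(blob)
    for sig_type, sig_owner, data in parsed:
        print(f"type={sig_type} owner={sig_owner} {len(data)} bytes")
    print(summarize(parsed, OWNER))
```

Run it against `my-sign.esl` to confirm the list carries your owner GUID and a single X.509 entry before you sign it into `db`; after loading, run it against the `db` dump from `efi-readvar` and expect `ours` to be at least 1.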