Secure Boot
Secure boot is functionality built into UEFI’s specification. Physical Presence must be asserted if you are going to enable UEFI Secure Boot. When Secure Boot is enabled and properly configured, it protects computers against attacks and infections from malware that installs rootkits and boot kits.
Secure Boot detects when software like the boot loader and key operating system files and other things like option ROMs have been tampered with. It does this by validating each component’s digital signature. Any component whose digital signature verification fails is not loaded during the boot process. Depending upon the OS and drivers you are using on the server it may not always be possible to enable secure boot.
Start the System Setup Utility. See Get started.
On the Security menu, select . Ensure that Secure Boot is set to Enable.
Use this submenu to set the Secure Boot parameter.
Submenu item | Option | Description |
---|---|---|
System Mode | Setup | Show the system mode. |
Vendor Keys | Modified | Show the vendor keys. |
Physical Presence | Not Asserted | N/A |
Secure Boot | Disable | Enable | Secure Boot feature is Active if Secure Boot is Enable, Platform Key(PK) is enrolled and the System is in User mode. The mode change requires platform reset. The default option is Disable. |
Secure Boot Customization | Custom | Standard | Secure Boot options: Standard or Custom. In Custom mode, Secure Boot Policy variables can be configured by a physically present user without full authentication. The default option is Custom. |
Restore Factory Keys | Yes | No | Force System to User Mode. Install factory default Secure Boot key databases. The default option is Yes. |
Restore To Setup Mode | Yes | No | Delete all Secure Boot key databases from NVRAM. The default option is Yes. |
Key Management | N/A | Enables expert users to modify Secure Boot Policy variables without full authentication. See the submenu. |