
Secure Boot Custom Policy

Table 1. Secure Boot Custom Policy

Item | Options | Description
Enroll Efi Image
Enroll the SHA256 hash of the selected EFI image binary into the Authorized Signature Database (DB). A hash entry authorizes exactly that binary: a rebuilt or patched image has a different hash and must be enrolled again.
Note
  Select a File system > Select File > Enroll Efi Image > Confirm update of ‘%s1’ with content from the file ‘%s2’
  • Yes

  • No

  • %s1 is the name of the variable being updated (DB for this item)
  • %s2 is the file name selected
  Success > Ok
Secure Boot variable

Column lists the variable: PK, KEK, DB, or DBX

Size

Column shows the size of the variable contents in bytes

Keys

Column shows the number of certificates stored in the variable (integer)

Key Source
  • Factory (Default)

  • No Keys

  • Mixed

  • Customized

PK
Enroll a PK (from a Public Key Certificate file) or delete the existing PK.
Note
  • The system can only have one PK. While a PK is present the firmware is in User Mode and enforces Secure Boot signature checks; with no PK it is in Setup Mode and does not enforce them.

    • PK

    • Add

    • Details

    • Delete

  • Add: Select a File system > File systems are listed > Select File > Input File Format > Public Key Certificate > Add > Confirm update of ‘%s1’ with content from the file ‘%s2’
    • Yes

    • No

    • %s1 is the name of the variable being updated (PK here)
    • %s2 is the file name selected
    Add > Success > Ok

    Add > Failed > Ok

  • Delete: Delete Security Key/Database > WARNING: Removing PK will change “Secure Boot Mode” to [Setup Mode] > Ok

  • Delete Security Key/Database > Confirm deletion of ‘PK’ variable from NVRAM
    • Yes

      Delete Security Key/Database > Success > Ok

    • No
KEK
Enroll a KEK entry (from a Public Key Certificate file or an Authenticated Variable file), or delete an existing entry from the KEK.
Note
  • KEK > Details > Add > Delete one Key/Certificate > Delete this variable

  • Add: Select a File system > File systems are listed > Select File > Input File Format > Public Key Certificate or Authenticated Variable > Confirm update of ‘%s1’ with content from the file ‘%s2’
    • Yes

    • No

    • %s1 is the name of the variable being updated (KEK here)
    • %s2 is the file name selected
    • A Public Key Certificate is an X.509 certificate in DER encoding, which is the form the KEK entry stores. An Authenticated Variable is a signature list already wrapped in an EFI_VARIABLE_AUTHENTICATION_2 header and signed with the PK by a tool outside the setup utility.
    Add > Success > Ok

    Add > Failed > Ok

  • Delete Security Key/Database > Success > Ok

  • Delete this variable: Delete Security Key/Database. Press ‘Yes’ to delete the ‘KEK’ variable.
    Warning
    This will delete all Certificates in ‘KEK’!
  • Delete Security Key/Database > Confirm deletion of ‘KEK’ variable from NVRAM
    • Yes

      Delete Security Key/Database > Success > Ok

    • No
DB
Enroll a DB entry (from a Public Key Certificate file, an Authenticated Variable file, or an EFI image file), or delete an existing entry from the DB.
Note
  • DB > Details > Add > Delete one Key/Certificate > Delete this variable

  • Add: Select a File system > File systems are listed > Select File > Input File Format > Public Key Certificate, Authenticated Variable, or EFI PE/COFF image > Confirm update of ‘%s1’ with content from the file ‘%s2’
    • Yes

    • No

    • %s1 is the name of the variable being updated (DB here)
    • %s2 is the file name selected
    • A Public Key Certificate entry (DER-encoded X.509) authorizes every image signed by that certificate; an EFI PE/COFF image entry stores only that image's SHA256 hash, exactly as Enroll Efi Image does. An Authenticated Variable file is a pre-signed update (signed with a key held in the KEK, or with the PK) produced outside the setup utility.
    Add > Success > Ok

    Add > Failed > Ok

  • Delete Security Key/Database > Confirm certificate removal from “DB” database
    • Yes

      Delete Security Key/Database > Success > Ok

    • No
DBX  
Message box information for Secure Boot

Message Box | Comment

Secure Boot Violation

An unauthorized EFI image is detected. To use this image, enroll this EFI image or disable secure boot at "Secure Boot Configuration" in Setup Utility.

Ok

This message box pops up when booting from an unsigned shell.efi or OS loader while Secure Boot is enabled. It also appears for a signed image whose certificate is not in DB, or whose hash or certificate is listed in DBX. Enrolling the image (Enroll Efi Image) keeps Secure Boot enforced and trusts only that one binary; disabling Secure Boot removes the check for every image.
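The Enroll Efi Image and DB items above store an image's SHA256 hash in DB, and the Secure Boot Violation box is what the firmware shows when the image being loaded matches nothing in DB. The hash the firmware computes and compares is the Authenticode digest of the PE/COFF file (the CheckSum field, the certificate-table data directory entry and the attribute certificate table are excluded), so `sha256sum image.efi` does not give the value that ends up in DB. The following Python is an added example and not code from this setup utility or its vendor: it computes that digest with the standard library, wraps it in the EFI_SIGNATURE_LIST layout DB uses, and checks an image against a DB blob. The PE image it hashes is constructed inside the script (a minimal PE32+ with two sections and an optional fake certificate table), and OWNER_GUID is an arbitrary placeholder.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner names whoever enrolled an entry; this value is an arbitrary placeholder.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SECURITY_DIR = 4  # data-directory slot of the attribute certificate table


def authenticode_sha256(image: bytes) -> bytes:
    """Authenticode SHA-256 of a PE/COFF image, the value 'Enroll Efi Image' stores in DB.
    CheckSum, the certificate-table directory entry and the certificate table are skipped."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = pe_off + 4, pe_off + 24
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    sec_table = opt + struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directories
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    checksum_off, cert_dir_off = opt + 64, dirs + 8 * SECURITY_DIR
    cert_size = struct.unpack_from("<II", image, cert_dir_off)[1]
    h = hashlib.sha256()
    h.update(image[:checksum_off])                        # headers up to CheckSum
    h.update(image[checksum_off + 4:cert_dir_off])        # ... up to the certificate directory entry
    h.update(image[cert_dir_off + 8:size_of_headers])     # ... to the end of the headers
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", image, sec_table + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):            # ascending file offset, not header order
        h.update(image[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(image) > hashed:                               # trailing data, minus the certificate table
        h.update(image[hashed:len(image) - cert_size])
    return h.digest()

def file_sha256(image: bytes) -> bytes:
    """Plain digest of the file bytes, shown only for contrast; it never equals the DB entry."""
    return hashlib.sha256(image).digest()

def efi_signature_list(sig_type: uuid.UUID, entries: list, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """Serialise same-sized entries into one EFI_SIGNATURE_LIST (28-byte header, no SignatureHeader)."""
    if len({len(e) for e in entries}) != 1:
        raise ValueError("need one or more entries, all of the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body

def parse_signature_lists(blob: bytes) -> list:
    """Walk a DB/DBX/KEK value, a concatenation of EFI_SIGNATURE_LISTs, into [(type, owner, data)]."""
    out, off = [], 0
    while off < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos = off + 28 + hdr_size
        while pos < off + list_size:
            out.append((sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return out

def db_entry_for_image(image: bytes) -> bytes:
    """The EFI_SIGNATURE_LIST that 'Enroll Efi Image' appends to DB for this image."""
    return efi_signature_list(EFI_CERT_SHA256_GUID, [authenticode_sha256(image)])

def hash_allowed(image: bytes, db: bytes) -> bool:
    """True if DB holds an EFI_CERT_SHA256 entry for this image (the unsigned-image path only;
    a signed image would instead be checked against EFI_CERT_X509 entries, not modelled here)."""
    digest = authenticode_sha256(image)
    return any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in parse_signature_lists(db))

def build_sample_pe(payload: bytes = b"\xcc" * 512, checksum: int = 0, cert_table: bytes = b"") -> bytes:
    """Constructed minimal PE32+ EFI application (two 512-byte sections, no real code). cert_table,
    if given, is appended and referenced from data directory 4 like a signed image's PKCS#7 blob."""
    sections, size_of_headers = [(b".text", payload), (b".data", b"\0" * 512)], 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    sec_hdrs, body_off = b"", size_of_headers
    for name, data in sections:
        sec_hdrs += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), body_off, len(data), body_off, 0, 0, 0, 0, 0x60000020)
        body_off += len(data)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR] = (body_off if cert_table else 0, len(cert_table))
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 512, 512, 0, 512, 512, 0x10000,
                      512, 512, 0, 0, 0, 0, 0, 0, 0, body_off, size_of_headers, checksum, 10, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(size_of_headers, b"\0")
    return headers + b"".join(d for _, d in sections) + cert_table
```

Because the digest skips the certificate table and the CheckSum field, `authenticode_sha256` returns the same value for a build before and after it is Authenticode-signed, which is why a hash enrolled from an unsigned image still matches once that image is signed, as long as nothing else in it changes. `hash_allowed` covers only the hash path of the Secure Boot Violation check; a signed image is authorized through an EFI_CERT_X509 entry via its PKCS#7 signature, which this example does not verify.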