Skip to main content

Secure Boot Custom Policy

ItemDescription
Enroll Efi Image

Enroll the SHA256 hash of the selected EFI image binary into the Authorized Signature Database (DB).

To Enroll:

  1. Select the file system that you are going to enroll.

  2. If this change is confirmed, select Yes. Select No to cancel it.

  3. You can check if the change is successful or not from the pop-up message box.

Note
A message box will pop up when booting from an unsigned shell.efi or OS when secure boot is enabled:
Secure Boot Violation
An unauthorized EFI image is detected. To use this image, please enroll this EFI image or disable secure boot at
"Secure Boot Configuration" in Setup Utility.
Ok

When selecting each Secure Boot variable, you will be able to add/delete it or view the details of it.

Secure Boot variableSizeKeys#Key SourceDescription
PK

Number of bytes

Number of certificates (integer)

  • Factory Default (Default)

  • No Key

  • Customized

Enroll a PK (from a Public Key Certificate file format) or delete the existing PK.

Note

There will be only one PK in the system. If a PK already exists, it will not be available for you to add another unless the exiting one is removed.

KEK

Number of bytes

Number of certificates (integer)

  • Factory Default (Default)

  • No Key

  • Customized

Enroll a KEK entry (from a Public Key Certificate file format), or delete an existing entry from the KEK.

DB

Number of bytes

Number of certificates (integer)

  • Factory Default (Default)

  • No Key

  • Customized

Enroll a DB entry (from a Public Key Certificate file format or an EFI image file), or delete an existing entry from the DB.

DBX

Number of bytes

Number of certificates (integer)

  • Factory Default (Default)

  • No Key

  • Customized

Enroll a DBX entry (from a Public Key Certificate file format or an EFI image file), or delete an existing entry from the DBX.

Add or Delete Secure Boot Variables

The following steps provide the information about the steps of adding/deleting the key items.

Table 1. PK
Add a PKDelete a PK

  1. Select Add. Available file systems will be then displayed for you to select.

  2. Message boxWhat it means
    Input File Format
    Public Key Certificate
    Authenticated Variable
    		Select the file format.

  3. If this change is confirmed, select Yes. Select No to cancel it.

  4. You can check if the change is successful or not from the pop-up message box.

  1. Select Delete. A warning message will be then displayed

    Delete PK
    WARNING: Removing PK will change “Secure Boot
    Mode” to [Setup Mode].
    Ok

  2. If the deletion is confirmed, select Yes. Select No to cancel it.

  3. You can check if the change is successful or not from the pop-up message box.

Table 2. KEK
Add a KEKDelete a KEK

  1. Select Add. Available file systems will be then displayed for you to select.

  2. Message boxWhat it means
    Input File Format
    Public Key Certificate
    Authenticated Variable
    		Select the file format.

  3. If this change is confirmed, select Yes. Select No to cancel it.

  4. You can check if the change is successful or not from the pop-up message box.

  1. Select Delete.

  2. If the deletion is confirmed, select Yes. Select No to cancel it.

  3. You can check if the change is successful or not from the pop-up message box.

Table 3. DB
Add a DBDelete a DB

  1. Select Add. Available file systems will be then displayed for you to select.

  2. Message boxWhat it means
    Input File Format
    Public Key Certificate
    Authenticated Variable
    EFI PE/COFF image
    		Select the file format.

  3. If this change is confirmed, select Yes. Select No to cancel it.

  4. You can check if the change is successful or not from the pop-up message box.

  1. Select Delete.

  2. If the deletion is confirmed, select Yes. Select No to cancel it.

  3. You can check if the change is successful or not from the pop-up message box.

Table 4. DBX
Add a DBXDelete a DBX

  1. Select Add. Available file systems will be then displayed for you to select.

  2. Message boxWhat it means
    Input File Format
    Public Key Certificate
    Authenticated Variable
    EFI PE/COFF image
    		Select the file format.

  3. If this change is confirmed, select Yes. Select No to cancel it.

  4. You can check if the change is successful or not from the pop-up message box.

  1. Select Delete.

  2. If the deletion is confirmed, select Yes. Select No to cancel it.

  3. You can check if the change is successful or not from the pop-up message box.

Details of the Key

When selecting Details while viewing a key item, the detail of it will be then displayed:

PK / KEK / DB / DBX
ListSig.TypeCountSizeOwner GUIDCertificate Legend
The key information of each section above will be listed here.