Security
This menu allows you to configure system security settings.
Secure Boot Configuration
Item | Options | Description |
Secure Boot Status | | Display the current secure boot status. Disabled is the default setting. |
Secure Boot Mode | | The system will do secure boot authentication when this item is set to [User Mode] and secure boot is enabled. User Mode is the default setting. |
Secure Boot Setting | | When enabled, the Secure Boot feature is Active, Platform Key (PK) is enrolled, and the system is in user mode. The mode change requires a platform reset. Disabled is the default setting. Note: When you attempt to enable secure boot while CSM is enabled, there is a prompt: WARNING: Legacy BIOS will be disabled when secure boot is enabled. |
Secure Boot Policy | | Secure Boot policy options: [Factory Policy]: Factory default keys will be used after reboot. [Custom Policy]: Customized keys will be used after reboot. [Delete All Keys]: PK, KEK, DB, and DBX will be deleted after reboot. [Delete PK]: PK will be deleted after reboot. [Reset All Keys to Default]: All keys will be set to factory defaults and "Secure Boot Policy" will be [Factory Policy] after reboot. Note |
View Secure Boot Keys | N/A | View the details of PK (Platform Key), KEK (Key Exchange Key), DB (Authorized Signature Database) and DBX (Forbidden Signature Database). |
Secure Boot Custom Policy | N/A | Customize PK, KEK, DB, and DBX. This page is available when "Secure Boot Policy" is [Custom Policy]. |
View Secure Boot Keys
Item | Options | Description |
PK | N/A | View Certificate in PK (Platform Key). Note: The system can only have one PK. |
KEK | N/A | View all Certificates in KEK (Key Exchange Key). |
DB | N/A | View all Certificates in DB (Authorized Signature Database). |
DBX | N/A | View all Certificates in DBX (Forbidden Signature Database). |
Secure Boot Custom Policy
Item | Options | Description |
Enroll Efi Image | N/A | Enroll the SHA256 hash of the selected EFI image binary into the Authorized Signature Database (DB). |
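The View Secure Boot Keys and Enroll Efi Image items above operate on the four UEFI signature databases (PK, KEK, DB, DBX), which the firmware stores as a sequence of EFI_SIGNATURE_LIST structures. The following Python script is an added example, not code from this BIOS manual or its vendor: it decodes that structure using the UEFI specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID type identifiers, reads a database from Linux efivarfs, and checks a hash against DB and DBX the way the firmware does, with a DBX (forbidden) match taking precedence over a DB (authorized) one. The owner GUID, image contents and sample lists are constructed placeholders. One caveat: for a real PE/COFF .efi file the firmware computes the Authenticode hash (header checksum and certificate table excluded), not a plain hash of the file bytes, so the raw-bytes hashing below is only exact for the constructed sample data; comparing a sha256sum of an actual binary against DB will not match what Enroll Efi Image stores.

```python
"""List UEFI Secure Boot key databases and check a hash against db/dbx.

Added example; not code from the BIOS manual or its vendor.  PK, KEK, DB and
DBX are each stored as a sequence of EFI_SIGNATURE_LIST structures (UEFI
specification, "Signature Database"); this module decodes that layout.
"""
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGNATURE_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# EFI_SIGNATURE_LIST header: SignatureType GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32.
_LIST_HEADER = struct.Struct("<16sIII")
_OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(blob):
    """Return [(type_name, owner_guid, data), ...] for every entry in the blob."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < _LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HEADER.unpack_from(blob, offset)
        start, end = offset + _LIST_HEADER.size + hdr_size, offset + list_size
        # Reject sizes that would walk outside the blob or split an entry.
        if end > len(blob) or start > end or sig_size <= _OWNER_GUID_LEN:
            raise ValueError("invalid EFI_SIGNATURE_LIST sizes")
        if (end - start) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=type_raw)
        type_name = SIGNATURE_TYPE_NAMES.get(sig_type, str(sig_type))
        for pos in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_GUID_LEN])
            entries.append((type_name, owner, blob[pos + _OWNER_GUID_LEN:pos + sig_size]))
        offset = end
    return entries


def build_signature_list(sig_type, owner, items):
    """Encode equal-sized items as one EFI_SIGNATURE_LIST (used here to build sample data)."""
    if any(len(item) != len(items[0]) for item in items):
        raise ValueError("all entries in one list must have the same size")
    sig_size = _OWNER_GUID_LEN + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    return _LIST_HEADER.pack(sig_type.bytes_le, _LIST_HEADER.size + len(body), 0, sig_size) + body


def load_efivar(path):
    """Read a variable from Linux efivarfs; the first 4 bytes are the attribute flags."""
    # Typical path (the image security database GUID is fixed by the UEFI spec):
    # /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    with open(path, "rb") as f:
        return f.read()[4:]


def hash_is_listed(entries, digest):
    """True if a sha256 entry with exactly this digest is present."""
    return any(kind == "sha256" and data == digest for kind, _, data in entries)


def check_image(image_bytes, db_blob, dbx_blob):
    """Classify image bytes by SHA-256: a dbx (forbidden) hit overrides db (authorized).

    CAVEAT: firmware hashes a real PE/COFF .efi with the Authenticode method, not
    a plain hash of the file, so this raw-bytes check is exact only for the
    constructed sample data below.
    """
    digest = hashlib.sha256(image_bytes).digest()
    if hash_is_listed(parse_signature_lists(dbx_blob), digest):
        return "forbidden"
    if hash_is_listed(parse_signature_lists(db_blob), digest):
        return "authorized"
    return "unknown"


# Constructed sample data (placeholder owner GUID and made-up image contents).
SAMPLE_OWNER = uuid.UUID("00000000-0000-4000-8000-00000000c0de")
ALLOWED_IMAGE = b"constructed bytes standing in for an authorized EFI image"
REVOKED_IMAGE = b"constructed bytes standing in for a revoked EFI image"
SAMPLE_DB = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                                 [hashlib.sha256(ALLOWED_IMAGE).digest()])
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                                  [hashlib.sha256(REVOKED_IMAGE).digest()])

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE_DB + SAMPLE_DBX):
        print(f"{kind:8} owner={owner} data={data.hex()}")
    for image in (ALLOWED_IMAGE, REVOKED_IMAGE, b"constructed unknown image"):
        print(check_image(image, SAMPLE_DB, SAMPLE_DBX))
```

To inspect a live system, pass the output of `load_efivar` on the db or dbx variable file to `parse_signature_lists`; x509 entries carry a DER certificate as their data, sha256 entries a 32-byte digest, and the owner GUID shows which key holder (platform vendor, OS vendor, or a custom enrolment made through Secure Boot Custom Policy) added each entry. The size checks in the parser matter because a malformed or truncated variable would otherwise be silently misread.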
Trusted Platform Module (TPM 2.0)
Item | Options | Description |
TPM 2.0 | N/A | Configure the TPM 2.0 Setup options. |
Update to TPM 2.0 firmware version 7.2.2.0 | N/A | Note: The latest TPM toggling configuration only supports a TPM 2.0 firmware update from version 7.2.1.0 to version 7.2.2.0; therefore, this setting is not available for other TPM versions. When you attempt to downgrade to TPM 1.2 or an earlier version of TPM 2.0, the following message is displayed: Note: This action is irreversible, you won't be able to change to TPM 1.2 or an earlier firmware version of TPM 2.0. The updated firmware will be effective after system reboot. |
Item | Options | Description |
TPM Status | N/A | |
TPM Vendor | N/A | Display the TPM Vendor. |
TPM Firmware Version | N/A | Display the current firmware version of the TPM device. |
TPM Settings | N/A | |
TPM2 Operation | | Select [Clear] to clear TPM data. This will erase the contents of the TPM. System reboot is required. |
SHA-1 PCR Bank | For Ice Lake processor: | Enable/Disable SHA-1 PCR Bank. |
Update TPM Firmware from TPM 2.0 to TPM 1.2
Item | Options | Description |
TPM 1.2 | N/A | Configure the TPM 1.2 Setup options. |
TPM Version | N/A | |
Update to TPM2.0 compliant | | Note: In the latest TPM toggling configuration, only a TPM 2.0 firmware update from version 7.2.1.0 to 7.2.2.0 is supported, so this setting is not shown for other TPM versions. |
Item | Options | Description |
TPM Status | N/A | |
TPM Vendor | N/A | Display the TPM Vendor. |
TPM Firmware Version | N/A | Display the current firmware version of the TPM device. |
TPM Device State | Dynamic string depending on the current TPM status. | Display the current state of the TPM device. |
TPM Ownership | Dynamic string depending on the current TPM status. | Display the current status of ownership. |
TPM Device | | Enable/Disable the TPM device. |
TPM State | | Activate/Deactivate the TPM device. |
TPM Operation | | Select [Clear] to clear TPM data. WARNING: This will erase the contents of the TPM. System reboot required. |