Users Guide
The Secure Boot policy uses db and dbx to authorize pre-boot image file execution. For an image file to be executed, it must be
associated with a key or hash value in db, and must not be associated with a key or hash value in dbx. Any attempt to update the
contents of db or dbx must be signed by the private key of the PK or of a KEK. Any attempt to update the contents of PK or KEK must be
signed by the private key of the PK.
Table 14. Acceptable file formats

Policy Component | Acceptable File Formats | Acceptable File Extensions | Max records allowed
PK | X.509 Certificate (binary DER format only) | .cer, .der, .crt | One
KEK | X.509 Certificate (binary DER format only); Public Key Store | .cer, .der, .crt, .pbk | More than one
DB and DBX | X.509 Certificate (binary DER format only); EFI image (system BIOS will calculate and import image digest) | .cer, .der, .crt, .efi | More than one
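A frequent cause of a rejected import is handing the BIOS a PEM-armored certificate when Table 14 requires binary DER, or pointing a DB/DBX import at a file that is not actually a PE image. The following script is an added example, not Dell tooling or part of this guide: it pre-checks a file against the table's rules (extension per component, the single-record limit on PK, DER versus PEM, and a minimal PE header check for .efi files) before you attempt the import in System BIOS Settings. The .pbk Public Key Store layout is not described in the guide, so that format is assumed opaque and passed through unvalidated; the sample inputs at the bottom are constructed, not real certificates or binaries.

```python
import base64
import binascii
import re
import struct

# Extensions accepted per policy component (Table 14 of the guide).
ACCEPTED_EXTENSIONS = {
    "PK": {".cer", ".der", ".crt"},
    "KEK": {".cer", ".der", ".crt", ".pbk"},
    "DB": {".cer", ".der", ".crt", ".efi"},
    "DBX": {".cer", ".der", ".crt", ".efi"},
}
# Maximum records per component; None means "more than one" (no limit stated).
MAX_RECORDS = {"PK": 1, "KEK": None, "DB": None, "DBX": None}

PEM_RE = re.compile(rb"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)


def der_outer_length(data):
    """Total encoded size of the outer ASN.1 SEQUENCE, or None if the bytes
    do not begin with a well-formed DER SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der_certificate(data):
    """A binary DER certificate is exactly one SEQUENCE with no trailing bytes."""
    return der_outer_length(data) == len(data)


def pem_to_der(data):
    """Decode a PEM-armored blob to DER; None if it is not PEM or is corrupt."""
    m = PEM_RE.search(data)
    if m is None:
        return None
    try:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return None


def is_pe_image(data):
    """Minimal PE/COFF check: MZ stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check_import(component, filename, data, current_count=0):
    """Decide whether `data` can be imported into `component`.
    Returns {"accepted": bool, "reason": str, "der": bytes or None}; for a
    PEM certificate, `der` carries the converted payload to import instead."""
    result = {"accepted": False, "reason": "", "der": None}
    if component not in ACCEPTED_EXTENSIONS:
        result["reason"] = "unknown policy component"
        return result
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ACCEPTED_EXTENSIONS[component]:
        result["reason"] = f"{ext or 'no extension'} not accepted for {component}"
        return result
    limit = MAX_RECORDS[component]
    if limit is not None and current_count >= limit:
        result["reason"] = f"{component} already holds its maximum of {limit} record(s)"
        return result
    if ext == ".efi":
        if not is_pe_image(data):
            result["reason"] = "not a PE image; the BIOS cannot compute an image digest"
            return result
        result.update(accepted=True, reason="EFI image; BIOS will hash and import the digest")
        return result
    if ext == ".pbk":
        # Public Key Store layout is not described in the guide; assumed opaque here.
        result.update(accepted=True, reason="public key store passed through unvalidated")
        return result
    if is_der_certificate(data):
        result.update(accepted=True, reason="binary DER certificate", der=data)
        return result
    der = pem_to_der(data)
    if der is not None and is_der_certificate(der):
        result.update(reason="PEM-armored certificate; import the converted DER instead", der=der)
        return result
    result["reason"] = "neither binary DER nor PEM-armored certificate"
    return result


# Constructed sample inputs (not real certificates or binaries).
SAMPLE_DER = b"\x30\x03\x02\x01\x05"        # SEQUENCE { INTEGER 5 }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")
_pe = bytearray(0x80)
_pe[0:2] = b"MZ"
struct.pack_into("<I", _pe, 0x3C, 0x40)     # e_lfanew -> offset 0x40
_pe[0x40:0x44] = b"PE\0\0"
SAMPLE_PE = bytes(_pe)

if __name__ == "__main__":
    for comp, name, blob in [("PK", "pk.cer", SAMPLE_DER), ("KEK", "kek.crt", SAMPLE_PEM),
                             ("DB", "driver.efi", SAMPLE_PE), ("DBX", "bad.efi", b"not a PE")]:
        print(comp, name, "->", check_import(comp, name, blob)["reason"])
```

The DER check only validates the outer SEQUENCE framing, which is enough to tell DER from PEM or from a truncated file; it does not parse the certificate. The .efi check likewise confirms only that the file is a PE image the BIOS can hash, since the guide states that the BIOS itself calculates and imports the image digest.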
The Secure Boot Settings feature can be accessed by clicking System Security under System BIOS Settings. To go to System BIOS
Settings, press F2 when the company logo is displayed during POST.
• By default, Secure Boot is Disabled and the Secure Boot policy is set to Standard. To configure the Secure Boot Policy, you must
enable Secure Boot.
• When the Secure Boot mode is set to Standard, it indicates that the system has default certificates and image digests or hash loaded
from the factory. This caters to the security of standard firmware, drivers, option-roms, and boot loaders.
• To support a new driver or firmware on a server, the respective certificate must be enrolled into the DB of Secure Boot certificate
store. Therefore, Secure Boot Policy must be configured to Custom.
When the Secure Boot Policy is configured as Custom, it inherits the standard certificates and image digests loaded in the system by
default, which you can modify. Secure Boot Policy configured as Custom allows you to perform operations such as View, Export, Import,
Delete, Delete All, Reset, and Reset All. Using these operations, you can configure the Secure Boot Policies.
Configuring the Secure Boot Policy to Custom enables the options to manage the certificate store by using actions such as Export,
Import, Delete, Delete All, Reset, and Reset All on PK, KEK, DB, and DBX. Select the policy (PK / KEK / DB / DBX) you want to change
and perform the appropriate action by clicking the respective link. Each section has links to perform the Import, Export, Delete, and
Reset operations. Links are enabled only where applicable, which depends on the configuration at that point in time. Delete All and
Reset All are the operations that affect all the policies: Delete All deletes all the certificates and image digests in the Custom policy,
and Reset All restores all the certificates and image digests from the Standard or Default certificate store.
BIOS recovery
The BIOS recovery feature allows you to manually recover the BIOS from a stored image. The BIOS is checked when the system is
powered-on and if a corrupt or compromised BIOS is detected, an error message is displayed. You can then initiate the process of BIOS
recovery using RACADM. To perform a manual BIOS recovery, see the iDRAC RACADM Command Line Interface Reference Guide
available at www.dell.com/idracmanuals.
78
Setting up managed system