Users Guide
Secure Boot Configuration from BIOS Settings or F2
UEFI Secure Boot is a technology that eliminates a major security void that may occur during a handoff between the UEFI
firmware and UEFI operating system (OS). In UEFI Secure Boot, each component in the chain is validated and authorized
against a specific certificate before it is allowed to load or run. Secure Boot removes the threat and provides software identity
checking at every step of the boot—Platform firmware, Option Cards, and OS BootLoader.
The Unified Extensible Firmware Interface (UEFI) Forum—an industry body that develops standards for pre-boot software—
defines Secure Boot in the UEFI specification. Computer system vendors, expansion card vendors, and operating system
providers collaborate on this specification to promote interoperability. As a portion of the UEFI specification, Secure Boot
represents an industry-wide standard for security in the pre-boot environment.
When enabled, UEFI Secure Boot prevents the unsigned UEFI device drivers from being loaded, displays an error message, and
does not allow the device to function. You must disable Secure Boot to load the unsigned device drivers.
On the Dell 14
th
generation and later versions of PowerEdge servers, you can enable or disable the Secure Boot feature by using
different interfaces (RACADM, WSMAN, REDFISH, and LC-UI).
Acceptable file formats
The Secure Boot policy contains only one key in PK, but multiple keys may reside in KEK. Ideally, either the platform
manufacturer or platform owner maintains the private key corresponding to the public PK. Third parties (such as OS providers
and device providers) maintain the private keys corresponding to the public keys in KEK. In this way, platform owners or third
parties may add or remove entries in the db or dbx of a specific system.
The Secure Boot policy uses db and dbx to authorize pre-boot image file execution. For an image file to get executed, it must
associate with a key or hash value in db, and not associate with a key or hash value in dbx. Any attempts to update the contents
of db or dbx must be signed by a private PK or KEK. Any attempts to update the contents of PK or KEK must be signed by a
private PK.
Table 14. Acceptable file formats
Policy Component Acceptable File Formats Acceptable File Extensions Max records allowed
PK X.509 Certificate (binary DER
format only)
1. .cer
2.
.der
3. .crt
One
KEK
X.509 Certificate (binary DER
format only)
Public Key Store
1. .cer
2.
.der
3. .crt
4.
.pbk
More than one
DB and DBX
X.509 Certificate (binary DER
format only)
EFI image (system BIOS will
calculate and import image
digest)
1. .cer
2.
.der
3. .crt
4.
.efi
More than one
The Secure Boot Settings feature can be accessed by clicking System Security under System BIOS Settings. To go to System
BIOS Settings, press F2 when the company logo is displayed during POST.
● By default, Secure Boot is Disabled and the Secure Boot policy is set to Standard. To configure the Secure Boot Policy, you
must enable Secure Boot.
● When the Secure Boot mode is set to Standard, it indicates that the system has default certificates and image digests or
hash loaded from the factory. This caters to the security of standard firmware, drivers, option-roms, and boot loaders.
88
Setting up managed system