CLI Guide
Default Value Not Applicable
Write Privilege Server Control
License Required iDRAC Express or iDRAC Enterprise
Dependency Not applicable
BIOS.SysSecurity.SecureBoot (Read or Write)
Description
Allows enabling of Secure Boot, where the BIOS authenticates each component that is executed during the boot process using the certificates in the Secure Boot Policy. The following components are validated in the boot process:
- UEFI drivers that are loaded from PCIe cards
- UEFI drivers and executables from mass storage devices
- Operating system boot loaders
Note: Secure Boot is not available unless the Boot Mode (in the Boot Settings menu) is set to UEFI.
Note: Secure Boot is not available unless the Load Legacy Video Option ROM setting (in the Miscellaneous Settings menu) is disabled.
Note: You should create a setup password if you enable Secure Boot, so that Secure Boot cannot be turned off from BIOS Setup without it.
When the value of SecureBootMode is DeployedMode AND the value of SecureBoot is Enabled, the BIOS appends a ProgReadOnlyLocal modifier to SecureBoot, SecureBootPolicy, and SecureBootMode. This means that in-band system management tools will not allow users to change these attributes while these conditions are true.
Legal Values
Enabled
Disabled
Default Value Not Applicable
Write Privilege Server Control
License Required iDRAC Express or iDRAC Enterprise
Dependency Not applicable
BIOS.SysSecurity.SecureBootMode (Read or Write)
Description
This field configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx). In Setup Mode and Audit Mode, PK is not present, and the BIOS does not authenticate programmatic updates to the policy objects. In User Mode and Deployed Mode, PK is present, and the BIOS performs signature verification on programmatic attempts to update policy objects. Deployed Mode is the most secure mode. Use Setup, Audit, or User Mode when provisioning the system, then use Deployed Mode for normal operation. Available mode transitions depend on the current mode and on whether PK is present. Refer to Figure 77 in the UEFI 2.6 specification for more information on transitions between the four modes.
In Audit Mode, the BIOS performs signature verification on pre-boot images and logs the results in the Image Execution Information Table, but executes the images whether they pass or fail verification. Audit Mode is therefore useful for programmatically determining a working set of policy objects before enforcement is turned on.
When the value of SecureBootMode is DeployedMode AND the value of SecureBoot is Enabled, the BIOS appends a ProgReadOnlyLocal modifier to SecureBoot, SecureBootPolicy, and SecureBootMode. This means that in-band system management tools will not allow users to change these attributes while these conditions are true. This attribute is always read-write in BIOS Setup and in out-of-band system management tools.
Legal Values
SetupMode
UserMode
AuditMode
DeployedMode
Default Value Not Applicable
Write Privilege Server Control
License Required iDRAC Express or iDRAC Enterprise
Dependency Not applicable
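The following is an added illustration, not Dell firmware or UEFI reference code: a small Python model of the Secure Boot mode machine (Setup, Audit, User, Deployed) and of the ProgReadOnlyLocal lock that the SecureBoot and SecureBootMode descriptions above share. It walks the recommended flow (build the policy in Audit Mode, enroll PK to reach Deployed Mode, enable Secure Boot) and then shows which writes an in-band tool can still make. Signature verification is reduced to set membership on signer identifiers; real firmware checks PKCS#7 signatures over variable updates and Authenticode signatures over PE images. The class, method names, key identifiers and image names are assumptions; only the attribute names and mode names come from the page.

```python
"""Model of the UEFI 2.6 Secure Boot modes (Figure 77) plus the iDRAC
ProgReadOnlyLocal lock on BIOS.SysSecurity.SecureBoot / SecureBootMode.
Added illustration, not Dell or UEFI code; signature checks are simplified."""

SETUP, AUDIT, USER, DEPLOYED = "SetupMode", "AuditMode", "UserMode", "DeployedMode"
LOCKED = ("SecureBoot", "SecureBootPolicy", "SecureBootMode")


class SecureBootError(Exception):
    """A rejected attribute write, policy update or mode transition."""


class Platform:
    def __init__(self):
        self.mode = SETUP
        self.pk = None                 # id of the enrolled PK owner; None = PK absent
        self.kek, self.db, self.dbx = set(), set(), set()
        self.secure_boot = "Disabled"  # BIOS.SysSecurity.SecureBoot
        self.ieit = []                 # Audit Mode log (Image Execution Information Table)

    def _check_lock(self, attr, in_band):
        """ProgReadOnlyLocal: DeployedMode AND SecureBoot=Enabled makes the three
        attributes read-only to in-band tools; BIOS Setup and out-of-band are unaffected."""
        if in_band and attr in LOCKED and self.mode == DEPLOYED and self.secure_boot == "Enabled":
            raise SecureBootError(f"{attr} is ProgReadOnlyLocal; use BIOS Setup or out-of-band tools")

    def set_secure_boot(self, value, in_band):
        self._check_lock("SecureBoot", in_band)
        if value not in ("Enabled", "Disabled"):
            raise SecureBootError("legal values are Enabled and Disabled")
        self.secure_boot = value

    def set_mode(self, target, in_band):
        """Variable-driven transitions only: Setup->Audit, User->Deployed, and the
        platform-specific Deployed->User (modeled as out-of-band only). Transitions
        caused by PK enrollment or deletion happen in write_policy."""
        self._check_lock("SecureBootMode", in_band)
        if target == self.mode:
            return
        if (self.mode, target) in {(SETUP, AUDIT), (USER, DEPLOYED)}:
            self.mode = target
        elif (self.mode, target) == (DEPLOYED, USER) and not in_band:
            self.mode = USER
        else:
            raise SecureBootError(f"no transition {self.mode} -> {target} (PK present: {self.pk is not None})")

    def write_policy(self, obj, signer, add=None, delete_pk=False):
        """Programmatic policy-object update. Setup/Audit Mode: no PK, no authentication.
        User/Deployed Mode: PK/KEK updates must be signed by the PK, db/dbx by a KEK entry."""
        if obj not in ("PK", "KEK", "db", "dbx"):
            raise SecureBootError(f"unknown policy object {obj}")
        if self.mode in (USER, DEPLOYED):
            authorized = {self.pk} if obj in ("PK", "KEK") else self.kek
            if signer not in authorized:
                raise SecureBootError(f"{obj} update not signed by an authorized key")
        if obj != "PK":
            getattr(self, obj.lower()).add(add)
        elif delete_pk:
            if self.mode == DEPLOYED:
                raise SecureBootError("PK cannot be deleted in DeployedMode")
            self.pk, self.mode = None, SETUP                          # User -> Setup
        else:
            self.pk = add
            self.mode = {SETUP: USER, AUDIT: DEPLOYED}.get(self.mode, self.mode)

    def execute_image(self, name, signer):
        """Return True if a pre-boot image runs. Enforcement needs PK present (User or
        Deployed Mode) and SecureBoot=Enabled; Audit Mode verifies, logs, and runs anyway."""
        verified = signer in self.db and signer not in self.dbx
        if self.mode == AUDIT:
            self.ieit.append((name, signer, verified))
            return True
        if self.mode in (USER, DEPLOYED) and self.secure_boot == "Enabled":
            return verified
        return True


def provision_then_lock():
    """Audit Mode provisioning, PK enrollment, enable Secure Boot, then probe the lock.
    Key ids and image names are constructed sample data."""
    p = Platform()
    p.set_mode(AUDIT, in_band=True)
    p.write_policy("KEK", signer=None, add="oem-kek")     # unauthenticated: no PK yet
    p.write_policy("db", signer=None, add="oem-signer")
    p.execute_image("shimx64.efi", "oem-signer")           # logged as pass, runs
    p.execute_image("unsigned.efi", "unknown")             # logged as fail, still runs
    p.write_policy("PK", signer=None, add="oem-pk")        # Audit -> Deployed
    p.set_secure_boot("Enabled", in_band=False)
    out = {"mode": p.mode, "audit_log": list(p.ieit),
           "signed_runs": p.execute_image("shimx64.efi", "oem-signer"),
           "unsigned_runs": p.execute_image("unsigned.efi", "unknown")}
    probes = (("inband_disable", lambda: p.set_secure_boot("Disabled", True)),
              ("inband_mode", lambda: p.set_mode(USER, True)),
              ("rogue_db", lambda: p.write_policy("db", "rogue", add="rogue-signer")))
    for label, op in probes:
        try:
            op()
            out[label] = "allowed"
        except SecureBootError:
            out[label] = "rejected"
    p.set_secure_boot("Disabled", in_band=False)           # out-of-band is never locked
    out["oob_disable"] = p.secure_boot
    return out
```

The point the model makes explicit: once a server is in DeployedMode with Secure Boot enabled, an attacker with root on the host OS cannot use in-band tooling to disable Secure Boot, flip the mode, or inject a db entry, but an operator with iDRAC access (or physical BIOS Setup access without a setup password) still can, which is why the out-of-band credentials and the setup password matter as much as the attribute values.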
400 BIOS Attributes