Manualshelf

Secure Boot Customization Guide - Technical whitepaper

ManualsBrandsHP ManualsDesktopsHP ProBook 430 G4 Notebook PC (ENERGY STAR)
12345678910
Technical whitepaper
© Copyright 2017 HP Development Company, L.P.
F10 setup again and return to the Advanced...Secure Boot Configuration screen. Finally, check the box next to the Clear
Secure Boot keys option and press F10 to Save and Exit.
Figure 4 Place HP PC in Secure Boot setup mode
When the machine reboots, allow it to boot to the Windows desktop. From here, it is possible to install your PK, KEK, DB,
and DBX configuration settings.
2.3 Obtain PK and KEK public keys
In a typical production environment, a Hardware Security Module (HSM) constrains the ability to sign with the PK and KEK
private keys. An HSM is a physical device that stores private keys and from which it is difficult or impossible to steal the
private keys independent of the HSM physical device itself. There are several HSM vendors in the market providing solutions
of greater or lesser security; analyzing the specifics of these vendors is beyond the scope of this document. However, it is
important to note that HP recommends that any infrastructure deployed for digital signing be secured using an HSM device.
Microsoft publishes a good guide on entitled, Secure Boot Key Generation and Signing Using HSM
, which goes over this
process in greater detail.
It is necessary to obtain both the PK and KEK public keys from your security administrator to continue with a customized
configuration for Secure Boot. These keys are required to be in DER format
, and in this case, it is assumed that they have
each been saved to a separate file with a CER extension. Assuming you have PK.cer, which is your new Platform Key, and
KEK.cer, which is your new Key Exchange Key, submit your KEK to your HSM key signing process to be signed by PK’s private
key. Once complete, you are ready for the next step.
2.4 Self-signing certificates
Just for the sake of completeness, this document shows how to use OpenSSL and Microsoft tools to generate a set of self-
signing keys. Such an approach does not provide an adequately secure system, but it is helpful for illustration. The
References section at the end of this document contains URL links that can direct you where to obtain OpenSSL and
Microsoft tools for this purpose.