Secure Boot Customization Guide - Technical whitepaper

© Copyright 2017 HP Development Company, L.P.
1 Introduction
This document offers an overview of how to configure Secure Boot in a customized environment, specifically one in which
the machine owner takes ownership of the machine by enrolling their own Secure Boot Platform Key (PK). Because the PK
anchors every later change to the Key Exchange Key (KEK) and the signature databases, replacing it requires the platform
owner to provision the rest of the Secure Boot key hierarchy so that the machine can still boot. This guide makes several
assumptions:
1. The default HP Platform Key (PK) will be replaced with a new PK that is exclusively under the control of the
platform owner.
2. The default HP Key Exchange Key (KEK) will be replaced with a new KEK whose enrollment has been signed with the PK
from assumption 1 above.
3. The default Signature Database (DB) will be rebuilt so that every entry in it was imported through an authenticated
variable write signed with the platform owner's KEK from assumption 2 above. The default HP DB contents may or may not
be retained; if they are, the default DB is exported, re-signed with the platform owner's KEK, and imported again. Any
additional certificates or hashes to be placed into the DB are likewise signed with the platform owner's KEK. Keep in
mind that the default DB is what allows the preinstalled operating system's boot loader and signed option ROMs to run;
anything that must still boot after the rebuild needs a DB entry of its own.
4. The default Forbidden Signature Database (DBX) will be rebuilt in the same way, so that every entry in it was
imported through a write signed with the platform owner's KEK from assumption 2 above. The default DBX may or may not
be retained; if it is, the default DBX is exported, re-signed with the platform owner's KEK, and imported again. Any
additional entries to be placed into the DBX are also signed with the platform owner's KEK. Because the default DBX
carries revocations of known-bad boot components, dropping it re-enables whatever those entries had blocked, so it
should normally be carried forward.
This document assumes the reader is familiar with the Secure Boot architecture. For a good overview, see Microsoft's
Windows 8.1 Secure Boot Key Creation and Management Guidance.
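The four assumptions above describe one provisioning chain: an owner PK, a KEK whose enrollment is signed by that PK, and DB and DBX contents whose enrollment is signed by that KEK. The following example is added here as an illustration and is not code from this HP whitepaper or from HP tooling. It builds and parses the byte structures every step of that chain produces: EFI_SIGNATURE_LIST payloads for X.509 certificates and SHA-256 hashes, the EFI_VARIABLE_AUTHENTICATION_2 header of a time-based authenticated variable write, and the exact byte string the PKCS#7 signature must cover. The owner GUID, certificate bytes, PKCS#7 blob and timestamp used in its self-test are constructed placeholders; sign_with_openssl (a local openssl binary is assumed) and read_efivar (Linux efivarfs is assumed) are the author's own helper names.

```python
"""Build and parse the UEFI structures an owner produces when replacing
PK/KEK/db/dbx: EFI_SIGNATURE_LIST payloads and time-based authenticated
writes (EFI_VARIABLE_AUTHENTICATION_2).  Layouts follow the UEFI spec.
Added example; the self-test inputs below are constructed, not real keys."""
import struct
import subprocess
import uuid
from datetime import datetime, timezone

# Vendor GUIDs and signature-type GUIDs defined by the UEFI specification.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")         # PK, KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7 = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

# NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS: attributes of every owner-signed write.
AUTH_ATTRS = 0x00000001 | 0x00000002 | 0x00000004 | 0x00000020
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
SIGLIST_HDR = struct.Struct("<16sIII")   # SignatureType, ListSize, HeaderSize, SignatureSize

# Constructed placeholders for the self-test (not a real certificate, signature or owner).
OWNER_GUID = uuid.UUID("4d5f1b2e-7c3a-4e9d-9a6b-0123456789ab")
FAKE_CERT_DER = b"\x30\x82\x00\xc8" + bytes(range(200))
FAKE_PKCS7 = b"\x30\x82\x00\x10" + b"\xaa" * 16
EXAMPLE_TS = datetime(2017, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def build_signature_list(sig_type, entries, owner):
    """One EFI_SIGNATURE_LIST.  X.509 lists hold exactly one certificate; SHA-256
    lists may hold many 32-byte hashes.  `owner` becomes each entry's SignatureOwner."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    if sig_type == EFI_CERT_X509 and len(entries) != 1:
        raise ValueError("an X.509 list carries exactly one certificate")
    if sig_type == EFI_CERT_SHA256 and sizes != {32}:
        raise ValueError("SHA-256 entries must be 32 bytes")
    sig_size = 16 + sizes.pop()                      # SignatureOwner GUID + SignatureData
    list_size = SIGLIST_HDR.size + len(entries) * sig_size
    out = SIGLIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e                    # EFI_SIGNATURE_DATA
    return out


def parse_signature_lists(blob):
    """Walk a PK/KEK/db/dbx payload and yield (type_guid, owner_guid, signature_data)."""
    off = 0
    while off < len(blob):
        st, lsize, hsize, ssize = SIGLIST_HDR.unpack_from(blob, off)
        if lsize < SIGLIST_HDR.size or off + lsize > len(blob) or ssize <= 16:
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        pos = off + SIGLIST_HDR.size + hsize
        while pos + ssize <= off + lsize:
            yield (uuid.UUID(bytes_le=st), uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + ssize])
            pos += ssize
        off += lsize


def efi_time(ts):
    """EFI_TIME for an authenticated write: Nanosecond, TimeZone, Daylight and pads are zero."""
    return struct.pack("<HBBBBBBIhBB", ts.year, ts.month, ts.day, ts.hour, ts.minute, ts.second, 0, 0, 0, 0, 0)


def to_be_signed(name, vendor, payload, ts):
    """The bytes the PKCS#7 signature covers: name (UCS-2, no terminator) || vendor GUID ||
    attributes || EFI_TIME || new variable content."""
    return name.encode("utf-16-le") + vendor.bytes_le + struct.pack("<I", AUTH_ATTRS) + efi_time(ts) + payload


def build_auth_variable(payload, ts, pkcs7):
    """Serialise EFI_VARIABLE_AUTHENTICATION_2 || payload (the usual .auth file layout).
    An empty payload deletes the variable, e.g. clearing PK to return to Setup Mode."""
    cert_data = EFI_CERT_TYPE_PKCS7.bytes_le + pkcs7
    hdr = struct.pack("<IHH", 8 + len(cert_data), 0x0200, WIN_CERT_TYPE_EFI_GUID)  # WIN_CERTIFICATE
    return efi_time(ts) + hdr + cert_data + payload


def parse_auth_variable(blob):
    """Split an .auth blob into (EFI_TIME bytes, PKCS#7 bytes, payload), checking the header."""
    dw_len, rev, ctype = struct.unpack_from("<IHH", blob, 16)
    if rev != 0x0200 or ctype != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID header")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7:
        raise ValueError("CertType is not PKCS#7")
    end = 16 + dw_len
    return blob[:16], blob[40:end], blob[end:]


def sign_with_openssl(tbs, signer_cert_pem, signer_key_pem):
    """Detached PKCS#7 SignedData over `tbs`, made with a local openssl binary (assumed present).
    Sign with the parent key: PK for the KEK write, KEK for db/dbx writes."""
    return subprocess.run(
        ["openssl", "smime", "-sign", "-binary", "-outform", "DER", "-noattr", "-md", "sha256",
         "-signer", signer_cert_pem, "-inkey", signer_key_pem],
        input=tbs, capture_output=True, check=True).stdout


def read_efivar(name, vendor, root="/sys/firmware/efi/efivars"):
    """Export a live variable on Linux efivarfs (assumed); the first 4 bytes are its attributes."""
    with open(f"{root}/{name}-{vendor}", "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    db = build_signature_list(EFI_CERT_X509, [FAKE_CERT_DER], OWNER_GUID)
    tbs = to_be_signed("db", EFI_IMAGE_SECURITY_DATABASE, db, EXAMPLE_TS)
    print(len(db), "byte db payload;", len(tbs), "bytes to sign with the KEK key")
```

To follow the assumptions in order, build a PK list and sign its write with the PK key, build the KEK list and sign its write with the PK key, then build the DB and DBX lists (exported default contents plus owner additions) and sign each write with the KEK key. Retained default entries need not be re-encoded; parse_signature_lists can confirm what an exported DB or DBX actually contains before it is wrapped in a new owner-signed write.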