Secure Boot Customization Guide - Technical whitepaper
© Copyright 2017 HP Development Company, L.P.
2 Setting up a customized Secure Boot environment 15
the new PK onto your platform. The second step uses Windows tools to write the new PK directly to your platform BIOS storage repository.
2.5.1 PK: Create a valid SetVariable() package
Set-SecureBootUEFI command line parameter                      Meaning
-Name PK                                                       Indicates that you are working with the Platform Key (PK).
-Time 2016-02-01T13:30:00Z                                     Specifies the current date and time, which must be specified.
-ContentFilePath .\PK_SigList.bin                              Specifies the name of the file which contains the unsigned, formatted PK.
-SignedFilePath .\PK_SigList_Serialization_for_PK.bin.p7       Specifies the name of the file which contains the signed, formatted PK.
-OutputFilePath .\PK_NewKey_Import_PK.bin                      Specifies the file which will contain the output of the command upon successful completion.
Table 2 Command line switches to create SetVariable() package
If successful, the command should produce output similar to the following:
Figure 14 Successful output of properly formatted UEFI variable
This step has produced a properly formatted UEFI time-authenticated variable which may be used for direct import into Secure Boot using a simple UEFI SetVariable() command. The file PK_NewKey_Import_PK.bin contains this properly formatted UEFI time-authenticated variable artifact.
2.5.2 Import PK using Windows tools
There is one more step required to use the Windows tools to import the PK: writing the PK itself to Non-volatile Random Access Memory (NVRAM). Use the Set-SecureBootUEFI command inside Windows PowerShell for this purpose.
Set-SecureBootUEFI command line parameter                      Meaning
-Name PK                                                       Indicates that you are working with the Platform Key (PK).
-Time 2016-02-01T13:30:00Z                                     Specifies the current date and time, which must be specified.
-ContentFilePath .\PK_SigList.bin                              Specifies the name of the file which contains the unsigned, unformatted PK, created in a previous step.
-SignedFilePath .\PK_SigList_Serialization_for_PK.bin.p7       Specifies the name of the file which contains the signed, formatted PK.
Table 3 Command line switches to import PK to Windows
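The two invocations from Tables 2 and 3 assembled into one script with a verification step, as an added example that is not part of the HP guide. File names and the timestamp are the ones from the tables; the script assumes an elevated PowerShell session on the target platform and that Get-SecureBootUEFI returns the raw signature-list bytes stored in the PK variable.

```powershell
# Added example, not code from the HP guide: create the SetVariable() package
# (section 2.5.1), write the PK to NVRAM (section 2.5.2), then verify.
$ErrorActionPreference = 'Stop'
Import-Module SecureBoot

# Timestamp carried in the time-authenticated variable header. It has to be
# the same value that was used when the serialization was formatted and
# signed; a different -Time makes the firmware reject the authenticated write.
$time = '2016-02-01T13:30:00Z'

$sigList = '.\PK_SigList.bin'                          # unsigned signature list
$signed  = '.\PK_SigList_Serialization_for_PK.bin.p7'  # PKCS#7 signature over it
$package = '.\PK_NewKey_Import_PK.bin'                 # output of step 1

# Step 1 (Table 2): build the time-authenticated variable package on disk.
Set-SecureBootUEFI -Name PK -Time $time `
    -ContentFilePath $sigList -SignedFilePath $signed -OutputFilePath $package

if (-not (Test-Path $package)) {
    throw "SetVariable() package $package was not produced"
}
"Package written: {0} bytes" -f (Get-Item $package).Length

# Step 2 (Table 3): same parameters without -OutputFilePath writes PK to NVRAM.
Set-SecureBootUEFI -Name PK -Time $time `
    -ContentFilePath $sigList -SignedFilePath $signed

# Verify: the PK variable now holds exactly the signature list that was signed.
# Firmware strips the authentication header, so the stored data should equal
# the content file byte for byte (assumption stated in the lead-in).
$stored   = (Get-SecureBootUEFI -Name PK).Bytes
$expected = [IO.File]::ReadAllBytes((Resolve-Path $sigList))
if ([Convert]::ToBase64String($stored) -ne [Convert]::ToBase64String($expected)) {
    throw 'PK in NVRAM does not match PK_SigList.bin; check the signing step'
}
"PK imported ({0} bytes). Secure Boot enabled: {1}" -f $stored.Length, (Confirm-SecureBootUEFI)
```

Keep a copy of the previous PK (Get-SecureBootUEFI -Name PK -OutputFilePath) before running step 2 if the platform already has one, so the change can be rolled back.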