Secure Boot Customization Guide - Technical whitepaper
© Copyright 2017 HP Development Company, L.P. 
2 Setting up a customized Secure Boot environment 18 
If successful, the command should produce output similar to the following: 
Figure 18  Successful creation of SetVariable() package 
2.6.2 Import KEK Using Windows Tools 
There is one more step required to use the Windows tools to import the KEK: writing the KEK itself to Non-volatile Random Access Memory (NVRAM). Use the Set-SecureBootUEFI command inside Windows PowerShell for this purpose. 
| Set-SecureBootUEFI Command Line Parameter | Meaning |
|---|---|
| -Name KEK | Indicates that you are working with the Key Exchange Key (KEK). |
| -Time 2016-02-01T13:30:00Z | Specifies the current date and time; this value must be specified. |
| -ContentFilePath .\KEK_SigList.bin | Specifies the name of the file that contains the unsigned, unformatted KEK, created in a previous step. |
| -SignedFilePath .\KEK_SigList_Serialization_for_KEK.bin.p7 | Specifies the name of the file that contains the signed, formatted KEK. |
Table 6  Command line switches to import KEK 
If successful, the command should produce output similar to the following: 
Figure 19  Successful import of KEK 
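The import from section 2.6.2 followed by a read-back check, as an added example that is not part of the HP whitepaper: it runs Set-SecureBootUEFI with the Table 6 parameters, then uses Get-SecureBootUEFI to confirm that NVRAM holds the same bytes as KEK_SigList.bin and lists each X.509 entry. It assumes an elevated PowerShell 5 or later session and a replace (not append) write; the variable names are illustrative.

```powershell
# Added example, not HP's code. File names and timestamp are the ones in Table 6.
# Run from an elevated PowerShell session on the UEFI system being configured.
$time    = '2016-02-01T13:30:00Z'  # covered by the signature: reuse the value the signed file was built with
$content = '.\KEK_SigList.bin'
$signed  = '.\KEK_SigList_Serialization_for_KEK.bin.p7'

# Fail early if either input from the previous steps is missing.
foreach ($f in $content, $signed) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Missing input file: $f" }
}

Set-SecureBootUEFI -Name KEK -Time $time -ContentFilePath $content `
    -SignedFilePath $signed -ErrorAction Stop | Out-Null

# Read the variable back from NVRAM. Assumption: a replace write (no -AppendWrite),
# so the variable should hold exactly the signature list that was imported.
$expected = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $content).ProviderPath)
$actual   = (Get-SecureBootUEFI -Name KEK).Bytes
if ([Convert]::ToBase64String($actual) -ne [Convert]::ToBase64String($expected)) {
    throw 'KEK in NVRAM does not match KEK_SigList.bin'
}

# Walk the EFI_SIGNATURE_LIST structures and show which certificates are now trusted as KEK.
# Layout: SignatureType GUID (16 bytes), list size, header size, signature size (UInt32 each),
# then entries of SignatureOwner GUID (16 bytes) + certificate data.
$x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$offset = 0
while ($offset + 28 -le $actual.Length) {
    $type     = [guid]::new([byte[]]$actual[$offset..($offset + 15)])
    $listSize = [int][BitConverter]::ToUInt32($actual, $offset + 16)
    $hdrSize  = [int][BitConverter]::ToUInt32($actual, $offset + 20)
    $sigSize  = [int][BitConverter]::ToUInt32($actual, $offset + 24)
    if ($listSize -lt 28 -or $sigSize -lt 17 -or $offset + $listSize -gt $actual.Length) {
        throw "Malformed signature list at offset $offset"
    }
    if ($type -eq $x509Type) {
        $pos = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $offset + $listSize) {
            $owner = [guid]::new([byte[]]$actual[$pos..($pos + 15)])
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                         [byte[]]$actual[($pos + 16)..($pos + $sigSize - 1)])
            [pscustomobject]@{ Owner = $owner; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
            $pos += $sigSize
        }
    }
    $offset += $listSize
}
```

Compare the listed thumbprints with the certificate you generated for the KEK; an unexpected subject means the wrong signature list was imported.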
At this point, both the new PK and the new PK-signed KEK are on the system, and you officially own the platform. The next step is to import your DB and DBX files, each of which must be signed by the KEK. For the purposes of this example, we shall simply sign the DB and DBX files previously backed up as HpDb.BAK and HpDbx.BAK. 










