Secure Boot Customization Guide - Technical whitepaper
© Copyright 2017 HP Development Company, L.P. 
2 Setting up a customized Secure Boot environment 19 
2.7 Install the New KEK-signed DB and DBX 
2.7.1 DB 
The simplest way to reach the default HP DB configuration with the Windows command-line tools is to create a signature list serialization file from the three HP default certificates. You can omit one or more of them, or use only your own DER-encoded certificates, if you prefer. The following command parameters create a signable signature list file from the three default HP DB certificates, which are embedded in this document. The parameters assume that you have unpacked the three DB certificates into your local working directory.
The first step uses the Format-SecureBootUEFI command.
| Format-SecureBootUEFI Command Line Parameter | Meaning |
| --- | --- |
| -Name DB | Indicates that you are working with the Secure Boot DB. |
| -Time 2016-02-01T13:30:00Z | Specifies the current date and time. This parameter must be specified. |
| -SignatureOwner DEF16466-F946-4E71-BE22-CF8B1B7B36A0 | The hexadecimal number is a GUID that uniquely identifies you to the platform. Since this represents the signature owner, it should be the same GUID used to import the PK. |
| -ContentFilePath .\HpDb_SigList.bin | Specifies the name of the file which contains the unsigned, unformatted collection of DB certificates. |
| -CertificateFilePath .\HPDB2013.der, .\MsUEFCA2011_2011-06-27.cer, .\MsWinProDb2011_2011-10-19.cer | These are the three HP default DER-encoded certificate files. Each filename is separated by a comma (,) on the command line. |
| -FormatWithCert | Tells Format-SecureBootUEFI to integrate the entire certificate into the formatted content. |
| -SignableFilePath .\HpDb_SigList_Serialization_for_DB.bin | Specifies the file that should be signed after formatting. |
Table 7  Command line switches to create signature list for three default DB 
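The parameters from Table 7 assembled into a single call, as an added example that is not part of the original HP whitepaper. The file names, GUID and timestamp come from the table; the DER pre-check and the hashing of the output files are additions made here.

```powershell
# Added example: builds the Format-SecureBootUEFI call from the Table 7 parameters.
$ErrorActionPreference = 'Stop'

# The three DB certificates named in Table 7, expected in the working directory.
$certs = @(
    '.\HPDB2013.der',
    '.\MsUEFCA2011_2011-06-27.cer',
    '.\MsWinProDb2011_2011-10-19.cer'
)

# Pre-flight (added check): every file must exist, be DER rather than PEM,
# and parse as an X.509 certificate. Print what is about to be trusted.
foreach ($path in $certs) {
    $full  = (Resolve-Path -LiteralPath $path).Path
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes[0] -ne 0x30) {
        throw "$path is not DER-encoded (first byte is not the ASN.1 SEQUENCE tag 0x30)"
    }
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    '{0}  {1}  expires {2:yyyy-MM-dd}' -f $x509.Thumbprint, $x509.Subject, $x509.NotAfter
}

# Table 7 values. Replace Time with the current UTC time and SignatureOwner
# with the GUID that was used when the PK was imported.
$params = @{
    Name                = 'DB'
    Time                = '2016-02-01T13:30:00Z'
    SignatureOwner      = 'DEF16466-F946-4E71-BE22-CF8B1B7B36A0'
    ContentFilePath     = '.\HpDb_SigList.bin'
    CertificateFilePath = $certs
    FormatWithCert      = $true
    SignableFilePath    = '.\HpDb_SigList_Serialization_for_DB.bin'
}
Format-SecureBootUEFI @params

# Post-check (added): both output files must exist and be non-empty. Record
# their hashes so the file that is later signed can be matched to this run.
foreach ($out in $params.ContentFilePath, $params.SignableFilePath) {
    $item = Get-Item -LiteralPath $out
    if ($item.Length -eq 0) { throw "$out is empty" }
    $hash = (Get-FileHash -LiteralPath $out -Algorithm SHA256).Hash
    '{0}  {1} bytes  SHA256 {2}' -f $item.Name, $item.Length, $hash
}
```

Compare the printed thumbprints against the certificates you intend to trust before signing the serialization file, because every certificate in this list becomes a DB entry.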
If the command succeeds, you should see something like the following. 
Figure 20  Successful output 
HpDb.zip










