Manualshelf

Secure Boot Customization Guide - Technical whitepaper

ManualsBrandsHP ManualsDesktopsHP EliteDesk 800 G3 Small Form Factor PC
11121314151617181920
Technical whitepaper
© Copyright 2017 HP Development Company, L.P.
Again, the file to submit to your HSM solution for signing is the signature list serialization file, in this case,
HpDb_SigList_Serialization_for_DB.bin. This file should be signed using the private key for your new KEK. A proper signing
command for HpDb_SigList_Serialization_for_DB.bin, if using a PFX file
4
, is as follows. In this case, signtool must be in your
path:
Figure 21 Command line to sign the signature list with private key
Replace <password> with the actual private key password for your PFX file. The result of the above command is a KEK-
signed DB serialized into a file HpDb_SigList_Serialization_for_DB.bin.p7. Use the signed file that is provided by your HSM
provider.
Once you have the KEK-signed DB, it is ready for import to your platform. Importing is done with the Set-SecureBootUEFI
command inside Windows PowerShell. As with the PK and KEK steps previously detailed, we will demonstrate the creation
of a valid time-authenticated SetVariable() binary package and demonstrate how to import the newly signed DB into your
platform.
2.7.1.1 DB: Create a Valid SetVariable() Package
Set-SecureBootUEFI Command Line Parameter
Meaning
-Name DB Indicates that you are working with the Secure Boot certificate database (DB).
-Time 2016-02-01T13:30:00Z Specifies the current date and time, which must be specified.
-ContentFilePath .\HpDb_SigList.bin Specifies the name of the file which contains the unsigned, formatted DB,
which is the previously backed-up DB in this case.
-SignedFilePath .\
HpDb_SigList_Serialization_for_DB.bin.p7
Specifies the name of the file which contains the signed, formatted DB.
-OutputFilePath .\HpDb_Output_for_DB.bin Specifies the file which will contain the output of the command upon
successful completion.
Table 8 Command line switches to create SetVariable() package for DB
This command creates a valid SetVariable() package for use in direct import to the BIOS using a SetVariable() call, contained
in the file called HpDb_Output_for_DB.bin and is also useful for archival purposes.
4
This would be the approach if you used self-signing certificates, but it is strongly recommended that you perform the same action in the
context of your own HSM provider.
signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData
/a /f .\KEK.PFX /p <password> HpDb_SigList_Serialization_for_DB.bin