Secure Boot Customization Guide - Technical whitepaper
Technical whitepaper
© Copyright 2017 HP Development Company, L.P.
2 Setting up a customized Secure Boot environment 22
2.7.2 DBX
To import the previously backed-up DBX file, follow the same procedure as for the DB, substituting the desired proscribed certificates for the DBX. The default set of HP-proscribed certificates is provided as an attachment, immediately following this section.
Again, these certificates must be formatted properly using the Format-SecureBootUEFI command.
Format-SecureBootUEFI command line parameter / Meaning

-Name DBX
    Indicates that you are working with the Secure Boot DBX.
-Time 2016-02-01T13:30:00Z
    Specifies the current date and time; this parameter is required.
-SignatureOwner DEF16466-F946-4E71-BE22-CF8B1B7B36A0
    The hexadecimal number is a GUID that uniquely identifies you to the platform. Since this represents the signature owner, it should be the same GUID used to import the PK.
-ContentFilePath .\HpDbx_SigList.bin
    Specifies the name of the file which contains the unsigned, unformatted collection of certificates to be placed in the DBX.
-CertificateFilePath .\HP_DBX_Default1.DER, .\HP_DBX_Default2.DER
    These are the two HP default DER-encoded certificate files. Each filename is separated by a comma (,) on the command line.
-FormatWithCert
    Tells Format-SecureBootUEFI to integrate the entire certificate into the formatted content.
-SignableFilePath .\HpDbx_SigList_Serialization_for_DBX.bin
    Specifies the file that should be signed after formatting.

Table 10 Command line switches to format DBX
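The switches from Table 10 assembled into a single runnable command, as an added example that is not part of the HP whitepaper. The pre-check that each DER file parses as an X.509 certificate and the SHA-256 record of the signable file are additions for your own bookkeeping; the paths assume you run from the directory holding the HP files, and the GUID must be whatever SignatureOwner you used when importing the PK.

```powershell
# Added example (not from the HP whitepaper): formats the DBX signature list
# from the two HP default DER certificates and records a hash of the file that
# will be sent to the HSM for signing with the new KEK private key.
$ErrorActionPreference = 'Stop'

$owner   = 'DEF16466-F946-4E71-BE22-CF8B1B7B36A0'   # same GUID used for the PK import
$time    = '2016-02-01T13:30:00Z'                    # -Time value from Table 10
$certs   = @('.\HP_DBX_Default1.DER', '.\HP_DBX_Default2.DER')
$content = '.\HpDbx_SigList.bin'
$toSign  = '.\HpDbx_SigList_Serialization_for_DBX.bin'

# Sanity check: every file passed to -CertificateFilePath must exist and parse
# as a DER certificate; a wrong or truncated file would otherwise surface only
# after signing, or as a DBX entry that does not block what you intended.
foreach ($c in $certs) {
    if (-not (Test-Path $c)) { throw "Missing certificate file: $c" }
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $c).Path)
    Write-Host ("{0}: {1} (thumbprint {2})" -f $c, $x.Subject, $x.Thumbprint)
}

# Build the DBX signature list (-ContentFilePath) and the serialization that
# the HSM will sign (-SignableFilePath), exactly as Table 10 describes.
Format-SecureBootUEFI -Name DBX -Time $time -SignatureOwner $owner `
    -ContentFilePath $content -CertificateFilePath $certs `
    -FormatWithCert -SignableFilePath $toSign

# Keep this hash with the signing request so the signature that comes back
# from the HSM can be tied to exactly this serialization and no other.
Get-FileHash -Algorithm SHA256 -Path $toSign | Format-List Path, Hash
```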
If the command succeeds, you should see something like the following.
Figure 24 Successful output
Here, the file to submit to your HSM solution for signing is the signature list serialization file, in this case,
HpDbx_SigList_Serialization_for_DBX.bin. This file should be signed using the private key for your new KEK. A proper
HP_Default_DBX_Certificates.zip