Secure Boot Customization Guide - Technical whitepaper

Technical whitepaper
© Copyright 2017 HP Development Company, L.P.
signing command for HpDbx_SigList_Serialization_for_DBX.bin, if using a PFX file⁵, is as follows. In this case, signtool must be in your path:

    signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f .\KEK.PFX /p <password> HpDbx_SigList_Serialization_for_DBX.bin

Figure 25 Command line to sign DBX using PFX file

Replace <password> with the actual private key password for your PFX file. The result of the above command is a KEK-signed DBX serialized into the file HpDbx_SigList_Serialization_for_DBX.bin.p7. If you sign with an HSM instead, use the signed file that your HSM provider returns.

Once you have the KEK-signed DBX, it is ready for import to your platform. Importing is done with the Set-SecureBootUEFI cmdlet inside Windows PowerShell. As with the PK and KEK steps detailed previously, we will demonstrate the creation of a valid time-authenticated SetVariable() binary package and then demonstrate how to import the newly signed DBX into your platform.

2.7.2.1 DBX: Create a Valid SetVariable() Package

Set-SecureBootUEFI command line parameters and their meaning:

-Name DBX
    Indicates that you are working with the Secure Boot DBX.
-Time 2016-02-01T13:30:00Z
    Specifies the current date and time, which must be specified.
-ContentFilePath .\HpDbx_SigList.bin
    Specifies the name of the file which contains the unsigned, formatted DBX, which is the previously backed-up DBX in this case.
-SignedFilePath .\HpDbx_SigList_Serialization_for_DBX.bin.p7
    Specifies the name of the file which contains the signed, formatted DBX.
-OutputFilePath .\HpDbx_Output_for_DBX.bin
    Specifies the file which will contain the output of the command upon successful completion.

Table 11 Command line switches to create SetVariable() package

This command creates a valid SetVariable() package, contained in the file HpDbx_Output_for_DBX.bin, for direct import to the BIOS using a SetVariable() call; the file is also useful for archival purposes.

If successful, the command should produce output similar to the following:

Figure 26 Successful creation of variable package

⁵ This would be the approach if you used self-signed certificates, but it is strongly recommended that you perform the same action in the context of your own HSM provider.
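As an added verification step (example code written for this page, not part of the HP guide), the following Python inspects a SetVariable() package such as HpDbx_Output_for_DBX.bin before it is imported. It assumes the package uses the standard EFI_VARIABLE_AUTHENTICATION_2 layout (EFI_TIME, WIN_CERTIFICATE_UEFI_GUID header, detached PKCS#7, then the variable payload) and confirms that the timestamp, the embedded signature and the trailing DBX are exactly the values given to -Time, -SignedFilePath and -ContentFilePath; the sample package, signature and DBX bytes are constructed inline and are not real signatures or signature lists.

```python
import struct
import uuid
from datetime import datetime

# Constants from the UEFI specification (EFI_VARIABLE_AUTHENTICATION_2 layout).
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200
EFI_TIME_FMT = "<HBBBBBBIhBB"  # EFI_TIME, 16 bytes
WIN_CERT_HDR_FMT = "<IHH"       # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
PKCS7_OFFSET = 16 + 8 + 16      # EFI_TIME + WIN_CERTIFICATE header + CertType GUID


def build_auth2_package(ts, pkcs7, payload):
    """Assemble EFI_VARIABLE_AUTHENTICATION_2 || payload (used here only to construct test input)."""
    efi_time = struct.pack(EFI_TIME_FMT, ts.year, ts.month, ts.day, ts.hour, ts.minute, ts.second, 0, 0, 0, 0, 0)
    hdr = struct.pack(WIN_CERT_HDR_FMT, 8 + 16 + len(pkcs7), WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload


def parse_auth2_package(blob):
    """Split a SetVariable() package into its timestamp, detached PKCS#7 and variable payload."""
    if len(blob) < PKCS7_OFFSET:
        raise ValueError("package too short for an EFI_VARIABLE_AUTHENTICATION_2 header")
    y, mo, d, h, mi, s, pad1, nanos, tz, dst, pad2 = struct.unpack_from(EFI_TIME_FMT, blob, 0)
    if (pad1, nanos, tz, dst, pad2) != (0, 0, 0, 0, 0):
        raise ValueError("EFI_TIME fields that must be zero for authenticated variables are set")
    dw_len, rev, ctype = struct.unpack_from(WIN_CERT_HDR_FMT, blob, 16)
    if rev != WIN_CERT_REVISION or ctype != WIN_CERT_TYPE_EFI_GUID or 16 + dw_len > len(blob):
        raise ValueError("malformed WIN_CERTIFICATE_UEFI_GUID header")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    return {"timestamp": "%04d-%02d-%02dT%02d:%02d:%02dZ" % (y, mo, d, h, mi, s),
            "pkcs7": bytes(blob[PKCS7_OFFSET:16 + dw_len]),
            "payload": bytes(blob[16 + dw_len:])}


def check_package(blob, expected_time, signed_p7, unsigned_dbx):
    """True only if the package carries exactly the -Time, -SignedFilePath and -ContentFilePath inputs."""
    p = parse_auth2_package(blob)
    return p["timestamp"] == expected_time and p["pkcs7"] == signed_p7 and p["payload"] == unsigned_dbx


# Constructed sample data: stand-ins for the .p7 file and HpDbx_SigList.bin, not real signatures or lists.
SAMPLE_P7 = b"\x30\x82\x01\x00" + b"\xaa" * 28
SAMPLE_DBX = b"\x11" * 28
SAMPLE_TIME = datetime(2016, 2, 1, 13, 30, 0)  # the -Time value shown in Table 11
SAMPLE_PACKAGE = build_auth2_package(SAMPLE_TIME, SAMPLE_P7, SAMPLE_DBX)

if __name__ == "__main__":
    print(parse_auth2_package(SAMPLE_PACKAGE)["timestamp"])
    print("package matches inputs:", check_package(SAMPLE_PACKAGE, "2016-02-01T13:30:00Z", SAMPLE_P7, SAMPLE_DBX))
```

Because the timestamp is part of the data the KEK signature covers, the -Time value must be the same one used when the serialization was generated; running this check against the real files (open them with `open(path, "rb").read()`) catches a mismatched time or a swapped DBX before the firmware rejects the import.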