Secure Boot Customization Guide - Technical whitepaper

© Copyright 2017 HP Development Company, L.P.
certificate in DER format. The first step is to format this certificate for Secure Boot import, using Format-SecureBootUEFI. Once formatted for import, the serialized output (the "signable" file) must be signed with the KEK private key, using your HSM solution; the firmware only accepts a DB update whose signature chains to a certificate already in the KEK. Finally, the formatted content and its detached signature must be imported into the DB (or DBX) using Set-SecureBootUEFI with the -AppendWrite flag, so that the existing DB entries are appended to rather than overwritten.
2.9.1 DB
Obtain your new DB public key as a DER-encoded certificate file. You should obtain this certificate from your HSM provider. In this example the DB certificate file is named NewDbCert.CER (the name used in the table below; substitute your own file name if it differs). The DB certificate must be formatted using the Format-SecureBootUEFI command inside Windows PowerShell before it can be imported.
Format-SecureBootUEFI command line parameter and meaning:

-Name DB
    Indicates that you are working with the collection of certificates in your Secure Boot database (DB).

-SignatureOwner DEF16466-F946-4E71-BE22-CF8B1B7B36A0
    The hexadecimal number is a GUID that uniquely identifies you to the platform. Since this represents the signature owner, it should be the same GUID used to import the PK.

-ContentFilePath .\NewHpDb_SigList.bin
    This file is created to hold the content generated by Format-SecureBootUEFI, i.e. the formatted signature list.

-FormatWithCert
    Tells Format-SecureBootUEFI to embed the entire certificate into the formatted content.

-Certificate .\NewDbCert.CER
    Indicates the path to the desired certificate, in this case the DB certificate.

-SignableFilePath .\NewHpDb_SigList_Serialization_for_DB.bin
    Specifies the file that should be signed (with the KEK, in the HSM) after formatting.

-Time 2016-02-05T13:30:00Z
    Specifies the date and time stamped into the update; it must be specified. The time may differ from the -Time values used previously because it must be within the validity range of the new certificate, and that validity range might start later than the validity of the original certificates. The same -Time value must later be passed to Set-SecureBootUEFI, since the timestamp is part of what the KEK signature covers.

Table 13 Command line switches to format DB key
If successful, the command should produce output similar to the following:
Figure 28 Successful output with formatted DB key
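The three-step procedure described above (format, sign with the KEK in the HSM, append to DB) followed by a read-back check that the new certificate is actually present in the DB, as an added PowerShell example that is not part of the HP whitepaper. The file names, the KEK.cer path, and the signtool.exe invocation with its /csp and /kc values are assumptions standing in for "your HSM solution"; replace them with your HSM vendor's CSP and key container names. Run from an elevated PowerShell on the target platform.

```powershell
# Added example (not from the HP whitepaper). Assumed names: NewDbCert.CER, KEK.cer,
# NewHpDb_SigList.bin, NewHpDb_SigList_Serialization_for_DB.bin; the signtool
# /csp and /kc values are placeholders for your HSM's CSP and key container.

$sigOwner = 'DEF16466-F946-4E71-BE22-CF8B1B7B36A0'   # same GUID used when the PK was imported
$time     = '2016-02-05T13:30:00Z'                   # must be identical for Format- and Set-SecureBootUEFI
$dbCert   = '.\NewDbCert.CER'                        # new DB certificate, DER encoded (from the HSM provider)
$kekCert  = '.\KEK.cer'                              # assumed: public KEK certificate whose private key is in the HSM
$content  = '.\NewHpDb_SigList.bin'                  # EFI_SIGNATURE_LIST produced by Format-SecureBootUEFI
$signable = '.\NewHpDb_SigList_Serialization_for_DB.bin'
$signed   = "$signable.p7"                           # signtool /p7 writes <input>.p7 next to the input

# Returns $true when the DER bytes of $certPath appear inside the DB variable read back from firmware.
function Test-DbContainsCert([string]$certPath) {
    $certHex = [System.BitConverter]::ToString([System.IO.File]::ReadAllBytes($certPath)) -replace '-', ''
    $dbHex   = [System.BitConverter]::ToString((Get-SecureBootUEFI -Name db).Bytes) -replace '-', ''
    return $dbHex.Contains($certHex)
}

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this platform' }
if (Test-DbContainsCert $dbCert)   { Write-Host 'Certificate already in DB; nothing to do'; return }

# Step 1: serialize the certificate into a signature list plus the blob the KEK must sign.
# -AppendWrite is given here too: the variable attributes are part of the signed data, so the
# serialization must be built for an append if the import will use -AppendWrite.
Format-SecureBootUEFI -Name db -SignatureOwner $sigOwner -Time $time `
    -ContentFilePath $content -FormatWithCert -Certificate $dbCert `
    -SignableFilePath $signable -AppendWrite

# Step 2: sign the serialization with the KEK private key held in the HSM (assumed signtool form:
# a detached PKCS#7 over the signable file; /f gives the public cert, /csp and /kc locate the key).
& signtool.exe sign /fd sha256 /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData `
    /f $kekCert /csp '<HSM CSP name>' /kc '<KEK key container>' $signable
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $signed)) { throw 'HSM signing of the DB update failed' }

# Step 3: append the signed signature list to DB without overwriting existing entries.
Set-SecureBootUEFI -Name db -Time $time -ContentFilePath $content -SignedFilePath $signed -AppendWrite

# Step 4: read DB back from firmware and confirm the new certificate is present.
if (Test-DbContainsCert $dbCert) {
    Write-Host 'New DB certificate appended and verified in firmware'
} else {
    throw 'DB read-back does not contain the new certificate; check the KEK signature and -Time value'
}
```

The read-back check matters because Set-SecureBootUEFI can return without error while the firmware silently rejects the authenticated variable write (wrong signing key, mismatched -Time, or a serialization built without -AppendWrite); comparing the raw DER bytes against the DB variable is independent of any cmdlet status.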