Secure Boot Customization Guide - Technical whitepaper
© Copyright 2017 HP Development Company, L.P.
2 Setting up a customized Secure Boot environment 27
There is one more step required to use the Windows tools to import the KEK: writing the KEK itself to Non-volatile Random Access Memory (NVRAM). Use the Set-SecureBootUEFI command inside Windows PowerShell for this purpose, with the following parameters:
| Set-SecureBootUEFI Command Line Parameter | Meaning |
| --- | --- |
| -Name DB | Indicates that you are working with the Secure Boot certificate database (DB). |
| -Time 2016-02-01T13:30:00Z | Specifies the current date and time. This parameter is required. |
| -ContentFilePath .\NewHpDb_SigList.bin | Specifies the name of the file that contains the unsigned, unformatted DB, created in a previous step. |
| -SignedFilePath .\NewHpDb_SigList_Serialization_for_DB.bin.p7 | Specifies the name of the file that contains the signed, formatted DB, signed in the previous step. |
Table 15 Command line switches to import the KEK-signed DB certificate
If successful, the command should produce output similar to the following:
Figure 31 Successful import
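The import from Table 15 with a read-back check, as an added PowerShell example that is not part of the original guide. The file names and -Time value are the ones shown in the table; the Get-VariableHex helper and the comparison logic are assumptions of this example, which uses Get-SecureBootUEFI to confirm that the variable in NVRAM now holds the bytes of the unsigned signature list.

```powershell
# Added example (not from the HP guide). File names and -Time come from Table 15.
# Run in an elevated PowerShell session from the folder holding both files.
$ErrorActionPreference = 'Stop'

$name    = 'DB'
$time    = '2016-02-01T13:30:00Z'   # note: must match the timestamp used when the file was signed
$content = '.\NewHpDb_SigList.bin'
$signed  = '.\NewHpDb_SigList_Serialization_for_DB.bin.p7'

# Fail early if either input is missing, before touching NVRAM.
foreach ($file in $content, $signed) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        throw "Missing input file: $file"
    }
}

# Hypothetical helper: hex dump of a Secure Boot variable, '' if it is not set.
function Get-VariableHex([string]$Variable) {
    try   { [BitConverter]::ToString((Get-SecureBootUEFI -Name $Variable).Bytes) }
    catch { '' }
}

$before = Get-VariableHex $name

Set-SecureBootUEFI -Name $name -Time $time -ContentFilePath $content -SignedFilePath $signed

# Read the variable back and compare it with the unsigned content file.
$after    = Get-VariableHex $name
$expected = [BitConverter]::ToString(
    [IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $content).Path))

if ($after.Contains($expected)) {
    Write-Output "$name now contains the signature list from $content."
} elseif ($after -eq $before) {
    throw "$name is unchanged; the firmware did not accept the update."
} else {
    throw "$name changed, but does not contain the bytes of $content."
}
```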
2.9.2 DBX
To append a new DBX certificate, follow the instructions itemized under the DB heading immediately above, but use DBX for the -Name parameter on the command line. Doing so adds a certificate to the Secure Boot DBX rather than to the Secure Boot DB.