Secure Boot Customization Guide - Technical whitepaper
© Copyright 2017 HP Development Company, L.P. 
2 Setting up a customized Secure Boot environment
| Format-SecureBootUEFI command line parameter | Meaning |
|---|---|
| -Name PK | Indicates that you are working with the Platform Key (PK). |
| -SignatureOwner DEF16466-F946-4E71-BE22-CF8B1B7B36A0 | The hexadecimal number is a GUID that uniquely identifies you to the platform. You can generate a GUID using the Microsoft GuidGen.exe tool, among other means. |
| -ContentFilePath .\PK_SigList.bin | This file is created to hold the content generated by Format-SecureBootUEFI, i.e. the formatted content. |
| -FormatWithCert | Tells Format-SecureBootUEFI to integrate the entire certificate into the formatted content. |
| -Certificate .\PK.CER | Indicates the path to the desired certificate, in this case the PK certificate. |
| -SignableFilePath .\PK_SigList_Serialization_for_PK.bin | Specifies the file that should be signed after formatting. |
| -Time 2016-02-01T13:30:00Z | Specifies the current date and time; this parameter is required. |

Table 1  List of switches useful for the Format-SecureBootUEFI command to format the Platform Key (PK)
If successful, the command should produce output similar to the following: 
Figure 12  Successful PK format 
It is the SignableFilePath file, in this case PK_SigList_Serialization_for_PK.bin, which is submitted to your HSM solution for signing. This file should be signed using the private key for your new PK. A proper signing command for PK_SigList_Serialization_for_PK.bin, if using a PFX file², is as follows. In this case, signtool must be in your path:

signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f .\PK.PFX /p <password> PK_SigList_Serialization_for_PK.bin

Figure 13  Command line to create signed PK

Replace <password> with the actual private key password for your PFX file. The result of the above command is a signed PK serialized into a file called PK_SigList_Serialization_for_PK.bin.p7. You should, of course, use the signed file provided by your HSM provider.

Once you have the signed PK, it is ready for import to your platform. Importing is done with the Set-SecureBootUEFI command inside Windows PowerShell. There are two steps possible here. The first step simply creates a valid time-authenticated variable package which could be imported using a simple UEFI SetVariable() command. This package is then saved to a file called PK_NewKey_Import_PK.bin. This step is worth running even if you plan to use Windows tools to import

² This would be the approach if you used self-signed certificates, but it is strongly recommended that you perform the same action in the context of your own HSM provider.
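The format, sign and package steps above run as one PowerShell script, with a verification of the returned signature inserted before the package is built. This is an added example, not code from the HP whitepaper; it uses the file names, GUID and timestamp from Table 1 and Figure 13, assumes PK.CER and PK.PFX are in the working directory and signtool.exe is on the path, and uses the signtool command only as a stand-in for the HSM signing step. The Test-PkSignature function is the example's own helper, not a SecureBoot cmdlet.

```powershell
# Added example (not from the HP whitepaper): the PK preparation procedure
# described above, run end to end with the Windows SecureBoot cmdlets.
# Assumed: PK.CER (public) and PK.PFX (private) in the working directory,
# signtool.exe on PATH, Table 1 values for the signature owner and timestamp.
# The signtool call stands in for your HSM; replace it with the HSM workflow
# and keep the verification that follows it.

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Pkcs

$owner    = [Guid]'DEF16466-F946-4E71-BE22-CF8B1B7B36A0'
$time     = '2016-02-01T13:30:00Z'
$pkCert   = '.\PK.CER'
$content  = '.\PK_SigList.bin'                       # formatted signature list
$signable = '.\PK_SigList_Serialization_for_PK.bin'  # the bytes that get signed
$signed   = "$signable.p7"                           # detached PKCS#7 from signing
$package  = '.\PK_NewKey_Import_PK.bin'              # time-authenticated variable

# Step 1: format the PK certificate with the Table 1 switches.
Format-SecureBootUEFI -Name PK -SignatureOwner $owner -Time $time `
    -ContentFilePath $content -FormatWithCert -Certificate $pkCert `
    -SignableFilePath $signable | Out-Null

# Step 2: sign the serialization with the new PK's private key (Figure 13).
# Prompting for the PFX password is a placeholder for the HSM signing step.
$pfxPassword = Read-Host -Prompt 'PFX password'
& signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 `
    /p7ce DetachedSignedData /a /f .\PK.PFX /p $pfxPassword $signable
if ($LASTEXITCODE -ne 0) { throw "signtool failed (exit code $LASTEXITCODE)" }

# Step 2b (hypothetical helper): check the signature that came back before
# building anything from it. The detached PKCS#7 must verify over the
# serialization bytes and must have been produced by the PK certificate
# itself, which is what the page requires for the new PK.
function Test-PkSignature {
    param([string]$SerializationPath, [string]$SignaturePath, [string]$CertPath)

    $data = [IO.File]::ReadAllBytes($SerializationPath)
    $info = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$data)
    $cms  = New-Object System.Security.Cryptography.Pkcs.SignedCms ($info, $true)
    $cms.Decode([IO.File]::ReadAllBytes($SignaturePath))
    $cms.CheckSignature($true)   # throws if the signature does not cover $data

    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $signer   = $cms.SignerInfos[0].Certificate
    if ($signer.Thumbprint -ne $expected.Thumbprint) {
        throw "Serialization was signed by '$($signer.Subject)', not by the PK certificate"
    }
    return $true
}
Test-PkSignature -SerializationPath $signable -SignaturePath $signed -CertPath $pkCert | Out-Null

# Step 3: build the time-authenticated variable package on disk only
# (-OutputFilePath); nothing is written to firmware at this point.
Set-SecureBootUEFI -Name PK -Time $time -ContentFilePath $content `
    -SignedFilePath $signed -OutputFilePath $package | Out-Null

Write-Host "PK import package written to $package ($((Get-Item $package).Length) bytes)"
```

The -Time value passed to Set-SecureBootUEFI must be the same timestamp used when formatting, since it is part of the data the signature covers; using a different value produces a package the firmware will reject. The thumbprint comparison matters most when the signing is outsourced to an HSM team: it catches a serialization signed with the wrong key before the package is ever presented to a platform.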