Secure Boot Customization Guide - Technical whitepaper
© Copyright 2017 HP Development Company, L.P. 
2 Setting up a customized Secure Boot environment 26 
Again, it is the SignableFilePath file, in this case NewHpDb_SigList_Serialization_for_DB.bin, that is submitted to your HSM
solution for signing. This file must be signed with the private key of your new KEK, which has already been imported into the
Secure Boot database. A proper signing command for NewHpDb_SigList_Serialization_for_DB.bin, if using a PFX file [6], is as
follows. In this case, signtool must be in your path:

    signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f .\KEK.PFX /p <password> NewHpDb_SigList_Serialization_for_DB.bin

Figure 29  Command line to sign signature list for DB

Replace <password> with the actual private key password for your PFX file. The result of the above command is a KEK-signed
DB certificate serialized into a file called NewHpDb_SigList_Serialization_for_DB.bin.p7. If you signed through your HSM
provider instead, use the signed file that the provider returns.

Once you have the new KEK-signed certificate for your Secure Boot DB, it is ready for import to your platform. Importing is
done with the Set-SecureBootUEFI command inside Windows PowerShell.

Set-SecureBootUEFI command line parameter | Meaning
-Name DB | Indicates that you are working with the collection of certificates in your Secure Boot database (DB).
-Time 2016-02-01T13:30:00Z | Specifies the current date and time; this parameter is required.
-ContentFilePath .\NewHpDb_SigList.bin | Specifies the name of the file which contains the unsigned, formatted DB certificate.
-SignedFilePath .\NewHpDb_SigList_Serialization_for_DB.bin.p7 | Specifies the name of the file which contains the signed, formatted DB certificate.
-OutputFilePath .\NewHpDb_Output_for_DB.bin | Specifies the file which will contain the output of the command upon successful completion.
Table 14  Command line switches to import KEK-signed certificate

If successful, the command should produce output similar to the following:

Figure 30  Successful import

Note that this command adds another certificate to the Secure Boot database (DB). It does not overwrite the existing set of
certificates. This command creates a valid SetVariable() package in DB_NewKey_ImportDB.bin but does not set that value
into the BIOS.

[6] This would be the approach if you used self-signed certificates, but it is strongly recommended that you perform the same action in the
context of your own HSM provider.
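As an added example (not from the HP guide), the following PowerShell session stages the package with the switches from Table 14 and then decodes the EFI_SIGNATURE_LIST bytes so you can see which certificate is about to be added and which certificates the live DB currently holds. The helper function and its name are assumptions; the file names are those from the table, and the session must run elevated on a UEFI system with the SecureBoot module available.

```powershell
# Added example, not HP's code. Assumes the Table 14 files are in the current directory.
Import-Module SecureBoot

# Decodes one or more EFI_SIGNATURE_LISTs and returns the X.509 certificates they contain.
# Layout per list: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) |
# SignatureSize (4) | header | N x (SignatureOwner GUID (16) + SignatureData).
function Get-EfiX509Certificate {
    param([byte[]]$Bytes)
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $certs  = @()
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid][byte[]]$Bytes[$offset..($offset + 15)]
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Malformed sizes would otherwise loop forever or index past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) { break }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            if ($type -eq $x509Guid) {
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]   # skip SignatureOwner
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $pos += $sigSize
        }
        $offset = $end
    }
    return $certs
}

# 1. Sanity-check the unsigned content file: this is the certificate the package will add.
$content = [IO.File]::ReadAllBytes((Resolve-Path .\NewHpDb_SigList.bin))
Get-EfiX509Certificate -Bytes $content | Select-Object Subject, Thumbprint, NotAfter

# 2. Build the SetVariable() package from Table 14. With -OutputFilePath the package is
#    written to disk only; the firmware variable is not changed by this step.
Set-SecureBootUEFI -Name DB -Time '2016-02-01T13:30:00Z' `
    -ContentFilePath .\NewHpDb_SigList.bin `
    -SignedFilePath  .\NewHpDb_SigList_Serialization_for_DB.bin.p7 `
    -OutputFilePath  .\NewHpDb_Output_for_DB.bin

# 3. List what the live DB holds right now; the new certificate should NOT appear yet.
$db = Get-SecureBootUEFI -Name DB
Get-EfiX509Certificate -Bytes $db.Bytes | Select-Object Subject, Thumbprint, NotAfter
```

Re-run step 3 after the package has been applied to the firmware to confirm the new DB certificate was appended rather than replacing the existing entries.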