Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Integrated Dell Remote Access Controller 9 (iDRAC9) Version User's Guide

Secure Boot Configuration from BIOS Settings (F2)

UEFI Secure Boot is a technology that eliminates a major security void that may occur during a handoff between the UEFI firmware and UEFI operating system (OS). In UEFI Secure Boot, each component in the chain is validated and authorized against a specific certificate before it is allowed to load or run. Secure Boot removes the threat and provides software identity checking at every step of the boot—Platform firmware, Option Cards, and OS BootLoader.

The Unified Extensible Firmware Interface (UEFI) Forum—an industry body that develops standards for pre-boot software—defines Secure Boot in the UEFI specification. Computer system vendors, expansion card vendors, and operating system providers collaborate on this specification to promote interoperability. As a portion of the UEFI specification, Secure Boot represents an industry-wide standard for security in the pre-boot environment.

When enabled, UEFI Secure Boot prevents the unsigned UEFI device drivers from being loaded, displays an error message, and does not allow the device to function. You must disable Secure Boot to load the unsigned device drivers.

On the Dell 14th generation and later versions of PowerEdge servers, you can enable or disable the Secure Boot feature by using different interfaces (RACADM, WSMAN, REDFISH, and LC-UI).

Acceptable file formats

The Secure Boot policy contains only one key in PK, but multiple keys may reside in KEK. Ideally, either the platform manufacturer or platform owner maintains the private key corresponding to the public PK. Third parties (such as OS providers and device providers) maintain the private keys corresponding to the public keys in KEK. In this way, platform owners or third parties may add or remove entries in the db or dbx of a specific system.

The Secure Boot policy uses db and dbx to authorize pre-boot image file execution. For an image file to get executed, it must associate with a key or hash value in db, and not associate with a key or hash value in dbx. Any attempts to update the contents of db or dbx must be signed by a private PK or KEK. Any attempts to update the contents of PK or KEK must be signed by a private PK.

Policy Component Acceptable File Formats Acceptable File Extensions Max records allowed
PK X.509 Certificate (binary DER format only)
  1. .cer 
  2. .der
  3. .crt

X.509 Certificate (binary DER format only)

Public Key Store

  1. .cer 
  2. .der 
  3. .crt 
  4. .pbk 
More than one
DB and DBX

X.509 Certificate (binary DER format only)

EFI image (system BIOS will calculate and import image digest)

  1. .cer 
  2. .der 
  3. .crt 
  4. .efi
More than one
The Secure Boot Settings feature can be accessed by clicking System Security under System BIOS Settings. To go to System BIOS Settings, press F2 when the company logo is displayed during POST.
  • By default, Secure Boot is in the Disabled mode and the Secure Boot policy is set to Standard. If the Secure Boot needs to be activated, the Secure Boot must be configured as Enabled.
  • When the Secure Boot mode is set to Standard, it indicates that the system has default certificates and image digests or hash loaded from the factory. These caters to the security of standard firmware, drivers, option-roms, and boot loaders.
  • In case a new driver or firmware has to be supported on the server then the respective certificate must be enrolled into the DB of Secure Boot certificate store. Therefore, Secure Boot Policy must be configured to Custom.

When the Secure Boot Policy is configured as Custom, it inherits the standard certificates and image digests loaded in the system by default, on which, you can make any modifications as necessary. Secure Boot Policy configured as Custom allows you to perform operations such as View, Export, Import, Delete, Delete All, Reset, and Reset All, by using which, you can configure the Secure Boot Policies according to your requirements.

Configuring the Secure Boot Policy to Custom enables the options to manage the certificate store by using various actions such as Export, Import, Delete, Delete All, Reset, and Rest All on PK, KEK, DB, and DBX. You can select the policy (PK / KEK / DB / DBX) on which you want to make the change and perform appropriate actions by clicking the respective link. Each section will have links to perform the Import, Export, Delete, and Reset operations. Links are enabled based on what is applicable, which depends on the configuration at the point of time. Delete All and Reset All are the operations that have impact on all the policies. Delete All deletes all the certificates and image digests in the Custom policy, and Rest All restores all the certificates and image digests from Standard or Default certificate store.

Rate this content

Easy to understand
Was this article helpful?
0/3000 characters
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please select whether the article was helpful or not.
  Comments cannot contain these special characters: <>()\