Secure Boot
Configuration from BIOS Settings or F2
UEFI Secure Boot is a technology that eliminates a
major security void that may occur during a handoff between the UEFI
firmware and UEFI operating system (OS). In UEFI Secure Boot, each
component in the chain is validated and authorized against a specific
certificate before it is allowed to load or run. Secure Boot removes
the threat and provides software identity checking at every
step of the boot—Platform firmware, Option Cards, and OS BootLoader.
The Unified Extensible Firmware Interface (UEFI) Forum—an
industry body that develops standards for pre-boot software—defines
Secure Boot in the UEFI specification. Computer system vendors, expansion
card vendors, and operating system providers collaborate on this specification
to promote interoperability. As a portion of the UEFI specification,
Secure Boot represents an industry-wide standard for security in the
pre-boot environment.
When enabled, UEFI Secure Boot prevents the unsigned
UEFI device drivers from being loaded, displays an error message,
and does not allow the device to function. You must disable Secure
Boot to load the unsigned device drivers.
On the Dell 14th generation and later versions
of PowerEdge servers, you can enable or disable the Secure Boot feature
by using different interfaces (RACADM, WSMAN, REDFISH, and LC-UI).
Acceptable file formats
The Secure Boot policy contains only one key in PK, but multiple
keys may reside in KEK. Ideally, either the platform manufacturer
or platform owner maintains the private key corresponding to the public
PK. Third parties (such as OS providers and device providers) maintain
the private keys corresponding to the public keys in KEK. In this
way, platform owners or third parties may add or remove entries in
the db or dbx of a specific system.
The Secure Boot
policy uses db and dbx to authorize pre-boot image file execution.
For an image file to get executed, it must associate with a key or
hash value in db, and not associate with a key or hash value in dbx.
Any attempts to update the contents of db or dbx must be signed by
a private PK or KEK. Any attempts to update the contents of PK or
KEK must be signed by a private PK.
EFI image (system BIOS will calculate and
import image digest)
.cer
.der
.crt
.efi
More than one
The Secure Boot Settings feature can be accessed by clicking
System Security under System BIOS Settings. To go to System BIOS Settings,
press F2 when the company logo is displayed during POST.
By default, Secure Boot is Disabled and the Secure
Boot policy is set to Standard. To configure the Secure Boot Policy, you must enable Secure Boot.
When the Secure Boot mode is set to Standard, it indicates that the system has default
certificates and image digests or hash loaded from the factory. This
caters to the security of standard firmware, drivers, option-roms,
and boot loaders.
To support a new driver or firmware on a server, the respective certificate must be enrolled into the DB of Secure
Boot certificate store. Therefore, Secure Boot Policy must be configured
to Custom.
When the Secure Boot Policy is configured as Custom, it
inherits the standard certificates and image digests loaded in the
system by default, which you can modify.
Secure Boot Policy configured as Custom allows you to perform operations
such as View, Export, Import, Delete, Delete All, Reset, and Reset
All. Using these operations, you can configure the Secure Boot Policies.
Configuring the Secure Boot Policy to
Custom enables the options to manage the certificate store by using
various actions such as Export, Import, Delete, Delete All, Reset,
and Rest All on PK, KEK, DB, and DBX. You can select the policy (PK
/ KEK / DB / DBX) on which you want to make the change and perform
appropriate actions by clicking the respective link. Each section
will have links to perform the Import, Export, Delete, and Reset operations.
Links are enabled based on what is applicable, which depends on the
configuration at the point of time. Delete All and Reset All are the
operations that have impact on all the policies. Delete All deletes
all the certificates and image digests in the Custom policy, and Rest
All restores all the certificates and image digests from Standard
or Default certificate store.
Data is not available for the Topic
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\