BIOS menu

Index

- Enable Secure Boot
- Disable Secure Boot
- Enter Secure Boot key management menu
- Add Secure Boot Certificate
- Boot EFI file
- Remove all Secure Boot keys
- Check enrolled keys
Dasharo
Enable Secure Boot in Dasharo

- Enter BIOS Setup Menu
- Enter `Device Manager` menu
- Enter `Secure Boot Configuration` menu
- Select `Enable Secure Boot`

    /------------------------------------------------------------------------------\
    |                          Secure Boot Configuration                           |
    \------------------------------------------------------------------------------/
      Current Secure Boot State   Disabled                 Enable/Disable the
      Enable Secure Boot          [X]                      Secure Boot feature
      Secure Boot Mode            <Standard Mode>          after platform reset

- `Current Secure Boot State` should be `Enabled` after rebooting the platform (the setting only takes effect after a platform reset, as the help text says)
Disable Secure Boot in Dasharo

- Enter BIOS Setup Menu
- Enter `Device Manager` menu
- Enter `Secure Boot Configuration` menu
- Deselect `Enable Secure Boot`
- `Current Secure Boot State` should be `Disabled` after rebooting the platform
Enter Secure Boot key management menu in Dasharo

- Enter BIOS Setup Menu
- Enter `Device Manager` menu
- Enter `Secure Boot Configuration` menu
- Select `Secure Boot Mode` and choose `Custom Mode`

    /------------------------------------------------------------------------------\
    |                          Secure Boot Configuration                           |
    \------------------------------------------------------------------------------/
      Secure Boot Mode            <Standard Mode>
                                  /------------------\
                                  | Standard Mode    |
                                  | Custom Mode      |
                                  \------------------/

- Enter `Advanced Secure Boot Keys Management` menu. This entry is only shown once `Custom Mode` is selected; in `Standard Mode` the key databases cannot be edited from setup.
Add Secure Boot Certificate in Dasharo

- Enter Secure Boot key management menu
- Enter `DB Options` menu
- Enter `Enroll Signature` menu
- Enter `Enroll Signature Using File` menu
- Choose the device containing the tests. It should be labeled `tests`.

    /------------------------------------------------------------------------------\
    |                                File Explorer                                 |
    \------------------------------------------------------------------------------/
    > tests, [PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(1,GPT,B629C319-9A22-4D85-9026-904C0422BB9E,0x800,0x4000)]

- Select the correct file and press Enter. The certificate must be in DER form (here `cert.der`).

    /------------------------------------------------------------------------------\
    |                                File Explorer                                 |
    \------------------------------------------------------------------------------/
    > ***NEW FILE***
    > ***NEW FOLDER***
    > <SBO003.001>
    > <SBO004.001>
    > <SBO008.001>
    > <SBO009.001>
    > <SBO010.001>
    > <SBO010.002>
    > <SBO010.003>
    > <SBO010.004>
    > <SBO010.005>
    > <SBO010.006>
    > <SBO011.001>
    v

    /------------------------------------------------------------------------------\
    |                                File Explorer                                 |
    \------------------------------------------------------------------------------/
    > ***NEW FILE***
    > ***NEW FOLDER***
    > <.>
    > <..>
      cert.der
      hello.efi

- Select `Commit Changes and Exit` and press Enter. `Signature GUID` is the owner GUID stored next to the certificate in db; it is what the key management menu later lists for this entry.

    /------------------------------------------------------------------------------\
    |                               Enroll Signature                               |
    \------------------------------------------------------------------------------/
    > Enroll Signature Using File    cert.der                Commit Changes and
      Signature GUID                 _                       Exit
    > Commit Changes and Exit
    > Discard Changes and Exit
Boot EFI file in Dasharo

- Enter BIOS setup menu
- Enter `One Time Boot` menu
- Choose the boot entry you want to boot.

    /------------------------------------------------------------------------------\
    |                                One Time Boot                                 |
    \------------------------------------------------------------------------------/
      SBO013.001/hello.efi            Device Path :
      SBO013.001/LockDown.efi         HD(1,GPT,B629C319-9A22-4D85-9026-904C0422BB9E,
      SBO011.001/hello.efi            0x800,0x4000)/SBO003.001\hello.efi
      SBO010.006/hello.efi
      SBO010.005/hello.efi
      SBO010.004/hello.efi
      SBO010.003/hello.efi
      SBO010.002/hello.efi
      SBO010.001/hello.efi
      SBO009.001/hello.efi
      SBO008.001/hello.efi
      SBO004.001/hello.efi
      SBO003.001/hello.efi
    v
Remove all Secure Boot keys in Dasharo

- Enter Secure Boot key management menu
- Select `Erase all Secure Boot Keys` and press Enter
- Accept the prompt. Note that this erases PK, KEK, db and dbx together and leaves Secure Boot disabled, so every key has to be re-enrolled before Secure Boot can be enforced again.

    /---------------------------------------------------------------------\
    |                                INFO                                 |
    |---------------------------------------------------------------------|
    |Secure Boot Keys & databases will be erased and Secure Boot disabled.|
    |                            Are you sure?                            |
    |                                                                     |
    |                        [ Yes ]        [ No ]                        |
    \---------------------------------------------------------------------/
Check enrolled keys in Dasharo

- Enter Secure Boot key management menu
- Enter `<x> Options`, where `<x>` is the key type you want to verify (for example `DB Options`)
- Select `Delete Signature`
- You should see the GUIDs of the enrolled keys

    /------------------------------------------------------------------------------\
    |                               Delete Signature                               |
    \------------------------------------------------------------------------------/
      [ ] PKCS7_GUID                 8BE4DF61-93CA-11D2-AA0D-00E098032B8C

- Press `ESC` to exit. Leave the checkboxes unticked: this is the deletion dialog, so only use it to read the list.
AMI
Enable Secure Boot in AMI

- Enter BIOS Setup Menu
- Go to `Security` tab
- Enter `Secure Boot` menu
- Set `Secure Boot` option to `Enabled`

    Aptio Setup - AMI
    Security
    ┌────────────────────────────────────────────────────┐
    │ System Mode                 User                   │
    │                                                    │
    │ Secure Boot                 [Enabled]              │
    │                             Active                 │
    │                                                    │
    │ Secure Boot Mode            [Custom]               │
    │► Restore Factory Keys                              │
    │► Reset To Setup Mode       ┌─── Secure Boot ────┐  │
    │                            │ Disabled           │  │
    │► Key Management            │ Enabled            │  │
    │                            └────────────────────┘  │
    │                                                    │
    └────────────────────────────────────────────────────┘

- Secure Boot should be `Active` after saving changes and rebooting
Disable Secure Boot in AMI

- Enter BIOS Setup Menu
- Go to `Security` tab
- Enter `Secure Boot` menu
- Set `Secure Boot` option to `Disabled`
- Secure Boot should be `Not Active` after saving changes and rebooting
Enter Secure Boot key management menu in AMI

- Enter BIOS Setup Menu
- Go to `Security` tab
- Enter `Secure Boot` menu
- Make sure that `Secure Boot Mode` is set to `Custom`
- Enter `Key Management` menu
Add Secure Boot Certificate in AMI

To add a db certificate:

- Enter Secure Boot key management menu
- Enter `Authorized Signatures (db)` menu

    │ Secure Boot variable        | Size| Keys| Key Source │
    │► Platform Key (PK)          | 1575|    1| Factory    │
    │► Key Exchange Keys (KEK)    | 3066|    2| Factory    │
    │► Authorized Signatures (db) | 6133|    4| Factory    │

- Choose `Append`. Use `Append` rather than `Update`: `Update` replaces the current db contents, `Append` adds to them, so the factory certificates stay enrolled.

    ┌───────────────────────────────────┐
    │    Authorized Signatures (db)     │
    │───────────────────────────────────│
    │ Details                           │
    │ Export                            │
    │ Update                            │
    │ Append                            │
    │ Delete                            │
    └───────────────────────────────────┘

- Choose `No` to load from external media

    ┌──────────────── Append ─────────────────┐
    │                                          │
    │ Press 'Yes' to load factory default 'db' │
    │ or 'No' to load it from a                │
    │ file on external media                   │
    │                                          │
    ├──────────────────────────────────────────┤
    │           Yes              No            │
    └──────────────────────────────────────────┘

- Choose the filesystem containing the certificate you want to enroll. For a USB flash drive the device path contains `USB`:

    ┌────────────────────────────────────────────────────────────────────────────┐
    │                             Select a File system                           │
    │────────────────────────────────────────────────────────────────────────────│
    │ PciRoot(0x0)/Pci(0x14,0x0)/USB(0x4,0x2)/HD(1,GPT,B629C319-9A22-4D85-9026-9 │
    │ PciRoot(0x0)/Pci(0x1A,0x0)/eMMC(0x0)/HD(2,GPT,8DF343A2-42D9-4198-BB66-C87A │
    └────────────────────────────────────────────────────────────────────────────┘

- Select the correct file

    ┌──────────────────────┐
    │     Select File      │
    │──────────────────────│
    │ add-boot-options.sh ▲│
    │ <SBO013.002>        █│
    │ <SBO013.001>        █│
    │ <SBO011.001>        █│
    │ <SBO010.006>        █│
    │ <SBO010.005>        █│
    │ <SBO010.004>        █│
    │ <SBO010.003>        █│
    │ <SBO010.002>        █│
    │ <SBO010.001>        █│
    │ <SBO009.001>        ░│
    │ <SBO008.001>        ▼│
    └──────────────────────┘

    ┌────────────────────┐
    │    Select File     │
    │────────────────────│
    │ <.>                │
    │ <..>               │
    │ hello.efi          │
    │ cert.der           │
    └────────────────────┘

- Select `Public Key Certificate` (the format matching `cert.der`; `EFI PE/COFF Image` would instead enroll the hash of a binary)

    ┌──────────────────────────┐
    │    Input File Format     │
    │──────────────────────────│
    │ Public Key Certificate   │
    │ Authenticated Variable   │
    │ EFI PE/COFF Image        │
    └──────────────────────────┘

- Accept the default owner GUID

    ┌──────────────────────────────────────────────────┐
    │           Enter Certificate Owner GUID           │
    │──────────────────────────────────────────────────│
    │ GUID [26DC4851-195F-4AE1-9A19-FBF883BBB35E]      │
    └──────────────────────────────────────────────────┘

- Select `Yes` to enroll the certificate

    ┌───────────────── Append ─────────────────┐
    │                                           │
    │ Press 'Yes' to update 'db' with content   │
    │ from cert.der                             │
    │                                           │
    ├───────────────────────────────────────────┤
    │           Yes              No             │
    └───────────────────────────────────────────┘

If everything went OK you should see

    ┌── Append ───┐
    │              │
    │   Success    │
    │              │
    ├──────────────┤
    │      Ok      │
    └──────────────┘

and the number of keys in the db row has changed (the `Key Source` column switches from `Factory` to `Mixed` once a non-factory certificate is present):

    ► Authorized Signatures (db) | 6960|    5| Mixed
Boot EFI file in AMI

- Enter BIOS setup menu
- Enter `Save & Exit` tab
- Choose the boot entry you want to boot from the `Boot Override` list.

    │ Boot Override                                        █│
    │ ubuntu (eMMC PJ3032)                                 █│
    │ SBO003.001/hello.efi (PiKVM CD-ROM Drive 0606)       ░│
    │ SBO004.001/hello.efi (PiKVM CD-ROM Drive 0606)       ░│
    │ SBO008.001/hello.efi (PiKVM CD-ROM Drive 0606)       ░│
Remove all Secure Boot keys in AMI

- Enter Secure Boot Key Management menu
- Choose `Reset To Setup Mode` and choose `Yes`
- If you are asked whether you want to `reset without saving`, you can choose `No`
- After that there should be no keys enrolled. With the PK gone the platform is in Setup Mode, so Secure Boot is no longer enforced until a PK is enrolled again (for example with `Restore Factory Keys`).

    ┌────────────────────────────────────────────────────┐
    │ Vendor Keys Modified                               │
    │                                                    │
    │ Factory Key Provision       [Disabled]             │
    │► Restore Factory Keys                              │
    │► Reset To Setup Mode                               │
    │► Enroll Efi Image                                  │
    │► Export Secure Boot variables                      │
    │                                                    │
    │ Secure Boot variable        | Size| Keys| Key      │
    │                             |     |     | Source   │
    │► Platform Key (PK)          |    0|    0| No Keys  │
    │► Key Exchange Keys (KEK)    |    0|    0| No Keys  │
    │► Authorized Signatures (db) |    0|    0| No Keys  │
    │► Forbidden Signatures(dbx)  |    0|    0| No Keys  │
    │► Authorized TimeStamps(dbt) |    0|    0| No Keys  │
    │► OsRecovery Signatures(dbr) |    0|    0| No Keys  │
    └────────────────────────────────────────────────────┘
Check enrolled keys in AMI

- Enter Secure Boot Key Management menu
- Enter the menu for the key database you want to check

    │ Secure Boot variable        | Size| Keys| Key Source │
    │► Platform Key (PK)          | 1575|    1| Factory    │
    │► Key Exchange Keys (KEK)    | 3066|    2| Factory    │
    │► Authorized Signatures (db) | 6133|    4| Factory    │
    │► Forbidden Signatures(dbx)  |17836|  371| Factory    │
    │► Authorized TimeStamps(dbt) |    0|    0| No Keys    │
    │► OsRecovery Signatures(dbr) |    0|    0| No Keys    │

- Select `Details`

    /-----------------------------------\
    |    Authorized Signatures (db)     |
    |-----------------------------------|
    | Details                           |
    | Export                            |
    | Update                            |
    | Append                            |
    | Delete                            |
    \-----------------------------------/

- You can select a key if you want to see the whole owner GUID

    ┌────────────────────────────────────────────────────────────────────────────┐
    │                         Authorized Signatures (db)                         │
    │────────────────────────────────────────────────────────────────────────────│
    │ List| Sig.Type|Count| Size| Owner GUID  | Certificate Legend               │
    │    1| X.509   |    1| 1448| 77FA9ABD-...| Microsoft UEFI CA 2023           │
    │    2| X.509   |    1| 1454| 77FA9ABD-...| Windows UEFI CA 2023             │
    │    3| X.509   |    1| 1556| 77FA9ABD-...| Microsoft Corporation UEFI CA 20 │
    │    4| X.509   |    1| 1499| 77FA9ABD-...| Microsoft Windows Production PCA │
    │    5| X.509   |    1|  783| 26DC4851-...| 3mdeb_test                       │
    └────────────────────────────────────────────────────────────────────────────┘

    ┌── Owner GUID | Certificate Legend ──┐
    │                                      │
    │ 26DC4851-195F-4AE1-9A19-FBF883BBB35E │
    │ 3mdeb_test                           │
    │                                      │
    └──────────────────────────────────────┘
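The Dasharo and AMI menus above are the firmware-side view of the same UEFI variables, and the enabled state and the enrolled keys can be cross-checked from a booted Linux without going back into setup. The script below is an added example written for this page, not Dasharo, AMI or 3mdeb code. It assumes efivarfs is mounted at `/sys/firmware/efi/efivars` (the efivar GUIDs are the ones from the UEFI specification; `EFI_GLOBAL_VARIABLE` is the GUID visible in the Dasharo `Delete Signature` screen) and, when run off a UEFI machine, it falls back to a constructed sample db: the AMI default owner GUID, a 783-byte placeholder standing in for `cert.der` (not a real certificate) and two SHA-256 hash entries.

```python
#!/usr/bin/env python3
"""Read SecureBoot/SetupMode and walk db/dbx EFI_SIGNATURE_LIST chains from Linux.

Added example for this page (not Dasharo/AMI/3mdeb code). Assumes efivarfs at
/sys/firmware/efi/efivars; SAMPLE_DB below is constructed data for the demo.
"""
import struct
import uuid

# GUIDs from the UEFI specification.  EFI_GLOBAL_VARIABLE is the one the Dasharo
# "Delete Signature" screen shows; the other three name the db/dbx namespace and
# the two signature-list types handled here.
EFI_GLOBAL_VARIABLE = uuid.UUID("8BE4DF61-93CA-11D2-AA0D-00E098032B8C")
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("D719B2CB-3D3A-4596-A3BC-DAD00E67656F")
EFI_CERT_X509_GUID = uuid.UUID("A5C059A1-94E4-4AA7-87B5-AB155C2BF072")
EFI_CERT_SHA256_GUID = uuid.UUID("C1C41626-504C-4092-ACA9-41F936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X.509", EFI_CERT_SHA256_GUID: "SHA256"}

EFIVARS = "/sys/firmware/efi/efivars"      # assumption: efivarfs mount point
SIG_LIST_HDR = struct.Struct("<16sIII")    # EFI_SIGNATURE_LIST header: type GUID,
                                           # SignatureListSize, SignatureHeaderSize,
                                           # SignatureSize (28 bytes)


def strip_attributes(raw):
    """efivarfs prefixes every variable with a little-endian UINT32 of attributes."""
    if len(raw) < 4:
        raise ValueError("short efivarfs record")
    return raw[4:]


def read_efivar(name, guid):
    """Return a variable's contents (attribute word removed), e.g. ('db', EFI_IMAGE_SECURITY_DATABASE)."""
    with open(f"{EFIVARS}/{name}-{str(guid).lower()}", "rb") as f:
        return strip_attributes(f.read())


def secure_boot_state(data):
    """Map the 1-byte SecureBoot variable to the wording used in the setup menus."""
    if len(data) != 1:
        raise ValueError("SecureBoot must be exactly one byte")
    return "Enabled" if data[0] == 1 else "Disabled"


def setup_mode(data):
    """True when SetupMode == 1, i.e. no PK is enrolled (what 'Reset To Setup Mode' leaves behind)."""
    if len(data) != 1:
        raise ValueError("SetupMode must be exactly one byte")
    return data[0] == 1


def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain of db/dbx; one dict per enrolled signature."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = data[off + SIG_LIST_HDR.size + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:   # each entry: 16-byte owner + data
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)      # UEFI GUIDs use the mixed-endian layout
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type).upper()),
                "owner": str(uuid.UUID(bytes_le=body[i:i + 16])).upper(),
                "size": sig_size - 16,               # SignatureData length (DER cert or hash)
            })
        off += list_size
    return entries


def x509_growth(cert_len):
    """Bytes db grows by when one DER certificate is appended as its own list."""
    return SIG_LIST_HDR.size + 16 + cert_len


def build_signature_list(sig_type, owner, sig_datas):
    """Serialize one EFI_SIGNATURE_LIST (no signature header); used only to build the sample."""
    sig_size = 16 + len(sig_datas[0])
    if any(len(d) + 16 != sig_size for d in sig_datas):
        raise ValueError("all SignatureData in one list must be the same size")
    body = b"".join(owner.bytes_le + d for d in sig_datas)
    return SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample: AMI's default owner GUID, a 783-byte placeholder instead of a
# real cert.der, plus two SHA-256 hash entries (as dbx or an "Enroll Efi Image" would add).
TEST_OWNER = uuid.UUID("26DC4851-195F-4AE1-9A19-FBF883BBB35E")
FAKE_CERT = b"\x30\x82\x03\x0b" + b"\x00" * 779
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, TEST_OWNER, [FAKE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, TEST_OWNER, [bytes(range(32)), bytes(32)]))


def print_table(entries):
    """Same columns as the AMI 'Details' screen."""
    print(f"{'List':>4}| {'Sig.Type':8}| {'Size':>5}| Owner GUID")
    for n, e in enumerate(entries, 1):
        print(f"{n:>4}| {e['type']:8}| {e['size']:>5}| {e['owner']}")


if __name__ == "__main__":
    try:
        print("SecureBoot:", secure_boot_state(read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE)))
        print("SetupMode :", setup_mode(read_efivar("SetupMode", EFI_GLOBAL_VARIABLE)))
        print_table(parse_signature_lists(read_efivar("db", EFI_IMAGE_SECURITY_DATABASE)))
    except OSError:
        print("efivarfs not available, parsing the constructed sample db instead")
        print_table(parse_signature_lists(SAMPLE_DB))
```

The size arithmetic matches what the AMI table shows: appending the 783-byte `3mdeb_test` certificate moved db from 6133 to 6960 bytes, which is exactly the 28-byte list header plus the 16-byte owner GUID plus the certificate. On a real machine the same listing can be obtained with `efi-readvar -v db` from efitools; the parser here is useful when you want to script the check or inspect a `db` blob exported from setup.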