# BIOS menu

Index:

- Enable Secure Boot
- Disable Secure Boot
- Enter Secure Boot key management menu
- Add Secure Boot Certificate
- Boot EFI file
- Remove all Secure Boot keys
- Check enrolled keys
## Dasharo

### Enable Secure Boot in Dasharo

- Enter BIOS Setup Menu
- Enter `Device Manager` menu
- Enter `Secure Boot Configuration` menu
- Select `Enable Secure Boot`

    ```
    /------------------------------------------------------------------------------\
    |                          Secure Boot Configuration                           |
    \------------------------------------------------------------------------------/
      Current Secure Boot State    Disabled              Enable/Disable the
      Enable Secure Boot           [X]                   Secure Boot feature
      Secure Boot Mode             <Standard Mode>       after platform reset
    ```

- `Current Secure Boot State` should be `Enabled` after rebooting the platform
### Disable Secure Boot in Dasharo

- Enter BIOS Setup Menu
- Enter `Device Manager` menu
- Enter `Secure Boot Configuration` menu
- Deselect `Enable Secure Boot`
- `Current Secure Boot State` should be `Disabled` after rebooting the platform
### Enter Secure Boot key management menu in Dasharo

- Enter BIOS Setup Menu
- Enter `Device Manager` menu
- Enter `Secure Boot Configuration` menu
- Select `Secure Boot Mode` and choose `Custom Mode`

    ```
      Secure Boot Mode             <Standard Mode>
                                   /------------------\
                                   | Standard Mode    |
                                   | Custom Mode      |
                                   \------------------/
    ```

- Enter `Advanced Secure Boot Keys Management` menu
### Add Secure Boot Certificate in Dasharo

- Enter Secure Boot key management menu
- Enter `DB Options` menu
- Enter `Enroll Signature` menu
- Enter `Enroll Signature Using File` menu
- Choose the device containing the tests. It should be labeled `tests`.

    ```
    /------------------------------------------------------------------------------\
    |                                File Explorer                                 |
    \------------------------------------------------------------------------------/
      > tests, [PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(
        1,GPT,B629C319-9A22-4D85-9026-904C0422BB9E,0x800,0x4
        000)]
    ```

- Select the correct file and press enter

    ```
    /------------------------------------------------------------------------------\
    |                                File Explorer                                 |
    \------------------------------------------------------------------------------/
      > ***NEW FILE***
      > ***NEW FOLDER***
      > <SBO003.001>
      > <SBO004.001>
      > <SBO008.001>
      > <SBO009.001>
      > <SBO010.001>
      > <SBO010.002>
      > <SBO010.003>
      > <SBO010.004>
      > <SBO010.005>
      > <SBO010.006>
      > <SBO011.001>
    v
    \------------------------------------------------------------------------------/
    ```

    ```
    /------------------------------------------------------------------------------\
    |                                File Explorer                                 |
    \------------------------------------------------------------------------------/
      > ***NEW FILE***
      > ***NEW FOLDER***
      > <.>
      > <..>
        cert.der
        hello.efi
    ```

- Select `Commit Changes and Exit` and press enter

    ```
    /------------------------------------------------------------------------------\
    |                               Enroll Signature                               |
    \------------------------------------------------------------------------------/
      > Enroll Signature Using File                         Commit Changes and
        cert.der                                            Exit
        Signature GUID                _
      > Commit Changes and Exit
      > Discard Changes and Exit
    \------------------------------------------------------------------------------/
    ```
### Boot EFI file in Dasharo

- Enter BIOS setup menu
- Enter `One Time Boot` menu
- Choose the boot entry you want to boot.

    ```
    /------------------------------------------------------------------------------\
    |                                One Time Boot                                 |
    \------------------------------------------------------------------------------/
      SBO013.001/hello.efi              Device Path :
      SBO013.001/LockDown.efi           HD(1,GPT,B629C319-9A22
      SBO011.001/hello.efi              -4D85-9026-904C0422BB9
      SBO010.006/hello.efi              E,0x800,0x4000)/SBO003
      SBO010.005/hello.efi              .001\hello.efi
      SBO010.004/hello.efi
      SBO010.003/hello.efi
      SBO010.002/hello.efi
      SBO010.001/hello.efi
      SBO009.001/hello.efi
      SBO008.001/hello.efi
      SBO004.001/hello.efi
      SBO003.001/hello.efi
    v
    \------------------------------------------------------------------------------/
    ```
### Remove all Secure Boot keys in Dasharo

- Enter Secure Boot key management menu
- Select `Erase all Secure Boot Keys` and press enter
- Accept the prompt

    ```
    /---------------------------------------------------------------------\
    |                                INFO                                 |
    |---------------------------------------------------------------------|
    |Secure Boot Keys & databases will be erased and Secure Boot disabled.|
    |                            Are you sure?                            |
    |                                                                     |
    |                         [ Yes ]    [ No ]                           |
    \---------------------------------------------------------------------/
    ```
### Check enrolled keys in Dasharo

- Enter Secure Boot key management menu
- Enter `<x> Options` menu, where `<x>` is the key type you want to verify
- Select `Delete Signature`.
- You should see the GUIDs of the enrolled keys

    ```
    /------------------------------------------------------------------------------\
    |                               Delete Signature                               |
    \------------------------------------------------------------------------------/
      [ ] PKCS7_GUID                     8BE4DF61-93CA-11D2-AA0D-00
                                         E098032B8C
    ```

- Press `ESC` to exit
## AMI

### Enable Secure Boot in AMI

- Enter BIOS Setup Menu
- Go to `Security` tab
- Enter `Secure Boot` menu
- Set `Secure Boot` option to `Enabled`

    ```
    Aptio Setup - AMI
      Security
    ┌────────────────────────────────────────────────────┐
    │ System Mode                  User                  │
    │                                                    │
    │ Secure Boot                  [Enabled]             │
    │                              Active                │
    │                                                    │
    │ Secure Boot Mode             [Custom]              │
    │► Restore Factory Keys                              │
    │► Reset To Setup Mode        ┌─── Secure Boot ────┐ │
    │                             │ Disabled           │ │
    │► Key Management             │ Enabled            │ │
    │                             └────────────────────┘ │
    │                                                    │
    └────────────────────────────────────────────────────┘
    ```

- Secure Boot should be `Active` after saving changes and rebooting
### Disable Secure Boot in AMI

- Enter BIOS Setup Menu
- Go to `Security` tab
- Enter `Secure Boot` menu
- Set `Secure Boot` option to `Disabled`
- Secure Boot should be `Not Active` after saving changes and rebooting
### Enter Secure Boot key management menu in AMI

- Enter BIOS Setup Menu
- Go to `Security` tab
- Enter `Secure Boot` menu
- Make sure that `Secure Boot Mode` is set to `Custom`
- Enter `Key Management` menu
### Add Secure Boot Certificate in AMI

To add a DB certificate:

- Enter Secure Boot key management menu
- Enter `Authorized Signatures (db)` menu

    ```
    │ Secure Boot variable        | Size| Keys| Key     │
    │                             |     |     | Source  │
    │► Platform Key (PK)          | 1575|    1| Factory │
    │► Key Exchange Keys (KEK)    | 3066|    2| Factory │
    │► Authorized Signatures (db) | 6133|    4| Factory │
    ```

- Choose `Append`

    ```
    ┌───────────────────────────────────┐
    │    Authorized Signatures (db)     │
    │───────────────────────────────────│
    │ Details                           │
    │ Export                            │
    │ Update                            │
    │ Append                            │
    │ Delete                            │
    └───────────────────────────────────┘
    ```

- Choose `No` to load from external media

    ```
    ┌──────────────── Append ─────────────────┐
    │                                         │
    │ Press 'Yes' to load factory default 'db'│
    │ or 'No' to load it from a               │
    │ file on external media                  │
    │                                         │
    ├─────────────────────────────────────────┤
    │           Yes            No             │
    └─────────────────────────────────────────┘
    ```

- Choose the filesystem containing the certificate you want to enroll. In the case of a pendrive, the path should contain `USB`

    ```
    ┌────────────────────────────────────────────────────────────────────────────┐
    │                             Select a File system                           │
    │────────────────────────────────────────────────────────────────────────────│
    │ PciRoot(0x0)/Pci(0x14,0x0)/USB(0x4,0x2)/HD(1,GPT,B629C319-9A22-4D85-9026-9 │
    │ PciRoot(0x0)/Pci(0x1A,0x0)/eMMC(0x0)/HD(2,GPT,8DF343A2-42D9-4198-BB66-C87A │
    └────────────────────────────────────────────────────────────────────────────┘
    ```

- Select the correct file

    ```
    ┌──────────────────────┐
    │     Select File      │
    │──────────────────────│
    │ add-boot-options.sh ▲│
    │ <SBO013.002>        █│
    │ <SBO013.001>        █│
    │ <SBO011.001>        █│
    │ <SBO010.006>        █│
    │ <SBO010.005>        █│
    │ <SBO010.004>        █│
    │ <SBO010.003>        █│
    │ <SBO010.002>        █│
    │ <SBO010.001>        █│
    │ <SBO009.001>        ░│
    │ <SBO008.001>        ▼│
    └──────────────────────┘
    ```

    ```
    ┌────────────────────┐
    │    Select File     │
    │────────────────────│
    │ <.>                │
    │ <..>               │
    │ hello.efi          │
    │ cert.der           │
    └────────────────────┘
    ```

- Select `Public Key Certificate`

    ```
    ┌──────────────────────────┐
    │    Input File Format     │
    │──────────────────────────│
    │ Public Key Certificate   │
    │ Authenticated Variable   │
    │ EFI PE/COFF Image        │
    └──────────────────────────┘
    ```

- Accept the default owner GUID

    ```
    ┌──────────────────────────────────────────────────┐
    │          Enter Certificate Owner GUID            │
    │──────────────────────────────────────────────────│
    │ GUID  [26DC4851-195F-4AE1-9A19-FBF883BBB35E]     │
    └──────────────────────────────────────────────────┘
    ```

- Select `Yes` to enroll the certificate

    ```
    ┌───────────────── Append ─────────────────┐
    │                                          │
    │ Press 'Yes' to update 'db' with content  │
    │ from cert.der                            │
    │                                          │
    ├──────────────────────────────────────────┤
    │           Yes             No             │
    └──────────────────────────────────────────┘
    ```

If everything went OK you should see

```
┌── Append ───┐
│             │
│   Success   │
│             │
├─────────────┤
│     Ok      │
└─────────────┘
```

and that the number of keys changed

```
► Authorized Signatures (db) | 6960|    5| Mixed
```
### Boot EFI file in AMI

- Enter BIOS setup menu
- Enter `Save & Exit` tab
- Choose the boot entry you want to boot.

    ```
    │ Boot Override                                        █│
    │ ubuntu (eMMC PJ3032)                                 █│
    │ SBO003.001/hello.efi (PiKVM CD-ROM Drive 0606)       ░│
    │ SBO004.001/hello.efi (PiKVM CD-ROM Drive 0606)       ░│
    │ SBO008.001/hello.efi (PiKVM CD-ROM Drive 0606)       ░│
    ```
### Remove all Secure Boot keys in AMI

- Enter Secure Boot Key Management menu
- Choose `Reset To Setup Mode` and choose `Yes`
- In case you are asked if you want to `reset without saving`, you can choose `No`
- After that there should be no keys enrolled

    ```
    ┌────────────────────────────────────────────────────┐
    │ Vendor Keys                  Modified              │
    │                                                    │
    │ Factory Key Provision        [Disabled]            │
    │► Restore Factory Keys                              │
    │► Reset To Setup Mode                               │
    │► Enroll Efi Image                                  │
    │► Export Secure Boot variables                      │
    │                                                    │
    │ Secure Boot variable        | Size| Keys| Key      │
    │                             |     |     | Source   │
    │► Platform Key (PK)          |    0|    0| No Keys  │
    │► Key Exchange Keys (KEK)    |    0|    0| No Keys  │
    │► Authorized Signatures (db) |    0|    0| No Keys  │
    │► Forbidden Signatures(dbx)  |    0|    0| No Keys  │
    │► Authorized TimeStamps(dbt) |    0|    0| No Keys  │
    │► OsRecovery Signatures(dbr) |    0|    0| No Keys  │
    └────────────────────────────────────────────────────┘
    ```
### Check enrolled keys in AMI

- Enter Secure Boot Key Management menu
- Enter the correct menu depending on which key you want to check

    ```
    | Secure Boot variable        | Size| Keys| Key     |
    |                             |     |     | Source  |
    |> Platform Key (PK)          | 1575|    1| Factory |
    |> Key Exchange Keys (KEK)    | 3066|    2| Factory |
    |> Authorized Signatures (db) | 6133|    4| Factory |
    |> Forbidden Signatures(dbx)  |17836|  371| Factory |
    |> Authorized TimeStamps(dbt) |    0|    0| No Keys |
    |> OsRecovery Signatures(dbr) |    0|    0| No Keys |
    ```

- Select `Details`

    ```
    /-----------------------------------\
    |    Authorized Signatures (db)     |
    |-----------------------------------|
    | Details                           |
    | Export                            |
    | Update                            |
    | Append                            |
    | Delete                            |
    \-----------------------------------/
    ```

- You can select a key if you want to see the whole GUID

    ```
    ┌────────────────────────────────────────────────────────────────────────────┐
    │                         Authorized Signatures (db)                         │
    │────────────────────────────────────────────────────────────────────────────│
    │ List| Sig.Type|Count| Size| Owner GUID   | Certificate Legend              │
    │    1| X.509   |    1| 1448| 77FA9ABD-... | Microsoft UEFI CA 2023          │
    │    2| X.509   |    1| 1454| 77FA9ABD-... | Windows UEFI CA 2023            │
    │    3| X.509   |    1| 1556| 77FA9ABD-... | Microsoft Corporation UEFI CA 20│
    │    4| X.509   |    1| 1499| 77FA9ABD-... | Microsoft Windows Production PCA│
    │    5| X.509   |    1|  783| 26DC4851-... | 3mdeb_test                      │
    └────────────────────────────────────────────────────────────────────────────┘
    ```

    ```
    ┌── Owner GUID | Certificate Legend ──┐
    │                                      │
    │ 26DC4851-195F-4AE1-9A19-FBF883BBB35E │
    │ 3mdeb_test                           │
    │                                      │
    └──────────────────────────────────────┘
    ```
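The "Details" view above is a decoded listing of the `db` variable. As an added example (not code from this page, Dasharo or AMI), the same check can be repeated from a booted Linux system by parsing the EFI_SIGNATURE_LIST chain of the variable, which gives signature type, owner GUID and payload size per entry. The efivarfs path, the signature-type GUIDs and the sample payload are assumptions of the example; the sample is constructed and reuses the owner GUID shown in the AMI dialog.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification (assumed constants).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X.509", EFI_CERT_SHA256_GUID: "SHA256"}
# Owner GUID the AMI "Enter Certificate Owner GUID" dialog on this page offers.
PAGE_OWNER_GUID = uuid.UUID("26DC4851-195F-4AE1-9A19-FBF883BBB35E")
# db in efivarfs; the first 4 bytes of that file are the variable attributes.
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize

def parse_signature_lists(data: bytes) -> list:
    """Walk the EFI_SIGNATURE_LIST chain of a db/dbx/KEK/PK payload and return
    one dict per EFI_SIGNATURE_DATA entry: type, owner GUID, payload size."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize does not fit the variable")
        if sig_size < 16:  # each entry starts with the 16-byte SignatureOwner
            raise ValueError("SignatureSize smaller than the owner GUID")
        body = data[off + HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        type_name = SIG_TYPE_NAMES.get(uuid.UUID(bytes_le=sig_type), "unknown")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # GUIDs are mixed-endian
            entries.append({"type": type_name, "owner": str(owner).upper(),
                            "size": sig_size - 16})
        off += list_size
    return entries

def build_signature_list(sig_type, owner, payloads) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; all payloads must be the same size."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0,
                    16 + len(payloads[0])) + body

def sample_db() -> bytes:
    """Constructed db payload (not a firmware dump): one fake 783-byte DER blob
    owned by the page's GUID plus a list of two SHA256 hashes."""
    return (build_signature_list(EFI_CERT_X509_GUID, PAGE_OWNER_GUID, [b"\x30" * 783])
            + build_signature_list(EFI_CERT_SHA256_GUID, PAGE_OWNER_GUID,
                                   [bytes([1]) * 32, bytes([2]) * 32]))
```

On a Linux host with efivarfs mounted, pass `open(DB_EFIVAR, "rb").read()[4:]` to `parse_signature_lists` and compare the owner GUIDs with the BIOS "Details" listing; without such a host, `sample_db()` gives input to exercise the parser.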