3.6.1.1 Key Management
Key management access the following format:
Public Key Certificate: EFI Signature List, EFI CERT X509 (DER Encoded), EFI CERT RSA2048 (Bin), EFI SERT
SHAXXX
Authenticated UEFI Variable
Key Source: Factory, External, Mixed.
Setting for key management:
Factory Key Provision: If enabled, install factory default Secure Boot keys after the platform resets. It is applicable only
when the system is in Setup Mode.
Restore Factory Keys: Force system to User Mode by configuring NVRAM to contain OEM-defined factory default Secure
Boot keys.
Reset to Setup Mode: Delete all Secure Boot key databases from NVRAM.
Secure Boot variables: Copy NVRAM content of Secure Boot variables to files in a root folder on a file system device.
Enroll EFI Image: Allow the image to run in Secure Boot mode. Enroll SHA256 hash certificate of a PE image into
Authorized Signature Database (db).
Secure Boot variable:
1. Platform Key (PK): This feature allows the user to configure the settings of the Platform Keys. User can update it using value from
Factory Defaults or from a file in the file system.
2. Key Exchange Keys: This feature allows the user to configure the settings of the Key Exchange Keys. User can update/append it
using value from Factory Defaults or from a file in the file system.
3. Authorized Signatures: This feature allows the user to configure the settings of the Authorized Signatures. User can update/append it
using the value from Factory Defaults or from a file in the file system.
78