Page 2
This product, including software and documentation, is the property of Supermicro and/or its licensors, and is supplied only under a license. Any use or reproduction of this product is not allowed, except as expressly permitted by the terms of said license.
Page 3
This user's guide provides detailed instructions on how to configure Secure Boot settings in the UEFI BIOS for the X12 motherboards that are based on the 3rd Gen Intel® Xeon® Scalable Processors. Please note that all Supermicro's products are intended to be installed, configured, and serviced by professional technicians only.
Page 4
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Contacting Supermicro Headquarters Address: Super Micro Computer, Inc. 980 Rock Ave. San Jose, CA 95131 U.S.A. Tel: +1 (408) 503-8000 Fax: +1 (408) 503-8008 Email: marketing@supermicro.com (General Information) support@supermicro.com (Technical Support) Website: www.supermicro.com...
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Configuring Secure Boot Settings Secure Boot, a feature available in the Unified Extensible Firmware Interface (UEFI) BIOS, supports Secure Boot by preventing drivers and OS loaders from booting up without an acceptable digital signature.
Secure Boot Settings Section 2 Secure Boot/Secure Boot Mode/CSM Support To use the Secure Boot feature, you will need to have a set of platform key (PK) pre-registered in the platform on which your system is operating. You will also need to enable the Secure Boot feature, set Secure Boot mode to Custom, and disable CMS support in the BIOS Setup utility.
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Section 3 Secure Boot Settings To properly configure the Secure Boot settings, please follow the steps below. Step 1. Set Secure Boot Mode to Standard. Press Yes to install the manufacturer default keys as needed.
Page 9
Secure Boot Settings Step 2. For the changes to take effect, press <F4> to save the settings and exit the BIOS Setup utility. Step 3. Press <Del> during system boot to enter the BIOS Setup utility. Navigate to the Security tab to enter the Secure Boot menu. Set CSM Support to Disabled as mentioned in Section 1.
Page 10
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Step 4. Press <Del> during system boot to enter the BIOS Setup utility. Navigate to the Security tab and enter the Secure Boot menu. Set Secure Boot to Enabled.
Secure Boot Settings Section 4 Key Management Settings The Key Management menu, which is only available when Secure Boot Mode is set to Custom, allows Secure Boot keys to be installed via an external device and to be used for secure system boot.
Page 12
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Restore Factory Keys Select Yes and press <Enter> to restore the manufacturer default Secure Boot keys. This will also reset the system to User mode. The options are Yes and No.
Page 13
Secure Boot Settings Export Secure Boot Variables Use this feature to export the Secure Boot values to the files in a root folder that resides in a file system device. Enroll Efi Image This feature enrolls SHA256 hash binary data in the Authorized Signature Database (DB) and allows the image to run in Secure Boot mode.
Page 14
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Device Guard Ready Remove 'UEFI CA' from DB (Database) (available when the system is not in Device Guard Ready) Select Yes and press <Enter> to remove the Microsoft UEFI CA certificate from the database (DB).
Secure Boot Settings Important keys and signatures used in Secure Boot Platform Key (PK) The Platform Key (PK), which is pre-installed in the system firmware during manufacturing, provides the full control of key hierarchy in Secure Boot. The options are Details, Export, Update, and Delete.
Page 16
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Export: Use the arrow keys to select Export and press <Enter>. This option saves the current PKs to a FAT-formatted USB flash drive. Press <Enter> and the following screen will appear.
Page 17
Secure Boot Settings Update: Use the arrow keys to select Update. This will load the manufacturer defaults or load PKs from a file in an external device. Press <Enter> and the following screen will appear.
Page 18
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide To load the manufacturer defaults, select Yes and press <Enter>. The following screen will appear. To load PKs from a file in an external device, select No and press <Enter>.
Page 19
Secure Boot Settings When the following screens appear, select the USB flash drive that contains the desired file and press <Enter>.
Page 20
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Press <Enter> and the following screen will appear. Delete: Use the arrow keys to select Delete and press <Enter> to clear the current PKs and reset the system to Setup mode.
Page 21
Secure Boot Settings Key Exchange Key The Key Exchange Key (KEK), which is held by the operating system vendor, can be updated by the holder of the PK and is used in Secure Boot to protect the data base that contains signatures from being illegal accessed.
Page 22
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Press <Enter> and the following screen will appear. To load the manufacturer defaults, select Yes and press <Enter>. The following screen will appear. To load KEKs from a file in an external device, select to No and press <Enter>. Refer to...
Page 23
Secure Boot Settings Delete: Use the arrow keys to select Delete and press <Enter>. Select Yes and press <Enter> to clear the current KEKs. Select No and press <Enter> to delete only one certificate from the key database.
Page 24
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Authorized Signatures Authorized Signature Database (DB) contains authorized signing certificates and digital signatures. The options are Details, Export, Update, Append, and Delete. Select Details to display detailed information of Authorized Signatures. Select Export to save the current DB to a FAT-formatted USB flash drive.
Page 25
Secure Boot Settings Forbidden Signatures Forbidden Signature Database (DBX) contains forbidden certificates and digital signatures. The options are Details, Export, Update, Append, and Delete. Select Details to display detailed information of Forbidden Signatures. Select Export to save the current DBX to a FAT-formatted USB flash drive.
Page 26
Super Secure Boot Configuration Instructions for the X12 Motherboards User's Guide Authorized TimeStamps Authorized Timestamp Database (DBT) issues and checks signed timestamp certificates. The options are Details, Export, Update, Append, and Delete. Select Details to display detailed information of Authorized timestamps. Select Export to save the current DBT to a FAT-formatted USB flash drive.
Page 27
Secure Boot Settings OsRecovery Signatures OsRecovery Signatures Database (DBR) contains recovery variables that are authorized by Secure Boot. The options are Details, Export, Update, Append, and Delete. Select Details to display detailed information of OsRecovery Signatures. Select Export to save the current DBR to a FAT-formatted USB flash drive.