DFI CS631-C246/Q370 User Manual page 51

Security Secure Boot
X X
X Key Management
Aptio Setup Utility - Copyright (C) 2019 American Megatrends, Inc.
Security
Factory Key Provision [Disabled]
► Restore Factory Keys
► Reset To Setup Mode
► Export Secure Boot variables
► Enroll Efi Image
Device Guard Ready
► Remove 'UEFI CA' from DB
► Restore DB defaults
Secure Boot variable |Size|Keys| Key Source
► Platform Key(PK) | 0| 0| No
► Key Exchange Keys | 0| 0| No
► Authorized Signatures | 0| 0| No
► Forbidden Signatures | 0| 0| No
► Authorized TimeStamps| 0| 0| No
► OsRecovery Signatures | 0| 0| No
Version 2.20.1271. Copyright (C) 2019 American Megatrends, Inc.
Factory Key Provision
Enable or disable the provision factory default keys on next re-start. This will only take place
when the "System Mode" in the previous menu is in "Setup", which can be achieved by moveing
the cursor to the "Reset To Setup Mode" and press Enter.
Restore Factory Keys
Force system to User Mode. Configure NVRAM to contain OEM-defined factory default Secure
Boot keys.
Reset To Setup Mode
Clear the database from the NVRAM, including all the keys and signatures installed in the Key
Management menu. Press Enter and a prompt will show up for you to confirm.
Export Secure Boot variables
Export the Secure Boot settings (i.e. all keys and signatures) as files to the root directory of
a file system device. Press Enter and select a storage device listed in the pop-up menu. The
saved files will be named automatically according to the type of key/signature as listed below.
User's Manual | CS631
•
•
Provision factory default
keys on next re-boot only
•
w h e n S y s t e m i n S e t u p
Mode
•
Enroll Efi Image
Allow the image to run in Secure Boot mode. Enroll SHA256 Hash certificate of a PE image into
Authorized Signature Database (db). Press Enter and select a storage device listed in the pop-
→←: Select Screen
up menu, select a directory, and then select the EFI Image document.
↑↓: Select Item
Enter: Select
+/- : Change Opt.
Remove 'UEFI CA' from DB
F1: General Help
F2: Previous Values
Remove Microsoft UEFI CA from the Authorized Signature database. For systems that support
F9: Optimized Defaults
F10: Save & Exit
Device Guard, Microsoft UEFI CA must NOT be included in the Authorized Signature database.
ESC: Exit
Restore DB defaults
Press Enter to restore the database variable to factory defaults.
Manually configure the following keys and signatures. Move the cursor to the field and press
Enter, and then a pop-up menu will show up.
Platform Key(PK), Key Exchange Keys, Authorized Signatures, Forbidden Signatures, Autho-
rized TimeStamps, OsRecovery Signatures
Details
Export
Update
Append
Delete
"PK" for Platform Keys
"KEK" for Key Exchange Keys
"db" for Authorized Signatures
"dbx" for Forbidden Signatures
List the information of enrolled keys and signatures
Save the key or signature as a file to the root directory of a file system. The
saved files will be named automatically according to the type of key/signa-
ture as previously listed in the "Export Secure Boot Variables".
Load factory default database
Enroll keys and signatures from a file system
Delet keys and signatures
Chapter 3
BIOS SETTINGS
45