Dell PowerEdge R7615 Installation And Service Manual page 57


Table 57. System Security details (continued)

Option: Description

(row continued from the previous page): When set to Enabled, the storage and endorsement hierarchies can be used. When set to Disabled, the storage and endorsement hierarchies cannot be used. When set to Clear, the storage and endorsement hierarchies are cleared of any values and then reset to Enabled.

TPM Advanced Settings:
TPM PPI Bypass Provision: When set to Enabled, allows the operating system to bypass Physical Presence Interface (PPI) prompts when issuing PPI Advanced Configuration and Power Interface (ACPI) provisioning operations.
TPM PPI Bypass Clear: When set to Enabled, allows the operating system to bypass Physical Presence Interface (PPI) prompts when issuing PPI Advanced Configuration and Power Interface (ACPI) clear operations.
TPM2 Algorithm Selection: Allows the user to change the cryptographic algorithms used in the Trusted Platform Module (TPM). The available options depend on the TPM firmware. To enable TPM2 Algorithm Selection, Intel(R) TXT technology must be disabled.

AMD DRTM: Enables or disables AMD Dynamic Root of Trust Measurement (DRTM). To enable AMD DRTM, the following configurations must be enabled:
1. TPM2.0 must be enabled and the hash algorithm must be set to SHA256.
2. Transparent SME (TSME) must be enabled.

Power Button: Enables or disables the power button on the front of the system. This option is set to Enabled by default.

AC Power Recovery: Sets how the system behaves after AC power is restored to the system. This option is set to Last by default.

AC Power Recovery Delay: Sets the time delay for the system to power up after AC power is restored to the system. This option is set to Immediate by default.

User Defined Delay (120s to 600s): Controls the duration for which the power-on process is delayed after the AC power supply is restored. The value is only effective if AC Power Recovery Delay is set to User Defined. The valid range is between 120s and 600s.

UEFI Variable Access: Provides varying degrees of securing UEFI variables. When set to Standard (the default), UEFI variables are accessible in the operating system per the UEFI specification. When set to Controlled, selected UEFI variables are protected in the environment and new UEFI boot entries are forced to be at the end of the current boot order.

SMM Security Mitigation: This option enables or disables additional UEFI SMM Security Mitigation protections. This option is available only in UEFI boot mode. The operating system can use this feature to help protect the secure environment created by virtualization-based security. Enabling this feature provides additional UEFI SMM Security Mitigation protections. However, this feature may cause compatibility issues or loss of functionality with some legacy tools or applications.

Secure Boot: Enables Secure Boot, where the BIOS authenticates each pre-boot image by using the certificates in the Secure Boot Policy. Secure Boot is set to Disabled by default.

Secure Boot Policy: When Secure Boot Policy is set to Standard, the BIOS uses the system manufacturer's key and certificates to authenticate pre-boot images. When Secure Boot Policy is set to Custom, the BIOS uses the user-defined key and certificates. Secure Boot Policy is set to Standard by default.

Secure Boot Mode: Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx). If the current mode is set to Deployed Mode, the available options are User Mode and Deployed Mode.
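
The dependencies stated in this table, checked over a settings snapshot, as an added example that is not part of the Dell manual. The dict snapshot format, the "TPM 2.0" key and the hardening baseline are assumptions of the example; the other keys are the table's option names.

```python
# Added example: audit a settings snapshot against the dependencies in Table 57.
# Keys mirror the table's option names; "TPM 2.0" and the dict format are assumed.

def audit_system_security(s):
    """Return a list of (option, finding) tuples for one settings snapshot."""
    findings = []

    def flag(option, text):
        findings.append((option, text))

    # AMD DRTM needs TPM 2.0 enabled with SHA256, plus TSME enabled.
    if s.get("AMD DRTM") == "Enabled":
        if s.get("TPM 2.0") != "Enabled":
            flag("AMD DRTM", "TPM 2.0 is not enabled")
        if s.get("TPM2 Algorithm Selection") != "SHA256":
            flag("AMD DRTM", "TPM hash algorithm is not SHA256")
        if s.get("Transparent SME (TSME)") != "Enabled":
            flag("AMD DRTM", "TSME is not enabled")
    # PPI bypass lets the OS provision or clear the TPM without a PPI prompt.
    for opt in ("TPM PPI Bypass Provision", "TPM PPI Bypass Clear"):
        if s.get(opt) == "Enabled":
            flag(opt, "OS can skip Physical Presence Interface prompts")
    # Secure Boot ships Disabled; requiring SMM mitigation and Controlled
    # variable access is this example's own baseline, not a Dell requirement.
    if s.get("Secure Boot") != "Enabled":
        flag("Secure Boot", "pre-boot images are not authenticated")
    if s.get("SMM Security Mitigation") != "Enabled":
        flag("SMM Security Mitigation", "additional SMM protections are off")
    if s.get("UEFI Variable Access") != "Controlled":
        flag("UEFI Variable Access", "UEFI variables follow Standard access")
    # User Defined Delay applies only in User Defined mode, range 120-600 s.
    delay = s.get("User Defined Delay")
    if s.get("AC Power Recovery Delay") == "User Defined":
        if delay is None or not 120 <= int(delay) <= 600:
            flag("User Defined Delay", "value outside 120s to 600s")
    elif delay is not None:
        flag("User Defined Delay", "ignored unless delay mode is User Defined")
    return findings

# Constructed sample snapshot (not taken from a real system).
SAMPLE = {
    "AMD DRTM": "Enabled", "TPM 2.0": "Enabled",
    "TPM2 Algorithm Selection": "SHA1", "Transparent SME (TSME)": "Disabled",
    "TPM PPI Bypass Provision": "Disabled", "TPM PPI Bypass Clear": "Enabled",
    "Secure Boot": "Disabled", "SMM Security Mitigation": "Enabled",
    "UEFI Variable Access": "Standard",
    "AC Power Recovery Delay": "Immediate", "User Defined Delay": "300",
}

if __name__ == "__main__":
    for option, finding in audit_system_security(SAMPLE):
        print(f"{option}: {finding}")
```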
Pre-operating system management applications

This manual is also suitable for:

E96s