Dell EMC DSS 9630 Manual page 31


(Description continued from the previous page) ...fields if the TPM Status field is set to either On with Pre-boot Measurements or On without Pre-boot Measurements.

Option / Description

TPM Information
  Changes the operational state of the TPM. This option is set to No Change by default.

TPM Status
  Specifies the TPM status.

TPM Command
  Clears all the contents of the TPM. The TPM Clear option is set to No by default.
  CAUTION: Clearing the TPM results in the loss of all keys in the TPM. The loss of TPM keys may affect booting to the operating system.

Intel TXT
  Enables or disables the Intel Trusted Execution Technology (TXT) option. To enable the Intel TXT option, virtualization technology and TPM Security must be enabled with Pre-boot Measurements. This option is set to Off by default.

Power Button
  Enables or disables the power button on the front of the system. This option is set to Enabled by default.

AC Power Recovery
  Sets how the system behaves after AC power is restored to the system. This option is set to Last by default.

AC Power Recovery Delay
  Sets the time delay for the system to power up after AC power is restored to the system. This option is set to Immediate by default.

User Defined Delay (60 s to 240 s)
  Sets the User Defined Delay option when the User Defined option for AC Power Recovery Delay is selected.

UEFI Variable Access
  Provides varying degrees of securing UEFI variables. When set to Standard (the default), UEFI variables are accessible in the operating system per the UEFI specification. When set to Controlled, selected UEFI variables are protected in the environment and new UEFI boot entries are forced to the end of the current boot order.

Secure ME PCI Cfg Space
  Enabling this setting hides the PCI configuration space for the Management Engine (ME) HECI devices.

Secure Boot
  Enables Secure Boot, where the BIOS authenticates each pre-boot image by using the certificates in the Secure Boot Policy. Secure Boot is disabled by default.

Secure Boot Policy
  When Secure Boot Policy is set to Standard, the BIOS uses the system manufacturer's key and certificates to authenticate pre-boot images. When Secure Boot Policy is set to Custom, the BIOS uses the user-defined key and certificates. Secure Boot Policy is set to Standard by default.

Secure Boot Mode
  Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx).
  User Mode: In User Mode, PK must be installed, and the BIOS performs signature verification on programmatic attempts to update policy objects. The BIOS allows unauthenticated programmatic transitions between modes.
  Audit Mode: In Audit Mode, PK is not present. The BIOS does not authenticate programmatic updates to the policy objects or transitions between modes. Audit Mode is useful for programmatically determining a working set of policy objects. The BIOS performs signature verification on pre-boot images and logs the results in the Image Execution Information Table, but executes the images whether they pass or fail verification.
  Deployed Mode: Deployed Mode is the most secure mode. In Deployed Mode, PK must be installed and the BIOS performs signature verification on programmatic attempts to update policy objects. Deployed Mode restricts the programmatic mode transitions.

Secure Boot Policy Summary
  Specifies the list of certificates and hashes that Secure Boot uses to authenticate images.
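The Secure Boot Mode and UEFI Variable Access entries above describe state that, with Variable Access at Standard, the operating system can read back through the UEFI-specification variables SecureBoot, SetupMode, AuditMode and DeployedMode. The following is an added example (not Dell's code and not from this manual) that parses those variables as Linux efivarfs exposes them (a 4-byte attribute word followed by the payload) and reports which of the modes the table describes the firmware is in; the byte values in SAMPLE_DEPLOYED are constructed for offline use.

```python
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; efivarfs names files "<Name>-<GUID>".
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
MODE_VARS = ("SecureBoot", "SetupMode", "AuditMode", "DeployedMode")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs record into its little-endian uint32 attributes and the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def flag(vars_: Dict[str, bytes], name: str) -> Optional[int]:
    """Value of a one-byte boolean UEFI variable, or None if the variable is absent/empty."""
    raw = vars_.get(name)
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    return data[0] if data else None


def secure_boot_mode(vars_: Dict[str, bytes]) -> str:
    """Map SetupMode/AuditMode/DeployedMode to the policy mode the manual's table describes."""
    setup, audit, deployed = (flag(vars_, n) for n in ("SetupMode", "AuditMode", "DeployedMode"))
    if setup is None:
        return "unknown (SetupMode variable not exposed)"
    if setup == 1:  # no PK installed: policy objects can be written without a signature
        return "Audit Mode" if audit == 1 else "Setup Mode"
    # PK installed, so policy updates must be signed; DeployedMode decides which locked mode
    return "Deployed Mode" if deployed == 1 else "User Mode"


def read_efivars() -> Dict[str, bytes]:
    """Read the mode variables from a live Linux system; empty dict if efivarfs is absent."""
    out = {}
    for name in MODE_VARS:
        p = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
        if p.exists():
            out[name] = p.read_bytes()
    return out


# Constructed sample (not captured from hardware): attributes 0x06 = BOOTSERVICE|RUNTIME access,
# SecureBoot=1, SetupMode=0, AuditMode=0, DeployedMode=1, i.e. the most restrictive mode.
SAMPLE_DEPLOYED = {
    "SecureBoot": b"\x06\x00\x00\x00\x01", "SetupMode": b"\x06\x00\x00\x00\x00",
    "AuditMode": b"\x06\x00\x00\x00\x00", "DeployedMode": b"\x06\x00\x00\x00\x01",
}

if __name__ == "__main__":
    live = read_efivars() or SAMPLE_DEPLOYED
    print("Secure Boot enforcing:", flag(live, "SecureBoot") == 1)
    print("Policy mode:", secure_boot_mode(live))
```

Run as root is not required for reads; if efivarfs is not mounted the script falls back to the constructed sample so the classification logic can still be exercised.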
Installation and Service Manual, Pre-operating system management applications, page 31