User's Manual | CS631
Chapter 3
BIOS SETTINGS
Factory Key Provision
Enable or disable provisioning of the factory default keys on the next restart. This will only take
place when the “System Mode” in the previous menu is “Setup”, which can be achieved by moving
the cursor to “Reset To Setup Mode” and pressing Enter.
Restore Factory Keys
Force system to User Mode. Configure NVRAM to contain OEM-defined factory default Secure
Boot keys.
Reset To Setup Mode
Clear the database from the NVRAM, including all the keys and signatures installed in the Key
Management menu. Press Enter and a prompt will show up for you to confirm.
Export Secure Boot variables
Export the Secure Boot settings (i.e. all keys and signatures) as files to the root directory of
a file system device. Press Enter and select a storage device listed in the pop-up menu. The
saved files will be named automatically according to the type of key/signature as listed below.
• “PK” for Platform Keys
• “KEK” for Key Exchange Keys
• “db” for Authorized Signatures
• “dbx” for Forbidden Signatures
Enroll Efi Image
Allow the image to run in Secure Boot mode. Enroll the SHA256 hash certificate of a PE image into
the Authorized Signature Database (db). Press Enter and select a storage device listed in the
pop-up menu, select a directory, and then select the EFI Image document.
Remove ‘UEFI CA’ from DB
Remove Microsoft UEFI CA from the Authorized Signature database. For systems that support
Device Guard, Microsoft UEFI CA must NOT be included in the Authorized Signature database.
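To check an exported “db” file on a workstation, for instance after using “Remove ‘UEFI CA’ from DB”, the following added example (not part of this manual or the firmware vendor's code) parses the file and counts its entries by type. It assumes the exported file holds raw EFI_SIGNATURE_LIST data as defined by the UEFI specification, which this manual does not state; the function names, the owner GUID and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPES = {SHA256_GUID: "sha256", X509_GUID: "x509"}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def parse_esl(data):
    """Return (type, owner GUID, payload) for each entry in concatenated lists."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        guid, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        body, end = off + HEADER.size + hdr_size, off + list_size
        if sig_size <= 16 or body > end or end > len(data) or (end - body) % sig_size:
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=guid), "other")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((kind, owner, data[pos + 16:pos + sig_size]))
        off = end
    return entries

def summarize(data, needle=b"UEFI CA"):
    """Count entries per type; flag X.509 entries whose raw bytes contain needle.
    The substring match is a heuristic on the certificate bytes, not X.509 parsing."""
    counts, flagged = {}, []
    for kind, owner, payload in parse_esl(data):
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "x509" and needle in payload:
            flagged.append(owner)
    return counts, flagged

def make_list(type_guid, owner, payloads):
    """Build one signature list from equal-length payloads (for the sample below)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HEADER.pack(type_guid.bytes_le, HEADER.size + len(body), 0,
                       16 + len(payloads[0])) + body

# Constructed sample, not a real export: one 32-byte hash entry and one
# placeholder "certificate" that is not valid DER.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (make_list(SHA256_GUID, OWNER, [bytes(range(32))]) +
             make_list(X509_GUID, OWNER, [b"placeholder CN=Microsoft Corporation UEFI CA 2011"]))

if __name__ == "__main__":
    print(summarize(SAMPLE_DB))
```

If a real export carries any header in front of the signature lists, strip it before calling `parse_esl`; an empty `flagged` list means no X.509 entry matched the substring.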
Restore DB defaults
Press Enter to restore the database variable to factory defaults.
Manually configure the following keys and signatures. Move the cursor to the field and press
Enter, and then a pop-up menu will show up.
Platform Key(PK), Key Exchange Keys, Authorized Signatures, Forbidden Signatures,
Authorized TimeStamps, OsRecovery Signatures
Details: List the information of enrolled keys and signatures.
Export: Save the key or signature as a file to the root directory of a file system. The saved files will be named automatically according to the type of key/signature as previously listed in “Export Secure Boot variables”.
Update: Load factory default database.
Append: Enroll keys and signatures from a file system.
Delete: Delete keys and signatures.
Aptio Setup Utility - Copyright (C) 2019 American Megatrends, Inc.
Security
Security > Secure Boot > Key Management

  Factory Key Provision            [Disabled]
► Restore Factory Keys
► Reset To Setup Mode
► Export Secure Boot variables
► Enroll Efi Image

  Device Guard Ready
► Remove ‘UEFI CA’ from DB
► Restore DB defaults

  Secure Boot variable    | Size | Keys | Key Source
► Platform Key(PK)        |    0 |    0 | No
► Key Exchange Keys       |    0 |    0 | No
► Authorized Signatures   |    0 |    0 | No
► Forbidden Signatures    |    0 |    0 | No
► Authorized TimeStamps   |    0 |    0 | No
► OsRecovery Signatures   |    0 |    0 | No

Help: Provision factory default keys on next re-boot only when System in Setup Mode

→←: Select Screen
↑↓: Select Item
Enter: Select
+/- : Change Opt.
F1: General Help
F2: Previous Values
F9: Optimized Defaults
F10: Save & Exit
ESC: Exit

Version 2.20.1271. Copyright (C) 2019 American Megatrends, Inc.