Deploying Secure Boot: Key Creation and Management

Keys Required for Secure Boot

Key/db Name                      Variable   Owner       Details
PKpub                            PK         OEM         One PK only. Must be RSA 2048 or stronger.
Microsoft KEK CA                 KEK        Microsoft   Allows updates to db and dbx.
Microsoft Windows Production CA  db         Microsoft   This CA in the Signature Database (db) allows Windows 8 to boot.
Forbidden Signature Database     dbx        Microsoft   List of known bad keys, CAs or images from Microsoft.
Required for Secure Firmware Updates

Key/db Name                  Owner   Details
Secure firmware update key   OEM     Recommended to be a different key from the PK. Must be RSA 2048 or stronger.
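The two tables above describe what each variable holds, but not the byte layout an OEM actually writes into PK, KEK, db and dbx. The following Python is an added example, not code from the slides or from the UEFI Forum: it packs and parses the EFI_SIGNATURE_LIST structure those variables are made of, checks the "one PK only" rule, and checks the "RSA 2048 or stronger" rule against a PKCS#1 RSAPublicKey. The owner GUID, the revoked "image" hashes and the sample key are constructed for illustration (the sample key is a deterministic number with the right bit length, not a real key, and it stands in for the DER X.509 certificate a real PK or db entry carries).

```python
"""Added example: pack and check the EFI_SIGNATURE_LIST payloads behind PK, KEK, db and dbx."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification. Firmware stores GUIDs in the
# mixed-endian layout Python exposes as UUID.bytes_le.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# ASSUMPTION: hypothetical SignatureOwner GUID for the OEM; a real OEM uses its own fixed value.
OEM_OWNER_GUID = uuid.UUID("0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0")
MIN_RSA_BITS = 2048  # the slide's "RSA 2048 or stronger" rule for PK and the firmware-update key
LIST_HEADER_LEN = 16 + 4 + 4 + 4  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize


def build_signature_list(sig_type, owner, entries):
    """Pack one EFI_SIGNATURE_LIST. Every entry in a list shares one SignatureSize, so a list
    holds either several equal-length hashes or a single X.509 certificate."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have the same size")
    sig_size = 16 + sizes.pop()  # EFI_SIGNATURE_DATA = SignatureOwner GUID + SignatureData
    list_size = LIST_HEADER_LEN + sig_size * len(entries)  # SignatureHeaderSize is 0 for these types
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + e for e in entries)


def parse_signature_lists(payload):
    """Walk a variable payload into [(SignatureType, [(SignatureOwner, data), ...]), ...],
    rejecting truncated or inconsistent lists instead of reading past them."""
    lists, off = [], 0
    while off < len(payload):
        if len(payload) - off < LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        end, data_len = off + list_size, list_size - LIST_HEADER_LEN - hdr_size
        if end > len(payload) or data_len < 0 or sig_size <= 16 or data_len % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, entries = off + LIST_HEADER_LEN + hdr_size, []
        while pos < end:
            entries.append((uuid.UUID(bytes_le=payload[pos:pos + 16]), payload[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append((sig_type, entries))
        off = end
    return lists


def validate_pk(payload):
    """PK must hold exactly one X.509 certificate in exactly one list ("One PK only")."""
    lists = parse_signature_lists(payload)
    return len(lists) == 1 and lists[0][0] == EFI_CERT_X509_GUID and len(lists[0][1]) == 1


def _der_tlv(tag, value):
    """Encode one DER tag-length-value, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_read(buf, off=0):
    """Decode one DER TLV at `off`; returns (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def rsa_modulus_bits(rsa_public_key_der):
    """Modulus size of a PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e })."""
    tag, seq, _ = _der_read(rsa_public_key_der)
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag, n, _ = _der_read(seq)
    if tag != 0x02:
        raise ValueError("modulus must be an INTEGER")
    return int.from_bytes(n, "big").bit_length()


def key_meets_policy(rsa_public_key_der):
    return rsa_modulus_bits(rsa_public_key_der) >= MIN_RSA_BITS


def constructed_rsa_public_key(bits):
    """CONSTRUCTED sample: a deterministic odd number of exactly `bits` bits wrapped as a DER
    RSAPublicKey with e = 65537. Not a real key; it only exercises the size check."""
    filler = int.from_bytes(hashlib.sha512(b"uefi-sample-%d" % bits).digest() * 6, "big")
    n = (1 << (bits - 1)) | (filler & ((1 << (bits - 1)) - 1)) | 1

    def der_int(v):  # DER INTEGER is two's complement: a set top bit needs a leading 0x00
        return _der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

    return _der_tlv(0x30, der_int(n) + der_int(65537))


def demo():
    pk_key, weak_key = constructed_rsa_public_key(2048), constructed_rsa_public_key(1024)
    # In a real PK/db the SignatureData is a full DER X.509 certificate; the constructed key
    # blob stands in for it so the example runs offline.
    pk = build_signature_list(EFI_CERT_X509_GUID, OEM_OWNER_GUID, [pk_key])
    # CONSTRUCTED dbx: SHA-256 of two "images" to revoke, packed into one list.
    dbx = build_signature_list(EFI_CERT_SHA256_GUID, OEM_OWNER_GUID,
                               [hashlib.sha256(b"revoked-loader-v1").digest(),
                                hashlib.sha256(b"revoked-loader-v2").digest()])
    parsed = parse_signature_lists(pk + dbx)
    try:
        parse_signature_lists(pk[:20])
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {"pk_len": len(pk), "dbx_len": len(dbx), "pk_bits": rsa_modulus_bits(pk_key),
            "pk_ok": key_meets_policy(pk_key), "weak_ok": key_meets_policy(weak_key),
            "lists": len(parsed), "pk_roundtrip": parsed[0][1][0] == (OEM_OWNER_GUID, pk_key),
            "dbx_entries": len(parsed[1][1]), "one_pk": validate_pk(pk),
            "two_pks": validate_pk(pk + pk), "truncated_rejected": truncated_rejected}


if __name__ == "__main__":
    print(demo())
```

Two points worth noting when using this against real data: a db or dbx variable is usually several EFI_SIGNATURE_LISTs back to back (one per certificate, plus hash lists), which is why the parser loops until the payload is consumed and why it checks every list's size fields before trusting them; and the key-size check expects the PKCS#1 RSAPublicKey form of the public key, so extract it from the certificate first (for example with openssl x509 -pubkey followed by openssl rsa -pubin -RSAPublicKey_out -outform DER) rather than passing the whole certificate.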
UEFI Summer Summit July 2012 www.uefi.org