Deploying Secure Boot: Key Creation and Management
Optional Keys for Secure Boot (non-WinRT only)

| Key/db Name | Variable | Owner | Notes |
|---|---|---|---|
| Microsoft UEFI driver signing CA | db | Microsoft | Microsoft signer for 3rd-party UEFI binaries via the DevCenter program. Recommended for non-WinRT systems. |
Optional for Customization

| Key/db Name | Variable | Owner | Notes |
|---|---|---|---|
| OEM or 3rd-party KEKpub | KEK | OEM/3rd party | Allows db/dbx updates, e.g. for an alternate OS or a trusted 3rd party |
| OEM or 3rd-party CA | db | OEM/3rd party | Allows a 3rd-party OS or drivers signed by a trusted 3rd party |
| Image hashes | db | OEM | Hashes of images on the PC that are allowed to execute even if not signed |
| Forbidden Signature Database (dbx) | dbx | OEM/3rd party | List of known bad keys, CAs or images from the OEM or a partner |
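The db and dbx variables in the tables above are stored as sequences of EFI_SIGNATURE_LIST structures, each holding EFI_SIGNATURE_DATA records of one type (an X.509 certificate or an image hash). The following added example, which is not part of the summit slides, parses such a payload and applies the dbx-before-db rule the firmware uses for hash-only entries, so an OEM can inspect what a proposed db/dbx update actually contains. It assumes the well-known SignatureType GUIDs from the UEFI specification; the owner GUID, certificate bytes and image hashes are constructed sample data, and the `load_efivar` helper is a hypothetical convenience for reading a variable from Linux efivarfs.

```python
"""Parse UEFI Secure Boot signature databases (db / dbx) and check an image hash.

Added example, not from the slide deck.  Payload layout per the UEFI spec:
  EFI_SIGNATURE_LIST  = SignatureType GUID (16) | SignatureListSize u32
                        | SignatureHeaderSize u32 | SignatureSize u32
                        | SignatureHeader[] | EFI_SIGNATURE_DATA[]
  EFI_SIGNATURE_DATA  = SignatureOwner GUID (16) | SignatureData[]
All sample data below is constructed for this example.
"""
import hashlib
import struct
import uuid

# Well-known SignatureType GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

LIST_HDR_LEN = 28   # 16-byte GUID + three u32 fields
EFIVARFS_ATTR_LEN = 4  # efivarfs prefixes each variable with a 4-byte attribute word


def load_efivar(path):
    """Hypothetical helper: read a db/dbx payload from Linux efivarfs, dropping attributes."""
    with open(path, "rb") as f:
        return f.read()[EFIVARFS_ATTR_LEN:]


def parse_signature_lists(blob):
    """Return [(signature_type, owner_guid, data), ...] for every record in blob."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # UEFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HDR_LEN or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body_start = off + LIST_HDR_LEN + hdr_size
        body_end = off + list_size
        if body_end < body_start or (body_end - body_start) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for p in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append((sig_type, owner, blob[p + 16:p + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Serialize one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(datas[0])
    if any(16 + len(d) != sig_size for d in datas):
        raise ValueError("all records in one list must share SignatureSize")
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", LIST_HDR_LEN + len(body), 0, sig_size) + body


def hashes_in(entries):
    """Set of SHA-256 image hashes among parsed records (certificates are ignored)."""
    return {data for sig_type, _, data in entries if sig_type == EFI_CERT_SHA256_GUID}


def image_hash_verdict(db_blob, dbx_blob, image_hash):
    """Mirror the firmware rule for a hash-only (unsigned) image: dbx overrides db."""
    if image_hash in hashes_in(parse_signature_lists(dbx_blob)):
        return "forbidden"
    if image_hash in hashes_in(parse_signature_lists(db_blob)):
        return "allowed"
    return "no match"


# --- constructed sample data (an OEM-owned db and dbx) ---------------------
OEM_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
FAKE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 60  # placeholder DER bytes, not a real certificate
# In practice the hash is the Authenticode PE hash of the image; plain SHA-256 of
# a byte string stands in for it here.
ALLOWED_HASH = hashlib.sha256(b"constructed: OEM diagnostic tool image").digest()
REVOKED_HASH = hashlib.sha256(b"constructed: revoked boot image").digest()

SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OEM_OWNER, [FAKE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, OEM_OWNER, [ALLOWED_HASH]))
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, OEM_OWNER, [REVOKED_HASH])

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DB):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(f"db: {kind:6} owner={owner} len={len(data)}")
    print("revoked image:", image_hash_verdict(SAMPLE_DB, SAMPLE_DBX, REVOKED_HASH))
```

Because dbx is consulted first, adding a hash to dbx revokes an image even if the same hash is still present in db, which is why a dbx update signed under the KEK is the intended way to retire a compromised image or CA without rebuilding db.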
UEFI Summer Summit – July 2012 www.uefi.org