Deploying Secure Boot: Key Creation and Management

ManualsBrandsIntel ManualsOtherIntel Desktop Board DX79SR

1

2

3

4

5

6

7

8

9

UEFI Secure Boot Keys

• Platform Key (PK)

– One only

– Allows modification of KEK database

• Key Exchange Key (KEK)

– Can be multiple

– Allows modification of db and dbx

• Authorized Database (db)

– CA, Key, or image hash to allow

• Forbidden Database (dbx)

– CA, Key, or image hash to block

UEFI Summer Summit – July 2012 www.uefi.org