Secure Boot Key management
Figure 3: HP Platform Key Management for notebooks
Figure 4: HP Platform Key Management for desktops
A factory-default HP BIOS has the HP PK, MS KEK, and MS db populated, with an empty dbx, and the system is in User Mode.
No new PK enrollment is allowed. Note that the HP Platform Key is different from the HP firmware-signing key. For the first
implementation (starting with 2012), the HP PK is a certificate named “Hewlett-Packard UEFI Secure Boot Platform Key”
and is issued by HP IT. The BIOS signing key is RAW-CMIT-BIOS2012. The MS KEK is a certificate named “Microsoft
Corporation KEK CA 2011.” The User Mode section is grayed out: the information is listed but not changeable.
The “Clear Secure Boot Keys” selection is also grayed out. After the user disables Secure Boot, the “Clear Secure
Boot Keys” option becomes available.
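The factory-default state described above can be audited from the operating system by parsing the Secure Boot variables. The following is an added example, not HP code: it assumes the variable payloads have already been read (on Linux efivarfs, with the 4-byte attribute prefix stripped), the function names are hypothetical, the sample data is constructed, and the certificate-name match is a byte-substring heuristic rather than certificate validation.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec value
HP_PK_NAME = b"Hewlett-Packard UEFI Secure Boot Platform Key"  # certificate name from the text
MS_KEK_NAME = b"Microsoft Corporation KEK CA 2011"             # certificate name from the text

def parse_signature_lists(data):
    """Return (type, owner, payload) for every entry in concatenated EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if sig_size <= 16 or body > end or end > len(data) or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for p in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[p:p + 16])
            entries.append((sig_type, owner, data[p + 16:p + sig_size]))
        off = end
    return entries

def audit_factory_state(variables):
    """List deviations from the factory-default state described in the text."""
    def x509(name):  # X.509 payloads enrolled in one variable
        lists = parse_signature_lists(variables.get(name, b""))
        return [payload for kind, _, payload in lists if kind == EFI_CERT_X509_GUID]
    findings = []
    if variables.get("SetupMode") != b"\x00":      # SetupMode == 0 means User Mode
        findings.append("not in User Mode")
    pk = x509("PK")
    if len(pk) != 1 or HP_PK_NAME not in pk[0]:    # heuristic: name as ASCII in the DER
        findings.append("PK is not the HP Platform Key")
    if not any(MS_KEK_NAME in cert for cert in x509("KEK")):
        findings.append("MS KEK missing")
    if not x509("db"):
        findings.append("db is empty")
    if parse_signature_lists(variables.get("dbx", b"")):
        findings.append("dbx is not empty")
    return findings

def make_list(payloads):
    """Build one constructed X.509-type list (stand-in bytes, not real certificates)."""
    body = b"".join(uuid.UUID(int=1).bytes_le + p for p in payloads)
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

SAMPLE = {"SetupMode": b"\x00", "PK": make_list([b"CN=" + HP_PK_NAME]), "dbx": b"",
          "KEK": make_list([b"CN=" + MS_KEK_NAME]), "db": make_list([b"constructed db cert"])}
```

An empty result from `audit_factory_state(SAMPLE)` means the variables match the defaults above; any returned string names the variable that differs.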