Search results
- 20.71Add to watchlist-0.07 (-0.34%)As of Tue. Apr 23, 2024 9:43 AM EDT · Delayed Quote (USD) · Market open
- Open20.90High20.90Low20.69
- Mkt Cap18.43BP/E (TTM)8.37Div & Yield1.41 & 6.77%
- Prev. Close20.7852 Wk. Low13.9052 Wk. High22.67
Related stocks
Sep 18, 2018 · I think you're supposed to change it from Custom back to Standard mode before enabling UEFI boot. dc2000 : larrycumming : there should somewhere in uefi/bios you can click install default Pk keys. You know if I click "key management" and then "Platform Key (PK)" and then pick "Set new" it creates it but then if click that PK again and go into ...
- there should somewhere in uefi/bios you can click install default Pk keys The Provision Factory Defaults should be the way to reinstall Microsoft k...
- Problem Solved with my asus. U have to insert flash drive with OS first. Then enrol platform pk to save the variable into flashdrive so that on boo...
- "TEST AMI" are the default keys shipped with your motherboard. Do you have a TPM installed? I think you're supposed to change it from Custom back t...
- I think you need to also make sure you enable UEFI boot mode and disable legacy devices.
- Overview
- 1. Secure Boot, Windows and Key Management
- 2. Key Management Solutions
- 3. Summary and Resources
- Appendix A – Secure Boot PKI checklist for manufacturing
- Appendix B – Secure Boot APIs
- Appendix C – Federal Bridge Certification Authority Certificate Policy Assurance Mappings
- Related topics
This document helps guide OEMs and ODMs in creation and management of the Secure Boot keys and certificates in a manufacturing environment. It addresses questions related to creation, storage and retrieval of Platform Keys (PKs), secure firmware update keys, and third party Key Exchange Keys (KEKs).
Windows requirements for UEFI and Secure Boot can be found in the Windows Hardware Certification Requirements. This paper does not introduce new requirements or represent an official Windows program. It is intended as guidance beyond certification requirements, to assist in building efficient and secure processes for creating and managing Secure Boot Keys. This is important because UEFI Secure Boot is based on the usage of Public Key Infrastructure to authenticate code before allowed to execute.
The reader is expected to know the fundamentals of UEFI, basic understanding of Secure Boot (Chapter 27 of the UEFI specification), and PKI security model.
Requirements, tests, and tools validating Secure Boot on Windows are available today through the Windows Hardware Certification Kit (HCK). However, these HCK resources do not address creation and management of keys for Windows deployments. This paper addresses key management as a resource to help guide partners through deployment of the keys used by the firmware. It is not intended as prescriptive guidance and does not include any new requirements.
On this page:
•1. Secure Boot, Windows and Key Management contains information on boot security and PKI architecture as it applies to Windows and Secure Boot.
The UEFI (Unified Extensible Firmware Interface) specification defines a firmware execution authentication process called Secure Boot. As an industry standard, Secure Boot defines how platform firmware manages certificates, authenticates firmware, and how the operating system interfaces with this process.
Secure Boot is based on the Public Key Infrastructure (PKI) process to authenticate modules before they are allowed to execute. These modules can include firmware drivers, option ROMs, UEFI drivers on disk, UEFI applications, or UEFI boot loaders. Through image authentication before execution, Secure Boot reduces the risk of pre-boot malware attacks such as rootkits. Microsoft relies on UEFI Secure Boot in Windows 8 and above as part of its Trusted Boot security architecture to improve platform security for our customers. Secure Boot is required for Windows 8 and above client PCs, and for Windows Server 2016 as defined in the Windows Hardware Compatibility Requirements.
The Secure Boot process works as follows and as shown in Figure 1:
1.Firmware Boot Components: The firmware verifies the OS loader is trusted (Windows or another trusted operating system.)
2.Windows boot components: BootMgr, WinLoad, Windows Kernel Startup. Windows boot components verify the signature on each component. Any non-trusted components will not be loaded and instead will trigger Secure Boot remediation.
•Antivirus and Antimalware Software initialization: This software is checked for a special signature issued by Microsoft verifying that it is a trusted boot critical driver, and will launch early in the boot process.
2.1 Metrics used
The following metrics can help you select a HSM PC based on the requirements of UEFI specification 2.3.1 Errata C and your needs. Public Key Infrastructure (PKI) related •Does it support RSA 2048 or higher? - The UEFI specification 2.3.1 Errata C recommends the keys to be RSA-2048 or better. •Does it have the ability to generate keys and sign? •How many keys can it store? Does it store keys on HSM or an attached server? •Authentication method for key retrieval. Some PCs support multiple authentication entities to be present for key retrieval. Pricing •What is the price point? HSMs can range in price from $1,500 to $70,000 depending on available features. Manufacturing environment •Speed of operation on factory floor. Crypto processors can speed up key creation and access. •Ease of setup, deployment, maintenance. •Skillset and training required? •Network access for backup and High Availability Standards and Compliance •What level of FIPS compliance does it have? Is it tamper resistant? •Support for other standards, for example, MS crypto APIs. •Does it meet government and other agency requirements? Reliability and disaster recovery •Does it allow for Key Backup? Backups can be stored both onsite in a safe location that is a different physical location than the CA computer and HSM and /or at an offsite location. •Does it allow for High Availability for disaster recovery? Public Key Infrastructure (PKI) related •Does it support RSA 2048 or higher? - The UEFI specification 2.3.1 Errata C recommends the keys to be RSA-2048 or better. •Does it have the ability to generate keys and sign? •How many keys can it store? Does it store keys on HSM or an attached server? •Authentication method for key retrieval. Some PCs support multiple authentication entities to be present for key retrieval.
This section intends to summarize the above sections and show a step by step approach:
1.Establish a secure CA or identify a partner to securely generate and store keys
If you are not using a 3rd party solution:
2.Install and configure the HSM software on the HSM server. Check your HSM reference manual for installation instructions. The server will either be connected to a standalone or network HSM.
For info about HSM configuration, see Section 2.2.1, 2.3 and Appendix C.
Most HSMs offer FIPS 140-2 level 2 and 3 compliance. Configure the HSM for either level 2 or level 3 compliance. Level 3 compliance has stricter requirements around authentication and key access and hence is more secure. Level 3 is recommended.
Setting up Secure Boot
1.Define security strategy (identify threats, define proactive and reactive strategy) as per the white paper in section 4. 2.Identify security team as per the white paper in section 4. 3.Establish a secure CA or identify a partner (recommended solution) to securely generate and store keys. 4.Identify policy for how frequently you will be rekeying keys. This may depend on if you have any special customer requirements like governments or other agencies. 5.Have a contingency plan in case the Secure Boot Key is compromised. 6.Identify how many PK and other keys will you be generating as per section 1.3.3 and 1.5. This will be based on customer base, key storage solution and security of PCs. You can skip steps 7-8 if you are using the recommended solution of using a 3rd party for key management. 7.Procure server and hardware for key management. – network or standalone HSM per section 2.2.1. Consider whether you will need one or several HSMs for high availability and your key back up strategy. 8.Identify at least 3-4 team members who will have an authentication token for authentication on HSM. 9.Use HSM or 3rd party to pre-generate Secure Boot-related keys and certificates. The keys will depend on the PC type: SoC, Windows RT or non-Windows RT. For more info, see Sections 1.3 through 1.5. 10.Populate the firmware with the appropriate keys. 11.Enroll the Secure Boot Platform Key to enable Secure Boot. See Appendix B for more details. 12.Execute any proprietary tests and HCK Secure Boot tests as per instructions. See Appendix B for more details. 13.Ship the PC. The PKpriv will likely never be used again, keep it safe.
Servicing (Updating firmware)
You may need to update firmware for several reasons such as updating an UEFI component or fixing Secure Boot key compromise or periodic rekeying of Secure Boot keys. For more info, see Section 1.3.5 and section 1.3.6.
1.Secure Boot API
The following APIs are related to UEFI/Secure Boot:
2.GetFirmwareEnvironmentVariableEx: Retrieves the value of the specified firmware environment variable.
3.SetFirmwareEnvironmentVariableEx: Sets the value of the specified firmware environment variable.
4.GetFirmwareType: Retrieves the firmware type.
1.Setting PK
1.Rudimentary
This level provides the lowest degree of assurance concerning identity of the individual. One of the primary functions of this level is to provide data integrity to the information being signed. This level is relevant to environments in which the risk of malicious activity is considered to be low. It is not suitable for transactions requiring authentication, and is generally insufficient for transactions requiring confidentiality, but may be used for the latter where certificates having higher levels of assurance are unavailable.
2.Basic
This level provides a basic level of assurance relevant to environments where there are risks and consequences of data compromise, but they are not considered to be of major significance. This may include access to private information where the likelihood of malicious access is not high. It is assumed at this security level that users are not likely to be malicious.
3.Medium
This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial.
Secure Boot Key Generation and Signing Using HSM (Example)
UEFI Validation Option ROM Validation Guidance
Find the latest KeyCorp (KEY-PK) stock quote, history, news and other vital information to help you with your stock trading and investing.
- 21.79 x 800
- 21.65
- 18.16 x 1200
- 21.66
This trust relationship enables the platform firmware and one or more operating systems to exchange information in a secure manner. The trust relationship uses two types of asymmetric key pairs: Platform Key (PK) The platform key establishes a trust relationship between the platform owner and the platform firmware.
Get the latest KeyCorp (KEY-PK) stock news and headlines to help you in your trading and investing decisions.
- 23.08 x 800
- 20.49
- 12.00 x 1000
- 20.58
Jun 1, 2011 · Identify roles. Procure server and hardware for key management. Recommended solution – network or standalone HSM. Consider whether you will need one or several HSM’s for high availability and also your key back up strategy. Set policy for how frequently will you be rekeying keys. Have a contingency plan for Secure Boot Key compromise.
Feb 13, 2024 · Set the registry key to Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot” -Name “AvailableUpdates” -Value 0x40. Run the following scheduled task as Start-ScheduledTask -TaskName “\Microsoft\Windows\PI\Secure-Boot-Update”. Reboot the machine twice after running these commands to confirm that the machine is ...
