Contact Us

UEFI Secure Boot Tutorial

Brian Richardson
UEFI Secure Boot Tutorial

Intel recently posted the "Practical UEFI Secure Boot" video series to YouTube, which address common questions about using this feature with Microsoft Windows 8 & Linux.
http://www.youtube.com/playlist?list=PLk2sjg_-F-McRbCBoVRkP1sYMbmDf6zJM

Information referenced by the videos is included below.

Required Security Credentials
Key Exchange Key (KEK): http://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt
There are two DB entries - one for Windows and one for the UEFI Certificate Authority (CA).

Windows DB: http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
UEFI DB: http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt

The UEFI DB entry allows binaries signed against the UEFI certificate authority to run when secure boot is enabled. This includes UEFI drivers, option ROMs and various Linux bootloaders. The Microsoft DB entries are specific to Microsoft Windows 8.

The GUID associated with these certificates is 77fa9abd-0359-4d32-bd60-28f4e78f784b

Generating a PK using OpenSSL
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt
openssl x509 -in PK.crt -out PK.cer -outform DER

For more information on signing UEFI code for use with Secure Boot, refer to the "Signing UEFI Applications and Drivers for UEFI Secure Boot" document at tianocore.org.