Those are the public keys and signature databases that Secure Boot uses to verify the signatures on boot components (Secure Boot checks signatures; it does not encrypt anything). They are stored as authenticated UEFI variables in non-volatile memory on the motherboard itself.

The Platform Key (PKpub) is installed into the firmware by the OEM during manufacture and is the root of the hierarchy: only an update signed with the PK can change the KEK. If the PK's private half gets compromised, the OEM will normally issue a firmware update to replace it.

The Key Exchange Key (KEKpub) is used to establish the trust relationship between the PC's firmware and an OS/application during Secure Boot. An OS vendor (and potentially a third-party application that needs to update the signature databases) has its public KEK enrolled in the firmware, usually pre-loaded by the OEM or stored during initial setup/first boot. An update signed with a key in KEK is what allows the db and dbx databases to be changed.

The Authorized and Forbidden Signature databases control which images are allowed to run. The Authorized Signatures database (db) contains public keys, certificates and hashes that represent trusted components and OS loaders. The Forbidden Signature database (dbx) contains hashes of malicious/vulnerable components and compromised keys/certificates that will not be allowed to execute. The firmware checks dbx first, so a dbx entry overrides a matching entry in db.

Finally, the Secure Firmware Update Key (not shown in the screenshot) is used to verify that any attempted firmware update was approved by the OEM for installation on that particular motherboard.
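As an added example (not code from the original post), here is a small Python parser for the contents of the db and dbx variables, which are sequences of EFI_SIGNATURE_LIST structures as defined in the UEFI specification, followed by the allow/deny decision described above. The two signature-type GUIDs are the specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID; the SignatureOwner GUID, the certificate bytes and the sample images are constructed placeholders, and the image is hashed as a whole file for simplicity rather than with the Authenticode PE hash that real firmware computes.

```python
"""Parse UEFI Secure Boot signature databases (db/dbx) and apply the
dbx-before-db decision Secure Boot makes for an image hash.

Added example; all sample data below is constructed, not real db/dbx content.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

SIG_LIST_HEADER = 28  # GUID (16) + three UINT32 fields (12)


def parse_signature_lists(blob: bytes):
    """Return [(signature_type, owner, data), ...] for every entry in a db/dbx blob.

    Layout of one EFI_SIGNATURE_LIST:
      GUID   SignatureType
      UINT32 SignatureListSize   (whole list, header included)
      UINT32 SignatureHeaderSize (vendor header, normally 0)
      UINT32 SignatureSize       (size of each EFI_SIGNATURE_DATA: owner GUID + data)
      UINT8  SignatureHeader[SignatureHeaderSize]
      EFI_SIGNATURE_DATA Signatures[]   (GUID SignatureOwner; UINT8 SignatureData[])
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        # EFI GUIDs use the mixed-endian (Windows GUID) byte order.
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16 or (list_size - SIG_LIST_HEADER - hdr_size) % sig_size != 0:
            raise ValueError("bad SignatureSize")
        pos = off + SIG_LIST_HEADER + hdr_size
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, datas):
    """Serialize one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("all SignatureData entries in one list must be the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + d for d in datas)
    header = sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size)
    return header + body


def secure_boot_verdict(image: bytes, db: bytes, dbx: bytes) -> str:
    """dbx wins over db; otherwise the hash must appear in db.

    Simplification: the whole file is hashed. Real firmware hashes the PE image
    the Authenticode way and also accepts a signature chaining to an X.509 entry in db.
    """
    digest = hashlib.sha256(image).digest()
    forbidden = {d for t, _, d in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID}
    if digest in forbidden:
        return "forbidden (dbx)"
    allowed = {d for t, _, d in parse_signature_lists(db) if t == EFI_CERT_SHA256_GUID}
    if digest in allowed:
        return "allowed (db hash)"
    return "rejected (not in db)"


# Constructed sample data (placeholder owner GUID and fake images).
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
TRUSTED_IMAGE = b"constructed: signed OS loader"
REVOKED_IMAGE = b"constructed: vulnerable old loader"
UNKNOWN_IMAGE = b"constructed: unsigned tool"


def sample_databases():
    """Build a constructed db (one X.509 list, one SHA-256 list) and a constructed dbx."""
    fake_cert = b"\x30\x82" + b"\x00" * 30  # placeholder bytes, not a real DER certificate
    db = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [fake_cert])
    db += build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                               [hashlib.sha256(TRUSTED_IMAGE).digest(),
                                hashlib.sha256(REVOKED_IMAGE).digest()])
    # The revoked loader is in db too; its dbx entry must still win.
    dbx = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                               [hashlib.sha256(REVOKED_IMAGE).digest()])
    return db, dbx


def demo():
    db, dbx = sample_databases()
    return {name: secure_boot_verdict(img, db, dbx) for name, img in
            (("trusted", TRUSTED_IMAGE), ("revoked", REVOKED_IMAGE), ("unknown", UNKNOWN_IMAGE))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a Linux machine the real variable contents can be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and the matching `dbx-...` file (skip the first 4 bytes, which are the variable attributes) and fed to `parse_signature_lists`; the revoked-loader case shows why a hash listed in dbx is rejected even though it is also present in db.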