Secure Boot Platform Key?

I am stumped on how to enable Secure Boot on my MSI Z87-G43 Gaming motherboard.
I have an MSI GTX770 flashed to GOP, I have my solid state drive set to GPT and UEFI with Windows 8.1 Pro installed. Windows 8 Boot, Fast Boot, etc. all work, except when I try to enable Secure Boot, it says:
 "secure boot can be changed only in user mode, try installing Platform Key (PK)"
What is the platform key and how can I enable it, or how can I get into user mode?
I thought maybe it meant set up a BIOS password, one for Administrator and one for User, so I did that and tried logging in under User, and no luck; instead everything is greyed out.
I tried googling that message's keywords but no luck...
Any ideas or help would be appreciated.

Thank you very much for the reply, just as you replied, I was about to write a follow up. I ended up stumbling upon a guide at Intel: https://communities.intel.com/community/vproexpert/blog/2012/06/26/microsoft-windows-8--enabling-secure-boot
Worked like a charm.
Set the mode from Standard to Custom, had it generate the factory keys, went back, set it back to Standard and it allowed me to enable Secure Boot.
Thanks!
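
An added example, not part of the original thread or of any vendor's tooling: the "user mode" in the firmware message above is the UEFI state in which a Platform Key is enrolled, as opposed to Setup Mode, where none is. This Python sketch classifies that state from the SetupMode, SecureBoot and PK variables as Linux exposes them under efivarfs; the state labels, advice strings and sample byte strings are constructed for illustration.

```python
from pathlib import Path

# EFI_GLOBAL_VARIABLE namespace GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point

# State labels are this example's own names, not firmware or Windows strings.
ADVICE = {
    "unsupported": "No Secure Boot variables: legacy BIOS/CSM boot or no Secure Boot support.",
    "setup-mode": "No PK enrolled (Setup Mode): install/restore factory keys, then enable.",
    "user-mode-disabled": "PK enrolled (User Mode) but enforcement is off: enable in setup.",
    "enforcing": "PK enrolled and Secure Boot is enforcing signature checks.",
    "inconsistent": "Variables contradict each other: re-read and check key management.",
}


def _payload(raw):
    """Strip the 4-byte attribute word efivarfs puts in front of the data."""
    if raw is None or len(raw) <= 4:
        return None
    return raw[4:]


def _flag(raw):
    """Return a one-byte boolean variable as an int, or None if absent."""
    data = _payload(raw)
    return data[0] if data else None


def classify(setup_mode, secure_boot, pk):
    """Map raw SetupMode, SecureBoot and PK contents to one of the ADVICE keys."""
    sm, sb = _flag(setup_mode), _flag(secure_boot)
    pk_enrolled = _payload(pk) is not None
    if sm is None and sb is None:
        return "unsupported"
    if sm is None or sb is None:
        return "inconsistent"
    if sm == 1:
        # Setup Mode means no PK, and enforcement cannot be active without one.
        return "inconsistent" if (pk_enrolled or sb == 1) else "setup-mode"
    if not pk_enrolled:
        return "inconsistent"
    return "enforcing" if sb == 1 else "user-mode-disabled"


def read_live(efivars_dir=EFIVARS_DIR):
    """Read the three variables from efivarfs; missing files become None."""
    out = []
    for name in ("SetupMode", "SecureBoot", "PK"):
        try:
            out.append((efivars_dir / f"{name}-{EFI_GLOBAL_GUID}").read_bytes())
        except OSError:
            out.append(None)
    return tuple(out)


# Constructed samples: little-endian attribute word followed by the data.
FLAG_ATTRS = bytes.fromhex("06000000")  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
PK_ATTRS = bytes.fromhex("27000000")    # NV | BS | RT | time-based authenticated write
FAKE_PK = PK_ATTRS + b"\x00" * 16       # placeholder, not a real signature list
SAMPLES = {
    "board with no keys": (FLAG_ATTRS + b"\x01", FLAG_ATTRS + b"\x00", None),
    "factory keys, not enabled": (FLAG_ATTRS + b"\x00", FLAG_ATTRS + b"\x00", FAKE_PK),
    "factory keys, enabled": (FLAG_ATTRS + b"\x00", FLAG_ATTRS + b"\x01", FAKE_PK),
    "legacy BIOS boot": (None, None, None),
}

if __name__ == "__main__":
    if EFIVARS_DIR.is_dir():
        state = classify(*read_live())
        print(f"this machine: {state}: {ADVICE[state]}")
    for label, variables in SAMPLES.items():
        state = classify(*variables)
        print(f"{label}: {state}: {ADVICE[state]}")
```

The "setup-mode" result corresponds to the situation in the question: the firmware refuses to turn Secure Boot on until a Platform Key has been installed.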

Similar Messages

  • ??? about - Key management/Clear secure boot keys/Key ownership - in BIOS

    Hi!
    Could anybody explain the options in BIOS
    Key management
    Clear secure boot keys - Don't clear
    Key ownership - HP keys
    What does "keys" mean... what is this? I don't have any idea...
    What will happen if I change it to CLEAR?
    Thank you.
    P.S. I tried to Google some info but unsuccessfully...

    Hi,
    HP has not published and posted any official documentation pertaining to operating system signature keys.
    Review this Microsoft article.
    HP DV9700, t9300, Nvidia 8600, 4GB, Crucial C300 128GB SSD
    HP Photosmart Premium C309G, HP Photosmart 6520
    HP Touchpad, HP Chromebook 11
    Custom i7-4770k,Z-87, 8GB, Vertex 3 SSD, Samsung EVO SSD, Corsair HX650,GTX 760
    Custom i7-4790k,Z-97, 16GB, Vertex 3 SSD, Plextor M.2 SSD, Samsung EVO SSD, Corsair HX650, GTX 660TI
    Windows 7/8 UEFI/Legacy mode, MBR/GPT

  • Secure Boot State On in Error?

    I am running Windows Server 2012 R2 Essentials as a VM on Hyper-V Server 2012 R2 (server core).  In checking MSINFO32 I see "Secure Boot State" is "On" for Essentials, but given my current configuration I believe this should be "Off?"
    I setup a new Hyper-V Server 2012 R2 (server core) using an Areca ARC-1224-8i RAID controller.  It was unclear to me whether or not the Areca RAID controller would support UEFI or not, but since Secure Boot was desirable I decided to try a UEFI installation.
     I created two volumes on the RAID controller.  C drive of 80 Gb and D drive of the remainder (about 9 Tb).  I checked the file C:\Windows\Panther\setupact.log and saw the message which told me this was an EFI installation/boot.
    After Hyper-V was installed I then setup Essentials as a VM on the D drive.
    When I ran MSINFO32 in both Hyper-V and Essentials and I saw the Secure Boot State was On which was expected (and desired) for both OS levels.
    Several days later I started having problems.  The system seemed to have crashed and during multiple attempts to reboot the Hyper-V server couldn't seem to detect the RAID controller.  If I tried a new Hyper-V installation and loaded the RAID driver the RAID controller was seen, but when Hyper-V itself tried to boot it seemed as though the RAID driver was not being loaded and thus the RAID controller could not be found (and along with it my C boot drive was missing)?
    Since I had some suspicion that the RAID controller might not support UEFI I decided to re-install Hyper-V, but this time using the Legacy BIOS.  After the installation was completed I again verified the setupact.log and saw BIOS rather than EFI (as expected).
    I then re-attached my Essentials VM (which was left untouched on the D drive) and got everything running again.
    But now when I check MSINFO32 within Hyper-V it showed Secure Boot State Off (expected given that UEFI was not used).  But when checking MSINFO32 within Essentials it showed Secure Boot State On.
    I thought one purpose of Secure Boot was to create a chain of trust.  Given that Hyper-V can no longer verify this chain (since UEFI is not used) I would have expected any VM running above Hyper-V to be in the same state, i.e., Secure Boot State Off?
    When the underlying Hyper-V layer changed I would have expected that to change Essentials view of the world?  So it looks to me as though this is not being handled correctly?
    Thanks for any assistance you can provide.
    P.S.  In case this makes any difference I am using a motherboard with a TPM and both the C and D drives were encrypted with BitLocker.  The C drive used a TPM key and the D drive had a password and was setup to autounlock.
    After I re-installed Hyper-V on the C drive I then manually entered the BitLocker password in order to access the Essentials VM on the D drive.
    Theokrat

    Sophia,
    Sorry for the delay.  Since I'm working other problems with this server it took a while before I could double check the configuration.
    In case it matters on this server I'm using an Asus Z87-WS motherboard.
    I'm setup for BIOS rather than UEFI boot.  There is a "Secure Boot" menu.
    Secure Boot State - Disabled
    Platform Key (PK) state - Unloaded
    OS Type - Windows UEFI Mode
    Then on the "Advanced Trusted Computing" menu I have -
    Security Device Support - Enabled
    TPM State - Enabled
    Pending Operation - None
    Current Status Information - Enabled
    TPM Enabled Status - Activated
    TPM Owner Status - Unowned
    When I initially installed the software (on my new RAID6 controller) I was in the process of enabling BitLocker when I ran into problems with the RAID6 controller.  I don't believe the state of the TPM should have any influence on the Secure Boot state anomaly I'm asking about?
    When I checked C:\Windows\Panther\Setupact.log there is a line in that file that confirms a BIOS boot.  When I logged onto Hyper-V Server 2012 R2 and ran MSINFO32 (as noted above) there is a line that also shows BIOS and Secure Boot state as Off (which is expected).  But within the VM running Essentials 2012 R2 when I run MSINFO32 I see a Secure Boot state of On (which is unexpected).  I don't recall off hand if MSINFO32 within Essentials showed BIOS or UEFI for the boot?  I think it was BIOS, but would have to double check.  (I won't be able to do that until I get issues with my RAID controller fixed.  Or until I give up and try some other method to setup the hard drives and re-install Essentials.)
    Thanks for your help.
    Theokrat

  • T450s downgrade Win 8.1 Pro to Win 7 Pro Secure Boot Process?

    Hi all, New owner of a T450S with 8.1 Pro. I have a Windows 7 Pro OEM disc (no serial number) that I can put on a USB thumb drive. Prior to owning a secure boot machine I would just format the hard drive and install Win 7. With secure boot and the downgrade I'm not sure how this works.
    1. Is the serial number that I have backwards compatible? Can I just format, install and use the 8.1 Pro serial number on my Lenovo?
    2. I believe I will have to disable secure boot but I'm not sure.
    Any help or link to a tutorial would be appreciated.
    Thanks
    Chrissy

    @ the OP,
    The article ColonelOneill linked says "You’ll need to activate by phone. Call up the phone number displayed in the activation window and explain that you’re exercising your Windows 8 Pro downgrade rights. Have your Windows 8 Pro key ready; you’ll need it to prove your PC has downgrade rights."
    Here's a link to Microsoft's description of how to activate a downgrade:  Understanding downgrade rights
    Z.

  • Windows 8.1 Ent eval enabled Secure Boot I think

    I want to get my laptop back to its original format.
    Currently dual booting Windows7/8.1
    During the installation of Windows 8.1 Enterprise evaluation it paused to say it was going to enable secure boot.  I didn't think much of it; I thought I could change it back from the BIOS.  Did it flash my firmware?  I checked the system status with msinfo32.exe; was legacy mode and with powershell; secure boot not supported.  I don't have any options to disable secure boot in the BIOS nor from within Windows -"I know how to disable it in windows 8.1".  I can't boot a foreign operating system, but I can boot a Microsoft OS which sounds like secure boot to me.  I want to get it back to running Windows 7 dual booting with Linux.  I use both at work and need both.  I made the mistake by loading the Eval on my primary laptop.  I read I need to revert back to Windows 7 completely, formatting and re-installing the OS.  Will this clear my secure boot simulation issue?  I have not changed the partitions or removed any O/S's.   What's the best way to proceed?

    Hi,
    I want to explain that Secure Boot is independent of the system; you can disable it in the UEFI interface.
    To disable Secure Boot, you can follow the steps below:
    1. Before disabling Secure Boot, consider whether it is necessary. From time to time, your manufacturer may update the list of trusted hardware, drivers, and operating systems for your PC. To check for updates, go to Windows Update, or check your manufacturer's website.
    2. Open the PC BIOS menu. You can often access this menu by pressing a key during the bootup sequence, such as F1, F2, F12, or Esc.
    Or, from Windows, hold the Shift key while selecting Restart. Go to Troubleshoot > Advanced Options: UEFI Firmware Settings.
    3. Find the Secure Boot setting, and if possible, set it to Disabled. This option is usually in either the Security tab, the Boot tab, or the Authentication tab.
    4. Save changes and exit. The PC reboots.
    I found an article that teaches how to install dual-boot Windows 7 and Ubuntu 12.04 on a PC with UEFI hardware:
    http://www.linuxbsdos.com/2012/10/11/dual-boot-windows-7-and-ubuntu-12-04-on-a-pc-with-uefi-hardware/
    Hope this helps.
    Roger Lu
    TechNet Community Support

  • X220 BIOS/Firmware - does it support "Secure Boot" under Windows 8?

    I am getting ready to install W8x64 Pro.  I have a X220 with the latest BIOS (1.36 if I recall correctly) using Windows 7x64 currently.  I have run the Upgrade Assistant and it says: "Secure Boot isn't compatible with your PC."  "Your firmware doesn't support Secure Boot so you won't be able to use it in Windows 8."
    Assuming when I install W8x64 bit I have "Boot to UEFI First" and "UEFI BIOS Only" set in the BIOS - and the SSD formatted as a GPT SSD - should Secure Boot work?
    The 1.36 BIOS is not listed as Windows 8 compatible.  I see there is a BIOS for the X230 that is W8 compatible but I am not going to install it.
    At any rate - for any of you X220 users - you can click on "System Information" in W8 or type in "msinfo32" in the run script and it will say whether "Secure Boot" is Unsupported or On.
    Here is a Lenovo link for installing W7 using UEFI but it does not mention whether you would be able to be in "Secure Mode" at the end. 
    http://support.lenovo.com/en_US/downloads/detail.page?DocID=HT051844
    Kent

    Latest firmware is supposed to support Windows 8. But I don't know what support is supposed to mean... I'd say that if you've installed under UEFI and it still doesn't enable, it doesn't.
    Though now that I think of it... After I installed using UEFI, I had to go back to the BIOS and change some setting. Reset-some-key or something. I can't restart the computer now but whenever I restart it I'll let you know which setting it was. (it can be several days)
    Good luck.
    If I helped you, please give me some kudos! ^^

  • Secure Boot Status: DISABLED. Cannot enable Secure Boot via BIOS.

    BIOS Security Page displays:
    Secure Boot ENABLED
    Secure Boot Status DISABLED
    I have attempted to ENABLE Secure Boot multiple times but Secure Boot Status remains DISABLED
    This problem occurred after BIOS Upgrade to v3.07
    I have Lenovo G510 Laptop
    Windows 8.1
    BIOS Version 79CN48WW (v3.07)
    I have tried the recommended solution of "Reset to Setup Mode" and "Restore Factory Keys".
    This did not solve the problem, Secure Boot Status still indicates DISABLED.
    Please suggest an alternative solution to this problem.

    I was scared to attempt the recommended solution of "Reset to Setup Mode" and "Restore Factory Keys", but it actually worked for me!
    U430p

  • Secure boot Software Reset

    Hi All
    Is it possible in any way to allow a system reset when booted in secure boot mode?
    Our setup on Zynq 7020
    1) eFuse AES key set
    2) eFuse AES only set
    3) encrypted FSBL in QSPI flash
    4) Fully encrypted boot.bin including linux ramdisk loaded
    We need a method to reboot the system from Linux once running; any attempt made results in a secure lockdown.
    What I would like to happen is basically a software triggered Power On Reset.
    Is this possible from within the Zynq?
    I haven't managed to find anything in the Technical Reference Manual
    Regards
    Alex
     

    I want to re-trigger the FSBL on a Zynq7020 after booting into a secure image using only software. Writing a 1 to register (PSS_RST_CTRL) results in a secure lockdown.
    My FSBL is:
    the_ROM_image:
    {
      [aeskeyfile] aes.nky
      [encryption=aes, bootloader] FSBL.elf
    }
    using the efuse AES key
    After booting the FSBL shows this:
    "User not allowed to do any system resets"
    This is from Xilinx's default FSBL
    Now once I have fully booted into Linux, I want to reboot the device. All the testing I have done results in secure lockdown. Now this may be the intended operation for a secure boot and it is impossible to do what I want without externally triggering a Power On Reset.
    If anyone knows if this is possible please let me know.

  • MJG's signed Shim for UEFI Secure Boot now available

    There have been a number of posts about EFI and Secure Boot recently, so I thought some people might be interested in this:
    http://mjg59.dreamwidth.org/20303.html
    That's Matthew Garrett's announcement of a signed binary version of his Shim boot loader. Basically, this program will boot on a computer with Secure Boot active in its default mode (with Microsoft's keys in the firmware) and then launch another boot loader (called grubx64.efi, although it could be something other than GRUB in that filename) that you sign with your keys. The end result is something that's more secure than disabling Secure Boot entirely and easier than installing your own Secure Boot keys. I haven't yet tried this version of the binary, so I can't provide help beyond pointing you to MJG's own blog, but I thought some people might want to know about it.
    FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

    kristof wrote: A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.
    Largely true, but:
    Secure Boot is here, and seems likely to stay. Given this fact, all Linux distributions (including Arch) need a way to cope with it. There are basically two choices: Provide instructions on how to deal with it (difficult because of system-to-system differences) or provide signed binaries (a boot loader at a minimum, or preferably a boot loader and kernel).
    It's possible to "provide" a signed binary by generating the key locally and signing it locally. This could be done by scripts in the installation process, for example. Of course, that still leaves a need to get the installer booted on a Secure Boot system, but that could be handled with the Linux Foundation's pre-bootloader.
    To be truly effective, Secure Boot really requires support all the way up the software chain. Signing a kernel does no good if the kernel can load unsigned modules, for instance. Fedora's taking steps to provide such security, but Ubuntu seems to be going with a more relaxed approach. In truth, Linux isn't as bothered by malware as is Linux, so it's unclear that going with a Fedora-esque approach is really helpful; but OTOH, it's conceivable that malware authors will start using Linux as a vector to install boot-time malware if Windows becomes sufficiently locked down, so maybe some paranoia is in order.
    At the moment and as a practical matter, technical Linux users (including most Arch users) will find it quicker and easier to disable Secure Boot than to use shim. As shim and various support tools (signing utilities, boot managers, etc.) mature, though, this may not be the case. It may also be desirable or even necessary to leave Secure Boot enabled, in which case adopting shim now may make sense. Likewise if you want to learn about it now so that you can use it in the future.

  • UEFI - Secure Boot & System partition

    What is the role of the System partition in Windows 8.1 & 7 for configuring UEFI & secure boot? Is it possible to deploy the OS using SCCM - OSD configured without a System partition and configure UEFI & secure boot?
    Thanks in advance. 

    Any idea if UEFI is compatible with SATA or SCSI drives? Is it compatible with SSD?
    Thanks,
    Jijukar

    My box has UEFI and it supports secure boot, and it only has SATA
    so in short, yes it will work fine
    SSD and hard disks are both fine
    secure boot works best with a trusted platform module if available
    Place your rig specifics into your signature like I have, makes it 100x easier!
    Hardcore Games Legendary is the Only Way to Play!
    Vegan Advocate How can you be an environmentalist and still eat meat?

  • G500 Secure Boot Status Disabled cant change

    Hi everybody
    I have a Lenovo G500 with Windows 8.1 Professional
    I use UEFI boot mode, but there is a problem with secure boot.
    In BIOS Page Security I have
      SECURE BOOT                   ENABLED       
      SECURE BOOT STATUS    DISABLED    I cannot change it although I try everything
    Windows 8.1 tells me in System Information (msinfo32) I have secure boot off.
    I don't have any watermark on my Desktop.
    I only want to use SECURE BOOT.
    I tried everything, but nothing helps me.

    Open the BIOS menu. If your secure boot is enabled, then in the security tab you will get two more options to "Reset to setup mode" and "Restore Factory Keys". Just hit enter on those two options.
    Then exit saving changes and enjoy.

  • Secure Channel and Key sharing

    Hi all,
    I'm new to this Java Card technology and in the last month I've been studying some documents and guidelines to develop a SIM Toolkit application.
    What I have in hand now will need to share keys for asymmetric encryption, so I will need to share a public key.
    So my main doubts are: when a Secure Channel is established from the card, the other point of the channel is the network operator, right? So to establish a secure connection I will need to get a secure channel in the install() method and send the random key to use in decryption? For this I read somewhere that there are APDU specific commands for keys.
    Maybe this is a little confusing but there are some concepts about this that aren't clear inside my head ;)
    If someone can provide me some answers or some guideline regarding this I would be very thankful.
    Regards

    Hi Shane,
    Thanks for your answers! So analysing what you said:
    safarmer wrote:
    Hi,
    igosneves wrote:
    What i have in hands now will need the share keys for asymmetric encryption, so i will need the share a public key.
    This is easy enough to do. When you install the Applet, you should be able to generate a key pair for this. Then when you need to encrypt data to the card, you can first send an APDU to retrieve the public key. Then use it to encrypt the data before sending back to the card.
    Yes, this can be done using APDU, but to retrieve the key do I have to use a specific APDU created by me? I ask this because I only found an APDU for the Put Key operation... :P
    igosneves wrote:
    So my main doubts are, when a Secure Channel is established from the card, the other point of the channel is the network operator right?
    Not sure what you mean by this, but the client application will be the other end of the secure channel. That is, the application communicating with the applet through APDU's.
    Yes, that is what I meant. The client application will be someone that is sending APDUs through a card reader or through an OTA platform, am I right?
    And what if I want to do something like have a server, generate the key pairs in that server and share the public key to the Applet so that I can send encrypted SMS from the mobile to the server? Is the process the same for sharing keys? Is the only way to put the key in the card using a card reader or OTA?
    igosneves wrote:
    So to establish a secure connection i will need get a secure channel in the install() method and send the random key to use in decryption? For this i read somewhere that there are APDU specific commands for keys.
    If you want to use a GP secure session you will need to ensure that the client knows the card platform keys. Since this is not an overly secure model (as you are using a secret key), you may want to focus on using the key pair you mentioned earlier in your post. If the platform keys are compromised it is possible for code to be added/removed from your card. You can either simply use the public key for securing data to the card, or you can use 2 asymmetric key pairs (client and server) to establish a symmetric session key (3TDEA?) for the secure session. You could model this off TLS/SSL.
    Cheers,
    Shane
    Thanks again,
    Rodrigo

  • Secure boot / win 8 / linux

    Could someone please inform me if it is possible to disable secure boot (to install other OSes) on the HP laptops being sold with win 8.
    Many thanks,
    Graham.

    Yeah, this is a problem:
    http://www.zdnet.com/linux-foundation-uefi-secure-boot-key-for-windows-8-pcs-delays-explained-700000...
    Since I don't have an HP with UEFI and Windows 8 I can't try this out for myself but as I understand it right now the only way to dual boot Windows 8 and Linux on a machine with UEFI is to disable secure boot. I suspect HP laptop BIOS may not have that option. Right now it appears the Linux world is waiting for Microsoft to issue some kind of a key to allow dual booting.
    http://www.zdnet.com/microsoft-explains-windows-8-boot-to-quell-linux-fears-3040094017/

  • MSI Z87 G45 + MSI R9 280X + Windows 8.1 secure boot difficulties

    After updating to Windows 8.1 Pro I had the "Secure Boot isn't configured properly" watermark as many others. I determined my disk is GPT partitioned, I enabled UEFI on the GPU by moving the physical switch from the 2 position to the 1 position, and enabled Windows 8 Feature + Secure Boot with standard settings in the G45 bios (ver 1.5). After doing save and reboot I'm presented with a blank screen with my monitor showing a "DVI no input" message. I reset the CMOS to allow me to boot again, but after a couple more tries with the secure boot settings such as enabling/disabling Fast Boot I have not been able to get it to work.
    System:
    MSI Z87 G45
    8GB DDR3 1600mhz Crucial ram
    I5-4670k
    MSI R9 280X
    Samsung 840 SSD 250gb
    Asus cd/dvd drive

    I want to know the same thing. I bought a MSI Z87-G45 Gaming motherboard this month and I can't activate Secure Boot on it because it's still in Setup Mode. I have no idea how to put the motherboard into User Mode and Google doesn't help me much further either. How to activate a key? I have a I5-5670K and GTX 770 by the way.

  • How to re-enable secure boot ?

    Hi All,
    On my X1 Carbon, I had to move from Win 8.1 pro to 8.1 Ent. I did a fresh install from scratch to only install what I need.
    During my setup, I had to disable Secure boot, to boot on a USB Key, install 8.1 Enterprise. Now that everything is working, I would like to re-enable the secure boot option.
    If I do it directly in the BIOS, the laptop doesn't boot any more.
    Any idea how to do it? Do I have to import a key from my 8.1 Ent to the BIOS or something like this?
    Thank you
    Christopher

    If you want to install Windows 8.1 in UEFI mode, and thus be able to Secure Boot it, you must set your machine to Secure Boot off, while installing, and in the Startup section of the BIOS, set UEFI/Legacy Boot to UEFI only.
    NB, for a USB device to be able to install a UEFI version, it must be formatted to Fat32. I have no clue why this is required, but it is. I have installed Vista / 7 / 8 in EFI/UEFI mode from a basic Fat32 drive for many years if required.
    I have seen this go wrong on a couple of machines, mainly because the HD is initialized as a MBR drive, and the generic MS Windows 8.1 ISO will not give you an option to initialize it as a GPT or a MBR drive, which the Recovery Media from Lenovo for Windows 8 actually does.
    You can then either use a Windows bootable media to enter Repair/Recovery mode, and formatting your HD through the DISKPART utility or what is simpler, boot up a liveCD image of gParted and clear your drive completely by initializing the drive as GPT, exit the utility and then installing Windows 8.1, which will, due to the UEFI only selection in the Startup procedure, boot up your Windows 8.1 installation in UEFI mode and once finished, you will be able to turn Secure Boot back on.
    Hope this helps!
    Cheers!
    ThinkPad W540 (20BG) - i7-4800MQ/24GB // ThinkPad T440s (20AQ) - i7-4600U/12GB
    ThinkPad T440p (20AW) - i7-4800MQ/16GB // ThinkPad Helix (3698-6EU) - i5-3337U/4GB
    ThinkPad W520 (4282-W4Q) - i7-2720QM/32GB // ThinkPad T400 (2767-W1C) - P9500/8GB
    ThinkPad T61 (7665-CTO) - T7700/4GB // ThinkPad T60p (8741-C2G) - T7400/4GB
