Security Tab#

Use the left or right arrow keys to select the Security tab. Use the up or down arrow keys to select items on the left pane of the tab. Use the Enter key to display available submenus for a selected item.

UEFI Security tab overview screen Security tab settings with password options

Security Tab

Setting

Description

Disable Block Sid and Freeze Lock

Override to allow SID authentication of TCG Storage device and to skip freeze lock command for SAT3 device. Modified value will be applicable only for next boot.

Administrator Password

Selecting this option enables users to set the Administrator password.

User Password

Selecting this option enables users to set the User password.

Media Sanitization#

Media Sanitization device selection screen

Device Name : Select the Device Name

Media Sanitization method type selection

Method Type : Select the Method Type

Media Sanitization specification selection

Specification: Select the Specification

Start device sanitization screen

Start This Device Sanitization : Start sanitizing will set up the configuration

Secure Boot#

Select Secure Boot to configure boot mode and manage keys.

Secure Boot configuration screen

Secure Boot: Allows users to enable and disable the secure boot feature. The default is Enabled. The secure boot feature is active when secure boot is enabled, Platform Key (PK) is enrolled, and the system is in User mode. A mode change requires a platform reset.

Restore Factory Keys: Forces the system to User mode and installs factory-default secure boot key databases.

Reset To Setup Mode: Delete the NVRAM content of all UEFI secure boot keys.

Expert Key Management: Enables a user to configure key management settings.

Expert Key Management#

Expert Key Management screen with secure boot variables

The expert key management accesses these formats:

  • Public Key Certificate: EFI Signature List, EFI CERT X509 (DER Encoded), EFI CERT RSA2048 (Bin), EFI SERT SHAXXX

  • Authenticated UEFI Variable

  • Authenticated UEFI Variable

  • Key Source: Factory, External, Mixed

Settings for key management:

  • Factory Key Provision: If enabled, install factory-default Secure Boot keys after platform reset. This applies only when the system is in setup mode.

  • Restore Factory Keys: To force the system to user mode, configure NVRAM to contain OEM-defined factory default secure boot keys.

  • Reset to Setup Mode: Delete all secure boot key databases from NVRAM.

  • Enroll EFI Image: Enables the image to run in secure boot mode. Enroll the SHA256 Hash certificate of a PE image into Authorized Signature database.

  • Export Secure Boot variables: Copy the NVRAM content of secure boot variables to files in a root folder on a file system device.

Secure Boot Variables

  • Platform Key (PK): Enables users to configure PK settings. Users can update the settings using a value from factory defaults or from a file in the file system.

  • Key Exchange Key (KEK): Enables users to configure KEK settings. Users can update or append this using value from factory defaults or from a file in the file system.

  • Authorized Signatures: Enables users to configure Authorized Signatures settings. Users can update or append this using value from factory defaults or from a file in the file system.

  • Forbidden Signatures: Enables users to configure Forbidden Signatures settings. Users can update or append this using value from factory defaults or from a file in the file system.

  • Authorized TimeStamps: Enables users to configure the settings of the Authorized TimeStamps. Users can update or append this using a value from factory defaults or from a file in the file system.

  • OsRecovery Signatures: Enables users to configure the settings of the OsRecovery Signatures. Users can update or append this using a value from factory defaults or from a file in the file system.

Device Signatures:

TCG Storage Security Configuration#

The TCG Storage Security Configuration screen is available when the TCG Storage device is selected.

This allows access to Set, Modify and Clear TCG Storage device Admin and User Password. The Admin Password must be installed first to enable TCG Storage Security. User Password can be created only when Admin password is installed. TCG Storage device can be locked and unlocked using Admin password alone, User password acts as optional credential to unlock the Device in POST. Set Admin/User Password options are greyed out when System enters Setup after Boot fail as Device security is frozen. Power-off, Power-on and press hot key to enter setup.

TCG Storage Security Configuration screen