Validating a certificate of origin
With the Windows Trusted Boot architecture and its establishment of a root of trust with Secure Boot, the customer is protected from malicious code executing in the boot path, because only signed, certified “known good” code and boot loaders can execute before the operating system itself loads.
The PKI establishes authenticity and trust in a system.
This paper is intended as guidance beyond certification requirements, to assist in building efficient and secure processes for creating and managing Secure Boot keys.
This is important because UEFI Secure Boot is based on the use of Public Key Infrastructure (PKI) to authenticate code before it is allowed to execute.
The reader is expected to know the fundamentals of UEFI and to have a basic understanding of Secure Boot (Chapter 27 of the UEFI specification) and the PKI security model.
Requirements, tests, and tools validating Secure Boot on Windows are available today through the Windows Hardware Certification Kit (HCK).
The UEFI (Unified Extensible Firmware Interface) specification defines a firmware execution authentication process called Secure Boot.
This paper does not introduce new requirements or represent an official Windows program.
Vishal Manan, Architect, OEM Consulting, [email protected]
van der Hoeven, Architect, OEM Consulting, [email protected]
This document helps guide OEMs and ODMs in the creation and management of the Secure Boot keys and certificates in a manufacturing environment.