Secure Boot configuration
Secure Boot is integrated in the UEFI specification on which the Hewlett Packard Enterprise implementation of UEFI is based. Secure Boot is implemented in the BIOS and does not require special hardware. Secure Boot ensures that each component launched during the boot process is digitally signed. Secure Boot also ensures that the signature is validated against a set of trusted certificates embedded in the UEFI BIOS. Secure Boot validates the software identity of the following components in the boot process:
- UEFI drivers loaded from PCIe cards
- UEFI drivers loaded from mass storage devices
- Preboot UEFI shell applications
- OS UEFI boot loaders
When enabled, only firmware components and operating systems with boot loaders that have an appropriate digital signature can execute during the boot process. Only operating systems that support Secure Boot and have an EFI boot loader signed with one of the authorized keys can boot. For more information about supported operating systems, see the UEFI System Utilities and Shell release notes for your server on the Hewlett Packard Enterprise website.
A physically present user can customize the certificates embedded in the UEFI BIOS by adding or removing their own certificates.
When Secure Boot is enabled, the System Maintenance Switch does not restore all manufacturing defaults when set to the ON position. For security reasons, the following are not restored to defaults when the System Maintenance Switch is in the ON position: