Secure Boot

Secure Boot is a server security feature that is implemented in the BIOS and does not require special hardware. Secure Boot ensures that each component launched during the boot process is digitally signed and that the signature is validated against a set of trusted certificates embedded in the UEFI BIOS. Secure Boot validates the software identity of the following components in the boot process:

  • UEFI drivers loaded from PCIe cards

  • UEFI drivers loaded from mass storage devices

  • Preboot UEFI Shell applications

  • OS UEFI boot loaders

When Secure Boot is enabled:

  • Firmware components and operating systems with boot loaders must have an appropriate digital signature to execute during the boot process.

  • Operating systems must support Secure Boot and have an EFI boot loader signed with one of the authorized keys to boot. For more information about supported operating systems, see the UEFI System Utilities and Shell Release Notes on the Hewlett Packard Enterprise website (http://www.hpe.com/info/ProLiantUEFI/docs.).

You can customize the certificates embedded in the UEFI BIOS by adding or removing your own certificates, either from a management console directly attached to the server, or by remotely connecting to the server using the iLO 4 Remote Console.

You can use the secboot command in the Embedded UEFI Shell to display Secure Boot databases, keys, and security reports.