Dell PowerEdge XE9680 - Page 57
Table 59. System Security details (continued)

Option / Description

    NOTE: BIOS update requires HECI devices to be operational, and DUP updates require the IPMI interface to be operational. This setting needs to be set to Enabled to avoid update errors.

SMM Security Mitigation
    Enables or disables the UEFI SMM security mitigation protections. It is set to Disabled by default.
Secure Boot
    Enables Secure Boot, where the BIOS authenticates each pre-boot image by using the certificates in the Secure Boot Policy. Secure Boot is set to Disabled by default.

Secure Boot Policy
    Allows selecting the Secure Boot Policy. When set to Standard, the BIOS uses the key and certificates from the system manufacturer to authenticate pre-boot images. When set to Linux(R) Boot, VMware(R) Boot, or Microsoft(R) Boot, the Secure Boot Policy includes only the certificates necessary for the corresponding operating system. When set to Custom, the BIOS uses the user-customized key and certificates.
    NOTE: If Custom mode is selected, the Secure Boot Custom Policy Settings menu is displayed.
    NOTE: Changing the default security certificates may cause the system to fail to boot from certain boot options.
    Secure Boot Policy is set to Standard by default.
Secure Boot Mode
    Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, dbx). If the current mode is set to Deployed Mode, the available options are User Mode and Deployed Mode. If the current mode is set to User Mode, the available options are User Mode, Audit Mode, and Deployed Mode.
    Below are the details of the different boot modes available in the Secure Boot Mode option.

    User Mode
        In User Mode, PK must be installed, and the BIOS performs signature verification on programmatic attempts to update policy objects. The BIOS allows unauthenticated programmatic transitions between modes.
    Audit Mode
        In Audit Mode, PK is not present. The BIOS does not authenticate programmatic updates to the policy objects or transitions between modes. The BIOS performs signature verification on pre-boot images and logs the results in the Image Execution Information Table, but executes the images whether they pass or fail verification. Audit Mode is useful for programmatic determination of a working set of policy objects.
    Deployed Mode
        Deployed Mode is the most secure mode. In Deployed Mode, PK must be installed and the BIOS performs signature verification on programmatic attempts to update policy objects. Deployed Mode restricts programmatic mode transitions.
Secure Boot Policy Summary
    Specifies the list of certificates and hashes that Secure Boot uses to authenticate images.

Secure Boot Custom Policy Settings
    Configures the Secure Boot Custom Policy. To enable this option, set the Secure Boot Policy to the Custom option.
UEFI CA Certificate Scope
    This field specifies how Secure Boot uses the UEFI CA certificate in the Authorized Signature Database (db). When this field is set to Device Firmware and OS, Secure Boot will apply the UEFI CA certificate to all images, including device firmware, operating system loaders, and UEFI applications. When this field is set to Device Firmware, Secure Boot will apply the UEFI CA certificate only to device boot firmware, such as UEFI drivers for RAID or NIC devices. In this case, operating system loaders and UEFI applications will not execute if they are signed only by the UEFI CA key, even though the UEFI CA certificate is in db. This field is configurable only when the Secure Boot Policy is
Pre-operating system management applications 57
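The Secure Boot Mode entry above defines the modes in terms of whether PK is installed and which policy-object updates and mode transitions the BIOS authenticates, and the Secure Boot Policy Summary entry describes db as the list of certificates and hashes that Secure Boot trusts. The script below is an added example, not Dell's code or text, showing how to verify that state from a booted Linux OS through efivarfs after the BIOS options are set: it maps the SetupMode, AuditMode and DeployedMode variables to the mode names the BIOS uses (the flag combinations and structure layouts are taken from the UEFI specification, which the page does not reproduce), and walks the EFI_SIGNATURE_LIST chain in db to enumerate each signature's type and owner. The efivarfs path, the constructed sample variable records, the owner GUID and the placeholder "certificate" bytes are assumptions for illustration; on a real server the values come from `read_efivar`.

```python
"""Check UEFI Secure Boot mode and enumerate db from efivarfs (added example).

Not Dell firmware or documentation code. Variable names, GUIDs and structure
layouts follow the UEFI specification; the sample data below is constructed.
"""
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"         # SecureBoot, SetupMode, AuditMode, DeployedMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# (SetupMode, AuditMode, DeployedMode) combinations the UEFI spec defines.
MODE_TABLE = {
    (1, 0, 0): "Setup Mode",     # no PK; policy objects writable without authentication
    (1, 1, 0): "Audit Mode",     # no PK; images verified and logged, but always executed
    (0, 0, 0): "User Mode",      # PK installed; unauthenticated mode transitions allowed
    (0, 0, 1): "Deployed Mode",  # PK installed; mode transitions restricted
}


def efivar_value(raw: bytes) -> bytes:
    """efivarfs prefixes each variable with a 4-byte attribute word; return the data after it."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than the attribute word")
    return raw[4:]


def read_efivar(name: str, guid: str, root: str = "/sys/firmware/efi/efivars") -> bytes:
    """Read one variable from efivarfs (Linux booted under UEFI); files are named NAME-GUID."""
    with open(f"{root}/{name}-{guid}", "rb") as fh:
        return efivar_value(fh.read())


def secure_boot_mode(setup_mode: int, audit_mode: int, deployed_mode: int) -> str:
    """Map the three one-byte mode variables to the mode names used in the BIOS setup table."""
    flags = (setup_mode, audit_mode, deployed_mode)
    if flags not in MODE_TABLE:
        raise ValueError(f"inconsistent Secure Boot mode flags {flags}")
    return MODE_TABLE[flags]


def parse_signature_lists(data: bytes) -> list:
    """Walk the EFI_SIGNATURE_LIST chain stored in PK/KEK/db/dbx and return one dict per entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:                       # GUID(16) + ListSize + HeaderSize + SigSize
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + 28 + header_size, off + list_size
        if list_size < 28 + header_size or end > len(data) or sig_size < 16 or (end - body) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        while body < end:                              # each EFI_SIGNATURE_DATA: owner GUID + payload
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=data[body:body + 16])),
                "data": data[body + 16:body + sig_size],
            })
            body += sig_size
        off = end
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (no signature header); used here to construct sample data."""
    sig_size = 16 + len(payloads[0])
    out = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(payloads), 0, sig_size)
    return out + b"".join(owner.bytes_le + p for p in payloads)


def summarize(raw_vars: dict) -> dict:
    """raw_vars maps variable name to its raw efivarfs record (attribute word + data)."""
    flag = lambda name: efivar_value(raw_vars[name])[0]
    return {
        "secure_boot_enabled": bool(flag("SecureBoot")),
        "mode": secure_boot_mode(flag("SetupMode"), flag("AuditMode"), flag("DeployedMode")),
        "db_entries": [(e["type"], e["owner"]) for e in parse_signature_lists(efivar_value(raw_vars["db"]))],
    }


# Constructed sample: a server in Deployed Mode with Secure Boot on; owner GUID and
# the X509 payload are placeholders (not a real certificate), attribute word = BS | RT.
ATTRS = struct.pack("<I", 0x06)
CONSTRUCTED_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (
    build_signature_list(EFI_CERT_SHA256_GUID, CONSTRUCTED_OWNER, [bytes([0xAA]) * 32, bytes([0xBB]) * 32])
    + build_signature_list(EFI_CERT_X509_GUID, CONSTRUCTED_OWNER, [b"\x30\x82" + b"\x00" * 30])
)
SAMPLE_VARS = {
    "SecureBoot": ATTRS + b"\x01", "SetupMode": ATTRS + b"\x00",
    "AuditMode": ATTRS + b"\x00", "DeployedMode": ATTRS + b"\x01", "db": ATTRS + SAMPLE_DB,
}

if __name__ == "__main__":
    print(summarize(SAMPLE_VARS))
```

On a live system, replace `SAMPLE_VARS` with records read through `read_efivar` (the four flag variables under `EFI_GLOBAL_VARIABLE_GUID`, db under `EFI_IMAGE_SECURITY_DATABASE_GUID`); since the table notes Secure Boot is disabled by default and that Deployed Mode is the most secure mode, the check a practitioner wants after provisioning is `secure_boot_enabled` true and `mode` equal to "Deployed Mode", with only expected owners in `db_entries`.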