Supermicro X12 - User Manual

This document outlines the secure boot configuration instructions for Supermicro X12 motherboards, designed for system integrators, IT technicians, and knowledgeable end-users. It focuses on enabling and managing the Secure Boot feature within the Unified Extensible Firmware Interface (UEFI) BIOS.

Function Description

Secure Boot is a critical security feature integrated into the UEFI BIOS. Its primary function is to enhance system security by preventing unauthorized drivers and operating system loaders from booting. This is achieved by ensuring that all boot loaders are digitally signed and validated before the system starts. If a boot loader lacks an acceptable digital signature or if the signature is invalid, Secure Boot will prevent it from loading, thereby protecting the system from malicious software, rootkits, and other unauthorized code that might attempt to compromise the boot process. The X12 motherboards, based on 3rd Gen Intel® Xeon® Scalable Processors, leverage this feature to provide a more secure computing environment. Proper configuration of Secure Boot settings is essential for the secure operation of the machine.

Usage Features

The configuration process for Secure Boot involves several key steps within the UEFI BIOS Setup utility.

1. Setting Boot Mode to UEFI: Secure Boot is a UEFI-specific feature, so the first step is to ensure that the system's boot mode is set to UEFI. This is done by accessing the BIOS Setup utility (typically by pressing <Del> during system boot), navigating to the "Boot" tab, and selecting "UEFI" from the "Boot Mode Select" options. After making this change, the settings must be saved, and the system rebooted for the changes to take effect.

2. Enabling Secure Boot and CSM Support: After setting the boot mode to UEFI, the next step is to enable the Secure Boot feature itself. Within the BIOS Setup utility, under the "Security" tab, users will find the "Secure Boot" menu. Here, "Secure Boot" needs to be set to "Enabled." Concurrently, "CSM Support" (Compatibility Support Module) must be disabled. Disabling CSM ensures that the system operates exclusively in UEFI mode, which is a prerequisite for Secure Boot. Once these settings are adjusted, saving and exiting the BIOS Setup utility will apply the changes. It's important to note that once Secure Boot is enabled, CSM Support will become disabled automatically, and the legacy platform will no longer be supported. Only authorized UEFI applications, such as UEFI OS, AOC UEFI FW, and UEFI PXE server, will be allowed to run on the platform.

3. Secure Boot Mode Configuration: Within the "Secure Boot" menu, users can set the "Secure Boot Mode" to either "Standard" or "Custom."

   • Standard Mode: In this mode, the manufacturer's default Secure Boot keys are installed. When setting the mode to "Standard," the system will prompt the user to confirm the installation of these default keys. This simplifies the setup process for most users, as it pre-provisions the necessary keys for secure operation with commonly used operating systems. When in "Standard" mode, the "Key Management" menu, which allows for advanced key manipulation, will not be available.
   • Custom Mode: This mode provides advanced users with the flexibility to configure Secure Boot policy variables manually. In "Custom" mode, Secure Boot policy variables can be configured by a physically present user without requiring full authentication. This mode is essential for users who wish to use their own Secure Boot keys or manage specific certificates.

4. Key Management Settings (Custom Mode Only): The "Key Management" menu is accessible only when "Secure Boot Mode" is set to "Custom." This menu allows for the installation, export, update, append, and deletion of various Secure Boot keys and signatures. The key hierarchy in Secure Boot includes:

   • Platform Key (PK): This key provides full control over the key hierarchy. Users can view its details, export it to a FAT-formatted USB flash drive, update it (either by loading manufacturer defaults or from an external file), or delete it (which resets the system to Setup mode).
   • Key Exchange Key (KEK): Held by the operating system vendor, the KEK protects the signature database from illegal access. Options include viewing details, exporting, updating (loading manufacturer defaults or from an external file), appending (adding new keys), or deleting (clearing all KEKs or deleting a single certificate).
   • Authorized Signatures (DB): This database contains authorized signing certificates and digital signatures. Users can view details, export the current DB to a USB drive, update it (loading manufacturer defaults or from an external file), append variables to the existing DB, or delete entries (clearing the entire DB or a single certificate).
   • Forbidden Signatures (DBX): This database contains forbidden certificates and digital signatures, preventing them from booting. Similar to DB, users can view details, export, update, append, or delete entries from DBX.
   • Authorized TimeStamps (DBT): This database issues and checks signed timestamp certificates. Options include viewing details, exporting, updating, appending, or deleting entries from DBT.
   • OsRecovery Signatures (DBR): This database contains recovery variables authorized by Secure Boot. Users can view details, export, update, append, or delete entries from DBR.

Maintenance Features

The Secure Boot configuration includes several features that aid in maintaining the integrity and security of the boot process:

1. Restore Factory Keys: This option, available under "Key Management," allows users to restore the manufacturer's default Secure Boot keys. Selecting "Yes" will install these keys and reset the system to User mode, ensuring a known secure state. This is useful if custom keys become corrupted or if the user wishes to revert to the default security configuration.

2. Reset To Setup Mode: When the system is in User mode, this feature allows users to clear all Secure Boot values and reset the system to Setup mode. This is a more drastic reset than restoring factory keys and can be used to completely reconfigure Secure Boot from scratch.

3. Export Secure Boot Variables: This feature enables users to export the current Secure Boot values (PK, KEK, DB, DBX, DBT, DBR) to files in a root folder on a file system device, typically a FAT-formatted USB flash drive. This is crucial for backup purposes, allowing users to restore their specific Secure Boot configurations if needed.

4. Enroll EFI Image: This feature allows users to enroll SHA256 hash binary data into the Authorized Signature Database (DB). This enables specific PE images (e.g., custom boot loaders or drivers) to run in Secure Boot mode, providing flexibility for specialized system configurations while maintaining security.

5. Device Guard Ready Options:

   • Remove 'UEFI CA' from DB: This option allows for the removal of the Microsoft UEFI CA certificate from the database, particularly relevant when the system is not in Device Guard Ready mode. This provides control over which Certificate Authorities are trusted during the boot process.
   • Restore DB defaults: This feature restores the DB variables to the manufacturer's default settings, which can be useful for troubleshooting or reverting unwanted changes to the authorized signature database.

These features collectively provide comprehensive control over the Secure Boot environment, allowing for both simplified default configurations and advanced, customized security management. The emphasis on digital signatures and key management ensures that the X12 motherboards maintain a robust defense against unauthorized boot processes, contributing to overall system integrity and reliability.