Secure Boot Objects
Secure Boot Objects are essential files that either contain the initial defaults for a platform or the update files that can apply the most recent DB (Database) or DBX (Revoked Signatures Database) during Secure Boot Maintenance in the lifecycle of a device.
Typically, an Original Equipment Manufacturer (OEM) selects the defaults for a device when the firmware is built. These defaults are what the firmware will revert to if Secure Boot is ever reset (disabled and re-enabled).
During Secure Boot Enablement, which may occur during manufacturing, these defaults are used. The OEM might offer multiple 'templates' for a user to choose from, although many implementations only have a single template. In practice, this process can vary depending on the implementation.
For more details on globally defined variables and their properties, you can refer to the Globally Defined Variables.
There are two forms of Secure Boot Objects.
- Signed Objects (A.K.A. Authenticated Variable)
- These contain the EFI_SIGNATURE_LIST
- Historically these were available on uefi.org/revocationlistfile
- Authenticated variables are used when a platform has Secure Boot enabled and a running operating system.
- The Public Key of the signer of the authenticated variable must be trusted. For DB and DBX, the signer must be in the KEK (Key Exchange Key). For KEK, the signer must be in the PK (Platform Key).
- Unsigned (A.K.A. EFI_SIGNATURE_LIST)
- Historically, these are the result of using SplitDbx.ps1 on a Signed Object.
- These may be used by firmware or by the OS if Secure Boot is disabled.
Understanding these Secure Boot Objects and their types is crucial for maintaining the integrity and security of a platform's boot process.