Method to prioritize available certificates when loading Option ROMs Disclosure Number: IPCOM000239015D
Publication Date: 2014-Oct-01
Document File: 2 page(s) / 30K

Disclosed is a set of methods to allow a user to prioritize bootable devices based on certificates during secure boot.

Method to prioritize available certificates when loading Option ROMs

Secure boot prevents unauthorized operating systems and software from loading during the startup process.

For example, a database has certificates A, B, and C. The user wants to boot from a particularly signed device(s) first. Assume the following:

 A = Microsoft signing

 B = The user's signing

 C = SUSE Solid Driver signing

However, when a Peripheral Component Interconnect (PCI) scan is performed on the system, each device's Option Read Only Memory (ROM) is validated against each of the certificates; thus, as long as it validates, it is loadable.

Currently, when a PCI scan is done on a system, each device found is listed whether or not it is signed Option ROM. Additionally, there is no notion of limiting the pool of UEFI certificates beyond going to custom mode and removing certificates. In custom mode, the user can remove Key Exchange Keys (KEKs), databases (dbs), and forbidden databases (dbxs). The user goes through the list of devices, and the first one found in the scan is then validated. If it is signed by a particularly signed device (e.g., A, B, or
C), then it loads and executes. Therefore, there is no prioritization being done for certificates. No consideration is given to the certificate used to validate. If the system finds any one match, it can be loaded and executed.

The novel solution presented herein allows a user to prioritize bootable devices based on certificates. The core idea comprises three methods:

1. Prioritize the use of certificates in loading Option ROMs. When Option ROMs are loaded, the boot sequence decides from which hard disk to boot...