mb447

System does not boot after configuring customized Secure Boot environment

HP Z4 G4 Workstation
Linux

I'm trying to set up a customized Secure Boot environment [1] on an HP Z4 G4 Workstation system, product number 1JP11AV, with UEFI firmware P61 v2.40, and with Red Hat Enterprise Linux 7.6 installed.
The steps I took were as follows:

  • From the UEFI firmware menu:
    • Enable Secure Boot
    • Clear the TPM
    • Boot into Linux
  • Using the efi-updatevar utility:
    • Write my own KEK-signed DB (including only my own certificate; not the MS UEFI CA cert, or any HP certs)
    • Write my PK-signed KEK
    • Write the PK itself
  • Reboot the system

At this point, the system no longer starts up. There is no output on the display, and there are no blinking LEDs or audible beeps to help diagnose the problem. Removing the graphics card or the RAM does not change the situation in any way. The situation also does not change after attempting to reset the CMOS by pressing the button, or removing the RTC battery.
The system board was already replaced once, and as my assumption was that this was an issue with the original system board, I tried the same steps with the new board - unfortunately with the same results. I've used the same steps on an older Dell system, but that one had much older UEFI firmware that didn't verify signatures on any other devices (e.g., graphics card or network interface).

 

The HPE Secure Boot Customization guide [1] lists in the assumptions "The default Signature Database (DB) will be modified in such a way that all database entries are imported, from customized, or user specified Keys", but it does not specifically say that all database entries SHALL be imported. Is this a known restriction? In any case, I would assume that, if some expected certificates are missing, the system would show an error and allow an administrator to get into the BIOS/UEFI firmware menu to address the situation.

 

[1] https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00068482en_us&docLocale=en_US
