locked
can't boot up after enabling secureboot by enrolling db/dbx/pk/kek RRS feed

  • Question

  • I was doing WHCK testing  and came to secure boot logo test case . The system can't boot up after I provisioned db/dbx/KEK/PK.  The certificates used for generating db/kek are "db_MSFTproductionWindowsSigningCA2011.cer" and "KEK_MSFTproductionKekCA.cer".
    What can I do next to boot up my system ?
    Thursday, December 6, 2012 9:01 AM

All replies

  • which build that you are testing it on? is it Windows 8 RTM ?

    Thursday, December 6, 2012 7:41 PM
  • You may also need "db_MSFTproductionUEFIsigningCA.cer" in "db".  This is required for most add-on UEFI hardware and software, for example, plug in video and storage adapters.  Test case 00-EnableSecureBoot in the RTM and earlier builds of the Secure Boot Manual Logo Test did not automatically install this certificate, but a patch has shipped to address this. 

    Best Regards,

    J Cox [MSFT]

    “This posting is provided AS IS with no warranties, and confers no rights.”

    • Edited by JJ Cox Thursday, December 6, 2012 10:09 PM
    Thursday, December 6, 2012 8:39 PM
  • As far as I know,  per device debug policy needs to be provisioned after production db/dbx/kek/pk are enrolled. So how can I generate per device debug policy? Is there any tool needed for this?

    Friday, December 7, 2012 9:26 AM
  • By the way , according to the OEM who supplied drivers to us , the drivers in the device were not production signed. In this case , how can I boot up the system after I enrolled production db/dbx/kek/pk?
    Monday, December 10, 2012 3:11 AM
  • dear zy,

    This conversation is beginning to infringe upon NDA type subject. Please discontinue discussing this type of information and get in touch with your NDA contacts for further assistance.


    Best Regards, J Cox [Microsoft] “This posting is provided AS IS with no warranties, and confers no rights.”


    • Edited by JJ Cox Monday, December 10, 2012 6:36 PM
    Monday, December 10, 2012 6:36 PM