Some questions about secure boot platform key generation and provision

  • Question

  • Dear Sir/Madam, 

    I use certreq.exe -new request.inf PK.cer to generate a Platform Key and it can be used to enable secure boot.

    My question is: 

    1. How do I get the private key part? 

    2. According to the UEFI spec, there is no need to use the PK to sign the KEK; the PK is used to enter user mode to inject the KEK. But according to the MS doc, the PK is used to sign the KEK. Why? 

    3. How do I get the following two scripts, and how do I use them? 

    • subcreate_set_PK_example_initial_provisioning_example.ps1. Used by the signtool to sign the PK comes later in the servicing case.

    • subcreate_set_PK_service_example.ps1. Since we are dealing with the HSM case, the following line applies in the script applies.

    Thanks a lot. 

    - Shirley 



    Thursday, June 20, 2019 8:33 AM