The purpose of this article is to provide a common method for installing both the Microsoft and ggCircuit Secure Boot certificates into the UEFI key stores (PK, KEK and db) of a computer system using KeyTool.
Flash Drive Preparation
- Download KeyTool.zip and extract it to the root of any flash drive.
Name the drive something memorable such as "ggDrive" or "KEYTOOL" to make it easy to differentiate between the USB drive and any other drives installed in this PC.
NOTE:
Make sure the directory structure of the flash drive looks like the following after extracting the contents of KeyTool.zip to it.
G:\>dir /S
Volume in drive G is ggDrive
Volume Serial Number is GGCI-RCUIT
Directory of G:\
08/20/2024 06:50 PM <DIR> EFI
08/20/2024 06:42 PM 2,056 GG.auth
08/20/2024 06:42 PM 781 GG.cer
08/20/2024 06:42 PM 1,462 MicCorKEK2KCA2023.cer
08/20/2024 06:42 PM 1,462 MicCorUEFCA2011_2011-06-27.cer
08/20/2024 06:42 PM 1,462 microsoft uefi ca 2023.cer
08/20/2024 06:42 PM 1,454 MicWinUEFICA2023.cer
08/20/2024 06:42 PM 1,499 MS_CA_2011.cer
08/20/2024 06:42 PM 1,516 MS_KEK_2011.cer
8 File(s) 11,692 bytes
Directory of G:\EFI
08/20/2024 06:50 PM <DIR> .
08/20/2024 06:50 PM <DIR> ..
08/20/2024 06:42 PM <DIR> BOOT
0 File(s) 0 bytes
Directory of G:\EFI\BOOT
08/20/2024 06:50 PM <DIR> .
08/20/2024 06:50 PM <DIR> ..
08/20/2024 06:42 PM 136,192 BOOTX64.efi
1 File(s) 136,192 bytes
Total Files Listed:
9 File(s) 147,884 bytes
6 Dir(s) 1,435,224,072,192 bytes free
G:\>
Certificate Installation
- Plug the flash drive into the computer and enter the firmware (BIOS/UEFI) setup menu by pressing <F2>, <Del>, or <ESC> according to the manufacturer's instructions.
- Put the platform in setup mode. This can be done by deleting the "Platform Key (PK)" or by clearing the Secure Boot keys. Setup mode is required for two reasons: Secure Boot is not enforced while no PK is present, so KeyTool can be launched regardless of how it is signed, and the firmware will accept new KEK and db entries without requiring them to be signed by the existing PK or KEK.
- Boot the PC from the flash drive. KeyTool is stored on it as EFI\BOOT\BOOTX64.efi, so the drive boots straight into KeyTool. Typically this involves pressing <F8> to access the boot menu.
- When KeyTool loads, choose the second menu item "Edit Keys".
Key Exchange Key Database (KEK)
- Choose "The Key Exchange Key Database (KEK)".
- Select "Add New Key".
- Navigate to and select the file "GG.cer".
- Repeat the process for the files "MicCorKEK2KCA2023.cer" and "MS_KEK_2011.cer".
Allowed Signatures Database (db)
- Select "The Allowed Signatures Database (db)".
- Select "Add New Key".
- Navigate to and select the file "MicWinUEFICA2023.cer".
- Repeat the process for the files "MS_CA_2011.cer", "MicCorUEFCA2011_2011-06-27.cer", "microsoft uefi ca 2023.cer" and "GG.cer".
NOTE:
The db is the list of certificates whose signed binaries the firmware will boot. The Microsoft Windows CA entries (2011 and 2023 generations) cover the Windows boot manager, the Microsoft UEFI CA entries cover third-party option ROMs and boot loaders, and GG.cer allows binaries signed by ggCircuit. Both the 2011 and 2023 certificates are installed so that binaries signed under either generation continue to boot.
Platform Key (PK)
- Select "The Platform Key (PK)".
- Choose "Replace Key(s)".
- Navigate to and select the file "GG.auth".
- Choose "Replace Key(s)".
NOTE:
Install the PK last. Writing a PK takes the platform out of setup mode, after which the firmware only accepts KEK changes signed by the PK and db changes signed by a KEK. This is also why the PK file is "GG.auth" rather than a .cer: the PK must be written as a time-based authenticated variable update, and the .auth file is the certificate already wrapped in that format.
Final BIOS Configuration
- Press <CTRL> + <ALT> + <DEL> to reboot the computer.
- Unplug the USB drive.
- Boot into the firmware setup menu again (the same key as before, typically <F2>, <Del>, or <ESC>; some systems use <F10>).
- In BIOS, navigate to "Boot Options".
- Enable "Secure Boot" (some manufacturers may refer to this as "Windows UEFI Mode").
NOTE:
Writing the PK takes the platform out of setup mode. On some firmware this automatically enables Secure Boot; on other platforms Secure Boot must be enabled manually as outlined above.
NOTE:
If you cleared all Secure Boot keys rather than deleting only the PK, the forbidden signatures database (dbx) is now empty as well; this procedure does not repopulate it.
NOTE:
If you boot to Windows and run msinfo32.exe, you should see that the BIOS Mode is "UEFI" and the Secure Boot State is "On".
You may also confirm Secure Boot status with the "Confirm-SecureBootUEFI" PowerShell cmdlet, run from an elevated prompt. If it returns True, Secure Boot is enabled.
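Confirm-SecureBootUEFI only reports that Secure Boot is on; it does not tell you which certificates actually landed in PK, KEK and db. The following PowerShell script is an added example (not code from the ggCircuit article or from KeyTool) that reads the three variables with Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST structures they contain, prints each certificate's subject and thumbprint, and checks that every .cer file installed in the steps above is present. It assumes the flash drive is still mounted as G:\, that the .cer files are DER-encoded X.509 certificates, and that GG.auth carries the same ggCircuit certificate as GG.cer (so GG.cer can be used to check the PK); none of these is stated in the article. Run it from an elevated PowerShell prompt on the target PC.

```powershell
# Added example, not part of the ggCircuit article: verify the installed Secure Boot keys.
# Requires administrator rights and a UEFI platform (Get-SecureBootUEFI needs both).
#
# Assumptions not stated in the article: the flash drive is G:\, the .cer files are
# DER-encoded X.509, and GG.auth carries the same certificate as GG.cer.

$CertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$CertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-ByteSlice([byte[]]$Buffer, [int]$Start, [int]$Count) {
    $out = [byte[]]::new($Count)
    [Buffer]::BlockCopy($Buffer, $Start, $out, 0, $Count)
    return ,$out   # leading comma keeps the byte[] from being unrolled
}

function Read-EfiSignatureLists([byte[]]$Bytes) {
    # Walk the chain of EFI_SIGNATURE_LIST structures in a raw Secure Boot variable:
    #   GUID SignatureType; UINT32 SignatureListSize, SignatureHeaderSize, SignatureSize;
    #   SignatureHeader; then EFI_SIGNATURE_DATA entries (16-byte owner GUID + data).
    # Emits one object per entry with the certificate subject and SHA-1 thumbprint.
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new((Get-ByteSlice $Bytes $offset 16))
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            $owner = [guid]::new((Get-ByteSlice $Bytes $pos 16))
            $data  = Get-ByteSlice $Bytes ($pos + 16) ($sigSize - 16)
            $entry = [pscustomobject]@{ Type = $type; Owner = $owner; Subject = ''; Thumbprint = '' }
            if ($type -eq $CertX509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject    = $cert.Subject
                $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $CertSha256Guid) {
                # Hash entries (normally only seen in dbx): report the hash in the thumbprint column.
                $entry.Subject    = '(SHA-256 hash entry)'
                $entry.Thumbprint = [BitConverter]::ToString($data).Replace('-', '')
            } else {
                $entry.Subject = "(unhandled signature type $type)"
            }
            $entry
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

function Get-CerThumbprint([string]$CerPath) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath).Thumbprint
}

$drive = 'G:'   # assumption: drive letter of the KeyTool flash drive
$expected = [ordered]@{
    PK  = @("$drive\GG.cer")   # assumption: GG.auth wraps the certificate in GG.cer
    KEK = @("$drive\GG.cer", "$drive\MicCorKEK2KCA2023.cer", "$drive\MS_KEK_2011.cer")
    db  = @("$drive\GG.cer", "$drive\MicWinUEFICA2023.cer", "$drive\MS_CA_2011.cer",
            "$drive\MicCorUEFCA2011_2011-06-27.cer", "$drive\microsoft uefi ca 2023.cer")
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
foreach ($name in $expected.Keys) {
    $entries = @(Read-EfiSignatureLists -Bytes (Get-SecureBootUEFI -Name $name).Bytes)
    "== $name ($($entries.Count) entries) =="
    $entries | ForEach-Object { '  {0}  {1}' -f $_.Thumbprint, $_.Subject }
    foreach ($cer in $expected[$name]) {
        $state = if ($entries.Thumbprint -contains (Get-CerThumbprint $cer)) { 'present' } else { 'MISSING' }
        '  [{0}] {1}' -f $state, (Split-Path $cer -Leaf)
    }
}
```

Any line marked MISSING means the corresponding KeyTool step did not take effect and should be repeated from setup mode. Because the PK check relies on the assumption that GG.auth contains the GG.cer certificate, a MISSING result for PK should be read together with the subject line printed for the PK entry. Get-SecureBootUEFI also accepts -Name dbx if you want to confirm whether the forbidden signatures database is empty after clearing the keys.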