Secure Boot Investigation Playbook
A firmware engineer playbook for Secure Boot failures involving PK, KEK, db, dbx, SetupMode, signatures, and EFI_SECURITY_VIOLATION.
An EFI application runs on one machine but fails on another.
The only clue is EFI_SECURITY_VIOLATION or a silent return to the boot menu.
Do not start by resigning everything. First, classify Secure Boot state.
Check SecureBoot and SetupMode
A platform can have SecureBoot disabled, enabled, or be in setup mode depending on PK state.
Check PK and KEK
PK controls platform owner state. KEK authorizes updates to signature databases.
Check allowed signatures
db contains trusted certificates or hashes.
Check revoked signatures
dbx can block an image even when it otherwise looks trusted.
Check the EFI binary signature
Verify whether the image is signed, by whom, and whether the chain matches db.
Check boot path and error handling
Confirm whether BDS logs EFI_SECURITY_VIOLATION, skips the option, or falls back.
Shell checks
Shell> dmpstore SecureBoot
Shell> dmpstore SetupMode
Shell> dmpstore PK
Shell> dmpstore KEK
Shell> dmpstore db
Shell> dmpstore dbxSymptom map
| Item | Value | Note |
|---|---|---|
| SecureBoot=0 | Policy disabled | Signature enforcement may not be active even if keys exist. |
| SetupMode=1 | No platform key enrolled | Platform is in setup mode; key enrollment state matters. |
| PK missing | No platform owner key | Usually means setup mode, not normal user mode. |
| Image unsigned | Expected block when enforcement active | Needs signing or policy change. |
| Hash/cert in dbx | Revoked image | dbx can override an otherwise trusted chain. |
| EFI_SECURITY_VIOLATION | Authentication failed | Check image signature, db/dbx, and BDS error handling. |
Debug Diary: USB boot works only after disabling Secure Boot
dmpstore SecureBoot: 1
SetupMode: 0
PK/KEK/db present
USB loader unsigned
BDS returns EFI_SECURITY_VIOLATION
Root cause: expected policy block, not storage failureNow the fix is clear: sign the loader with a trusted key, enroll the right key, use a trusted loader, or change platform policy for the target use case.
Related notes
- EFI_SECURITY_VIOLATION
- Secure Boot Keys
- db vs dbx
- Secure Boot Setup Mode
- Secure Boot User Mode
- dmpstore Deep Dive
Found this useful?
Save it or share it with someone learning firmware, BIOS/UEFI, and embedded systems.
Nội dung liên quan
Một số bài viết, ghi chú hoặc project có liên quan đến nội dung bạn vừa đọc.
dmpstore Deep Dive
How to use UEFI Shell dmpstore to inspect boot variables, Secure Boot variables, setup variables, and NVRAM state during firmware debug.
Boot Failure Playbook
A firmware engineer playbook for debugging missing boot options, invalid BootOrder, broken Device Paths, and BDS boot failures.
CHIPSEC Firmware Validation
How CHIPSEC fits into firmware security validation for BIOS write protection, SMM protections, SPI configuration, and Secure Boot checks.
Biến note thành bài viết hoàn chỉnh
Notes là nơi ghi nhanh khái niệm.