Secureboot policy update

You can use the ASU to enroll keys and signatures to a related key and signature database in uEFI. The enroll command will fail if the secureboot of the target uEFI is not in custom mode.

Command syntax

asu secureboot <operation> [keytype] [owner] [-f keyfile] [connection options]

Command

<operation> Can be: enrollkek, enrolldb, enrolldbx

[keytype] Can be: SHA256, RSA2048, RSA2048SHA256, SHA1, RSA2048SHA1, X509, SHA224, SHA348, SHA512, PKCS7

keytype Refers to key and signature types, not just the key type. For kek, only three key types are supported for enrollment: rsa2048, x509, and pkcs7.

For db and dbx, those 10 key types are all supported for enrollment.

[owner] A GUID identifier of the key or signature.

Valid format is 45678-9012-3456-7890-12345678aaaa
Valid length is 32 characters, excluding the separator -
Valid characters are 0-9, A/a-F/f

[-f keyfile] Key or signature file path

Command example

c:\asu\asu.exe   secureboot enrollkey x509
12345678-9012-3456-7890-12345678aaaa  -f  KeyFile.cer --host 
9.111.68.20 --user USERID --password PASSW0RD
Lenovo Advanced Settings Utility version 9.51.xxx
Licensed Materials - Property of Lenovo
(C) Copyright Lenovo Corp. 2007-2014 All Rights Reserved
Start to update policy of SecureBoot
Connected to IMM at IP address 9.111.68.20
Command has been sent successfully, and will take effect after reboot uefi.

After the previous command is executed successfully, the key file is transferred to the IMM datastore. When uEFI reboots, it updates the key file from the IMM datastore to the uEFI key database. Because of this, you must reboot uEFI for the ASU enroll key command to take effect.