A "Platform Key" (PK) is an essential component in the UEFI Secure Boot process, establishing a trust relationship between the platform owner and the firmware. Secure Boot protects the system by ensuring only trusted and signed software can run during the boot process, preventing boot-level malware and rootkits. The system initially starts in Setup Mode, where no Platform Key is installed and Secure Boot is disabled. Enrolling the Platform Key switches the system into User Mode, enabling Secure Boot functionality. To enable Secure Boot, the Platform Key must be enrolled through BIOS settings, typically by setting Secure Boot Mode to Custom and enrolling the key or loading default keys. Once enrolled, unauthorized bootloaders are blocked, and the system verifies the authenticity of the operating system during startup, increasing platform security. Secure Boot uses Public Key Infrastructure (PKI) to authenticate firmware, OS loaders, and drivers during boot. The Platform Key is a crucial digital signature stored in the BIOS, generally using RSA with a 2048-bit key and SHA-256 signature. The process protects against malware attacks by allowing only signed, trusted code to run before the OS loads. In summary:
- Platform Key (PK) is a digital signature key that establishes trust in the firmware and system owner.
- Secure Boot ensures only authorized software boots, protecting against malware.
- System transitions from Setup Mode (no PK, Secure Boot disabled) to User Mode (PK enrolled, Secure Boot enabled).
- PK must be enrolled via BIOS/security settings to enable Secure Boot.
- Secure Boot uses PKI to authenticate boot components and OS loaders for security.
This mechanism is widely used in modern PCs and required for Windows 8 and later for improved platform security.