To ensure the integrity of your download, HPE recommends verifying your results with
this SHA-256 Checksum value:
Reboot is optional after installation. Updates will be effective after reboot. Hardware stability will be maintained without reboot.
The files in the Zip are for updating the UEFI Secure Boot DBX on HPE systems. They can be run from the EFI shell. The files are as follows:
This is an EFI shell script which applies the DBX update included on HPE systems by attempting to apply the secure variable update signed wih the HP 2013 KEK and then attempting to apply the same update signed with the HPE 2016 KEK.
This is the EFI application that can take a signed variable update for the Secure Boot DBX and apply it. The usage is "HpeDbxAppend.efi -f [filename]" where filename is the name of the signed DBX variable update binary.
This is the current DBX update for HPE systems signed with the HP 2013 KEK which was used in products previously.
This is the current DBX update for HPE systems signed with the HPE 2016 KEK which is used in current products.
To apply the included DBX updates to an HPE server, place the files on the EFI system partition or on some other media attached to the server. Boot to the EFI shell via System Utilities or any other method. Run the UpdateDbxScript.nsh shell script. The script will attempt to apply both update files. As a result of this update the expected behaviour is that one file will pass and the other will fail depending on which Key Encryption Key (KEK) is in the UEFI Secure Boot database of the server.
The files to be installed are signed by HPE and are verified by UEFI Secure Boot as part of the update process.
Note: If Shell Script Verification is supported and enabled on the server, the UpdateDbxScript.nsh will need to be enrolled before it can be run. Follow the product documentation to enroll the script if necessary.