Do any other users have some experience with these options? I never messed with these things before...
Firstly: I misunderstood the poster's question at first read. I'm now pretty sure he was asking how to get the 2023 keys into his DEFAULT variables, which can only be done with a BIOS update.
What's happening is that the BIOS has a "hidden" non-volatile database with the default keys the OEM ships the system and BIOS with. When you "restore" them it copies them into the active keys area and replaces whatever is there.
But.. I definitely do have experience with what happens when "loading default keys". I pretty much "bricked" one of my systems as far as running in secure boot. That's because I had successfully loaded up the 2023 keys AND changed over to running the 2023 signed boot manager. When I restored defaults... which were only the 2011 keys... it would no longer boot in secure boot until I recovered the 2011 boot manager.
Other people's systems might have a different response should they do it. Any with a fully updated BIOS (all the 2023 secure boot keys as defaults) might not even notice it. Any who've used MOSBY will lose their unique and privately-owned PK and return to the OEM-owned PK even if they have 2023 keys for defaults.
And no argument at all that BIOSes could call it anything; it's something people should discover, how it works and how to recover. Or better yet, just stay out of the Secure Boot section if they don't want to learn these things. Which shouldn't be a problem, since I had no idea it existed or what it did before I started this quest to get my system's secure boot keys updated. I don't think I should need to touch those controls in the future, probably the case with 99% of everyone else.
Some BIOSes also have the commands you found: you can SET NEW KEY in each variable when the system is in SETUP MODE (all keys deleted). You can also APPEND a key, or add one to the variable. You can also DELETE a key, or SAVE it out to a file. I'm not sure what they do exactly; I don't think SAVING a key (for instance) results in what is properly considered a Certificate. And why delete a key if you don't want it usable... isn't that what revoking trust by appending it to DBX does?
And more about SET NEW KEY: it's done in SETUP MODE which deletes all keys when performed: PK, KEK, DB and DBX are all deleted and therefore have to all be re-loaded. You have to load the new keys in a specific order (I don't know what that is). And then there is getting certificates prepared to load in: creating and self-signing PK is a task in itself. You can get KEK and DB certificates from Microsoft (assuming you're not rolling your own Chain of Trust) but KEK has to be signed by the PK you created, which is another task in itself. No idea how to do any of those.
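Since the thread keeps coming back to what PK, KEK, DB and DBX actually hold, and what an APPEND writes or a SAVE exports, here is an added example (mine, not anything from the original poster, the BIOS vendor or Microsoft) that builds and parses the on-disk format of those variables. All four are stored as one or more EFI_SIGNATURE_LIST structures back to back; a SAVE from the firmware typically gives you exactly that blob, not a bare certificate, which is why the exported file doesn't look like a "proper" .cer. The GUIDs are the ones from the UEFI specification; the certificate and hash payloads are constructed stand-ins, not real Microsoft or OEM material. `read_efivar` assumes a Linux efivarfs path such as `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and is only there to show where real data would come from.

```python
"""Inspect the raw contents of Secure Boot variables (PK, KEK, db, dbx).

All four variables are stored as one or more EFI_SIGNATURE_LIST structures
laid out back to back.  This builds such blobs from constructed data and
parses them back, so you can see what "append a key" actually writes and
audit what a "restore defaults" left behind.  Constructed example data only;
no real OEM or Microsoft certificates are embedded.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # one DER X.509 cert
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # one 32-byte PE hash
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# SignatureOwner GUID Microsoft places on its own KEK/db entries.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")
ESL_HEADER_SIZE = ESL_HEADER.size   # 28 bytes
OWNER_SIZE = 16                     # each EFI_SIGNATURE_DATA starts with SignatureOwner


def build_signature_list(sig_type, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST holding `payloads` (all the same length)."""
    if not payloads:
        raise ValueError("a signature list needs at least one entry")
    if sig_type == EFI_CERT_SHA256_GUID and any(len(p) != 32 for p in payloads):
        raise ValueError("SHA256 entries must be exactly 32 bytes")
    sig_size = OWNER_SIZE + len(payloads[0])
    if any(OWNER_SIZE + len(p) != sig_size for p in payloads):
        raise ValueError("all signatures in one list share one SignatureSize")
    list_size = ESL_HEADER_SIZE + sig_size * len(payloads)
    header = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + p for p in payloads)


def parse_signature_lists(blob):
    """Walk a variable's data and return one dict per signature entry.

    Every bound is checked before it is used, so a truncated or malformed
    blob raises ValueError instead of silently yielding garbage.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_SIZE:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        end = off + list_size
        if list_size < ESL_HEADER_SIZE + hdr_size or end > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= OWNER_SIZE:
            raise ValueError(f"SignatureSize {sig_size} too small at offset {off}")
        pos = off + ESL_HEADER_SIZE + hdr_size
        if (end - pos) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of signatures")
        while pos < end:
            payload = blob[pos + OWNER_SIZE:pos + sig_size]
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": uuid.UUID(bytes_le=blob[pos:pos + OWNER_SIZE]),
                "payload": payload,
                # For X509 the fingerprint is SHA-256 over the DER cert; for SHA256
                # entries the payload already is the digest being allowed or denied.
                "sha256": hashlib.sha256(payload).hexdigest()
                if sig_type == EFI_CERT_X509_GUID else payload.hex(),
            })
            pos += sig_size
        off = end
    return entries


def contains_cert(entries, der_cert):
    """True if an X509 entry carrying exactly this DER certificate is present."""
    return any(e["type"] == "X509" and e["payload"] == der_cert for e in entries)


def read_efivar(path):
    """Read a variable from Linux efivarfs; its first 4 bytes are attributes, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    # Constructed stand-ins: not real certificates or real revocation hashes.
    fake_ca_der = b"\x30\x82CONSTRUCTED-CA-DER-NOT-A-REAL-CERT"
    db_blob = build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, [fake_ca_der])
    dbx_blob = build_signature_list(
        EFI_CERT_SHA256_GUID, MICROSOFT_OWNER_GUID,
        [hashlib.sha256(b"constructed-revoked-binary-1").digest(),
         hashlib.sha256(b"constructed-revoked-binary-2").digest()])
    for name, blob in (("db", db_blob), ("dbx", dbx_blob)):
        for e in parse_signature_lists(blob):
            print(f"{name}: {e['type']:6} owner={e['owner']} sha256={e['sha256']}")
    print("db still holds the CA:", contains_cert(parse_signature_lists(db_blob), fake_ca_der))
```

The practical use after a "restore defaults" is to dump db and compare fingerprints against the certificate you expected to keep (the `contains_cert` check): if the 2023 CA is gone but the 2023-signed boot manager is still on the ESP, that is the no-boot situation described above, and DB is the variable to inspect first. Note that parsing the lists is all this does; it never signs or writes anything, and an APPEND still has to be an authenticated write that the firmware validates against KEK or PK.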