I plan to buy a new motherboard and a TPM to increase security against rootkits and bootkits, firmware replacing and unallowed changes. I am not an advanced computer user. I have looked through the manual for the Asus motherboard M5a97plus, which I would place in an existing computer. Its secure boot function has the possibility to change the settings of PK (Platform Key), KEK (Key Exchange Key or Key Enrollment Key) and db management (authorized signatures database). I shall use it on a single computer with no network. I want to know such things:
1. Can I create PK and KEK keys?
2. Should I create them to improve computer security?
3. Are they created automatically, or should somebody create them if I cannot?
4. Can a TPM module give me additional security? The functions of PK, KEK and DB management are described so:
a. The Platform Key locks and secures the firmware from any non-permissible changes. The system verifies the PK before your system enters the OS.
b. The KEK manages the signature database and revoked signature database.
c. The database lists the signers or images of UEFI applications, operating system loaders and UEFI drivers that you can load on the single computer.
5. Are the signers and images mentioned in point 4.c. made by Microsoft, software or hardware manufacturers?
6. Can a motherboard with these functions block the loading of the system or some components if it finds a mismatch with the original images, firmware etc.?