New-HPSureAdminFirmwareUpdatePayload



Summary

Creates a payload for authorizing a firmware update

Syntax

New-HPSureAdminFirmwareUpdatePayload [-File] <FileInfo> [[-Nonce] <UInt32>] [[-TargetUUID] <Guid>] [[-SingleUse]] [[-OutputFile] <FileInfo>] [[-Quiet]] [[-Bitlocker] <String>] [[-Force]] [-RemoteSigningServiceKeyID] <String> [-RemoteSigningServiceURL] <String> [[-CacheAccessToken]] [<CommonParameters>]

New-HPSureAdminFirmwareUpdatePayload [-File] <FileInfo> [-SigningKeyCertificate] <X509Certificate2> [[-Nonce] <UInt32>] [[-TargetUUID] <Guid>] [[-SingleUse]] [[-OutputFile] <FileInfo>] [[-Quiet]] [[-Bitlocker] <String>] [[-Force]] [<CommonParameters>]

New-HPSureAdminFirmwareUpdatePayload [-File] <FileInfo> [-SigningKeyFile] <FileInfo> [[-SigningKeyPassword] <String>] [[-Nonce] <UInt32>] [[-TargetUUID] <Guid>] [[-SingleUse]] [[-OutputFile] <FileInfo>] [[-Quiet]] [[-Bitlocker] <String>] [[-Force]] [<CommonParameters>]

Description

This command uses the provided key to sign and authorize a firmware update only to the specified file. There are three signing options to choose from:

  • Signing Key File (and Password) using the -SigningKeyFile and -SigningKeyPassword parameters
  • Signing Key Certificate using the -SigningKeyCertificate parameter
  • Remote Signing using the -RemoteSigningServiceKeyID and -RemoteSigningServiceURL parameters

Please note that a password-protected key file in PFX format is recommended over an X509 Certificate object, because the private key inside a certificate object is not password protected.

This command writes the created payload to the pipeline or to the file specified in the OutputFile parameter. This payload can then be passed to the Update-HPFirmware command.

Security note: Payloads should only be created on secure servers. Once created, the payload may be transferred to a client and applied via the Update-HPFirmware command.

Parameters

Name Argument Description
File <FileInfo> Specifies the firmware update binary (.BIN) file
SigningKeyFile <FileInfo> Specifies the path to the Secure Platform Management signing key as a PFX file. If the PFX file is protected by a password (recommended), the SigningKeyPassword parameter should also be provided.
SigningKeyPassword <String> Specifies the Secure Platform Management signing key file password, if required.
SigningKeyCertificate <X509Certificate2> Specifies the Secure Platform Management signing key certificate as an X509Certificate object
Nonce <UInt32> Specifies a nonce. If a nonce is specified, the Secure Platform Management subsystem will only accept commands with a nonce greater than or equal to the last nonce sent. This approach helps to prevent replay attacks. If not specified, the nonce is inferred from the current local time. The current local time as the nonce works in most cases. However, this approach has a resolution of seconds, so when performing parallel operations or a high volume of operations, it is possible for the same counter value to be interpreted for more than one command. In these cases, the caller should use its own nonce derivation and provide it through this parameter.
TargetUUID <Guid> Specifies the computer UUID on which to perform this operation. If not specified, the payload generated will work on any computer.
SingleUse If specified, the payload cannot be replayed. This happens because the nonce must be higher than ActionsCounter, and this counter is updated and incremented every time a command generated with the SingleUse flag is accepted by the BIOS. If not specified, the payload can be replayed as many times as desired until a payload generated with a nonce higher than SettingsCounter is received. This happens because SettingsCounter is not incremented by the BIOS when accepting commands.
OutputFile <FileInfo> Specifies the file to write output to instead of writing the output to the pipeline
Quiet If specified, this command will suppress non-essential messages during execution.
Bitlocker <String> Specifies the behavior of the BitLocker check prompt (if any). The value must be one of the following values:
- stop: (default option) stops execution if BitLocker is detected but not suspended, and prompts
- ignore: skips the BitLocker check
- suspend: suspends BitLocker if active and continues with execution
Force If specified, this command will force the BIOS update even if the target BIOS is already installed.
RemoteSigningServiceKeyID <String> Specifies the Signing Key ID to be used
RemoteSigningServiceURL <String> Specifies the Key Management Service (KMS) server URL (e.g.: https://.azurewebsites.net/)
CacheAccessToken If specified, the access token is cached in the msalcache.dat file and user credentials will not be asked for again until the credentials expire. This parameter should be specified for caching the access token when performing multiple operations on the KMS server. If the access token is not cached, the user must re-enter credentials on each call of this command.

Notes

  • Supported on Windows PowerShell v5.
  • An HP BIOS with HP Sure Admin support is required for applying the payloads generated by this command.

Examples


PS C:\> New-HPSureAdminFirmwareUpdatePayload -File bios.bin -SigningKeyFile "$path\signing_key.pfx" -SigningKeyPassword "s3cr3t" -OutputFile PayloadFile.dat
PS C:\> Update-HPFirmware -File bios.bin -PayloadFile PayloadFile.dat
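The following is an added example, not part of the HP documentation, showing the caller-supplied nonce derivation the Nonce parameter describes together with -SingleUse and -TargetUUID, so the signed payload is bound to one machine and cannot be replayed. The counter-file path, key path, the SPM_KEY_PASSWORD environment variable and the target UUID are placeholders; seeding the counter from Unix time is an assumption about the default time-based nonce, not something the page states.

```powershell
# Runs on the secure signing server, per the security note above.
function Get-MonotonicNonce {
    # Returns a strictly increasing UInt32 so that parallel or rapid runs never
    # hand the same nonce to two payloads (the default nonce has 1-second resolution).
    param([string]$CounterFile = "$env:ProgramData\SureAdmin\nonce.txt")  # placeholder path
    $dir = Split-Path -Parent $CounterFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    # A named mutex serialises concurrent signing jobs on this server.
    $mutex = New-Object System.Threading.Mutex($false, 'Global\SureAdminNonce')
    [void]$mutex.WaitOne()
    try {
        $last = [uint32]0
        if (Test-Path $CounterFile) { $last = [uint32]((Get-Content $CounterFile -Raw).Trim()) }
        # Assumption: the cmdlet's default nonce is time-derived, so seeding from Unix
        # seconds keeps our counter ahead of any payload signed with the default.
        $now  = [uint64][DateTimeOffset]::UtcNow.ToUnixTimeSeconds()   # fits UInt32 until 2106
        $next = [Math]::Max([uint64]$last + 1, $now)
        Set-Content -Path $CounterFile -Value $next
        return [uint32]$next
    } finally { $mutex.ReleaseMutex() }
}

# Target UUID collected earlier on the client, e.g. with the standard WMI query
# (Get-CimInstance Win32_ComputerSystemProduct).UUID  -- placeholder value below.
$targetUuid = [guid]'00000000-0000-0000-0000-000000000000'
$nonce      = Get-MonotonicNonce

# The PFX password comes from an environment variable on the signing server
# rather than a literal on the command line.
New-HPSureAdminFirmwareUpdatePayload -File 'C:\updates\bios.bin' `
    -SigningKeyFile 'C:\keys\signing_key.pfx' -SigningKeyPassword $env:SPM_KEY_PASSWORD `
    -Nonce $nonce -TargetUUID $targetUuid -SingleUse `
    -OutputFile "C:\payloads\bios-$targetUuid-$nonce.dat" -Quiet

# On the client, after copying bios.bin and the payload file there:
#   Update-HPFirmware -File bios.bin -PayloadFile "bios-<uuid>-<nonce>.dat"
```

Because the payload was created with -SingleUse, the BIOS increments ActionsCounter on acceptance, so the same file cannot be applied a second time; without -TargetUUID the same payload would be valid on any HP Sure Admin machine trusting that key.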

See also