OCR PBA EFI Setup and Signing Guide

Ganesh Raikhelkar edited this page Oct 14, 2025 · 8 revisions

🧩 Introduction

Intel® One-Click Recovery (OCR) supports launching a local Pre-Boot Application (PBA) — typically a signed EFI binary stored on the device’s EFI System Partition (ESP).

This document explains how to create, sign, and register the EFI file so that it can be triggered via Reset to PBA (OCR) from the Console.

⚙️ Overview

This process involves two systems:

System | Purpose
--- | ---
Development / Signing Machine | Used to create and sign the EFI binary (e.g., netboot.xyz).
AMT Device | The managed system where the signed EFI is copied, registered, and later booted using OCR.

🧰 Prerequisites

On the Development / Signing Machine

  • Linux or WSL environment
  • Internet access to download EFI binaries (e.g., netboot.xyz)
  • Installed tools:
    • openssl
    • sbsigntool
    • wget

On the AMT Device

  • BIOS must support OCR → Boot to Local PBA
  • Secure Boot enabled
  • Administrative privileges on Windows (to mount and copy EFI)
  • Console configured with TLS connection to the AMT device

🧱 Part 1: On the Development / Signing Machine

1. Install Required Tools

sudo apt update && sudo apt install -y sbsigntool openssl wget

2. Generate Signing Key and Certificate

Create a 2048-bit RSA key pair and a 1-year self-signed certificate:

openssl req -new -x509 -newkey rsa:2048 -keyout netboot.key -out netboot.crt -days 365 -nodes -subj "/CN=OEM PBA Netboot/"

Export the certificate in DER format for BIOS import:

openssl x509 -outform DER -in netboot.crt -out netboot.cer

You’ll now have three files:

  • netboot.key —> Private key (keep secure)
  • netboot.crt —> Public certificate (PEM format)
  • netboot.cer —> Public certificate (DER format, for BIOS import)

3. Download and Sign the EFI Binary

For example, using netboot.xyz:

wget https://github.com/netbootxyz/netboot.xyz/releases/download/2.0.88/netboot.xyz-snp.efi

Sign it with your generated certificate:

sbsign --key netboot.key --cert netboot.crt --output OemPba.efi netboot.xyz-snp.efi

Verify the signature:

sbverify --list OemPba.efi

Expected output includes:

signature 1
issuer: CN=OEM PBA Netboot

✅ At this point, you have a signed EFI (OemPba.efi) and its certificate (netboot.cer) ready to deploy to the AMT device.
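The following helper script is an added example, not part of the OCR project or this guide. It wraps steps 2 and 3 with the checks a practitioner would want: the private key is created under a restrictive umask, the signature is verified against the specific certificate rather than only listed, and the DER export is confirmed to be the same certificate as the PEM file. Function names and arguments are my own.

```shell
#!/bin/sh
# Added example: sign-and-verify helper for the OCR PBA workflow.
set -eu

# Fail early if a required tool is missing; prints the gaps and returns 1.
require_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

# Generate the key, PEM cert and DER cert as in the guide, but create the
# private key with owner-only permissions (umask 077 in a subshell).
make_signing_cert() {  # args: basename, CN
    (umask 077; openssl req -new -x509 -newkey rsa:2048 -keyout "$1.key" \
        -out "$1.crt" -days 365 -nodes -subj "/CN=$2/" 2>/dev/null)
    openssl x509 -outform DER -in "$1.crt" -out "$1.cer"
}

# Sign the EFI, then verify it against this certificate specifically.
# 'sbverify --list' only shows that a signature exists; '--cert' checks
# it chains to the certificate you intend to enroll in the Secure Boot db.
sign_pba() {  # args: basename, input.efi, output.efi
    require_tools sbsign sbverify
    sbsign --key "$1.key" --cert "$1.crt" --output "$3" "$2"
    sbverify --cert "$1.crt" "$3"
}

# The DER file enrolled in BIOS must be the same certificate that signed
# the binary; compare SHA-256 fingerprints of the PEM and DER copies.
der_matches_pem() {  # args: basename
    pem=$(openssl x509 -in "$1.crt" -noout -fingerprint -sha256)
    der=$(openssl x509 -in "$1.cer" -inform DER -noout -fingerprint -sha256)
    [ "$pem" = "$der" ]
}

# Typical use (uncomment to run end to end):
# require_tools openssl sbsign sbverify wget
# make_signing_cert netboot "OEM PBA Netboot"
# der_matches_pem netboot
# sign_pba netboot netboot.xyz-snp.efi OemPba.efi
```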

💻 Part 2: On the AMT Device

4. Copy the Signed EFI and Certificate to the EFI System Partition

From an elevated Command Prompt in Windows:

mountvol S: /S
copy C:\Users\%USERNAME%\Documents\pbatest\OemPba.efi S:\
copy C:\Users\%USERNAME%\Documents\pbatest\netboot.cer S:\

Verify that:

  • S:\OemPba.efi exists
  • S:\netboot.cer exists (optional, for Secure Boot DB import)

mountvol S: /S
dir S:\

⚠️ The EFI path and filename must match what your BIOS exposes to AMT (on NUC14/15 this is /OemPba.efi).

5. Add the Certificate to Secure Boot

Only needed if the EFI is self-signed (i.e., not signed by a certificate already present in the Secure Boot db).

  1. Reboot into BIOS Setup.
  2. Navigate to Secure Boot → Key Management → Authorized Signatures (db).
  3. Add/Enroll netboot.cer from the ESP (S:\netboot.cer).
  4. Save and exit BIOS.

This ensures your EFI (OemPba.efi) is allowed to run under Secure Boot.

Part 3: Test Reset to Local PBA

  1. In the Console, open a KVM session to the device.
  2. Click the ⋯ (three-dot) menu → Reset to PBA (OCR).
  3. Confirm that your EFI entry (\OemPba.efi) appears in the dropdown.
  4. Select it and confirm the boot.

The device should reboot and load your signed EFI (for example, the netboot.xyz interface).