Developer Guide

  • 2021.2
  • 06/11/2021
  • Public

Security Signing Process and Requirements

The Data Streams Optimizer and Cache Configurator tools change the configuration of the system. A security signing process is enforced to prevent unauthorized updates.
In production environments, you must provide your public key to your OEM to be enrolled in the BIOS.
In preproduction environments, you can enroll your keys or use the provided test keys with associated BIOS configuration.

Security Overview

To change the system configuration, the tools take certain actions on the host and target:
The following diagram shows the signing process on the host:
  1. When the tool generates configuration data, it signs the data with a private tuning_config key.
  2. The tool encapsulates the configuration data in a capsule. A capsule is a binary that updates certain areas of the firmware, known as “subregions.”
  3. The tool signs the capsule with the private capsule key.
  4. The tool moves the capsule to the target.
The tool uses the Capsule Create Script to perform the signing process.
The following diagram shows the authentication process on the target:
  1. When the BIOS receives the capsule from the host, it verifies the capsule with the public capsule key.
  2. If verification is successful, the BIOS updates the configuration data on the SPI flash.
  3. After the reboot, the BIOS verifies the configuration data with the public tuning_config key.
  4. If verification is successful, the BIOS programs the configuration data.
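As an added illustration of the two-layer flow above (not code from the Intel TCC tools or the Capsule Create Script), the following Go model signs configuration data with a tuning_config key, wraps it in a capsule signed with a capsule key, and verifies both on the "target" side in the order the BIOS uses. Ed25519, the function names and the capsule byte layout are assumptions of this model, not Intel's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Private halves stay on the host; public halves are what the BIOS holds.
type HostKeys struct {
	TuningPriv  ed25519.PrivateKey // signs the configuration data (host step 1)
	CapsulePriv ed25519.PrivateKey // signs the capsule (host step 3)
}

func GenerateHostKeys() (HostKeys, ed25519.PublicKey, ed25519.PublicKey) {
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	cPub, cPriv, _ := ed25519.GenerateKey(rand.Reader)
	return HostKeys{TuningPriv: tPriv, CapsulePriv: cPriv}, cPub, tPub
}

// SignConfigAndCapsule is the host side. Assumed toy layout, not Intel's format:
// uint32 len(config) | config | configSig | capsuleSig.
func SignConfigAndCapsule(k HostKeys, config []byte) []byte {
	capsule := make([]byte, 4)
	binary.LittleEndian.PutUint32(capsule, uint32(len(config)))
	capsule = append(capsule, config...)
	capsule = append(capsule, ed25519.Sign(k.TuningPriv, config)...) // inner signature
	return append(capsule, ed25519.Sign(k.CapsulePriv, capsule)...)  // outer signature
}

// VerifyCapsuleAndConfig is the target side: the outer capsule signature is
// checked before anything is parsed, then the inner tuning_config signature.
func VerifyCapsuleAndConfig(capsulePub, tuningPub ed25519.PublicKey, capsule []byte) ([]byte, error) {
	sz := ed25519.SignatureSize
	if len(capsule) < 4+2*sz { return nil, errors.New("capsule too short") }
	body, capsuleSig := capsule[:len(capsule)-sz], capsule[len(capsule)-sz:]
	if !ed25519.Verify(capsulePub, body, capsuleSig) { // target step 1
		return nil, errors.New("capsule signature invalid: update rejected")
	}
	n := int(binary.LittleEndian.Uint32(body[:4]))
	if n != len(body)-4-sz {
		return nil, errors.New("length field inconsistent with capsule size")
	}
	config, configSig := body[4:4+n], body[4+n:]
	if !ed25519.Verify(tuningPub, config, configSig) { // target step 3
		return nil, errors.New("tuning_config signature invalid: not programmed")
	}
	return config, nil
}
```

A capsule whose configuration bytes were altered fails the outer check, and a capsule signed with the enrolled capsule key but carrying data signed by an unenrolled tuning_config key passes step 1 and fails step 3, which is why both public keys must be enrolled.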

Tuning Config Keys and Authentication

The Intel® TCC Authentication option in the reference BIOS enables or disables authentication of the configuration data.
The option offers the following levels of authentication:
  • Most Secure – OEM-Enrolled Key (for use by OEMs only)
  • Less Secure – Non-OEM-Enrolled Key (for use by non-OEM users in preproduction environments)
  • Not Secure – Authentication Disabled (for initial exploration in preproduction environments)
In a production environment, you must generate your own tuning config keys and enable authentication by using the OEM Enrolled Key option in the BIOS. For details, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
In a preproduction environment, you have two options:
  • Option A: Use the provided test key for signing and disable authentication for initial exploration via the Authentication Disabled option in the BIOS. If you have completed Default Setup, you have already implemented this option.
  • Option B: Generate your own keys. Use your private key for signing. Use the Non-OEM Enrolled Key option in the BIOS to enroll your public key for authentication. For details, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS. This option is not available on systems running the PR1 release of the Yocto Project*-based BSP for Intel Atom® x6000E Series processors.

Capsule Keys and Authentication

In production environments, you must generate your own capsule keys. Only OEMs have the authority to enroll the authentication key, so you will need to share your public key with your OEM for enrollment. For details, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
In preproduction environments, you can use the provided test keys. If you completed the Default Setup, the key is already installed on the host. On the target, the authentication key is present in the BIOS by default.

Product and Performance Information

1. Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.