UEFI Security Signing Process and Requirements
- When the tool generates configuration data, it signs the data with a private tuning_config key.
- The tool encapsulates the configuration data in a capsule. A capsule is a binary that updates certain areas of the firmware, known as “subregions.”
- The tool signs the capsule with the private capsule key.
- The tool moves the capsule to the target.
- When the BIOS receives the capsule from the host, it verifies the capsule with the public capsule key.
- If verification is successful, the BIOS updates the configuration data on the SPI flash.
- After the reboot, the BIOS verifies the configuration data with the public tuning_config key.
- If verification is successful, the BIOS programs the configuration data.
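The two-stage check above, as an added example that is not Intel's tool or BIOS code: it assumes Ed25519 keys and a constructed `payload || signature` layout in place of the real capsule and subregion formats, and shows why a capsule that passes the capsule-key check can still be rejected after reboot when its configuration data was signed with a key the BIOS has not enrolled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed layout for this example: payload || 64-byte Ed25519 signature (not Intel's real capsule format).
func sign(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

func verify(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	n := len(blob) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(pub, blob[:n], blob[n:]) {
		return nil, errors.New("signature check failed")
	}
	return blob[:n], nil
}

// Host tool: sign config with the private tuning_config key, wrap it in a capsule, sign the capsule with the private capsule key.
func BuildCapsule(tuningPriv, capsulePriv ed25519.PrivateKey, config []byte) []byte {
	return sign(capsulePriv, sign(tuningPriv, config))
}

// BIOS, stage 1: verify with the public capsule key; the inner (still signed) config is what gets written to SPI flash.
func ApplyCapsule(capsulePub ed25519.PublicKey, capsule []byte) ([]byte, error) {
	return verify(capsulePub, capsule)
}

// BIOS, stage 2 (after reboot): verify flash contents with the public tuning_config
// key before programming. authEnabled=false models "Authentication Disabled".
func LoadConfig(tuningPub ed25519.PublicKey, flash []byte, authEnabled bool) ([]byte, error) {
	if !authEnabled && len(flash) >= ed25519.SignatureSize {
		return flash[:len(flash)-ed25519.SignatureSize], nil // programmed unchecked
	}
	return verify(tuningPub, flash)
}

func main() {
	tuningPub, tuningPriv, _ := ed25519.GenerateKey(rand.Reader)
	capsulePub, capsulePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, unenrolledPriv, _ := ed25519.GenerateKey(rand.Reader) // not enrolled in the BIOS
	cfg := []byte("constructed tuning config")
	flash, _ := ApplyCapsule(capsulePub, BuildCapsule(unenrolledPriv, capsulePriv, cfg))
	_, err := LoadConfig(tuningPub, flash, true) // passes stage 1, rejected at stage 2
	fmt.Println("unenrolled tuning_config key:", err, "| enrolled key present:", tuningPriv != nil)
}
```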
Tuning Config Keys and Authentication
- Most Secure – OEM-Enrolled Key (for use by OEMs only)
- Less Secure – Non-OEM-Enrolled Key (for use by non-OEM users in preproduction environments)
- Not Secure – Authentication Disabled (for initial exploration in preproduction environments)
- Option A: Use the provided test key for signing and disable authentication for initial exploration via the Authentication Disabled option in the BIOS. If you have completed Default Setup, you have already implemented this option.
- Option B: Generate your own keys. Use your private key for signing. Use the Non-OEM Enrolled Key option in the BIOS to enroll your public key for authentication. For details, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS. This option is not available on systems running the PR1 release of the Yocto Project*-based BSP for Intel Atom® x6000E Series processors.