The capsule create script uses the BIOS subregion key and capsule signing certificates during capsule creation.
By default, the script looks for the BIOS subregion key in the
directory and the capsule signing certificates in the
directory. For more information about the types of keys and certificates used and how to generate keys and certificates, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS
If you keep your keys and certificates in different directories, you need to modify the paths to the keys and certificates in the script.
For example, if you need to modify the path to the BIOS subregion key, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_sign.py -n tcc -s $TOOLS_PATH/keys/uefi/Signing.key -t rsa -vg $FileGuid -o $tcc_tuning_signed_binary_path $bin_file 1>&2
If you need to modify the path to the certificates, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_capsule.py -o $capsule_host_path --signer-private-cert=$cert_folder/TestCert.pem --other-public-cert=$cert_folder/TestSub.pub.pem --trusted-public-cert=$cert_folder/TestRoot.pub.pem $tcc_json_path 1>&2