On the host system, the cache configurator creates and signs a capsule. A capsule is a binary used to change a system’s tuning configuration by updating certain areas of the firmware, known as “subregions.” For the UEFI BIOS, the tool uses software called subregion capsule tool to create the capsule and subregion sign tool to sign the capsule payload (subregion or tuning config data). For the Slim Bootloader, the tool uses Slim Bootloader tools to create and sign the capsule payload (subregion or tuning config data).

The subregion data and the capsule must always be signed when generated to ensure the integrity of the generated capsule. The boot firmware authenticates the signed capsule and its payload (signed subregion data) before consuming them. When using an Intel-provided BIOS binary with Intel® CRB/RVP, the authentication can be turned off, since users may not have the ability to provision their keys. Nevertheless, the cache configurator always signs the capsule, so you need to have test keys for signing.

For details about the signing mechanism, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS. For the Slim Bootloader, see the Security Features section of the Slim Bootloader documentation.