The UEFI BIOS’s capsule create script uses the BIOS subregion key and capsule signing certificates during capsule creation.
By default, the script looks for the BIOS subregion key in the
directory and the capsule signing certificates in the
directory. For more information about the types of keys and certificates used and how to generate keys and certificates, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS
If you keep your keys and certificates in different directories, you need to modify the paths to the keys and certificates in the script.
For example, if you need to modify the path to the BIOS subregion key, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_sign.py -n tcc -s $TOOLS_PATH/keys/uefi/Signing.key -t rsa -vg $FileGuid -o $tcc_tuning_signed_binary_path $bin_file 1>&2
If you need to modify the path to the certificates, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_capsule.py -o $capsule_host_path --signer-private-cert=$cert_folder/TestCert.pem --other-public-cert=$cert_folder/TestSub.pub.pem --trusted-public-cert=$cert_folder/TestRoot.pub.pem $tcc_json_path 1>&2
The Slim Bootloader’s capsule create script uses keys located in the
directory by default.
See SBL Keys Generation
for details on keys generation.
If you keep your keys in a different directory, you need to modify the paths to the keys in the script.
For example, you need to modify the following line in the script to change the path to the keys: