Developer Guide

  • 2022.1
  • 09/08/2022
  • Public

SBL Security Signing Process and Requirements

Changes made to the system configuration by the Data Streams Optimizer and Cache Configurator tools also apply to the Slim Bootloader firmware. For the Slim Bootloader, a security signing process is enforced to prevent unauthorized updates.
In production environments, you must provide your public key to your Platform Owner to be enrolled in the Slim Bootloader.
In preproduction environments, you can enroll your keys with the associated Slim Bootloader configuration. Slim Bootloader key generation is described in the Keys Generation section.

Security Overview

Slim Bootloader uses a verified boot flow to maintain the secure boot and secure update mechanism. While booting, Slim Bootloader cryptographically verifies each subsequent component before it is executed. If verification fails, the boot process stops.
For the Slim Bootloader chain of trust, see Verified Boot Flow. To build the Slim Bootloader, you need to use several cryptographic keys. Take care to securely manage those keys. See the Key Management section for more details on the keys used for Slim Bootloader.
The signing process of the Slim Bootloader is very similar to the UEFI BIOS.
  1. When the tool generates configuration data, it signs the data with a private Container Component Key.
  2. The tool encapsulates the configuration data in a capsule. A capsule is a binary that updates specific areas of the firmware, known as Container Components.
  3. The tool signs the capsule with the private Container Def Key.
  4. The tool moves the capsule to the target.
The tool uses the Capsule Create Script to perform the signing process.

Tuning Config Keys and Authentication

The process of updating platform parameters uses Containers to securely store tuning data and securely apply it on the target machine. See Container Security for more details on the container security process. Tuning data is signed with the Container Component Key and the public key hash is stored in the container header.
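
The signing steps listed under Security Overview and the key-hash check described above, as an added example that is not Intel's or the Slim Bootloader project's code: a simplified shell model built on the `openssl` CLI. The tar packaging, file names, RSA-2048, SHA-256 and shipping the component public key next to the data are assumptions of this example; the real container and capsule layouts are defined by the Slim Bootloader tools.

```shell
#!/bin/sh
# Simplified model of the signing chain; NOT the SBL container/capsule binary format.
# File names, tar packaging, RSA-2048 and SHA-256 are assumptions of this example.
set -eu
W=$(mktemp -d)               # private (0700) work directory for keys and artifacts
trap 'rm -rf "$W"' EXIT

genkey() {  # $1 = key name; writes $1.pem (private) and $1.pub.pem (public)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$W/$1.pem" 2>/dev/null
    openssl pkey -in "$W/$1.pem" -pubout -out "$W/$1.pub.pem"
}

keyhash() {  # SHA-256 over the DER encoding of the public key in file $1
    openssl pkey -pubin -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

build_capsule() {  # $1 = configuration data file
    rm -rf "$W/container"; mkdir "$W/container"
    cp "$1" "$W/container/tuning.bin"
    cp "$W/component.pub.pem" "$W/container/"
    # Step 1: sign the data with the private Container Component Key.
    openssl dgst -sha256 -sign "$W/component.pem" -out "$W/container/tuning.sig" "$1"
    # Container header field: hash of the component public key.
    keyhash "$W/component.pub.pem" > "$W/container/header.keyhash"
    # Step 2: encapsulate. Step 3: sign the capsule with the private Container Def Key.
    tar -C "$W" -cf "$W/capsule.bin" container
    openssl dgst -sha256 -sign "$W/def.pem" -out "$W/capsule.sig" "$W/capsule.bin"
}

verify_capsule() {  # 0 = accept; 1 = bad capsule sig, 2 = key hash mismatch, 3 = bad data sig
    openssl dgst -sha256 -verify "$W/def.pub.pem" -signature "$W/capsule.sig" \
        "$W/capsule.bin" >/dev/null 2>&1 || return 1
    rm -rf "$W/rx"; mkdir "$W/rx"; tar -C "$W/rx" -xf "$W/capsule.bin"
    c="$W/rx/container"
    # The key that verifies the data must be the one whose hash the header carries.
    [ "$(keyhash "$c/component.pub.pem")" = "$(cat "$c/header.keyhash")" ] || return 2
    openssl dgst -sha256 -verify "$c/component.pub.pem" -signature "$c/tuning.sig" \
        "$c/tuning.bin" >/dev/null 2>&1 || return 3
}

genkey component; genkey def                       # throwaway preproduction-style keys
printf 'constructed tuning data\n' > "$W/tuning.bin"
build_capsule "$W/tuning.bin"
verify_capsule && echo "capsule accepted"
```

Nothing inside the capsule is unpacked or parsed until the outer signature has verified, which is the order a verified update path needs.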

Capsule Keys and Authentication

Once the tuning parameters are placed into a Container and signed, the Container should be placed into a capsule. The process of capsule creation is described in Generating capsule. Capsules can contain multiple components, including configuration data, firmware update blobs, etc. You can find more information about capsule structure in Capsule Definition. After a capsule file is created, it is transferred to the target machine to be applied. To apply a new tuning configuration, Slim Bootloader follows the Firmware Update procedure, described in Firmware Update.
