Developer Guide

  • 2022.1
  • 09/08/2022
  • Public

UEFI Security Signing Process and Requirements

The Data Streams Optimizer and Cache Configurator tools change the configuration of the system. A security signing process is enforced to prevent unauthorized updates.
In production environments, you must provide your public key to your OEM to be enrolled in the BIOS.
In preproduction environments, you can enroll your keys or use the provided test keys with associated BIOS configuration.

Security Overview

To change the system configuration, the tools take certain actions on the host and target:
The following diagram shows the signing process on the host:
  1. When the tool generates configuration data, it signs the data with a private tuning_config key.
  2. The tool encapsulates the configuration data in a capsule. A capsule is a binary that updates certain areas of the firmware, known as “subregions.”
  3. The tool signs the capsule with the private capsule key.
  4. The tool moves the capsule to the target.
The tool uses the Capsule Create Script to perform the signing process.
The following diagram shows the authentication process on the target:
  1. When the BIOS receives the capsule from the host, it verifies the capsule with the public capsule key.
  2. If verification is successful, the BIOS updates the configuration data on the SPI flash.
  3. After the reboot, the BIOS verifies the configuration data with the public tuning_config key.
  4. If verification is successful, the BIOS programs the configuration data.
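The two-stage flow above, modelled as an added example (not the Intel TCC tools' own code or the Capsule Create Script): Ed25519 keys, the length | payload | signature framing, the function names and the sample configuration bytes are all assumptions made here, since the page does not specify the real algorithms or the capsule format. The example shows the practical reason for two separate keys: a capsule signed with the enrolled capsule key but carrying configuration signed by a tuning_config key the BIOS does not trust passes the first check and is written, then fails the check after reboot, while a capsule from an unenrolled capsule key is rejected before anything is written.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keys of the two parties. The capsule key is the one an OEM enrolls in the
// BIOS; the tuning_config key is the one selected by the Intel TCC Authentication
// option (OEM-Enrolled or Non-OEM-Enrolled). Ed25519 is an assumption here.
type Keys struct {
	TuningPriv, CapsulePriv ed25519.PrivateKey
	TuningPub, CapsulePub   ed25519.PublicKey
}

func GenerateKeys() (*Keys, error) {
	tPub, tPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	cPub, cPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Keys{TuningPriv: tPriv, CapsulePriv: cPriv, TuningPub: tPub, CapsulePub: cPub}, nil
}

// Errors identifying which verification stage on the target rejected the update.
var (
	ErrCapsule = errors.New("capsule rejected by BIOS (public capsule key)")
	ErrTuning  = errors.New("configuration rejected after reboot (public tuning_config key)")
)

// seal frames payload as 4-byte big-endian length | payload | signature
// (assumed framing; the real capsule/subregion format is not shown on the page).
func seal(priv ed25519.PrivateKey, payload []byte) []byte {
	out := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(out, uint32(len(payload)))
	out = append(out, payload...)
	return append(out, ed25519.Sign(priv, payload)...)
}

// open checks the framing, then the signature, and returns the payload.
func open(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < 4+ed25519.SignatureSize {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint32(blob))
	if len(blob) != 4+n+ed25519.SignatureSize {
		return nil, errors.New("length field does not match blob size")
	}
	payload, sig := blob[4:4+n], blob[4+n:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("bad signature")
	}
	return payload, nil
}

// Host step 1: sign the configuration data with the private tuning_config key.
func SignTuningConfig(k *Keys, config []byte) []byte { return seal(k.TuningPriv, config) }

// Host steps 2-3: encapsulate the signed data and sign the capsule with the private capsule key.
func BuildCapsule(k *Keys, signedConfig []byte) []byte { return seal(k.CapsulePriv, signedConfig) }

// Target steps 1-4: verify the capsule with the public capsule key (this is what the
// BIOS would write to SPI flash), then, "after reboot", verify the stored configuration
// with the public tuning_config key before programming it.
func ApplyOnTarget(capsulePub, tuningPub ed25519.PublicKey, capsule []byte) ([]byte, error) {
	stored, err := open(capsulePub, capsule)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrCapsule, err)
	}
	config, err := open(tuningPub, stored)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrTuning, err)
	}
	return config, nil
}

func main() {
	enrolled, _ := GenerateKeys()   // keys the BIOS trusts
	unenrolled, _ := GenerateKeys() // keys the BIOS has never seen
	config := []byte("constructed tuning config: cache-way mask=0x0f") // constructed sample input

	// Good path: both signatures come from enrolled keys.
	capsule := BuildCapsule(enrolled, SignTuningConfig(enrolled, config))
	got, err := ApplyOnTarget(enrolled.CapsulePub, enrolled.TuningPub, capsule)
	fmt.Println("enrolled keys:", bytes.Equal(got, config), err)

	// Valid capsule key, but a tuning_config key the BIOS has not enrolled:
	// the capsule is accepted and written, the configuration is rejected after reboot.
	capsule = BuildCapsule(enrolled, SignTuningConfig(unenrolled, config))
	_, err = ApplyOnTarget(enrolled.CapsulePub, enrolled.TuningPub, capsule)
	fmt.Println("unenrolled tuning key:", errors.Is(err, ErrTuning), err)

	// Capsule signed with a key the OEM never enrolled: rejected before anything is written.
	capsule = BuildCapsule(unenrolled, SignTuningConfig(enrolled, config))
	_, err = ApplyOnTarget(enrolled.CapsulePub, enrolled.TuningPub, capsule)
	fmt.Println("unenrolled capsule key:", errors.Is(err, ErrCapsule), err)
}
```

Run it with `go run` on a file containing the block. Note that the second case is exactly the situation the BIOS option levels below are about: with authentication disabled, a BIOS would skip the post-reboot check and program the unverified configuration.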

Tuning Config Keys and Authentication

The Intel® TCC Authentication option in the reference BIOS enables or disables authentication of the configuration data.
The option offers the following levels of authentication:
  • Most Secure – OEM-Enrolled Key (for use by OEMs only)
  • Less Secure – Non-OEM-Enrolled Key (for use by non-OEM users in preproduction environments)
  • Not Secure – Authentication Disabled (for initial exploration in preproduction environments)
In a production environment, you must generate your own tuning config keys and enable authentication by using the OEM Enrolled Key option in the BIOS. For details, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
If you set Secure Boot to "setup" mode, the "chainload efi-secure-boot-lockdown" GRUB menu entry becomes available. It automatically loads the UEFI BIOS keys into UEFI Secure Boot so that you do not need to enroll the keys manually. For more information about this feature, see the Yocto Project*-Based Image page in the Board Support Package Get Started documents.
In a preproduction environment, you have two options:
  • Option A: Use the provided test key for signing and disable authentication for initial exploration via the Authentication Disabled option in the BIOS. If you have completed Default Setup, you have already implemented this option.
  • Option B: Generate your own keys. Use your private key for signing. Use the Non-OEM Enrolled Key option in the BIOS to enroll your public key for authentication. For details, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
Copy your own tuning config keys to the $TCC_TOOLS_PATH/keys/uefi directory. These keys will be used to sign binary files containing the tuning configuration.

Capsule Keys and Authentication

In production environments, you must generate your own capsule keys. Only OEMs have the authority to enroll the authentication key, so you will need to share your public key with your OEM for enrollment. For details, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
In preproduction environments, you can use the provided test keys. If you completed the Default Setup, the key is already installed on the host. On the target, the authentication key is present in the BIOS by default.
Copy your own capsule signing certificates to the $TCC_TOOLS_PATH/cert directory. These certificates will be used to sign capsule files containing the tuning configuration.

Product and Performance Information

1. Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.