Developer Guide

  • 2022.1
  • 09/08/2022
  • Public
Contents

Capsule Create Script

The script is used by the data streams optimizer and the cache configurator on the host system to create a capsule.
  • UEFI BIOS
  • Slim Bootloader (SBL)
The script supports the Yocto Project*-based board support package.
You can copy and modify the script to support another firmware or OS. The script must meet the following requirements to maintain compatibility with the data streams optimizer:
  • Input: The first parameter is the capsule version. The second parameter is the name of the platform that you work with. Other parameters are paths to raw (non-signed) binary files as command-line arguments. Separate the parameters with a space.
    The binary files have predefined names:
    binary_streams
    for the stream subregion,
    binary_cache
    for the cache subregion, and
    binary_buffer
    for the buffer subregion.
    The capsule version is important for Windows* operating systems. The data streams optimizer uses capsule version “1” for Linux* operating systems.
    usage: capsule_create_uefi.sh VERSION PLATFORM BIN_FILE_1 BIN_FILE_2 ... BIN_FILE_N VERSION Capsule version to apply PLATFORM Name of a platform you working with - EHL, TGL-U, TGL-H BIN_FILE_N Path to the binary file
  • Output: The script must print absolute paths to generated capsule files into STDOUT.
  • Error handling: Any nonzero value returned from the script will be interpreted as an error. Any additional logging should be printed to STDERR.
Example:
Command line: tools/host_scripts/capsule_create_uefi.sh 1 ehl /tmp/binary_buffer /tmp/binary_cache STDOUT: /tmp/my_capsule.capsule Return value: 0 STDERR: some-output-there

Security

UEFI BIOS
The UEFI BIOS’s capsule create script uses the BIOS subregion key and capsule signing certificates during capsule creation.
By default, the script looks for the BIOS subregion key in the
./tools/keys/uefi
directory and the capsule signing certificates in the
./tools/cert
directory. For more information about the types of keys and certificates used and how to generate keys and certificates, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
If you keep your keys and certificates in different directories, you need to modify the paths to the keys and certificates in the script. For example, if you need to modify the path to the BIOS subregion key, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_sign.py -n tcc -s $TOOLS_PATH/keys/uefi/Signing.key -t rsa -vg $FileGuid -o $tcc_tuning_signed_binary_path $bin_file 1>&2
If you need to modify the path to the certificates, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_capsule.py -o $capsule_host_path --signer-private-cert=$cert_folder/TestCert.pem --other-public-cert=$cert_folder/TestSub.pub.pem --trusted-public-cert=$cert_folder/TestRoot.pub.pem $tcc_json_path 1>&2
Slim Bootloader
The Slim Bootloader’s capsule create script uses keys located in the
${TCC_TOOLS_PATH}/keys/sbl
directory by default. See SBL Keys Generation for details on keys generation.
If you keep your keys in a different directory, you need to modify the paths to the keys in the script. For example, you need to modify the following line in the script to change the path to the keys:
cert_folder="$TOOLS_PATH/keys/sbl"

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.