Developer Guide

  • 2022.1
  • 09/08/2022
  • Public

Capsule Create Script

The script is used by the data streams optimizer and the cache configurator on the host system to create a capsule.
  • Slim Bootloader (SBL)
The script supports the Yocto Project*-based board support package.
You can copy and modify the script to support another firmware or OS. The script must meet the following requirements to maintain compatibility with the data streams optimizer:
  • Input: The first parameter is the capsule version. The second parameter is the name of the platform that you work with. Other parameters are paths to raw (non-signed) binary files as command-line arguments. Separate the parameters with a space.
    The binary files have predefined names:
    for the stream subregion,
    for the cache subregion, and
    for the buffer subregion.
    The capsule version is important for Windows* operating systems. The data streams optimizer uses capsule version “1” for Linux* operating systems.
    usage: VERSION PLATFORM BIN_FILE_1 BIN_FILE_2 ... BIN_FILE_N VERSION Capsule version to apply PLATFORM Name of a platform you working with - EHL, TGL-U, TGL-H BIN_FILE_N Path to the binary file
  • Output: The script must print absolute paths to generated capsule files into STDOUT.
  • Error handling: Any nonzero value returned from the script will be interpreted as an error. Any additional logging should be printed to STDERR.
Command line: tools/host_scripts/ 1 ehl /tmp/binary_buffer /tmp/binary_cache STDOUT: /tmp/my_capsule.capsule Return value: 0 STDERR: some-output-there


The UEFI BIOS’s capsule create script uses the BIOS subregion key and capsule signing certificates during capsule creation.
By default, the script looks for the BIOS subregion key in the
directory and the capsule signing certificates in the
directory. For more information about the types of keys and certificates used and how to generate keys and certificates, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
If you keep your keys and certificates in different directories, you need to modify the paths to the keys and certificates in the script. For example, if you need to modify the path to the BIOS subregion key, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/ -n tcc -s $TOOLS_PATH/keys/uefi/Signing.key -t rsa -vg $FileGuid -o $tcc_tuning_signed_binary_path $bin_file 1>&2
If you need to modify the path to the certificates, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/ -o $capsule_host_path --signer-private-cert=$cert_folder/TestCert.pem --other-public-cert=$cert_folder/ --trusted-public-cert=$cert_folder/ $tcc_json_path 1>&2
Slim Bootloader
The Slim Bootloader’s capsule create script uses keys located in the
directory by default. See SBL Keys Generation for details on keys generation.
If you keep your keys in a different directory, you need to modify the paths to the keys in the script. For example, you need to modify the following line in the script to change the path to the keys:

Product and Performance Information


Performance varies by use, configuration and other factors. Learn more at