Developer Guide

  • 2021.2
  • 06/11/2021
  • Public

Capsule Create Script

The script is used by the data streams optimizer and the cache configurator on the host system to create a capsule.
  • UEFI BIOS
The script supports the Yocto Project*-based board support package.
You can copy and modify the script to support another firmware or OS. The script must meet the following requirements to maintain compatibility with the data streams optimizer:
  • Input: The first parameter is a capsule version. Other parameters are paths to raw (nonsigned) binary files as command-line arguments separated by a space. The binary files have predefined names: binary_streams for the stream subregion, binary_cache for the cache subregion, and binary_buffer for the buffer subregion.
    Capsule version is important for Windows* operating systems. The data streams optimizer uses capsule version “1” for Linux* operating systems.
    usage: capsule_create_uefi.sh VERSION BIN_FILE_1 BIN_FILE_2 ... BIN_FILE_N
      VERSION      Capsule version to apply
      BIN_FILE_N   Path to the binary file
  • Output: The script must print absolute paths to generated capsule files into STDOUT.
  • Error handling: Any nonzero value returned from the script will be interpreted as an error. Any additional logging should be printed to STDERR.
Example:
    Command line: tools/host_scripts/capsule_create_uefi.sh 1 /tmp/binary_buffer /tmp/binary_cache
    STDOUT: /tmp/my_capsule.capsule
    Return value: 0
    STDERR: some-output-there
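
The requirements above, written as a skeleton for a script that targets another firmware. This is an added example, not Intel's capsule_create_uefi.sh: the function names, exit codes, output file name and the package_capsule placeholder are hypothetical, and VERSION is assumed to be a decimal integer.

```shell
#!/bin/sh
# Added example: skeleton of a custom capsule create script.
# package_capsule is a hypothetical placeholder for the firmware-specific
# sign-and-package step; here it only concatenates the inputs.

log() { printf '%s\n' "$*" >&2; }           # all logging goes to STDERR

package_capsule() {                          # $1 = output path, rest = inputs
    dest=$1; shift
    cat "$@" > "$dest"
}

create_capsule() (                           # subshell: exit ends only this call
    [ "$#" -ge 2 ] || { log "usage: $0 VERSION BIN_FILE_1 ... BIN_FILE_N"; exit 2; }
    version=$1; shift
    case $version in                         # assumption: VERSION is an integer
        ''|*[!0-9]*) log "error: VERSION must be a decimal integer"; exit 2 ;;
    esac
    for f in "$@"; do
        case ${f##*/} in                     # only the predefined names are accepted
            binary_streams|binary_cache|binary_buffer) ;;
            *) log "error: unexpected binary name: $f"; exit 3 ;;
        esac
        [ -f "$f" ] && [ -r "$f" ] || { log "error: cannot read $f"; exit 3; }
    done
    out_dir=$(mktemp -d) || exit 4
    out="$out_dir/custom_v$version.capsule"
    log "packaging $# binaries, capsule version $version"
    # Tool output is redirected to STDERR so STDOUT carries only capsule paths.
    package_capsule "$out" "$@" 1>&2 || { log "error: packaging failed"; exit 5; }
    printf '%s\n' "$out"                     # STDOUT: path of the generated capsule
)

# Run only when arguments are given, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then create_capsule "$@"; fi
```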

Security

The capsule create script uses the BIOS subregion key and capsule signing certificates during capsule creation.
By default, the script looks for the BIOS subregion key in the ./tools/keys/uefi directory and the capsule signing certificates in the ./tools/cert directory. For more information about the types of keys and certificates used and how to generate keys and certificates, see the white paper Intel® Time Coordinated Computing (Intel® TCC) Security for UEFI BIOS.
If you keep your keys and certificates in different directories, you need to modify the paths to the keys and certificates in the script. For example, if you need to modify the path to the BIOS subregion key, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_sign.py -n tcc -s $TOOLS_PATH/keys/uefi/Signing.key -t rsa -vg $FileGuid -o $tcc_tuning_signed_binary_path $bin_file 1>&2
If you need to modify the path to the certificates, modify the following line:
python3 $TOOLS_PATH/capsule/uefi/siiptool/scripts/subregion_capsule.py -o $capsule_host_path --signer-private-cert=$cert_folder/TestCert.pem --other-public-cert=$cert_folder/TestSub.pub.pem --trusted-public-cert=$cert_folder/TestRoot.pub.pem $tcc_json_path 1>&2
