Skip to main content
Capsule generation tools create capsule files that update firmware on devices. They package firmware updates into a format that can be installed directly on hardware. These tools work on both Linux and Windows, offering flexibility for different development environments. To keep updates secure and verified, they use OpenSSL for generating and signing certificates. Prerequisites to run the capsule Before you begin, do the following: The following tools are required for Linux and Windows.
LinuxWindows
  • OpenSSL: A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
  • Python3: A programming language that’s widely used for scripting and automation.
  • Git: Version control system.
  • OpenSSL: A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
  • Python3: A programming language that’s widely used for scripting and automation.
  • Visual Studio with C++ Development Tool: An integrated development environment (IDE) from Microsoft, which includes tools for C++ development.
  • Git: Version control system.

Sign the capsule

To sign capsule-based system firmware updates using the instructions from the Tianocore GitHub, follow these steps:
  1. Generate signing keys:
    • Use OpenSSL command line utilities to create a new self-signed X.509 certificate chain. This involves generating a private key and a corresponding public certificate.
    • The system uses the private key to sign the firmware update capsules, and the UEFI firmware uses the public certificate to verify the signature.
  2. Sign the firmware update capsule:
    • Use the signing keys to sign the firmware update capsule. This process authenticates the capsule and ensures it hasn’t been tampered with.
    • The signing process involves creating a hash of the firmware update payload and then encrypting this hash with the private key to create a digital signature.
    • Place these certificates in a folder named `Certificates’. Sample files available in this folder might include QcFMPCert.pem, QcFMPRoot.pub.pem, and QcFMPSub.pub.pem.
  3. Verify the capsule:
    • The UEFI firmware uses the public certificate to verify the digital signature on the capsule. If the signature is valid and matches the trusted certificate, the firmware update process will proceed.
    • The boot devicetree (DT) provides the root certificate—either QcFMPRoot.cer or NewRoot.cer at the following node: /sw/uefi/uefiplat/QcCapsuleRootCert.
    • This boot DT is part of the xbl_config.elf binary and can be updated using the QDTE tool.
    • Capsule update can only be performed if the root certificate is already present on the device, specifically within the boot DT node in xbl_config.elf.
    • Ensure the certificate is correctly embedded in the binary(xbl_config.elf) and available on the device before initiating any capsule update process.
This verification step ensures the system applies only authorized firmware updates.