- Generate the capsule. The scripts and instructions are in the uefi_capsule_generation directory of the cbsp-boot-utilities repository: https://github.com/quic/cbsp-boot-utilities/tree/main/uefi_capsule_generation.
- Clone the repository from https://github.com/quic/cbsp-boot-utilities.git and work from the cbsp-boot-utilities/uefi_capsule_generation/ directory.
- The generation scripts are provided for both Linux and Windows hosts; see the repository directory above for the commands.
Sign the capsule
To sign capsule-based system firmware updates following the Tianocore (EDK II) capsule-signing instructions, follow these steps:
- Generate signing keys:
  - Use the OpenSSL command-line utilities to create a new self-signed X.509 certificate chain (a root, an intermediate and a signer). Each member of the chain has a private key and a corresponding public certificate.
  - The build host uses the signer's private key to sign the firmware update capsules; the UEFI firmware on the device verifies that signature against the public root certificate it already trusts.
- Sign the firmware update capsule:
  - Use the signing keys to sign the firmware update capsule. The signature authenticates the capsule's origin and lets the firmware detect any tampering after signing.
  - Signing computes a digest (SHA-256 in the Tianocore instructions) of the firmware update payload and signs that digest with the private key; the result is a detached PKCS#7 signature that is carried in the capsule. Signing is not encryption: the payload stays readable, and the signature only proves who produced it and that it is unchanged.
  - Place the certificates in a folder named `Certificates`. The sample files in this folder are QcFMPCert.pem (the signing certificate), QcFMPRoot.pub.pem (the root public certificate) and QcFMPSub.pub.pem (the intermediate public certificate). The samples are for development; for production, generate your own chain and keep the private keys, above all the root key, off the build machine (for example in an HSM), because anyone holding a signer key that chains to the device's root can produce firmware the device will install.
- Verify the capsule:
  - The UEFI firmware uses the public root certificate to verify the digital signature on the capsule. The update proceeds only if the signature is valid and chains to the trusted root; otherwise the capsule is rejected.
  - The boot device tree (DT) provides the root certificate, either QcFMPRoot.cer or NewRoot.cer, at the node /sw/uefi/uefiplat/QcCapsuleRootCert.
  - This boot DT is part of the xbl_config.elf binary and can be updated using the QDTE tool.
  - A capsule update can only be performed if the root certificate is already present on the device, in that boot DT node within xbl_config.elf. A capsule signed under a new root (NewRoot.cer) will not verify until the device's xbl_config.elf carries that root.
  - Ensure the certificate is correctly embedded in xbl_config.elf and present on the device before initiating any capsule update.
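The chain generation, detached signing and root-only verification described above, as an added example that is not code from this page or from the cbsp-boot-utilities repository: a POSIX shell script that uses only the OpenSSL command line. root.pem, sub.pem and signer.pem play the roles of QcFMPRoot.pub.pem, QcFMPSub.pub.pem and QcFMPCert.pem; the certificate subjects, file names, the payload bytes and the "Unrelated Root" are constructed assumptions for the demonstration. The last check models a device whose boot DT carries a different root than the one the capsule was signed under.

```shell
#!/bin/sh
# Added example (not from this page or from Qualcomm's cbsp-boot-utilities):
# the capsule signing scheme end to end with OpenSSL.
#   1. Build a root -> sub -> signer certificate chain (the roles behind
#      QcFMPRoot.pub.pem, QcFMPSub.pub.pem and QcFMPCert.pem).
#   2. Produce a detached PKCS#7/CMS signature over a constructed payload.
#   3. Verify it trusting ONLY the root, as the device firmware does.
# File names, subjects and the payload contents are assumptions for the demo.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

# X.509 v3 extensions. An intermediate without CA:TRUE is rejected while the
# verifier builds the chain; the leaf only needs digitalSignature.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

# make_ca NAME SUBJECT [ISSUER]: self-signed root when ISSUER is omitted,
# otherwise a CA certificate issued by ISSUER.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -lt 3 ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
      -extfile ca.ext -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 3650 -sha256 -extfile ca.ext -out "$1.pem" 2>/dev/null
  fi
}

# make_leaf NAME SUBJECT ISSUER: end-entity signing certificate.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 3650 -sha256 -extfile leaf.ext -out "$1.pem" 2>/dev/null
}

# sign_payload PAYLOAD OUT: SHA-256 digest of the raw payload, signed with the
# signer key, emitted as a detached DER CMS/PKCS#7 blob (no -nodetach). The
# intermediate is embedded so the verifier can chain signer -> sub -> root.
sign_payload() {
  openssl cms -sign -binary -md sha256 -in "$1" -signer signer.pem -inkey signer.key \
    -certfile sub.pem -outform DER -out "$2" 2>/dev/null
}

# verify_payload PAYLOAD SIG ROOT: prints "ok" or "fail". Only ROOT is trusted,
# which is the role of the certificate in the QcCapsuleRootCert DT node.
verify_payload() {
  if openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
       -CAfile "$3" -out /dev/null 2>/dev/null; then
    echo ok
  else
    echo fail
  fi
}

make_ca   root   "/CN=Example FMP Root"
make_ca   sub    "/CN=Example FMP Sub"    root
make_leaf signer "/CN=Example FMP Signer" sub
make_ca   other  "/CN=Unrelated Root"        # a root the device does NOT carry

# Constructed stand-in for a firmware image, and a copy that differs in one byte.
printf 'EXAMPLE FMP PAYLOAD v1.0 (constructed stand-in for a firmware image)\n' > payload.bin
sed 's/v1.0/v1.1/' payload.bin > tampered.bin

sign_payload payload.bin payload.p7

echo "genuine payload, device root:  $(verify_payload payload.bin  payload.p7 root.pem)"
echo "tampered payload, device root: $(verify_payload tampered.bin payload.p7 root.pem)"
echo "genuine payload, wrong root:   $(verify_payload payload.bin  payload.p7 other.pem)"
```

Run it with sh; it prints ok, fail, fail. EDK II's own Pkcs7Sign tool issues the same `openssl smime -sign ... -outform DER -md sha256` form, and its GenerateCapsule.py wraps the signature in the FMP capsule structure; in a real capsule the signature sits in the capsule's authentication header rather than in a separate .p7 file, so this script demonstrates the cryptography and the trust decision, not the capsule container format. The second and third results are the two failures a practitioner meets in the field: a payload modified after signing, and a device whose xbl_config.elf still carries the old root after a key rotation.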

