Visible to Intel only — GUID: GUID-B1A6E857-A98D-42E8-A21E-5D7161767817
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-B1A6E857-A98D-42E8-A21E-5D7161767817
Applets
An Intel® Dynamic Application Loader (Intel® DAL) trusted application, or applet, is part of an embedded solution and as such it runs in an environment with scarce execution resources. The overall design should be that, as far as possible, the host application performs the bulk of the processing and logic flow, invoking the functionality as needed for specific tasks to only implement the special functionality that this trusted environment can provide.
For security reasons, the Intel DAL environment will only allow an applet to be installed if it has been signed by Intel. See Preparing and Submitting Your Project for Signing for details.
Intel DAL memory resources are scarce. Trusted applications should be loaded when they have a need to accomplish a task and their sessions should be closed as soon as the task is complete. This restriction directly impacts the number of simultaneously loaded trusted applications into the memory available to Intel DAL. Therefore, all trusted applications should follow the following steps:
- Load trusted application (open session).
- Run tasks.
- Unload (close session) as soon as possible.
Failure to follow this can result in Intel DAL running out of memory and refusing to load trusted applications.
The SDK in Intel DAL assumes that you know how to develop Java* code. The following guidelines apply specifically to developing trusted applications that will run in the Intel DAL environment. Some of the parameters addressed here will change as a function of the platform version, possibly including, for example, available memory, function speed, and the maximum number of trusted applications.
Trusted applications should not depend on an endless loop construct (for example, a while (true) loop), as the Virtual Machine (VM) will not interrupt or stop a running trusted application. This can be problematic if a host-based application attempts to stop the trusted application via the client service command, or the client service tries to stop the trusted application for some reason. Instead, the trusted application should wait for an event (even an event that will never occur). This will give the client application the window to stop the trusted application when necessary.
Warning:Do not include secret data in the trusted application. There is no encryption on the trusted application binary.
Applet Manifest
Every applet contains an Applet Manifest, which serves as its metadata, determining the size of the applet's heap and the Intel DAL features that the applet is allowed to access.
Applet - Host Application Relationship
All trusted applications include an invokeCommand function that expects a function number and associated data. Therefore, trusted applications must be broken down into a collection of actions, each with a function number. See the SDK samples for further examples of this.
public int invokeCommand(int commandID, byte[] request)
{
int retVal = APPLET_SUCCESS;
final byte[] myResponse = { 'O', 'K' };
switch(commandID) {
case 1:
DebugPrint.printString("Hello World!");
setResponse(myResponse, 0, myResponse.length);
break;
case 2:
DebugPrint.printString("Got commandId 2, will respond with an identical byte array.");
setResponse(data, 0, data.length);
break;
default:
DebugPrint.printString("Got commandId: "+commandID+".");
setResponse(myResponse, 0, myResponse.length);
break;
}
return retVal;
}
Host applications communicate with trusted applications using the Intel® DAL Host Interface Service (Intel® DAL HIS) - a DLL whose API is used to install trusted applications and to establish sessions between a host application and a trusted application. A host application uses the Intel DAL Host Interface Service function to call the trusted application function. The function call identifies the trusted application, the session, and which trusted application function to invoke. It sends data when the trusted application function requires data. It returns a status and, when necessary, data.
Host applications perform most of the work for a certain task. The host application depends on a trusted application to take advantage of the functions that can only be performed by the trusted application and the capabilities in the firmware and hardware that the trusted application can invoke.
Note: See Security Guidelines for details on the trusted application's security responsibilities and those of the host application.
It is the responsibility of the host application and trusted application to protect sensitive data in transit. There is no encryption on the trusted application binary, so secret data should not be transmitted in a trusted application. Any modification to the trusted application binary by a 3rd party will result in a failed signature verification when loading the trusted application to the Intel® Management Engine (Intel® ME).