Visible to Intel only — GUID: GUID-F0390B44-5570-438A-99AF-1C995EBE7685
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-F0390B44-5570-438A-99AF-1C995EBE7685
Architecture
A Trusted Execution Environment (TEE) is a separate execution environment, consisting of firmware and hardware, that runs alongside, and provides security services for, the Rich Execution Environment (REE). The TEE isolates access to its hardware and software resources from the REE and its applications. Intel® Dynamic Application Loader (Intel® DAL) is a specific TEE with the Intel® Converged Security Engine (Intel® CSE) which is a general TEE.
The TEE offers safe execution of authorized security software and firmware known as Trusted Applications (TAs). TAs can be developed in Java* and downloaded to the TEE in run time. Inside the TEE, each TA is independent from the others. The TEE also enforces protection, confidentiality, integrity and access rights of the resources and data belonging to those TAs. A TA cannot access the security assets of another TA without authorization.
TAs are given controlled access to security resources and services via the TEE Internal API. These services may include: cryptography, secure storage, secure I/O. The TEE Internal API is provided in Java (via Intel DAL APIs). There is a possibility that Intel may extend it to C in the future.
A TA is typically accompanied by a Trusted Application Host Client, which is host software that exposes the TA services as a rich, operating system-friendly API.
The TA life cycle is managed by the Intel DAL Admin Framework that resides in the Intel CSE firmware. The TEE Management Application is an executable that implements the host side of the management protocol.
The TEE Client API is a low level communication interface designed to enable host software running in the REE to access and exchange data with the TAs running inside the TEE.
The following diagram shows the high level architecture of a generic Trusted Execution Environment (TEE).
For more details on Intel DAL components, click the appropriate link below:
- Applets: What they are, how they work, installation on end user's machine, and the Applet Manifest
- Host Applications: What they are, how they work, how they send information to the host-applet interface
- Host-Applet Interface: How it works, including TEE management and accounting for multiple versions of the applet
- Host Interface Service: Using it on Linux* and Android*