Visible to Intel only — GUID: GUID-4F2A6B18-52D6-460C-9EF6-5D1A0E81BDCD
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-4F2A6B18-52D6-460C-9EF6-5D1A0E81BDCD
Intel® EPID 1.1 Provisioning Sample
This sample demonstrates how to use Intel® DAL for implementing the Intel® Enhanced Privacy ID (Intel® EPID) provisioning on a platform, meaning, to concatenate the Intel EPID group ID currently stored on the platform into the full Intel EPID algorithm's relevant data. For more information on Intel DAL security, see the Security Guidelines.
This sample is applicable for API level 4 and above.
Note: Before running the sample, make sure the server is running. To run the server, locate the SDK installation on your disk and double-click \DALsdk\Samples\DALSamplesServer\DALSamplesServer.sln. Then run the project.
When the platform is produced, the following are burned into it:
- Intel EPID public group ID
- Specific platform private key
Note: All of the Intel EPID group members share the same Intel EPID group ID. Each platform has a unique private key.
Those two things are not enough to enable using Intel EPID for security functions (e.g., for signing and SIGMA). To use the Intel EPID feature, you need to perform the provisioning step on the platform. This step provides the platform with all the required signed data and saves the data to the flash memory.
Note: On a real platform, provisioning is performed only once unless a new image is burned on the platform. In emulation, provisioning only needs to be performed once, unless the clear flash data checkbox is selected and the emulation is restarted.
The data is given to a platform according to its Intel EPID group ID, so the provisioning data is the same for all the Intel EPID group members. The provisioning data that the platform receives from the server is signed by Intel. The provisioning data consists of a certificate and mathematical parameters that are read from the files transferred from the server.
The files' content is signed. The last 64 bytes of each file are the signature. When the firmware receives the data, it verifies that the data was signed by Intel, decrypts the data, and saves it.
Intel EPID provisioning is a one-time process. Once the provisioning has been performed, the new stored data is used in the relevant crypto usages, such as the Intel EPID signing process and SIGMA algorithms.
Note: The Intel EPID provisioning process is performed automatically by Intel® Capability Licensing Service version 1.47.715.0 and later (Intel Capability Licensing Service runs on the client machine as part of the Intel® Management Engine (Intel® ME) \ Intel® Trusted Execution Engine (Intel® TXE) software package).
Sample Flow
- The trusted application indicates whether the Intel EPID provisioning process was already performed on the platform. If the platform was not yet provisioned, you can proceed to the next steps.
- The trusted application provides the host application with the trusted application's platform Intel EPID group ID, thereby proving its membership in the specific Intel EPID group. When forwarded to the server, this will allow it to obtain the full provisioning data from the server.
- The host application sends the platform Intel EPID group ID to the server.
- The server generates the provisioning data, including the certificate and the mathematical parameters according to the platform Intel EPID group ID, and sends it to the host application, which forwards the information to the trusted application.
- The trusted application performs the Intel EPID provisioning process on the current platform, using the provisioning data it received.