Visible to Intel only — GUID: GUID-594DFCB9-DFF4-4472-9FB4-5D592D98463F
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-594DFCB9-DFF4-4472-9FB4-5D592D98463F
Linux Support
- Supported Platforms and Distributions
- Client API
- Intel Kernel DAL Interfaces
- Intel DAL Host Interface Daemon Installation
Intel has developed the Intel® Dynamic Application Loader (Intel® DAL) Host Interface Daemon (also known as JHI), which contains the APIs that enable a Linux* operating system to communicate with Intel DAL. The daemon is available both in a standalone software package and as part of the Linux* Yocto 64-bit distribution.
The use of a Linux operating system does not affect the structure and code of applets running in the DAL. Applet development is the same, and should be conducted on Windows*, regardless of the target's operating system. The host application that you will use to communicate with the DAL must be compiled for use on Linux.
Note: The PAVP library is not yet available on Linux, and therefore the Protected Trusted Display APIs are not available for use by your host application. In addition, the iCLS Client is also not available in Linux, so if you want to provision an EPID you will need to do so through the DAL directly.
The SDK provides a Linux-based Generic Host Application, as well as a sample host application that can be used as a template for your host application development. See Linux Tools for more details.
Supported Platforms and Distributions
Intel DAL is supported on the Broxton IOTG hardware platform.
The Intel DAL Host Interface Daemon provides your host application's interface with the DAL. It is included with the 64-bit Yocto Linux distribution, kernel version 4.x.
The daemon is open-source and can be installed on any other Linux distribution, but these installations are not officially supported. For instructions on downloading the software package, see below.
Note: Instructions for installing Linux Yocto or any other Linux distribution are outside the scope of this documentation.
Client API
The JHI Daemon exposes two client APIs:
- Legacy JHI API: Provides the same API as the Windows JHI C++ API. Exposed via the libjhi.so shared library.
- TEE Management API: Provides the same API as the Windows TEE Management API. Exposed via the libteemanagement.so shared library.
The following diagram displays the high-level architecture of the communication between the Intel DAL layer and the host application via the Intel DAL Host Interface daemon.
Intel Kernel DAL Interfaces
The Intel® Management Engine Interface and Dynamic Application Loader (Intel® ME DAL) is a kernel component that provides both user space and kernel space communication interfaces with the Intel DAL client in CSE firmware, enabling the direct usage of DAL by Linux kernel components.
Intel MEI DAL exposes a user space interface via the /dev/dal character device. This interface is used by the JHI daemon to communicate with Intel DAL firmware and supports a single consumer only.
In addition, Intel MEI DAL exposes a kernel space interface that contains a minimal set of functions for session communication with an applet and supports multiple concurrent consumers.
Both the user space and kernel space interfaces can be used simultaneously; Intel® MEI DAL supports concurrent usages coming both from kernel space and user space.
Intel DAL Host Interface Daemon Installation
The Intel® DAL Host Interface Daemon is installed as part of the Intel IOTG Yocto distribution. The Intel DAL Host Interface process (jhid) runs as a daemon and the Trusted Application repository is placed in the /var/lib/intel/dal/applet_repository folder.
The JHI source code is published publicly on GitHub*. You can download the source and run the following commands to build the JHI package and install it:
cmake .
make
make install
Note: Before you install the JHI package on your Linux distribution of choice, make sure that the paths at the end of CMakeLists.txt are compatible with your Linux setup.
Changing the JHI Communication Interface
The Intel® JHI Daemon allows you to configure the transport type for connecting with Intel DAL firmware by changing the /etc/jhi/jhi.conf configuration file to specify the communication interface (HECI MEI device, MEI DAL device, or IP socket).
After changing the configuration, you need to restart the JHI Daemon, using the command systemctl restart jhi to apply the change.