Visible to Intel only — GUID: GUID-CF9C1C46-F723-456C-AAB9-82CAFC3E20C7
Pack Tool
The Intel® Dynamic Application Loader (Intel® DAL) Pack tool is used to:
- Package and sign Java* applet files. The Pack tool accepts a jeff file and a configuration file, and appends the manifest and policy section to the beginning of the file. Afterwards (unless the production flag is set) it signs it with a debug key and produces the final package, which can be uploaded to the Intel® Management Engine (Intel® ME) or Intel® Trusted Execution Engine (Intel® TXE) firmware to run on the virtual machine.
- Package and sign Admin Command Packages (ACPs).
- Extract manifest information from an existing signed package.
- Get the Platform ID (PID) of the current machine - supported beginning with Intel® ME 9.5, including CHV and Intel Atom® SoC (formerly codenamed Bay Trail-I).
- Get the access control value for a specific jeff - supported beginning with Intel ME 11.0.
Beginning with Release 1.16, the Pack tool can work as a stand-alone tool, if the following conditions are met:
- ConfigurationLibrary.jar is included in the PackTool directory.
- jeffp.jar is included in either the PackTool directory or under DALsdk\Plugins\Eclipse.
- bhc.exe (Intel DAL compiler) for each Intel DAL generation is included in either the PackTool directory or under DALsdk\Platform\<PLATFORM>\PlatformTools\BhcTool.
- dal.jar for each DAL generation is included in either the PackTool directory or under DALsdk\Platform\<PLATFORM>\PlatformTools.
Command-Line Arguments for Package Option
Required arguments | Meaning |
---|---|
Pack | Specifies that the desired action is to package and sign an applet. |
-jeff <jeff file> | The jeff file to package (cannot be an empty file). |
-conf <conf file> | The configuration file to apply to the jeff file. See below for further details on format. |
Optional arguments | Meaning |
---|---|
-sigParams <signature parameters file> | XML file containing the signature parameters to apply to the applet. (See below for further details on format.) |
-encrypt <encryption key file> | XML file containing the encryption key parameters with which to encrypt the JEFF byte-code. (See below for further details on format.) |
-svl <svl file> | A file containing a list of applet security versions. Applets whose security version is equal to or lower than the version specified will not be installed. Removed in API level 7. Use the UpdateSVL command instead for API level 7 and later. |
-signing | Specifies that the applet is packaged for production. When this argument is inserted, the value of debug.enable in the configuration file must be False. |
-addpid | Specifies the Platform ID for a production platform. Adds the platform ID value to the manifest file specified in the -conf argument before packaging the pack file. Use for signing a trusted application for a single production platform only (for test purposes). Note: A trusted application signed with this field will load ONLY on the specified platform. This is supported from Intel ME 9.5 and requires the tool to be run with administrative permissions. |
-temp <temp folder location> | Specifies where to create the Temp folder for the packing flow. |
-help | Displays help for the command line arguments. |
-out <out file> | Specifies a file to which the output result will be copied. If not specified, the output file will be located in the Out directory from which the tool was invoked. |
Configuration File Format
The configuration file consists of properties in the format property:value. Empty lines are allowed (a new line is "\n" or "\r\n"), and white space (spaces and tabs) may appear between:
- line start
- property
- value
- end of line (this white space is trimmed).
The supported properties can be found in the Trusted Application Manifest.
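A pre-flight check for the format above, written for this page as an added example (it is not Intel's code): it parses property:value lines with the trimming rules described and reports a manifest that would be packed with -signing while debug.enable is not False. The property name example.property is a constructed placeholder, and rejecting duplicates, treating a missing debug.enable as a failure, and comparing False case-insensitively are assumptions stricter than the page states.

```python
import re

def parse_manifest(text):
    """Parse 'property:value' lines. Returns (props, errors)."""
    props, errors = {}, []
    # The page defines a new line as "\n" or "\r\n".
    for lineno, raw in enumerate(re.split(r"\r?\n", text), 1):
        line = raw.strip()                  # white space at line start/end is trimmed
        if not line:
            continue                        # empty lines are allowed
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            errors.append(f"line {lineno}: expected property:value")
        elif name in props:                 # assumption: duplicates are an error
            errors.append(f"line {lineno}: duplicate property {name}")
        else:
            props[name] = value
    return props, errors

def production_errors(text):
    """Errors that should block a 'Pack ... -signing' run for this manifest."""
    props, errors = parse_manifest(text)
    # Assumption: a missing debug.enable is treated the same as a wrong value.
    if props.get("debug.enable", "").lower() != "false":
        errors.append("debug.enable must be False when packing with -signing")
    return errors

# Constructed samples; example.property is a placeholder, not a real manifest key.
SAMPLE_DEBUG = "  example.property :  value one \r\n\r\n\tdebug.enable:\tTrue\r\n"
SAMPLE_PROD = "example.property: value one\ndebug.enable: False\n"

if __name__ == "__main__":
    print(production_errors(SAMPLE_DEBUG))
    print(production_errors(SAMPLE_PROD))
```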
Command-Line Arguments for UninstallJTA Admin Command
Required arguments | Meaning |
---|---|
UninstallJTA | Specifies that the desired action is to create an admin command for uninstalling a specific Java Trusted Application. |
-uuid <UUID> | Specifies the UUID of the Java Trusted Application to be uninstalled. UUID format is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. |
Optional Arguments | Meaning |
---|---|
-out <out file> | Specifies a file to which the output result will be copied. |
-temp <temp folder location> | Specifies the temp folder for the Pack Tool. |
-help | Displays the command line arguments help. |
Command-Line Arguments for UpdateSVL Admin Command
Required Arguments | Meaning |
---|---|
UpdateSVL | Specifies that the desired action is to create an admin command for updating the security version list with new UUIDs and their security versions. |
-conf <svl conf file> | The configuration file to add the admin command. Currently this file must contain only one line: svl.platform: CSE |
-svl <svl file> | The SVL file with list of UUIDs and their security versions. The format of the list is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx SVN |
Optional Arguments | Meaning |
---|---|
-sigParams <signature parameters file> | An XML file containing the signature parameters to apply to the UpdateSvl ACP. (See elaboration on format below.) |
-out <out file> | Specifies a file to which the output result will be copied. |
-temp <temp folder location> | Specifies the temp folder for the Pack Tool. |
-help | Displays the command line arguments help. |
Command-Line Arguments for InstallSD Admin Command
Required Arguments | Meaning |
---|---|
InstallSD | Specifies that the desired action is to package and sign an InstallSD ACP. |
-conf <S-SD manifest file> | The configuration file to apply to the S-SD. The supported properties can be found in OEM Signing. Format: same as that of the applet manifest. |
-sigParams <signature parameters file> | An XML file containing the signature parameters of the SD signing key. (See elaboration on format below.) |
Optional arguments | Meaning |
---|---|
-outKeyHash <public key hash output> | Specifies the exact location and name of the output file to write the OEM public key hash to. |
-out <out file> | Specifies a file to which the output result will be copied. |
-temp <temp folder location> | Specifies the temp folder for the Pack Tool. |
-help | Displays the command line arguments help. |
Command-Line Arguments for UninstallSD Admin Command
Required arguments | Meaning |
---|---|
UninstallSD | Specifies that the desired action is to package and sign an UninstallSD ACP. |
-UUID <uuid> | Specifies the UUID of the Sub-Security Domain to be uninstalled. UUID format is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
Optional arguments | Meaning |
---|---|
-sigParams <signature parameters file> | XML file containing the signature parameters to apply to the UninstallSD ACP. (See elaboration on format below.) |
-out <out file> | Specifies a file to which the output result will be copied. |
-temp <temp folder location> | Specifies the temp folder for the Pack Tool. |
-help | Displays the command line arguments help. |
Command-Line Arguments for Unpackage Option
Required arguments | Meaning |
---|---|
Unpack | Specifies that the desired action is to extract manifest information from given package. |
-pack <pack file> | The pack file to parse. The pack file cannot be an empty file. |
-version <version> | The version of firmware for which the package was signed. (Format: major.minor) |
Optional arguments | Meaning |
---|---|
-ac <admin command name> | Specifies the admin command type to parse. This is one of the following: installsd, uninstallsd, uninstalljta, updatesvl, pack [default]. |
-outKeyHash <public key hash output> | Specifies the exact location and name of the OEM public key hash output file to which to write the public key hash. This argument is applicable only to the InstallSD ACP. |
-verbose | Prints out additional information. |
-out <out file> | Specifies a file to which the output result will be copied. |
-help | Displays the command line arguments help. |
Command-Line Arguments for Get PID Option
Required arguments | Meaning |
---|---|
GetPID | Specifies that the desired action is to get the Platform ID of the current machine. |
Optional arguments | Meaning |
---|---|
-help | Displays the command line arguments help. |
This command requires admin privileges to run.
Command-Line Arguments for Get Access Control Option
Required arguments | Meaning |
---|---|
get-access-control | Specifies that the desired action is to get the access control value of a specific .jeff file. |
-jeff <jeff file> | The jeff file whose access control value is needed. The jeff file cannot be an empty file. |
Optional arguments | Meaning |
---|---|
-version <version> | The version of firmware for which the jeff was built. (Format: Major.Minor) Default value: 11.0. |
-help | Displays the command line arguments help. |
Signature Parameters File
The signature parameters file is an XML file with the following format:
XML file format for InstallSD
<?xml version="1.0" encoding="UTF-8"?>
<SignatureParameters>
    <sig_alg></sig_alg>
    <sig_key_type></sig_key_type>
    <sig_key_public></sig_key_public>
</SignatureParameters>
XML format for other ACPs
<?xml version="1.0" encoding="UTF-8"?>
<SignatureParameters>
    <sig_sd_id></sig_sd_id>
    <sig_alg></sig_alg>
    <sig_key_type></sig_key_type>
    <sig_key_priv></sig_key_priv>
</SignatureParameters>
Parameters Format
- The values inside the <sig_key_public> and <sig_key_priv> tags are the OEM Intel DAL public key and OEM Intel DAL private key (respectively) in PEM format (including header and footer).
- The value of <sig_alg> is an unsigned decimal integer. Currently only 4 (bh_sig_alg_pkcs_2048) is supported.
- The value of <sig_key_type> is an unsigned decimal integer. Currently only 4 (OEM dedicated Intel DAL TA signing key) is supported.
- <sig_sd_id> is the SD UUID (sd.id).
Encryption Key Parameters File
The Intel DAL encryption key parameters file is an XML file with the following format:
<?xml version="1.0" encoding="UTF-8"?>
<EncryptionKeyParameters>
    <cipher_alg_type></cipher_alg_type>
    <enc_key_id></enc_key_id>
    <enc_key></enc_key>
    <iv></iv>
</EncryptionKeyParameters>
Parameters Format
- The value of <cipher_alg_type> is an unsigned decimal integer, one of the following:
  - tee_cipher_aes_gcm_256 = 1
- The value of <enc_key_id> is an unsigned decimal integer, indicating the ID of the symmetric DEK key that the bytecode is encrypted with. Value is 1-5 inclusive.
- <enc_key> is the DEK private key as a 32-byte hexadecimal string (64 hexadecimal characters).
- <iv> is a 12-byte hexadecimal string (24 hexadecimal characters).
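The parameter rules for both XML files, expressed as a validator to run before handing the files to the Pack tool. This is an added example, not Intel's code; the function names are hypothetical, the sample holds constructed placeholder values, and applying the dashed UUID layout (dashes optional) to <sig_sd_id> is an assumption.

```python
import re
import xml.etree.ElementTree as ET

PEM = re.compile(r"-----BEGIN [A-Z ]+-----.+-----END [A-Z ]+-----", re.S)
# Assumption: sig_sd_id uses the UUID layout the page gives for -uuid (dashes optional).
UUID = re.compile(r"[0-9A-Fa-f]{8}(-?[0-9A-Fa-f]{4}){3}-?[0-9A-Fa-f]{12}")

def _fields(xml_text, root_tag):
    """Return {tag: trimmed text} for the children of the expected root element."""
    root = ET.fromstring(xml_text)
    if root.tag != root_tag:
        raise ValueError(f"root element must be <{root_tag}>")
    return {child.tag: (child.text or "").strip() for child in root}

def _uint(value):
    """Unsigned decimal integer, or None if the text is anything else."""
    return int(value) if re.fullmatch(r"[0-9]+", value or "") else None

def check_encryption_params(xml_text):
    f, errs = _fields(xml_text, "EncryptionKeyParameters"), []
    if _uint(f.get("cipher_alg_type")) != 1:
        errs.append("cipher_alg_type must be 1 (tee_cipher_aes_gcm_256)")
    if _uint(f.get("enc_key_id")) not in range(1, 6):
        errs.append("enc_key_id must be 1-5 inclusive")
    for tag, nbytes in (("enc_key", 32), ("iv", 12)):
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * nbytes), f.get(tag, "")):
            errs.append(f"{tag} must be {2 * nbytes} hexadecimal characters")
    return errs

def check_signature_params(xml_text, install_sd=False):
    f, errs = _fields(xml_text, "SignatureParameters"), []
    for tag in ("sig_alg", "sig_key_type"):
        if _uint(f.get(tag)) != 4:
            errs.append(f"{tag} must be 4")
    key_tag = "sig_key_public" if install_sd else "sig_key_priv"
    if not PEM.fullmatch(f.get(key_tag, "")):
        errs.append(f"{key_tag} must be PEM including header and footer")
    if install_sd and "sig_key_priv" in f:
        errs.append("sig_key_priv is not part of the InstallSD format")
    if not install_sd and not UUID.fullmatch(f.get("sig_sd_id", "")):
        errs.append("sig_sd_id must be the SD UUID")
    return errs

# Constructed sample: placeholder key material, with two deliberate mistakes.
SAMPLE_ENC = ('<?xml version="1.0" encoding="UTF-8"?><EncryptionKeyParameters>'
              "<cipher_alg_type>1</cipher_alg_type><enc_key_id>6</enc_key_id>"
              f"<enc_key>{'ab' * 32}</enc_key><iv>{'cd' * 11}</iv>"
              "</EncryptionKeyParameters>")
```

Because the cipher is AES-GCM, an <iv> value must never be reused with the same <enc_key>; generate a fresh one for each package encrypted under a given DEK.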