Pack Tool

Intel® Dynamic Application Loader (Intel® DAL) Developer Guide

Download PDF

ID 773482

Date 3/24/2023

Version 1.0

Public

Visible to Intel only — GUID: GUID-CF9C1C46-F723-456C-AAB9-82CAFC3E20C7

View Details

Pack Tool

The Intel® Dynamic Application Loader (Intel® DAL) Pack tool is used to:

Package and sign Java* applet files. The Pack tool accepts a jeff file and a configuration file, and appends the manifest and policy section to the beginning of the file. Afterwards (unless the production flag is set) it signs it with a debug key and produces the final package, which can be uploaded to the Intel® Management Engine (Intel® ME) or Intel® Trusted Execution Engine (Intel® TXE) firmware to run on the virtual machine.
Package and sign Admin Command Packages (ACPs).
Extract manifest information from an existing signed package.
Get the Platform ID (PID) of the current machine - supported beginning with Intel® ME 9.5, including CHV and Intel Atom® SoC (formerly codenamed Bay Trail-I).
Get the access control value for a specific jeff - supported beginning with Intel ME 11.0.

Beginning with Release 1.16, the Pack tool can work as a stand-alone tool, if the following conditions are met:

ConfigurationLibrary.jar is included in the PackTool directory.
jeffp.jar is included in either the PackTool directory or under DALsdk\Plugins\Eclipse.
bhc.exe (Intel DAL compiler) for each Intel DAL generation is included in either the PackTool directory or under DALsdk\Platform\<PLATFORM>\ PlatformTools\BhcTool.
dal.jar for each DAL generation is included in either the PackTool directory or under DALsdk\Platform\<PLATFORM>\ PlatformTools.

Command-Line Arguments for Package Option

Required arguments	Meaning
Pack	Specifies that the desired action is to package and sign an applet.
-jeff <jeff file>	The jeff file to package (cannot be an empty file).
-conf <conf file>	The configuration file to apply to the jeff file. See below for further details on format.

Required arguments

Meaning

Pack

Specifies that the desired action is to package and sign an applet.

-jeff <jeff file>

The jeff file to package (cannot be an empty file).

-conf <conf file>

The configuration file to apply to the jeff file.

See below for further details on format.

Optional arguments	Meaning
-sigParams <signature parameters file>	xml file containing the signature parameters to apply to the applet. (See below for further details on format.)
-encrypt <encryption key file>	XML file containing the encryption key parameters with which to to encrypt the JEFF byte-code. (See below for further details on format.)
-svl <svl file>	A file containing a list of applet security versions. Applets whose security version is equal to or lower than the version specified will not be installed. Removed in API level 7. Use the UpdateSVL command instead for API level 7 and later.
-signing	Specifies that the applet is packaged for production. When this argument is inserted, the value of debug.enable in the configuration file must be False.
-addpid	Specifies the Platform ID for a production platform. Adds the platform ID value to the manifest file specified in the -conf argument before packaging the pack file. Use for signing a trusted application for a single production platform only (for test purposes). Note: A trusted application signed with this field will load ONLY on the specified platform. This is supported from Intel ME 9.5 and requires the tool to be run with administrative permissions.
-temp <temp folder location>	Specifies where to create the Temp folder for the packing flow.
-help	Displays help for the the command line arguments.
-out <out file>	Specifies a file to which the output result will be copied. If not specified, the output file will be located in the Out directory from which the tool was invoked.

Configuration File Format

The configuration file format contains properties with the format property:value. There can be empty lines (new line is "\n" or "\r\n") and/or white spaces (spaces and tabs) between:

line start
property
value
end of line (Those whitespaces will be trimmed).

The supported properties can be found in the Trusted Application Manifest.

Command-Line Arguments for UninstallJTA Admin Command

Required arguments
UninstallJTA	Specifies that the desired action is to create admin command for uninstalling a specific Java Trusted Application.
-uuid <UUID>	Specifies the UUID of the Java Trusted Application to be uninstalled. UUID format is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

Required arguments

UninstallJTA

Specifies that the desired action is to create admin command for uninstalling a specific Java Trusted Application.

-uuid <UUID>

Specifies the UUID of the Java Trusted Application to be uninstalled.

UUID format is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

Optional Arguments	Meaning
-out <out file>	Specifies a file to which the output result will be copied.
-temp <temp folder location>	Specifies the temp folder for the Pack Tool.
-help	Displays the command line arguments help.

Command-Line Arguments for UpdateSVL Admin Command

Required Arguments	Meaning
UpdateSVL	Specifies that the desired action is to create admin command for updating the security version list with new UUIDs and their security versions.
-conf <svl conf file>	The configuration file to add the admin command. Currently this file must contain only one line: svl.platform: CSE
-svl <svl file>	The SVL file with list of UUIDs and their security versions. The format of the list is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx SVN

Required Arguments

Meaning

UpdateSVL

Specifies that the desired action is to create admin command for updating the security version list with new UUIDs and their security versions.

-conf <svl conf file>

The configuration file to add the admin command.

Currently this file must contain only one line: svl.platform: CSE

-svl <svl file>

The SVL file with list of UUIDs and their security versions.

The format of the list is:

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx SVN

Optional Arguments
-sigParams <signature parameters file>	An xml file containing the signature parameters to apply to the UpdateSvl ACP. (See elaboration on format below.)
-out <out file>	Specifies a file to which the output result will be copied.
Specifies a file to which the output result will be copied.	Specifies the temp folder for the Pack Tool.
-help	Displays the command line arguments help.

Command-Line Arguments for InstallSD Admin Command

Required Arguments	Meaning
InstallSD	Specifies that the desired action is to package and sign an InstallSD ACP.
-conf <S-SD manifest file>	The configuration file to apply to the S-SD. The supported properties can be found in OEM Signing. Format: same as that of the applet manifest.
-sigParams <signature parameters file>	An xml file containing the signature parameters of the SD signing key. (See elaboration on format below.)

Required Arguments

Meaning

InstallSD

Specifies that the desired action is to package and sign an InstallSD ACP.

-conf <S-SD manifest file>

The configuration file to apply to the S-SD.

The supported properties can be found in OEM Signing.

Format: same as that of the applet manifest.

-sigParams <signature parameters file>

An xml file containing the signature parameters of the SD signing key.

(See elaboration on format below.)

Optional arguments	Meaning
-outKeyHash <public key hash output>	Specifies the exact location and name of the output file to write the OEM public key hash to.
-out <out file>	Specifies a file to which the output result will be copied.
-temp <temp folder location>	Specifies the temp folder for the Pack Tool.
-help	Displays the command line arguments help.

Command-Line Arguments for UninstallSD Admin Command

Required arguments	Meaning
UninstallSD	Specifies that the desired action is to package and sign an UninstallSD ACP.
-UUID <uuid>	Specifies the UUID of the Sub-Security Domain to be uninstalled. UUID format is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Required arguments

Meaning

UninstallSD

Specifies that the desired action is to package and sign an UninstallSD ACP.

-UUID <uuid>

Specifies the UUID of the Sub-Security Domain to be uninstalled.

UUID format is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Optional arguments	Meaning
-sigParams <signature parameters file>	xml file containing the signature parameters to apply to the UninstallSD ACP. (See elaboration on format below.)
-out <out file>	Specifies a file to which the output result will be copied.
-temp <temp folder location>	Specifies the temp folder for the Pack Tool.
-help	Displays the command line arguments help

Command-Line Arguments for Unpackage Option

Required arguments	Meaning
Unpack	Specifies that the desired action is to extract manifest information from given package.
-pack <pack file>	The pack file to parse. The pack file cannot be an empty file.
-version <version>	The version of firmware for which the package was signed. (Format: major.minor)

Optional arguments	Meaning
-ac <admin command name>	Specifies the admin command type to parse. This is one of the following: installsd uninstallsd uninstalljta updatesvl pack [default]
-outKeyHash <public key hash output>	Specifies the exact location and name of the OEM public key hash output file to which to write the public key hash. This argument is applicable only to the InstallSD ACP.
-verbose	Prints out additional information.
-out <out file>	Specifies a file to which the output result will be copied.
-help	Displays the command line arguments help.

Command-Line Arguments for Get PID Option

Required arguments	Meaning
GetPID	Specifies that the desired action is to get the Platform ID of the current machine.

Optional arguments	Meaning
-help	Displays the command line arguments help.

Optional arguments

Meaning

-help

Displays the command line arguments help.

This command requires admin privileges to run.

Command Line Arguments for Get Access Control Option

Required arguments	Meaning
get-access-control	Specifies that the desired action is to get the access control value of a specific .jeff file.
-jeff <jeff file>	The jeff file whose access control value is needed. The jeff file cannot be an empty file.

Optional arguments	Meaning
-version <version>	The version of firmware for which the jeff was built. (Format: Major.Minor) Default value: 11.0.
-help	Displays the command line arguments help.

Optional arguments

Meaning

-version <version>

The version of firmware for which the jeff was built. (Format: Major.Minor)

Default value: 11.0.

-help

Displays the command line arguments help.

Signature Parameters File

The signature parameters file is an XML file with the following format:

XML file format for InstallSD

<?xml version="1.0" encoding="UTF-8"?>
 <SignatureParameters>
            <sig_alg></sig_alg>
            <sig_key_type></sig_key_type>
           <sig_key_public></sig_key_public>
</SignatureParameters>

XML format for other ACPs

 <?xml version="1.0" encoding="UTF-8"?>
 <SignatureParameters>
            <sig_sd_id></sig_sd_id>
            <sig_alg></sig_alg>
            <sig_key_type></sig_key_type>
           <sig_key_priv></sig_key_priv>
</SignatureParameters>

Parameters Format

The values inside the <sig_key_public> and <sig_key_priv> tags are the OEM Intel DAL public key and OEM Intel DAL private key (respectively) in PEM format (including header and footer).
The value of <sig_alg> is an unsigned decimal integer. Currently only 4 (bh_sig_alg_pkcs_2048) is supported.
The value of <sig_key_type> is an unsigned decimal integer. Currently only 4 (OEM dedicated Intel DAL TA signing key) is supported.
<sig_sd_id> is the SD UUID (sd.id).

Encryption Key Parameters File

The Intel DAL encryption key parameters file is an XML file with the following format:

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionKeyParameters>
   <cipher_alg_type></cipher_alg_type>
   <enc_key_id></enc_key_id>
   <enc_key></enc_key>
   <iv></iv>
</EncryptionKeyParameters>

Parameters Format

The value of <cipher_alg_type> is an unsigned decimal integer, one of the following:
- tee_cipher_aes_gcm_256 = 1
The value of <enc_key_id> is an unsigned decimal integer, indicating the ID of the symmetric DEK key that the bytecode is encrypted with. Value is 1-5 inclusive.
<enc_key> is the DEK private key as a 32-byte hexadecimal string (64 hexadecimal characters).
<iv> is a 12-byte hexadecimal string (24 hexadecimal characters).

Select Your Language

Using Intel.com Search

Quick Links

Recent Searches

Advanced Search

Only search in

Intel® Dynamic Application Loader (Intel® DAL) Developer Guide

Pack Tool

Command-Line Arguments for Package Option

Configuration File Format

Command-Line Arguments for UninstallJTA Admin Command

Command-Line Arguments for UpdateSVL Admin Command

Command-Line Arguments for InstallSD Admin Command

Command-Line Arguments for UninstallSD Admin Command

Command-Line Arguments for Unpackage Option

Command-Line Arguments for Get PID Option

Command Line Arguments for Get Access Control Option

Signature Parameters File

XML file format for InstallSD

XML format for other ACPs

Parameters Format

Encryption Key Parameters File