Secure Data Migration Sample
This sample demonstrates how to decrypt data that was encrypted using the platform-binding (PBind) key after that key has changed because of a firmware update that incremented the firmware secure version number (SVN).
This sample is applicable for API level 8 and above.
To demonstrate the complete process, this sample contains two versions of the Trusted Application (TA):
- SecureData TA: The original applet that uses the basic encryption/decryption APIs provided by Intel® Dynamic Application Loader (Intel® DAL).
- SecureDataMigration TA: The modified applet that has a recovery flow to decrypt data that was encrypted using an old PBind key.
Note: The SecureDataMigration TA uses the DataMigration API (com.intel.crypto.DataMigration), which is supported starting with Intel® Trusted Execution Engine (Intel® TXE) 3.1.50.x firmware and Intel® Management Engine (Intel® ME) 11.8.x firmware.
Sample flow
- Encrypt data using the PBind key and save it in a file in the file system.
- Decrypt the encrypted data using the SymmetricBlockCipher (com.intel.crypto.SymmetricBlockCipherAlg) API.
- Perform a firmware update with a firmware SVN increment (as a result, the PBind key changes).
- Decrypt the encrypted data again: Decryption using the SymmetricBlockCipher API fails because the PBind key has changed since the data was encrypted, so use the Intel® Dynamic Application Loader (Intel® DAL) DataMigration (com.intel.crypto.DataMigration) API to decrypt the data using the old PBind key. This step requires the SecureDataMigration TA; decrypting with the old version of the applet (SecureData TA) results in an incorrect data format because the decryption key is not the same as the key that was used to encrypt.
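The flow above, modeled as an added Python example; it is not part of the Intel sample and does not call the Intel DAL APIs. ModelFirmware, recover, the MAGIC marker and the key derivation from a device secret plus the SVN are all assumptions made for illustration, and the final re-encryption under the current key goes beyond the steps listed on this page.

```python
import hashlib
import hmac
import os

MAGIC = b"SDM1"  # constructed marker: lets the caller detect a wrong-key decrypt

class ModelFirmware:
    """Hypothetical model: a PBind-like key derived from a device secret and the SVN."""
    def __init__(self, secret: bytes, svn: int):
        self._secret, self.svn, self.prev_svn = secret, svn, None

    def update(self, new_svn: int) -> None:
        """Firmware update with an SVN increment: the current key changes."""
        if new_svn <= self.svn:
            raise ValueError("SVN must increase")
        self.prev_svn, self.svn = self.svn, new_svn

    def _crypt(self, svn: int, nonce: bytes, data: bytes) -> bytes:
        # HMAC-SHA256 keystream as a stand-in for the real PBind AES cipher.
        key = hmac.new(self._secret, b"pbind-model|%d" % svn, hashlib.sha256).digest()
        out = bytearray()
        for i in range(0, len(data), 32):
            ks = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
        return bytes(out)

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + self._crypt(self.svn, nonce, MAGIC + plaintext)

    def decrypt_current(self, blob: bytes) -> bytes:
        return self._crypt(self.svn, blob[:16], blob[16:])

    def decrypt_previous(self, blob: bytes) -> bytes:
        """Models the migration path: decrypt with the key from before the update."""
        if self.prev_svn is None:
            raise ValueError("no previous key")
        return self._crypt(self.prev_svn, blob[:16], blob[16:])

def recover(fw: ModelFirmware, blob: bytes):
    """Return (plaintext, rewrapped); rewrapped is None if the current key worked."""
    data = fw.decrypt_current(blob)
    if data.startswith(MAGIC):
        return data[len(MAGIC):], None
    data = fw.decrypt_previous(blob)          # recovery flow with the old key
    if not data.startswith(MAGIC):
        raise ValueError("not decryptable with current or previous key")
    plaintext = data[len(MAGIC):]
    return plaintext, fw.encrypt(plaintext)   # re-protect under the current key
```

As in the sample, a decrypt with the wrong key does not raise an error in this model; it returns data in the wrong format, which is why the caller checks the marker before trusting the result.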