Visible to Intel only — GUID: GUID-C0DEB334-BD97-4B07-AF9D-965A9D284C3B
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-C0DEB334-BD97-4B07-AF9D-965A9D284C3B
TCB Recovery Flow
The Intel® Converged Security and Management Engine (Intel® CSME) firmware is the root of trust for the Trust Computing Base (TCB) of Intel® architecture-based systems. When the Intel® firmware in a system is updated with new Intel CSME firmware with incremented Secure Version Number (SVN), the Intel® Enhanced Privacy ID (Intel® EPID) group is changed and a re-key process is required to recover TCB trust.
The re-key process is performed automatically by the Capability Licensing Service (iCLS) software service that is running on the client machine (This software is delivered with the Intel® Management Engine (Intel® ME) / Intel® Trusted Execution Engine (Intel® TXE) software package.) When a re-key process is needed, the end-user system auto-connects to Intel back-end servers, where the local iCLS service communicates to the back end to perform TCB recovery, creating new Intel EPID key and completing the re-key process. Once TCB Recovery is successfully completed, the platform will contain a new Intel EPID key; re-provisioning is not needed.
Note: The iCLS local service requires an internet connection to connect to the iCLS server for performing the re-key process. This connection uses standard TLS over port 443. If the end user system is inside an intranet (e.g., IT organization), you may need to provide a proxy to allow iCLS to properly connect to the Intel iCLS server back end over the internet. This can be achieved by editing the "%ProgramData%\Intel\iCLS Client\conf\iclsProxy.conf" file, or by setting up a proxy in Windows*. (Starting with iCLS version 1.48.197.0 and above, all supported proxy detection settings (autoproxy scripts configuration and autoproxy detection) are enabled. In previous iCLS versions, only manual proxy setting is supported.)