Visible to Intel only — GUID: GUID-6CD4552C-64E6-48A4-9887-7186369D9C2B
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-6CD4552C-64E6-48A4-9887-7186369D9C2B
Trusted Application Manifest Fields Optional Properties
The following are optional manifest fields. They enable developers to further detail their trusted applications.
| applet.description | String | 1 <= charLength < 160 | A short description about the applet | Yes | Intel ME 7.x |
| applet.flash.quota | Decimal Integer | Decimal integers in the range [0, 256] | The amount of flash storage available for the applet on the secure environment in bytes. Applets are not usually assigned flash quota but are expected to keep data encrypted on the host machine | Yes | Intel ME 7.x |
| applet.debug.enable | Boolean | Specifies whether debug prints are enabled for the applet. Without it - debug prints will not be seen on the applet. Production applets are not signed with this field set to true | Yes | Intel ME 7.x | |
| applet.timeout | Deciaml Integer | Before API level 5: 0 = no timeout. From API level 5: 0 is not a legal value. For no timeout do not define the field. |
Specifies the watchdog timeout (in milliseconds) in which the applet is required to respond to a request. The applet is unloaded if this timeout is exceeded. This field use is encouraged to prevent applets from becoming unresponsive; applet testing should be done with it. | No | Intel ME 7.x |
| applet.debugger.timeout | Decimal Integer | Specifies the timeout (in milliseconds) in which the VM waits for the debugger to connect before it initializes the applet. Useful if needed to debug initialization flows in the applet. Production applets will not be signed with this field. | No | Intel ME 7.x | |
| applet.written.by.intel | Boolean | Describes whether this applet was written by an Intel Business Unit or an external vendor. This will be checked in the certification flow. | No | Intel ME 7.x | |
| applet.event.register | Set of Decimal Integers | See Set Format below (e.g. {1,2,5}) |
Specifies the list of event codes that can be received by this applet. | No | Intel ME 8.x, Intel TXE 1.x |
| applet.event.post | Set of Decimal Integers | See Set Format below (e.g. {1,2,5}) |
Specifies the list of event codes that can be posted by this applet. Note: the following values are reserved for FW use: 2, 3, 4, 5. |
No | Intel ME 8.x, Intel TXE 1.x |
| applet.shared.session.support | Boolean | Specifies whether this applet supports using the same shared session for several SW applications, i.e. allows different host applications to communicate the same applet session simultaneously. Removed in API level 8. |
Yes | Intel ME 8.x | |
| applet.cpu.whitelist.flag | Boolean | Specifies whether the CPU list specified in the applet manifest is a whitelist (allow these CPUs) or a blacklist (disqualify these CPUs). Note: If this property exists, the applet.cpu.list must exists as well and vice versa. |
No | Intel ME 8.x, (Intel TXE 1.x?) | |
| applet.cpu.list | Set of Integers | See Set Format below (e.g. {1,2,5}) |
Set of integer representations of different CPU brands to filter. Note: if this property exists, then the property "applet.cpu.whitelist.flag" must exist as well and vice versa. |
No | Intel ME 8.x, (Intel TXE 1.x?) |
| applet.pch.whitelist.flag | Boolean | Specifies whether the PCH list specified in the applet manifest is a whitelist (allow these PCHs) or a blacklist (disqualify these PCHs). Note: if this property exists, then the property "applet.pch.list" must exist as well and vice versa. |
No | Intel ME 8.x, (Intel TXE 1.x?) | |
| applet.pch.list | Set of Integers | See Set Format below (e.g. {1,2,5}) |
Set of number representations of different PCH brands to filter. Note: if this property exists, then the property "applet.pch.whitelist.flag" must exists as well and vice versa. |
No | Intel ME 8.x, (Intel TXE 1.x?) |
| applet.feature.set | Integer | A bitmask specifying the feature-set required by the FW in order to successfully install the applet. The values of the bits may change between platforms and versions. Removed in API level 7. |
No | Intel ME 8.x, Intel TXE 1.x | |
| applet.feature.set.permission | Integer | A bitmask specifying the feature-set applet is allowed to change. Removed in API level 7. |
No | Intel ME 8.x, Intel TXE 1.x | |
| applet.platform.id | 32 bit Hexadecimal | Specifies the Platform ID for a production platform. Use for signing a trusted application for a single production platform only - for test purposes. Note that a trusted application signed with this field will load ONLY on the given platform. |
No | Intel ME 9.5, Intel Atom® SoC formerly codenamed Bay Trail-I, Intel TXE 2.0 | |
| ipt.restriction.enable | Boolean | Specifies whether the applet should be limited to specific platforms/CPUs (Intel® vPro™ technology or Ultrabook™). Relevant only for Intel ME 8.x. | No | Intel ME 8.x | |
| applet.instance.debuggable | Boolean | Specifies whether the applet instance Java code is debuggable | No | Intel ME 10.0 | |
| applet.entry_class | String | <package name>.<class name> | If multiple subclasses of IntelApplet are included in one applet package, this property should be used to specify the full name of the main entry applet class, including the package name. Mandatory since API level 7. |
No | Intel ME 10.0 |
| applet.library.version | Integer | Specifies that the applet requires the platform JAR library which is exactly the same as the one compiled in the FW. If the applet library and the platform library are not the same, the applet will not be loaded. Note: For API level 6 this value must be 2. |
No | Intel ME 10.0 | |
| applet.service.consumed | Set of UUIDs | See Set Format below (e.g. {UUID1, UUID2}) |
A list of UUIDs which represents the UUIDs of service trusted applications the TA allows to communicate with. Note: using this property requires to use the ServiceClient APIs. |
No | Intel ME 11.0 |
| applet.service.sessions | Integer | Specifies the number of allowed open sessions for a single instance of the TA. Note: using this property requires to inherit from ServiceApplet class and vice versa. |
No | Intel ME 11.0 | |
| applet.single.instance | Boolean | Specifies whether or not this applet supports only a single instantiation of the applet execution in DAL firmware, i.e. opening a new session if one already exists will result in an error. | No | Intel ME 11.5 |