Developer Guide

  • 10/27/2020
  • Public Content

Platform Binding Key (Pbind)

Trusted applications do not usually have flash memory allocated to them. However, a mechanism is still needed to allow trusted applications to store data on the host side securely.
For that purpose, special secure encryption and signing APIs with “platform-binding keys” are exposed to the trusted application. The keys themselves are stored securely in VM storage and are not exposed to the trusted application. Each key is unique to the machine, trusted application and algorithm. A trusted application can encrypt and sign the data that it needs to store and then pass it to the host application to store on the host’s non-volatile storage. If there is any concern regarding replay attacks of malware replacing non-volatile data with an old version, the trusted application can use the monotonic counter APIs to add this information to the data and verify that the data is the correct version.
On platforms prior to 7th gen Intel® Core™ microarchitecture code named Kaby Lake (Intel® Management Engine (Intel® ME) 11.5) and Intel Atom® SoC code named Broxton (Intel® Trusted Execution Engine (Intel® TXE 3.0), the Pbind key is lost after clear-CMOS/coin battery removal and after the Return To Factory Defaults (RTFD) operation.
Supported from API level 1

Product and Performance Information


Performance varies by use, configuration and other factors. Learn more at