Intel® Dynamic Application Loader (Intel® DAL) Developer Guide
ID
773482
Date
3/24/2023
Public
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Applet Attestation Using Intel® Enhanced Privacy ID (Intel® EPID)
SIGMA is a proprietary Intel algorithm for establishing a secure session between a trusted platform component (e.g., Intel® Management Engine (Intel® MEI)) and a remote server without any previous root of trust. The protocol is exposed to trusted applications to allow initial provisioning of the trusted application in a secure manner. It assures the verifier that the communication originated from an Intel DAL applet running on Intel® Converged Security Engine (Intel® CSE), but does not provide any information identifying the specific platform, thus maintaining the platform owner's privacy.
- SIGMA 1.0 supported since Intel ME 7.1, SIGMA 1.1 since Intel ME 8.0
- Allows the establishment of a session with zero-additional information for the trusted application (when one-time provisioning of the Intel® Enhanced Privacy ID (Intel® EPID) key has taken place)
- Allows mutual authentication of the trusted application and the remote server
- Supports client revocation
- Supports server revocation using OCSP (from SIGMA 1.1)
- Use SIGMA 1.1 when possible (not SIGMA 1.0).
- Use the Signature Revocation List (SIGRL) (recommended but not mandatory)
Class documentation: com.intel.crypto.SigmaAlg, com.intel.crypto.SigmaAlgEx, com.intel.crypto.SigmaAlgEx2
See the Sigma Sample for more details.