Intel® Dynamic Application Loader (Intel® DAL) Developer Guide
ID: 773482
Date: 3/24/2023
Public
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Intel® EPID 1.1 Signing Sample
This sample demonstrates how to use Intel® Dynamic Application Loader (Intel® DAL) for signing data with the Intel® Enhanced Privacy ID (Intel® EPID) signing algorithm.
This sample is applicable for API level 4 and above.
The sample does the following:
- Makes the platform prove its membership in a specific Intel EPID group.
- Verifies that specific data was signed by an Intel® DAL platform with membership in a specific Intel EPID group.
Note: Intel EPID 1.1 Provisioning is a prerequisite for Intel EPID signing.
Note: Before running the sample, make sure the server is running. To run the server, locate the SDK installation on your disk and double-click \DALsdk\Samples\DALSamplesServer\DALSamplesServer.sln. Then run the project.
The components of the sample:
- Trusted Application - indicates whether the Intel EPID 1.1 provisioning process was already performed on this platform; sets the nonce that will be signed as a part of the signature; and signs the received message using the key currently stored by the instance.
- Host Application - communicates with the trusted application and server.
- Server - verifies the signature according to the platform Intel EPID groupID.
Sample Flow
- To avoid replay attacks, the host creates and stores a nonce and sends it to the trusted application. The nonce will be signed as part of the signature.
- The trusted application sets the nonce.
- The trusted application checks whether the Intel EPID 1.1 provisioning process was already performed on this platform. If yes, the host sends the message to the TA for signing.
- The TA signs the received message using the key currently stored by the instance, and sends the created signature to the host. The platform proves its membership in the specific Intel EPID group by signing with the Intel EPID data that was provisioned earlier.
- The host creates a copy of the TA ID as a GUID format byte array.
- The host sends the adapted message to the server:
  Adapted message = message + data structure prepended to the message before signing + signature + platform Intel EPID group ID
- The server prepares:
  - The specific Intel EPID group certification
  - Mathematical parameters
  - A task information structure
  - The adapted message that it received from the host
- The server uses the above information to verify that the signature was really created by an Intel® platform.
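
The flow above, modeled end to end as an added example; this is not code from the Intel DAL SDK or its samples. HMAC-SHA256 stands in for the Intel EPID signature, so only the message flow and the replay check are modeled, not group-signature verification. The field layout, the `HDR1` tag, the group ID value and the choice to check the nonce in the verifier are all assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
import struct

# Stand-in for the provisioned signing key (assumption). EPID is a group
# signature checked with group public parameters; HMAC only models the flow.
TA_KEY = secrets.token_bytes(32)
GROUP_ID = 0x1234  # constructed group ID

def ta_sign(nonce, message):
    """TA: prepend a structure carrying the nonce, sign structure + message."""
    prefix = b"HDR1" + nonce  # hypothetical layout of the prepended structure
    return prefix, hmac.new(TA_KEY, prefix + message, hashlib.sha256).digest()

def pack_adapted(message, prefix, sig, group_id):
    """Host: message + prepended structure + signature + group ID."""
    body = b"".join(struct.pack(">I", len(f)) + f for f in (message, prefix, sig))
    return body + struct.pack(">I", group_id)

def unpack_adapted(blob):
    """Parse the adapted message, rejecting truncated or oversized fields."""
    fields, off = [], 0
    for _ in range(3):
        if off + 4 > len(blob):
            raise ValueError("truncated length")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if n > len(blob) - off:
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    if len(blob) - off != 4:
        raise ValueError("bad group ID trailer")
    return (*fields, struct.unpack_from(">I", blob, off)[0])

def verify_adapted(blob, pending_nonces):
    """Check group ID and signature, then consume the nonce exactly once."""
    message, prefix, sig, group_id = unpack_adapted(blob)
    expected = hmac.new(TA_KEY, prefix + message, hashlib.sha256).digest()
    if group_id != GROUP_ID or not hmac.compare_digest(sig, expected):
        return False
    nonce = prefix[4:]
    if nonce not in pending_nonces:
        return False  # unknown or already used nonce: treated as a replay
    pending_nonces.remove(nonce)
    return True
```

Because the nonce is inside the signed bytes, a captured adapted message fails the second time it is presented, and swapping in a fresh nonce invalidates the signature.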