Visible to Intel only — GUID: GUID-6612BC80-6BA8-4FD2-BB2D-D98C24933952
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-6612BC80-6BA8-4FD2-BB2D-D98C24933952
Secure Data Migration Sample
This sample demonstrates how to decrypt data that has been encrypted using the platform-binding (PBind) key and this key has changed during a firmware update that incremented the firmware secure version number (SVN).
This sample is applicable for API level 8 and above.
To demonstrate the complete process, this sample contains two versions of the Trusted Application (TA):
- SecureData TA: The original applet that uses the basic encryption\decryption APIs provided by Intel® Dynamic Application Loader (Intel® DAL).
- SecureDataMigration TA: The modified applet that has a recovery flow to decrypt data that was encrypted using an old PBind key.
Note: The SecureDataMigration TA uses the DataMigration API (com.intel.crypto.DataMigration), which is supported starting Intel® Trusted Execution Engine (Intel® TXE) 3.1.50.x firmware and Intel® Management Engine (Intel® ME) 11.8.x firmware.
Sample flow
- Encrypt data using the PBind key and save it in a file in the file system.
- Decrypt the encrypted data using the SymmetricBlockCipher (com.intel.crypto.SymmetricBlockCipherAlg) API.
- Perform firmware update with a firmware SVN increment (► the PBind key changes).
- Decrypt the encrypted data: Decryption using the SymmetricBlockCipher API fails because the PBind key has changed since the data encryption, so use the Intel® Dynamic Application Loader (Intel® DAL) DataMigration (com.intel.crypto.DataMigration) API to decrypt the data using the old PBind key. In this step, you need to use the SecureDataMigration TA; decryption using the old version of this applet (SecureDataTA) will result in incorrect data format because the key used to encrypt is not the same as the decryption key.
Did you find the information on this page useful?
Feedback Message
Characters remaining: