Encryption Key Setup
if (command.counter < current counter) reject command else if (command.counter > current counter) current counter = command.counter process command
Encrypted Trusted Application Generation
- 0: Default value. Means that the JEFF bytecode is not encrypted.
- 1-5: The ID of the DEK with which the JEFF bytecode is encrypted.
- The Pack Tool generates the applet ACP with theta_encryptedproperty set to0(not encrypted).
- The Pack Tool signs on the ACP with the Intel debug key.
- The OEM does the following:
- Encrypts the bytecode in place using the DEK key and IV.
- Appends the MAC and IV to the ACP.
- Assigns the value of theta_encryptedproperty to the key ID of the DEK.
- Calculates the hash of the new applet and replaces the hash in the ACP.
- Signs the ACP in the same way as a regular ACP (with the OEM DAL signing key).