Developer Guide

  • 10/27/2020
  • Public Content
Contents

Platform Binding Key (Pbind)

Trusted applications do not usually have flash memory allocated to them. However, a mechanism is still needed to allow trusted applications to store data on the host side securely.
For that purpose, special secure encryption and signing APIs with “platform-binding keys” are exposed to the trusted application. The keys themselves are stored securely in VM storage and are not exposed to the trusted application. Each key is unique to the machine, trusted application and algorithm. A trusted application can encrypt and sign the data that it needs to store and then pass it to the host application to store on the host’s non-volatile storage. If there is any concern regarding replay attacks of malware replacing non-volatile data with an old version, the trusted application can use the monotonic counter APIs to add this information to the data and verify that the data is the correct version.
Warning:
On platforms prior to 7th gen Intel® Core™ microarchitecture code named Kaby Lake (Intel® Management Engine (Intel® ME) 11.5) and Intel Atom® SoC code named Broxton (Intel® Trusted Execution Engine (Intel® TXE 3.0), the Pbind key is lost after clear-CMOS/coin battery removal and after the Return To Factory Defaults (RTFD) operation.
Supported from API level 1

Product and Performance Information

1

Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.

Notice revision #20110804