This page explains the OEM Signing feature of Intel® DAL. For a list of fields in the S-SD manifest that lists what an OEM-signed applet is allowed to do, see OEM Signing Manifest.
The only signing authority for Intel DAL Trusted Applications (TAs) is Intel. The exception to this is Intel Atom® Processor E3900 Series (formerly codenamed Apollo Lake)-based platforms based on Intel Atom® SoC formerly codenamed Broxton-P; OEMs manufacturing these platforms are able to sign by themselves on Intel DAL trusted applications and run them on their manufactured platforms.
The signing authority concept is represented using the
Security Domain (SD)abstraction that determines which entity has the authorization to sign on DAL trusted applications on a specific platform and hence control the trusted applications execution on the platform. Intel DAL firmware contains one pre-installed privileged Security Domain that represents Intel signing authority. This security domain is the
Issuer Security Domain (I-SD)that is responsible for the Intel trusted applications and Security Domains life cycle management. The other non-issuer Security Domains are also referred as
Sub-Security Domains (S-SD).