An OEM using Intel® DAL will configure their platforms during manufacturing using the Converged Security Engine (CSE) firmware provided tools so that only Intel DAL trusted applications signed by the OEM will be able to run on them.
The OEM Key Manifest (KM) stores the hash of the OEM Intel DAL public key. The complete public key is stored in the OEM S-SD ACP. During the Security Domain installation, the hash of the complete public key is calculated and compared against the value in the OEM Key Manifest. The OEM Key Manifest is signed by the OEM root key and verified by CSE firmware during platform initialization; therefore only the OEM that owns the platform owner can set the OEM Intel DAL Key hash during platform manufacturing.
In order to ease development and validation on pre-production platforms and emulators, this check is performed only on production SoCs. In addition, the platform ownership verification is disabled for Security Domains that are restricted to a single platform.
OEM Signing Enabled" flag should be checked in the Emulauncher settings in order to allow loading of S-SDs on the emulation.