Developer Guide

  • 10/27/2020
  • Public Content
Contents

Sub-Security Domain Life Cycle

In order to provision a Sub-Security Domain, the following new Security Domain related ACPs are supported:
Admin Command
Signed Command?
Comments
Install Security Domain
Signed by Intel only
Intel must sign on every S-SD.
Uninstall Security Domain
Signed by Intel or by the S-SD itself (S-SD can remove itself)
Intel can remove every S-SD from DAL. S-SD can remove only itself and cannot other S-SDs
These ACPs can be created using the Intel® DAL Pack Tool.
When only the pre-installed I-SD exists and Intel DAL is in an unprovisioned state, no OEM Intel DAL trusted applications can be executed on the platform.
The provisioning is done from the host OS by providing the Install Security Domain ACP of the OEM S-SD to Intel DAL. This can be done using the TEE Management library which supports generic ACP command dispatch. When the platform is provisioned, no Intel signed trusted applications are supported.
The unprovisioning is performed from the host OS by providing the Uninstall Security Domain ACP of the already installed OEM S-SD to Intel DAL. In the border case of a trusted application already running, it will not be terminated and will be allowed to complete its execution.
After the Security Domain is uninstalled and before a Security Domain is installed again, Intel DAL will not be able to install or execute any OEM trusted application.

Product and Performance Information

1

Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.

Notice revision #20110804