Intel vPro

"VPro" redirects here. For the graphics architecture, see SGI VPro.
The current Intel vPro emblem

Intel vPro technology is an umbrella marketing term used by Intel for a large collection of computer hardware technologies, including VT-x, VT-d, Trusted Execution Technology (TXT), and Intel Active Management Technology (AMT).[1] When the vPro brand was launched (circa 2007), it was identified primarily with AMT,[2][3] thus some journalists still consider AMT to be the essence of vPro.[4]

vPro features

Intel vPro is a brand name for a set of PC hardware features. PCs that support vPro have a vPro-enabled processor, a vPro-enabled chipset, and a vPro-enabled BIOS as their main elements.[2][3][5][6][7][8]

A vPro PC includes:

  • Multi-core, multi-threaded Xeon or Core processors.[9][10]
  • Intel Active Management Technology (Intel AMT), a set of hardware-based features targeted at businesses, allow remote access to the PC for management and security tasks, when an OS is down or PC power is off.[6][11] Note that AMT is not the same as Intel vPro; AMT is only one element of a vPro PC.
  • Remote configuration technology for AMT, with certificate-based security. Remote configuration can be performed on "bare-bones" systems, before the OS and/or software management agents are installed.[6][11][12]
  • Wired and wireless (laptop) network connection.[11]
  • Intel Trusted Execution Technology (Intel TXT),[11][13][14][15] which verifies a launch environment and establishes the root of trust, which in turn allows software to build a chain of trust for virtualized environments. Intel TXT also protects secrets during power transitions for both orderly and disorderly shutdowns (a traditionally vulnerable period for security credentials).
  • Support for IEEE 802.1X, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) in laptops, and support for 802.1x and Cisco SDN in desktop PCs.[16][17] Support for these security technologies allows Intel vPro to store the security posture of a PC so that the network can authenticate the system before the OS and applications load, and before the PC is allowed access to the network.[13]
  • Intel Virtualization Technology, including Intel VT-x for CPU and memory, and Intel VT-d for I/O, to support virtualized environments (these features are also supported without vPro[18]). Intel VT-x accelerates hardware virtualization which enables isolated memory regions to be created for running critical applications in hardware virtual machines in order to enhance the integrity of the running application and the confidentiality of sensitive data.[13][19] Intel VT-d exposes protected virtual memory address spaces to DMA peripherals attached to the computer via DMA buses, mitigating the threat posed by malicious peripherals.
  • Execute disable bit that, when supported by the OS, can help prevent some types of buffer overflow attacks.[20]

The 12th generation of Intel Core processors introduced four distinct platforms: vPro Essentials, vPro Enterprise for Windows, vPro Enterprise for Chrome and vPro Evo Design.[21] The difference of vPro Essentials is that it does not support some features: Out-of-band KVM remote control, Wireless Intel® AMT, Fast call for help, Intel® Remote Secure Erase with Intel® SSD Pro.[22] Intel processors that support vPro Essentials are using Intel Standard Manageability (a subset of Intel AMT)[23] which supports out-of-band management and can be monitored with the "Access Monitor" feature.[24][25]

Remote management

Intel AMT is the set of management and security features built into vPro PCs that makes it easier for a sys-admin to monitor, maintain, secure, and service PCs.[11] Intel AMT (the management technology) is sometimes mistaken for being the same as Intel vPro (the PC "platform"), because AMT is one of the most visible technologies of an Intel vPro-based PC.

Intel AMT includes:

Hardware-based management has been available in the past, but it has been limited to auto-configuration (of computers that request it) using DHCP or BOOTP for dynamic IP address allocation and disk-less workstations, as well as wake-on-LAN for remotely powering on systems.[26]

VNC-based KVM remote control

Starting with vPro with AMT 6.0, PCs with i5 or i7 processors and embedded Intel graphics, now contains an Intel proprietary embedded VNC server. You can connect out-of-band using dedicated VNC-compatible viewer technology, and have full KVM (keyboard, video, mouse) capability throughout the power cycle—including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).

Not all i5 & i7 Processors with vPro may support KVM capability. This depends on the OEM's BIOS settings as well as if a discrete graphics card is present. Only Intel integrated HD graphics support KVM ability.[27][better source needed]

Wireless communication

Intel vPro supports encrypted wired and wireless LAN wireless communication for all remote management features for PCs inside the corporate firewall.[11] Intel vPro supports encrypted communication for some remote management features for wired and wireless LAN PCs outside the corporate firewall.[11][28]

vPro laptop wireless communication

Laptops with vPro include a gigabit network connection and support IEEE 802.11 a/g/n wireless protocols.[11][28][29]

AMT wireless communication

Intel vPro PCs support wireless communication to the AMT features.[11][29]

For wireless laptops on battery power, communication with AMT features can occur when the system is awake and connected to the corporate network. This communication is available if the OS is down or management agents are missing.[11][28]

AMT out-of-band communication and some AMT features are available for wireless or wired laptops connected to the corporate network over a host OS-based virtual private network (VPN) when laptops are awake and working properly.[11]

A wireless connection operates at two levels: the wireless network interface (WLAN) and the interface driver executing on the platform host. The network interface manages the RF communications connection.

If the user turns off the wireless transmitter/receiver using either a hardware or software switch, Intel AMT cannot use the wireless interface under any conditions until the user turns on the wireless transmitter/receiver.

Intel AMT Release 2.5/2.6 can send and receive management traffic via the WLAN only when the platform is in the S0 power state (the computer is on and running). It does not receive wireless traffic when the host is asleep or off. If the power state permits it, Intel AMT Release 2.5/2.6 can continue to send and receive out-of-band traffic when the platform is in an Sx state, but only via a wired LAN connection, if one exists.

Release 4.0 and later releases support wireless out-of-band manageability in Sx states, depending on the power setting and other configuration parameters.

Release 7.0 supports wireless manageability on desktop platforms.

When a wireless connection is established on a host platform, it is based on a wireless profile that sets up names, passwords and other security elements used to authenticate the platform to the wireless Access Point. The user or the IT organization defines one or more profiles using a tool such as Intel PROSet/Wireless Software. In release 2.5/6, Intel AMT must have a corresponding wireless profile to receive out-of-band traffic over the same wireless link. The network interface API allows defining one or more wireless profiles using the same parameters as the Intel PROSet/Wireless Software. See Wireless Profile Parameters. On power-up of the host, Intel AMT communicates with the wireless LAN driver on the host. When the driver and Intel AMT find matching profiles, the driver routes traffic addressed to the Intel AMT device for manageability processing. With certain limitations, Intel AMT Release 4.0/1 can send and receive out-of-band traffic without an Intel AMT configured wireless profile, as long as the host driver is active and the platform is inside the enterprise.

In release 4.2, and on release 6.0 wireless platforms, the WLAN is enabled by default both before and after configuration. That means that it is possible to configure Intel AMT over the WLAN, as long as the host WLAN driver has an active connection. Intel AMT synchronizes to the active host profile. It assumes that a configuration server configures a wireless profile that Intel AMT uses in power states other than S0.

When there is a problem with the wireless driver and the host is still powered up (in an S0 power state only), Intel AMT can continue to receive out-of-band manageability traffic directly from the wireless network interface.

For Intel AMT to work with a wireless LAN, it must share IP addresses with the host. This requires the presence of a DHCP server to allocate IP addresses and Intel AMT must be configured to use DHCP.

Encrypted communication while roaming

Intel vPro PCs support encrypted communication while roaming.[11][29][30]

vPro PCs version 4.0 or higher support security for mobile communications by establishing a secure tunnel for encrypted AMT communication with the managed service provider when roaming (operating on an open, wired LAN outside the corporate firewall).[11] Secure communication with AMT can be established if the laptop is powered down or the OS is disabled.[11] The AMT encrypted communication tunnel is designed to allow sys-admins to access a laptop or desktop PC at satellite offices where there is no on-site proxy server or management server appliance.

Secure communications outside the corporate firewall depend on adding a new element—a management presence server (Intel calls this a "vPro-enabled gateway")—to the network infrastructure.[11] This requires integration with network switch manufacturers, firewall vendors, and vendors who design management consoles to create infrastructure that supports encrypted roaming communication. So although encrypted roaming communication is enabled as a feature in vPro PCs version 4.0 and higher, the feature will not be fully usable until the infrastructure is in place and functional.

vPro security

vPro security technologies and methodologies are designed into the PC's chipset and other system hardware. During deployment of vPro PCs, security credentials, keys, and other critical information are stored in protected memory (not on the hard disk drive), and erased when no longer needed.

Security and privacy concerns

According to Intel, it is possible to disable AMT through the BIOS settings, however, there is apparently no way for most users to detect outside access to their PC via the vPro hardware-based technology.[31] Moreover, Sandy Bridge and future chips will have, "...the ability to remotely kill and restore a lost or stolen PC via 3G ... if that laptop has a 3G connection"[32]

On May 1, [2017] Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel Active Management Technology (Intel AMT), Intel Standard Manageability (Intel ISM), or Intel Small Business Technology (Intel SBT). The vulnerability is potentially very serious, and could enable a network attacker to remotely gain access to businesses PCs and workstations that use these technologies. We urge people and companies using business PCs and devices that incorporate Intel AMT, Intel ISM or Intel SBT to apply a firmware update from your equipment manufacturer when available, or to follow the steps detailed in the mitigation guide.[33][34]

Many vPro features, including AMT, are implemented in the Intel Management Engine (ME), a distinct processor in the chipset running MINIX 3, which has been found to have numerous security vulnerabilities. Unlike for AMT, there is generally no official, documented way to disable the Management Engine (ME); it is always on unless it is not enabled at all by the OEM.[35][36]

Security features

Intel vPro supports industry-standard methodologies and protocols, as well as other vendors' security features:[6][11][13][37]

Intel Boot Guard

Intel Boot Guard is a processor feature that prevents the computer from running firmware (UEFI) images not released by the system manufacturer (OEM or ODM). When turned on, the processor verifies a digital signature contained in the firmware image before executing it, using the public key of the keypair, the OEM/ODM public key is fused into the system's Platform Controller Hub (PCH)[a] by the system manufacturer (not by Intel). As a result, Intel Boot Guard, when activated, makes it impossible for end users to install replacement firmware (such as Coreboot) or modded BIOS.[40][41]

Intel Boot Guard was first released in Haswell processors in June 2013.

Technologies and methodologies

Intel vPro uses several industry-standard security technologies and methodologies to secure the remote vPro communication channel. These technologies and methodologies also improve security for accessing the PC's critical system data, BIOS settings, Intel AMT management features, and other sensitive features or data; and protect security credentials and other critical information during deployment (setup and configuration of Intel AMT) and vPro use.[11][42]

vPro hardware requirements

The first release of Intel vPro was built with an Intel Core 2 Duo processor.[6] The current versions of Intel vPro are built into systems with 10 nm Intel 10th Generation Core i5 & i7 processors.

PCs with Intel vPro require specific chipsets. Intel vPro releases are usually identified by their AMT version.[6][11]

Laptop PC requirements

Laptops with Intel vPro require:

  • For Intel AMT release 9.0 (4th Generation Intel Core i5 and Core i7):
    • 22 nm Intel 4th Generation Core i7 Mobile processors[46]
    • 22 nm Intel 4th Generation Core i5 Mobile processors[47]
    • Mobile QM87 chipsets[48]
  • For Intel AMT release 8.0 (3rd Generation Intel Core i5 and Core i7):
    • 32 & 45 nm Intel 3rd Generation Core i7 Mobile processors[49]
    • 32 & 45 nm Intel 3rd Generation Core i5 Mobile processors[50]
    • Mobile QM77 & Q77 chipsets[48]
  • For Intel AMT release 4.1 (Intel Centrino 2 with vPro technology):[51]
    • 45 nm Intel Core2 Duo processor T, P sequence 8400, 8600, 9400, 9500, 9600; small form factor P, L, U sequence 9300 and 9400, and Quad processor Q9100
    • Mobile 45 nm Intel GS45, GM47, GM45 and PM45 Express chipsets (Montevina with Intel Anti-Theft Technology) with 1066 FSB, 6 MB L2 cache, ICH10M-enhanced
  • For Intel AMT release 4.0 (Intel Centrino 2 with vPro technology):[7][11]
    • 45 nm Intel Core2 Duo processor T, P sequence 8400, 8600, 9400, 9500, 9600; small form factor P, L, U sequence 9300 and 9400, and Quad processor Q9100
    • Mobile 45 nm Intel GS45, GM47, GM45 and PM45 Express chipsets (Montevina) with 1066 FSB, 6 MB L2 cache, ICH9M-enhanced
  • For Intel AMT release 2.5 and 2.6 (Intel Centrino with vPro technology):[6][8][52]
    • Intel Core2 Duo processor T, L, and U 7000 sequence3, 45 nm Intel Core2 Duo processor T8000 and T9000
    • Mobile Intel 965 (Broadwater-Q) Express chipset with ICH8M-enhanced

Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases.

Desktop PC requirements

Desktop PCs with vPro (called "Intel Core 2 with vPro technology") require:

  • For AMT release 5.0:[53]
    • Intel Core2 Duo processor E8600, E8500, and E8400; 45 nm Intel Core2 Quad processor Q9650, Q9550, and Q9400
    • Intel Q45 (Eaglelake-Q) Express chipset with ICH10DO
  • For AMT release 3.0, 3.1, and 3.2:[6][7][11]
    • Intel Core2 Duo processor E6550, E6750, and E6850; 45 nm Intel Core2 Duo processor E8500, E8400, E8300 and E8200; 45 nm Intel Core2 Quad processor Q9550, Q9450 and Q9300
    • Intel Q35 (Bearlake-Q) Express chipset with ICH9DO

Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases.

  • For AMT release 2.0, 2.1 and 2.2:[6][8][52]
    • Intel Core 2 Duo processor E6300, E6400, E6600, and E6700
    • Intel Q965 (Averill) Express chipset with ICH8DO

vPro, AMT, Core i relationships

There are numerous Intel brands. However, the key differences between vPro (an umbrella marketing term), AMT (a technology under the vPro brand), Intel Core i5 and Intel Core i7 (a branding of a package of technologies), and Core i5 and Core i7 (a processor) are as follows:

The Core i7, the first model of the i series was launched in 2008, and the less-powerful i5 and i3 models were introduced in 2009 and 2010, respectively. The microarchitecture of the Core i series was code-named Nehalem, and the second generation of the line was code-named Sandy Bridge.

Intel Centrino 2 was a branding of a package of technologies that included Wi-Fi and, originally, the Intel Core 2 Duo.[5] The Intel Centrino 2 brand was applied to mobile PCs, such as laptops and other small devices. Core 2 and Centrino 2 have evolved to use Intel's latest 45-nm manufacturing processes, have multi-core processing, and are designed for multithreading.

Intel vPro is a brand name for a set of Intel technology features that can be built into the hardware of the laptop or desktop PC.[11] The set of technologies are targeted at businesses, not consumers. A PC with the vPro brand often includes Intel AMT, Intel Virtualization Technology (Intel VT), Intel Trusted Execution Technology (Intel TXT), a gigabit network connection, and so on. There may be a PC with a Core 2 processor, without vPro features built in. However, vPro features require a PC with at least a Core 2 processor. The technologies of current versions of vPro are built into PCs with some versions of Core 2 Duo or Core 2 Quad processors (45 nm), and more recently with some versions of Core i5 and Core i7 processors.

Intel AMT is part of the Intel Management Engine that is built into PCs with the Intel vPro brand. Intel AMT is a set of remote management and security hardware features that let a sys-admin with AMT security privileges access system information and perform specific remote operations on the PC.[6] These operations include remote power up/down (via wake-on-LAN), remote / redirected boot (via integrated device electronics redirect, or IDE-R), console redirection (via serial over LAN), and other remote management and security features.

See also

Notes

  1. ^ In some Intel CPUs, PCH and the processor are integrated into the same package.[39]

References

  1. ^ "Intel vPro Technology Reference Guide (Updated for Intel AMT 8)" (PDF). Intel. August 16, 2012. Archived from the original (PDF) on 2015-03-20. Retrieved 2014-09-14.
  2. ^ a b "Remote Pc Management with Intel's vPro". Tom's Hardware Guide. 26 April 2007. Retrieved 2007-11-21.
  3. ^ a b "A new dawn for remote management? A first glimpse at Intel's vPro platform". ars technica. 6 February 2007. Retrieved 2007-11-07.
  4. ^ "Intel vPro: Three Generations Of Remote Management". Tom's Hardware. 26 September 2011.
  5. ^ a b "Intel Centrino 2 Explained". CNET. Archived from the original on 2012-11-05. Retrieved 2008-07-15.
  6. ^ a b c d e f g h i j k l m n o p q r "Architecture Guide: Intel Active Management Technology". Intel. 2008-06-26. Archived from the original on 2012-07-22. Retrieved 2008-08-12.
  7. ^ a b c "Intel vPro Chipset Lures MSPs, System Builders". ChannelWeb. 27 August 2007.
  8. ^ a b c "Intel Mostly Launches Centrino 2 Notebook Platform". ChannelWeb. 15 July 2008.
  9. ^ admin (30 March 2015). "Business Client - Overview". software.intel.com.
  10. ^ S, Ganesh T. "Intel Expands Compute Stick Family with Cherry Trail and Core M Models". www.anandtech.com.
  11. ^ a b c d e f g h i j k l m n o p q r s t u v w x y z aa ab ac ad ae af ag ah ai aj ak al am "Intel Active Management Technology (Intel AMT) Start Here Guide" (PDF). Intel. Retrieved 2013-03-18.
  12. ^ "Intel Centrino 2 with vPro Technology". Intel. Archived from the original on 2008-03-15. Retrieved 2008-06-30.
  13. ^ a b c d e f "New Intel vPro Processor Technology Fortifies Security for Business PCs (news release)". Intel. Archived from the original on 2007-09-12. Retrieved 2007-08-07.
  14. ^ a b "Intel Trusted Execution Technology" (PDF). Intel. 2007. Retrieved 2008-07-15.
  15. ^ a b "Intel Trusted Execution Technology: A Primer". Intel. 2007-12-10. Archived from the original on 2008-09-24. Retrieved 2008-08-17.
  16. ^ a b "Intel Software Network, engineer / developers forum". Intel. Archived from the original on 2011-08-13. Retrieved 2008-08-09.
  17. ^ a b "Cisco Security Solutions with Intel Centrino Pro and Intel vPro Processor Technology" (PDF). Intel. 2007.
  18. ^ Processor without vPro having Intel VT support: "Intel® Core™ i7-1165G7 Processor".
  19. ^ "The Benefits of Intel Centrino with vPro Technology in the Enterprise" (PDF). Wipro Technologies. 1 September 2007. Archived from the original (PDF) on 21 December 2008.
  20. ^ "Execute Disable Bit and Enterprise Security". Intel. Retrieved 2008-08-10.
  21. ^ "Intel 12th gen vPro branches into four distinct platforms across Windows and Chrome, Control Flow Enforcement now coming to desktops for the first time".
  22. ^ "What Are the Differences between Intel® vPro™ Essentials and Intel® vPro™ Enterprise?".
  23. ^ "Intel expands the scope of vPro processors with the 12th-gen lineup".
  24. ^ "About Intel AMT > Support for Other Intel Platforms".
  25. ^ "Intel AMT Features > Access Monitor".
  26. ^ "A new dawn for remote management? A first glimpse at Intel's vPro platform". ars technica. 6 February 2007. Retrieved 2007-07-26.
  27. ^ "Intel® Active Management Technology SDK".
  28. ^ a b c "Understanding Intel AMT over wired vs. wireless (video)". Intel. Archived from the original on March 26, 2008. Retrieved 2008-08-14.
  29. ^ a b c "New Intel-Based Laptops Advance All Facets of Notebook PCs". Intel. Archived from the original on 2008-07-17. Retrieved 2008-07-15.
  30. ^ "Intel Active Management Technology Setup and Configuration Service, Version 5.0" (PDF). Intel. Archived from the original (PDF) on 2008-09-04. Retrieved 2008-08-04.(see CIRA configuration discussion)
  31. ^ Hodgin, Rick C. (2008-09-24). "Big Brother potentially exists right now in our PCs, compliments of Intel's vPro". TG Daily. Archived from the original on 2009-10-27. Retrieved 2014-02-26.
  32. ^ Hachman, Mark (2010-09-14). "Intel's 'Sandy Bridge' Chip to Include vPro Business Features". PC Magazine. quoting Jeff Marek, director of business client engineering for Intel.
  33. ^ "Intel® AMT Critical Firmware Vulnerability". Intel.
  34. ^ "Report claims Intel CPUs contain enormous security flaw - ExtremeTech". www.extremetech.com.
  35. ^ "Positive Technologies Blog: Disabling Intel ME 11 via undocumented mode". Archived from the original on 2017-08-28. Retrieved 2017-08-30.
  36. ^ "Intel Patches Major Flaws in the Intel Management Engine". Extreme Tech.
  37. ^ "Intel vPro Technology". Intel. Retrieved 2008-07-14.
  38. ^ "How To Enable BitLocker With Intel PTT and No TPM For Better Security". Legit Reviews. 2019-05-08. Retrieved 2020-09-11.
  39. ^ Smith, Ryan (August 11, 2014). "Intel Broadwell Architecture Preview: A Glimpse into Core M". AnandTech. Retrieved February 25, 2015.
  40. ^ Hoffman, Chris (February 13, 2015). "How Intel and PC makers prevent you from modifying your laptop's firmware". PC World. Retrieved February 25, 2015.
  41. ^ Garrett, Matthew (February 16, 2015). "Intel Boot Guard, Coreboot and user freedom". mjg59.dreamwidth.org. Retrieved February 25, 2015.
  42. ^ "Intel Active Management Technology Setup and Configuration Service Installation and User Manual" (PDF). Intel. Archived from the original (PDF) on 2010-08-21. Retrieved 2008-07-14.
  43. ^ "Advanced Encryption Standard (AES) Instructions Set". Intel. Archived from the original on 2008-09-24. Retrieved 2008-08-05.
  44. ^ a b "Hardening Measures Built into Intel Active Management Technology". Intel. 2007-12-10. Archived from the original on 2008-03-20. Retrieved 2008-08-01.
  45. ^ "Intel vPro Technology FAQ". Intel. Archived from the original on March 15, 2008. Retrieved 2008-07-12.
  46. ^ "4th Generation Intel Core i7 Processors". Ark.intel.com. Retrieved 2014-02-26.
  47. ^ "4th Generation Intel Core i5 Processors". Ark.intel.com. Retrieved 2014-02-26.
  48. ^ a b "ARK | Intel QM87 Chipset (Intel DH82QM87 PCH)". Ark.intel.com. Retrieved 2014-02-26.
  49. ^ "ARK | Processor Feature Filter". Ark.intel.com. Retrieved 2014-02-26.
  50. ^ "ARK | Processor Feature Filter". Ark.intel.com. Retrieved 2014-02-26.
  51. ^ "New Intel Centrino Atom Processor Technology Ushers in 'Best Internet Experience in Your Pocket'". Intel. 2008-04-02. Archived from the original on 2008-04-17. Retrieved 2008-08-07.
  52. ^ a b "Intel Centrino Pro and Intel vPro Processor Technology" (PDF). Intel. 2007. Retrieved 2008-08-07.
  53. ^ "Gelsinger Speaks To Intel And High-Tech Industry's Rapid Technology Cadence". Intel. 2007-09-18. Archived from the original on 2008-04-17. Retrieved 2008-08-16.