Intel beefs up security in vPro

Latest version of the PC platform includes new virtualisation security and improved AMT capabilities

Intel has officially launched an updated vPro desktop platform for businesses. Previously codenamed Weybridge, the upgrade adds new hardware security features designed to protect against malicious code and enhances the platform’s built-in Active Management Technology (AMT).

Launched last year, the vPro brand combines Core 2 Duo chips, AMT, and Intel’s VT hardware support for virtualisation. Weybridge builds on this, adding Trusted Execution Technology (TXT) and Virtualisation Technology for Directed I/O (VT-d) to provide better isolation for virtual machines.

The updated platform supports these features through three new Core 2 Duo processors, the Q35 Express motherboard chipset and an Intel gigabit Ethernet adaptor chip.

In conjunction with a Trusted Platform Module (TPM) security chip and a supported operating system, TXT enables a PC to be audited at boot-up and compared with a known “good state” to ensure it has not been compromised, Intel said. TXT also provides protection for memory buffers, preventing malicious code snooping on information belonging to other applications.

Intel technical marketing manager David Hollway said TXT combined with VT-d enforces separation of virtual machines, so long as the virtual machine manager (VMM) layer supports these technologies.

“With virtual machines, it becomes important that user-side software cannot interfere with the VMM. If you can subvert the VMM, the [virtual machine] has no way of detecting that,” he said. Intel’s hypervisor, which the firm has licensed to Symantec, supports the technology.

AMT has also been updated in the new platform so that it can be configured down the wire, Hollway said, and this can be back-ported to older vPro systems. “It’s now possible to leave a machine unprovisioned, and push the client across the network. There’s no need to go into the firmware.”

Intel is hoping the updated vPro will enjoy greater success than the first incarnation. Vendors such as Fujitsu Siemens, Lenovo and HP are preparing to ship systems, according to Hollway, and even Dell is now backing it, following Intel’s decision to comply with the Distributed Management Task Force’s Dash interoperability specifications.

However, Neil MacDonald of analyst firm Gartner said that vPro had not been very successful so far because features such as the ability to deploy virtual appliances in a separate service partition were poorly supported.

“When people buy vPro they are getting something capable of supporting these features, but they aren’t included,” he said. This will not be fixed unless Intel can provide a low-cost route to building virtual appliances, but this would probably involve Linux and risk upsetting Microsoft, he added.

Buyers also do not need a vPro system to get some of its more enterprise-friendly features, MacDonald said. The BitLocker feature in Windows Vista can provide trusted boot-up, for example.

“AMT is also a cool technology, but it existed before vPro. Including it is more of a marketing exercise on Intel’s part,” he added.