
Intel vPro

Article snapshot taken from Wikipedia with Creative Commons Attribution-ShareAlike license.

Intel vPro technology is an umbrella marketing term used by Intel for a large collection of computer hardware technologies, including VT-x, VT-d, Trusted Execution Technology (TXT), and Intel Active Management Technology (AMT). When the vPro brand was launched (circa 2007), it was identified primarily with AMT, and thus some journalists still consider AMT to be the essence of vPro.


Intel vPro is a brand name for a set of PC hardware features. PCs that support vPro have a vPro-enabled processor, a vPro-enabled chipset, and a vPro-enabled BIOS as their main elements. A vPro PC includes: The 12th generation of Intel Core processors introduced four distinct platforms: vPro Essentials, vPro Enterprise for Windows, vPro Enterprise for Chrome and vPro Evo Design. The difference of vPro Essentials

A cloud service for example. Homomorphic encryption and secure multi-party computation are emerging techniques to compute on encrypted data; these techniques are general and Turing complete but incur high computational and/or communication costs. In response to encryption of data at rest, cyber-adversaries have developed new types of attacks. These more recent threats to encryption of data at rest include cryptographic attacks, stolen ciphertext attacks, attacks on encryption keys, insider attacks, data corruption or integrity attacks, data destruction attacks, and ransomware attacks. Data fragmentation and active defense data protection technologies attempt to counter some of these attacks by distributing, moving, or mutating ciphertext so it

A digital signature contained in the firmware image before executing it, using the public key of the keypair; the OEM/ODM public key is fused into the system's Platform Controller Hub (PCH) by the system manufacturer (not by Intel). As a result, Intel Boot Guard, when activated, makes it impossible for end users to install replacement firmware (such as Coreboot) or a modded BIOS. Intel Boot Guard

A kernel. In the era of DOS, the BIOS provided BIOS interrupt calls for the keyboard, display, storage, and other input/output (I/O) devices that standardized an interface to application programs and the operating system. More recent operating systems do not use the BIOS interrupt calls after startup. Most BIOS implementations are specifically designed to work with a particular computer or motherboard model, by interfacing with various devices, especially the system chipset. Originally, BIOS firmware

A network adapter attempts booting by a procedure that is defined by its option ROM or the equivalent integrated into the motherboard BIOS ROM. As such, option ROMs may also influence or supplant the boot process defined by the motherboard BIOS ROM. With the El Torito optical media boot standard, the optical drive actually emulates a 3.5" high-density floppy disk to the BIOS for boot purposes. Reading

A 128-bit or higher key, like AES, cannot be brute-forced because the total number of keys is 3.4028237e+38 possibilities. The most likely option for cracking ciphers with a large key size is to find vulnerabilities in the cipher itself, like inherent biases and backdoors, or to exploit physical side effects through side-channel attacks. For example, RC4, a stream cipher, was cracked due to inherent biases and vulnerabilities in

A BIOS upgrade that fails could brick the motherboard. Unified Extensible Firmware Interface (UEFI) is a successor to the legacy PC BIOS, aiming to address its technical limitations. UEFI firmware may include legacy BIOS compatibility to maintain compatibility with operating systems and option cards that do not support UEFI native operation. Since 2020, all PCs for Intel platforms no longer support Legacy BIOS. The last version of Microsoft Windows to officially support running on PCs which use legacy BIOS firmware

A Core 2 processor, without vPro features built in. However, vPro features require a PC with at least a Core 2 processor. The technologies of current versions of vPro are built into PCs with some versions of Core 2 Duo or Core 2 Quad processors (45 nm), and more recently with some versions of Core i5 and Core i7 processors. Intel AMT is part of the Intel Management Engine that is built into PCs with

A ROM chip) that contains a BIOS extension ROM. The motherboard BIOS typically contains code for initializing and bootstrapping integrated display and integrated storage. The initialization process can involve the execution of code related to the device being initialized, for locating the device, verifying the type of device, then establishing base registers, setting pointers, establishing interrupt vector tables, selecting paging modes which are ways for organizing available registers in devices, setting default values for accessing software routines related to interrupts, and setting

A SLIC can be preactivated with an OEM product key, and they verify an XML formatted OEM certificate against the SLIC in the BIOS as a means of self-activating (see System Locked Preinstallation, SLP). If a user performs a fresh install of Windows, they will need to have possession of both the OEM key (either SLP or COA) and the digital certificate for their SLIC in order to bypass activation. This can be achieved if

A challenge to today's encryption technology. For example, RSA encryption uses the multiplication of very large prime numbers to create a semiprime number for its public key. Decoding this key without its private key requires this semiprime number to be factored, which can take a very long time to do with modern computers. It would take a supercomputer anywhere from weeks to months to factor this key. However, quantum computing can use quantum algorithms to factor this semiprime number in


A challenging problem. A single error in system design or execution can allow successful attacks. Sometimes an adversary can obtain unencrypted information without directly undoing the encryption. See for example traffic analysis, TEMPEST, or Trojan horse. Integrity protection mechanisms such as MACs and digital signatures must be applied to the ciphertext when it is first created, typically on

A firmware update from your equipment manufacturer when available, or to follow the steps detailed in the mitigation guide. Many vPro features, including AMT, are implemented in the Intel Management Engine (ME), a distinct processor in the chipset running MINIX 3, which has been found to have numerous security vulnerabilities. Unlike for AMT, there is generally no official, documented way to disable

A firmware vulnerability in certain systems that utilize Intel Active Management Technology (Intel AMT), Intel Standard Manageability (Intel ISM), or Intel Small Business Technology (Intel SBT). The vulnerability is potentially very serious, and could enable a network attacker to remotely gain access to business PCs and workstations that use these technologies. We urge people and companies using business PCs and devices that incorporate Intel AMT, Intel ISM or Intel SBT to apply

A hard disk that is bootable, but sometimes there is a removable-media drive that has higher boot priority, so the user can cause a removable disk to be booted. In most modern BIOSes, the boot priority order can be configured by the user. In older BIOSes, limited boot priority options are selectable; in the earliest BIOSes, a fixed priority scheme was implemented, with floppy disk drives first, fixed disks (i.e., hard disks) second, and typically no other boot devices supported, subject to modification of these rules by installed option ROMs. The BIOS in an early PC also usually would only boot from

A large number of messages. Padding a message's payload before encrypting it can help obscure the cleartext's true length, at the cost of increasing the ciphertext's size and introducing or increasing bandwidth overhead. Messages may be padded randomly or deterministically, with each approach having different tradeoffs. Encrypting and padding messages to form padded uniform random blobs or PURBs

A level of security that will be able to counter the threat of quantum computing. Encryption is an important tool but is not sufficient alone to ensure the security or privacy of sensitive information throughout its lifetime. Most applications of encryption protect information only at rest or in transit, leaving sensitive data in clear text and potentially vulnerable to improper disclosure during processing, such as by

A message like "No bootable disk found"; some would prompt for a disk to be inserted and a key to be pressed to retry the boot process. A modern BIOS may display nothing or may automatically enter the BIOS configuration utility when the boot process fails. The environment for the boot program is very simple: the CPU is in real mode and the general-purpose and segment registers are undefined, except SS, SP, CS, and DL. CS:IP always points to physical address 0x07C00. What values CS and IP actually have

A message's content and it cannot be tampered with at rest or in transit, a message's length is a form of metadata that can still leak sensitive information about the message. For example, the well-known CRIME and BREACH attacks against HTTPS were side-channel attacks that relied on information leakage via the length of encrypted content. Traffic analysis is a broad class of techniques that often employs message lengths to infer sensitive information about traffic flows by aggregating information about

A network device or a SCSI adapter) in a cooperative way, it can use the BIOS Boot Specification (BBS) API to register its ability to do so. Once the expansion ROMs have registered using the BBS APIs, the user can select among the available boot options from within the BIOS's user interface. This is why most BBS compliant PC BIOS implementations will not allow the user to enter the BIOS's user interface until

A portion of the "upper memory area" (the part of the x86 real-mode address space at and above address 0xA0000) and runs each ROM found, in order. To discover memory-mapped option ROMs, a BIOS implementation scans the real-mode address space from 0x0C0000 to 0x0F0000 on 2 KB (2,048 bytes) boundaries, looking for a two-byte ROM signature: 0x55 followed by 0xAA. In a valid expansion ROM, this signature


A potential limitation of today's encryption methods. The length of the encryption key is an indicator of the strength of the encryption method. For example, the original encryption standard, DES (Data Encryption Standard), used a 56-bit key, meaning it had 2^56 possible combinations. With today's computing power, a 56-bit key is no longer secure, being vulnerable to brute force attacks. Quantum computing uses properties of quantum mechanics in order to process large amounts of data simultaneously. Quantum computing has been found to achieve computing speeds thousands of times faster than today's supercomputers. This computing power presents

A reserved block of system RAM at addresses 0x00400–0x004FF with various parameters initialized during the POST. All memory at and above address 0x00500 can be used by the boot program; it may even overwrite itself. The BIOS ROM is customized to the particular manufacturer's hardware, allowing low-level services (such as reading a keystroke or writing a sector of data to diskette) to be provided in

A secure tunnel for encrypted AMT communication with the managed service provider when roaming (operating on an open, wired LAN outside the corporate firewall). Secure communication with AMT can be established if the laptop is powered down or the OS is disabled. The AMT encrypted communication tunnel is designed to allow sys-admins to access a laptop or desktop PC at satellite offices where there

A simple boot loader in its ROM.) Versions of MS-DOS, PC DOS or DR-DOS contain a file called variously "IO.SYS", "IBMBIO.COM", "IBMBIO.SYS", or "DRBIOS.SYS"; this file is known as the "DOS BIOS" (also known as the "DOS I/O System") and contains the lower-level hardware-specific part of the operating system. Together with the underlying hardware-specific but operating system-independent "System BIOS", which resides in ROM, it represents

A software licensing description table (SLIC), a digital signature placed inside the BIOS by the original equipment manufacturer (OEM), for example Dell. The SLIC is inserted into the ACPI data table and contains no active code. Computer manufacturers that distribute OEM versions of Microsoft Windows and Microsoft application software can use the SLIC to authenticate licensing to the OEM Windows Installation disk and system recovery disc containing Windows software. Systems with

A standardized way to programs, including operating systems. For example, an IBM PC might have either a monochrome or a color display adapter (using different display memory addresses and hardware), but a single, standard, BIOS system call may be invoked to display a character at a specified position on the screen in text mode or graphics mode. The BIOS provides a small library of basic input/output functions to operate peripherals (such as

A storage device involve overwriting the device's whole content with zeros, ones, or other patterns – a process which can take a significant amount of time, depending on the capacity and the type of storage medium. Cryptography offers a way of making the erasure almost instantaneous. This method is called crypto-shredding. An example implementation of this method can be found on iOS devices, where

A sys-admin to monitor, maintain, secure, and service PCs. Intel AMT (the management technology) is sometimes mistaken for being the same as Intel vPro (the PC "platform"), because AMT is one of the most visible technologies of an Intel vPro-based PC. Intel AMT includes: Hardware-based management has been available in the past, but it has been limited to auto-configuration (of computers that request it) using DHCP or BOOTP for dynamic IP address allocation and disk-less workstations, as well as wake-on-LAN for remotely powering on systems. Starting with vPro with AMT 6.0, PCs with i5 or i7 processors and embedded Intel graphics now contain an Intel proprietary embedded VNC server. You can connect out-of-band using dedicated VNC-compatible viewer technology, and have full KVM (keyboard, video, mouse) capability throughout

A tool such as Intel PROSet/Wireless Software. In release 2.5/6, Intel AMT must have a corresponding wireless profile to receive out-of-band traffic over the same wireless link. The network interface API allows defining one or more wireless profiles using the same parameters as the Intel PROSet/Wireless Software. See Wireless Profile Parameters. On power-up of the host, Intel AMT communicates with

A way that, ideally, only authorized parties can decode. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Despite its goal, encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It


Is Windows 10, as Windows 11 requires a UEFI-compliant system (except for IoT Enterprise editions of Windows 11 since version 24H2). The term BIOS (Basic Input/Output System) was created by Gary Kildall and first appeared in the CP/M operating system in 1975, describing the machine-specific part of CP/M loaded during boot time that interfaces directly with the hardware. (A CP/M machine usually has only

Is a brand name for a set of Intel technology features that can be built into the hardware of the laptop or desktop PC. The set of technologies are targeted at businesses, not consumers. A PC with the vPro brand often includes Intel AMT, Intel Virtualization Technology (Intel VT), Intel Trusted Execution Technology (Intel TXT), a gigabit network connection, and so on. There may be a PC with

Is another somewhat different example of using encryption on data at rest. Encryption is also used to protect data in transit, for example data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. There have been numerous reports of data in transit being intercepted in recent years. Data should also be encrypted when transmitted across networks in order to protect against eavesdropping of network traffic by unauthorized users. Conventional methods for permanently deleting data from

Is bootable by attempting to load the first sector (boot sector). If the sector cannot be read, the BIOS proceeds to the next device. If the sector is read successfully, some BIOSes will also check for the boot sector signature 0x55 0xAA in the last two bytes of the sector (which is 512 bytes long), before accepting a boot sector and considering the device bootable. When a bootable device is found,

Is constantly evolving to prevent eavesdropping attacks. One of the first "modern" cipher suites, DES, used a 56-bit key with 72,057,594,037,927,936 possibilities; it was cracked in 1999 by EFF's brute-force DES cracker, which required 22 hours and 15 minutes to do so. Modern encryption standards often use stronger key sizes, such as AES (256-bit mode), TwoFish, ChaCha20-Poly1305, Serpent (configurable up to 512-bit). Cipher suites that use

Is enabled as a feature in vPro PCs version 4.0 and higher, the feature will not be fully usable until the infrastructure is in place and functional. vPro security technologies and methodologies are designed into the PC's chipset and other system hardware. During deployment of vPro PCs, security credentials, keys, and other critical information are stored in protected memory (not on the hard disk drive), and erased when no longer needed. According to Intel, it

Is followed by a single byte indicating the number of 512-byte blocks the expansion ROM occupies in real memory, and the next byte is the option ROM's entry point (also known as its "entry offset"). If the ROM has a valid checksum, the BIOS transfers control to the entry address, which in a normal BIOS extension ROM should be the beginning of the extension's initialization routine. At this point,

Is more difficult to identify, steal, corrupt, or destroy. The question of balancing the need for national security with the right to privacy has been debated for years, since encryption has become critical in today's digital society. The modern encryption debate started around the '90s when the US government tried to ban cryptography because, according to them, it would threaten national security. The debate

Is no on-site proxy server or management server appliance. Secure communications outside the corporate firewall depend on adding a new element—a management presence server (Intel calls this a "vPro-enabled gateway")—to the network infrastructure. This requires integration with network switch manufacturers, firewall vendors, and vendors who design management consoles to create infrastructure that supports encrypted roaming communication. So although encrypted roaming communication

Is not well defined. Some BIOSes use a CS:IP of 0x0000:0x7C00 while others may use 0x07C0:0x0000. Because boot programs are always loaded at this fixed address, there is no need for a boot program to be relocatable. DL may contain the drive number, as used with interrupt 13h, of the boot device. SS:SP points to a valid stack that is presumably large enough to support hardware interrupts, but otherwise SS and SP are undefined. (A stack must be already set up in order for interrupts to be serviced, and interrupts must be enabled in order for


Is performed each time the system is powered up. Without reprogrammable microcode, an expensive processor swap would be required; for example, the Pentium FDIV bug became an expensive fiasco for Intel as it required a product recall because the original Pentium processor's defective microcode could not be reprogrammed. Operating systems can update main processor microcode also. Some BIOSes contain

Is polarized around two opposing views: those who see strong encryption as a problem making it easier for criminals to hide their illegal acts online, and others who argue that encryption keeps digital communications safe. The debate heated up in 2014, when Big Tech like Apple and Google set encryption by default in their devices. This was the start of a series of controversies that puts governments, companies and internet users at stake. Encryption, by itself, can protect

Is possible to decrypt the message without possessing the key but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. Historically, various forms of encryption have been used to aid in cryptography. Early encryption techniques were often used in military messaging. Since then, new techniques have emerged and become commonplace in all areas of modern computing. Modern encryption schemes use

Is possible to disable AMT through the BIOS settings; however, there is apparently no way for most users to detect outside access to their PC via the vPro hardware-based technology. Moreover, Sandy Bridge and future chips will have "...the ability to remotely kill and restore a lost or stolen PC via 3G ... if that laptop has a 3G connection". On May 1, [2017] Intel published a security advisory regarding

Is rebooting. When interrupt 19h is called, the BIOS attempts to locate boot loader software on a "boot device", such as a hard disk, a floppy disk, CD, or DVD. It loads and executes the first boot software it finds, giving it control of the PC. The BIOS uses the boot devices set in Nonvolatile BIOS memory (CMOS), or, in the earliest PCs, DIP switches. The BIOS checks each device in order to see if it

Is running. The interrupt vectors corresponding to the BIOS interrupts have been set to point at the appropriate entry points in the BIOS, hardware interrupt vectors for devices initialized by the BIOS have been set to point to the BIOS-provided ISRs, and some other interrupts, including ones that BIOS generates for programs to hook, have been set to a default dummy ISR that immediately returns. The BIOS maintains

Is still very limited. Quantum computing currently is not commercially available, cannot handle large amounts of code, and only exists as computational devices, not computers. Furthermore, quantum computing advancements will be able to be used in favor of encryption as well. The National Security Agency (NSA) is currently preparing post-quantum encryption standards for the future. Quantum encryption promises

Is that it does not support some features: out-of-band KVM remote control, Wireless Intel® AMT, Fast call for help, Intel® Remote Secure Erase with Intel® SSD Pro. Intel processors that support vPro Essentials are using Intel Standard Manageability (a subset of Intel AMT) which supports out-of-band management and can be monitored with the "Access Monitor" feature. Intel AMT is the set of management and security features built into vPro PCs that makes it easier for

Is unique among PCs in having two ROM cartridge slots on the front. Cartridges in these slots map into the same region of the upper memory area used for option ROMs, and the cartridges can contain option ROM modules that the BIOS would recognize. The cartridges can also contain other types of ROM modules, such as BASIC programs, that are handled differently. One PCjr cartridge can contain several ROM modules of different types, possibly stored together in one ROM chip. The 8086 and 8088 start at physical address FFFF0h. The 80286 starts at physical address FFFFF0h. The 80386 and later x86 processors start at physical address FFFFFFF0h. When

The CPU, chipset, RAM, motherboard, video card, keyboard, mouse, hard disk drive, optical disc drive and other hardware, including integrated peripherals. Early IBM PCs had a routine in the POST that would download a program into RAM through the keyboard port and run it. This feature was intended for factory test or diagnostic purposes. After the motherboard BIOS completes its POST, most BIOS versions search for option ROM modules, also called BIOS extension ROMs, and execute them. The motherboard BIOS scans for extension ROMs in


The Computer Security Institute reported that in 2007, 71% of companies surveyed used encryption for some of their data in transit, and 53% used encryption for some of their data in storage. Encryption can be used to protect data "at rest", such as information stored on computers and storage devices (e.g. USB flash drives). In recent years, there have been numerous reports of confidential data, such as customers' personal records, being exposed through loss or theft of laptops or backup drives; encrypting such files at rest helps protect them if physical security measures fail. Digital rights management systems, which prevent unauthorized use or reproduction of copyrighted material and protect software against reverse engineering (see also copy protection),

The OS is down or management agents are missing. AMT out-of-band communication and some AMT features are available for wireless or wired laptops connected to the corporate network over a host OS-based virtual private network (VPN) when laptops are awake and working properly. A wireless connection operates at two levels: the wireless network interface (WLAN) and the interface driver executing on

The System BIOS, ROM BIOS, BIOS ROM or PC BIOS) is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process (power-on startup). The firmware comes pre-installed on the computer's motherboard. The name originates from the Basic Input/Output System used in the CP/M operating system in 1975. The BIOS firmware

The "first sector" of a CD-ROM or DVD-ROM is not a simply defined operation like it is on a floppy disk or a hard disk. Furthermore, the complexity of the medium makes it difficult to write a useful boot program in one sector. The bootable virtual floppy disk can contain software that provides access to the optical medium in its native format. If an expansion ROM wishes to change the way the system boots (such as from

The 1980s under MS-DOS, when programmers observed that using the BIOS video services for graphics display was very slow. To increase the speed of screen output, many programs bypassed the BIOS and programmed the video display hardware directly. Other graphics programmers, particularly but not exclusively in the demoscene, observed that there were technical capabilities of the PC display adapters that were not supported by

The BIOS after completing its initialization process. Once (and if) an option ROM returns, the BIOS continues searching for more option ROMs, calling each as it is found, until the entire option ROM area in the memory space has been scanned. It is possible that an option ROM will not return to the BIOS, pre-empting the BIOS's boot sequence altogether. After the POST completes and, in a BIOS that supports option ROMs, after

The BIOS to carry out most input/output tasks within the PC. Calling real mode BIOS services directly is inefficient for protected mode (and long mode) operating systems. BIOS interrupt calls are not used by modern multitasking operating systems after they initially load. In the 1990s, BIOS provided some protected mode interfaces for Microsoft Windows and Unix-like operating systems, such as Advanced Power Management (APM), Plug and Play BIOS, Desktop Management Interface (DMI), VESA BIOS Extensions (VBE), e820 and MultiProcessor Specification (MPS). Starting from

The BIOS transfers control to the loaded sector. The BIOS does not interpret the contents of the boot sector other than to possibly check for the boot sector signature in the last two bytes. Interpretation of data structures like partition tables and BIOS Parameter Blocks is done by the boot program in the boot sector itself or by other programs loaded through the boot process. A non-disk device such as

The BIOS. Code in option ROMs runs before the BIOS boots the operating system from mass storage. These ROMs typically test and initialize hardware, add new BIOS services, or replace existing BIOS services with their own services. For example, a SCSI controller usually has a BIOS extension ROM that adds support for hard drives connected through that controller. An extension ROM could in principle contain an operating system, or it could implement an entirely different boot process such as network booting. Operation of an IBM-compatible computer system can be completely changed by removing or inserting an adapter card (or

The Core i series was code-named Nehalem, and the second generation of the line was code-named Sandy Bridge. Intel Centrino 2 was a branding of a package of technologies that included Wi-Fi and, originally, the Intel Core 2 Duo. The Intel Centrino 2 brand was applied to mobile PCs, such as laptops and other small devices. Core 2 and Centrino 2 have evolved to use Intel's latest 45-nm manufacturing processes, have multi-core processing, and are designed for multithreading. Intel vPro


The IBM BIOS and could not be taken advantage of without circumventing it. Since the AT-compatible BIOS ran in Intel real mode, operating systems that ran in protected mode on 286 and later processors required hardware device drivers compatible with protected mode operation to replace BIOS services. In modern PCs running modern operating systems (such as Windows and Linux) the BIOS interrupt calls are used only during booting and initial loading of operating systems. Before

The Intel vPro brand. Intel AMT is a set of remote management and security hardware features that let a sys-admin with AMT security privileges access system information and perform specific remote operations on the PC. These operations include remote power up/down (via wake-on-LAN), remote / redirected boot (via integrated device electronics redirect, or IDE-R), console redirection (via serial over LAN), and other remote management and security features. BIOS. In computing, BIOS (/ˈbaɪɒs, -oʊs/, BY-oss, -ohss; Basic Input/Output System, also known as

The Management Engine (ME); it is always on unless it is not enabled at all by the OEM. Intel vPro supports industry-standard methodologies and protocols, as well as other vendors' security features: Intel Boot Guard is a processor feature that prevents the computer from running firmware (UEFI) images not released by the system manufacturer (OEM or ODM). When turned on, the processor verifies

The OEM's BIOS settings as well as whether a discrete graphics card is present. Only Intel integrated HD graphics support KVM capability. Intel vPro supports encrypted communication over wired and wireless LAN for all remote management features for PCs inside the corporate firewall. Intel vPro supports encrypted communication for some remote management features for wired and wireless LAN PCs outside

The WLAN is enabled by default both before and after configuration. That means that it is possible to configure Intel AMT over the WLAN, as long as the host WLAN driver has an active connection. Intel AMT synchronizes to the active host profile. It assumes that a configuration server configures a wireless profile that Intel AMT uses in power states other than S0. When there is a problem with the wireless driver and

The Wheel Cipher or the Jefferson Disk, although never actually built, was theorized as a spool that could jumble an English message up to 36 characters. The message could be decrypted by plugging in the jumbled message to a receiver with an identical cipher. A similar device to the Jefferson Disk, the M-94, was developed in 1917 independently by US Army Major Joseph Mauborgne. This device

The analogue to the "CP/M BIOS". The BIOS originally proprietary to the IBM PC has been reverse engineered by some companies (such as Phoenix Technologies) looking to create compatible systems. With the introduction of PS/2 machines, IBM divided the System BIOS into real- and protected-mode portions. The real-mode portion was meant to provide backward compatibility with existing operating systems such as DOS, and therefore

The attacker can both inspect and tamper with encrypted data by performing a man-in-the-middle attack anywhere along the message's path. The common practice of TLS interception by network operators represents a controlled and institutionally sanctioned form of such an attack, but countries have also attempted to employ such attacks as a form of control and censorship. Even when encryption correctly hides

The boot sequence by inserting its own boot actions into it, by preventing the BIOS from detecting certain devices as bootable, or both. Before the BIOS Boot Specification was promulgated, this was the only way for expansion ROMs to implement boot capability for devices not supported for booting by the native BIOS of the motherboard. The user can select the boot priority implemented by the BIOS. For example, most computers have

The card is not supported by the motherboard BIOS and the card needs to be initialized or made accessible through BIOS services before the operating system can be loaded (usually this means it is required in the boot process). An additional advantage of ROM on some early PC systems (notably including the IBM PCjr) was that ROM was faster than main system RAM. (On modern systems, the case is very much

The cipher. In the context of cryptography, encryption serves as a mechanism to ensure confidentiality. Since data may be visible on the Internet, sensitive information such as passwords and personal communication may be exposed to potential interceptors. The process of encrypting and decrypting messages involves keys. The two main types of keys in cryptographic systems are symmetric-key and public-key (also known as asymmetric-key). Many complex cryptographic algorithms often use simple modular arithmetic in their implementations. In symmetric-key schemes,

The code would be to try over 17,000 combinations within 24 hours. The Allies used computing power to severely limit the number of reasonable combinations they needed to check every day, leading to the breaking of the Enigma Machine. Today, encryption is used in the transfer of communication over the Internet for security and commerce. As computing power continues to increase, computer encryption

The computer, and if it was lost the system settings could not be changed. The same applied in general to computers with an EISA bus, for which the configuration program was called an EISA Configuration Utility (ECU). A modern Wintel-compatible computer provides a setup routine essentially unchanged in nature from the ROM-resident BIOS setup utilities of the late 1990s; the user can configure hardware options using

The concepts of public-key and symmetric-key. Modern encryption techniques ensure security because modern computers are inefficient at cracking the encryption. One of the earliest forms of encryption is symbol replacement, which was first found in the tomb of Khnumhotep II, who lived in 1900 BC Egypt. Symbol replacement encryption is "non-standard," which means that the symbols require a cipher or key to understand. This type of early encryption

The confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication code (MAC) or a digital signature usually done by a hashing algorithm or a PGP signature. Authenticated encryption algorithms are designed to provide both encryption and integrity protection together. Standards for cryptographic software and hardware to perform encryption are widely available, but successfully using encryption to ensure security may be

The corporate firewall. Laptops with vPro include a gigabit network connection and support IEEE 802.11a/g/n wireless protocols. Intel vPro PCs support wireless communication to the AMT features. For wireless laptops on battery power, communication with AMT features can occur when the system is awake and connected to the corporate network. This communication is available if

The cryptographic key is kept in a dedicated 'effaceable storage'. Because the key is stored on the same device, this setup on its own does not offer full privacy or security protection if an unauthorized person gains physical access to the device. Encryption is used in the 21st century to protect digital data and information systems. As computing power increased over the years, encryption technology has only become more advanced and secure. However, this advancement in technology has also exposed

The device's configuration using default values. In addition, plug-in adapter cards such as SCSI, RAID, network interface cards, and video cards often include their own BIOS (e.g. Video BIOS), complementing or replacing the system BIOS code for the given component. Even devices built into the motherboard can behave in this way; their option ROMs can be a part of the motherboard BIOS. An add-in card requires an option ROM if

The encryption and decryption keys are the same. Communicating parties must have the same key in order to achieve secure communication. The German Enigma Machine used a new symmetric-key each day for encoding and decoding messages. In addition to traditional encryption types, individuals can enhance their security by using VPNs or specific browser settings to encrypt their internet connection, providing additional privacy protection while browsing

The encryption and decryption keys. A publicly available public-key encryption application called Pretty Good Privacy (PGP) was written in 1991 by Phil Zimmermann, and distributed free of charge with source code. PGP was purchased by Symantec in 2010 and is regularly updated. Encryption has long been used by militaries and governments to facilitate secret communication. It is now commonly used in protecting information within many kinds of civilian systems. For example,

The expansion ROMs have finished executing and registering themselves with the BBS API. Also, if an expansion ROM wishes to change the way the system boots unilaterally, it can simply hook interrupt 19h or other interrupts normally called from interrupt 19h, such as interrupt 13h, the BIOS disk service, to intercept the BIOS boot process. Then it can replace the BIOS boot process with one of its own, or it can merely modify

The extension ROM code takes over, typically testing and initializing the hardware it controls and registering interrupt vectors for use by post-boot applications. It may use BIOS services (including those provided by previously initialized option ROMs) to provide a user configuration interface, to display diagnostic information, or to do anything else that it requires. An option ROM should normally return to

The first floppy disk drive or the first hard disk drive, even if there were two drives installed. On the original IBM PC and XT, if no bootable disk was found, the BIOS would try to start ROM BASIC with the interrupt call to interrupt 18h. Since few programs used BASIC in ROM, clone PC makers left it out; then a computer that failed to boot from a disk would display "No ROM BASIC" and halt (in response to interrupt 18h). Later computers would display

The host is still powered up (in an S0 power state only), Intel AMT can continue to receive out-of-band manageability traffic directly from the wireless network interface. For Intel AMT to work with a wireless LAN, it must share IP addresses with the host. This requires the presence of a DHCP server to allocate IP addresses and Intel AMT must be configured to use DHCP. Intel vPro PCs support encrypted communication while roaming. vPro PCs version 4.0 or higher support security for mobile communications by establishing

The key differences between vPro (an umbrella marketing term), AMT (a technology under the vPro brand), Intel Core i5 and Intel Core i7 (a branding of a package of technologies), and Core i5 and Core i7 (a processor) are as follows: The Core i7, the first model of the i series, was launched in 2008, and the less-powerful i5 and i3 models were introduced in 2009 and 2010, respectively. The microarchitecture of

The keyboard and video display. The modern Wintel machine may store the BIOS configuration settings in flash ROM, perhaps the same flash ROM that holds the BIOS itself. Peripheral cards such as hard disk drive host bus adapters and video cards have their own firmware, and BIOS extension option ROM code may be a part of the expansion card firmware; that code provides additional capabilities in

The keyboard, rudimentary text and graphics display functions and so forth). When using MS-DOS, BIOS services could be accessed by an application program (or by MS-DOS) by executing an interrupt 13h interrupt instruction to access disk functions, or by executing one of a number of other documented BIOS interrupt calls to access video display, keyboard, cassette, and other device functions. Operating systems and executive software that are designed to supersede this basic firmware functionality provide replacement software interfaces to application software. Applications can also provide these services to themselves. This began even in

The operating system's first graphical screen is displayed, input and output are typically handled through BIOS. A boot menu such as the textual menu of Windows, which allows users to choose an operating system to boot, to boot into the safe mode, or to use the last known good configuration, is displayed through BIOS and receives keyboard input through BIOS. Many modern PCs can still boot and run legacy operating systems such as MS-DOS or DR-DOS that rely heavily on BIOS for their console and disk I/O, providing that

The option ROM scan is completed and all detected ROM modules with valid checksums have been called, the BIOS calls interrupt 19h to start boot processing. Post-boot, programs loaded can also call interrupt 19h to reboot the system, but they must be careful to disable interrupts and other asynchronous hardware processes that may interfere with the BIOS rebooting process, or else the system may hang or crash while it

The platform host. The network interface manages the RF communications connection. If the user turns off the wireless transmitter/receiver using either a hardware or software switch, Intel AMT cannot use the wireless interface under any conditions until the user turns on the wireless transmitter/receiver. Intel AMT Release 2.5/2.6 can send and receive management traffic via the WLAN only when

The platform is in the S0 power state (the computer is on and running). It does not receive wireless traffic when the host is asleep or off. If the power state permits it, Intel AMT Release 2.5/2.6 can continue to send and receive out-of-band traffic when the platform is in an Sx state, but only via a wired LAN connection, if one exists. Release 4.0 and later releases support wireless out-of-band manageability in Sx states, depending on

The point of successfully initializing a video display adapter. Options on the IBM PC and XT were set by switches and jumpers on the main board and on expansion cards. Starting around the mid-1990s, it became typical for the BIOS ROM to include a "BIOS configuration utility" (BCU) or "BIOS setup utility", accessed at system power-up by a particular key sequence. This program allowed the user to set system configuration options, of

The power cycle—including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER). Not all i5 and i7 processors with vPro support KVM capability. This depends on

The power setting and other configuration parameters. Release 7.0 supports wireless manageability on desktop platforms. When a wireless connection is established on a host platform, it is based on a wireless profile that sets up names, passwords and other security elements used to authenticate the platform to the wireless Access Point. The user or the IT organization defines one or more profiles using

The reverse of this, and BIOS ROM code is usually copied ("shadowed") into RAM so it will run faster.) Option ROMs normally reside on adapter cards. However, the original PC, and perhaps also the PC XT, have a spare ROM socket on the motherboard (the "system board" in IBM's terms) into which an option ROM can be inserted, and the four ROMs that contain the BASIC interpreter can also be removed and replaced with custom ROMs which can be option ROMs. The IBM PCjr

The same amount of time it takes for normal computers to generate it. This would make all data protected by current public-key encryption vulnerable to quantum computing attacks. Other encryption techniques like elliptic curve cryptography and symmetric key encryption are also vulnerable to quantum computing. While quantum computing could be a threat to encryption security in the future, quantum computing as it currently stands

The same device used to compose the message, to protect a message end-to-end along its full transmission path; otherwise, any node between the sender and the encryption agent could potentially tamper with it. Encrypting at the time of creation is only secure if the encryption device itself has correct keys and has not been tampered with. If an endpoint device has been configured to trust a root certificate that an attacker controls, for example, then

The stack set up by BIOS is unknown and its location is likewise variable; although the boot program can investigate the default stack by examining SS:SP, it is easier and shorter to just unconditionally set up a new stack. At boot time, all BIOS services are available, and the memory below address 0x00400 contains the interrupt vector table. BIOS POST has initialized the system timers, interrupt controller(s), DMA controller(s), and other motherboard/chipset hardware as necessary to bring all BIOS services to ready status. DRAM refresh for all system DRAM in conventional memory and extended memory, but not necessarily expanded memory, has been set up and

The system has a BIOS, or a CSM-capable UEFI firmware. Intel processors have had reprogrammable microcode since the P6 microarchitecture. AMD processors have had reprogrammable microcode since the K7 microarchitecture. The BIOS contains patches to the processor microcode that fix errors in the initial processor microcode; microcode is loaded into the processor's SRAM, so reprogramming is not persistent, and thus loading of microcode updates

The system is initialized, the first instruction of the BIOS appears at that address. If the system has just been powered up or the reset button was pressed ("cold boot"), the full power-on self-test (POST) is run. If Ctrl+Alt+Delete was pressed ("warm boot"), a special flag value stored in nonvolatile BIOS memory ("CMOS") tested by the BIOS allows bypass of the lengthy POST and memory detection. The POST identifies, tests and initializes system devices such as

The system timer-tick interrupt, which BIOS always uses at least to maintain the time-of-day count and which it initializes during POST, to be active and for the keyboard to work. The keyboard works even if the BIOS keyboard service is not called; keystrokes are received and placed in the 15-character type-ahead buffer maintained by BIOS.) The boot program must set up its own stack, because the size of

The technique of frequency analysis, which was an attempt to crack ciphers systematically, including the Caesar cipher. This technique looked at the frequency of letters in the encrypted message to determine the appropriate shift: for example, the most common letter in English text is E and is therefore likely to be represented by the letter that appears most commonly in the ciphertext. This technique

The type formerly set using DIP switches, through an interactive menu system controlled through the keyboard. In the interim period, IBM-compatible PCs, including the IBM AT, held configuration settings in battery-backed RAM and used a bootable configuration program on floppy disk, not in the ROM, to set the configuration options contained in this memory. The floppy disk was supplied with

The user performs a restore using a pre-customised image provided by the OEM. Power users can copy the necessary certificate files from the OEM image, decode the SLP product key, then perform SLP activation manually. Some BIOS implementations allow overclocking, an action in which the CPU is adjusted to a higher clock rate than its manufacturer rating for guaranteed capability. Overclocking may, however, seriously compromise system reliability in insufficiently cooled computers and generally shorten component lifespan. Overclocking, when incorrectly performed, may also cause components to overheat so quickly that they mechanically destroy themselves. Some older operating systems, for example MS-DOS, rely on

The web. In public-key encryption schemes, the encryption key is published for anyone to use and encrypt messages. However, only the receiving party has access to the decryption key that enables messages to be read. Public-key encryption was first described in a secret document in 1973; beforehand, all encryption schemes were symmetric-key (also called private-key). Although published subsequently,

The wireless LAN driver on the host. When the driver and Intel AMT find matching profiles, the driver routes traffic addressed to the Intel AMT device for manageability processing. With certain limitations, Intel AMT Release 4.0/1 can send and receive out-of-band traffic without an Intel AMT configured wireless profile, as long as the host driver is active and the platform is inside the enterprise. In release 4.2, and on release 6.0 wireless platforms,

The work of Diffie and Hellman was published in a journal with a large readership, and the value of the methodology was explicitly described. The method became known as the Diffie-Hellman key exchange. RSA (Rivest–Shamir–Adleman) is another notable public-key cryptosystem. Created in 1978, it is still used today for applications involving digital signatures. Using number theory, the RSA algorithm selects two prime numbers, which help generate both

The year 2000, most BIOSes provide ACPI, SMBIOS, VBE and e820 interfaces for modern operating systems. After operating systems load, the System Management Mode code is still running in SMRAM. Since 2010, BIOS technology is in a transitional process toward UEFI. Encryption In cryptography, encryption (more specifically, encoding) is the process of transforming information in

Was built with an Intel Core 2 Duo processor. The current versions of Intel vPro are built into systems with 10 nm Intel 10th Generation Core i5 and i7 processors. PCs with Intel vPro require specific chipsets. Intel vPro releases are usually identified by their AMT version. Laptops with Intel vPro require: Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases. Desktop PCs with vPro (called "Intel Core 2 with vPro technology") require: Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases. There are numerous Intel brands. However,

Was first released in Haswell processors in June 2013. Intel vPro uses several industry-standard security technologies and methodologies to secure the remote vPro communication channel. These technologies and methodologies also improve security for accessing the PC's critical system data, BIOS settings, Intel AMT management features, and other sensitive features or data; and protect security credentials and other critical information during deployment (setup and configuration of Intel AMT) and vPro use. The first release of Intel vPro

Was named "CBIOS" (for "Compatibility BIOS"), whereas the "ABIOS" (for "Advanced BIOS") provided new interfaces specifically suited for multitasking operating systems such as OS/2. The BIOS of the original IBM PC and XT had no interactive user interface. Error codes or messages were displayed on the screen, or coded series of sounds were generated to signal errors when the power-on self-test (POST) had not proceeded to

Was originally proprietary to the IBM PC; it was reverse engineered by some companies (such as Phoenix Technologies) looking to create compatible systems. The interface of that original system serves as a de facto standard. The BIOS in older PCs initializes and tests the system hardware components (power-on self-test, or POST for short), and loads a boot loader from a mass storage device which then initializes

Was rendered ineffective by the polyalphabetic cipher, described by Al-Qalqashandi (1355–1418) and Leon Battista Alberti (in 1465), which varied the substitution alphabet as encryption proceeded in order to confound such analysis. Around 1790, Thomas Jefferson theorized a cipher to encode and decode messages to provide a more secure way of military correspondence. The cipher, known today as

Was stored in a ROM chip on the PC motherboard. In later computer systems, the BIOS contents are stored on flash memory so it can be rewritten without removing the chip from the motherboard. This allows easy end-user updates to the BIOS firmware so new features can be added or bugs can be fixed, but it also creates a possibility for the computer to become infected with BIOS rootkits. Furthermore,

Was used in U.S. military communications until 1942. In World War II, the Axis powers used a more advanced version of the M-94 called the Enigma Machine. The Enigma Machine was more complex because, unlike the Jefferson Wheel and the M-94, each day the jumble of letters switched to a completely new combination. Each day's combination was only known by the Axis, so many thought the only way to break

Was used throughout Ancient Greece and Rome for military purposes. One of the most famous military encryption developments was the Caesar cipher, in which a plaintext letter is shifted a fixed number of positions along the alphabet to get the encoded letter. A message encoded with this type of encryption could be decoded with a fixed number on the Caesar cipher. Around 800 AD, Arab mathematician Al-Kindi developed
