Intel vPro Update Aims to Virtualize Threats, Sell More Than Just Processors

Intel today announced a new version of vPro technology, its bundle of processor, chipset, NIC and software aimed at enterprise desktop PCs. Most of what it does can be achieved through other means, but Intel is hoping that the convenience of bundling so many capabilities together will help it extend beyond making CPUs --- as well as give business customers an incentive to choose Intel over AMD.

First launched in September last year, vPro combines the hardware-assisted virtualization in new CPUs with Active Management technology (AMT), a separate component built into the chipset or network card. Essentially a remote management agent implemented in hardware, AMT allows network administrators to perform functions ranging from inventory a PC's software to reimaging its OS, even when the machine is switched off. Hardware-assisted virtualization is the same technology used in servers that run VMWare or Xen, but aimed at security rather than flexibility. The theory is that isolating security software inside a separate VM can protect it from malware that infects the user's OS.
The update this week adds TXT (Trusted Execution Technology, formerly known under the codename LaGrande), which uses the AMT component to verify (through signed code) that software has not been altered. This is supposed to add another layer of security, protecting against attacks on the VM itself as well as the Xen hypervisor on which it runs. TXT can also use the AMT hardware to authenticate to Cisco NAC (Network Admission Control) when a PC's main OS is corrupted or not running, important for management in NAC-protected networks.

But using the full capabilities of vPro will require software support, and that's lagging behind the hardware. Although vPro is aimed at extending Intel's reach --- it wants to sell more chipsets, networking and graphics cards in addition to processors --- it isn't entering the security software market. It has partnered with other vendors including CA, Cisco Systems, CheckPoint, LANDesk, Novell, Symantec and Trend Micro, all of whom offer support for AMT, but not yet virtualization. Nearly a year after vPro first shipped, the only software that uses its virtualization capabilities is Lenovo's Antidote Delivery Manager, designed to work with Lenovo PCs.
According to LANDesk, the main problem with vPro support is software licensing: Running security software on a separate VM means that it requires its own OS. In last year's version of vPro, this was Windows CE, which entails buying another license from Microsoft. To avoid this, Intel in May partnered with Red Hat to develop a Linux-based environment for security and management software, though that poses its own problems: Porting Windows XP security software to Linux is harder than porting it to Windows CE. Intel plans to offer an SDK that IT managers can use to develop their own Linux-based management software for vPro, which could put Intel into competition with its management and security partners.