[Freedombox-discuss] Without software collusion

Lee Fisher blibbet at gmail.com
Thu Jun 28 20:21:11 UTC 2012

> To me, that also speaks volumes.

It speaks a bit how defensive and verbose Intel is w/r/t vPro usage of 


How does Intel AMT use UUIDs? What functionality do UUIDs enable and not 
enable on Intel AMT-enabled platforms?

Universal unique identifiers (UUIDs) are artifacts used by Intel AMT for 
a number of purposes, including the provisioning process, the security 
of the system (for example, passwords, keys, and TLS certificates), and 
to ensure that IT administrators are able to accurately connect to and 
manage a particular user’s system within an enterprise.

Intel has not created any UUIDs to enable the functioning of Intel AMT, 
nor are UUIDs something new to Intel AMT. UUIDs are present in virtually 
all modern PCs, and are commonly installed by OEMs on all platforms, 
without relation to Intel AMT. Indeed, UUIDs are currently utilized by 
applications found on many PCs to isolate unique system information in 
order to provide expected functionality, such as the delivery of 
Operating System or virus control system updates. Intel AMT uses 
platform UUIDs in a very similar fashion – the primary difference being 
that in order to enable Intel AMT to access the UUID OOB, the UUID is 
copied to the flash memory repository.

It is important to note that the UUIDs on Intel AMT-enabled systems 
cannot be used by Intel to track users or their PCs, nor do they allow 
Intel to access user systems via a back door into the platform, nor do 
they allow Intel to force firmware down to the platform without user 
consent. Any UUID stored in flash by Intel AMT is only accessible to 
authorized IT administrators for a particular Intel AMT-enabled 
platform. The list of authorized IT administrators is configured by the 
end customer IT during a protected process using either enterprise 
certificates or physical presence at the Intel AMT system (via BIOS menu 
or USB key) to establish trust, and thus occurs entirely with consoles 
residing on trusted servers designated as such by the end customer IT. 
In other words, neither UUIDs nor any other information can be 
communicated to or from any party external to the end customer via Intel 
AMT unless the end customer expressly configures this. To identify 
authorized administrators for a particular system, see the Intel AMT 
Software Developer Kit (SDK) documentation available at 
softwarecommunity.intel.com/communities/manageability, which provides an 
API to retrieve the ACLs or the Kerberos authorized accounts.


More information about the Freedombox-discuss mailing list