[Freedombox-discuss] Without software collusion
blibbet at gmail.com
Thu Jun 28 20:21:11 UTC 2012
> To me, that also speaks volumes.
It speaks a bit how defensive and verbose Intel is w/r/t vPro usage of

How does Intel AMT use UUIDs? What functionality do UUIDs enable and not
enable on Intel AMT-enabled platforms?

Universal unique identifiers (UUIDs) are artifacts used by Intel AMT for
a number of purposes, including the provisioning process, the security
of the system (for example, passwords, keys, and TLS certificates), and
to ensure that IT administrators are able to accurately connect to and
manage a particular user’s system within an enterprise.
Intel has not created any UUIDs to enable the functioning of Intel AMT,
nor are UUIDs something new to Intel AMT. UUIDs are present in virtually
all modern PCs, and are commonly installed by OEMs on all platforms,
without relation to Intel AMT. Indeed, UUIDs are currently utilized by
applications found on many PCs to isolate unique system information in
order to provide expected functionality, such as the delivery of
Operating System or virus control system updates. Intel AMT uses
platform UUIDs in a very similar fashion – the primary difference being
that in order to enable Intel AMT to access the UUID OOB, the UUID is
copied to the flash memory repository.
It is important to note that the UUIDs on Intel AMT-enabled systems
cannot be used by Intel to track users or their PCs, nor do they allow
Intel to access user systems via a back door into the platform, nor do
they allow Intel to force firmware down to the platform without user
consent. Any UUID stored in flash by Intel AMT is only accessible to
authorized IT administrators for a particular Intel AMT-enabled
platform. The list of authorized IT administrators is configured by the
end customer IT during a protected process using either enterprise
certificates or physical presence at the Intel AMT system (via BIOS menu
or USB key) to establish trust, and thus occurs entirely with consoles
residing on trusted servers designated as such by the end customer IT.
In other words, neither UUIDs nor any other information can be
communicated to or from any party external to the end customer via Intel
AMT unless the end customer expressly configures this. To identify
authorized administrators for a particular system, see the Intel AMT
Software Developer Kit (SDK) documentation available at
softwarecommunity.intel.com/communities/manageability, which provides an
API to retrieve the ACLs or the Kerberos authorized accounts.
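Added illustration, not part of the original post or of Intel's FAQ: the "platform UUID" the FAQ refers to is the one OEMs write into the SMBIOS System Information (Type 1) structure, which the AMT firmware then copies to flash. The Python below parses a constructed Type 1 record and decodes the UUID with the SMBIOS 2.6+ byte-order rule (first three fields little-endian), so a defender can check exactly which identifier the firmware exposes; the structure bytes, vendor strings and sentinel handling are constructed for the example.

```python
import uuid

SMBIOS_TYPE_SYSTEM_INFO = 1  # DMTF SMBIOS "System Information" structure


def parse_system_info(table: bytes) -> dict:
    """Decode one SMBIOS Type 1 structure (formatted area followed by its
    NUL-terminated string set). Returns the platform UUID in canonical
    form, or a marker when the OEM left it unset: all 0x00 means absent,
    all 0xFF means absent but settable by the OEM/BIOS."""
    if len(table) < 0x19 or table[0] != SMBIOS_TYPE_SYSTEM_INFO:
        raise ValueError("not a Type 1 structure")
    length = table[1]  # formatted-area length; UUID lives at offset 8..23
    handle = int.from_bytes(table[2:4], "little")
    raw_uuid = table[8:24]
    # Strings follow the formatted area; the set ends with a double NUL.
    strings = table[length:].split(b"\x00")

    def s(idx: int) -> str:  # string indices are 1-based, 0 = no string
        return strings[idx - 1].decode("ascii", "replace") if idx else ""

    if raw_uuid == b"\x00" * 16:
        uuid_str = "not present"
    elif raw_uuid == b"\xff" * 16:
        uuid_str = "not present (settable)"
    else:
        # SMBIOS 2.6+ stores time_low/time_mid/time_hi little-endian and the
        # last 8 bytes in network order; uuid.UUID(bytes_le=...) applies
        # exactly that swap, matching what dmidecode prints.
        uuid_str = str(uuid.UUID(bytes_le=raw_uuid))
    return {"handle": handle, "manufacturer": s(table[4]), "product": s(table[5]),
            "serial": s(table[7]), "uuid": uuid_str}


# Constructed sample record: type 1, length 0x1B, handle 0x0100, string
# indices 1/2/0/3, a made-up UUID, wake-up type 6, no SKU/family strings.
SAMPLE_TYPE1 = (
    bytes([0x01, 0x1B, 0x00, 0x01, 0x01, 0x02, 0x00, 0x03])
    + bytes.fromhex("78563412bc9af0de1122334455667788")
    + bytes([0x06, 0x00, 0x00])
    + b"Example OEM\x00Example Box\x00SN0001\x00\x00"
)

if __name__ == "__main__":
    print(parse_system_info(SAMPLE_TYPE1))
```

On Linux the same raw structure can be read (as root) from /sys/firmware/dmi/entries/1-0/raw and fed to parse_system_info to compare against what a management console reports.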