Intel® vPro™ Technology

Mobile Manageability in Low-Power and Operating-System-Absent States

How Intel® vPro™ Technology Handles Mobile Characteristics

With the advent of Intel® vPro™ technology, all of the drawbacks of previous manageability solutions that we just discussed were addressed. Intel vPro technology was able to accomplish this by using a mix of hardware, firmware, and software solutions.

Before continuing in our exploration of Intel vPro technology, it is worth mentioning a couple of important facts:

• As of 2006 (first mobile platform–2007), the core logic of Intel vPro technology has been run on firmware on a dedicated auxiliary processor residing in Intel’s chipsets. The firmware running on that processor is known as the Intel® Management Engine, or Intel® ME for short. A diagram showing the general architecture of a system running Intel vPro technology is depicted in Figure 1.

Figure 1: General architecture of a system supporting Intel® vPro™ technology
Source: Intel Corporation, 2008
click image for larger view

• To save power, the Intel ME has a mode in which it shuts off completely, even though from a functional perspective it should remain accessible to the network. This is relevant to Sx/AC states only. The main reason ME shuts off is so that the platform complies with power-related regulations, such as Energy Star* [6]. Going forward in this article, we refer therefore to the Intel ME power state in such cases as “M-Off with wakes.” Note that “M-Off with wakes” is not relevant to Sx/DC states, in which the Intel ME is required to shut off and remain inaccessible.

The Intel® vPro™ Technology Solution for Dynamic IP
The Intel vPro technology solution for dynamic IP networks (see “Dynamic IP” section) is to use a combination of hardware, firmware, and software.

It should be noted that as of 2008, Intel ME firmware on mobile computers operates only on an IP address that is shared with the host OS. Thus, in an OS-present state, it is the host OS stack that is responsible for acquiring and maintaining a DHCP lease. Even so, Intel ME firmware tracks the acquisition of DHCP leases by the host OS, by using dedicated hardware filters that are located within the network adapter (for Intel® LAN), or by relying on software messages from the driver located in the host OS (for Intel® WLAN). This tracking system is depicted in Figure 2.

Figure 2: DHCP packets and their tracking by Intel® ME firmware in OS-present state
Source: Intel Corporation, 2008
click image for larger view

In an OS-absent state (for example, Sx states), it is Intel ME firmware that directly maintains DHCP leases. This is shown in Figure 3.

Figure 3: DHCP packets and their tracking by Intel® ME firmware in OS-absent states (including Sx states)
Source: Intel Corporation, 2008
click image for larger view

In an OS-absent state, whether the OS software or the Intel ME firmware previously acquired the latest DHCP lease, Intel ME firmware takes note of when the lease will expire.

When the lease expires in an OS-absent state, Intel ME firmware identifies this occurrence by receiving a timer interrupt or even by waking up (in case it is in an “M-Off with wakes” power state). This operation triggers the Intel ME firmware to autonomously renew its lease, without the need to wake the host OS. In such a way, Intel vPro technology can continuously maintain its IP presence on the network, even in Sx states.

The Intel® vPro™ Technology Solution for Re-Associating with WLAN Access Points
The Intel vPro technology solution for re-associating with the WLAN AP (see the section “Re-Associating with WLAN Access Points”) is to use a combination of the Intel ME firmware and the firmware that is located within the Intel® WLAN device.

After a transition to an OS-absent state (including Sx states), the Intel ME firmware starts communicating directly with the Intel WLAN device by using a dedicated link, and it is able to establish an association with a WLAN AP. Following that, it is the firmware running on the WLAN device that actually maintains the association with the AP. Once the Intel WLAN firmware identifies that the association was lost, it sends a message to the Intel ME firmware, and this generates an interrupt to the Intel ME firmware (or generates a wake, in case the Intel ME firmware is in an “M-Off with wakes” power state). This triggers the Intel ME firmware to autonomously re-associate with a new WLAN AP. Thus, Intel ME firmware can maintain and re-establish associations with WLAN APs in Sx states without having to wake the host OS.

The Intel® vPro™ Technology Solution for 802.1x Networks
The Intel vPro technology solution for 802.1x networks (see the section “802.1x Networks”) is to use a combination of hardware, firmware, and software.

Intel vPro technology handles the issue of 802.1x networks similar to how it handles dynamic IP networks; that is, it allows the host OS logic to retain control of 802.1x authentication in OS-present states, and it uses Intel ME firmware to take control of 802.1x authentication in OS-absent states (including Sx states). One important difference, however, from Intel vPro technology’s handling of dynamic IP networks is that in the case of 802.1x networks, Intel ME firmware does not require hardware or software assistance in tracking the content of 802.1x-related traffic: it requires software or hardware assistance only in order to track the existence of such traffic (in order to determine whether it should take control of the 802.1x authentication logic or not). In order for Intel vPro technology to be able to control the 802.1x logic in OS-absent states, the IT user needs to pre-configure 802.1x credentials during the Intel vPro technology provisioning process.

Intel vPro technology contains its own 802.1x supplicant logic. That logic initiates 802.1x authentication on switching to an OS-absent state, on receiving an 802.1x challenge, on the expiration of a 802.1x authentication period, and on re-establishment of the network link (to deal with cases where a challenge was issued during link down). In the latter case, the hardware is involved: a link-up event triggers an interrupt or a wake to the Intel ME firmware (in case it is in an “M-Off with wakes” power state).

In all these cases, Intel ME firmware performs 802.1x re-authentication on its own without having to wake the host OS.

The Intel® vPro™ Technology Solution for Computers Behind Security-Enabled Networks Outside the Control of IT Departments
The Intel vPro technology solution for security-enabled networks outside of the IT department’s control (see the section “Computers Behind Security-Enabled Networks Outside the Control of IT Departments”) is to use a combination of firmware and software.

The method by which Intel vPro technology deals with mobile computers that leave the corporate premises is shown in Figure 4.

Figure 4: Intel® vPro™ technology architecture for remote connectivity (client-initiated remote access)
Source: Intel Corporation, 2008
click image for larger view

Intel ME firmware contains logic that, on various triggers, establishes a connection to the corporate network. For Sx states, the only trigger for establishing a connection is a periodic timer. However, the connection may also be established in an S0 state by a user-initiated request for assistance, and then be maintained on entering Sx states.

The connection is not established directly with the IT user’s management console software, but instead is established with a Manageability Presence Server (MPS). The MPS is located in the corporate network’s “de-militarized zone” (or DMZ—a sub-network that exposes this and other external services to the Internet). In its turn, the MPS alerts the internal IT management software that a computer, enabled with Intel vPro technology, is now connected and available for any commands that the IT user wants to send to it.

This combination of firmware and software (running the MPS) is what allows computers running Intel vPro technology on remote networks to be available for IT commands even in Sx states, circumventing any need to wake the host’s OS and establish a Virtual Private Network (VPN) connection.

The Intel® vPro™ Technology Solution for Switching Between AC and DC Power Sources
The Intel vPro technology solution for switching between an AC power source and a DC power source (see the section “Switching Between AC and DC Power Sources”) is to use a combination of Intel hardware, Intel ME firmware, OEM hardware, and OEM firmware (running as part of a dedicated Embedded Controller (EC), developed by OEMs).

As mentioned earlier, the Intel vPro technology core logic runs as part of the Intel ME firmware, which resides within Intel’s chipsets. Intel’s ME firmware can only read and set pins that are inputs to or outputs from the chipset, respectively. On the other hand, consider these points:

• The logic for reading the power source state is a platform logic, external to the chipset (either within the OEM’s EC or directly on the OEM’s motherboard).
• The logic for shutting off the power to most of the chipset is a platform logic, external to the chipset (either within the OEM’s EC or directly on the OEM’s motherboard).

Because of these two points, we have the following situation:

• A hardware input is required from the OEM’s EC or motherboard into the chipset to indicate the current power source to Intel ME firmware. Intel ME firmware can use that input in Sx states for determining when to shut itself down or power itself up (the latter requiring hardware assistance), and when to indicate to the OEM’s EC/motherboard that power to the chipset is no longer required.
• A hardware output from the chipset to the OEM’s EC or motherboard is required, so that Intel ME firmware can indicate to the OEM’s EC firmware/motherboard logic when it may shut down the power to the chipset.

The hardware connections and resultant firmware requirements have been defined by Intel to the OEMs in an ME-EC interface specification. A hardware depiction of that interface is summarized in Figure 5.

Figure 5: Intel® ME and chipset’s hardware interface with the OEM’s embedded controller/motherboard logic
Source: Intel Corporation, 2008
click image for larger view

The resultant overall platform behavior, due to the interface, is summarized in Table 1.

Table 1: Intel® ME Firmware Behavior in Low-power States
Source: Intel Corporation, 2008

Power State and Source	Intel® ME Firmware Behavior
S3/AC, S4/AC, S5/AC	If Intel® ME firmware needs to remain active or go into an “M-Off with wakes” mode, it knows to inform the OEM’s EC/motherboard that power to the chipset needs to remain on. Otherwise, it knows to inform the OEM’s EC/motherboard that it may power down the chipset.
S3/DC	Intel ME firmware knows to shut itself down.
S4/DC, S5/DC	Intel ME firmware knows to shut itself down and to inform the OEM’s EC/motherboard that it may power down the chipset.
Power cycle resets, i.e. S0 to S5 to S0 transitions (AC or DC)	Intel ME firmware knows to inform the OEM’s EC/motherboard that power to the chipset needs to remain on so that the power cycle can be completed back to S0.

Back to Top