Among Intel’s CES 2021 announcements this afternoon, the chip giant is using the annual show to launch their updated vPro platform for their latest-generation “Tiger Lake” Core processors. vPro is Intel’s suite of advanced security and manageability technologies for business use, and it is one of the company’s major differentiating features for corporate environments, particularly tightly-managed enterprise installations. Essentially the business-focused offshoot of the Core lineup, Intel typically rolls out an updated vPro platform a few months after a new generation of Core CPUs is released, and once again Intel is right on schedule with today’s release.

As a quick refresher, vPro combines Intel’s corporate management and security technologies under a single umbrella. So this includes features such as Intel’s Active Management Technology (AMT) as well as security functionality, which these days Intel combines into their Intel Hardware Shield and covers things such as Intel’s Trusted Execution Technology (TXT) and hardware memory encryption. Overall, vPro is not a specific Intel hardware product, but rather is a platform-within-a-platform from Intel, enabled by combining supported CPUs and chipsets into a complete system with an appropriate BIOS – essentially a form of upselling for businesses.

For the latest iteration of the platform, Intel is both bringing vPro forward to cover their 11th generation Tiger Lake processors, as well as introducing some new vPro functionality. In particular, the Tiger Lake generation will see the implementation of Intel’s previously-announced Control-Flow Enforcement Technology (CET), which as alluded to by the name, hardens the instruction flow within a system to prevent hijacking (exploiting security vulnerabilities) by malware.

Starting things off on the hardware side of matters, Intel is releasing some new Tiger Lake mobile CPU SKUs as well as promoting some other, existing SKUs to being vPro-capable. All of these are based on the same silicon that Intel has been minting for the last several months, but are officially enrolled as part of the vPro platform. Meanwhile, since Intel has only launched their 28W-and-under Tiger Lake UP3/UP4 chips so far, this is a pretty brief list at the moment, but expect it in time to be expanded to cover Intel’s 35W/45W chips as well, once those hit the market.

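Intel 11th Gen Core "Tiger Lake" vPro Mobile Processors

| AnandTech | Cores | L3 (MB) | Base (MHz) | 1C (MHz) | nT (MHz) | Xe EUs | Xe (MHz) | DDR4 | LP4x |
|---|---|---|---|---|---|---|---|---|---|
| UP3-Series (12-28W) | | | | | | | | | |
| i7-1185G7 | 4C / 8T | 12 | 3000 | 4800 | 4300 | 96 | 1350 | 3200 | 4266 |
| i5-1145G7 | 4C / 8T | 8 | 2600 | 4400 | 4000 | 80 | 1300 | 3200 | 4266 |
| UP4-Series (7-15W) | | | | | | | | | |
| i7-1180G7 | 4C / 8T | 12 | 1300 | 4600 | 3700 | 96 | 1100 | - | 4266 |
| i5-1140G7 | 4C / 8T | 8 | 1100 | 4200 | 4500 | 80 | 1100 | - | 4266 |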

Among the four vPro chips, everything except the top SKU is a new part. Along with promoting the high-end i7-1185G7 to vPro status, Intel is adding the i5-1145G7, which operates in the same 12-28W(ish) power range, albeit with reduced clockspeeds and fewer Xe GPU EUs than the i7. Meanwhile for Intel’s two “UP4” SKUs, with TDPs from 7 to 15 Watts, Intel has cooked up two new parts. At the top is the i7-1180G7, which replaces the i7-1160G7 as Intel’s flagship part for this TDP range, and boasts slightly higher clockspeeds in turn. Below that is the new i5-1140G7, which cuts back on clockspeeds as well as on the Xe GPU.

Notably, all of these SKUs are still relatively high-end, featuring 4 CPU cores and a “G7” GPU configuration, meaning at least 80 Xe EUs. Intel hasn’t posted pricing for the new SKUs, but given that they’re designed to go hand-in-hand with vPro, temper expectations accordingly.

From a performance standpoint, these new parts should be comparable to the existing Tiger Lake mobile SKUs that Intel launched last year. Intel treats vPro as its own platform as far as promotional material goes, so Intel is looking to sell new Tiger Lake vPro laptops to current customers on older hardware, as well as any customers who may be on the AMD alternative.

Finally, like Intel’s 10th Gen Comet Lake vPro platform, 11th Gen vPro can also be used in EVO-class laptops, which is Intel’s co-branding program for thin & light laptops with the latest features. vPro EVO laptops will have the same requirements regarding features such as Thunderbolt and CNVi-based Wi-Fi 6, as well as battery runtime.

New To 11th Gen vPro: Control-Flow Enforcement Technology & Hardware Counters

As previously mentioned, Intel’s Tiger Lake vPro platform is not purely a port of 10th Gen vPro’s features, but also includes a couple of new security features thanks to Tiger Lake. Chief among these is Control-Flow Enforcement Technology (CET), which Intel announced back in June of 2020.

At a high level, CET is designed to protect programs against Return Oriented Programming (ROP) and ROP-like code attacks. ROP attacks are frequently the exploit du jour these days, as via careful planning, they can use existing, signed code in a malicious manner by manipulating return addresses. This allows them to succeed in the face of techniques like the no-execute (NX) bit, which flags user-space code as non-executable.

To do this, Intel is implementing a pair of strategies: Indirect Branch Tracking (IBT) and the Shadow Stack (SS). The latter is arguably the more capable of the two, and also the easier to understand: since ROP attacks require modifying the stack memory, SS keeps a second copy of the stack that can’t be modified, thereby making it possible to catch when the two are in disagreement. Meanwhile, Indirect Branch Tracking is focused more on Call/Jump Oriented Programming attacks, which are similar in scope, but abuse call and jump instructions rather than returns. True to its name, IBT tracks indirect branches so that software can see if it’s being hijacked and sent to another memory address.
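
The two checks described above, as a small software model added here for illustration; it is not Intel's implementation and not code from the article. The function names, the addresses and the sample code bytes are constructed for the example; only the ENDBR64 encoding (F3 0F 1E FA) is the real instruction that marks a valid indirect-branch target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OK = 0, CP_FAULT = 1 };   /* CP_FAULT models the control-protection (#CP) exception */
typedef struct {
    uint64_t data[16];    /* ordinary stack: writable by the program, and by a bug */
    uint64_t shadow[16];  /* shadow stack: written only by model_call() */
    size_t sp, ssp;
} cpu_t;

/* CALL pushes the return address onto both stacks. */
static void model_call(cpu_t *c, uint64_t ret) {
    c->data[c->sp++] = ret;
    c->shadow[c->ssp++] = ret;
}

/* RET pops both copies and faults if they disagree. */
static int model_ret(cpu_t *c, uint64_t *target) {
    uint64_t from_data = c->data[--c->sp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_data != from_shadow) return CP_FAULT;
    *target = from_data;
    return OK;
}

/* IBT: the target of an indirect CALL/JMP must begin with ENDBR64. */
static const uint8_t ENDBR64[4] = {0xF3, 0x0F, 0x1E, 0xFA};
static int model_indirect_branch(const uint8_t *code, size_t len, size_t target) {
    if (target + sizeof ENDBR64 > len) return CP_FAULT;
    return memcmp(code + target, ENDBR64, sizeof ENDBR64) ? CP_FAULT : OK;
}

/* Constructed scenario: one call; `corrupt` overwrites the saved return address first. */
int run_return(int corrupt) {
    cpu_t c = {0}; uint64_t target = 0;
    model_call(&c, 0x401000);                   /* constructed return address */
    if (corrupt) c.data[c.sp - 1] = 0x402000;   /* constructed overwritten value */
    return model_ret(&c, &target);
}

/* Constructed code bytes: ENDBR64, NOP, RET, NOP, RET. */
static const uint8_t CODE[] = {0xF3, 0x0F, 0x1E, 0xFA, 0x90, 0xC3, 0x90, 0xC3};
int run_branch(size_t target) { return model_indirect_branch(CODE, sizeof CODE, target); }

int main(void) {
    printf("ret clean=%d corrupt=%d; branch entry=%d mid=%d\n", run_return(0), run_return(1), run_branch(0), run_branch(5));
    return 0;
}
```

In the model, only the return whose saved address was overwritten and the branch that lands in the middle of the function produce a fault; the untouched return and the branch to the ENDBR64 entry point pass.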

CET, in turn, will be the cornerstone of Windows’ upcoming Hardware-enforced Stack Protection capabilities. Of note, programs need to opt-in to this protection, so it won’t immediately fix all that ails CPUs in the world of security, but it’s something that is a promising layer of defense against an increasingly common class of attacks.

Finally, Tiger Lake comes with one more security upgrade for vPro: additional hardware CPU counters. In particular, Intel is looking to put an end to malicious cryptominers stealing hardware cycles, as well as other types of malware (e.g. ransomware) that have a similarly high CPU load. To do this, Intel is offering some new CPU performance counters, allowing threat detection software to identify these telltale CPU usage spikes and to take appropriate action.

Source: Intel


  • abufrejoval - Wednesday, January 13, 2021

    While I am glad shadow stacks and the other control flow integrity extensions are finally becoming available four years after the first published specification, I wonder if MKTME or per VM memory encryption is coming to end-user devices, too.

    AMD seems to reserve the feature to EPYCs, only, which I think is rather short sighted. The ability to run VMs in secured enclaves e.g. for corporate vs. private or banking/insurance/e-government/e-health/home-IoT etc. is going to be a key catalyst and differentiator.

    AFAIK the potential is all there in the silicon for Zen 3 and Intel's gen11 and it's BIOS and process limitations from now on to make it happen.

    MKTME may be an 'enterprise' class feature, but it takes secured enclaves on both sides to really make it happen. I see mobile SoCs picking up this feature and if the desktop wants to remain relevant, it needs to seed this capability, not put it behind a pay wall.
