Intel Technology Journal - Featuring Intel's recent research and development

ISSN 1535-864X DOI 10.1535/itj.1204.01

  • Volume 12
  • Issue 04
  • Published December 23, 2008

Intel® vPro™ Technology

  Section 6 of 10  

Extreme Programming with Intel® vPro™ Technology: Pushing the Limits with Innovative Software

Extreme Uses of Third-Party Data Storage

We saved the latest and most creative Intel® Active Management Technology (Intel® AMT) innovation for last. Third-party data storage (3PDS) is 192 KB of platform flash memory that can be read and written even while the computer is sleeping. Normally, when a computer sleeps, its hard drives and most of its system memory are powered off; the 3PDS flash is the only storage that remains awake and usable. One recreational use of this space would be to save a music file, put the computer to sleep, and stream the file to a music player while the computer sleeps; with only 192 KB available, however, the music would not play for long. More practical uses include storing an installed-software list, a backup location, or system diagnostic information in 3PDS, where it remains available for computer recovery. 3PDS also makes it possible to build a peer-to-peer file-transfer mesh network in which a computer with Intel vPro technology remains an active member of the mesh even while it is sleeping. Normally, peer-to-peer networks require all members to be fully powered on; in this usage scenario they do not.



Figure 7: Searching the partially sleeping mesh (Source: Intel Corporation)

Figure 7 shows how Intel AMT can be used to give a computer a presence on the mesh even while it is sleeping. First, mesh agent software is installed on every member of the peer-to-peer network. Each mesh agent stores in 3PDS its list of known mesh neighbors and its list of publicly available files. Because space is limited, only the metadata of the files that may be shared publicly is compressed and stored in 3PDS. Each member of the mesh can read the other members' neighbor and file lists, even when the computer being read is sleeping. Software can then discover all of the nodes by iteratively reading the list of peers from each computer. You can also search for a file and, when the file is found on a computer, wake that computer up to download the file. 3PDS access control also allows other members of the mesh to write newly discovered peer nodes into the flash. So that a bad mesh member cannot corrupt the network, locally checked peers are kept separate from remotely written, unverified peers.



Figure 8: Intel® AMT flash access control (Source: Intel Corporation)

In Figure 8, the flash memory is divided into three distinct blocks. Block A is written by the local agent and is read-only to all other users; this guarantees that no other node can tamper with this data. Block B is read/write to everyone and can carry information about new nodes, but it must not be trusted to contain correct information. Block C is visible only to the local agent and holds recovery information.
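The discovery walk of Figure 7 combined with the three-block policy of Figure 8, as an added example that is not code from the article or from the Intel AMT DTK. An in-memory Store stands in for each node's 3PDS (blocks A, B and C, with callers identified by the name of the node they run on), so the DTK storage calls are replaced by plain reads and writes; the crawler follows names found in both Block A and Block B but promotes a node from "hint" to "verified" only after reading that node's own Block A. The node names, file names and the JSON layout of the published lists are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Block names follow Figure 8: A is written only by the local agent and readable
// by everyone; B is read/write for everyone, so untrusted; C is visible only locally.
const BlockA, BlockB, BlockC = "A", "B", "C"
var ErrDenied = errors.New("3pds: access denied")

// Store stands in for one machine's 3PDS flash (constructed for this example;
// real 3PDS is reached through the Intel AMT DTK). A caller is identified by the
// node it runs on; only that node's own agent is local to its flash.
type Store struct {
	Owner  string
	Blocks map[string][]byte
}

// Read lets anyone read A and B; C is returned only to the owning agent.
func (s *Store) Read(caller, block string) ([]byte, error) {
	if block == BlockC && caller != s.Owner {
		return nil, ErrDenied
	}
	return s.Blocks[block], nil // nil when the block was never written
}

// Write lets anyone write B; A and C accept writes only from the owning agent.
func (s *Store) Write(caller, block string, data []byte) error {
	if block != BlockB && caller != s.Owner {
		return ErrDenied
	}
	s.Blocks[block] = data
	return nil
}

// Published is what an agent stores in its own Block A: neighbors and shareable files.
type Published struct{ Peers, Files []string }

// Crawl walks the mesh from seed on behalf of caller. Names in a node's Block A
// are that node's own statement; names in its Block B were written by remote
// members and are only hints. Both are followed, but a node is listed as verified
// only once its own Block A has been read; files maps each file to its verified holder.
func Crawl(mesh map[string]*Store, caller, seed string) (verified, unverified []string, files map[string]string) {
	files = map[string]string{}
	seen := map[string]bool{seed: true}
	for queue := []string{seed}; len(queue) > 0; queue = queue[1:] {
		name := queue[0]
		store, ok := mesh[name]
		var pub Published
		if ok {
			raw, err := store.Read(caller, BlockA)
			ok = err == nil && json.Unmarshal(raw, &pub) == nil
		}
		if !ok { // unreachable, or no usable Block A: not a mesh member
			unverified = append(unverified, name)
			continue
		}
		verified = append(verified, name)
		for _, f := range pub.Files {
			files[f] = name
		}
		candidates := pub.Peers
		var hints []string
		if raw, err := store.Read(caller, BlockB); err == nil && json.Unmarshal(raw, &hints) == nil {
			candidates = append(candidates, hints...)
		}
		for _, c := range candidates {
			if !seen[c] {
				seen[c] = true
				queue = append(queue, c)
			}
		}
	}
	return verified, unverified, files
}

// BuildMesh constructs the sample: three agents publish Block A; n2 then hints into n1's Block B (one real node, one bogus).
func BuildMesh() map[string]*Store {
	mesh := map[string]*Store{}
	add := func(node string, pub Published) {
		raw, _ := json.Marshal(pub)
		mesh[node] = &Store{Owner: node, Blocks: map[string][]byte{BlockA: raw}}
	}
	add("n1", Published{[]string{"n2"}, []string{"installed.txt"}})
	add("n2", Published{[]string{"n1"}, []string{"notes.txt"}})
	add("n3", Published{[]string{"n2"}, []string{"song.mp3"}})
	hint, _ := json.Marshal([]string{"n3", "ghost"})
	_ = mesh["n1"].Write("n2", BlockB, hint) // n2 may write n1's Block B, never its A or C
	return mesh
}

func main() {
	v, u, files := Crawl(BuildMesh(), "n2", "n1")
	fmt.Println("verified:", v, "unverified hints:", u, "song.mp3 on:", files["song.mp3"])
}
```

Run from a remote member's point of view (caller "n2"), n3 is reached only through the hint that n2 wrote into n1's Block B, yet it ends up verified because its own Block A was read, while "ghost" stays unverified; a remote Write to Block A and a remote Read of Block C both return ErrDenied. That is the separation the text asks for: data a remote member wrote is used to find nodes, never to vouch for them.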

// First, make sure the enterprise entry exists in 3PDS (add it if it does not)
AmtEnterprise[] enterprises = computer.Storage.GetEnterpriseEntries();
bool found = false;
foreach (AmtEnterprise enterprise in enterprises)
{
    if (enterprise.Name.CompareTo("Intel") == 0) found = true;
}
// Only add the entry when it is missing, and fail only if the add itself fails
if (!found && computer.Storage.AddEnterpriseEntry("Intel") == null) return false;

// Now, make sure the mesh application is in the preferred partner list
computer.Storage.GetRegisteredApplications(); // refresh the application registry; the return value is not needed here
AmtStorageAlloc[] allocs = computer.Storage.GetStorageAllocations();
found = false;
foreach (AmtStorageAlloc alloc in allocs)
{
    if (alloc.SnrpEntryVendorName.CompareTo("Intel") == 0 && alloc.SnrpEntryApplicationName.CompareTo("Mesh") == 0) found = true;
}
// Allocate the whole 192 KB (196608 bytes) to Intel/Mesh if no allocation exists yet
if (!found && computer.Storage.AddStorageFpaclEntry("Intel", "Mesh", 196608) == null) return false;

Figure 9: Initial setup of 3PDS (Source: Intel Corporation)

// "localBlock" is a byte[] containing data to be written

// Log into 3PDS as enterprise "Intel", vendor "Intel", application "Mesh"; the GUID identifies the local agent's block
AmtStorageWrapper storage = new AmtStorageWrapper(computer, "Intel", "Intel", "Mesh", new Guid(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1));
if (storage.Connect() != AmtStorageWrapper.AmtStorageStatus.SUCCESS) return false;

// Get the list of local blocks & compute the target block size in bytes, rounded up to a multiple of 4096
AmtStorageBlock[] blocks = storage.GetOwnBlockList();
uint blocksize = (uint)(localBlock.Length / 4096) * 4096;
if (blocksize < localBlock.Length) blocksize += 4096;

// Reuse the existing block only if there is exactly one and it already has the right size
AmtStorageBlock ablock = null;
if (blocks.Length != 1 || blocks[0].Size != blocksize)
{
    // Clear all local blocks
    foreach (AmtStorageBlock block in blocks) block.Remove();

    // Allocate a new block
    storage.AllocateBlock("MeshData", blocksize, out ablock);

    // Default permissions: one read/write group and one read-only group
    AmtStorageWrapper.AmtStoragePermissionsGroup group1, group2;
    ablock.AddPermissionGroup(AmtStorageWrapper.AmtStorageGroupPermission.ReadWrite, "ReadWriteGroup", out group1);
    ablock.AddPermissionGroup(AmtStorageWrapper.AmtStorageGroupPermission.ReadOnly, "ReadOnlyGroup", out group2);
    // Only the member identified by 0xFFFFFFF1 joins the read/write group, so the block stays read-only for everyone else (Block A in Figure 8)
    ablock.AddPermissionsGroupMembers(group1, new uint[] { 0xFFFFFFF1 });
    ablock.SetVisibility(false);
}
else
{
    // Use the existing block
    ablock = blocks[0];
}

// Write the block
ablock.WriteBlock(localBlock);

Figure 10: Locally writing to 3PDS and setting permissions (Source: Intel Corporation)

// Get registered Applications
AmtApplication[] apps = computer.Storage.GetRegisteredApplications();
foreach (AmtApplication app in apps)
{
    if (app.EnterpriseName.CompareTo("Intel") == 0 && app.VendorName.CompareTo("Intel") == 0 && app.ApplicationName.CompareTo("Mesh") == 0)
    {
        if (app.UUID.CompareTo(new Guid(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1)) == 0)
        {
            // This is a local block
            AmtStorageBlock[] lblocks = computer.Storage.GetStorageBlocks(app);
            if (lblocks != null && lblocks.Length > 0) localBlock = lblocks[0].ReadBlock();
        }
        else if (app.UUID.CompareTo(new Guid(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)) == 0)
        {
            // This is a remote block
            AmtStorageBlock[] rblocks = computer.Storage.GetStorageBlocks(app);
            if (rblocks != null && rblocks.Length > 0) remoteBlock = rblocks[0].ReadBlock();
        }
    }
}


Figure 11: Remotely reading the 3PDS local and remote blocks (Source: Intel Corporation)

Figures 9, 10, and 11 show, in order, a sample setup, a local write of Block A with its permission setup, and a remote read of the data, all using the C# DTK stack. Figure 9 shows the setup that 3PDS requires before it can be used at all; this setup must be performed remotely. Figure 10 writes data locally into 3PDS Block A, and Figure 11 reads both Block A and Block B from 3PDS.

Another interesting application of this mesh network concept is a new way to provision Intel AMT, in which each computer provisions itself. First, add a TCP reflector to each mesh node; this lets a computer use the reflector to connect to its own Intel AMT and provision itself. Then distribute the public portion of a trusted administrator certificate throughout the mesh. Each computer encrypts its own Intel AMT administrator account password with this administrator certificate and stores the encrypted result in its own 3PDS flash memory.



Figure 12: Certificate-protected Intel® AMT password (Source: Intel Corporation)

Figure 12 shows how every member of the mesh can read the encrypted administrator password of every computer in the mesh, but only the administrator holding the certificate's private key can decrypt the Intel AMT administrator password of any of them.

In a model in which each computer administers its own Intel AMT, the OS may be wiped and reinstalled, and the local copy of the Intel AMT password is lost with it. 3PDS can prevent this loss in one more creative and useful way: a hidden 3PDS recovery block (Block C in Figure 8). This block is visible only locally, and the mesh agent stores the Intel AMT administrator password and other general mesh information in it. If the agent is reinstalled after a complete disk replacement and OS reinstall, it can resume where it previously left off. Such a 3PDS recovery block has many other uses as well.
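The password protection of Figure 12, as an added example in Go that is not code from the article or from the DTK: the administrator generates an RSA key and a self-signed certificate, each node encrypts its own Intel AMT administrator password to the certificate's public key with RSA-OAEP, and only the holder of the private key can recover it. Two details are additions of this example rather than the article's design: the agent pins the certificate's SHA-256 fingerprint (assumed to be delivered out of band at install time) before trusting a copy received through the mesh, since the same untrusted Block B that carries peer hints could just as easily carry a rogue certificate, and the OAEP label ties each ciphertext to a hostname so that a sealed password copied from one node's flash to another's does not decrypt as the other node's. The hostname and password values are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewAdminCert generates the administrator's RSA key and a self-signed X.509
// certificate. Only the DER certificate is distributed through the mesh; the
// private key stays on the administrator's machine.
func NewAdminCert() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Intel AMT mesh administrator"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, err
}

// Fingerprint is the SHA-256 of the DER certificate. Each agent pins this value
// (assumed here to be obtained out of band) so that a mesh member cannot swap in
// its own certificate and harvest every node's password.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// label binds a ciphertext to the machine that produced it: a sealed password
// copied into another node's 3PDS will not open under that node's name.
func label(hostname string) []byte { return []byte("amt-admin-password:" + hostname) }

// SealPassword runs on each mesh node: check the distributed certificate against
// the pin, then encrypt this machine's Intel AMT administrator password to the
// certificate's public key with RSA-OAEP. The result is what the agent writes
// into its world-readable 3PDS block.
func SealPassword(certDER []byte, pinnedFP, hostname, password string) ([]byte, error) {
	if Fingerprint(certDER) != pinnedFP {
		return nil, errors.New("administrator certificate does not match the pinned fingerprint")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("administrator certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), label(hostname))
}

// OpenPassword runs only where the private key lives. Any mesh member can read
// the sealed bytes from 3PDS, but without the key they are useless.
func OpenPassword(priv *rsa.PrivateKey, hostname string, sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, label(hostname))
	return string(pt), err
}

func main() {
	priv, der, err := NewAdminCert()
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(der) // in practice installed on each node before it joins the mesh
	sealed, err := SealPassword(der, pin, "node-17", "Admin!Pass42") // constructed values
	if err != nil {
		panic(err)
	}
	pw, err := OpenPassword(priv, "node-17", sealed)
	fmt.Printf("sealed %d bytes; administrator recovered %q (err=%v)\n", len(sealed), pw, err)
}
```

A second administrator key, a different hostname label, or a certificate whose fingerprint does not match the pin all fail closed: the first two because OAEP decryption rejects the ciphertext, the third before any encryption happens. The private key is what the article's recovery story depends on, so it belongs with the administrator, not in any 3PDS block.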

Depending on how computers are meshed, peer-to-peer mesh networks can scale from small-business networks with a few computers to large enterprises with thousands of computers. Note that Intel AMT cannot handle many concurrent connections, so thorough testing is required before peer-to-peer networks are deployed on larger networks. Many highly scalable mesh networks are deployed on the Internet, but such solutions require a great deal of development and testing to work correctly.

