Intel Launches 11th Gen vPro For Tiger Lake Mobile CPUs, Adds CET Security Tech

Among Intel’s CES 2021 announcements this afternoon, the chip giant is using the annual show to launch their updated vPro platform for their latest-generation “Tiger Lake” Core processors. vPro is Intel’s advanced security and manageability technologies for business use, and it is one of the company’s major differentiating features for corporate environments, particularly tightly-managed enterprise installations. Essentially the business-focused offshoot of the Core lineup, Intel typically rolls out an updated vPro platform few months after a new generation of Core CPUs is released, and once again Intel is right on schedule with today’s release.

As a quick refresher, vPro combines Intel’s corporate management and security technologies under a single umbrella. So this includes features such as Intel’s Active Management Technology (AMT) as well as well as security functionality, which these days Intel combines into their Intel Hardware Shield and covers things such as Intel’s Trusted Execution Technology (TXT) and hardware memory encryption. Overall, vPro is not a specific Intel hardware product, but rather is a platform-within-a-platform from Intel, enabled by combining supported CPUs and chipsets into a complete system with an appropriate BIOS – essentially a form of upselling for businesses.

For the latest iteration of the platform, Intel is both bringing vPro forward to cover their 11^th generation Tiger Lake processors, as well as introducing some new vPro functionality. In particular, the Tiger Lake generation will see the implementation of Intel’s previously-announced Control-Flow Enforcement Technology (CET), which as alluded to by the name, hardens the instruction flow within a system to prevent hijacking (exploiting security vulnerabilities) by malware.

Starting things off on the hardware side of matters, Intel is releasing some new Tiger Lake mobile CPU SKUs as well as promoting some other, existing SKUs to being vPro-capable. All of these are based on the same silicon that Intel has been minting for the last several months, but are officially enrolled as part of the vPro platform. Meanwhile, since Intel has only launched their 28W-and-under Tiger Lake UP3/UP4 chips so far, this is a pretty brief list at the moment, but expect it in time to be expanded to cover Intel’s 35W/45W chips as well, once those hit the market.

Among the four vPro chips, everything except the top SKU is a new part. Along with promoting the high-end i7-1185G7 to vPro status, Intel is adding the i5-1145G7, which operates in the same 12-28W(ish) power range, albeit with reduced clockspeeds and fewer Xe GPU EUs than the i7. Meanwhile for Intel’s two “UP4” SKUs, with TDPs from 7 to 15 Watts, Intel has cooked up two new parts. At the top is the i7-1180G7, which replaces the i7-1160G7 as Intel’s flagship part for this TDP range, and boasting slightly higher clockspeeds in turn. Below that is the new i5-1140G7, which cuts back on clockspeeds as well as on the Xe GPU.

Notably, all of these SKUs are still relatively high-end, featuring 4 CPU cores and a “G7” GPU configuration, meaning at least 80 Xe EUs. Intel hasn’t posted pricing for the new SKUs, but given that they’re designed to go hand-in-hand with vPro, temper expectations accordingly.

From a performance standpoint, these new parts should be comparable to the existing Tiger Lake mobile SKUs that Intel launched last year. Intel treats vPro as its own platform as far as promotional material goes, so Intel is looking to sell new Tiger Lake vPro laptops to current customers on older hardware, as well as any customers who may be on the AMD alternative.

Finally, like Intel’s 10^th Gen Comet Lake vPro platform, 11^th Gen vPro can also be used in EVO-class laptops, which is Intel’s co-branding program for thin & light laptops with the latest features. vPro EVO laptops will have the same requirements regarding features such as Thunderbolt and CNVi-based Wi-Fi 6, as well as battery runtime.

New To 11^th Gen vPro: Control-Flow Execution Technology & Hardware Counters

As previously mentioned, Intel’s Tiger Lake vPro platform is not purely a port of 10^th Gen vPro’s features, but also includes a couple of new security features thanks to Tiger Lake. Chief among these is Control-Flow Execution Technology (CET), which Intel announced back in June of 2020.

At a high level, CET is designed to protect programs against Return Oriented Programming (ROP) and ROP-like code attacks. ROP attacks are frequently the exploit du jour these days, as via careful planning, they can use existing, signed code in a malicious manner by manipulating return addresses. This allows them to succeed in the face of techniques like the no-execute (NX) bit, which flags user-space code as non-executable.

To do this, Intel is implementing a pair of strategies: Indirect Branch Tracking (IBT) and the Shadow Stack (SS). The latter of which is arguably the most capable, and also the easiest to understand: since ROP attacks require modifying the stack memory, SS keeps a second copy of the stack that can’t be modified, thereby making it possible to catch when the two are in disagreement. Meanwhile Indirect Branch Tracking is focused more on Call/Jump Oriented Programming attacks, which are similar in scope, but abuse call and jump instructions rather than returns. True to its name, IBT tracks indirect branches so that software can see if it’s being hijacked and sent to another memory address.

CET, in turn, will be the cornerstone of Windows’ upcoming Hardware-enforced Stack Protection capabilities. Of note, programs need to opt-in to this protection, so it won’t immediately fix all that ails CPUs in the world of security, but it’s something that is a promising layer of defense against an increasingly common class of attacks.

Finally, Tiger Lake comes with one more security upgrade for vPro: additional hardware CPU counters. In particular, Intel is looking to put an end to malicious cryptominers stealing hardware cycles, as well as other types of malware (e.g. ransomware) that has a similar high CPU load. To do this, Intel is offering some new CPU performance counters, allowing threat detection software to identify these telltale CPU usage spikes and to take appropriate action.

Source: Intel

Related Reading

• Interview with Intel CEO Bob Swan
• Intel at CES 2021: Overview
• Intel at CES 2021: Press Event Live Blog
• Intel Ice Lake Xeon in Production
• Intel 11^th Gen Desktop Rocket Lake Core i9-11900K ‘Preview’
• Intel 11^th Gen Tiger Lake-U Boosted to 35W
• Intel 11^th Gen Tiger Lake-H with 8 cores
• Intel 11^th Gen Tiger Lake Goes vPro
• Intel’s Next Gen Tremont Atom in Jasper Lake for Q1