Darren Reed wrote:
> Some further questions...
>
> Can the status of ME be controlled from Solaris via dladm?

Not with the current implementation. ME isn't a networking device, per se. Please send suggestions to our project alias, intel-amt-iteam at sun.com, with requirements from dladm.

> If not, what plans are there for managing it - only through
> the LMS daemon?
>

It is intended to be managed by system management applications which understand the WSMAN protocol (XML/SOAP based), so yes, the current implementation is to go through the daemon. For additional information on WSMAN see http://www.dmtf.org/standards/wsman

> How do we observe the operational status of the ME?
>

Also through the WSMAN protocol. See Intel's usage of WSMAN from http://communities.intel.com/openport/blogs/proexpert/2007/09/28/adding-wsman-support-to-intel-amt-commander

Additionally, we can write our own tools but that's phase II of the project. Good point, Darren.

> And most importantly...
>
> How does someone disable the ME on the card when a
> security vulnerability in it is found?
>

Each Intel AMT device must be provisioned with at least one username/password pair. Additionally, AMT supports Kerberos v5 (RFC 1510). Not running Solaris, you can turn off ME from most of the PC BIOSes that we've seen. There are some PCs where ME is not allowed to be disabled at all from the BIOS, which could be a security hole once a vulnerability is found. However, this is beyond the scope of this project.

-- David Chieu

> Darren
>
