The Intel® Converged Security and Management Engine (Intel® CSME) firmware is the root of trust for the Trust Computing Base (TCB) of Intel® architecture-based systems. When the Intel® firmware in a system is updated with new Intel CSME firmware with incremented Secure Version Number (SVN), the Intel® Enhanced Privacy ID (Intel® EPID) group is changed and a re-key process is required to recover TCB trust.
The re-key process is performed automatically by the Capability Licensing Service (iCLS) software service that is running on the client machine (This software is delivered with the Intel® Management Engine (Intel® ME) / Intel® Trusted Execution Engine (Intel® TXE) software package.) When a re-key process is needed, the end-user system auto-connects to Intel back-end servers, where the local iCLS service communicates to the back end to perform TCB recovery, creating new Intel EPID key and completing the re-key process. Once TCB Recovery is successfully completed, the platform will contain a new Intel EPID key; re-provisioning is not needed.
Note:The iCLS local service requires an internet connection to connect to the iCLS server for performing the re-key process. This connection uses standard TLS over port 443. If the end user system is inside an intranet (e.g., IT organization), you may need to provide a proxy to allow iCLS to properly connect to the Intel iCLS server back end over the internet. This can be achieved by editing the “%ProgramData%\Intel\iCLS Client\conf\iclsProxy.conf” file, or by setting up a proxy in Windows*. (Starting with iCLS version 126.96.36.199 and above, all supported proxy detection settings (autoproxy scripts configuration and autoproxy detection) are enabled. In previous iCLS versions, only manual proxy setting is supported.)