Intel AMT and KVM Remote Control

**Disclaimer: This blog is very old and may not be relevant anymore. It lives for historical purposes. For up-to-date information about Intel vPro Technology, visit the Business Client Home Page. (June 2013)**

Intel® vPro™ technology now adds the capability to do KVM Remote Control out of band.  Now an IT Professional can remotely control the keyboard, video, and mouse (KVM) of a system with Intel AMT 6.0. 

For those of you who have been anxiously awaiting the release of Intel® Active Management Technology 6.0 which includes KVM Remote Control, you probably already know that the 6.0 version of the SDK is out on our Community Site and you might have even started trying it out.  You might also be interested in viewing two short videos created by RealVNC showing how the new KVM Remote Control feature works (hence the need for fuzzy slippers and popcorn!)   The videos are included in an article that discusses Out-of-band KVM, Remote Reboot, Remote Power On/Off, IDE Redirection and Security.

Here is a quick overview of KVM Remote Control:

KVM is a means for controlling a platform remotely using a remote keyboard and mouse and being able to see the managed platform’s screen output at a remote monitor. KVM stands for Keyboard, Video and Mouse. Usually the term KVM is associated with an analog switchbox that selects the KVM connectors of one of several managed platforms and routes them to a single connector where a keyboard, mouse, and video monitor are connected. While this described KVM architecture applies to short distances using analog cables, KVM over IP, or networked KVM, is a means for controlling a platform from a distant management console.

Starting with Release 6.0, Intel AMT adds remote KVM (over IP) to the existing redirection features Serial Over LAN (SOL) and Redirected IDE (IDE-R). The KVM capability is enabled in the same way that SOL/IDE-R is enabled – with network administration commands. KVM first must be enabled in the Intel MEBx and the listener enabled (as with SOL/IDE-R) before it can be enabled remotely.

Protocol:  KVM Remote Control is based on the RealVNC Limited* Remote Frame Buffer (RFB) protocol. In fact, off-the-shelf viewers based on the RFB protocol work in conjunction with Intel AMT without modification.

User Consent:  The Intel AMT implementation includes an option in the MEBx for “user opt-in”: When a remote console initiates a KVM session, the local PC user must agree to allow remote KVM before the session can start.

Intel AMT KVM Remote Control Features:

  • KVM can be enabled or disabled remotely, unless KVM is disabled via the MEBx.
  • Intel AMT can accept a KVM connection on the IANA-defined VNC port (5900) or on the Intel AMT redirection ports (16994/5). The connection on the 5900 port requires only the RFB password for authentication, while the redirection ports add the usual Intel AMT authentication mechanisms.
  • The KVM server supports RFB versions 3.8 or before and version 4.0. RFB version 4.0 offers some performance, usability and extensibility enhancements.
  • Intel AMT emulates a standard USB keyboard and mouse. Note that the local keyboard and mouse at the platform supporting Intel AMT are still active during a KVM session.
  • When PC user opt-in is enabled, the firmware generates a “sprite” (a pop-up graphic displayed to the PC user directly, even if the graphics driver is disabled) with a one-time password (OTP) that the KVM client must send to complete establishment of a session. The PC user has to tell the IT operator what the password is, say, by telephone or text message. Note that any sprites displayed to the local operator are not echoed to the KVM client.
  • The Intel AMT Access Monitor feature can record the following auditable KVM events in the Access Monitor Audit Log:
      • A KVM session started or ended
      • KVM was enabled or disabled
      • VNC password authentication failed three times in a row
      • KVM Opt-in was enabled or disabled
      • KVM password was changed
      • KVM operator consent succeeded
      • KVM operator consent failed three times in a row
  • If there is no connection activity (no keyboard or mouse input) for a configurable, pre-defined period, the server on the PC drops the connection.
  • There can be only one RFB session per server (i.e. per Intel AMT-enabled PC) at a time.
  • If there are three consecutive failed login attempts, Intel AMT delays subsequent attempts and logs the occurrence.
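The session rules in the list above (RFB password check, user opt-in with a one-time password, a single session per server, an idle drop, and a delay plus audit entry after three consecutive failures) fit together into a small state machine. The following is an added example, not code from the original post or from Intel: it models that policy, emits the audit events the post lists, and ends with a triage function that picks out the entries an operator would want to review. The class and function names, the lockout delay, the idle period and the OTP value are constructed for illustration and are not Intel AMT values.

```python
"""Model of the KVM server connection policy described in the post, plus audit-log triage.
Constructed example: event strings come from the post; everything else is assumed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Auditable KVM events, as listed in the post
EV_SESSION_STARTED = "A KVM session started"
EV_SESSION_ENDED = "A KVM session ended"
EV_KVM_ENABLED = "KVM was enabled"
EV_KVM_DISABLED = "KVM was disabled"
EV_AUTH_FAILED_3X = "VNC password authentication failed three times in a row"
EV_OPTIN_ENABLED = "KVM Opt-in was enabled"
EV_OPTIN_DISABLED = "KVM Opt-in was disabled"
EV_CONSENT_OK = "KVM operator consent succeeded"
EV_CONSENT_FAILED_3X = "KVM operator consent failed three times in a row"

LOCKOUT_DELAY = 60    # seconds to delay attempts after three failures (assumed value)
IDLE_TIMEOUT = 300    # "configurable pre-defined period" of no input (assumed value)


@dataclass
class KvmServer:
    rfb_password: str
    opt_in: bool = True
    enabled: bool = True
    audit_log: List[Tuple[int, str]] = field(default_factory=list)
    session_active: bool = False
    consecutive_failures: int = 0
    consent_failures: int = 0
    locked_until: int = 0
    last_activity: int = 0
    pending_otp: Optional[str] = None

    def _log(self, ts, event):
        self.audit_log.append((ts, event))

    def _start(self, ts):
        self.session_active = True
        self.last_activity = ts
        self._log(ts, EV_SESSION_STARTED)
        return "started"

    def login(self, ts, password):
        """RFB password step (port 5900). Returns one of: rejected, delayed, busy, consent, started."""
        if not self.enabled:
            return "rejected"
        if ts < self.locked_until:          # three failures earlier: subsequent attempts are delayed
            return "delayed"
        if self.session_active:             # only one RFB session per server at a time
            return "busy"
        if password != self.rfb_password:
            self.consecutive_failures += 1
            if self.consecutive_failures == 3:
                self._log(ts, EV_AUTH_FAILED_3X)
                self.locked_until = ts + LOCKOUT_DELAY
                self.consecutive_failures = 0
            return "rejected"
        self.consecutive_failures = 0
        if self.opt_in:
            self.pending_otp = "482913"     # constructed OTP; the firmware shows it in the sprite
            return "consent"
        return self._start(ts)

    def consent(self, ts, otp):
        """OTP the client must send after the local user has read it to the operator."""
        if self.pending_otp is None:
            return "rejected"
        if otp != self.pending_otp:
            self.consent_failures += 1
            if self.consent_failures == 3:
                self._log(ts, EV_CONSENT_FAILED_3X)
                self.consent_failures = 0
                self.pending_otp = None
            return "rejected"
        self.consent_failures = 0
        self.pending_otp = None
        self._log(ts, EV_CONSENT_OK)
        return self._start(ts)

    def activity(self, ts):
        if self.session_active:
            self.last_activity = ts

    def tick(self, ts):
        """Drop the session once there has been no keyboard/mouse input for IDLE_TIMEOUT."""
        if self.session_active and ts - self.last_activity >= IDLE_TIMEOUT:
            self.end(ts)

    def end(self, ts):
        if self.session_active:
            self.session_active = False
            self._log(ts, EV_SESSION_ENDED)

    def set_enabled(self, ts, on):
        self.enabled = on
        self._log(ts, EV_KVM_ENABLED if on else EV_KVM_DISABLED)

    def set_opt_in(self, ts, on):
        self.opt_in = on
        self._log(ts, EV_OPTIN_ENABLED if on else EV_OPTIN_DISABLED)


# Entries worth a second look: lockouts, and weakening of the user-consent control
ALERT_EVENTS = {EV_AUTH_FAILED_3X, EV_CONSENT_FAILED_3X, EV_OPTIN_DISABLED}


def triage(audit_log):
    return [(ts, ev) for ts, ev in audit_log if ev in ALERT_EVENTS]


def demo():
    srv = KvmServer(rfb_password="correct-horse")
    results = [srv.login(t, "guess") for t in (1, 2, 3)]   # three bad passwords -> lockout logged
    results.append(srv.login(4, "correct-horse"))            # delayed even with the right password
    results.append(srv.login(70, "correct-horse"))           # after the delay: waits for user consent
    results.append(srv.consent(71, "482913"))                # OTP relayed by the PC user
    results.append(srv.login(72, "correct-horse"))           # second connection refused: one session only
    srv.tick(72 + IDLE_TIMEOUT)                              # no input -> connection dropped
    return results, srv.audit_log
```

Running `demo()` walks through a lockout, a delayed retry, an opt-in session, a refused second connection and an idle drop; `triage()` then returns only the lockout entry, which is the kind of audit event an Access Monitor consumer would forward to a SIEM.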

Choosing a Display Mode:

The RealVNC API library supports two ways to display the screen being viewed remotely:

    • Default desktop mode – the server library detects display changes and returns them to the client, which will display the results locally.

    • Graphics drawing mode – the server returns bitmap changes to the client application which then needs to use local graphics functions to paint the pixels to the screen.

The default desktop mode has better performance and is used by standalone viewers.

An embedded viewer integrated into a GUI application or displayed in a web browser will need to use the graphics drawing mode. This is necessary as the client library does not have full control of the view space.

Secure Session Support:

If the Intel AMT device supports TLS, the KVM proxy or user application can establish a TLS session with it before opening a KVM session, so that all relevant network communications are protected.

The KVM proxy library uses OpenSSL version 0.9.8k.

From the TLS protocol point of view, the Intel AMT device is an SSL server and the KVM client is an SSL client. When establishing a TLS session, the client attempts to verify the validity of the SSL certificate it receives from the Intel AMT device. In order to perform the verification, the library must be provided with trusted Certification Authority (CA) certificates that were used to sign the SSL server-provided certificate. The location of the trusted CA certificates is passed to the proxy library using the KVM_Init() or KVM_SetCertificates() function or via the certificates option in the tray icon GUI or the sample control application GUI. If this file name is not provided, the application may not be able to verify SSL certificates, and thus will not be able to establish TLS sessions.
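The same trust model in a client that does not use the Intel proxy library, as an added example that is not code from the post or from Intel: the device is the TLS server, the client is handed the CA certificate that signed the device certificate, and when no CA file is supplied the client refuses to proceed rather than fall back to an unverified session, which is the failure the post warns about. The function names and the port constant are assumptions; the port is the TLS variant of the redirection port pair the post mentions.

```python
"""Verifying TLS client context for the Intel AMT redirection port. Constructed example;
function names are assumptions, not the Intel KVM proxy library's KVM_Init()/KVM_SetCertificates()."""
import socket
import ssl

AMT_REDIRECTION_TLS_PORT = 16995   # TLS member of the 16994/16995 redirection port pair


def kvm_tls_context(cafile):
    """Build a client context that trusts only the supplied CA bundle (no system roots)."""
    if not cafile:
        # Without the CA certificates the device certificate cannot be verified,
        # so refuse to build a context instead of silently skipping verification.
        raise ValueError("a trusted CA certificate file is required to verify the Intel AMT device")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname are on by default
    ctx.load_verify_locations(cafile=cafile)        # raises FileNotFoundError if the path is wrong
    return ctx


def context_error(cafile):
    """Return the exception class name raised for a bad CA setting, or None if the context was built."""
    try:
        kvm_tls_context(cafile)
    except (ValueError, OSError) as exc:
        return type(exc).__name__
    return None


def open_kvm_tls(host, cafile, port=AMT_REDIRECTION_TLS_PORT, timeout=5.0):
    """Open a verified TLS socket to the device; the RFB handshake would then run over it."""
    ctx = kvm_tls_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname must match the name in the device certificate for verification to pass
    return ctx.wrap_socket(raw, server_hostname=host)
```

`open_kvm_tls("amt-client.example", "/path/to/amt-ca.pem")` (placeholder host and path) yields a socket only if the device presents a certificate chaining to that CA and naming that host; any other outcome is an exception, not a downgraded session.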

Additional Intel AMT Support for KVM:

EAC posture: The NAC and NAP posture formats are extended to include an indication showing whether KVM is enabled or disabled.

IMSS:  IMSS (tray icon) has the following features in support of KVM:

    • It displays the enabled/disabled status of the KVM feature.

    • It indicates if there is an active KVM session.

    • It notifies the user that a KVM session is starting and provides an option to stop the session.

    • It allows selecting the language of the “opt-in” sprite, within the limits that the Intel AMT firmware supports.

    • It enables setting the size of the sprite screen.

Finally, when would we want to use the KVM Remote Control feature?

KVM is useful when the host processor is or will be active and a remote IT operator wants to control the client platform. For example,

    • The platform displays a blue screen and the IT operator wants to see it.

    • The operating system is unresponsive or is in repair mode, so other remote display applications that run using the operating system are not available.

    • The platform is “asleep” (S3 state) and the IT operator wishes to wake up the platform and work with it.

    • The platform needs to be booted, and requires a combination of BIOS (text) and operating system (graphics) interaction. The IT operator can observe the full flow when rebooting.

That's all I've got for now!
