Intel AMT & USB Key Problem

Hello!

I have set up a lab environment to examine the iAMT features and possibilities. I have prepared a USB key for PSK with the usbfile tool. The command was: usbfile -create setup.bin admin Admin22@ -v 1 -rpsk
With IntelUSBKeyProvisioningUtility I have written the setup.bin to a 128MB USB stick. I have reset the BIOS and still the AMT won't recognize the USB key. What did I do wrong?

Motherboard: Asus P5E-VM DO
I took the usbfile.exe from Intel AMT SDK 6.0

USBKey ProvisioningUtility 1.0.866.1
The BIOS is updated to the newest version.

MEBx-Version: v3.0.2.0004

I don't have any option for USB provisioning in the BIOS.

Thanks much for help!

P.S. Sorry for my bad English, but I'm from Germany!


Hi Kasi,

You can do PSK provisioning with the 2.0 and 2.1 versions of the setup.bin file, so I would suggest that you change the file version to 2.1 when you create the file. The BIOS has to recognize the GUID in the file before it will read the data and give it to the MEBx. In version 2.0, the GUID for the file changed, so some BIOSs don't recognize the ver 1.0 GUID, but they do recognize the 2.x GUID.

Regards,
Roger

Quoting rogerb:

Hi Kasi,

You can do PSK provisioning with the 2.0 and 2.1 versions of the setup.bin file, so I would suggest that you change the file version to 2.1 when you create the file. The BIOS has to recognize the GUID in the file before it will read the data and give it to the MEBx. In version 2.0, the GUID for the file changed, so some BIOSs don't recognize the ver 1.0 GUID, but they do recognize the 2.x GUID.

Regards,
Roger

Hello Roger!

Thanks for your response, but the MEBx still doesn't recognize the setup.bin. I've tried it with every version (1/2/2.1/3). But still another question: Are you sure that PSK provisioning only functions with 2.0 and 2.1? I ask because you can still create a random PSK in version 1. I know that PKI provisioning only functions with 2.0 and later.

Hope somebody can help me with my problem.

Greetings,
Kasi

Hi Kasi,

Each version of the provisioning file supports PSK provisioning, but when the version changed to 2.0, the GUID for the file changed. The BIOS has to read the USB key, extract the data from the key, and submit the data to the MEBx through the HECI interface. Some BIOSs don't recognize the version 1 GUID correctly, so they don't extract the data and submit it to the ME. I've always just used the "create_usb_file.bat" batch file to generate the setup.bin file. Also, the specification for provisioning actually specified that the setup.bin file has to be the first file on the key, so if you have other data on the key it might be interfering with the process.

Regards,
Roger

Hello!

I don't have any other data on the USB stick. I use the USBKey Provisioning Tool, which formats the USB stick and then puts the setup.bin on the stick. I thought it could be a problem with the motherboard? But on Asus there isn't any information about AMT...

Greetings,
Kasi

Does nobody have any idea what the problem is?

How exactly are you trying to create the USB key? In your original post, you said that you used the USBFILE tool to create the setup.bin. That tool doesn't format the key. Did you format the key, or did you use the provided batch file to force the key to be formatted? The SETUP.BIN file must be the first file on the key. If it isn't, then the BIOS isn't going to be able to validate that the key is used for provisioning. Did you make sure that there weren't any hidden/system files on the key?

Regards,
Roger

Hey Kasi33,

As Rogerb has noted before, there can be several issues with the USB key:

1. The BIOS must support the USB provisioning method. It is the BIOS's responsibility to recognize that there is a USB drive attached, to search for the "setup.bin" file and to read the relevant record from the file. Only then does it pass control to the MEBx for processing the data.
2. The USB drive must be formatted as FAT16 (if it is FAT32 or NTFS, most BIOS won't recognize it).
3. The file must be called "setup.bin" (seems to be o.k. in your case).
4. The file must contain at least one valid record (you can run "USBFile.exe -view setup.bin" to verify this is the case).
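
The on-disk conditions named in this thread (FAT16 volume, setup.bin as the first root-directory entry, no hidden/system files) can be checked offline against a raw image of the key's volume. The Python sketch below is an added example, not part of any post or of Intel's tools; `check_provisioning_key`, `make_image` and the sample image are constructed for illustration, and the image is assumed to start at the volume boot sector rather than at a partition table.

```python
import struct

ATTR_HIDDEN, ATTR_SYSTEM, ATTR_VOLUME = 0x02, 0x04, 0x08
SETUP = "SETUP   BIN"  # 8.3 directory form of setup.bin

def check_provisioning_key(img):
    """Return a list of problems found in a raw FAT volume image ([] means OK)."""
    # BIOS Parameter Block fields, starting at offset 11 of the boot sector.
    bps, spc, reserved, nfats, root_entries, tot16, _media, fatsz16 = \
        struct.unpack_from("<HBHBHHBH", img, 11)
    tot32 = struct.unpack_from("<I", img, 32)[0]
    if fatsz16 == 0 or root_entries == 0 or spc == 0:
        return ["no FAT12/16 root directory: volume is FAT32 or not FAT"]
    problems = []
    root_start = (reserved + nfats * fatsz16) * bps
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = (tot16 or tot32) - reserved - nfats * fatsz16 - root_sectors
    # The FAT type is defined by the cluster count, not by the label string.
    clusters = data_sectors // spc
    if not 4085 <= clusters < 65525:
        problems.append(f"{clusters} clusters: volume is not FAT16")
    files = []
    for i in range(root_entries):
        entry = img[root_start + 32 * i: root_start + 32 * i + 32]
        if len(entry) < 32 or entry[0] == 0x00:   # end of directory
            break
        if entry[0] == 0xE5 or entry[11] & ATTR_VOLUME:
            continue   # deleted slot, volume label, or long-name slot (0x0F)
        files.append((entry[:11].decode("ascii", "replace"), entry[11]))
    if not files:
        problems.append("root directory is empty: setup.bin missing")
    elif files[0][0] != SETUP:
        problems.append(f"first root entry is {files[0][0]!r}, not setup.bin")
    for name, attr in files:
        if name != SETUP and attr & (ATTR_HIDDEN | ATTR_SYSTEM):
            problems.append(f"hidden/system entry present: {name!r}")
    return problems

def make_image(entries, total_sectors=4236):
    """Constructed sample: boot sector, FATs and root directory of a small volume."""
    img = bytearray(36 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 16, total_sectors, 0xF8, 17)
    for i, (name, attr) in enumerate(entries):
        off = 35 * 512 + 32 * i          # root directory follows 1 + 2*17 sectors
        img[off:off + 12] = name.encode("ascii").ljust(11)[:11] + bytes([attr])
    return bytes(img)

if __name__ == "__main__":
    print(check_provisioning_key(make_image([("AUTORUN INF", 0x22), (SETUP, 0x20)])))
```

The check does not look inside setup.bin; the record check is what "USBFile.exe -view setup.bin" is for.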

Hello and thanks for the response!

I used the .bat to create the USB key, I also used it with usbfile and then the USB provisioning utility from Intel. I tried different versions (1, 2, 2.1, 3), different USB sticks, different USB ports and I tried it with PSK and with PKI. I had the possibility to try it on a different PC (an AMT 6.0 version, also an Asus board) but the BIOS doesn't recognize the setup.bin. I've looked at the BIOS, there isn't any menu to disable/enable the USB provisioning in the subsection management engine of the normal BIOS. Maybe the USB provisioning is not supported on Asus boards, because the BIOS normally recognizes the USB (I could choose to boot from it, but I know, the provisioning is not a normal boot).

Greetings,
Kasi

Hi Kasi,
Have you tried using the SCS-Lite tool that is on our Community - you can create a USB key with it as well - it also has a user's guide that can hopefully take you through the USB provisioning process step-by-step. You may also want to check out the AMT Configuration Utility that is on the same download page as the SCS Lite tool.

Some other things to check:
When you boot, do you get an option to enter CTRL-P to get into the MEBx menus? If not, is AMT enabled in the BIOS? Which ASUS System are you working with?

Gael

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hi Kasi,
In addition to Gael's questions:
What Intel CPU do you use? Is it vPro capable?

Hello and thanks for the answers.

At the moment I have an ASUS Mainboard P7Q57-M Do with an Intel Core i5 Processor.

There is a message that I have to press CTRL-P to enter the MEBx. I was still in it. I also had installed on a test server an infrastructure for the Intel SCS (at the moment, I don't have this installation, because there was a hard disk crash). I had my own root certificate, and if I set the hash of it in the MEBx manually, then I was able to provision the AMT client remotely. But I don't want to set the hash (or the PSK) manually so I tried the USB key. I have also tried to create the USB key with the Intel SCS console...

I have also tried the activation wizard which comes with the SCS and it functions. The client is fully vPro capable, I have it provisioned in SMB and in Enterprise Mode (at the moment, because I've got another test client, the MEBx version is 6.0.0.1184). My only problem is: how can I get the hash of my root certificate into the MEBx (entering manually is not an option, because if we have to provision many clients, the work is too much).

I have tried the USB key on a Lenovo laptop, and this laptop finds the setup.bin... Only the ASUS boards don't find it...

Here are the BIOS settings of the client PC for MEBx:
ASF Support Enabled
ME-HECI Enabled
ME-IDER Enabled
ME-KT Enabled
BootBlock HECI Message Disabled
Intel AMT Support Enabled

Greetings,
Kasi

Hi Kasi - you don't want ASF Support Enabled - you want to make sure you select AMT Enabled. (ASF and AMT do not work together - you get one or the other.) If the USB key works on the Lenovo laptop then it sounds like you are doing everything correctly and that it is something with your BIOS setup/ASUS. Try it after disabling ASF support. Also, I have USB keys that work with some OEM systems and not with others so I'm not sure how to tell if your ASUS simply doesn't like your USB Key.

As far as entering your root certificate hash - you do this via the MEBx menus. Go into the MEBx and into the AMT Configuration Menus. (Make sure you have enabled AMT by selecting the "Manageability Feature Selection" menu and select "Enable.") The root certificate hash is in the "Remote Setup and Configuration" path. Go there and select "TLS PKI." It is there you will see an option to "Manage Hashes." Select the "Manage Hashes" option and there you can add your root hash. If you are using a Verisign, Go Daddy, Comodo, or Starfield certificate you would not need to add it.

Gael

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hello Gael!

I will try tomorrow to disable ASF support in the BIOS... And maybe I will see if I can try another USB stick... But it's not that easy to find a stick which is 512 MB or less...

I know that I can enter the hashes manually in the MEBx... I've tried it and it functions... But that's only an option for testing purposes. If in a productive environment I would have to provision maybe 50 clients, it's too much work to enter the hashes in all clients....

Greetings,
Kasi

Ok, you bring up an interesting question. You can enter the hash using the USBFile tool that is in the SDK. You can also enter the PID/PPS keys - but really, what is the point? If you are using the provisioning cert method, you want to do remote provisioning without having to touch the system at all. You would want to purchase the cert from one of the vendors for the hash that is already in the ME (no need for USB key in this case.)

For systems up to AMT 5.0 you can use the USBfile to do local provisioning (to finish the provisioning manually) - that will put them into Small Business Mode.

For AMT 6 systems, this method will put you into Enterprise mode. No need for PID/PPS keys, no need for provisioning cert.

Not sure this helped at all - just wanted to point out that there are a number of ways to accomplish provisioning.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hello Gael!

Thanks for the answer. I wanted to provision with a PID/PPS pair, because our company has its own PKI with no cert path to a root cert that's in the MEBx. But this also fails, because the system doesn't recognize the USB key. Maybe I have understood something wrong. I wanted to provision the clients in Enterprise mode. The provisioning process should be secure and the management after that should also be secure... I thought a secure provisioning can only be with a PID/PPS pair or with a cert whose hash is saved in the MEBx. If I don't want to enter the PID/PPS or the hash manually then I have two choices:
1. The USB key variant
2. Use a cert whose hash is directly saved from the vendor. Because our company has its own PKI I thought it would be nicer if we can use our own cert. But at this point I will investigate the costs for a cert from Verisign or something else...

To understand: I am only a trainee and have a project to investigate the use of Out-Of-Band Management with Intel vPro in our company... So it's better if I find a way to provision with USB also...

Thanks very much so far,

Greetings,
Kasi
