DQ35JO, AMT 3.2 and usb PKI setup.bin

I seem to be having a problem using a USB stick to insert the certificate hash code we use into the BIOS of these boards (DQ35JO) (we have about 200 of them).
Has anyone had any luck with doing this?

BIOS version: 1126
Command line for the USBFILE (V3) tool: USBFile.exe -create setup.bin admin NEWPASSWORD -v 2 -hash AMTProvision.cer "OUR Root CA" -amt -fqdn SERVERFQDN -ztc 1 -redir 1 -psadd IPADDRESS -pspo 9971 -domname DOMAINNAME

If I change the version of the file to version 1 via "-v 1" and add a PID/PPS pair, it will recognise the setup.bin file and install the PSK pair.

Anyone have any ideas?


Quick clarifying question, where did you get your copy of the USBFile? I noticed it said it's a V3 tool so I'm guessing the AMT 6 SDK.

I think some of the parameters you mentioned are from version 2.1 (psadd, pspo, domname). Do you get the same error without those arguments?

Yup, it's from AMT 6 SDK.

I tried
usbfile.exe -create f:\setup.bin adminPASSWORD -v 2 -hash AMTProvision.cer "Root CA" -amt -ztc 1
and
usbfile.exe -create f:\setup.bin adminPASSWORD -v 2 -hash AMTProvision.cer "Root CA"

and the PC still won't see the v2 setup.bin file on the USB stick.
I have also tried a wide selection of USB sticks, just in case :)

You mentioned being able to load a PID/PPS pair with a version 1 formatted file, if you create a version 2 formatted file with the same arguments, is the system also not detecting that setup.bin on the USBFile? I believe the argument string for this would be either "USBfile -create setup.bin admin Admin22@ -rpsk -v 2", unless you wanted to explicitly specify the PID/PPS pair. Also, when you say the system isn't seeing the V2 setup.bin file, I assume you mean it's not prompting you for whether you want to load the setup.bin on startup.

Taking a step back, what is your end goal for putting the certs into the ME? Do you want to provision the systems with PKI instead of PID/PPS, and you'd prefer to use your own cert? If you can get a PID/PPS pair onto the systems via USB, then SCS is able to provision them.

Andy

I wonder if there is an issue with the format of your certificate?

You may want to take a look at the "Intel SCS Installation and User Guide" which has a section on Creating and Installing Your Own Certificate. The guide is part of the Intel SCS 6 Source Kit.zip.

In addition to showing you how to create a certificate which you can try with the USButility, there is a process described there to insert the certificate hash manually using the MEBx. This may also help you troubleshoot your issue.

I tried a V2 file with a PID/PPS pair and it still didn't notice the setup.bin file.

We are using System Center Configuration Manager and are using our own Cert to provide the provisioning system. If we can't get the boards to use a PKI setup.bin, we will just have to use a PSK pair.

We have managed to get the PCs with version 4 and above AMT to work using our own Cert; it's only these boards that are annoying. We would just like to use PKI if at all possible.

Hi Colin,
I think it may be a problem with the changes between AMT versions not being handled by the USB tool.

Let me follow up with the tools team.

Hi Colin,
Our internal teams were able to successfully use the USBTool from the AMT 6.0 SDK and add a PKI certificate hash to an AMT 3.2.11.1136 system. In order for us to help you troubleshoot, there are a couple of things we would like you to do.

First, please make sure you have the latest BIOS updates; this sounds like the BIOS is not able to detect any v2 setup.bin files.
Second, if you can send us your setup.bin file, we can try it here on our systems and let you know what is going on.

Thanks,
AI
