When performing a host-based setup and configuration to Client Configuration mode, an application can optionally provide a digital signature as a parameter to the Setup method. This signature consists of the ConfigurationNonce and the McNonce concatenated and encrypted using the private key of the certificate sent in the command. Intel AMT validates that the signature was created with the attached certificate and includes the certificate in the provisioning record – an instance of IPS_ClientProvisioningRecord.
What does signing the Setup request do for you?
If Setup is performed without a certificate traceable to a root certificate, anybody with host admin permissions can unprovision the system, perform a new Setup request, and change the admin password. That person can then take control of Intel AMT. The only way to detect this change is to compare the CreationTimestamp field in the IPS_ClientProvisioningRecord with the time when Setup was originally performed. When the Setup request is signed, the certificate used to sign it is stored in the IPS_ClientProvisioningRecord, so the user or application can validate that it is the certificate originally used to sign the command.
Consider the following flow:
1. A configuration application generates a console nonce, requests the nonce from Intel AMT, and creates a hash of the two parameters.
2. The application sends the hash to a central server.
3. The server requests a certificate, creates a signature and sends the signature and certificate to the application.
4. The application performs a host-based setup, signing the request with the signature and the certificate.
5. Intel AMT validates the signature and creates a client provisioning record.
6. Periodically, the application verifies that the certificate in the provisioning record was created by the server. If the certificate came from a different source, then a rogue provisioning event occurred.
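The periodic check in step 6, together with the CreationTimestamp comparison described earlier, can be sketched as follows. This is an added example, not code from the Intel AMT SDK: the `ProvisioningRecord` class, the finding labels, and the idea that the server keeps a list of SHA-256 fingerprints of the certificates it signed with are assumptions, and the certificate bytes are constructed stand-ins rather than real DER data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ProvisioningRecord:
    """Hypothetical in-memory view of an IPS_ClientProvisioningRecord instance."""
    creation_timestamp: str            # value of the CreationTimestamp field
    signing_cert_der: Optional[bytes]  # certificate kept in the record; None if Setup was unsigned


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def check_record(record: ProvisioningRecord,
                 baseline_timestamp: str,
                 server_fingerprints: Iterable[str]) -> List[str]:
    """Return findings that indicate a possible rogue provisioning event."""
    findings = []
    # A changed timestamp means Setup ran again after the original provisioning.
    if record.creation_timestamp != baseline_timestamp:
        findings.append("timestamp-changed")
    if record.signing_cert_der is None:
        # An unsigned Setup leaves no certificate to trace back to the server.
        findings.append("unsigned-setup")
    else:
        seen = fingerprint(record.signing_cert_der)
        known = [hmac.compare_digest(seen, fp.lower()) for fp in server_fingerprints]
        if not any(known):
            findings.append("unknown-certificate")
    return findings


# Constructed sample data: placeholder bytes standing in for DER certificates.
SERVER_CERT = b"constructed-server-signing-cert"
OTHER_CERT = b"constructed-unrelated-cert"
BASELINE_TS = "2022-01-10T09:00:00Z"
SERVER_FPS = [fingerprint(SERVER_CERT)]

if __name__ == "__main__":
    current = ProvisioningRecord("2022-03-02T17:45:00Z", OTHER_CERT)
    print(check_record(current, BASELINE_TS, SERVER_FPS))
```
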
Copyright © 2006-2022, Intel Corporation. All rights reserved.