Intel AMT and Security Considerations

Transport Layer Security (TLS) is a protocol that secures and authenticates communications across a public network. Intel AMT TLS relies on a public key infrastructure (PKI): parties on an untrusted network exchange information securely and privately using an asymmetric key pair consisting of a public key and a private key. The public key is distributed in a digital certificate signed by a trusted authority, the Certification Authority (CA); the CA issues certificates that identify an individual or an organization. Intel AMT can also use PKI-based TLS in Operational Mode if it has been configured properly.

Prior to Intel CSME 16.1, a console can connect to Intel AMT over plain (non-TLS) TCP/IP; however, Intel strongly recommends that customers use TLS mode for the added protection it gives the management traffic. TLS provides communications security over the Internet: it allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

Note: End of Support for Non-TLS Connections

Starting from Alder Lake platforms with Raptor Lake CPUs running Intel CSME 16.1 firmware, remote connections to the unsecured (non-TLS) Intel AMT TCP/IP ports 16992, 16994 and 623 are no longer supported. The TLS ports 16993, 16995 and 664 must be used instead (16992/16993 carry WS-Management, 16994/16995 carry redirection traffic).

Starting from Intel CSME 19 firmware on Arrow Lake platforms, connecting to Intel AMT without TLS is not supported at all: local connections must also use the TLS ports.

Prior to Intel CSME 19, to enable TLS out of the box, Intel AMT generates a default self-signed certificate. The console can use it in either of the following ways:

   Using the self-signed certificate to communicate with Intel AMT over TLS.

   Using the self-signed certificate to communicate with Intel AMT over TLS only until a managed TLS certificate is configured by the configuration server.

Starting from Intel CSME 19, Intel AMT uses the On-Die Certificate Authority (ODCA) certificate, rather than the self-signed certificate, for server TLS while in the pre-provisioning state. During the TLS handshake the entire chain is returned up to level -1, as shown in the following diagram (only the legend of the diagram is reproduced here):

   SN = Certificate Serial Number

   FMC = First Mutable Code

   The Intel CSME Firmware ODCA certificate is revoked by Intel upon an increase in the SVN (Security Version Number).

   The Intel CSME embedded CA issues new certificates upon a firmware update that carries a new SVN.

Flow Using Self-Signed Certificate

When Intel AMT enters the post-provisioning state, if no other TLS certificate has been configured, the Intel AMT self-signed certificate is set as the Intel AMT TLS server certificate for remote connections and is used for the TLS handshake.

The console may configure another certificate and make it the active one by invoking AMT_TLSCredentialContext.Put with the handle of that certificate.

The self-signed certificate is enumerated together with the other TLS certificates and is the active certificate by default. To enumerate the certificates, enumerate AMT_PublicKeyCertificate; to select the active certificate, use AMT_TLSCredentialContext.Put.

The self-signed certificate is read-only and cannot be deleted by the console. It can be identified by checking that AMT_PublicKeyCertificate.ReadOnlyCertificate is True.

A new key pair and a new self-signed certificate are generated after unprovisioning, so any fingerprint a console recorded for the previous certificate no longer matches and must be learned again when the system is re-provisioned.

The self-signed certificate has the following characteristics:

   All DN fields (Common Name, Country, Organization, etc.) are “Unknown”, so the certificate carries no usable identity.

   The serial number is a hash of the public key.

   The validity time stamp is taken from the BIOS or host time. If the BIOS time is not configured, 1/1/2020 is used.

   The key pair is randomly generated by the firmware.

   The certificate is self-signed: issuer equals subject and it chains to no CA.

When communicating with Intel AMT over a TLS session that uses the self-signed certificate, the console must verify that the endpoint is a genuine Intel AMT endpoint, because a self-signed certificate with an “Unknown” DN proves nothing about who holds the key. This is accomplished with the AMTAuthenticate flow. In addition, a console should record the certificate's fingerprint when it first provisions the system and reject later connections that present a different certificate.
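The following Go program is an added example, not code from this page or from the Intel AMT SDK. It builds a constructed stand-in for the default self-signed certificate with the characteristics listed above, checks a presented certificate against those characteristics (both ways the console may use the certificate start from recognizing it), derives the SHA-256 fingerprint a console records at provisioning time, and builds a pinned tls.Config for later connections to TLS port 16993. The hash behind the serial number (a truncated SHA-256 of the SubjectPublicKeyInfo) is an assumption made for the example; the page does not name the hash the firmware uses. Pinning is a complement to the AMTAuthenticate flow, not a substitute for it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// serialFromKey derives a serial number from a hash of the public key. The page does not
// name the hash the firmware uses; a truncated SHA-256 of the SPKI is this example's assumption.
func serialFromKey(spki []byte) *big.Int {
	sum := sha256.Sum256(spki)
	return new(big.Int).SetBytes(sum[:16])
}

// newDefaultAMTCert builds a constructed stand-in for the Intel AMT default self-signed
// certificate so the checks below run offline: every DN field is "Unknown", the serial comes
// from the (random) key, and the certificate is signed with its own key (parent == template).
func newDefaultAMTCert() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	tmpl := &x509.Certificate{
		SerialNumber: serialFromKey(spki),
		Subject:      pkix.Name{CommonName: "Unknown", Country: []string{"Unknown"}, Organization: []string{"Unknown"}},
		NotBefore:    time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), // BIOS time not configured
		NotAfter:     time.Date(2050, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IsAMTDefaultSelfSigned checks the characteristics listed above: issuer equals subject, the
// signature verifies under the certificate's own key (no CA involved), every DN attribute
// value is "Unknown", and the serial number matches the hash of the public key.
func IsAMTDefaultSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawSubject, cert.RawIssuer) ||
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) != nil {
		return false
	}
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); !ok || s != "Unknown" {
			return false
		}
	}
	spki, _ := x509.MarshalPKIXPublicKey(cert.PublicKey)
	return cert.SerialNumber.Cmp(serialFromKey(spki)) == 0
}

// Fingerprint is the SHA-256 of the DER certificate: the value a console records when it first
// provisions a device and compares on every later connection (trust on first use).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinnedTLSConfig accepts exactly one server certificate. Chain building is skipped because the
// default certificate chains to no CA; the pin check in VerifyPeerCertificate takes its place,
// so the session is still authenticated instead of being open to any certificate at all.
func PinnedTLSConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("amt: server presented no certificate")
			}
			if got := Fingerprint(rawCerts[0]); got != pin {
				return fmt.Errorf("amt: fingerprint %s does not match pin %s", got, pin)
			}
			return nil
		},
	}
}

func main() {
	cert, _, err := newDefaultAMTCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("matches AMT default certificate:", IsAMTDefaultSelfSigned(cert))
	// Against a real device: tls.Dial("tcp", host+":16993", PinnedTLSConfig(Fingerprint(cert.Raw))).
	fmt.Println("wrong pin rejected:", PinnedTLSConfig("00").VerifyPeerCertificate([][]byte{cert.Raw}, nil))
}
```

InsecureSkipVerify on its own would accept any certificate, including one presented by a machine-in-the-middle; it is only acceptable here because VerifyPeerCertificate performs the authentication that chain building cannot. Because unprovisioning regenerates the key pair and certificate, the stored pin has to be refreshed whenever the system is re-provisioned.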

Security Before and During Configuration

Communications between the Intel AMT system and the configuration server can contain sensitive security-related information. Therefore, Intel AMT uses TLS with PKI certificates to provide authentication and confidentiality before and during the configuration process.

See also:

   Details on using Remote PKI for setup and configuration

   Setup and Configuration Using Secure Host Based Configuration

Note:

Setup and configuration using PSK (pre-shared keys) was removed in Intel AMT release 11.0.

Copyright © 2006-2022, Intel Corporation. All rights reserved.