Intel AMT and Security Considerations

The Transport Layer Security (TLS) is a protocol that secures and authenticates communications across a public network.

Prior to Intel CSME 16.1, a console can connect to Intel AMT via TCP/IP; however, Intel strongly recommends that customers use TLS mode to benefit from its enhanced security in communication. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

Starting from Raptor Lake platforms running Intel CSME 16.1 firmware, connecting to Intel AMT unsecure TCP/IP ports 16992, 16994 and 623 will no longer be supported. TLS ports 16993, 16995 and 664 must be used for connecting to Intel AMT.

Note: VNC KVM Port 5900 will stay open even though a console can connect to it without TLS. Intel plans to remove this port in the future.

To enable TLS out-of-the-box, Intel generates a self-signed certificate upon INIT. This can be used by the console in either of the following ways:

   Using the self-signed certificate to configure a proper certificate, and subsequently using the new certificate to communicate with Intel AMT over TLS.

   Using the self-signed certificate to communicate with Intel AMT over TLS.

Flow Using Self-Signed Certificate

A self-signed certificate is created when the provisioning starts (including in host-based provisioning or provisioning from MEBX).

When Intel AMT enters the post-provisioning state, if no other certificate was configured, the self-signed certificate will be set as the TLS Server certificate for remote connections and will be used for the TLS handshake.

This self-signed certificate is enumerated with the other TLS certificates and is set as the active certificate. To enumerate the certificate, enumerate AMT_PublicKeyCertificate.

To choose the active certificate, use AMT_TLSCredentialContext.Put.

The self-signed certificate cannot be deleted by the console.

The self-signed certificate can be identified by checking the value of AMT_PublicKeyCertificate.ReadOnlyCertificate.

The console may configure another certificate and set it to be the active one, by invoking AMT_TLSCredentialContext.Put with the correct handle. The self-signed certificate is not deleted; it remains read-only.

A new key pair and self-signed certificate are created after unprovisioning.

The self-signed certificate has the following characteristics:

   All DN fields (Common name, Country, Organization etc.) are “Unknown”.

   The serial number is a hash of the public key.

   The time stamp is set from the BIOS or host time. If the BIOS time is not configured, 1/1/2020 is used.

   The key is randomly generated by the firmware.

   The certificate is self-signed.

Intel AMT uses the following types of TLS:

   Pre Shared Key (PSK) — The PSK protocol provides secure communication based on a symmetric encryption key that has been shared in advance between two parties. Intel AMT uses the PSK protocol only during the configuration process of Intel AMT systems.

   Public Key Infrastructure (PKI) — The PKI enables users of an unsecured network to securely and privately exchange information through the use of an asymmetric public and private cryptographic key pair. The public key is shared through a digital certificate signed by a trusted authority, known as a Certification Authority (CA). The CA generates digital certificates that can identify an individual or an organization. Intel AMT can also use the PKI protocol when in Operational Mode if it was configured properly.

How and when these protocols are used depends on the stage in the configuration process and the version of the Intel AMT system, as described in the following.

Security Before and During Configuration

Communications between the Intel AMT system and the SCA can contain sensitive security related information. Therefore, Intel AMT uses one of the TLS protocols (PSK or PKI) to ensure authentication and security before and during the configuration process. The type of TLS protocol you can use during configuration depends on the Intel AMT version:

   Versions 2.0/2.1/2.5 — You can only use PSK.

You must change the MEBx password of these Intel AMT systems from the default password. Entering the PSK configuration key and changing the MEBx password require physical access to the Intel AMT system, as they can be done only via the MEBx menu or using a USB key. As a result, a completely remote configuration process is not available. (Unless the OEM adds the PSK and changes the MEBx password using the FOV mechanism during manufacturing.)

   Versions 2.2/2.6/3.x and later — You can use PSK or PKI.

To use PKI, the Intel AMT system must have a Root Certificate Hash pre-programmed in the firmware See Root Certificate Hashes. You must also obtain an appropriate Server Certificate that is signed by a CA whose certificate hash is present in the Intel AMT. Using PKI, there is no need to have physical access to the Intel AMT system and the entire configuration process can be completed remotely. (This feature was formerly known as Zero-Touch Configuration, or ZTC.)

note-icon Note:

Setup and Configuration using PSK was removed in Intel AMT release 11.0.

 

Security After Configuration

In versions that allow TCP:

Once an Intel AMT system has been configured, the level of security of communication between the Intel AMT system and the Management Console depends on the settings you defined in the profile used to configure the Intel AMT system.

In versions that do not allow TCP:

Once provisioning is complete, Intel AMT works only over TLS. If a TLS certificate was configured during the provisioning process, that certificate will be used for TLS purposes. If no certificate was configured, the self-signed certificate will be used.

If the self-signed certificate is used to create a "real" certificate, the self-signed certificate is deleted automatically when the platform transitions to post-provisioning.

When performing Remote Configuration (TLS-PSK or PKI), configure and enable TLS before completing the process. You can then use TLS-PKI in your network to ensure secure communication with all versions of Intel AMT systems.

Even when performing Host-Based Setup or a Manual Setup, Intel AMT starts working in TLS mode using its self-signed certificate. Since configuring TLS requires providing Intel AMT with a sensitive private key, Release 7.0 adds a key pair generation feature so that the private key exists only internal to Intel AMT. See the Certificate Enrollment flow.

Copyright © 2006-2022, Intel Corporation. All rights reserved.