
Intel AMT Configuration Security Models

When preparing an Intel AMT device for use, there are different authentication methods available for use, each with its advantages and disadvantages. Two of these methods use TLS and operate over the network. The others are done locally and depend on an operator or an application to provide credentials. Using the TLS methods, a server-based application can perform a full configuration of Intel AMT before completing the process. For example, Intel AMT can exit the process with the appropriate certificates to support TLS. The other options complete setup before doing configuration. Subsequent settings (for example, enabling TLS, defining user permissions) will depend on use of admin credentials supplied during the shorter local process. Once Intel AMT is enabled, an application performing configuration can run over the network or locally.

TLS-PSK (Removed in Release 11.0)

Remote Configuration using PKI and stored root CA hashes

Using a remote setup and configuration server

Manual configuration

Local setup

Local setup using PKI

TLS-PSK

(This method is deprecated in Release 11.0.) Both the Intel AMT platform and a remote setup and configuration server start with two pieces of shared information – a platform ID and a pre-shared key (PSK). The key is entered manually or via a USB key. The first communication between Intel AMT and the setup and configuration server is an unencrypted “hello” message from Intel AMT to the server that contains the platform identifier. The setup and configuration server then performs the setup and configuration process using the PSK and the TLS-PSK protocol for authentication and encryption of the configuration traffic. See Setup and Configuration Using PSK.

Remote Configuration using PKI and stored root CA hashes

Intel AMT has root certificate hashes that can verify a server certificate sent by the setup and configuration server. The setup and configuration process can be triggered automatically without the manual task of loading a pre-shared key. See Setup and Configuration Using PKI (Remote Configuration).
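The stored-hash check described above, modelled as an added example (not Intel's SDK code): the firmware holds a list of root CA hashes, and a remote configuration server is only trusted if the root its certificate chain traces to hashes to one of those entries. The certificate bytes, entry names and the `STORED_ROOT_HASHES` layout are constructed placeholders, not real Intel AMT data structures.

```python
import hashlib
import hmac

# Constructed placeholders standing in for DER-encoded root CA certificates.
# In a real deployment these would be the actual DER bytes of the root CA.
ENTERPRISE_ROOT_DER = b"-- constructed placeholder: enterprise root CA DER --"
UNKNOWN_ROOT_DER = b"-- constructed placeholder: some other root CA DER --"


def fingerprint(der, algorithm):
    """Hex digest of a DER-encoded certificate under the named hash algorithm."""
    return hashlib.new(algorithm, der).hexdigest()


def normalize(fp):
    """Accept stored fingerprints written with colons, spaces or upper-case hex."""
    return fp.replace(":", "").replace(" ", "").lower()


# Hypothetical stored root CA hash list (constructed): each entry records the
# hash algorithm and the digest of one trusted root certificate.
STORED_ROOT_HASHES = [
    {"name": "Enterprise Root CA", "algorithm": "sha256",
     "hash": fingerprint(ENTERPRISE_ROOT_DER, "sha256")},
]


def trusted_root(chain, stored_hashes=STORED_ROOT_HASHES):
    """Return the name of the stored entry matching the chain's root, else None.

    chain is ordered leaf first, so chain[-1] is the root the chain traces to.
    An empty chain or an empty hash list can never match. The digest comparison
    is constant-time so the check does not leak how much of a hash matched.
    """
    if not chain or not stored_hashes:
        return None
    root_der = chain[-1]
    for entry in stored_hashes:
        candidate = fingerprint(root_der, entry["algorithm"])
        if hmac.compare_digest(candidate, normalize(entry["hash"])):
            return entry["name"]
    return None


if __name__ == "__main__":
    leaf = b"-- constructed placeholder: server leaf DER --"
    print(trusted_root([leaf, b"-- constructed intermediate --", ENTERPRISE_ROOT_DER]))
    print(trusted_root([leaf, UNKNOWN_ROOT_DER]))
```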

Using a remote setup and configuration server

The setup and configuration server downloads TLS certificates to the Intel AMT platform, which stores them in non-volatile memory. The certificates trace to an enterprise certificate authority and are used by Intel AMT to authenticate to management console applications. If Intel AMT is configured for mutual authentication, the setup and configuration server must provide a client certificate for each application that will communicate with Intel AMT.

The setup and configuration server also establishes an Access Control List, enables certain Intel AMT features, and configures device settings. At the end of the setup and configuration process, the keys generated and used during the process are deleted. All subsequent communications use the certificates and Transport Layer Security (TLS) for authentication, confidentiality (encryption), and integrity (mutual authentication). Intel AMT performs authorization using the Access Control List, as described in Access Control Lists and Realms.

Manual configuration

A user who can access the ME BIOS extension can move Intel AMT to a setup state by providing a new admin password. Applications performing subsequent configuration will use this password as a credential. See Manual Setup and Configuration.

Local setup

Starting with Release 7.0, it is possible to set up Intel AMT having only local OS admin permissions. This approach is inherently less secure, so there are limitations placed on a device configured this way (for example, user consent is required when activating redirection or KVM). See Host-Based Setup and Configuration.

Local setup using PKI

Starting with Release 7.0, it is possible to perform a local setup like the remote PKI setup, by providing a PKI certificate that matches one of the stored hashes. See Host-Based Setup and Configuration.

See Also:

Setup and Configuration of Intel AMT

Copyright © 2006-2022, Intel Corporation. All rights reserved.