Intel AMT Enhancements for Remote Configuration

Remote configuration depends on the following Intel AMT enhancements:

   Embedded Hashed Root Certificates — The Intel AMT device contains one or more root certificate hashes from worldwide SSL certificate providers in the firmware image. See Root Certificate Hashes. When the SCA authenticates to the Intel AMT device, it must do so with a certificate compatible with one of the hashed root certificates.

   Self-Signed Certificate — The Intel AMT device produces a self-signed certificate that it uses to pass its public key to the SCA. Because such a certificate chains to no trusted root, the SCA must be explicitly configured to accept it.
When the Setup and Configuration Using Secure Host Based Configuration method is used, Intel AMT presents an On-Die CA (ODCA) certificate instead of the self-signed certificate, which lets the SCA verify that the endpoint is authentic Intel AMT firmware.

   On-Die Certificate Authority (ODCA) — The On-Die Certificate Authority (ODCA) is a feature added to Intel CSME hardware starting from Tiger Lake. It replaces the existing Intel EPID signing algorithm, which is planned for deprecation. The On-Die Certificate Authority is used for issuing certificates for Intel CSE applications (e.g., Intel AMT). Each platform is manufactured with a unique ODCA key and certificate.

   One-Time Password (OTP) — Security policy may require use of a one-time password as part of authenticating the Intel AMT device to the SCA. An ISV-created agent running on the local host installs the OTP in the Intel AMT device. The agent receives the OTP from a management console that also sends the same OTP to the SCA, so both ends hold the value before the SCA connects.

   Limited Network Access — The network interface is opened for a secure connection during Setup Mode for a limited period (in most cases, 6 hours). When the period ends, Intel AMT closes the network interface, and it must be re-opened with a local agent. From Intel AMT Release 6 there is also an option to re-open the network interface from the MEBx menu or with a USB key.

The following remote configuration enhancements are available only from Intel AMT release 3.0 and later releases:

   Simplified One-Touch — An IT administrator can enter the SCA FQDN or a PKI DNS Suffix via the MEBx menu or with a USB key. The Intel AMT device then verifies that the FQDN in the SCA certificate matches the entered FQDN, or ends with the entered DNS suffix. This feature is also known as Secure DNS: a value entered by the administrator cannot be spoofed the way the domain name supplied in DHCP option 15 can be by an attacker on the local network.

   Bare Metal Setup and Configuration — A platform containing Intel AMT can be configured by the manufacturer to start sending “Hello” messages as soon as the platform is connected to AC power and to the network. The host may have no operating system running, or no Remote Configuration local agent, hence the name “bare metal”. With no agent there is no way to install a One-Time Password, so the OTP check cannot be used on such platforms.
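
The three checks described above (embedded root certificate hashes, Simplified One-Touch name matching against an entered FQDN or PKI DNS Suffix with DHCP option 15 as the untrusted fallback, and the optional One-Time Password) can be modelled as a small policy evaluator. The following is an added example, not Intel firmware or SDK code: the data model, function names, the use of SHA-256 over DER bytes as the "root certificate hash", the label-boundary suffix rule and the rule ordering are all assumptions chosen to illustrate the behaviour the page describes.

```python
"""Model of the checks an Intel AMT device applies when a Setup and Configuration
Application (SCA) connects during remote configuration. Added example; not Intel
code. Names, data model and the SHA-256-over-DER hash are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed stand-ins for DER-encoded root certificates (not real certificates).
TRUSTED_ROOT_DER = b"-- constructed DER of a public root CA --"
ROGUE_ROOT_DER = b"-- constructed DER of an attacker's root CA --"


def root_hash(der: bytes) -> str:
    """Hex digest the firmware image would carry for a root (SHA-256 assumed)."""
    return hashlib.sha256(der).hexdigest()


# What the firmware ships with: hashes only, never the full certificates.
EMBEDDED_ROOT_HASHES: FrozenSet[str] = frozenset({root_hash(TRUSTED_ROOT_DER)})


@dataclass(frozen=True)
class SCACertificate:
    """The SCA's certificate, reduced to the two facts the checks need."""
    fqdn: str        # name in the certificate (subject CN / SAN), assumed extracted
    root_der: bytes  # DER of the root that anchors the presented chain


@dataclass(frozen=True)
class DeviceProvisioning:
    """Values held by the Intel AMT device before the SCA connects."""
    sca_fqdn: Optional[str] = None              # entered via MEBx or USB key
    pki_dns_suffix: Optional[str] = None        # entered via MEBx or USB key
    dhcp_option15_domain: Optional[str] = None  # learned from DHCP; unauthenticated
    otp: Optional[str] = None                   # installed by the local agent; None on bare metal


def root_is_embedded(cert: SCACertificate, embedded: FrozenSet[str]) -> bool:
    """The chain's root must hash to one of the embedded values (constant-time compare)."""
    presented = root_hash(cert.root_der)
    return any(hmac.compare_digest(presented, h) for h in embedded)


def name_in_suffix(fqdn: str, suffix: str) -> bool:
    """Label-boundary suffix match: 'sca.example.com' is under 'example.com',
    'sca.evil-example.com' is not. Case-insensitive; trailing dots ignored."""
    f = fqdn.lower().rstrip(".")
    s = suffix.lower().strip(".")
    return bool(s) and f.endswith("." + s)


def name_matches(cert: SCACertificate, prov: DeviceProvisioning) -> Tuple[bool, str]:
    """Apply the name rule in order of trust: exact entered FQDN, then entered
    PKI DNS suffix, then (only if neither was entered) the DHCP option 15 domain."""
    if prov.sca_fqdn:
        ok = cert.fqdn.lower().rstrip(".") == prov.sca_fqdn.lower().rstrip(".")
        return ok, "fqdn"
    if prov.pki_dns_suffix:
        return name_in_suffix(cert.fqdn, prov.pki_dns_suffix), "pki_dns_suffix"
    if prov.dhcp_option15_domain:
        return name_in_suffix(cert.fqdn, prov.dhcp_option15_domain), "dhcp_option15"
    return False, "no_name_policy"


def authorize_sca(cert: SCACertificate, prov: DeviceProvisioning,
                  presented_otp: Optional[str] = None,
                  embedded: FrozenSet[str] = EMBEDDED_ROOT_HASHES) -> Tuple[bool, List[str]]:
    """Run all three checks; return (accepted, reasons). Every check is evaluated
    so a rejected SCA can be logged with every failing reason, not just the first."""
    reasons: List[str] = []
    if not root_is_embedded(cert, embedded):
        reasons.append("root hash not in embedded list")
    ok, rule = name_matches(cert, prov)
    if not ok:
        reasons.append(f"name check failed under rule {rule}")
    if prov.otp is not None:  # an OTP was installed by the agent: the SCA must present it
        if presented_otp is None or not hmac.compare_digest(
                prov.otp.encode(), presented_otp.encode()):
            reasons.append("one-time password mismatch")
    return (not reasons), reasons


if __name__ == "__main__":
    prov = DeviceProvisioning(pki_dns_suffix="example.com", otp="483921")
    good = SCACertificate("sca.example.com", TRUSTED_ROOT_DER)
    lookalike = SCACertificate("sca.evil-example.com", TRUSTED_ROOT_DER)
    print(authorize_sca(good, prov, "483921"))       # (True, [])
    print(authorize_sca(lookalike, prov, "483921"))  # (False, ['name check failed under rule pki_dns_suffix'])
```

The suffix rule deliberately requires a label boundary: a plain string suffix test would accept a certificate for a look-alike domain ending in the same characters. A bare metal platform is modelled by leaving `otp` as `None`, which skips the OTP check entirely; the remaining protection is then the root hash plus the name rule, which is why entering an FQDN or suffix matters most on platforms without a local agent.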

See Also:

   Remote Configuration with a Local Agent

Copyright © 2006-2022, Intel Corporation. All rights reserved.