
KVM and Intel AMT

Starting with Release 6.0, Intel AMT adds remote KVM to the existing redirection features Serial Over LAN (SOL) and Storage Redirection (IDE-R, replaced by USB-R in Release 11.0). A remote console can open a session with an Intel AMT platform, control the platform with a mouse and keyboard, and display at the console what is shown on the platform's local monitor. The KVM capability is enabled in the same way that SOL/Storage Redirection is enabled: with network administration commands. KVM must first be enabled in the Intel® Management Engine BIOS Extension (MEBx) and the listener enabled (as with SOL/Storage Redirection) before it can be enabled remotely.

KVM is based on the RealVNC Limited* Remote Frame Buffer (RFB) protocol. In fact, off-the-shelf viewers based on the RFB protocol work in conjunction with Intel AMT without modification.

The KVM feature supports gaming and signage platforms that have high-resolution graphics. The maximum supported screen resolutions at 16 bits of color depth for each Intel AMT release are:

   1600x1200 for Intel AMT 6.0 excluding maintenance release 2

   1920x1080 for Intel AMT 6.0 maintenance release 2 and Intel AMT 6.1

   1920x1200 for Intel AMT 7 and Intel AMT 8

   2560x1600 for Intel AMT 9.0 and Intel AMT 10

Intel AMT 11 and Intel AMT 12 also support 4096x2160 with 8 bits of color depth.

The Intel AMT implementation includes an option in the MEBx for “user opt-in”: When a remote console initiates a KVM session, the local PC user must agree to allow remote KVM before the session can start.

Note:

In the context of KVM, the IT remote console has a KVM client operated by an IT operator. The platform containing Intel AMT contains a KVM server operated by a PC user.

Important note: Intel AMT KVM supports port 5900 to allow the use of standard free KVM viewers based on RFC 6143 that are available on the market. However, before enabling this port in Intel AMT, the administrator should consider the following:

- When using port 5900, the KVM viewer authenticates itself to Intel AMT using VNC authentication. VNC authentication is based on a password that is validated with a DES-based challenge-response. As stated in RFC 6143 section 7.2.2: “This type of authentication is known to be cryptographically weak and is not intended for use on untrusted networks”. “Cryptographically weak” means that if an attacker manages to break it, they can extract the password from the challenge-response.

- TLS is not supported on port 5900.
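The following Python script is an added example, not part of the Intel documentation, that an administrator can use to check what a listener on port 5900 actually offers. It parses the first two messages of an RFB server handshake (the ProtocolVersion string and the security-type list from RFC 6143 sections 7.1.1 and 7.1.2) and reports whether the only authentication on offer is the DES-based VNC Authentication type (security type 2) with no channel-encrypting type (TLS or VeNCrypt) alongside it. The sample messages are constructed, not captured from an Intel AMT platform; the security-type numbers come from RFC 6143 and the IANA RFB registry; RealVNC's RFB 4.0 framing is not modeled, and `probe()` is assumed to be run only against a listener the reader administers.

```python
"""Parse an RFB (VNC) server's ProtocolVersion and security-type messages and
report whether it offers only the DES challenge-response "VNC Authentication"
type that RFC 6143 section 7.2.2 warns against on untrusted networks."""
import re
import socket
from typing import Dict, List, Tuple

# Security-type numbers from RFC 6143 section 7.1.2 and the IANA RFB registry.
SECURITY_TYPES: Dict[int, str] = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}
STRONG_TYPES = {18, 19}  # types that wrap the session in an encrypted channel


def parse_version(msg: bytes) -> Tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message ("RFB xxx.yyy\\n")."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", msg[:12])
    if not m:
        raise ValueError(f"not an RFB ProtocolVersion message: {msg[:12]!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version: Tuple[int, int], msg: bytes) -> List[int]:
    """Parse the server's security-type message.

    RFB 3.3 sends one big-endian U32 type; 3.7 and later send a U8 count
    followed by that many U8 type numbers (count 0 means the server refused
    the connection and a reason string follows).
    """
    major, minor = version
    if major == 3 and minor < 7:
        if len(msg) < 4:
            raise ValueError("truncated security-type message")
        return [int.from_bytes(msg[:4], "big")]
    if not msg:
        raise ValueError("truncated security-type message")
    count = msg[0]
    if count == 0:
        reason_len = int.from_bytes(msg[1:5], "big")
        reason = msg[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    types = list(msg[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def assess(version_msg: bytes, security_msg: bytes) -> dict:
    """Summarize what the server offered and whether it is unencrypted-only."""
    version = parse_version(version_msg)
    types = parse_security_types(version, security_msg)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    return {
        "version": f"{version[0]}.{version[1]}",
        "security_types": names,
        "offers_vnc_auth": 2 in types,
        "offers_none": 1 in types,
        # True when no TLS/VeNCrypt type is offered: every session would run
        # with only the weak VNC Authentication (or no authentication at all).
        "unencrypted_only": bool(types) and all(t not in STRONG_TYPES for t in types),
    }


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Read the two handshake messages from a live listener you administer.
    Not exercised by the offline samples below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version_msg = s.recv(12)
        parse_version(version_msg)
        s.sendall(version_msg)  # echo the server's version to proceed
        security_msg = s.recv(256)
    return assess(version_msg, security_msg)


# Constructed sample handshakes (not captured from a real platform).
SAMPLE_VNC_AUTH_ONLY = (b"RFB 003.008\n", bytes([1, 2]))       # only type 2
SAMPLE_TLS_OFFERED = (b"RFB 003.008\n", bytes([2, 19, 2]))     # VeNCrypt + type 2
SAMPLE_LEGACY_33 = (b"RFB 003.003\n", (2).to_bytes(4, "big"))  # RFB 3.3 framing

if __name__ == "__main__":
    for sample in (SAMPLE_VNC_AUTH_ONLY, SAMPLE_TLS_OFFERED, SAMPLE_LEGACY_33):
        print(assess(*sample))
```

A result with `unencrypted_only` set to true is exactly the situation the note above describes: the password is protected only by the DES challenge-response, so such a listener belongs on a trusted management network or behind the redirection ports, where the usual Intel AMT authentication and TLS apply.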


Intel AMT KVM Features

This section describes the KVM features supported by different Intel AMT Releases.

From Intel AMT Release 6.0

These KVM features are supported from Intel AMT Release 6.0 and higher:

   KVM can be enabled or disabled remotely, unless KVM is disabled via the MEBx.

   Intel AMT can accept a KVM connection on the IANA-defined VNC port (5900) or on the Intel AMT redirection ports (16994/16995). A connection on port 5900 requires only the RFB password for authentication, while the redirection ports add the usual Intel AMT authentication mechanisms.

   The KVM server supports RFB version 3.8 and earlier, and version 4.0. RFB version 4.0 offers some performance, usability and extensibility enhancements.

   Intel AMT emulates a standard USB keyboard and mouse. Note that the local keyboard and mouse at the platform supporting Intel AMT are still active during a KVM session.

   When PC user opt-in is enabled, the firmware generates a “sprite” (a pop-up graphic displayed to the PC user directly, even if the graphics driver is disabled) with a one-time password (OTP) that the KVM client must send to complete establishment of a session. The PC user has to tell the IT operator what the password is, say, by telephone or text message. Note that any sprites displayed to the local operator are not echoed to the KVM client.

   The Intel AMT Access Monitor feature can record the following KVM events in the Access Monitor Audit Log:

      A KVM session started or ended
      KVM was enabled or disabled
      VNC password authentication failed three times in a row
      KVM Opt-in was enabled or disabled
      KVM password was changed
      KVM operator consent succeeded
      KVM operator consent failed three times in a row

   If there is no connection activity (no keyboard or mouse activity) for a configurable period, the server at the PC drops the connection.

   There can be only one RFB session per server (i.e. per Intel AMT-enabled PC) at a time.

   After three consecutive failed login attempts, Intel AMT delays subsequent attempts and logs the occurrence.
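As an added example (not from the Intel documentation or SDK), the script below runs a few detection rules over the auditable KVM events listed above. The event names are the ones on this page; the one-line-per-event timestamped text format is a constructed stand-in for an export of the Access Monitor Audit Log, the sample entries are made up, and the rule names and severities are this example's own choices. The rules flag the two "three times in a row" lockout events, KVM being enabled, opt-in being disabled, and any session that starts after opt-in has been turned off.

```python
"""Detection rules over Intel AMT Access Monitor KVM audit events.

The event texts match the auditable KVM events on this page. The timestamped
line format is a constructed stand-in for an audit-log export; the sample
entries are not real data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample export: "<ISO-8601 timestamp> <event text>" per line.
SAMPLE_LOG = """\
2024-03-01T08:55:10Z KVM Opt-in was enabled
2024-03-01T09:00:02Z KVM operator consent succeeded
2024-03-01T09:00:05Z KVM session started
2024-03-01T09:20:41Z KVM session ended
2024-03-01T13:02:17Z VNC password authentication failed three times in a row
2024-03-01T13:30:00Z KVM Opt-in was disabled
2024-03-01T13:31:12Z KVM session started
2024-03-01T13:40:00Z KVM session ended
"""


@dataclass
class Alert:
    timestamp: str
    severity: str
    rule: str
    event: str


def parse_line(line: str) -> Tuple[str, str]:
    """Split "<timestamp> <event text>" into its two parts."""
    ts, _, event = line.strip().partition(" ")
    return ts, event


def detect(log_text: str) -> List[Alert]:
    """Apply the rules in log order, tracking the opt-in state as it changes."""
    alerts: List[Alert] = []
    # Unknown until the log shows an opt-in change; only an explicit
    # "disabled" state triggers the session-without-opt-in rule.
    opt_in_enabled: Optional[bool] = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event = parse_line(line)
        if event == "KVM Opt-in was enabled":
            opt_in_enabled = True
        elif event == "KVM Opt-in was disabled":
            opt_in_enabled = False
            alerts.append(Alert(ts, "medium", "opt-in-disabled", event))
        elif event == "KVM was enabled":
            alerts.append(Alert(ts, "medium", "kvm-enabled", event))
        elif event.endswith("failed three times in a row"):
            # Covers both the VNC password and operator-consent lockouts.
            alerts.append(Alert(ts, "high", "repeated-auth-failure", event))
        elif event == "KVM session started" and opt_in_enabled is False:
            alerts.append(Alert(ts, "medium", "session-without-opt-in", event))
        elif event == "KVM password was changed":
            alerts.append(Alert(ts, "info", "kvm-password-changed", event))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} [{a.severity}] {a.rule}: {a.event}")
```

Run against the sample, the script raises a high-severity alert for the VNC password lockout and two medium alerts for the opt-in change and the session that followed it; the sessions under opt-in, preceded by a consent event, produce nothing. The expected cadence of these events differs per site, so the severities are a starting point to tune, not a standard.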

From Intel AMT Release 7.0

Intel AMT Release 7.0 includes support for additional KVM features when using version 4.0 of the RFB protocol. Support for these features is built into the Virtual Network Computing (VNC) Server component embedded in the Intel AMT device:

   Scancode Extension – The VNC Server accepts key events sent in a USB key code format.

   Relative Pointer Motion – The VNC Server can accept both x and y coordinates as relative motion values.

From Intel AMT Release 8.0

   Starting with Intel AMT 8.0, the KVM Library can request information from the host operating system driver and then rotate the display without operator intervention.

   Starting with Intel AMT 8.0, Intel AMT supports platforms with up to three displays.

Note:

A remote KVM session supports viewing only one local screen at a time in a multi-screen setup. A multi-screen setup on both ends does not lead to simultaneous multi-screen viewing. For example, where both the local Intel AMT platform and the remote operator have two screens, the remote operator can view only a single screen from the local Intel AMT platform at any one time.

Copyright © 2006-2020, Intel Corporation. All rights reserved.