The following steps describe the setup and configuration flow using TLS-PKI.
1. The Intel AMT sends a PKI “Hello” message to the SCA.
2. The SCA extracts the hashes from the “Hello” message sent by the Intel AMT device.
3. The SCA and the Intel AMT device perform a complete mutual authentication session key exchange:
   a. The Intel AMT device uses a self-signed certificate, sending its public key.
      Note: Starting with Tiger Lake, the On-Die Certificate Authority (ODCA) is used for issuing certificates for Intel CSE applications (e.g., Intel AMT).
   b. The SCA creates a TLS session master key, encrypts it with the Intel AMT device public key, and sends it to the Intel AMT device. The SCA also sends a certificate chain that includes a root certificate matching one of the received hashes.
   c. The Intel AMT device decrypts the master key with its private key. The key is the shared secret used to establish the setup and configuration TLS session.
   d. The Intel AMT device validates the SCA certificate: it checks that the OID or the OU is correct, that it is derived from a Certification Authority (CA) that matches one of the root certificate hashes, and that it is a Server certificate.
   e. The Intel AMT device verifies that the domain suffix matches the FQDN suffix in the SCA certificate.
4. One Time Password verification: The SCA optionally requests the OTP from the Intel AMT device. The device sends the OTP securely. The SCA verifies the OTP for correctness.
5. At some point before the SCA sends a CommitChanges command to complete the setup and configuration process, it sends a SetMEBx password command to change the password from its default, if it was not already changed.
6. Since the Intel AMT device network interface is open only for a maximum of 255 hours after sending the first “Hello” message, the SCA can command the device to reset the period to a new value of 1 to 24 hours.
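The checks the device applies in steps 2, 3d, 3e and 6 are shown below as an added Python example; it is not Intel's code and does not touch a real TLS stack. Certificates are modelled as plain records with a constructed byte string standing in for the DER encoding, the Remote Configuration OID and OU values are placeholders (the real values are Intel-specified and not given on this page), and chain validation only checks issuer/subject linkage and the root hash, not signatures. The names `Cert`, `validate_sca_certificate`, `domain_suffix_matches` and `reset_open_period` are assumptions for this example.

```python
import hashlib
from dataclasses import dataclass

# Placeholders standing in for the Intel-specified setup OID and OU
# (assumption: the real values are taken from Intel's documentation).
SETUP_OID = "1.3.6.1.4.1.99999.1.1"          # placeholder OID
SETUP_OU = "Example Client Setup Certificate"  # placeholder OU
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth (standard EKU)
MAX_OPEN_HOURS = 255                            # window after the first "Hello"


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    fqdn: str          # FQDN carried in the certificate (CN / SAN)
    ou: str            # subject Organizational Unit
    oids: tuple        # policy / extension OIDs present in the certificate
    ekus: tuple        # Extended Key Usage OIDs
    der: bytes         # constructed bytes standing in for the DER encoding


def cert_hash(cert: Cert) -> str:
    """Hash the (stand-in) DER encoding, as the device's root hashes are computed."""
    return hashlib.sha256(cert.der).hexdigest()


def chain_to_trusted_root(chain: list, trusted_hashes: set) -> bool:
    """Leaf first: every issuer must name the next certificate's subject, the last
    certificate must be self-issued, and its hash must be one the device trusts.
    Signature verification is omitted in this stand-in."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and cert_hash(root) in trusted_hashes


def domain_suffix_matches(device_suffix: str, fqdn: str) -> bool:
    """Step 3e: the configured domain suffix must match the FQDN suffix on a label
    boundary, so 'corp.example.com' does not match 'sca.badcorp.example.com'."""
    suffix = device_suffix.lower().rstrip(".")
    name = fqdn.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def validate_sca_certificate(chain: list, trusted_hashes: set, device_suffix: str):
    """Steps 3d and 3e as the device applies them; returns (ok, list_of_failures)."""
    leaf = chain[0]
    failures = []
    if SETUP_OID not in leaf.oids and leaf.ou != SETUP_OU:
        failures.append("setup OID/OU missing")
    if SERVER_AUTH_EKU not in leaf.ekus:
        failures.append("not a server certificate")
    if not chain_to_trusted_root(chain, trusted_hashes):
        failures.append("chain does not end in a trusted root hash")
    if not domain_suffix_matches(device_suffix, leaf.fqdn):
        failures.append("domain suffix does not match certificate FQDN")
    return (not failures, failures)


def reset_open_period(hours: int) -> int:
    """Step 6: the SCA may reset the open-interface period only to 1..24 hours."""
    if not 1 <= hours <= 24:
        raise ValueError("open period must be between 1 and 24 hours")
    return hours


# Constructed sample chain: a self-issued root and an SCA leaf it issued.
ROOT = Cert(subject="CN=Example Root CA", issuer="CN=Example Root CA",
            fqdn="", ou="", oids=(), ekus=(), der=b"constructed-root-der-bytes")
LEAF = Cert(subject="CN=sca.corp.example.com", issuer="CN=Example Root CA",
            fqdn="sca.corp.example.com", ou=SETUP_OU, oids=(SETUP_OID,),
            ekus=(SERVER_AUTH_EKU,), der=b"constructed-leaf-der-bytes")
# Hashes the device carries and advertises in its "Hello" message (step 2).
DEVICE_ROOT_HASHES = {cert_hash(ROOT)}

if __name__ == "__main__":
    print(validate_sca_certificate([LEAF, ROOT], DEVICE_ROOT_HASHES, "corp.example.com"))
    print(validate_sca_certificate([LEAF, ROOT], set(), "corp.example.com"))
```

The suffix check is deliberately done on label boundaries; a bare `endswith(suffix)` would accept a look-alike domain, which is the kind of defect that turns a provisioning trust check into a bypass.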
Copyright © 2006-2022, Intel Corporation. All rights reserved.