Setup Mode Hello Messages

When an Intel AMT device transitions from Factory Mode to Setup Mode, it attempts to create a TCP/IP connection with the SCA on the default port as described in the following steps.

1.  Intel AMT connects to the SCA using one of the following methods:

   - Using the IP address entered via the BIOS extension – Continue from step 2.

   - Looking up the address on the domain name server (DNS), using the SCA hostname. Intel AMT does a DNS lookup using the hostname “ProvisionServer” and either the optional domain name entered via the BIOS sub-menu as one of the TCP/IP parameters or, if no domain name was entered, the default domain name (this is an OEM option and may be blank). Intel AMT sends this lookup request even if no domain name was entered. If this lookup fails (and it will if there is no FQDN or domain suffix), Intel AMT tries a DNS lookup using a DNS suffix returned by the DHCP server, if the DHCP server is configured to return domain names (DHCP option 15). If the DNS server does not have a record for the setup and configuration server FQDN, the device will not be able to look up the FQDN of the SCA server. The user will then need to either manually enter the setup and configuration server IP address via the BIOS extension or add a static alias to the DNS server, so that the setup and configuration server hostname, combined with the Intel AMT local domain, resolves to the setup and configuration server IP address.

2.  When the device successfully connects to the SCA, it sends a “Hello” message, with one of the following formats:

   - For PSK:

| Byte Offset | Type | Content |
|---|---|---|
| 0 | Unsigned short | Admin credentials set |
| 2 | Unsigned short | Interface version (2 for PSK) |
| 4 | Unsigned long | Retry count (0 – 14) |
| 8 | Byte 16 | Device UUID |
| 24 | Byte 8 | PID |

Note: Support for the PSK format was removed in Intel AMT release 11.0.

   - For PKI:

| Byte Offset | Type | Content |
|---|---|---|
| 0 | Unsigned short | Admin credentials set |
| 2 | Unsigned short | Interface version (3 for PKI) |
| 4 | Unsigned long | Retry count (0 – 264) |
| 8 | Byte 16 | Device UUID |
| 24 | Unsigned Char | Number of certificate hashes (maximum value is 23) |
| 25 and on | | Certificate hashes |

Each hash entry consists of a header and the hash itself, in the following format:

   - Header: 2 bytes
        - Byte 0: Hash algorithm: 1 = SHA1 (20 byte hash); 2 = SHA256 (32 byte hash); 3 = SHA384 (48 byte hash)
        - Byte 1: Hash length in bytes (20, 32, or 48)
   - Hash: 20, 32, or 48 bytes

Each hash corresponds to a root certificate from a CA.

Note: Support for the SHA1 hash algorithm was deprecated in Intel AMT release 11.0.

3.  In PSK “Hello” messages the first two bytes are usually 0x0001 unless the device has a localized BIOS. If there is a localized BIOS, the value will be 0x0000, indicating that new administrator credentials must be set in the Intel AMT device for Setup and Configuration to complete successfully. In PKI “Hello” messages the first two bytes will usually be 0x0000 (i.e. admin credentials have not been set, meaning that the MEBx password is still the default).

4.  After the “Hello” message is sent, the Intel AMT device closes the TCP/IP connection.

Note: Intel AMT sends the “Hello” message in host order, not in network order. To compensate for this, the sample SCA processes the message in host order. An ISV-created setup and configuration application must do the same.
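The following parser shows how a setup and configuration application could decode and validate a PKI “Hello” message against the layout above before acting on it. It is an added example, not Intel's sample SCA code; it assumes that host order means little-endian, and the function names and the sample message are constructed for illustration.

```python
import struct

# Hash algorithm id -> (name, digest length), from the PKI table above.
HASH_ALGS = {1: ("SHA1", 20), 2: ("SHA256", 32), 3: ("SHA384", 48)}
MAX_HASHES = 23
# Offsets 0, 2, 4, 8, 24 with no padding (25 bytes).
# Assumption: "host order" on the device is little-endian ("<").
FIXED = struct.Struct("<HHI16sB")


def parse_pki_hello(data: bytes) -> dict:
    """Parse and validate a PKI Hello message; raise ValueError if malformed."""
    if len(data) < FIXED.size:
        raise ValueError("truncated fixed header")
    admin_set, version, retry, dev_uuid, count = FIXED.unpack_from(data, 0)
    if version != 3:
        raise ValueError(f"not a PKI hello (interface version {version})")
    if count > MAX_HASHES:
        raise ValueError(f"hash count {count} exceeds {MAX_HASHES}")
    hashes, pos = [], FIXED.size
    for _ in range(count):
        if pos + 2 > len(data):
            raise ValueError("truncated hash header")
        alg, length = data[pos], data[pos + 1]
        # The declared length must agree with the declared algorithm.
        if alg not in HASH_ALGS or HASH_ALGS[alg][1] != length:
            raise ValueError(f"bad hash header alg={alg} len={length}")
        digest = data[pos + 2 : pos + 2 + length]
        if len(digest) != length:
            raise ValueError("truncated hash")
        hashes.append((HASH_ALGS[alg][0], digest.hex()))
        pos += 2 + length
    return {"admin_credentials_set": admin_set, "retry_count": retry,
            "uuid": dev_uuid.hex(), "hashes": hashes}


def build_sample() -> bytes:
    """Constructed sample message (not captured from a device)."""
    msg = FIXED.pack(0, 3, 2, bytes(range(16)), 2)
    msg += bytes([2, 32]) + b"\xaa" * 32   # SHA256 entry
    msg += bytes([3, 48]) + b"\xbb" * 48   # SHA384 entry
    return msg


if __name__ == "__main__":
    print(parse_pki_hello(build_sample()))
```

The message arrives over a plain TCP connection, so every length and count field is checked before it is used to index into the buffer.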

 

Hello Message Retries and the Network Interface

The Intel AMT device continues to send “hello” messages until configuration is complete (all mandatory parameters are set and the Commit Changes command is issued by the Configuration Server), or the network interface is closed by the Intel AMT device. The Intel AMT device performs retries according to the following retry algorithm:

   - 5 retries at ~1 minute intervals (AMT adds a random delay of up to 15 seconds)

   - 5 retries at ~10 minute intervals (AMT adds a random delay of up to 255 seconds)

   - 5 retries at ~1 hour intervals (AMT adds a random delay of up to 15 minutes)

Note: The retry algorithm restarts after a firmware reset, which can happen due to a power-cycle of the Intel AMT device (i.e., disconnecting AC power from the platform).

The following table describes the behavior of the different Intel AMT releases when the retry algorithm has completed.

| Intel AMT Release | Behavior |
|---|---|
| 2.0/2.1/2.5 (and 3.x using PSK) | The network interface remains open but “hello” messages are not sent unless the retry algorithm is restarted by performing a firmware reset. |
| 2.2/2.6 | After 6 hours the network interface is closed, unless a new value is entered using the “ExtendProvisioningPeriod” command. When the network interface is closed, the Intel AMT device remains in the Setup Mode. Only a command from a local agent or a partial Unprovision from the MEBx will re-open the network interface. Full unprovision will cause Intel AMT to close the network interface until the agent re-activates it. |
| 3.x/4.x/5.x | After 6 hours the network interface is closed, unless a new value is entered using the “ExtendProvisioningPeriod” command. When the network interface is closed, the Intel AMT device remains in the Setup Mode. Only a command from a local agent or a partial Unprovision from the MEBx will re-open the network interface. If using PKI, full unprovision will cause Intel AMT to restart sending “hello” messages. The network interface remains open. Furthermore, full unprovision from the MEBx Menu will also re-open the network interface. |
| 6.x and later | After 6 hours the network interface is closed, unless a new value is entered using the “ExtendProvisioningPeriod” command. When the network interface is closed, the Intel AMT device is moved back to Factory Mode (but PSK data/PKI customized data is not deleted). |

Copyright © 2006-2022, Intel Corporation. All rights reserved.