Using a USB Device for Configuring Intel® AMT Parameters

A USB device can be used to prepare an Intel AMT device for provisioning as a replacement to entering settings manually via the BIOS (MEBX) menu. The USBfile command line tool in the Intel AMT SDK enables use of the USB device for this purpose.

USBfile Tool

The USBfile command line tool creates provisioning records that are later copied to a USB device. The provisioning records contain some of the MEBX parameters required for provisioning. When you run the USBfile tool, you specify the parameters that should be included in each provisioning record.

USBfile can create two types of records:

   Records that are not reusable. In this case, USBfile creates a separate record for each Intel AMT device that needs to be provisioned. The values in each record are consumed by one platform, and the record is not used again.

   Records that are reusable, i.e., the same record is consumed by multiple platforms

When a platform is booted from the USB device, the BIOS consumes the values in the record and assigns them to the relevant MEBX parameters.

If the record is not reusable: Once the platform has booted and its values have been consumed, the record is marked as “used” on the USB device. When another platform is subsequently booted from the USB device, that platform’s BIOS consumes the parameters of the next available unused record.

If the record is reusable: All platforms that are booted from the USB device consume that record’s values.

For testing PKI provisioning, the tool can be used to create a single (non-consumable) PKI record file.

The USBfile tool creates different record formats for different versions of Intel AMT. In addition, the parameters in the provisioning record depend on the Intel AMT version.

For details of the record formats and parameters in each version of Intel AMT, see Intel AMT and USB Versions.

USBfile Running Modes

After USBfile has been run and the resulting provisioning records have been copied to the USB device, booting from the device provides some of the MEBX parameters but does not complete provisioning of Intel AMT. Provisioning can be completed by Remote Configuration or Secure Host Based Configuration.

The USBfile tool can be used for streamlining the setup of the trust anchor for provisioning Intel AMT Provisioning in Admin Control Mode, by setting the Trusted FQDN of the company (the -dns parameter) and the Trusted CA Certificate Hash (the -hash parameter).

Note: Prior versions of USBfile could also be run in Manual mode, in which booting from the USB device resulted in complete provisioning of Intel AMT. Manual mode has been deprecated to enhance security.

Running the USBfile Tool

For details on the USBfile syntax and options, see the USBFile Readme.txt file in USB_File_Module_<version>.zip in the Intel AMT SDK kit.

See Also:

   Intel AMT and USB Versions

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.