Intel AMT Provisioning: The 3 Hellos and the 3 Modes

I was recently going through the Developers Guide to the Sample Setup and Configuration document that is in the Intel® AMT Software Development Kit. I found some good reference material that I thought perhaps our developers could use as they are trying to figure out "What the heck is going on in the provisioning process??"

The first thing of interest that I found was this table that talks about the 3 different kinds of Hellos - When an AMT Client enters setup mode, it starts sending out "Hello" packets. If we are doing the PID-PPS provisioning, the AMT Client sends out Type 2 Hello packets and if we are doing the PKI-CH (using the built in certificate hashes), then the AMT Client sends out Type 3 hello packets.

The 3 different "Hellos"

THIS IS A TYPE 2 HELLO Packet - It is sent if we are using PSK Provisioning (One-Plus touches.)

THIS IS A TYPE 3 HELLO Packet - It is sent if we are using PKI-CH / Remote Provisioning using the built in Certificate Hashes.

Notice that this "Hello" packet has the Certificate Hashes in it..

The second important thing that we need to know is that there are 3 modes that an Intel AMT Client can exist in, and the AMT Client must be in "Setup Mode" in order to become provisioned (it is in this mode that the Network is open to receive provisioning messages.)  Here are the 3 modes, and what is going on during each mode:

    1. Factory Mode: Intel AMT comes from the factory in Factory Mode. In this mode Intel AMT is unconfigured and not available for use by management applications. When an operator enters information via the Intel AMT BIOS extension manually or with the aid of a USB storage device, Intel AMT makes the transition into setup mode.

    1. Setup Mode: When an Intel AMT device enters Setup Mode it waits for delivery of its configuration settings from the setup and configuration server. After it enters setup mode, the Intel AMT device periodically sends "Hello" messages to the setup and configuration server. When the setup and configuration server receives messages from the Intel AMT device, it responds by delivering the configuration settings and placing the device in Operational Mode.

    1. Operational Mode: Intel AMT enters Operational Mode once its configuration settings have been supplied and committed. At this point Intel AMT is ready to interact with management applications.

I'm going to put a couple more posts out today pertaining to Intel AMT and Mutual Authentication, steps required for PID-PPS Provisioning, and steps required for Remote PKI-CH Provisioning.