Tuesday, 18 September 2012

Intel AMT quickstart guide

Introduction

Intel Active Management Technology (AMT) is a very interesting technology, and today it is built into many Intel-based laptops, but many owners have no idea that their machine can do it, nor how to use it in practice. No wonder: the official Intel documentation is not easy to read. It is full of enterprise abbreviations and buzzwords. That's why I wrote this very simple quickstart guide.

Intel AMT allows you to remotely configure, control and provision your machine. You don't need a separate management card; everything is already built into your machine. It is OS independent and shares your network interface transparently with the OS: the Management Engine processes network packets before the OS sees them, so host firewall rules do not apply to AMT traffic. It is accessible even if the machine is off, booting or hung. It is also possible to enable this functionality on the wireless network card. There is a built-in web server for easy human control (e.g. power on/off/reboot), but unfortunately it does not offer many functions. For more advanced control, WS-Management has to be used. It also supports CIM bindings. The following DMTF WS-Management specifications are generally supported:

  • DSP0226 Web Services for Management (WS Management)
  • DSP0227 WS-Management CIM Binding Specification
  • DSP0230 WS-CIM Mapping Specification

For more details see Intel documentation.

So what can you do with it in practice? You can remotely redirect the boot process, e.g. to a network share, mount a remote image (IDE Redirection, IDER), access and change BIOS settings, redirect input and output through KVM, filter, block, inspect or rate-limit network traffic, access a persistent event log that is stored in protected memory, and much more. But remember, it is over-engineered enterprise-class technology, so the configuration and activation of these features is not always obvious :).

Intel AMT is built into the chipset. The supported features are defined by the AMT version number. You can upgrade the AMT firmware, but only across minor releases. It is not possible to flash firmware with a higher major version number, because it would be incompatible with your physical hardware. A handy list of AMT versions with matching chipsets is available on Wikipedia. KVM is available from AMT version 6.0 and up, so for a working KVM you need a recent enough board and chipset that support at least Intel AMT 6.0. You also need a supported CPU with integrated graphics, which is what the KVM uses to capture the screen.

AMT activation

First you need to enable it in the BIOS and reboot. Then, in the early boot screen, enter the Management Engine BIOS extension (MEBx) by pressing CTRL + P (or F12 on some machines). Log into the ME with ''admin'' as both username and password, then change the default password. Remember, this is enterprise-class technology :), so the password has to be complex enough, containing mixed-case characters, digits and special characters, otherwise it is rejected by the ME (it took me a while to come up with an acceptable password the first time :). Do not leave the default in place: once the ME is enabled, the interface is reachable from the network no matter what the OS does. Enable the ME (it may require a reboot and logging in with your new password). Then configure the ME, at least the network. You can use a static configuration (with a secondary IP used for the ME and a different IP for the host OS) or DHCP (with one IP shared with the host OS), and it can also be set to automatically synchronize with the host OS IP. Also do not forget to set the hostname; this is important, otherwise the machine will not be remotely accessible. Switch the mode to SMB (Small Business) management mode. Do not use the Enterprise mode (it is meant to be used together with Active Directory). And finally reboot.

Now you should be able to access the AMT web interface. Open your web browser and point it to http://YOURMACHINE:16992 (plain HTTP; the TLS variant listens on port 16993 once TLS is configured). You will probably need to do it from another machine, not the one you are trying to control. Have a look around the web interface. Nice, eh?

More stuff

In Fedora there is a nice package called ''amtterm''. It includes a Perl script (''amttool'') that can query info, power up/down, configure the network, redirect BIOS boot messages and also redirect the boot process. There is also a command-line serial terminal, also called ''amtterm'', and a graphical terminal called ''gamt''. To use the serial line remotely you need to enable Serial Over LAN (SOL) in the ME configuration (after boot). Then the OS should see another serial port. You can then configure your Fedora to use this serial port as the boot console, or you can even configure your GRUB to use this serial port for remote OS selection (but the OS selection didn't work correctly for me with grub2/f17/t420s). To enable it, add the following lines to /etc/default/grub (my AMT serial port was ttyS0):

GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0"

Also add 'console=tty0 console=ttyS0,115200' to GRUB_CMDLINE_LINUX in /etc/default/grub (and you can remove 'rhgb quiet'). Then regenerate your grub2 config:

# grub2-mkconfig -o /boot/grub2/grub.cfg

Now you can connect from a remote machine, e.g.:

$ amtterm YOURMACHINE

KVM

That's all great, but the really cool stuff is KVM. It is possible to connect to your machine through VNC and control it remotely, even browse your BIOS setup :). Remember, you need at least Intel AMT 6.0 and a supported CPU for this to work. What you get out of the box is out-of-band KVM: RFB packed into an AMT-authenticated and possibly TLS-encrypted stream, so a special client is needed. There are several commercial clients, mostly for Windows, like RealVNC Viewer Plus, that can do it out of the box. There is also the Intel AMT SDK, which contains an example Linux implementation of an out-of-band KVM viewer. Unluckily it uses a RealVNC binary that comes with an evaluation license; you can buy a full license. So far not good for open-source/free software enthusiasts.

Luckily, it is possible to expose the KVM on the classic VNC port 5900, so any VNC client can be used. This requires a slightly hackish session with wsman :), but it needs to be done only once. In Fedora there is a ''wsmancli'' package that can be used for this task. First you need to set the RFB password (this is another password that is used only for KVM, not your AMT password). Remember, this is highly over-engineered enterprise technology, so the password must have exactly 8 characters and has to be a combination of mixed-case characters, digits and special characters, otherwise it is rejected. Keep in mind that the commands below talk to port 16992, i.e. plain HTTP: the admin credentials are protected by HTTP Digest authentication, but the request body carrying the RFB password travels unencrypted unless TLS is configured and you talk to port 16993 instead. Set the password through wsman:

# wsman put \
http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k RFBPassword=RFB_PASSWORD

Then enable KVM redirection to port 5900:

# wsman put \
http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k Is5900PortEnabled=true

And finally enable the KVM:

# wsman invoke -a RequestStateChange \
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k RequestedState=2

You can also query the current settings by:

# wsman get \
http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD

By default the opt-in policy is enabled. This means that remote access must be explicitly allowed by the local user. Upon a VNC connection the AMT generates a one-time PIN that is shown on the local screen as a hardware overlay. This OTP PIN is required as a second factor for the VNC access: the local user tells the PIN to the remote user to allow the connection. If the opt-in policy is disabled, no PIN is required, so anybody holding the AMT admin credentials and the RFB password can take over the console without anyone at the machine agreeing; all that remains is an OSD indicator on the local screen showing that a remote session is in progress. Think twice before doing this on a machine reachable from an untrusted network. Disable the opt-in policy by:

# wsman put \
http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData \
-h AMT_HOST -P 16992 -u admin -p AMT_PASSWORD -k OptInPolicy=false

Now you can simply connect with your favorite VNC viewer.
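The whole wsman sequence above (set the RFB password, enable port 5900, enable the redirection SAP, query the settings and optionally drop the opt-in policy) collected into one POSIX shell script. This is an added example, not code from the original post or from Intel: the wsman URIs and keys are the ones used above; the host, user, password and port come from the environment variables AMT_HOST, AMT_USER, AMT_PASSWORD and AMT_PORT (my names, not wsmancli's); and validate_rfb_password encodes the 8-character mixed-class rule described above, with "special character" assumed to mean any non-alphanumeric character.

```shell
#!/bin/sh
# Added example (not from the original post): drive the wsman KVM setup from
# one script and refuse to send an RFB password the firmware would reject.
# Assumed environment (names are mine): AMT_HOST, AMT_PASSWORD, and optionally
# AMT_USER (default admin) and AMT_PORT (default 16992, plain HTTP).

IPS_KVM='http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData'
CIM_KVM_SAP='http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP'

# Rule from the post: exactly 8 characters containing upper case, lower case,
# a digit and a special character. "Special" is assumed to mean non-alphanumeric.
validate_rfb_password() {
    rfb_pw=$1
    [ "${#rfb_pw}" -eq 8 ] || return 1
    case $rfb_pw in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $rfb_pw in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $rfb_pw in *[[:digit:]]*) ;; *) return 1 ;; esac
    case $rfb_pw in *[![:alnum:]]*) ;; *) return 1 ;; esac
    return 0
}

# Wrapper adding the connection options used throughout the post.
# Note: -p puts the AMT password on the command line, visible in `ps`, and on
# port 16992 the SOAP body (including RFBPassword) is sent unencrypted.
amt_wsman() {
    wsman "$@" -h "${AMT_HOST:?set AMT_HOST}" -P "${AMT_PORT:-16992}" \
        -u "${AMT_USER:-admin}" -p "${AMT_PASSWORD:?set AMT_PASSWORD}"
}

# Set the RFB password, expose KVM on 5900 and enable the redirection SAP
# (RequestedState=2 is CIM "Enabled"), then print the resulting settings.
enable_kvm_on_5900() {
    if ! validate_rfb_password "$1"; then
        echo 'RFB password must be exactly 8 chars with upper, lower, digit and special' >&2
        return 1
    fi
    amt_wsman put "$IPS_KVM" -k "RFBPassword=$1" &&
    amt_wsman put "$IPS_KVM" -k Is5900PortEnabled=true &&
    amt_wsman invoke -a RequestStateChange "$CIM_KVM_SAP" -k RequestedState=2 &&
    amt_wsman get "$IPS_KVM"
}

# Kept separate on purpose: this removes the local user's consent PIN, leaving
# only the on-screen indicator. Call it only if you want unattended access.
disable_opt_in() {
    amt_wsman put "$IPS_KVM" -k OptInPolicy=false
}

# Usage: AMT_HOST=host AMT_PASSWORD=secret sh amt-kvm.sh RFB_PASSWORD [--no-opt-in]
if [ $# -ge 1 ] && [ -n "${AMT_HOST:-}" ]; then
    enable_kvm_on_5900 "$1" || exit 1
    if [ "${2:-}" = '--no-opt-in' ]; then
        disable_opt_in
    fi
fi
```

Checking the password locally first saves a round trip and, more importantly, avoids sending a candidate password to the firmware only to have it rejected; the script leaves the opt-in policy alone unless you ask for it explicitly, for the reasons given above.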

Clean-up

To clean up the ME configuration, enter the BIOS setup and disable AMT. Save and reboot. During the reboot the AMT firmware will ask you whether you really want to unconfigure it. Confirm, and the unconfiguration starts. It takes a while (again, it is enterprise technology :), and when the unconfiguration finishes, the machine reboots. Now AMT is deactivated and, for the next activation, all settings (including the password) will be back at their defaults.

7 comments:

  1. This is all nice, but is there a way to limit access to the AMT interface based on source IP?

  2. I think there is a way: http://software.intel.com/sites/manageability/HLAPI_Documentation/default.htm?turl=Documents%2Fcreatingandapplyingsystemdefensepolicies.htm

    I am not sure whether it is possible to configure this through WS-Management. I will try to write a blog post about it later after doing some research.

    Replies
    1. Seen that, it only touches traffic for the operating system and ignores traffic to AMT.
      I however configured TLS and now authenticate with a certificate.

  3. Thank you for the above; we were banging our heads trying to connect using VNC from a Linux host....

  4. Just want to say thank you for this. Couldn't find the info about the user opt-in anywhere until I ran into your blog. Thanks again!

  5. Unfortunately, the http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData url is now a 404 and this no longer works. Does anybody have a mirror or updated instructions?

  6. The schema is in the SDK, but it's odd that it doesn't seem to have a well-defined public home on the web.
