Open AMT Cloud Toolkit — Part 4: Client setup

Now that we have a basic server setup we can switch to the client.

We will demonstrate a setup using Ubuntu 22.04 as the operating system, but any relatively modern distribution should do, or even possibly Windows.

All the actions in this article are performed on a client machine.

Check the client requirements and enable AMT

Refer to Open AMT Cloud Toolkit — Part 1: Introduction for the requirements of the client machine.

Then, if it is not enabled already, you need to enable Intel AMT in your UEFI setup. Doing so should cause a new Intel(R) Management Engine BIOS Extension (MEBx) entry to appear in the UEFI boot menu.

For example, in Dell UEFI Setup, the options are generally under the Manageability section. There, Intel AMT Capability should be set to Enabled. While you are there, you can also check that Restrict MEBx access is disabled and USB Provision is enabled; both will be required for Admin Control Mode.

If AMT cannot be enabled from the UEFI setup, your platform may not support AMT at all, or it may have been permanently disabled at the factory. On Dell desktops, a sticker on the chassis (outside or on the inside of the side panel) often indicates the AMT status, which should read 1 ENABLE. If it reads 3 DISABLE, Intel AMT has been permanently disabled at the factory. We will cover in a future article a way to enable it again in this case.

Force enable the mei_wdt module

Before installing LMS (Local Manageability Service), the mei_wdt module needs to be loaded, otherwise LMS will complain when starting up. Most distributions blacklist it by default, so we need to force it to load anyway, and to do so before LMS starts.

Create a drop-in directory for the modprobe@ service instance that loads mei_wdt:

sudo mkdir -p /etc/systemd/system/modprobe@mei_wdt.service.d/

Then, as root, create /etc/systemd/system/modprobe@mei_wdt.service.d/ignore-blacklist.conf with the following content (the stock unit calls modprobe with -b, which honours the blacklist; the override drops it):

[Unit]
Before=lms.service

[Service]
ExecStart=
ExecStart=/sbin/modprobe -aq %I

[Install]
WantedBy=multi-user.target

Enable the service:

sudo systemctl enable --now modprobe@mei_wdt.service

Build and install LMS

Intel LMS (Local Manageability Service) is an agent installed on the client machine that allows some additional remote control capabilities such as sleep, hibernate and poweroff, as well as setting up the static IP settings automatically. However, it is not required for other features such as hardware power actions or KVM.

Install the build dependencies:

sudo apt install libace-dev libxml2-dev libcurl4-openssl-dev libxerces-c-dev libnl-3-dev libnl-route-3-dev devscripts libglib2.0-dev

Fetch the source code:

git clone https://github.com/intel/lms.git

Build the package:

cd lms
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make -j"$(nproc)"
make -j"$(nproc)" package

Finally, install the package (the version in the file name follows the LMS release you checked out):

sudo apt install ./lms-2322.0.0-Linux.deb

This package can be copied and installed to other client machines with the same operating system.

Build rpc-go

rpc-go is used to set the client AMT configuration, such as enrolling the server profile.

At the time of writing, Go 1.20 is the version of choice to build the source code, so let's install it. On Ubuntu:

sudo apt install golang-1.20

Now, let's clone rpc-go:

git clone https://github.com/open-amt-cloud-toolkit/rpc-go.git

And build it:

cd rpc-go
/usr/lib/go-1.20/bin/go build -o rpc ./cmd/main.go

If the build complains about missing or inconsistent module dependencies, run the following from inside the rpc-go directory and build again (go mod tidy acts on the module in the current directory, so it does nothing useful elsewhere, and it does not need root):

/usr/lib/go-1.20/bin/go mod tidy

The rpc executable can be copied and installed to other client machines with the same operating system.

Activate

First, we will check if rpc-go can talk to AMT:

sudo ./rpc amtinfo

This should display the AMT version available on the machine as well as the current configuration, which should mostly be empty. In particular, Control Mode should read pre-provisioning state, meaning AMT has not been configured yet. For example:

Version			: 14.1.67
Build Number		: 2046
SKU			: 16392
Features		: AMT Pro Corporate 
UUID			: <client UUID>
Control Mode		: pre-provisioning state
DNS Suffix		: 
DNS Suffix (OS)		: <client hostname or FQDN>
Hostname (OS)		: <client hostname>
RAS Network      	: outside enterprise
RAS Remote Status	: not connected
RAS Trigger      	: user initiated
RAS MPS Hostname 	: 
---Wired Adapter---
DHCP Enabled 		: true
DHCP Mode    		: passive
Link Status  		: up
IP Address   		: 0.0.0.0
MAC Address  		: <client AMT interface MAC address>

Any error at this stage means the operating system cannot talk to AMT. Make sure AMT is available on your platform, that it is enabled in the UEFI Setup, that rpc is run as root (it needs access to /dev/mei0) and that nothing prevents the mei_me module from loading. The intelmetool from the coreboot repository may give more information.
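A quick way to rule out the host-side causes named above before retrying rpc amtinfo, as an added example that is not part of the original article, of LMS or of rpc-go. It checks the mei_me driver, the mei_wdt module LMS wants, the /dev/mei0 device that LMS and rpc-go open, and any blacklist line under /etc/modprobe.d. The optional root directory argument is only there so the function can be exercised against a constructed tree; on a real client run it with no argument.

```shell
#!/bin/sh
# Added example (not from the article, LMS or rpc-go): host-side preflight for
# the AMT host interface. amt_preflight [ROOT] inspects ROOT/sys, ROOT/dev and
# ROOT/etc (ROOT defaults to the real root), prints "ok" or a space-separated
# list of findings, and returns 0 only when everything is in place.
amt_preflight() {
    root="${1:-}"
    problems=""

    # mei_me is the PCI driver for the Management Engine Interface. Without it
    # there is no /dev/mei0 and rpc amtinfo cannot talk to AMT at all.
    [ -d "$root/sys/module/mei_me" ] || problems="$problems mei_me-not-loaded"
    if grep -rqsE '^[[:space:]]*blacklist[[:space:]]+mei_me([[:space:]]|$)' "$root/etc/modprobe.d"; then
        problems="$problems mei_me-blacklisted"
    fi

    # mei_wdt is what LMS wants loaded before it starts. Distributions usually
    # blacklist it, which is what the modprobe@mei_wdt drop-in works around.
    if [ ! -d "$root/sys/module/mei_wdt" ]; then
        problems="$problems mei_wdt-not-loaded"
        if grep -rqsE '^[[:space:]]*blacklist[[:space:]]+mei_wdt([[:space:]]|$)' "$root/etc/modprobe.d"; then
            problems="$problems mei_wdt-blacklisted"
        fi
    fi

    # The character device LMS and rpc-go open. It only appears once mei_me has
    # bound to the ME PCI function, i.e. when AMT is enabled in the UEFI setup.
    [ -e "$root/dev/mei0" ] || problems="$problems no-dev-mei0"

    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "${problems# }"
    return 1
}

# Live run on the client (as root, like rpc itself):
#   sudo env AMT_PREFLIGHT_RUN=1 sh amt-preflight.sh     (file name is an assumption)
if [ "${AMT_PREFLIGHT_RUN:-0}" = 1 ]; then
    amt_preflight
fi
```

A "mei_wdt-not-loaded mei_wdt-blacklisted" result means the modprobe override above is missing or not enabled; "mei_me-not-loaded" together with "no-dev-mei0" points at AMT being disabled in the UEFI setup or unsupported on the platform.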

The activate command of rpc-go will enroll the client machine with the given server profile:

sudo ./rpc activate -u wss://<server FQDN>/activate -n -profile <ccm profile name>

Replace the server FQDN with the MPS_COMMON_NAME set previously, adding the /openamtcloudtoolkit/ subdirectory if you use the relative URL setup, e.g. wss://example.com/openamtcloudtoolkit/activate. The profile name is the name of the CCM profile created previously. Note that -n tells rpc to skip verification of the server certificate on the WebSocket connection: it is convenient while the server still uses a self-signed certificate, but it also means the client cannot tell a rogue RPS from yours during activation, so once the server has a certificate the client trusts, drop -n.

This can take up to a few minutes, so be patient. Once it has finished, the output should read something like:

time="2023-08-20T21:19:46+02:00" level=info msg="connecting to wss://<server FQDN>/activate"
time="2023-08-20T21:19:46+02:00" level=info msg="wss://<server FQDN>/activate"
time="2023-08-20T21:19:46+02:00" level=info msg="connected to wss://<server FQDN>/activate"
time="2023-08-20T21:20:35+02:00" level=info msg="Status: Client control mode."
time="2023-08-20T21:20:35+02:00" level=info msg="Network: Wired Network Configured"
time="2023-08-20T21:20:35+02:00" level=info msg="CIRA: Configured"
time="2023-08-20T21:20:35+02:00" level=info msg="TLS: "

If the process does not succeed, you can add -v to the command to see more information and try to find the problem.

However, a successful activation does not yet mean the server can reach AMT. Let's check with:

sudo ./rpc amtinfo

Which should print something similar to:

Version			: 14.1.67
Build Number		: 2046
SKU			: 16392
Features		: AMT Pro Corporate 
UUID			: <client UUID>
Control Mode		: activated in client control mode
DNS Suffix		: 
DNS Suffix (OS)		: <client hostname or FQDN>
Hostname (OS)		: <client hostname>
RAS Network      	: outside enterprise
RAS Remote Status	: connected
RAS Trigger      	: periodic
RAS MPS Hostname 	: <server FQDN>
---Wired Adapter---
DHCP Enabled 		: true
DHCP Mode    		: passive
Link Status  		: up
IP Address   		: 0.0.0.0
MAC Address  		: <client AMT interface MAC address>

In particular, the RAS Remote Status should show connected. Failing this, the server will not be able to manage the client machine.

If the RAS Remote Status is stuck on not connected, there is probably a networking problem, such as one of the following:

Server is not accessible by the client

Double-check that TCP port 4433 is open on the server and forwarded to the MPS as necessary.

From the client, run:

curl -k https://<server FQDN>:4433/

This should return HTML content with Intel Management Presence Server (MPS) in the body.

Server certificate is incorrect

Open https://<server FQDN>:4433/ in a web browser. The page will not load since the certificate is self-signed, but this should only cause a SEC_ERROR_UNKNOWN_ISSUER error. Inspect the certificate and make sure the Common Name in Subject Name matches the server FQDN (the host name only, without any subdirectory). If it does not, make sure MPS_COMMON_NAME has been set properly in .env, delete the certificate from the vault and restart the MPS service on the server.

Client AMT IP configuration is incorrect

If you chose DHCP configuration, make sure the client is able to get an IP address from the DHCP server. Otherwise, you need to create a static IP profile.

If you are using a static IP profile, check the IP configuration in the rpc amtinfo output. LMS should synchronize the configuration automatically, but if this does not work, you can set it manually:

sudo ./rpc maintenance syncip -staticip <client IP address> -netmask <netmask> -gateway <gateway> -primarydns <primary DNS> -secondarydns <secondary DNS> -u wss://<server FQDN>/activate

Replace the fields with the appropriate configuration. The command will prompt for the AMT password set in the profile.

Client is not connected to the network through the AMT interface

There may be multiple integrated network adapters or add-on cards in the machine.

For AMT to be able to communicate with the server, the client machine must be connected to the network through the primary Intel integrated network adapter.

Make sure the correct interface has been configured; check that settings such as the IP and MAC addresses are consistent between the output of ip a and rpc amtinfo.
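The checks from the subsections above (RAS status, static IP, certificate CN, AMT interface versus the OS interface), as an added example that is not from the article or from rpc-go. Each function takes the command output as text so it can be run on a saved copy; the live wrapper at the end runs the real commands. The host name amt.example.com and the MAC address used in testing are constructed placeholders, and the "DHCP Enabled : false" wording for a static profile is an assumption.

```shell
#!/bin/sh
# Added example (not from the article or from rpc-go): post-activation checks
# over `rpc amtinfo` and `ip -o link` output passed in as text.

# Value of one "Key<tabs>: value" line of rpc amtinfo output ($1 = text, $2 = key).
# Only the first colon separates key and value, so MAC addresses come out whole.
amtinfo_field() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        { k = $1; sub(/[ \t]+$/, "", k) }
        k == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Verdict on the CIRA tunnel: prints a one-line diagnosis and returns 0 only
# when RAS Remote Status is "connected". 0.0.0.0 together with DHCP is normal
# (passive mode); "DHCP Enabled : false" for a static profile is an assumption.
ras_check() {
    mode=$(amtinfo_field "$1" "Control Mode")
    status=$(amtinfo_field "$1" "RAS Remote Status")
    dhcp=$(amtinfo_field "$1" "DHCP Enabled")
    ip=$(amtinfo_field "$1" "IP Address")
    if [ "$mode" = "pre-provisioning state" ]; then
        echo "not-activated: run rpc activate first"
        return 1
    fi
    if [ "$status" = "connected" ]; then
        echo "connected"
        return 0
    fi
    if [ "$dhcp" = "false" ] && [ "$ip" = "0.0.0.0" ]; then
        echo "not-connected: static profile but AMT has no IP, run rpc maintenance syncip"
    else
        echo "not-connected: check MPS on TCP 4433, the certificate CN and the AMT interface"
    fi
    return 1
}

# Is the adapter AMT uses the one the OS has up? $1 = amtinfo text,
# $2 = `ip -o link` output. Returns 0 when the AMT MAC sits on an interface in state UP.
amt_nic_is_up() {
    mac=$(amtinfo_field "$1" "MAC Address" | tr 'A-F' 'a-f')
    [ -n "$mac" ] || return 1
    printf '%s\n' "$2" | awk -v mac="$mac" '
        tolower($0) ~ ("link/ether " mac) && /state UP/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Does the MPS certificate CN match the FQDN? $1 = "subject=..." line as printed
# by `openssl x509 -noout -subject` (old "/CN=" and new "CN = " forms), $2 = FQDN.
cn_matches() {
    cn=$(printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Live run (root for rpc, network access to the MPS); file name is an assumption:
#   sudo env AMT_CHECK_LIVE=1 AMT_SERVER=<server FQDN> sh amt-check.sh
if [ "${AMT_CHECK_LIVE:-0}" = 1 ]; then
    info=$(./rpc amtinfo)
    ras_check "$info"
    amt_nic_is_up "$info" "$(ip -o link)" || echo "AMT MAC is not on an interface that is UP"
    subject=$(openssl s_client -connect "$AMT_SERVER:4433" -servername "$AMT_SERVER" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject)
    cn_matches "$subject" "$AMT_SERVER" || echo "certificate CN does not match $AMT_SERVER: $subject"
fi
```

The CN check deliberately compares the host name only, since that is what AMT's CIRA client validates against the MPS certificate; a subdirectory in the activation URL plays no part in it.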

Check availability and manageability of the client in web UI

Log in to the web UI and click on the Devices tab. Your newly activated device should be listed there with its hostname.

Click on the device and make sure there is no error popping up while loading the page. Device information should be listed under System Summary, BIOS Summary and Memory Summary.

You can try the various controls under the Out-of-Band Power Actions section, as well as In-Band Power Actions if LMS agent is installed on the client.

Finally, on the top-right, you can click the KVM button to try to establish a KVM session. After clicking the button, a dialog box should show up with a code that must be entered in the web UI. If the dialog box does not show up, you can reboot the client machine and enter the UEFI boot menu. There, select the Fast Call for Help entry and the code should show up.

The code, known as user consent, is needed to initiate a KVM session since the client has been configured in Client Control Mode. In a future article, we will look at setting up an Admin Control Mode profile to skip the user consent requirement.

When a remote session is established, the client machine will display a notification to the user.

Switch to Admin Control Mode

In the next article, we will create an ACM profile to prepare switching to Admin Control Mode in order to remove the requirement for user consent.
