Open AMT Cloud Toolkit — Part 6: Activate client in Admin Control Mode

In order to switch a client to Admin Control Mode, depending on your setup you may have to perform additional steps.

We assume the client has already been configured and is working in Client Control Mode as the steps are identical except additional configuration in certain cases.

If you created your own root CA certificate, you need to enroll its hash in each client's AMT. If you use an AMT certificate from an authority already trusted in AMT, you can skip this step.

Additionally, AMT must know about the DNS suffix to validate the certificate. If you have a DHCP server you can configure, you can simply add an option to it. Otherwise, it needs to be set manually in MEBx (Management Engine Bios Extension) UI.

If you use a trusted CA and you can configure the DHCP properly, no specific configuration has to be performed on the client. Otherwise you need physical and BIOS access to each client machine.

Enroll custom CA certificate hash

When using a custom root CA certificate, its hash must be added manually in each client's AMT in order for the certificate to be validated.

The MEBx UI allows typing in SHA1 hashes only, however this is deprecated  and removed since AMT 15, and also found not to be working on earlier versions. Instead, SHA256 hashes must be used, but they cannot be typed into MEBx with ME 14 and earlier since they are slightly longer.

The solution is to create a setup.bin provisioning file on an USB drive that will be read at boot time by the client.

Create a setup.bin file with USBFile

The setup.bin file is created using the USBFile tool, found in the Intel AMT SDK. Intel only supplies a Windows binary, but it can be executed on Linux with Wine.

Note that USBFile can do much more than enroll a certificate hash, but we will restrict its usage to this purpose here.

Download and extract Intel AMT SDK: https://www.intel.com/content/www/us/en/download/704388/intel-amt-sdk.html then extract the USB_File_Module_*.zip archive inside. The USBFile.exe tool is under the Bin directory.

Download a libcrypto.dll library in the same directory as USBFile.exe, you can for example use the OpenSSL-Win32 1.1 Light from https://slproweb.com/products/Win32OpenSSL.html and rename libcrypto-1_1.dll to libcrypto.dll.

Put the AMT_root_ca.crt root CA certificate file in the same directory as USBFile.exe, then, from the Bin directory, run:

USBFile.exe -create setup.bin <MEBx password> <MEBx password> -hash AMT_root_ca.crt "Custom AMT Root CA" sha256

Insert twice the MEBx password specified during creation of the ACM profile. Format is <current password> <new password> but we are not changing it. Note that if you never set the MEBx password previously, the default password is admin so <current password> should be admin instead.

Under Linux, after installing Wine, simply prepend wine to the command.

A setup.bin file is generated in the same directory.

Use the setup.bin to configure an AMT client

Put the previously generated setup.bin file on a USB drive with a single partition formatted as FAT32.

This USB drive can now be used on any client to add the custom root CA hash.

Plug the USB drive in a client machine, reboot and enter the UEFI boot menu.

Select the Intel(R) Management Engine BIOS Extension (MEBx) entry. If this entry is not available, make sure MEBx access is not restricted in UEFI setup.

A prompt should appear asking to confirm the enrollment of the configuration, press Y.

If the prompt does not show up or an error shows up about disabled USB provisioning, enable Intel AMT USB Provisioning in UEFI Setup and try again.

The machine will reboot, you can unplug the USB drive and boot into the operating system.

Once in the operating, confirm the hash now available by running:

cd rpc-go
sudo ./rpc amtinfo -cert

An entry called Custom AMT Root CA should show up with the SHA256 hash.

You can compare it to the SHA256 hash obtained from the root CA certificate file by running:

openssl x509 -noout -fingerprint -sha256 -inform pem -in AMT_root_ca.crt

Set DNS suffix

By DHCP configuration

If clients receive IP configuration from a DHCP server and you can edit the configuration of the DHCP server, you can set DHCP Option 15 to the appropriate DNS suffix (i.e. server FQDN) and the AMT clients will pull it automatically.

By manual configuration in MEBx

If you do not have a DHCP server or cannot change its configuration, you must add the DNS suffix manually on each client through MEBx UI, as described here or below.

Reboot the machine and enter the UEFI boot menu. Select the Intel(R) Management Engine BIOS Extension (MEBx) entry. If this entry is not available, make sure MEBx access is not restricted in UEFI setup.

Then, if you never set an MEBx password on the client (different from AMT password), you need to set one now. The default password is admin. Use the same password than the one specifed during the ACM profile creation as the new password.

Log in with the MEBx password (warning: QWERTY US layout), then enter the Intel(R) AMT Configuration menu and the Remote Setup And Configuration submenu. Select TLS PKI, and set the PKI DNS Suffix to the server FQDN used throughout this guide (more specifically, the Domain Name specified during ACM profile creation).

If one of these option is not available, AMT may still be provisioned with an existing profile and needs to be unprovisioned. To do so, set the Unconfigure Network Access option to Full unprovision in the Intel(R) AMT Configuration menu. Warning: unprovisioning will also delete custom root CA hashes.

Deactivate CCM profile

If the client is already configured in Client Control Mode, deactivate it first:

cd rpc-go
sudo ./rpc deactivate -u wss://<server FQDN>/activate -n

The AMT password set in the CCM profile will be required.

Activate with ACM profile

The process is the same as the Activate step of part 4, so follow these steps again. The only difference is that the ACM profile name should be specified in the rpc activate command instead:

sudo ./rpc activate -u wss://<server FQDN>/activate -n -profile <acm profile name>

If there is a failure, activate verbose mode by adding -v to the command above, and check part 5 again.

However, if the error is "Invalid domain certificate, hash does not exists in list of trusted root certificates on AMT", then it means there is no hash corresponding to the root CA certificate in the client's AMT, go over the Enroll custom CA certificate hash section and double check the SHA256 hash matches. This error can also show up when using SHA1 instead of SHA256.

Check KVM without user consent

Log in to the web UI and click on the Devices tab. Your newly activated device should be listed there with its hostname.

Click on the device and make sure there is no error popping up while loading the page. Device information should be listed under System Summary, BIOS Summary and Memory Summary.

You can try the various controls under the Out-of-Band Power Actions section, as well as In-Band Power Actions if LMS agent is installed on the client.

Finally, on the top-right, you can click the KVM button to try to establish a KVM session. Since the client is now activated in Admin Control Mode and user consent is disabled in the profile, the session should be established immediately, without needing the user consent code. Regardless, when a remote session is established, the client machine will still display a notification to the user.

Subscribe to piernov

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe