Intel Active Management Technology

A part of the Intel AMT web management interface, accessible even when the computer is sleeping

Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers,[1][2][3][4][5] in order to monitor, maintain, update, upgrade, and repair them.[1] Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents.[1][2]

Hardware-based management works at a different level than software applications, uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or locally installed management agent. Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP allocation and diskless workstations, as well as Wake-on-LAN (WOL) for remotely powering on systems.[6] AMT is not intended to be used by itself; it is intended to be used with a software management application.[1] It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.[1][3][7]

AMT is designed into a secondary (service) processor located on the motherboard,[8] and uses TLS-secured communication and strong encryption to provide additional security.[2] AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology.[2] AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH) standards and AMT Release 5.1 and later releases are an implementation of DASH version 1.0/1.1 standards for out-of-band management.[9] AMT provides similar functionality to IPMI, although AMT is designed for client computing systems as compared with the typically server-based IPMI.

Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family.[1][10][11]

Features

Intel AMT includes hardware-based remote management, security, power-management, and remote-configuration features.[1][12] These features allow an IT technician to access an AMT featured PC remotely.[7]

Intel AMT is security and management technology that is built into PCs with Intel vPro technology.[1][6] PCs with Intel vPro include many other "platform" (general PC features) technologies and features.

Intel AMT relies on a hardware-based out-of-band (OOB) communication channel[1] that operates below the OS level, the channel is independent of the state of the OS (present, missing, corrupted, down). The communication channel is also independent of the PC's power state, the presence of a management agent, and the state of many hardware components (such as hard disk drives and memory).

Most AMT features are available OOB, regardless of PC power state.[1] Other features require the PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering).[1] Intel AMT has remote power-up capability.

Hardware-based features can be combined with scripting to automate maintenance and service.[1]

Hardware-based AMT features on laptop and desktop PCs include:

Laptops with AMT also include wireless technologies:

History

Main article: Intel AMT versions

Software updates provide upgrades to the next minor version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.[2]

Applications

Almost all AMT features are available even if PC power is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed.[1][2] The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.[1][2]

Intel AMT supports these management tasks:

From major version 6, Intel AMT embeds a proprietary VNC server, so you can connect out-of-band using dedicated VNC-compatible viewer technology, and have full KVM (Keyboard, Video, Mouse) capability throughout the power cycle - including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).

Provisioning and integration

AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-touch" provisioning), manual provisioning[1] and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT.[14]

The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.)[7] Remote deployment, until recently, was only possible within a corporate network.[17] Remote deployment lets a sys-admin deploy PCs without "touching" the systems physically.[1] It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console.[18] As delivery and deployment models evolve, AMT can now be deployed over the Internet, using both "Zero-Touch" and Host-Based methods.[19]

PCs can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. Your setup and configuration process will vary, depending on the OEM build.[14]

AMT includes a Privacy Icon application, called IMSS,[20] that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.

AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology.[1][18][21][22]

AMT can be partially unprovisioned using the Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings.[23] A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.

Once AMT is disabled, in order to enable AMT again, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:

There is a way to totally reset AMT and return in to factory defaults. This can be done in two ways:

Setup and integration of AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.

Communication

All access to the Intel AMT features is through the Intel Management Engine in the PC's hardware and firmware.[1] AMT communication depends on the state of the Management Engine, not the state of the PC's OS.

As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware.[1] Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.

Intel AMT supports wired and wireless networks.[1][10][15][24] For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when notebooks are awake and working properly.

AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall.[1][25] In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication.[1][26] The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.

Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls.

An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company's management servers.[1]

Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.[1]

Design

Hardware

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional[27] part in all current Intel chipsets.[28] According to an independent analysis by Igor Skochinsky, it is based on an ARC core, and the Management Engine runs the ThreadX RTOS from Express Logic. According to this analysis, versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x use the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor can also execute signed Java applets. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS).[29]

The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).[30][31] The ME also communicates with the host via PCI interface.[29] Under Linux, communication between the host and the ME is done via /dev/mei.[28]

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[32] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).[33][34]

Software

Firmware modules:

Security

Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.

Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.[1][2]

Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.[1][2][36]

Networking

Because in-band remote management does not usually occur over a secured network communication channel, businesses have typically had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.[1]

Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.[1]

All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:

Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in.[1][2] The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.

Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.

Support for different security postures depends on the AMT release:

Technology

AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management.[1][2][36] AMT security technologies and methodologies include:

As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.

Known vulnerabilities and exploits

A Ring -3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset as Intel implemented additional protections.[39] The exploit worked by remapping the normally protected memory region (top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "-3" designation was chosen because the ME coprocessor works even when the system is in the S3 state, thus it was considered a layer below the System Management Mode rootkits.[32]) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin.[40][41]

Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB (small business) provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from Go Daddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.[42]

See also

References

  1. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 "Intel Centrino 2 with vPro Technology and Intel Core2 Processor with vPro Technology" (PDF). Intel. 2008. Archived from the original (PDF) on 2011-03-20. Retrieved 2008-08-07.
  2. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 "Architecture Guide: Intel Active Management Technology". Intel. 2008-06-26. Retrieved 2008-08-12.
  3. 1 2 "Remote Pc Management with Intel's vPro". Tom's Hardware Guide. Retrieved 2007-11-21.
  4. "Intel vPro Chipset Lures MSPs, System Builders". ChannelWeb. Retrieved August 2007.
  5. "Intel Mostly Launches Centrino 2 Notebook Platform". ChannelWeb. Retrieved July 2008.
  6. 1 2 "A new dawn for remote management? A first glimpse at Intel's vPro platform". ars technica. Retrieved 2007-11-07.
  7. 1 2 3 4 "Revisiting vPro for Corporate Purchases". Gartner. Retrieved 2008-08-07.
  8. "Answers to Frequently Asked Questions about libreboot". libreboot.org. Retrieved 2015-09-25.
  9. "Intel AMT implementation and reference guide".
  10. 1 2 3 4 "Intel Centrino 2 with vPro Technology" (PDF). Intel. Retrieved 2008-07-15.
  11. https://msp.intel.com/find-a-vpro-system
  12. "Intel vPro Technology". Intel. Retrieved 2008-07-14.
  13. 1 2 3 4 5 6 7 "Intel Active Management Technology System Defense and Agent Presence Overview" (PDF). Intel. February 2007. Retrieved 2008-08-16.
  14. 1 2 3 "Intel Centrino 2 with vPro Technology". Intel. Retrieved 2008-06-30.
  15. 1 2 3 "New Intel-Based Laptops Advance All Facets of Notebook PCs". Intel. Archived from the original on 2008-07-17. Retrieved 2008-07-15.
  16. 1 2 "Understanding Intel AMT over wired vs. wireless (video)". Intel. Archived from the original on March 26, 2008. Retrieved 2008-08-14.
  17. Product and Performance Information
  18. 1 2 "Part 3: Post Deployment of Intel vPro in an Altiris Environment: Enabling and Configuring Delayed Provisioning". Intel (forum). Retrieved 2008-09-12.
  19. Active Management Cloud Overview
  20. http://software.intel.com/en-us/blogs/2009/07/17/intel-management-and-security-status-imss-advanced-configurations-part-9/
  21. "Intel vPro Provisioning" (PDF). HP (Hewlett Packard). Retrieved 2008-06-02.
  22. "vPro Setup and Configuration for the dc7700 Business PC with Intel vPro Technology" (PDF). HP (Hewlett Packard). Retrieved 2008-06-02.
  23. "Part 4: Post Deployment of Intel vPro in an Altiris Environment Intel: Partial UnProvDefault". Intel (forum). Retrieved 2008-09-12.
  24. "Technical Considerations for Intel AMT in a Wireless Environment". Intel. 2007-09-27. Retrieved 2008-08-16.
  25. "Intel Active Management Technology Setup and Configuration Service, Version 5.0" (PDF). Intel. Retrieved 2008-08-04.
  26. "Intel AMT - Fast Call for Help". Intel. 2008-08-15. Retrieved 2008-08-17.(Intel developer's blog)
  27. Joanna Rutkowska, Intel x86 considered harmful, 2015, http://blog.invisiblethings.org/2015/10/27/x86_harmful.html
  28. 1 2 MEI in the Linux kernel
  29. 1 2 Igor Skochinsky (Hex-Rays) Rootkit in your laptop, Ruxcon Breakpoint 2012
  30. "Intel Ethernet Controller I210 Datasheet" (PDF). Intel. 2013. pp. 1, 15, 52, 621776. Retrieved 2013-11-09.
  31. "Intel Ethernet Controller X540 Product Brief" (PDF). Intel. 2012. Retrieved 2014-02-26.
  32. 1 2 http://invisiblethingslab.com/resources/misc09/Quest%20To%20The%20Core%20%28public%29.pdf
  33. http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/celeron-mobile-p4000-u3000-datasheet.pdf, p. 10
  34. http://users.nik.uni-obuda.hu/sima/letoltes/magyar/SZA2011_osz/nappali/Platforms-3_E_2011_12_14.ppt
  35. "Intel Quiet System Technology 2.0: Programmer's Reference Manual" (PDF). Intel. February 2010. Retrieved 2014-08-25.
  36. 1 2 "New Intel vPro Processor Technology Fortifies Security for Business PCs (news release)". Intel. 2007-08-27. Archived from the original on 2007-09-12. Retrieved 2007-08-07.
  37. "Intel Software Network, engineer / developers forum". Intel. Retrieved 2008-08-09.
  38. "Cisco Security Solutions with Intel Centrino Pro and Intel vPro Processor Technology" (PDF). Intel. 2007.
  39. http://invisiblethingslab.com/press/itl-press-2009-03.pdf
  40. http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf
  41. http://stewin.org/slides/44con_2013-dedicated_hw_malware-stewin_bystrov.pdf
  42. http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf

External links

This article is issued from Wikipedia - version of the Wednesday, January 20, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.