Setting up and configuring Intel AMT in HP Business Notebooks, Desktops, and Workstations - Technical white paper
•  Using a USB drive key – A USB drive key can be used for zero-touch provisioning. With this method, password, PID, and 
PPS information is loaded to the MEBx on system boot using a specially formatted setup.bin file. After this information 
has been loaded, the Intel AMT system starts requesting provisioning. For more information, refer to 
“Using a USB drive key for provisioning.” 
Using the TLS-PSK method 
TLS-PSK provisioning requires the Intel AMT system to possess a pre-shared key (PSK) in order to support authentication 
with the SCS. While the distribution of pre-shared keys adds complexity and cost, this method provides strong security. 
To support PSK provisioning, Intel AMT and the SCS share a Provisioning ID (PID)/Provisioning Passphrase (PPS) set, which 
forms the PSK. Security can be further enhanced by allocating a unique PID/PPS set to each Intel AMT system. 
Note  
Without dashes, PIDs have eight characters, while PPSs have 32 characters. Since there are dashes between every set of 
four characters, PIDs have a total of 9 characters, while PPSs have a total of 40 characters.   
As soon as a PID/PPS set has been delivered to the ME – either manually via the MEBx or using a USB Key – the Intel AMT 
system starts looking for an SCS. The Intel AMT system continues to look for an SCS every time it is powered up until 
provisioning has occurred. 
The provisioning process is as follows: 
1.  Assuming an agent has been pushed to the Intel AMT system, the system automatically looks for an SCS as soon as 
power is applied. 
2.  If an SCS is found, the Intel AMT system sends it a “hello” message. 
DHCP and DNS must be available for the SCS search to automatically succeed. If DHCP and DNS are not available, then 
you must manually enter the IP address of the SCS into the Intel AMT system’s MEBx. 
The “hello” message contains the following information: 
–  PID 
–  UUID (Universally Unique Identifier) 
–  IP address 
–  ROM and FW version numbers 
The “hello” message is transparent to the user; there is no feedback mechanism to tell you that messages are being broadcast. 
Note  
The initial “hello” message is unencrypted; however, all subsequent communications between the Intel AMT system and the SCS 
can be encrypted with TLS.   
3.  The SCS uses the information in the “hello” message to initiate a TLS connection (if supported) to the Intel AMT system 
using TLS-PSK. 
Note  
TLS is optional. However, if the infrastructure is available, you should use TLS for secure, encrypted transactions. 
If TLS is not available, less secure HTTP Digest is used for mutual authentication.   
The SCS looks up the appropriate PPS in its database⁷ and uses the PPS and PID to generate the premaster secret. 
⁷ Based on the PID 
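The lookup in step 3, sketched as an added example that is not HP or Intel code: the server side keys its database on the PID from the unencrypted “hello”, rejects unknown or malformed PIDs, and builds the premaster secret using the plain-PSK layout from RFC 4279. Assumptions: the hello is modelled as a dict (its wire format is not shown here), the character alphabet is uppercase alphanumeric, and the dash-stripped ASCII PPS serves as the PSK.

```python
import re
import struct

# Grouping described in the note above: blocks of four characters joined by dashes.
# The uppercase alphanumeric alphabet is an assumption; the page does not state it.
PID_RE = re.compile(r"[0-9A-Z]{4}-[0-9A-Z]{4}")
PPS_RE = re.compile(r"[0-9A-Z]{4}(?:-[0-9A-Z]{4}){7}")

# Constructed sample database: one unique PID/PPS set per Intel AMT system.
PSK_DB = {
    "4444-5555": "AAAA-BBBB-CCCC-DDDD-EEEE-FFFF-0000-1111",
    "6666-7777": "2222-3333-4444-5555-6666-7777-8888-9999",
}


def psk_for_hello(hello, db):
    """Return the PSK bytes for the system that sent `hello`, keyed on its PID."""
    pid = hello.get("pid", "")
    if not PID_RE.fullmatch(pid):
        raise ValueError("malformed PID in hello message")
    pps = db.get(pid)
    if pps is None:
        # Unknown PID: the system was never enrolled, so there is no key to use.
        raise KeyError("no PPS on record for this PID")
    if not PPS_RE.fullmatch(pps):
        raise ValueError("malformed PPS in database")
    # Assumption: the dash-stripped PPS, ASCII-encoded, is the PSK.
    return pps.replace("-", "").encode("ascii")


def premaster_secret(psk):
    """RFC 4279 section 2, plain PSK: uint16 N, N zero octets, uint16 N, the PSK."""
    n = struct.pack(">H", len(psk))
    return n + bytes(len(psk)) + n + psk


if __name__ == "__main__":
    # Constructed hello fields; only the PID is used for the lookup.
    hello = {"pid": "4444-5555", "uuid": "00000000-0000-0000-0000-000000000001",
             "ip": "192.0.2.10", "fw": "0.0.0"}
    pms = premaster_secret(psk_for_hello(hello, PSK_DB))
    print(len(pms), pms.hex())
```

Only the PID travels in the clear; the PPS stays in the database, so a hello carrying an unenrolled PID fails before any key material is touched.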