7 Replies Latest reply on May 4, 2015 3:58 AM by dariusz.wittek@intel.com

    Problems with Root Certificate USB Provisioning

    excelsi

      I have problems provisioning a 3rd party root certificate to an Intel AMT 6 machine.

      The Setup.bin file I can create without problems with the USBFile tool from Intel SCS SDK 10, like here:

      Creating a USB key for PKI provisioning

       

      That's the output when I view the file:

      But after I copied the Setup.bin file to a USB stick (FAT formatted, right?) and tried to boot from it, nothing happens.

      This USB key provisioning utility mentioned in the thread isn't available anymore, but I also tried this USB Key Provision Tool from Intel SCS Console.

       

      Can you help me? Thanks

        • 1. Re: Problems with Root Certificate USB Provisioning
          dariusz.wittek@intel.com

          Hi,

          The content of the setup.bin binary file is imported directly by the Intel MEBx FW module (it is within the BIOS).

          The PC doesn't have to boot / shall NOT boot from it, so do not make it a bootable USB nor force USB boot in BIOS.

          Some OEM BIOSes require USB Provisioning (or setup) to be enabled in BIOS setup; some others require the USB boot device to be on the BIOS boot list (to enable USB port & device initialization in the BIOS, pre-OS stage).

          Once this is done, put your USB with the setup.bin file into a USB port, reboot the PC and wait for MEBx to recognize it (during POST) and display the user confirmation question ("Found USB Key for Provisioning ... Continue Y/N ?").

          Then press Y on the keyboard (the keyboard layout in MEBx is always the US one!!)

          Bear in mind that you have to create the USB setup.bin file with the current MEBx password in it (in the command line you referred to); for the factory default state of AMT it is "admin".

          If you configured AMT previously (or changed the MEBx password manually) you will have to know this password or perform a Full AMT reset to factory defaults (via BIOS or disconnecting the CMOS RTC battery for 30 sec).

           

          rgds

          darek

          • 2. Re: Problems with Root Certificate USB Provisioning
            excelsi

            Hi Dariusz,

             

            Thanks for this information.

            I checked all the points you mentioned, but I am stuck at this problem.

            Maybe somebody with Dell hardware can help me at this point in BIOS.

            I don't find any option that prevents the system from detecting that Setup.bin file at boot time?

             

            Thanks

            Michael

            • 3. Re: Problems with Root Certificate USB Provisioning
              excelsi

              I looked at this guide here:

              Usb Drive Key Requirements; Amt Webgui - Dell OptiPlex 745 Administrator's Manual [Page 14]

              How can I ensure that the sector size on the USB key is 1 KB?

              When I select this allocation unit size at volume creation:

              Then I get:

              Maybe I'm wrong...

              • 4. Re: Problems with Root Certificate USB Provisioning
                dariusz.wittek@intel.com

                Michael,

                Once you provided the PC HW model, things became clearer.

                Dell Optiplex 745 is Intel AMT 2.x based.

                To use Remote Configuration for Intel AMT you have to make sure the Intel AMT FW is version 2.2 (or update it to this version) - this also applies to Remote Configuration using factory default PKI cert hashes.
                For Dell systems the Intel AMT FW usually comes bundled with the BIOS update package, so please make sure to update the system to the latest BIOS version.

                The USB setup.bin file may be in 4 different file versions, depending on the Intel AMT FW generation, to support new Intel AMT features and their settings.

                The setup file version is forward compatible (if Intel AMT FW supports the particular setting), or, if you look from the other end, Intel AMT FW and Intel MEBx FW are setup file version backward compatible.

                You have used the latest USBFile.exe version 4, which by default creates Setup File version 3 (see your screenshot), which is supported only by Intel AMT 6.x or newer (even if it contains settings that are supported by earlier FW versions).

                For Intel AMT 2.x (2.5/2.6 as well) you need to create Version 1 of the Setup File: simply add -v 1 to your USBFile.exe command and it will create Version 1 of the file.

                This Setup File can be used to import your own PKI root certificate hash into any Intel AMT FW version, so you will achieve a single consistent process.

                 

                rgds

                darek

                • 5. Re: Problems with Root Certificate USB Provisioning
                  excelsi

                  Hi Dariusz,

                  Sorry, I missed this information in my last post:

                  I don't have the Dell Optiplex 745.

                  I have the Optiplex 980 with AMT Version 6 and I used the v3 Setup File (see my first post).

                   

                  Michael

                  • 6. Re: Problems with Root Certificate USB Provisioning
                    excelsi

                    Hi Dariusz,

                     

                    Now I know what was wrong in my configuration:

                    I renamed Setup.bin to setup.bin, then everything was working :-)

                     

                    Thanks for your help

                    Michael

                    • 7. Re: Problems with Root Certificate USB Provisioning
                      dariusz.wittek@intel.com

                      Michael,

                       

                      Sorry, it was my oversight.

                      I have seen that you referred to the Dell Optiplex 745 Administrator's Manual - that suggested your HW to be Optiplex 745.

                      Did you know that if you update your Dell system BIOS to the latest one, which shall also include Intel® ME FW 6.2, your system will also support Host Based Configuration to Client Control Mode?

                      Client Control Mode will require a User Consent (random) Code that is displayed on the manager system screen to be passed by the end user (over phone) to the IT technician to grant access for KVM redirection.

                      As you are touching your system(s) with USB, you can create a bit different setup.bin file using the following command:

                      USBfile.exe -create setup.bin admin NewMEBxP@ssw0rd -conf 1 -passPolicyFlag 2 -userConsentOption 1 -userConsentPolicy 1 -v 3 -redir 7 -kvm 1 -scramble

                      It will perform USB Local Configuration to Admin Control Mode (where the User Consent Code is optional and can be disabled by the AMT admin, same as the Remote Configuration process with root certificate you do currently), and then you may follow up with Host Based Configuration using an extra parameter for the ACUConfig.exe tool: /AdminPassword NewMEBxP@ssw0rd

                      This two-stage configuration will configure the rest of the desired AMT parameters, also for LAN-less systems or LAN-less environments.

                       

                      rgds

                      darek