Intel Active Management Technology for Embedded Systems
Intel Embedded and Communications Group
Legal Disclaimers

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS.

Intel may make changes to specifications and product descriptions at any time, without notice. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice. Intel processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance.

Intel, Intel Core, vpro and the Intel logo are trademarks of Intel Corporation in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Copyright 2009 Intel Corporation.
Agenda

Part 1: Introduction
- What is Intel Active Management Technology (Intel AMT)?
- Usage Models for Intel AMT: Industrial, Retail, Gaming, Military/Aerospace/Government, Medical, Telecommunication
- Intel AMT Roadmap

Part 2: Architecture
- Hardware, Firmware, Software Overview
- Software Development Kit (SDK)
- Developer Tool Kit (DTK)

Part 3: Implementation
- Key Ingredients
- Provisioning
- Setup and Configuration

Summary
Part 1: Introduction
What is Intel Active Management Technology (Intel AMT)?

Hardware-based solution that enables:
- Software and hardware inventory capabilities
- Remote asset management
- Out-of-Band (OOB) system management
- Functions independent of the system's power state
- Hardware-based security features, including system defense network isolation
- Power management features
- Remote diagnosis and repair
- Third-party non-volatile storage

Remotely discover, heal and protect networked embedded systems
Intel AMT Usage Model: Industrial

Problem:
- Real-time asset tracking (hardware and software) is expensive and time consuming
- Devices are varied and built on different platforms: factory robots, Human Machine Interface (HMI) systems, test and measurement systems, industrial PCs, automation and control systems

Intel AMT Solution:
- OOB management enables remote asset tracking irrespective of system power state
- Third-party non-volatile memory stores information that can be accessed offline
- Independent of platform and operating system
- The iamt Scan tool identifies Intel AMT capable systems and is available at the Intel vpro Expert Center
Hardware and Software Inventory
Accurately track assets regardless of power state
(Diagram: factory robots, HMI, industrial PCs and test systems connected over the network to a management console)

1. Management console polls embedded systems for hardware ID and software version information
2. Systems report asset details:
   HARDWARE: hard drive (make, model); memory (size, speed); CPU (type, GHz)
   SOFTWARE: virus software (version); management software (version); OS (version)

Perform faster audits and optimize maintenance and licensing configurations
Intel AMT Usage Model: Retail

Problem: Software/OS failure at a point of sale (POS) terminal

Intel AMT Solution:
- Software tools for remote diagnosis and repair
- OOB remote management in case of a system OS crash
- Proactive alerting reduces system downtime by speeding diagnostics
- Serial over LAN (SOL) capabilities can be used to redirect text and keyboard information
- IDE-redirection helps in booting a remote system using a CD in the local CD-ROM on the management console
Remote Diagnostics and Repair
(Diagram: ATMs, kiosks and POS terminals connected over the network to a management console)

1. System is unable to boot
2. System sends an alert
3. System is remotely rebooted from a standard image on the management server
4. Console diagnoses the problem and repairs it (remote software update, local hardware install)

Reduce downtime and technician time
Estimated Cost Savings* with Intel AMT

Retail scenario: 20,000 kiosks
- Assume 50% of kiosks need rebooting at least once each year
- Estimate $100 per truck roll to reboot a kiosk

If the kiosks are equipped with Intel AMT:
- Reboot remotely, irrespective of power state or OS status
- Save $100 per truck roll
- 10,000 reboots = $1 million savings/year*

Intel AMT reduces TCO

*This is a hypothetical scenario and an estimated value and is not based on actual data. Actual results may vary depending on scenarios.
Intel AMT Usage Scenario: Gaming

Problem: Hardware failure at one of the gaming terminals

Intel AMT Solution:
- Event monitor sends an alert and enables remote troubleshooting
- Remote OOB access as long as the hardware is connected to a power supply and LAN
- Obtain hardware inventory data stored in non-volatile memory
- Diagnose the problem to prepare for on-site repairs
- Fix the hardware in one trip
Remote Hardware Troubleshooting and Local Repair
(Diagram: slot, poker and lottery machines connected over the network to a management console)

1. Failed hardware event received at the management console; engineer alerted
2. Remote diagnosis performed by analyzing event logs and boot history
3. Hardware asset/inventory enables remote identification of the failed component(s) and provides make/model info for replacement
4. Technician and hardware dispatched; platform repaired

Reduce on-site visits and system downtime with remote diagnosis and hardware info acquisition
Intel AMT Usage Scenario: Military, Aerospace and Government

Problem: Secure management; 24x7 protection of resources

Intel AMT Solution:
- System defense feature confirms the presence of critical security agents and isolates infected systems
- Event logging describes system behavior
- OS-independent feature makes the system immune to OS configuration issues
- End-point access control (EAC) feature provides compliance with various network security protocols
- Tamper-resistant agents
Block Harmful Viruses and Isolate Affected Devices
Proactive security threat block, hardware-based isolation and recovery
(Diagram: COTS products, embedded PCs and security devices connected over the network to a management console)

1. System defense capability scans incoming traffic for known viruses and worms
2. When a virus is found, the system defense capability alerts and isolates the infected system from the network or limits its transmission rate
3. System sends an alert
4. Management system recognizes when security agents or management features were disabled and alerts staff
5. Management system installs updates and patches

No user intervention required to prevent the spread of viruses and worms across the network
Intel AMT Usage Scenario: Medical

Problem:
- Power management needed for systems when not in use: MRI, X-ray, ultrasound, diagnostic medical clinical assistants, therapy systems
- Systems must be kept up to date

Intel AMT Solution:
- Mobile power management policies balance power and performance to ACPI specs
- Power state monitoring of clients; a graph of results helps identify the most active periods
- Alarm clock enables scheduled client wake-up from any sleep state (or from OFF); network connection not required
- Local agents can perform scheduled tasks including software updates; information stored in non-volatile memory
Increased Energy Efficiency
Save energy costs with power management policy software and Intel AMT
(Diagram: MRI, X-ray, portable ultrasound, testing, diagnostic and medical clinical assistant systems running an enterprise energy management agent, connected over the network to a management console)

1. IT console sets energy management policy with the agent
2. System powered down when inactive, based on policy
3. System can be reliably activated for maintenance via the secure management channel
4. Energy management agent protected via agent presence monitor

Improve productivity and compliance by scheduling tasks for off hours
Intel AMT Usage Scenario: Telecommunication

Problem: A virus-infected carrier board may infect other boards in the network

Intel AMT Solution:
- Intel AMT continuously checks for the presence of the management agent and policy-based security agents on remote devices and takes the necessary steps in case of a missing agent
- System defense feature can be used to block packet traffic through a network security policy
- Audit logs and agent monitor allow for easy interaction of the network security policy, heuristics filters and system defense features of Intel AMT
Agent Presence Checking
Keeps the agent operating correctly
(Diagram: carrier boards and telecommunication devices, each with a management agent and a security agent checking in with Intel AMT, connected over the network to a management console)

1. Management or security agent is continuously checking in with Intel AMT (Agent present? YES)
2. Management agent fails to check in (Agent present? NO)
3. Remote device alerts that the management agent is missing or non-functioning
4. Management console repairs the non-working management agent

Detect and contain viruses sooner to limit exposure of other systems
Intel AMT Base Features

Asset Management:
- Remote Inventory (Hardware/Software)
- 3rd party Data Storage
- Access Log (Event Management)

System Defense:
- Network Outbreak Containment
- Base Heuristics
- Agent Presence

OOB Features:
- BIOS POST Code
- BIOS Update
- IDE-Redirection (IDE-R)
- Serial Over LAN (SOL)
- Legacy Sensors
- Remote Boot Option
- Remote Configuration
Intel AMT Security Features

- Transport layer security for secure communications across the OOB interface
- Certificate authority issues digital certificates for each device before provisioning
- HTTP digest authentication for remote access
- Single point of administration in enterprise mode
- System defense to isolate from the network, yet allow management console connectivity
- Pseudo-random number generator in firmware to generate session keys
- Firmware and drivers digitally signed by Intel
- Access-controlled non-volatile data store and functionality
Intel AMT Roadmap

Intel AMT 4.0 (Low Power Platform): Low Power Intel Embedded Platform for 2008
- Access Monitor
- Intel Trusted Platform Module (TPM)
- Fast Call for Help (Wired)
- DASH 1.0
- EAC extensions for Microsoft* NAP* and Cisco* NAC

Intel AMT 5.0 (Scalable Platform): Scalable Platform based on Intel Core 2 Duo Processor with Intel vpro Technology
- Access Monitor
- Intel TPM
- Fast Call for Help (Wired)
- DASH 1.0
- EAC extensions for NAP and NAC
- Intel Remote PC Assist Technology

*Other names and brands may be claimed as the property of others.
Part 2: Architecture
OOB Architectural Overview

(Diagram) Management Console <-> Local Area Network (LAN) <-> Ethernet NIC on the embedded system
- Host side: Application Software, Operating System, Processor, Chipset
- Intel AMT ingredients: Non-Volatile Memory, Dedicated Power Rails (Always ON), OOB Communication and Control
Intel AMT 4.0 Hardware Architecture

(Diagram) Intel Core 2 Duo Processor, FSB, Intel 4 Series Express Chipset (LVDS, CRT, TV-Out), x4 DMI and C-Link 0 to ICH9 with the ME subsystem, LAN (PCI Express* x1/GLCI, LAN Connect (LCI)) to the Gigabit Ethernet LAN PHY, SPI to SPI Flash NVM

- The ME controller built into the chipset is the Intel Management Engine (ME), responsible for performing all Intel AMT operations
- The I/O Controller (South Bridge) is enabled with the ME subsystem and provides power to various power wells when the rest of the power wells are shut down during sleep states
- Intel AMT enables OOB connectivity of the LAN Controller and SPI through dedicated power rails (Always ON)
- NVM in FLASH

For more information refer to the Platform Design Guide
*Other names and brands may be claimed as the property of others.
Intel AMT Firmware Overview

SPI FLASH regions: BIOS/MEBx, ME FW, GbE EEPROM, Platform Data, Descriptors

- Intel AMT FLASH memory is shared by the Host, ME and LAN
- Intel Management Engine BIOS extension (MEBx), as implemented by an OEM platform provider, enables Intel AMT
- Intel ME Firmware enables Intel AMT
- LAN Firmware (GbE EEPROM) provides Intel AMT network connectivity
- Minimum size ~32 Mb Flash
- Platform Data: 3rd Party Data Store support
- Descriptor has information on the space allocated for each region on the flash image, read-write permissions for each region, and vendor-specific data
- Dedicated power rail to the FLASH device for OOB operation
Intel AMT Software and Drivers

Client SW/Drivers: ISV Agent App, System Status Service, UNS, LMS, SOL, Intel ME Interface Driver
Server SW: ISV Console App, Console Foundations

- ISV Agent Applications: Console, Agent UI
- System Status Service monitors Intel AMT status
- User Notification Service (UNS) listens to special events happening on the system as a direct result of Intel AMT execution and logs them in the Event Viewer of Microsoft Windows*
- Local Management Service (LMS) runs in the host OS to provide a standard interface for network communication
- SOL driver: SOL communication
- Intel ME Interface driver: software interface from the Host OS to the ME

Intel AMT Firmware Release kit available at Intel Download Center
*Other names and brands may be claimed as the property of others.
Intel AMT Software Development Kit (SDK)

- Enables developers to build manageability applications that take full advantage of Intel AMT and its features
- Includes a full set of documentation, sample code and APIs needed for implementing Intel AMT
- Supports C++ and C# on Microsoft* Windows* and Linux* operating systems
- Delivered as a set of directories that can be copied to a location of the developer's choice on the development system

Download the Intel AMT SDK FREE at Intel Software Network
*Other names and brands may be claimed as the property of others.
Intel AMT SDK Example: Redirection Library

- Intel AMT software supports SOL (text/keyboard) and IDER (floppy/CD) redirection
- Intel AMT SDK provides a C interface for integration into third-party management consoles
- Intel AMT SDK for redirection includes:
  - Redirection library: a C dynamic library (for Windows*) and C static library (for Linux*) that provide support for SOL, IDE etc.
  - Management console sample code for Windows and Linux to demonstrate the redirection capability
  - Header files that define the library API to external applications

*Other names and brands may be claimed as the property of others.
Intel AMT Software Development Kit Example: Redirection Library (Continued)

1. Integrate the SOL and IDER functionality into the third-party management console using the C dynamic library in the SDK, linking it to the software and platform
2. Use the sample code or the Windows* sample application to test the redirection capability

(Screenshots: 1. Intel SDK Redirection Sample Console; 2. Add the remote client)
*Other names and brands may be claimed as the property of others.
Intel AMT Software Development Kit Example: Redirection Library (Continued)

3. Provide information on the security certificate to ensure a secure session (example provided with the SDK)
4. The client dialogue allows three groups of controls: TCP parameters, IDER and SOL
Intel AMT Developer Tool Kit (DTK)

- Provides tools to assist with the training and development process when implementing Intel AMT in embedded systems
- Installed on the server system that will run the management console
- Tools include, but are not limited to: Intel AMT Commander, Intel AMT Outpost, Intel AMT Director, Intel AMT Network Defense Tool, Intel Net Status, Intel Net Traffic, Console Tool, Agent Tool, Setup & Configuration Tool, Network Monitor, Network Check Tool, Traffic Generation Tool

Download the DTK and quickly build high quality Intel AMT applications
Intel AMT Commander

Manageability Commander Tool:
- Hardware Asset
- Network Policies
- Watchdog Timers
- Third-party Storage
- Events/Alerts
- SOL/IDER
- Remote Management
Intel AMT Director

Manageability Director Tool:
- Certificate Management
- One-Touch Setup
- Remote Configuration
- TLS Security Setup
- USB Flash Support
Intel AMT Outpost

Manageability Outpost Tool:
- General Information
- Watchdogs
- Serial Agent
- TLS Security
Intel AMT Web Interface

http://ipaddress:16992
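The deck gives only the URL form of the web interface; for asset inventory work it helps to be able to tell which hosts actually expose it. The following is an added example (not code from the deck or from Intel) that probes the AMT web port and classifies the response. The `Server: Intel(R) Active Management Technology x.y.z` header and the HTTP Digest challenge it keys on are assumptions about what the firmware returns, and the sample response is constructed.

```python
# Added example (not Intel's code): identify hosts exposing the Intel AMT web
# interface on TCP 16992 (HTTP) or 16993 (HTTPS) for an asset inventory.
# Assumption: the AMT web server identifies itself with a "Server:" header of the
# form "Intel(R) Active Management Technology <version>" and answers "/" with an
# HTTP Digest challenge (the deck lists HTTP digest auth as the access method).
import http.client
import re
import socket
import ssl
from typing import Dict, Optional

AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993

_SERVER_RE = re.compile(
    r"Intel\(R\) Active Management Technology\s*([\d.]+)?", re.IGNORECASE)


def parse_amt_headers(status: int, headers: Dict[str, str]) -> Optional[dict]:
    """Classify one HTTP response. Returns a summary dict when the headers look
    like an AMT web interface, or None otherwise. Header names are matched
    case-insensitively because servers vary in capitalisation."""
    lower = {k.lower(): v for k, v in headers.items()}
    m = _SERVER_RE.search(lower.get("server", ""))
    if not m:
        return None
    auth = lower.get("www-authenticate", "")
    realm_match = re.search(r'realm="([^"]*)"', auth)
    return {
        "status": status,
        "version": m.group(1) or "unknown",
        "digest_auth": auth.lower().startswith("digest"),
        "digest_realm": realm_match.group(1) if realm_match else None,
    }


def probe_amt(host: str, port: int = AMT_HTTP_PORT,
              timeout: float = 3.0) -> Optional[dict]:
    """Issue a single GET / against the candidate AMT port and classify it.
    On 16993 TLS is used without certificate verification: this is a
    fingerprinting probe, not a management session, so no credentials are sent."""
    try:
        if port == AMT_HTTPS_PORT:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                               context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        result = parse_amt_headers(resp.status, dict(resp.getheaders()))
        conn.close()
        return result
    except (OSError, socket.timeout, http.client.HTTPException):
        return None  # closed port, timeout or non-HTTP service


# Constructed sample response (not captured from a real device) so the parser
# can be exercised offline.
SAMPLE_AMT_RESPONSE = (401, {
    "Server": "Intel(R) Active Management Technology 4.0.3",
    "WWW-Authenticate": 'Digest realm="Digest:0123456789ABCDEF", '
                        'nonce="constructed", stale="false", qop="auth"',
    "Content-Type": "text/html",
})

if __name__ == "__main__":
    print(parse_amt_headers(*SAMPLE_AMT_RESPONSE))
```

Run `probe_amt()` against the hosts in an inventory to confirm which embedded systems have the OOB interface reachable; unexpected hits are worth reviewing against the provisioning records.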
Part 3: Implementation
Intel AMT 4.0 Implementation: Low Power Platform Requirements

Hardware:
- Processor: Intel Core 2 Duo Processor P8400, T9400 (PGA); Intel Core 2 Duo Processor P8400, SL9380, SL9400, SU9300, SP9300, T9400 (BGA)
- Chipset: Mobile Intel GM45 Express Chipset with Intel 82801IEM I/O Controller; Mobile Intel GS45 Express Chipset with Intel 82801IUX-SFF I/O Controller
- LAN Controller: Intel 82567LM Gigabit Ethernet PHY

Firmware:
- Intel AMT Firmware Kit (also includes Intel AMT drivers and BIOS extensions): Intel Download Center

Software:
- Operating Systems, Management Server: Windows* XP Pro 32/64-bit, Windows 2003 Server 32/64-bit, Windows Vista* 32/64-bit, SUSE Linux Enterprise Server 10 SP2 32/64-bit
- Operating Systems, Local AMT: Windows XP Pro 32/64-bit, Windows Vista* 32/64-bit
- Intel AMT Setup and Configuration Server (SCS) Kit: Provision Server
- Intel AMT SDK: Development System
- Management Software (for Server): Manageability DTK; Partner ISV using SDK (LANDesk*, BMC* Software, Computer Associates*, Symantec*, etc.)

*Other names and brands may be claimed as the property of others.
Intel AMT 5.0 Implementation: Scalable Platform Requirements

Hardware:
- Processor: Intel Core 2 Quad Processor Q9400; Intel Core 2 Duo Processor E7400 & E4300; Intel Core 2 Duo Processor E8400 & E6400
- Chipset: Intel Q45 Express Chipset with Intel 82801JO I/O Controller
- LAN Controller: Intel 82567LM Gigabit Ethernet PHY

Firmware:
- Intel AMT Firmware Kit (also includes Intel AMT drivers): Intel Download Center

Software:
- Operating Systems, Management Server: Windows* XP Pro 32/64-bit, Windows 2003 Server 32/64-bit, Windows Vista* 32/64-bit, SUSE* Linux* Enterprise Server 10 SP2 32/64-bit
- Operating Systems, Local AMT: Windows XP Pro 32/64-bit, Windows Vista* 32/64-bit
- Intel AMT Setup and Configuration Server (SCS) Kit: Provision Server
- Intel AMT SDK: Development System
- Management Software (for Server): Manageability DTK; Partner ISV using SDK (LANDesk*, BMC* Software, Computer Associates*, Symantec*, etc.)

*Other names and brands may be claimed as the property of others.
Intel AMT Setup and Configuration: Provisioning

Definition: The process of enabling an Intel Active Management Technology (Intel AMT) device is called Provisioning

Provisioning Approaches:
- Manual installation and configuration
- One-touch configuration using USB
- Zero-touch configuration (remote provisioning)

Maintenance Actions and Routines:
- Re-Provisioning
- Un-Provisioning
Intel AMT Manual Installation and Configuration

Hardware Ready (Factory Default Configuration):
- Intel AMT enabled Processor, Chipset, LAN Controller
- Intel FLASH Storage

Firmware Ready (Setup):
- Update BIOS with the Intel AMT BIOS extension provided with the Intel AMT Firmware Kit (BIOS vendors: AMI*, Phoenix*, Insyde* etc.)
- Update FLASH with Intel AMT Management Engine (ME) Firmware and LAN Firmware

Software Ready (Configuration: Remote Management Console and In-Band Functions):
- Install Operating System (supported OS: Microsoft* Windows* XP, Windows 2003 etc.)
- Install Intel AMT Drivers provided with the Intel AMT Firmware Kit
- Independent Software Vendors can use the Intel AMT Software Development Kit and Development Tool Kit (DTK) to develop their own management console and incorporate their management features (ISVs: LANDesk*, BMC Software*, Computer Associates*, Symantec* etc.)

For more information download the OEM Bring Up Guide available with the Intel AMT Firmware Release kit
*Other names and brands may be claimed as the property of others.
Intel AMT SCS Enterprise Solution

SCS provides all the tools and performs the necessary steps to set up and configure a large number of Intel AMT enabled devices remotely and automatically

Workflow (Provision Server (SCS) <-> Intel AMT embedded devices):
1. Install SCS and load the SCS server with initial data and the tools required for provisioning
2. Intel AMT devices send a hello message to SCS
3. Secure communication is established through TLS
4. SCS generates and sends: Public Key Infrastructure certificate; Access Control Lists; Setup parameters defined in the device profile specific to the platform

For complete documentation and SDK, download the Intel AMT SCS kit available at Intel Software Network
SCS Components

- Main Service: Windows* service that processes Setup and Configuration requests from Intel AMT devices
- SOAP API: API used by the SCS console to interact with the main service
- Database Server: Secure repository to store setup and configuration data, installed as a database instance in Microsoft* SQL Server

For more information refer to the installation guide available with the Intel AMT SCS kit
One-Touch Configuration using USB Key
(Diagram: SQL DB, Provision Server, DNS/DHCP, Management Console and Intel AMT embedded devices)

1. Keys generated and data stored to USB
2. One-touch provisioning
3. Client boots and requests the provision server
4. Client sends Hello packet
5. Server assigns profile and provisions client

One-touch configuration automates the process of securely setting up and configuring embedded devices
Zero-Touch Configuration via Network
(Diagram: SQL DB, Provision Server, DNS/DHCP, Management Console; Intel AMT client embedded devices pre-programmed with at least one active root certificate hash)

1. Client sends hello packet to SCS
2. SCS server sends the trusted root certificate matching the hash received with the hello message
3. Client validates the SCS certificate
4. Client verifies that the domain suffix matches the DNS suffix and establishes communication
5. Server assigns profile and provisions client

Remote configuration eliminates the need for IT personnel to manually install security keys to enable setup
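Steps 1 to 4 of the zero-touch flow are the part that decides whether a provisioning server is trusted at all, so it is worth seeing the checks and their failure modes written out. The following is an added model of that client-side logic (not Intel's firmware code and not from the deck): certificates are stood in for by constructed byte strings and a list of DNS names, the hash algorithm (SHA-256 over the DER root) and the DHCP DNS-suffix matching rule are assumptions, and `chain_ok` stands in for the signature verification the TLS stack would perform.

```python
# Added example (not Intel's code): model of the zero-touch provisioning checks
# a client performs before trusting an SCS. Assumptions: root fingerprints are
# SHA-256 over DER; the SCS cert's DNS name must equal, or be a subdomain of,
# the DNS suffix the client learned from DHCP; signature verification of the
# SCS leaf against the presented root is represented by the chain_ok flag.
import hashlib
from typing import Dict, List, NamedTuple, Optional


class CertInfo(NamedTuple):
    """Simplified certificate: opaque DER bytes plus the DNS names it asserts."""
    der: bytes
    dns_names: List[str]


def root_hash(der: bytes) -> str:
    """Fingerprint of a root certificate as stored in the client's active list."""
    return hashlib.sha256(der).hexdigest().upper()


def build_hello(active_root_hashes: List[str]) -> Dict:
    """Step 1: the hello message announces the client's active root hashes."""
    return {"msg": "hello", "root_hashes": list(active_root_hashes)}


def scs_select_root(hello: Dict, scs_roots: List[bytes]) -> Optional[bytes]:
    """Step 2: SCS answers with the trusted root whose hash the client announced."""
    wanted = set(hello["root_hashes"])
    for der in scs_roots:
        if root_hash(der) in wanted:
            return der
    return None  # SCS holds no root the client would accept


def suffix_matches(fqdn: str, dns_suffix: str) -> bool:
    """Step 4: SCS certificate domain must match the client's DHCP DNS suffix."""
    f, s = fqdn.lower().rstrip("."), dns_suffix.lower().rstrip(".")
    return bool(s) and (f == s or f.endswith("." + s))


def client_validate(presented_root: Optional[bytes], active_root_hashes: List[str],
                    leaf: CertInfo, chain_ok: bool, dhcp_dns_suffix: str) -> str:
    """Steps 3-4 from the client's side. Returns "ok" or the refusal reason."""
    if presented_root is None:
        return "refused: SCS presented no root certificate"
    if root_hash(presented_root) not in active_root_hashes:
        return "refused: root hash not in client's pre-programmed list"
    if not chain_ok:
        return "refused: SCS certificate does not chain to the presented root"
    if not any(suffix_matches(n, dhcp_dns_suffix) for n in leaf.dns_names):
        return "refused: certificate domain does not match DNS suffix " + dhcp_dns_suffix
    return "ok"


# Constructed sample data (not real certificates): DER is just opaque bytes here.
CORP_ROOT_DER = b"\x30\x82constructed-corp-root-der"
OTHER_ROOT_DER = b"\x30\x82constructed-other-root-der"
CLIENT_ACTIVE_HASHES = [root_hash(CORP_ROOT_DER)]  # what the OEM pre-programmed
SCS_LEAF = CertInfo(der=b"\x30\x82constructed-scs-leaf",
                    dns_names=["scs.corp.example"])


def run_zero_touch(dhcp_dns_suffix: str, scs_roots: List[bytes],
                   chain_ok: bool = True) -> str:
    """One provisioning attempt: hello, root selection, client validation."""
    hello = build_hello(CLIENT_ACTIVE_HASHES)
    root = scs_select_root(hello, scs_roots)
    return client_validate(root, CLIENT_ACTIVE_HASHES, SCS_LEAF, chain_ok,
                           dhcp_dns_suffix)


if __name__ == "__main__":
    print(run_zero_touch("corp.example", [CORP_ROOT_DER]))   # ok
    print(run_zero_touch("corp.example", [OTHER_ROOT_DER]))  # refused
```

The two refusal paths worth watching operationally are a server presenting a root the client was never pre-programmed with, and a certificate whose domain does not match the suffix handed out by DHCP; both mean the device will stay unprovisioned rather than trust the wrong server.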
Summary

Intel Active Management Technology enables embedded equipment OEMs to provide their customers with:
- Decreased downtime
- Increased security
- State-of-the-art remote management
- Out-of-Band management
- Long life support
- Rich ecosystem of hardware and software vendors

Improve platform manageability and reduce TCO with Intel Active Management Technology
For more information, visit the following links:
- Intel Active Management Technology for Embedded and Communication Applications
- Manageability Technology for Embedded and Communications Applications
- Intel Product Technologies for Embedded and Communications Applications
- Intel Software Network Manageability
- Intel vpro Expert Center for blogs on Intel AMT by developers and manageability forums

Videos:
- Intel Active Management Technology Remote Platform Management
- Intel Active Management Technology One Touch Setup using Intel AMT Director Management Console
- Intel Active Management Technology Developer Tool Kit Video Pack
Intel Active Management Technology Downloads

- Intel Active Management Technology (Intel AMT) Software Development Kit (SDK): contains the building blocks and documentation material needed to develop software that interacts with Intel AMT systems
  http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/
- Intel AMT Developer Tool Kit (DTK): provides a full set of documentation, sample code in C# and APIs needed for implementing Intel AMT
  http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/
- Intel AMT Setup and Configuration Service (SCS): includes tools and documentation to set up and configure Intel AMT devices remotely and automatically
  http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configurationservice-scs/
- Intel AMT Reference Design Kit: includes a set of open source building blocks similar to the Intel AMT DTK; however, it provides a solution written in Java on Linux* and is based on older versions of Intel AMT. This kit is no longer being updated or maintained
  http://software.intel.com/en-us/articles/intel-active-management-technology-reference-design-kit/
- Intel AMT Open Source Drivers and Tools: the Openamt project is an open-source project providing drivers and tools to support Intel AMT on Linux and other operating systems
  http://www.openamt.org/
- Intel AMT Add-on for Microsoft* SMS 2003: includes a plug-in utility to extend the functionality of Microsoft SMS 2003
  http://software.intel.com/en-us/articles/intel-client-manageability-add-on-for-microsoft-sms-2003/
- Intel AMT WS-Management Translator for Intel vpro Technology: makes it possible for WS-Management based software to be used in conjunction with Intel AMT platforms older than version 3.0
  http://software.intel.com/en-us/articles/intel-ws-management-translator/

For the full list of available downloads on Intel AMT: http://software.intel.com/en-us/articles/manageability/download/1/
Glossary of Terms

- EAC: Endpoint Access Control feature allows IT administrators to implement differentiated policy enforcement and configuration based on the security state of the end point.
- ACPI: Advanced Configuration and Power Interface specification: a standard for universal device configuration and power management by Operating Systems.
- SHA: Secure Hash Algorithm: SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency.
- TLS: Transport Layer Security provides end point authentication and data encryption for communication over the internet.
- PKI: Public Key Certificate, also termed Identity Certificate, used to associate a digital signature to a public key with an identity so the owner of the digital signature can be identified.
- SOAP: Simple Object Access Protocol.
- OOB: Out Of Band management enables management irrespective of the operating status or power state of a device as long as the device is connected to a power supply and Local Area Network (LAN).
- IDE/IDER: Integrated Device Electronics is a parallel interface standard for connection to computer storage devices such as hard disks, solid state devices, and CD-ROM. Integrated Device Electronics Redirection is a feature in Intel Active Management Technology (Intel AMT) that enables redirection of information from an IDE device on a server to a remote Intel AMT managed system.
- NAC: Network Access Control is a networking solution that uses a set of protocols to implement a policy to screen devices that initially attempt to access a node or computer on a network.
- NAP: Network Access Protocol is a networking solution by Microsoft* to control access to network resources based on a client's identity and compliance with corporate governance policy.