Intel® vPro Processor Technology Intel® AMT Keyboard, Video & Mouse Remote Control Application Engineer Software and Services Group, 2009
2 Intel Confidential 2 Legal Disclaimer Information in this document is provided in connection with Intel products. No license, express or implied, by personnel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. Products referenced herein may be incomplete or contain errors known as errata which may cause the products to deviate from published specifications. Current characterized errata are available upon request. Intel® Active Management Technology requires the computer have an Intel® AMT-enabled Intel chipset, network hardware and software, connection with a power source, and a network connection. Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations. Intel Virtualization Technology-enabled BIOS and VMM applications are currently in development. Copyright (c) Intel Corporation * Other names and brands may be claimed as the property of others.
3 Expanding Redirection Capabilities
Current Support (Intel® AMT Release 5.x and earlier): IDE Redirection; Serial Redirection
Intel® AMT Release 6: IDE & Serial Redirection; Keyboard, Video & Mouse (KVM) Remote Control
4 Example Use-Cases
Use cases: OS Blue-screen; OS Unresponsive; Boot Process; Corrupt Network Driver
[Figure: management console window with a Computer / State list (Comp A: Unhealthy; Comp B: OS unresponsive; Comp C: Rebooting; Comp D: OS Healthy) and the prompt "Select a machine to manage", next to the remote screen of Comp A showing "Dsfsd.sys failed at mem location 0x1234hfhs Memory dump: 3409afed"]
5 Advantages of KVM Remote Control
Works in many situations: OS malfunctions (hung, degraded response); BIOS level; OS boot; OS installation; OS repair (safe mode, system restore); Virtual environments; Corrupt network driver or filtered network traffic
Robust, hardware based solution
Reduced hardware cost (compared to 3rd party hardware solutions)
6 Terminology
Term: Definition
KVM Server: The KVM service running on the managed client. A KVM Server runs in the Intel® vPro management engine.
KVM Client: The ISV console connecting to the KVM Server.
sprite: A graphic overlay that is drawn directly to the monitor by the integrated hardware. Similar to volume / channel indication on television.
[Figure: Intel® vPro System (KVM Server) displaying a sprite graphic that reads "KVM Session Request Passcode:", connected to the Remote Console (KVM Client)]
7 Example Deployment Flow
Prior to KVM Remote Control use, several steps with some notable options are required. This occurs in conjunction with Intel® vPro Setup & Configuration.
System Received & Installed: Physically deployed; Intel® vPro Drivers / Services Installed
Optional MEBx Settings (manual): KVM Disable; User Consent Disable (enable remote switch)
Intel® vPro Setup Configuration (remote): Set RFB Password; Enable / disable user consent (requires MEBx setting); Enable / disable port 5900; Enable redirection listener
Optional User Settings: Consent Opt-Out (MEBx); Session Notifications (IMSS)
8 Example KVM Remote Control Session
Console Initiates Session: Intel® AMT Authentication; Optional TLS Session Established; OR VNC* Authentication; User Consent Code Validation
Session Established: Session User Notification (IMSS Icon; Sprite)
Session Terminated: Console terminates or… User terminates (IMSS or Physical Disconnect)
[Figure: Intel® vPro System and Remote Console exchanging the steps KVM Connect, Passcode, Session Terminated]
9 Example User Consent Flow
Flow: User calls help-desk; Help-desk connects to Intel® AMT; ME generates consent code; Consent code displayed locally in sprite; User reads consent code to help-desk; Help-desk enters consent code; KVM Remote Control session begins
By default, the user must consent to each KVM Remote Control session.
This may be disabled by: OEM; During USB initiated setup; User opts out through MEBx
Optionally enabled / disabled remotely if allowed in MEBx
10 Wireless Connectivity
Flow: Host Wireless Driver Managing All Traffic; Intel® AMT Session Established; KVM Remote Control Session Begins; ME Transitions to Operational State: Controls Wireless Connection; ME Maintains Control of Wireless Connection During KVM Remote Control Session and Power Control; KVM Remote Control Session Ends; ME Transitions to Pipe State: Host Manages Wireless Connection (if available)
Management traffic passes through the host wireless driver when operational. (Pipe mode)
The management engine (ME) manages wireless connectivity when the host driver is absent. (Operational mode)
Intel® AMT implements link sensitive behavior during some use-cases to avoid connectivity interruptions.
Starting with Intel® AMT 6.0, you can control the link preference to fit your use-case through AMT_EthernetPortSettings.SetLinkPreference
12 TLS Enhanced Intel® AMT Connection
[Diagram labels, in slide order: Console GUI; ISV Console or… Integrated VNC* Viewer; C API; Viewer Library; RFB API; RFB; SDK Proxy Library; Digest Authentication or… Kerberos; TLS; RFB; Intel® vPro Platform; Intel® AMT ports 16994/16995]
13 Protocols
RealVNC* Remote Frame Buffer (RFB) Protocol (RFB 3.8), http://www.realvnc.com/docs/rfbproto.pdf: Supporting versions 3.8 and 4.x; Uses port 5900 (default); Adds RFB password for port 5900 (VNC Authentication)
KVM Remote Control Protocol: Implemented as proxy; Uses ports 16994/16995; Listens on port 5900 (default); Extends RFB capabilities (Digest & Kerberos authentication; TLS Encryption)
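As an added example (not part of the original presentation or of Intel's SDK), the following parser reads the server side of an RFB 3.7/3.8 handshake, as defined in the public RFB specification, and reports which security types a port-5900 listener offers. The sample bytes and the function names `parse_server_hello` and `review` are constructed for illustration.

```python
import re
import struct

# Security-type numbers defined by the public RFB 3.8 specification.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication"}

# Constructed server-to-client bytes: version banner, then one security type (2).
SAMPLE_HELLO = b"RFB 003.008\n" + bytes([1, 2])

def parse_server_hello(stream: bytes) -> dict:
    """Parse the server side of an RFB 3.7/3.8 handshake: the 12-byte
    ProtocolVersion message followed by the security-types message."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", stream[:12])
    if not m:
        raise ValueError("not an RFB ProtocolVersion banner")
    version = (int(m.group(1)), int(m.group(2)))
    hello = {"version": "%d.%d" % version, "security_types": [], "refused": None}
    body = stream[12:]
    if not body or version not in ((3, 7), (3, 8)):
        return hello                  # banner only, or a layout not handled here
    count = body[0]
    if count == 0:
        # Zero types: the server refused and sends a length-prefixed reason.
        if len(body) < 5:
            raise ValueError("truncated refusal message")
        (length,) = struct.unpack(">I", body[1:5])
        reason = body[5:5 + length]
        if len(reason) != length:
            raise ValueError("truncated refusal reason")
        hello["refused"] = reason.decode("latin-1")
        return hello
    types = body[1:1 + count]
    if len(types) != count:
        raise ValueError("truncated security-type list")
    hello["security_types"] = [SECURITY_TYPES.get(t, "type %d" % t) for t in types]
    return hello

def review(hello: dict) -> list:
    """Findings a console administrator would want for a port-5900 listener."""
    notes = []
    if "None" in hello["security_types"]:
        notes.append("listener offers a session with no authentication")
    if "VNC Authentication" in hello["security_types"]:
        notes.append("listener accepts the RFB password (VNC Authentication)")
    return notes

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_HELLO), review(parse_server_hello(SAMPLE_HELLO)))
```

A listener that reports VNC Authentication here is the RFB-password path on port 5900; the Digest, Kerberos and TLS options listed on the slide belong to the proxy path on ports 16994/16995.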
14 Protocol & Viewer Options
Protocol Options
Remote Frame Buffer 3.8: Open source
Remote Frame Buffer 4.x: Improved performance; No GPL code; Enhanced error reporting; Licensed separately by RealVNC*
Viewer Compatibility (KVM Server columns: 3rd Party; RealVNC*; Intel® vPro. Viewer rows follow, with their marks as extracted)
RealVNC 3.8: XX
RealVNC 4.x (Intel® SDK): X
RealVNC 4.x: XX
3rd Party: X
Compatibility depends on 3rd party implementation.
15 SDK Components
RealVNC* Viewer Library: Customized for use with Intel® vPro Technology; Binary only; RFB 4.x; C interface; Integrated viewer; Licensed separately by RealVNC
KVM Proxy Library / Sample: Source provided; Listens for viewer; Proxies RFB through Intel® AMT Redirection Protocol; SOCKS proxy
Viewer Sample: Demonstrates custom viewer and proxy use
Documentation
16 Configuration (partial list)
MEBx (local configuration screens): Disable / enable KVM Remote Control (just like legacy redirection features); Disable / enable user consent requirements
Intel® AMT (network interface): Disable / enable KVM Remote Control (if enabled in MEBx); Set RFB password; Enable / disable port 5900 for legacy VNC connections; Ports 16994/16995 available for Intel® AMT redirection connections; Disable / enable user consent (if allowed by MEBx); User consent timeouts and session timeouts
Intel® Management & Security Status: Select sprite language; Notification options; Hot-key disconnect
17 Architecture Considerations
[Figure: three console architectures, with labels in slide order]
Integrated (SDK Sample): Console (Console GUI; VNC Library; Intel® AMT Redirection Proxy); TLS
Distributed (Example #1): Console (Console GUI; VNC Library); Central Server (Intel® AMT Redirection Proxy); TLS
Distributed (Example #2): TLS; RFB; Central Server; Console (Console GUI; VNC Library); Intel® AMT Redirection Proxy; TLS; TLS
18 Discrete Graphics Considerations
KVM Session Supported: Integrated Graphics Enabled / Selected; Switchable Graphics: Boot Process; Switchable Graphics: Integrated Selected by OS
KVM Session Closed: No Integrated Graphics / Discrete Only; Integrated Graphics Disabled; Switchable Graphics: Discrete Selected by OS
KVM Requires Active, Integrated Graphics
19 Summary
Keyboard, Video & Mouse (KVM) Remote Control Added in AT6 For New Use-Cases
Basic Protocol is RealVNC* Remote Frame Buffer (RFB) 3.8 or 4.x
Intel® KVM Remote Control Proxy Gives Greater Security
21 BACKUP
22 Remote KVM Protocols
[Diagram labels, in slide order: APF; TLS; RFB; VNC* Library; Intel® Redirection Proxy; Intel® Remote Connectivity Gateway; Intel® vPro Platform]
23 Access Monitor – KVM Related Events
KVM session start
KVM session end
KVM enable
KVM disable
RFB password failed X times
KVM user consent options changed
RFB password changed
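As an added example (not from the presentation), the sketch below correlates the Access Monitor events listed above: it flags any KVM session start that follows a password failure or a KVM settings change on the same machine. The event names are the slide's; the record layout, host names, timestamps and the 30-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Event names as listed on the slide; everything else here is constructed.
PRECURSORS = {
    "RFB password failed X times",
    "RFB password changed",
    "KVM user consent options changed",
    "KVM enable",
}
WINDOW = timedelta(minutes=30)  # assumed correlation window

SAMPLE_EVENTS = [  # constructed sample: (timestamp, host, event name)
    ("2009-06-01T09:00:00", "pc-017", "KVM session start"),
    ("2009-06-01T09:20:00", "pc-017", "KVM session end"),
    ("2009-06-01T13:02:00", "pc-042", "RFB password failed X times"),
    ("2009-06-01T13:05:00", "pc-042", "KVM user consent options changed"),
    ("2009-06-01T13:06:00", "pc-042", "KVM session start"),
    ("2009-06-01T18:00:00", "pc-042", "KVM session start"),
]

def suspicious_sessions(events, window=WINDOW):
    """Return (host, start_time, [precursor events]) for each session start
    that follows a password failure or settings change on the same host."""
    recent = {}   # host -> list of (time, event name) precursors seen so far
    alerts = []
    for stamp, host, name in sorted(events):
        when = datetime.fromisoformat(stamp)
        if name in PRECURSORS:
            recent.setdefault(host, []).append((when, name))
        elif name == "KVM session start":
            hits = [n for t, n in recent.get(host, []) if when - t <= window]
            if hits:
                alerts.append((host, stamp, hits))
    return alerts

if __name__ == "__main__":
    for alert in suspicious_sessions(SAMPLE_EVENTS):
        print(alert)
```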
24 Intel® Management and Security Status (IMSS) Enhancements
Display the enabled/disabled status of the KVM feature
Indicate if there is an active KVM session
Notify the user that a KVM session is starting
Provide an option to stop the KVM session
Select language for sprite messages
25 User Consent Switches
Remote user consent control through API: IPS_KVMRedirectionSettingData -> OptInPolicy
Must be allowed by firmware setting
OEM sets the default
OEM settings may be overridden by MEBx
[Flow diagram labels, in slide order: OEM Setting: Allow Remote User Consent Control; MEBx Setting: Allow Remote User Consent Control; AMT Admin: User Consent Setting; User Consent; KVM Session; No; Yes; Not Required; Required; Yes; No; Default Settings]
26 KVM BIOS/FW Settings Matrix
Columns: KVM Enabled (Y/N); User Consent (On/Off); Remote Config of User Consent (On/Off); Manual Touch for IT (Yes/No)
Rows (cells as extracted):
Yes; On; No
Yes; Off; On; No
Yes; On; Off; Yes
Off; Yes
No; On or Off; Yes
Legend: Recommended OEM Settings; Good for IT, no touch; Bad for IT, requires touch