How to remotely access Intel AMT KVM from Linux desktop


I have enabled Intel AMT/ME in my Xeon server grade CPU hosted in remote data center building for OOB purpose. I do not want to use Windows 10 Pro edition. Is it possible to access Intel AMT/ME KVM session from Linux? How do I remotely access Intel AMT KVM from Linux desktop and do out of band management of my server?

Introduction: You can remotely control an Intel vPro based system that includes AMT from Linux. Intel Active Management Technology (AMT) is a combination of hardware, software and firmware technology for remote out-of-band management of servers, desktops, and laptop computers. AMT is built into modern CPUs such as i7, i5, Xeon (look for vPro) and is based on Intel ME. This page shows how to remotely access Intel AMT KVM from a Linux desktop when you have a vPro enabled system from Intel. DASH is an acronym for Desktop and Mobile Architecture for System Hardware, a set of DMTF specifications for standardizing the management and security of desktop and mobile client systems independent of the machine state, operating system, and hardware vendor. DASH takes full advantage of WS-Management. As DASH has evolved, Intel AMT has moved towards increasing support for DASH standards. Intel AMT Release 5.1 and later releases comply with DASH 1.0.

How to install wsmancli/wsman on Linux to access KVM

Starting with Intel AMT version 3.2, all Intel AMT features are supported with WS-Management (Web Services Management protocol). The DASH specification is supported by both Intel vPro and AMD Pro CPUs. Openwsman is an open source implementation of WS-Management. To interact with a wsman server, install the wsmancli client as described below.

Debian/Ubuntu Linux install wsmancli

Use the following apt command/apt-get command to install wsmancli:
$ sudo apt install wsmancli

RHEL/CentOS Linux install wsmancli

Type the following yum command to install wsmancli:
$ sudo yum install wsmancli

Fedora Linux install wsmancli

Enter the following dnf command to install wsmancli:
$ sudo dnf install wsmancli

How to configure Intel AMT/MEBx for remote access

As pointed out earlier, only vPro CPUs such as i7, i5 and Xeon support Intel AMT. Intel does not support AMT on all processors but does include Intel ME in every CPU made since 2008. Boot your system and enter the BIOS settings. For demo purposes I am going to use a ThinkPad x230 laptop with Intel vPro. To enable hardware KVM and Intel AMT, find the option that reads as follows in your BIOS and enable it:
Thinkpad-x230 Enabling Intel AMT
You must save the settings in the BIOS and restart the computer. Press CTRL+p to configure the Intel Management Engine and AMT hardware KVM by logging in to MEBx:
Enter Intel Management Engine BIOS Extension (MEBx) to configure Intel AMT KVM
You must log in to MEBx. If AMT has never been set up on your server or desktop, use admin as password:
Login to MEBx using default admin password

Setting up an IP address

  1. Enter “AMT Configuration”
  2. Set “Manageability feature Selection” to Enabled
  3. Press Enter to select “Network Setup” and choose TCP/IP Settings

Intel Standard Manageability Configuration
Finally choose Wired LAN IPv4 Configurations. Set “DHCP Mode” to “Disabled” and set all IPv4 settings as per your network:
Intel AMT IPv4 address BIOS settings in MEBx
You are all set. Press the “ESC” key to get back to the main menu. Enter “MEBx Exit” and wait until the system reboots. I suggest that you unplug your system for 1 minute and then plug it back in.

How to access Intel AMT web interface

Once your system is turned on, go back to your Linux desktop. Fire up a web browser and type the following URL:
http://192.168.2.88:16992
Type “admin” as the username and the password set previously:
Intel AMT Web GUI login with admin user

Remotely access Intel AMT KVM from Linux desktop

Create a Linux shell script as follows:

#!/bin/bash
# Name: kvm.sh
# Purpose : Control remote server/laptop/desktop using KVM and VNC client
# Author: nixCraft {https://www.cyberciti.biz/} under GPL v3.x
# ----------------------------------------------------------------------
xIP='192.168.2.88'
xPASSWORD='PasswordHere'    # AMT admin password
xVNC_PWD='In9t8el@' # random but must be 8 characters long
xVNC_PORT='5900'
# Set the VNC (RFB) password for the KVM session
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "${xIP}" -P 16992 -u admin -p "${xPASSWORD}" -k "RFBPassword=${xVNC_PWD}"
# Enable the standard VNC port 5900
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "${xIP}" -P 16992 -u admin -p "${xPASSWORD}" -k Is5900PortEnabled=true
# Turn off the opt-in (user consent) policy
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "${xIP}" -P 16992 -u admin -p "${xPASSWORD}" -k OptInPolicy=false
# Set the session timeout to 0
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "${xIP}" -P 16992 -u admin -p "${xPASSWORD}" -k SessionTimeout=0
# Enable the KVM redirection service (RequestedState=2)
wsman invoke -a RequestStateChange http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP -h "${xIP}" -P 16992 -u admin -p "${xPASSWORD}" -k RequestedState=2
echo "Open Linux vnc client. Use \"$xIP:$xVNC_PORT\" as host and when prompted enter \"$xVNC_PWD\" as password"

Run the script:
chmod +x kvm.sh
./kvm.sh

For remote KVM use any standard Linux VNC client

So far we have verified that the web UI works and run the Linux shell script. It is time to access the KVM console. Intel AMT KVM allows you to access the desktop remotely, install the operating system, change BIOS settings, turn the system on/off and much more. Open a Linux VNC client:
Connect to vPro Machine using Linux vnc client
Type the password as set in $xVNC_PWD and you should be able to log in to the remote desktop using Intel AMT. You can reboot the device, access the BIOS, unlock a disk, turn off the PC, turn it on from the web interface, fix the OS disk or networking, install a new OS and so on.
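
As an added example (not part of the original kvm.sh or nixCraft's code), the following script reads the KVM settings back with wsman get, flags the three values kvm.sh changed, and closes port 5900 and disables KVM once the session is over. The WSMAN, AMT_HOST and AMT_PASSWORD variables, the function names and the sample XML are assumptions made for this example, and SessionTimeout=0 is taken to mean that there is no idle timeout.

```bash
#!/bin/bash
# Added example, not part of kvm.sh: audit and close what kvm.sh opened.
WSMAN="${WSMAN:-wsman}"   # assumption: set WSMAN=echo for a dry run
KVM_URI='http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData'
SAP_URI='http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP'
# Constructed sample of a "wsman get" response after kvm.sh has run.
SAMPLE_XML='<g:IPS_KVMRedirectionSettingData>
  <g:Is5900PortEnabled>true</g:Is5900PortEnabled>
  <g:OptInPolicy>false</g:OptInPolicy>
  <g:SessionTimeout>0</g:SessionTimeout>
</g:IPS_KVMRedirectionSettingData>'

# Print the value of property $1 from WS-Man XML on stdin (any namespace prefix).
xml_prop() {
  sed -n "s|.*<\([A-Za-z0-9]*:\)\{0,1\}$1>\([^<]*\)</.*|\2|p" | head -n 1
}

# Print one line per risky setting in the XML given as $1; return 1 if any.
kvm_audit() {
  local xml="$1" risky=0
  if [ "$(printf '%s\n' "$xml" | xml_prop Is5900PortEnabled)" = true ]; then
    echo "RISK: VNC port 5900 is enabled (unencrypted RFB, 8-character password)"
    risky=1
  fi
  if [ "$(printf '%s\n' "$xml" | xml_prop OptInPolicy)" = false ]; then
    echo "RISK: user consent (opt-in) is not required for KVM sessions"
    risky=1
  fi
  if [ "$(printf '%s\n' "$xml" | xml_prop SessionTimeout)" = 0 ]; then
    echo "RISK: SessionTimeout=0, idle KVM sessions are not closed"
    risky=1
  fi
  return "$risky"
}

# Close port 5900 and disable the KVM service (RequestedState=3) on host $1.
# The AMT admin password comes from $AMT_PASSWORD, not from the script file.
kvm_close() {
  "$WSMAN" put "$KVM_URI" -h "$1" -P 16992 -u admin -p "$AMT_PASSWORD" \
    -k Is5900PortEnabled=false &&
  "$WSMAN" invoke -a RequestStateChange "$SAP_URI" -h "$1" -P 16992 \
    -u admin -p "$AMT_PASSWORD" -k RequestedState=3
}

# Runs only when AMT_HOST is set: audit the live settings, close if risky.
if [ -n "${AMT_HOST:-}" ]; then
  live=$("$WSMAN" get "$KVM_URI" -h "$AMT_HOST" -P 16992 -u admin -p "$AMT_PASSWORD")
  kvm_audit "$live" || kvm_close "$AMT_HOST"
fi
```

Any value passed with -p is visible to other local users in the process list while wsman runs, so run this from a single-user admin workstation.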


Here is a quick demo that shows how to remotely access Intel AMT KVM from a Linux desktop, the BIOS, power on/off and other stuff one can do with it:

(HTML5 Video 01)

Conclusion

I just used Intel AMT with vPro to remotely manage my laptop or server. Intel AMT enables a sysadmin to manage remote servers, desktops and laptops regardless of the operating system installed. Intel AMT can be disabled or unprovisioned by the sysadmin to reduce security risk. Intel ME cannot be disabled on any Intel CPUs since 2008. Some vendors such as System76 and Dell allow disabling Intel ME. Next time I will talk about MeshCommander, a web based tool for remote management of your Intel AMT computers.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.