When provisioning Intel® vPro™ processor technology systems via One Touch -- using a USB flash drive -- the following tips and information may be of interest.
The setup.bin file is used to insert key provisioning data into an Intel vPro system - thus changing the management engine's configuration state from factory default to setup mode. The records of the setup.bin file match that of the ProvisionServer. However - the question has been raised - When might a setup.bin file be too large? How should be file be handled and secured?
To help open the discussion on this, the following items should be noted:
Only FAT16 format supported and the setup.bin file MUST be first file at the root - this is to ensure compatibility across platforms, and since a RAW I/O lookup is used to access the file
Only systems with Intel® AMT in factory default mode will respond to USB provisioning. Once USB or One Touch provisioning are performed on a system – only a full BIOS reset (e.g. CMOS clear) will allow this option again.
Once the provisioning data is transferred – Intel® AMT is now in "setup" mode and the Setup.bin file is incremented to the next valid key.
In ad-hoc tests, 20,000 provisioning records used 10MB of space on the USB flash drive. Most favorable experiences occur with flash drives that are 2GB or smaller.
With a larger number of provisioning records, the One Touch process will experience a delay as the setup.bin file is parsed to find the next valid record. In ad-hoc tests, 1,000 records on the key experienced a 15 second delay, 100,000 keys experienced a 3 minute delay. Different OEM implementations may reflect different results - yet the main item to be aware of - The larger the setup.bin file the longer the process takes
With the first generation Intel vPro and Intel Centrino Pro - each record in the setup.bin file included only the PID, PPS, and new pass. With the latest generation of Intel vPro (launched Aug. 2007) - the setup.bin file can include additional attributes yet this is only supported on the Aug2007 Intel vPro release (fka Weybridge) and beyond.
Once a record is used in the setup.bin file, it is marked as such and the next record is available. If all records are used, an error will appear on the Intel vPro console when attempting to utilize an "expired" setup.bin.
When a system is provisioned\configured, the assigned provisioning data is changed.
With that base knowledge - When might a setup.bin file be too large? How should be file be handled and secured?<![CDATA[<p> ]]>
One view - keep the setup.bin file to 1,000 records or less. Within the ProvisionServer, tens of thousands of keys may be generated, yet only a few at a time need to be exported to setup.bin file. When the "one-touch" sequence is done, the technician's wait time will be minimal.
If the setup.bin file is lost or compromised - a malicious user has a file of previously used provisioning data that has subsequently been changed. However, should an unused setup.bin file be compromised and maliciously used within the managed environment - the "untrusted" systems are authenticated into a trusted network\environment... and are now owned\managed by the environment owner and can be quickly isolated if needed (e.g. System Defense).
Other views\thoughts out there?
Thank you for this post. Finally I have found decision to use setup.bin for multiple systems - just create more tls-psk pairs.
USBfile -create setup.bin admin P@ssw0rd -consume 0 -rpsk -v 1 -nrec 100