Volume 12, Issue 04

Intel® vPro™ Technology


Intel Technology Journal - Featuring Intel's recent research and development

ISSN 1535-864X DOI 10.1535/itj.1204.01

  • Volume 12
  • Issue 04
  • Published December 23, 2008

  Section 3 of 10  

Extreme Programming with Intel® vPro™ Technology: Pushing the Limits with Innovative Software

Extreme Use of Serial-over-LAN

Serial-over-LAN is a virtual communication port that carries data through the network to the administration console, generally at 115 Kb/sec. Intel® Active Management Technology (Intel® AMT) presents this virtual serial port (that is, a COM: port) to the BIOS and OS, but instead of being connected to a real 9-pin connector, the data are sent over the network to an authorized management console. The intended use of Serial-over-LAN was to allow BIOS vendors to perform text screen redirection in which the BIOS screen could be accessed remotely on a maintenance console. Microsoft Windows* also detects this new serial port, and the appropriate drivers are available from computer manufacturers. Serial-over-LAN is an effective means of communicating with the management console while bypassing the OS network stack. In other words, when data are sent down to the virtual serial port, the Intel AMT network stack sends the data to the management console by way of a Transmission Control Protocol (TCP) connection of its own. Therefore, even if the operating system's network stack is completely disabled, the communication can still take place.



Figure 1: Intel® AMT out-of-band serial port communication (Source: Intel Corporation)

As Figure 1 shows, a user can connect a management console to Intel AMT and use a serial application, such as PuTTY, on the local computer with Intel AMT. The user types in one screen and the characters are displayed in another screen. Since any binary data can be transported OOB by using Serial-over-LAN, we can build serial agents that are capable of displaying a command prompt to the management console and receiving management commands. When the computer is booted into the OS, the management console can communicate with the serial agent, and commands such as start, stop, and list processes can be performed.

Serial-over-LAN also enables binary data to be sent and received simultaneously with the VT100 display and command prompt. A new escape code is used to perform this transaction: this code does not conflict with existing VT100 codes.

A binary request can also be made for the list of processes or device drivers, and a machine-readable response is displayed in a graphical window.
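The article does not give the escape code or the frame layout, so the following is an added example (not DTK code) of how a console can separate binary frames from VT100 text arriving on one Serial-over-LAN stream. The introducer `ESC 0x02`, the 2-byte big-endian length prefix, the `MAX_FRAME` limit and the names `SolDemux` and `demux_all` are assumptions made for illustration.

```python
import struct

ESC_BIN = b"\x1b\x02"   # hypothetical introducer, not the DTK's real escape code
MAX_FRAME = 4096        # assumed cap on one binary payload


class SolDemux:
    """Split a Serial-over-LAN byte stream into VT100 text and binary frames."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        """Consume one read; return (text, frames) completed so far."""
        self._buf += chunk
        text, frames = bytearray(), []
        while self._buf:
            i = self._buf.find(ESC_BIN)
            if i < 0:
                # Hold back a trailing ESC: it may be the first byte of an
                # introducer that was split across two reads.
                keep = 1 if self._buf.endswith(b"\x1b") else 0
                cut = len(self._buf) - keep
                text += self._buf[:cut]
                self._buf = self._buf[cut:]
                break
            text += self._buf[:i]          # ordinary VT100 output passes through
            self._buf = self._buf[i:]
            if len(self._buf) < 4:
                break                      # length field not complete yet
            (n,) = struct.unpack(">H", self._buf[2:4])
            if n > MAX_FRAME:
                # The length comes from the peer: bound it before buffering.
                raise ValueError("binary frame exceeds MAX_FRAME")
            if len(self._buf) < 4 + n:
                break                      # payload not complete yet
            frames.append(self._buf[4:4 + n])
            self._buf = self._buf[4 + n:]  # payload is never scanned for ESC
        return bytes(text), frames


def demux_all(chunks):
    """Run every chunk through one demultiplexer and join the results."""
    d, text, frames = SolDemux(), b"", []
    for c in chunks:
        t, f = d.feed(c)
        text, frames = text + t, frames + f
    return text, frames
```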

In early 2007, the Developer Tool Kit (DTK) included routing of TCP traffic over the Serial-over-LAN connection, making it possible to perform any TCP connection from the management console to a computer with Intel AMT, even when the network stack on the computer with Intel AMT was completely disabled. An administrator can initiate a remote control session by using Virtual Network Computing (VNC) on a computer with all network drivers disabled. Once the remote control session is open, the administrator can open a command prompt and type IPCONFIG to confirm that no network adapter is enabled. It is also possible to re-enable the driver of the internal Ethernet adapter by using the remote control session that is connected and running on the very same network adapter.



Figure 2: TCP on Serial-over-LAN (Source: Intel Corporation)

As shown in Figure 2, the administrator may connect to management agents running on remote computers, even if the network adapter is disabled or if something else is disrupting the OS network stack. For example, firewall or anti-virus software might not be functioning correctly. Although Serial-over-LAN allows for bypassing the OS network stack, the computer is still protected because administrators must authenticate their identities, and because of the privacy mechanisms provided by Intel AMT. A Serial-over-LAN connection can be established only by an authorized administrator.
