Intel AMT CIRA auto-config almost done.

This commit is contained in:
Ylian Saint-Hilaire 2020-10-18 21:06:39 -07:00
parent d3ba1349c2
commit 51ae65b5dc
5 changed files with 254 additions and 26 deletions

Binary file not shown.

Binary file not shown.

View File

@ -279,7 +279,7 @@ function AmtStackCreateService(wsmanStack) {
obj.AMT_RedirectionService_RequestStateChange = function (RequestedState, callback_func) { obj.Exec("AMT_RedirectionService", "RequestStateChange", { "RequestedState": RequestedState }, callback_func); }
obj.AMT_RedirectionService_TerminateSession = function (SessionType, callback_func) { obj.Exec("AMT_RedirectionService", "TerminateSession", { "SessionType": SessionType }, callback_func); }
obj.AMT_RemoteAccessService_AddMpServer = function (AccessInfo, InfoFormat, Port, AuthMethod, Certificate, Username, Password, CN, callback_func) { obj.Exec("AMT_RemoteAccessService", "AddMpServer", { "AccessInfo": AccessInfo, "InfoFormat": InfoFormat, "Port": Port, "AuthMethod": AuthMethod, "Certificate": Certificate, "Username": Username, "Password": Password, "CN": CN }, callback_func); }
obj.AMT_RemoteAccessService_AddRemoteAccessPolicyRule = function (Trigger, TunnelLifeTime, ExtendedData, MpServer, callback_func) { obj.Exec("AMT_RemoteAccessService", "AddRemoteAccessPolicyRule", { "Trigger": Trigger, "TunnelLifeTime": TunnelLifeTime, "ExtendedData": ExtendedData, "MpServer": MpServer }, callback_func); }
obj.AMT_RemoteAccessService_AddRemoteAccessPolicyRule = function (Trigger, TunnelLifeTime, ExtendedData, MpServer, InternalMpServer, callback_func) { obj.Exec('AMT_RemoteAccessService', 'AddRemoteAccessPolicyRule', { 'Trigger': Trigger, 'TunnelLifeTime': TunnelLifeTime, 'ExtendedData': ExtendedData, 'MpServer': MpServer, 'InternalMpServer': InternalMpServer }, callback_func); }
obj.AMT_RemoteAccessService_CloseRemoteAccessConnection = function (_method_dummy, callback_func) { obj.Exec("AMT_RemoteAccessService", "CloseRemoteAccessConnection", { "_method_dummy": _method_dummy }, callback_func); }
obj.AMT_SetupAndConfigurationService_CommitChanges = function (_method_dummy, callback_func) { obj.Exec("AMT_SetupAndConfigurationService", "CommitChanges", { "_method_dummy": _method_dummy }, callback_func); }
obj.AMT_SetupAndConfigurationService_Unprovision = function (ProvisioningMode, callback_func) { obj.Exec("AMT_SetupAndConfigurationService", "Unprovision", { "ProvisioningMode": ProvisioningMode }, callback_func); }

View File

@ -113,6 +113,7 @@ module.exports.CreateAmtManager = function(parent) {
if (typeof connection == 'object') { dev.mpsConnection = connection; }
dev.consoleMsg = function deviceConsoleMsg(msg) { if (typeof deviceConsoleMsg.conn == 'object') { deviceConsoleMsg.conn.ControlMsg({ action: 'console', msg: msg }); } }
dev.consoleMsg.conn = connection;
dev.consoleMsg.dev = dev;
dev.controlMsg = function deviceControlMsg(msg) { if (typeof deviceControlMsg.conn == 'object') { deviceControlMsg.conn.ControlMsg(msg); } }
dev.controlMsg.conn = connection;
parent.debug('amt', "Start Management", nodeid, connType);
@ -188,6 +189,11 @@ module.exports.CreateAmtManager = function(parent) {
}
}
//
// Intel AMT Connection Setup
//
// Update information about a device
function fetchIntelAmtInformation(dev) {
parent.db.Get(dev.nodeid, function (err, nodes) {
@ -331,7 +337,7 @@ module.exports.CreateAmtManager = function(parent) {
if (dev.aquired == null) { dev.aquired = {}; }
dev.aquired.controlMode = responses['IPS_HostBasedSetupService'].response.CurrentControlMode; // 1 = CCM, 2 = ACM
var verSplit = stack.wsman.comm.amtVersion.split('.');
if (verSplit.length >= 3) { dev.aquired.version = verSplit[0] + '.' + verSplit[1] + '.' + verSplit[2]; dev.aquired.majorver = parseInt(verSplit[0]); }
if (verSplit.length >= 3) { dev.aquired.version = verSplit[0] + '.' + verSplit[1] + '.' + verSplit[2]; dev.aquired.majorver = parseInt(verSplit[0]); dev.aquired.minorver = parseInt(verSplit[1]); }
dev.aquired.realm = stack.wsman.comm.digestRealm;
dev.aquired.user = stack.wsman.comm.user;
dev.aquired.pass = stack.wsman.comm.pass;
@ -346,6 +352,8 @@ module.exports.CreateAmtManager = function(parent) {
attemptTlsSync(dev, function () {
// Check Intel AMT root certificate state
attemptRootCertSync(dev, function () {
// Check Intel AMT CIRA settings
attemptCiraSync(dev, function () {
// See if we need to get hardware inventory
attemptFetchHardwareInventory(dev, function () {
dev.consoleMsg('Done.');
@ -357,12 +365,13 @@ module.exports.CreateAmtManager = function(parent) {
fetchPowerState(dev);
} else {
// For LMS connections, close now.
dev.controlMsg({ action: "close" });
dev.controlMsg({ action: 'close' });
}
});
});
});
});
});
} else {
// We got a bad response
if ((dev.conntype == 1) && (dev.tlsfail !== true) && (status == 408)) {
@ -382,6 +391,11 @@ module.exports.CreateAmtManager = function(parent) {
}
}
//
// Intel AMT Database Update
//
// Change the current core information string and event it
function UpdateDevice(dev) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
@ -468,6 +482,11 @@ module.exports.CreateAmtManager = function(parent) {
});
}
//
// Intel AMT Power State
//
// Get the current power state of a device
function fetchPowerState(dev) {
if (isAmtDeviceValid(dev) == false) return;
@ -529,6 +548,11 @@ module.exports.CreateAmtManager = function(parent) {
//console.log('performPowerActionResponse', status);
}
//
// Intel AMT Clock Syncronization
//
// Attempt to sync the Intel AMT clock if needed, call func back when done.
// Care should be take not to have many pending WSMAN called when performing clock sync.
function attemptSyncClock(dev, func) {
@ -566,6 +590,11 @@ module.exports.CreateAmtManager = function(parent) {
devTaskCompleted(dev)
}
//
// Intel AMT TLS setup
//
// Check if Intel AMT TLS state is correct
function attemptTlsSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
@ -605,7 +634,7 @@ module.exports.CreateAmtManager = function(parent) {
var xxCertificates = responses['AMT_PublicKeyCertificate'].responses;
for (var i in xxCertificates) {
xxCertificates[i].TrustedRootCertficate = (xxCertificates[i]['TrustedRootCertficate'] == true);
xxCertificates[i].X509Certificate = Buffer.from(xxCertificates[i]['X509Certificate'], 'base64').toString('binary');
xxCertificates[i].X509CertificateBin = Buffer.from(xxCertificates[i]['X509Certificate'], 'base64').toString('binary');
xxCertificates[i].XIssuer = parseCertName(xxCertificates[i]['Issuer']);
xxCertificates[i].XSubject = parseCertName(xxCertificates[i]['Subject']);
}
@ -715,16 +744,21 @@ module.exports.CreateAmtManager = function(parent) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg("Failed perform commit."); removeAmtDevice(dev); return; }
dev.consoleMsg("Enabled TLS");
// TODO: Switch our communications to TLS.
// TODO: Switch our communications to TLS (Restart our management of this node)
devTaskCompleted(dev);
});
}
}
//
// Intel AMT Server Root Certificate
//
// Check if Intel AMT has the server root certificate
function attemptRootCertSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (dev.policy.ciraPolicy != 2) { func(); return; } // Server root certificate does not need to be present is CIRA is not needed
if ((dev.connType != 2) || (dev.policy.ciraPolicy != 2)) { func(); return; } // Server root certificate does not need to be present is CIRA is not needed
// Find the current TLS certificate & MeshCentral root certificate
var xxMeshCentralRoot = null;
@ -746,6 +780,193 @@ module.exports.CreateAmtManager = function(parent) {
} else { func(); }
}
//
// Intel AMT CIRA Setup
//
// Check if Intel AMT has the server root certificate
function attemptCiraSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if ((dev.connType != 2) || (dev.policy.ciraPolicy != 2)) { func(); return; } // Only setup CIRA when LMS connection is used and a CIRA policy is enabled.
// Get current CIRA settings
// TODO: We only deal with remote access starting with Intel AMT 6 and beyond
dev.taskCount = 1;
dev.taskCompleted = func;
var requests = ['*AMT_EnvironmentDetectionSettingData', 'AMT_ManagementPresenceRemoteSAP', 'AMT_RemoteAccessCredentialContext', 'AMT_RemoteAccessPolicyAppliesToMPS', 'AMT_RemoteAccessPolicyRule', '*AMT_UserInitiatedConnectionService', 'AMT_MPSUsernamePassword'];
if (dev.aquired.majorver > 11) { requests.push('*IPS_HTTPProxyService', 'IPS_HTTPProxyAccessPoint'); }
dev.amtstack.BatchEnum(null, requests, function (stack, name, responses, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
//dev.consoleMsg("Added server root certificate.");
if ((dev.aquired.majorver > 11) && (status == 400)) {
// Check if only the HTTP proxy objects failed
status = 200;
if (responses['IPS_HTTPProxyAccessPoint'].status == 400) { delete responses['IPS_HTTPProxyAccessPoint']; }
if (responses['IPS_HTTPProxyService'].status == 400) { delete responses['IPS_HTTPProxyService']; }
for (var i in responses) { if (responses[i].status != 200) { status = responses[i].status; } }
}
if ((status != 200) || (responses['AMT_UserInitiatedConnectionService'] == null) || (responses['AMT_UserInitiatedConnectionService'].response == null)) { dev.consoleMsg("Failed get CIRA state."); removeAmtDevice(dev); return; }
dev.cira = {};
dev.cira.xxRemoteAccess = responses;
dev.cira.xxEnvironementDetection = responses['AMT_EnvironmentDetectionSettingData'].response;
dev.cira.xxEnvironementDetection['DetectionStrings'] = MakeToArray(dev.cira.xxEnvironementDetection['DetectionStrings']);
dev.cira.xxCiraServers = responses['AMT_ManagementPresenceRemoteSAP'].responses;
dev.cira.xxUserInitiatedCira = responses['AMT_UserInitiatedConnectionService'].response;
dev.cira.xxRemoteAccessCredentiaLinks = responses['AMT_RemoteAccessCredentialContext'].responses;
dev.cira.xxMPSUserPass = responses['AMT_MPSUsernamePassword'].responses;
// Set CIRA initiation to BIOS & OS enabled
if (dev.cira.xxUserInitiatedCira['EnabledState'] != 32771) { // 32768: "Disabled", 32769: "BIOS enabled", 32770: "OS enable", 32771: "BIOS & OS enabled"
dev.amtstack.AMT_UserInitiatedConnectionService_RequestStateChange(32771, null, function (stack, name, responses, status) { }); // This is not a critical call.
}
// Figure out policies attached to servers. Create a policy type to server table.
dev.cira.xxPolicies = { 'User': [], 'Alert': [], 'Periodic': [] };
for (var i in responses['AMT_RemoteAccessPolicyAppliesToMPS'].responses) {
var policy = responses['AMT_RemoteAccessPolicyAppliesToMPS'].responses[i];
var server = Clone(getItem(dev.cira.xxCiraServers, 'Name', getItem(policy['ManagedElement']['ReferenceParameters']['SelectorSet']['Selector'], '@Name', 'Name')['Value']));
server.MpsType = policy['MpsType']; // MpsType was added in Intel AMT 11.6
var ptype = (getItem(policy['PolicySet']['ReferenceParameters']['SelectorSet']['Selector'], '@Name', 'PolicyRuleName')['Value']).split(' ')[0];
dev.cira.xxPolicies[ptype].push(server);
}
// Fetch the server's CIRA settings
dev.cira.mpsPresent = null;
dev.cira.mpsPolicy = false;
if (dev.policy.ciraPolicy == 2) { // DEBUG
dev.cira.meshidx = dev.meshid.split('/')[2].replace(/\@/g, 'X').replace(/\$/g, 'X').substring(0, 16);
dev.cira.mpsName = parent.webserver.certificates.AmtMpsName;
var serverNameSplit = dev.cira.mpsName.split('.');
dev.cira.mpsPort = ((parent.args.mpsaliasport != null) ? parent.args.mpsaliasport : parent.args.mpsport);
dev.cira.mpsAddressFormat = 201; // 201 = FQDN, 3 = IPv4
if ((serverNameSplit.length == 4) && (parseInt(serverNameSplit[0]) == serverNameSplit[0]) && (parseInt(serverNameSplit[1]) == serverNameSplit[1]) && (parseInt(serverNameSplit[2]) == serverNameSplit[2]) && (parseInt(serverNameSplit[3]) == serverNameSplit[3])) { dev.cira.mpsAddressFormat = 3; }
// Check if our server is already present
if (dev.cira.xxCiraServers.length > 0) {
for (var i = 0; i < dev.cira.xxCiraServers.length; i++) {
var mpsServer = dev.cira.xxCiraServers[i];
if ((mpsServer.AccessInfo == dev.cira.mpsName) && (mpsServer.Port == dev.cira.mpsPort) && (mpsServer.InfoFormat == dev.cira.mpsAddressFormat)) { dev.cira.mpsPresent = mpsServer['Name']; }
}
}
// Check if our server is already present
if (dev.cira.xxPolicies['Periodic'].length > 0) {
var mpsServer = dev.cira.xxPolicies['Periodic'][0];
if ((mpsServer.AccessInfo == dev.cira.mpsName) && (mpsServer.Port == dev.cira.mpsPort) && (mpsServer.InfoFormat == dev.cira.mpsAddressFormat)) { dev.cira.mpsPolicy = true; }
}
}
// Remove all MPS policies that are not ours
if ((dev.cira.xxPolicies['User Initiated'] != null) && (dev.cira.xxPolicies['User Initiated'].length > 0)) { dev.consoleMsg("Removing CIRA user trigger."); dev.amtstack.Delete('AMT_RemoteAccessPolicyRule', { 'PolicyRuleName': 'User Initiated' }, function (stack, name, responses, status) { }); }
if ((dev.cira.xxPolicies['Alert'] != null) && (dev.cira.xxPolicies['Alert'].length > 0)) { dev.consoleMsg("Removing CIRA alert trigger."); dev.amtstack.Delete('AMT_RemoteAccessPolicyRule', { 'PolicyRuleName': 'Alert' }, function (stack, name, responses, status) { }); }
if ((dev.cira.xxPolicies['Periodic'] != null) && (dev.cira.xxPolicies['Periodic'].length > 0) && (dev.cira.mpsPolicy == false)) { dev.consoleMsg("Removing CIRA periodic trigger."); dev.amtstack.Delete('AMT_RemoteAccessPolicyRule', { 'PolicyRuleName': 'Periodic' }, function (stack, name, responses, status) { }); }
// Remove all MPS servers that are not ours
if (dev.cira.xxCiraServers.length > 0) {
for (var i = 0; i < dev.cira.xxCiraServers.length; i++) {
var mpsServer = dev.cira.xxCiraServers[i];
if ((mpsServer.AccessInfo != dev.cira.mpsName) || (mpsServer.Port != dev.cira.mpsPort) || (mpsServer.InfoFormat != dev.cira.mpsAddressFormat)) {
dev.consoleMsg("Removing MPS server.");
dev.amtstack.Delete('AMT_ManagementPresenceRemoteSAP', { 'Name': mpsServer['Name'] }, function (stack, name, responses, status) { });
}
}
}
// If we need to setup CIRA, start by checking the MPS server
if (dev.policy.ciraPolicy == 2) { addMpsServer(dev); } else { checkEnvironmentDetection(dev); }
});
}
function addMpsServer(dev) {
// Add the MPS server if not present
if (dev.cira.mpsPresent == null) {
dev.taskCount++;
dev.amtstack.AMT_RemoteAccessService_AddMpServer(dev.cira.mpsName, dev.cira.mpsAddressFormat, dev.cira.mpsPort, 2, null, dev.cira.meshidx, 'P@ssw0rd', dev.cira.mpsName, function (stack, name, response, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg("Failed to create new MPS server."); removeAmtDevice(dev); return; }
dev.cira.mpsPresent = getItem(response.Body.MpServer.ReferenceParameters.SelectorSet.Selector, '@Name', 'Name').Value;
dev.consoleMsg("Created new MPS server.");
addMpsPolicy(dev);
});
} else {
// MPS server is present, check MPS trigger policy
addMpsPolicy(dev);
}
}
function addMpsPolicy(dev) {
if (dev.cira.mpsPolicy == false) {
var cilaSupport = ((dev.aquired.majorver > 11) || ((dev.aquired.majorver == 11) && (dev.aquired.minorver >= 6)));
var trigger = 2; // 1 = Alert, 2 = Periodic
// Setup extended data
var extendedData = null;
if (trigger == 2) {
var timertype = 0; // 0 = Periodic, 1 = Time of day
var exdata = IntToStr(10); // Interval trigger, 10 seconds
extendedData = Buffer.from(IntToStr(timertype) + exdata, 'binary').toString('base64');
}
// Create the MPS server references
var server1 = '<Address xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</Address><ReferenceParameters xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing"><ResourceURI xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://intel.com/wbem/wscim/1/amt-schema/1/AMT_ManagementPresenceRemoteSAP</ResourceURI><SelectorSet xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"><Selector Name="Name">' + dev.cira.mpsPresent + '</Selector></SelectorSet></ReferenceParameters>';
var server2 = null;
// Put the CIRA/CILA servers in the right bins.
var ciraServers = [], cilaServers = [];
if (server1) { ciraServers.push(server1); if (server2) { ciraServers.push(server2); } }
// Go ahead and create the new CIRA/CILA policy.
dev.taskCount++;
dev.amtstack.AMT_RemoteAccessService_AddRemoteAccessPolicyRule(trigger, 0, extendedData, ciraServers, cilaServers, function (stack, name, responses, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg("Failed to create new MPS policy."); removeAmtDevice(dev); return; }
dev.consoleMsg("Created new MPS policy.");
checkEnvironmentDetection(dev);
});
} else {
checkEnvironmentDetection(dev);
}
}
function checkEnvironmentDetection(dev) {
var changes = false;
var editEnvironmentDetectionTmp = [];
//console.log('checkEnvironmentDetection', dev.cira.xxEnvironementDetection);
if (dev.policy.ciraPolicy == 2) {
// Check that we have a random environment detection
// TODO
} else {
// Check environment detection is clear
// TODO
}
if (changes == true) {
var t = Clone(dev.cire.xxEnvironementDetection);
t['DetectionStrings'] = editEnvironmentDetectionTmp;
//console.log('AMT_EnvironmentDetectionSettingData', t);
amtstack.Put('AMT_EnvironmentDetectionSettingData', t, function (stack, name, responses, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg("Failed to set environement detection."); removeAmtDevice(dev); return; }
dev.consoleMsg("Environment detection set.");
devTaskCompleted(dev);
}, 0, 1);
} else {
devTaskCompleted(dev);
}
}
//
// Intel AMT Hardware Inventory and Networking
//
function attemptFetchHardwareInventory(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
const mesh = parent.webserver.meshes[dev.meshid];
@ -761,12 +982,6 @@ module.exports.CreateAmtManager = function(parent) {
}
}
// Called this when a task is completed, when all tasks are completed the call back function will be called.
function devTaskCompleted(dev) {
dev.taskCount--;
if (dev.taskCount == 0) { var f = dev.taskCompleted; delete dev.taskCount; delete dev.taskCompleted; if (f != null) { f(); } }
}
function attemptFetchNetworkResponse(stack, name, responses, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
@ -928,6 +1143,16 @@ module.exports.CreateAmtManager = function(parent) {
devTaskCompleted(dev);
}
//
// General Methods
//
// Called this when a task is completed, when all tasks are completed the call back function will be called.
function devTaskCompleted(dev) {
dev.taskCount--;
if (dev.taskCount == 0) { var f = dev.taskCompleted; delete dev.taskCount; delete dev.taskCompleted; if (f != null) { f(); } }
}
function guidToStr(g) { return g.substring(6, 8) + g.substring(4, 6) + g.substring(2, 4) + g.substring(0, 2) + '-' + g.substring(10, 12) + g.substring(8, 10) + '-' + g.substring(14, 16) + g.substring(12, 14) + '-' + g.substring(16, 20) + '-' + g.substring(20); }
// Check which key pair matches the public key in the certificate
@ -936,7 +1161,7 @@ module.exports.CreateAmtManager = function(parent) {
var cert = certs[i];
try {
if (keys.length == 0) return;
var b = obj.parent.certificateOperations.forge.asn1.fromDer(cert.X509Certificate);
var b = obj.parent.certificateOperations.forge.asn1.fromDer(cert.X509CertificateBin);
var a = obj.parent.certificateOperations.forge.pki.certificateFromAsn1(b).publicKey;
var publicKeyPEM = obj.parent.certificateOperations.forge.pki.publicKeyToPem(a).substring(28 + 32).replace(/(\r\n|\n|\r)/gm, "");
for (var j = 0; j < keys.length; j++) {
@ -950,6 +1175,9 @@ module.exports.CreateAmtManager = function(parent) {
}
function Clone(v) { return JSON.parse(JSON.stringify(v)); }
function MakeToArray(v) { if (!v || v == null || typeof v == 'object') return v; return [v]; }
function getItem(x, y, z) { for (var i in x) { if (x[i][y] == z) return x[i]; } return null; }
function IntToStr(v) { return String.fromCharCode((v >> 24) & 0xFF, (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF); }
function parseCertName(x) {
var j, r = {}, xx = x.split(',');

View File

@ -6542,7 +6542,7 @@
if (os == 16) { osn = "MeshCmd (macOS, 64bit)"; }
if (os == 25) { osn = "MeshCmd (Linux ARM, 32bit)"; }
QH('meshcmddownloadid', osn);
Q('meshcmddownloadid').setAttribute('href', 'meshagents?meshcmd=' + os + (urlargs.key?('&key=' + urlargs.key):''));
Q('meshcmddownloadid').onclick = function() { downloadFile('meshagents?meshcmd=' + os + (urlargs.key?('&key=' + urlargs.key):''), null, true); }
}
function p10showiconselector() {