AMT Manager improvements.

This commit is contained in:
Ylian Saint-Hilaire 2021-02-22 14:41:54 -08:00
parent b7117641a0
commit 5298d1c5c9
6 changed files with 48 additions and 26 deletions

View File

@ -183,7 +183,7 @@ module.exports.CreateAmtManager = function (parent) {
parent.debug('amt', "Start Management", nodeid, connType);
addAmtDevice(dev);
// Start the device manager the task limiter so not to flood the server. Low priority task
// Start the device manager in the task limiter so not to flood the server. Low priority task
obj.parent.taskLimiter.launch(function (dev, taskid, taskLimiterQueue) {
if (isAmtDeviceValid(dev)) {
// Start managing this device
@ -255,34 +255,41 @@ module.exports.CreateAmtManager = function (parent) {
// Handle server events
// Make sure to only manage devices with connections to this server. In a multi-server setup, we don't want multiple managers talking to the same device.
obj.HandleEvent = function (source, event, ids, id) {
if (event.noact == 1) return; // Take no action on these events. We are likely in peering mode and need to only act when the database signals the change in state.
switch (event.action) {
case 'removenode': { // React to node being removed
if (event.noact == 1) return; // Take no action on these events. We are likely in peering mode and need to only act when the database signals the change in state.
removeDevice(event.nodeid);
break;
}
case 'wakedevices': { // React to node wakeup command, perform Intel AMT wake if possible
if (event.noact == 1) return; // Take no action on these events. We are likely in peering mode and need to only act when the database signals the change in state.
if (Array.isArray(event.nodeids)) { for (var i in event.nodeids) { performPowerAction(event.nodeids[i], 2); } }
break;
}
case 'changenode': { // React to changes in a device
var devices = obj.amtDevices[event.nodeid];
if (devices == null) break; // We are not managing this device
for (var i in devices) {
var dev = devices[i];
if (dev.name != event.node.name) {
//console.log('device name change');
var devices = obj.amtDevices[event.nodeid], rescan = false;
if (devices != null) {
for (var i in devices) {
var dev = devices[i];
dev.name = event.node.name;
if (event.node.intelamt != null) { dev.intelamt = event.node.intelamt; }
if ((dev.connType == 3) && (dev.host != event.node.host)) {
dev.host = event.node.host; // The host has changed, if we are connected to this device locally, we need to reset.
removeAmtDevice(dev); // We are going to wait for the AMT scanned to find this device again.
rescan = true;
}
}
if (event.node.intelamt != null) {
dev.intelamt = event.node.intelamt;
}
if ((dev.connType == 3) && (dev.host != event.node.host)) {
//console.log('device host change', dev.host, event.node.host);
dev.host = event.node.host; // The host has changed, if we are connected to this device locally, we need to reset.
removeAmtDevice(dev); // We are going to wait for the AMT scanned to find this device again.
}
} else {
// If this event provides a hint that something changed with AMT and we are not managing this device, let's rescan the local network now.
if (event.amtchange == 1) { rescan = true; }
}
// If there is a significant change to the device AMT settings and this server manages local devices, perform a re-scan of the device now.
if (rescan && (parent.amtScanner != null)) { parent.amtScanner.performSpecificScan(event.node); }
break;
}
case 'meshchange': {
// TODO
break;
}
}
@ -581,7 +588,7 @@ module.exports.CreateAmtManager = function (parent) {
// Set an error that we can't login to this device
if (dev.aquired == null) { dev.aquired = {}; }
dev.aquired.warn = 1; // Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch
dev.aquired.warn = 1; // Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch, 8 = Trying credentials
UpdateDevice(dev);
}
//console.log(dev.nodeid, dev.name, dev.host, status, 'Bad response');
@ -620,7 +627,7 @@ module.exports.CreateAmtManager = function (parent) {
if ((typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
if ((typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
// Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch
// Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch, 8 = Trying credentials
if ((typeof dev.aquired.warn == 'number')) { if ((dev.aquired.warn == 0) && (device.intelamt.warn != null)) { delete device.intelamt.warn; change = 1; } else if (dev.aquired.warn != device.intelamt.warn) { device.intelamt.warn = dev.aquired.warn; change = 1; } }
// Update Intel AMT flags if needed
@ -737,8 +744,8 @@ module.exports.CreateAmtManager = function (parent) {
if (devices == null) return;
for (var i in devices) {
var dev = devices[i];
if (dev.amtstack != null) {
// TODO: Check if the device passed initial connection
// If not LMS, has a AMT stack present and is in connected state, perform power operation.
if ((dev.connType != 2) && (dev.state == 1) && (dev.amtstack != null)) {
try { dev.amtstack.RequestPowerStateChange(action, performPowerActionResponse); } catch (ex) { }
}
}

View File

@ -167,7 +167,7 @@ module.exports.CreateAmtScanner = function (parent) {
const ciraConnections = obj.parent.mpsserver ? obj.parent.mpsserver.GetConnectionToNode(doc._id, null, true) : null; // See if any OOB connections are present
if ((host != '127.0.0.1') && (host != '::1') && (host.toLowerCase() != 'localhost') && (ciraConnections == null)) {
var scaninfo = obj.scanTable[doc._id];
if (scaninfo == undefined) {
if (scaninfo == null) {
var tag = obj.nextTag++;
obj.scanTableTags[tag] = obj.scanTable[doc._id] = scaninfo = { nodeinfo: doc, present: true, tag: tag, state: 0 };
//console.log('Scan ' + host + ', state=' + scaninfo.state + ', delta=' + delta);
@ -212,6 +212,17 @@ module.exports.CreateAmtScanner = function (parent) {
return true;
};
// Look for all Intel AMT computers that may be locally reachable and poll their presence
obj.performSpecificScan = function (node) {
var host = node.host.toLowerCase();
const ciraConnections = obj.parent.mpsserver ? obj.parent.mpsserver.GetConnectionToNode(node._id, null, true) : null; // See if any OOB connections are present
if ((host != '127.0.0.1') && (host != '::1') && (host.toLowerCase() != 'localhost') && (ciraConnections == null)) {
obj.checkTcpPresence(host, (node.intelamt.tls == 1) ? 16993 : 16992, { nodeinfo: node }, function (tag, result, version) {
if ((result == true) && (obj.parent.amtManager != null)) { obj.parent.amtManager.startAmtManagement(tag.nodeinfo._id, 3, tag.nodeinfo.host); }
});
}
};
// Check the presense of a specific Intel AMT computer using RMCP
obj.checkAmtPresence = function (host, tag) { obj.ResolveName(host, function (hostname, ip) { obj.checkAmtPresenceEx(ip, tag); }); };

View File

@ -439,6 +439,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
parent.parent.debug('agent', 'Agent reported web cert hash:' + (Buffer.from(msg.substring(2, 50), 'binary').toString('hex')) + '.');
console.log('Agent bad web cert hash (Agent:' + (Buffer.from(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + ' != Server:' + (Buffer.from(getWebCertHash(domain), 'binary').toString('hex').substring(0, 10)) + ' or ' + (Buffer.from(getWebCertFullHash(domain), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddrport + ').');
console.log('Agent reported web cert hash:' + (Buffer.from(msg.substring(2, 50), 'binary').toString('hex')) + '.');
delete obj.agentSeenCerthash;
return;
} else {
// The hash matched one of the acceptable values, send the agent web hash back to the agent
@ -1078,6 +1079,9 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
if (isIgnoreHashCheck() == false) {
var verified = false;
// This agent did not report a valid TLS certificate hash, fail now.
if (obj.agentSeenCerthash == null) return false;
// Raw RSA signatures have an exact length of 256 or 384. PKCS7 is larger.
if ((msg.length != 384) && (msg.length != 256)) {
// Verify a PKCS7 signature.

View File

@ -4047,12 +4047,12 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
}
if (command.desc != null && (command.desc != node.desc)) { change = 1; node.desc = command.desc; changes.push('description'); }
if (command.intelamt != null) {
if ((parent.parent.amtManager == null) || (node.intelamt.user == null) || (node.intelamt.user == '') || ((node.intelamt.warn != null) && ((node.intelamt.warn) & 3 != 0))) { // Only allow changes to Intel AMT credentials if AMT manager is not running, or manager warned of unknown/trying credentials.
if ((parent.parent.amtManager == null) || (node.intelamt.user == null) || (node.intelamt.user == '') || ((node.intelamt.warn != null) && (((node.intelamt.warn) & 9) != 0))) { // Only allow changes to Intel AMT credentials if AMT manager is not running, or manager warned of unknown/trying credentials.
if ((command.intelamt.user != null) && (command.intelamt.pass != null) && ((command.intelamt.user != node.intelamt.user) || (command.intelamt.pass != node.intelamt.pass))) {
change = 1;
node.intelamt.user = command.intelamt.user;
node.intelamt.pass = command.intelamt.pass;
node.intelamt.warn = 2; // Change warning to "Trying". Bit flags: 0 = Valid credentials, 1 = Invalid credentials, 2 = Trying new credentials.
node.intelamt.warn |= 8; // Change warning to "Trying". Bit flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch, 8 = Trying credentials
changes.push('Intel AMT credentials');
amtchange = 1;
}

View File

@ -3128,7 +3128,7 @@
} else if (((features2 & 1) != 0) && (node.intelamt.warn != null)) { // If AMT manager is running and warned of invalid credentials, allow setting them.
var warn = null;
if ((node.intelamt.warn & 1) != 0) { warn = "Invalid Credentials"; }
if ((node.intelamt.warn & 2) != 0) { warn = "Trying Credentials"; }
if ((node.intelamt.warn & 8) != 0) { warn = "Trying Credentials"; }
if (warn != null) {
if ((meshrights & 4) != 0) {
str += ', <i style=color:#FF0000;cursor:pointer title="' + "Edit Intel&reg; AMT credentials" + '" onclick=editDeviceAmtSettings("' + node._id + '")>' + warn + '</i>';

View File

@ -2772,7 +2772,7 @@
meshserver.send({ action: 'nodes' }); // Request a refresh of all nodes (TODO: We could optimize this to only request nodes for the new mesh).
}
} else {
// This is an existing mesh
// This is an existing device group
if (message.event.name != null) {
meshes[message.event.meshid].name = message.event.name;
for (var i in nodes) { if (nodes[i].meshid == message.event.meshid) { nodes[i].meshnamel = message.event.name.toLowerCase(); } }
@ -5927,7 +5927,7 @@
} else if (((features2 & 1) != 0) && (node.intelamt.warn != null)) { // If AMT manager is running and warned of invalid credentials, allow setting them.
var warn = null;
if ((node.intelamt.warn & 1) != 0) { warn = "Invalid Credentials"; }
if ((node.intelamt.warn & 2) != 0) { warn = "Trying Credentials"; }
if ((node.intelamt.warn & 8) != 0) { warn = "Trying Credentials"; }
if (warn != null) {
if ((meshrights & 4) != 0) {
str += ', <i style=color:#FF0000;cursor:pointer title="' + "Edit Intel&reg; AMT credentials" + '" onclick=editDeviceAmtSettings("' + node._id + '")>' + warn + '</i>';