MyFavMirrors/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-01-24 13:13:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Intel AMT activation improvements.

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2019-06-27 16:04:52 -07:00
parent 32826be071
commit 86fc328325
5 changed files with 301 additions and 296 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
agents/MeshCmd-signed.exe
View File

Binary file not shown.

BIN
agents/MeshCmd64-signed.exe
View File

Binary file not shown.

248
agents/meshcmd.js
View File

@ -517,13 +517,18 @@ function run(argv) {
settings.protocol = 'http:';
settings.localport = 16992;
debug(1, "Settings: " + JSON.stringify(settings));
if (settings.password != null) { activeToCCM(); } else { activeServerCCM(); }
if (settings.password != null) { activeToCCM(); } else { activeToACM(); }
} else if (settings.action == 'amtacm') {
// Start activation to ACM
if ((settings.url == null) || (typeof settings.url != 'string') || (settings.url == '')) { console.log('No activation server URL specified, use --url [url].'); exit(1); return; }
if ((typeof settings.profile != 'string') || (settings.profile == '')) { settings.profile = null; }
debug(1, "Settings: " + JSON.stringify(settings));
activeToACM();
} else if (settings.action == 'amtdiscover') {
// Intel AMT server discovery, tell the server the state of Intel AMT.
if ((settings.url == null) || (typeof settings.url != 'string') || (settings.url == '')) { console.log('No activation server URL specified, use --url [url].'); exit(1); return; }
debug(1, "Settings: " + JSON.stringify(settings));
activeToACM();
} else if (settings.action == 'amtdeactivate') {
// Deactivate CCM
debug(1, "Settings: " + JSON.stringify(settings));
@ -823,91 +828,6 @@ function activeToCCMEx3(stack, name, responses, status) {
}
//
// Activate Intel AMT to CCM with server activation
//
function activeServerCCM() {
settings.noconsole = true;
mestate = {};
var amtMeiModule, amtMei;
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
amtMei.getProvisioningState(function (result) { if (result) { mestate.ProvisioningState = result; } });
amtMei.getVersion(function (val) { mestate.vers = {}; if (val != null) { for (var version in val.Versions) { mestate.vers[val.Versions[version].Description] = val.Versions[version].Version; } } });
amtMei.getUuid(function (result) {
if ((result != null) && (result.uuid != null)) { mestate.uuid = result.uuid; }
if ((mestate.vers == null) || (mestate.vers['AMT'] == null)) { console.log("Unable to get Intel AMT version."); exit(100); return; }
if (mestate.ProvisioningState == null) { console.log("Unable to read Intel AMT activation state."); exit(100); return; }
if (mestate.ProvisioningState.state !== 0) { console.log("Intel AMT is not in pre-provisioning state: " + mestate.ProvisioningState.stateStr); exit(100); return; }
if (mestate.uuid == null) { console.log("Unable to get Intel AMT UUID."); exit(100); return; }
startLms(activeServerCCMEx);
});
}
function activeServerCCMEx(state) {
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], activeServerCCMEx2);
}
function activeServerCCMEx2(stack, name, responses, status) {
if (status != 200) { console.log('Failed to fetch activation status, status ' + status); exit(1); }
else if (responses['IPS_HostBasedSetupService'].response['AllowedControlModes'].length != 2) { console.log('Client control mode activation not allowed'); exit(1); }
// Establish WebSocket connection to activation server
var options = http.parseUri(settings.url);
options.checkServerIdentity = onVerifyServer;
options.rejectUnauthorized = false;
var connection = http.request(options);
connection.on('upgrade', function (response, socket) {
console.log('Connected, requesting activation...');
settings.xxsocket = socket;
socket.on('end', function () { console.log('Connection closed'); exit(0); });
socket.on('error', function () { console.log('Connection error'); exit(100); });
socket.on('data', function (data) {
// Parse and check the response
var cmd = null;
try { cmd = JSON.parse(data); } catch (ex) { console.log('Unable to parse server response: ' + data); exit(100); return; }
if (typeof cmd != 'object') { console.log('Invalid server response: ' + cmd); exit(100); return; }
if (typeof cmd.errorText == 'string') { console.log('Server error: ' + cmd.errorText); exit(100); return; }
if (cmd.action != 'ccmactivate') { console.log('Invalid server response, command: ' + cmd.cmd); exit(100); return; }
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
settings.xxprofileScript = cmd.profileScript;
settings.xxrawpassword = cmd.rawpassword;
// We are ready to go, perform CCM activation.
osamtstack.IPS_HostBasedSetupService_Setup(2, cmd.password, null, null, null, null, activeServerCCMEx3);
});
socket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate', realm: responses['AMT_GeneralSettings'].response['DigestRealm'], uuid: mestate.uuid, tag: settings.tag, name: settings.name, ver: mestate.vers['AMT'] });
});
connection.end();
}
function activeServerCCMEx3(stack, name, responses, status) {
if (status != 200) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Failed to activate, status ' + status);
} else if (responses.Body.ReturnValue != 0) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Client control mode activation failed: ' + responses.Body.ReturnValueStr);
} else {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-success', uuid: mestate.uuid });
if ((settings.xxprofileScript !== null) && (settings.xxrawpassword != null)) {
console.log("Intel AMT ACM activation success, applying profile...");
settings.scriptjson = settings.xxprofileScript;
settings.password = settings.xxrawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
return;
} else {
console.log('Success');
settings.xxsocket.end();
exit(0);
return;
}
}
settings.xxsocket.end();
exit(1);
}
//
@ -976,11 +896,11 @@ function getTrustedHashes(amtMei, func, tag) {
}
//
// Activate Intel AMT to ACM
// Activate Intel AMT to with server (ACM or CCM)
//
function activeToACM() {
console.log('Starting Intel AMT provisioning to Admin Control Mode (ACM) attempt...');
console.log('Starting Intel AMT activation attempt...');
settings.noconsole = true;
// Display Intel AMT version and activation state
@ -992,10 +912,11 @@ function activeToACM() {
amtMei.getVersion(function (val) { mestate.vers = {}; if (val != null) { for (var version in val.Versions) { mestate.vers[val.Versions[version].Description] = val.Versions[version].Version; } } });
amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } });
amtMei.getUuid(function (result) { if ((result != null) && (result.uuid != null)) { mestate.uuid = result.uuid; } });
amtMei.getControlMode(function (result) { if (result != null) { mestate.controlMode = result.controlMode; } }); // controlMode: 0 = NoActivated, 1 = CCM, 2 = ACM
amtMei.getDnsSuffix(function (result) {
if ((mestate.vers == null) || (mestate.vers['AMT'] == null)) { console.log("Unable to get Intel AMT version."); exit(100); return; }
if (mestate.ProvisioningState == null) { console.log("Unable to read Intel AMT activation state."); exit(100); return; }
if (mestate.ProvisioningState.state !== 0) { console.log("Intel AMT is not in pre-provisioning state: " + mestate.ProvisioningState.stateStr); exit(100); return; }
if ((settings.action != 'amtdiscover') && (mestate.controlMode == 2)) { console.log("Intel AMT already activation in admin control mode."); exit(100); return; }
if (mestate.uuid == null) { console.log("Unable to get Intel AMT UUID."); exit(100); return; }
var fqdn = null;
if ((mestate.net0 == null) && (meinfo.net0.enabled != 0)) { console.log("No Intel AMT wired interface, can't perform ACM activation."); exit(100); return; }
@ -1025,12 +946,13 @@ function getFwNonce() {
if (status != 200) { console.log("Unable to get firmware activation nonce, status=" + status); exit(100); return; }
var fwNonce = responses['IPS_HostBasedSetupService'].response['ConfigurationNonce'];
var digestRealm = responses['AMT_GeneralSettings'].response['DigestRealm'];
activeToACMEx(fwNonce, settings.fqdn, digestRealm, settings.uuid);
var allowedModes = responses['IPS_HostBasedSetupService'].response['AllowedControlModes']; // 1 = CCM, 2 = ACM
activeToACMEx(fwNonce, settings.fqdn, digestRealm, settings.uuid, allowedModes);
});
}
// Connect to the activation server and perform ACM activation
function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid, allowedModes) {
console.log('FQDN: ' + dnsSuffix);
console.log('UUID: ' + uuid);
console.log('Realm: ' + digestRealm);
@ -1039,11 +961,11 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
// Establish WebSocket connection to activation server
var options = http.parseUri(settings.url);
//options.checkServerIdentity = function (clientName, certs) { }; // TODO
options.checkServerIdentity = onVerifyServer;
options.rejectUnauthorized = false;
var connection = http.request(options);
connection.on('upgrade', function (response, socket) {
settings.xxsocket = socket;
console.log('Connected, requesting activation...');
socket.on('end', function () { console.log('Connection closed'); exit(0); });
socket.on('error', function () { console.log('Connection error'); exit(100); });
@ -1053,52 +975,135 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
try { cmd = JSON.parse(data); } catch (ex) { console.log('Unable to parse server response: ' + data); exit(100); return; }
if (typeof cmd != 'object') { console.log('Invalid server response: ' + cmd); exit(100); return; }
if (typeof cmd.errorText == 'string') { console.log('Server error: ' + cmd.errorText); exit(100); return; }
if (cmd.action != 'acmactivate') { console.log('Invalid server response, command: ' + cmd.cmd); exit(100); return; }
if (typeof cmd.signature != 'string') { console.log('Invalid server signature'); exit(100); return; }
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
if (typeof cmd.nonce != 'string') { console.log('Invalid server nonce'); exit(100); return; }
if (typeof cmd.certs != 'object') { console.log('Invalid server certificates'); exit(100); return; }
switch (cmd.action) {
case 'acmactivate': {
// Server responded with ACM activation response
if (typeof cmd.signature != 'string') { console.log('Invalid server signature'); exit(100); return; }
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
if (typeof cmd.nonce != 'string') { console.log('Invalid server nonce'); exit(100); return; }
if (typeof cmd.certs != 'object') { console.log('Invalid server certificates'); exit(100); return; }
// We are ready to go, perform activation.
cmd.index = 0;
performAcmActivation(cmd, function (result) {
if (result == false) {
console.log('Intel AMT ACM activation failed.');
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-failed', uuid: mestate.uuid });
socket.end();
exit(1);
} else {
if ((cmd.profileScript !== null) && (cmd.rawpassword != null)) {
console.log('Intel AMT ACM activation success, applying profile...');
settings.scriptjson = cmd.profileScript;
settings.password = cmd.rawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
cmd.index = 0;
// If we are in CCM mode, deactivate.
if (mestate.controlMode == 1) {
amtMei.unprovision(1, function (status) {
if (status == 0) {
console.log('Intel AMT CCM deactivated, holding 10 seconds...');
// We are ready to go, perform ACM activation.
settings.xxTimer = setTimeout(function () { performAcmActivation(cmd, AcmActivationCompleted); }, 10000);
} else {
console.log('Intel AMT CCM deactivation error ' + status); exit(1); return;
}
});
} else {
console.log('Intel AMT ACM activation success.');
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-success', uuid: mestate.uuid });
socket.end();
exit(0);
// We are ready to go, perform ACM activation.
performAcmActivation(cmd, AcmActivationCompleted);
}
break;
}
});
case 'ccmactivate': {
// Server responded with CCM activation response
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
settings.xxprofileScript = cmd.profileScript;
settings.xxrawpassword = cmd.rawpassword;
// If we are already in CCM mode, deactivate.
if (mestate.controlMode == 1) {
amtMei.unprovision(1, function (status) {
if (status == 0) {
console.log('Intel AMT CCM deactivated, holding 10 seconds...');
// We are ready to go, perform CCM activation.
settings.xxTimer = setTimeout(function () { osamtstack.IPS_HostBasedSetupService_Setup(2, cmd.password, null, null, null, null, performCcmActivation); }, 10000);
} else {
console.log('Intel AMT CCM deactivation error ' + status); exit(1); return;
}
});
} else {
// We are ready to go, perform CCM activation.
osamtstack.IPS_HostBasedSetupService_Setup(2, cmd.password, null, null, null, null, performCcmActivation);
}
break;
}
case 'amtdiscover': {
console.log('Done.');
exit(0);
break;
}
default: {
console.log('Invalid server response, command: ' + cmd.action); exit(100);
break;
}
}
});
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate', fqdn: dnsSuffix, realm: digestRealm, nonce: fwNonce, uuid: uuid, profile: settings.profile, hashes: trustedHashes, tag: settings.tag, name: settings.name, ver: mestate.vers['AMT'] });
var action = 'acmactivate';
if (settings.action == 'amtccm') { action = 'ccmactivate'; }
if (settings.action == 'amtdiscover') { action = 'amtdiscover'; }
socket.write({ client: 'meshcmd', version: 1, action: action, fqdn: dnsSuffix, realm: digestRealm, nonce: fwNonce, uuid: uuid, profile: settings.profile, hashes: trustedHashes, tag: settings.tag, name: settings.name, ver: mestate.vers['AMT'], modes: allowedModes, currentMode: mestate.controlMode });
});
connection.end();
}
function performCcmActivation(stack, name, responses, status) {
if (status != 200) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Failed to activate, status ' + status);
} else if (responses.Body.ReturnValue != 0) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Intel AMT CCM activation failed: ' + responses.Body.ReturnValueStr);
} else {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-success', uuid: mestate.uuid });
if ((settings.xxprofileScript !== null) && (settings.xxrawpassword != null)) {
console.log("Intel AMT CCM activation success, applying profile...");
settings.scriptjson = settings.xxprofileScript;
settings.password = settings.xxrawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
return;
} else {
console.log('Intel AMT CCM activation success.');
settings.xxsocket.end();
exit(0);
return;
}
}
settings.xxsocket.end();
exit(1);
}
function AcmActivationCompleted(result) {
if (result == false) {
console.log('Intel AMT ACM activation failed.');
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-failed', uuid: mestate.uuid });
settings.xxsocket.end();
exit(1);
} else {
if ((cmd.profileScript !== null) && (cmd.rawpassword != null)) {
console.log('Intel AMT ACM activation success, applying profile...');
settings.scriptjson = cmd.profileScript;
settings.password = cmd.rawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); settings.xxsocket.end(); exit(0); }, stack);
} else {
console.log('Intel AMT ACM activation success.');
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-success', uuid: mestate.uuid });
settings.xxsocket.end();
exit(0);
}
}
}
// Recursive function to inject the provisioning certificates into AMT in the proper order and completes ACM activation
function performAcmActivation(acmdata, func) {
var leaf = (acmdata.index == 0), root = (acmdata.index == (acmdata.certs.length - 1));
if ((acmdata.index < acmdata.certs.length) && (acmdata.certs[acmdata.index] != null)) {
osamtstack.IPS_HostBasedSetupService_AddNextCertInChain(acmdata.certs[acmdata.index], leaf, root, function (stack, name, responses, status) {
if (status !== 200) { debug('AddNextCertInChain status: ' + status); return; }
else if (responses['Body']['ReturnValue'] !== 0) { console.log('AddNextCertInChain error: ' + responses['Body']['ReturnValue']); return; }
if (status !== 200) { console.log('AddNextCertInChain error, status=' + status); exit(1); return; }
else if (responses['Body']['ReturnValue'] !== 0) { console.log('AddNextCertInChain error: ' + responses['Body']['ReturnValue']); exit(1); return; }
else { acmdata.index++; performAcmActivation(acmdata, func); }
});
} else {
console.log(acmdata.password, acmdata.nonce, acmdata.signature);
//console.log(acmdata.password, acmdata.nonce, acmdata.signature);
osamtstack.IPS_HostBasedSetupService_AdminSetup(2, acmdata.password, acmdata.nonce, 2, acmdata.signature,
function (stack, name, responses, status) {
if (status !== 200) { console.log('Error, AdminSetup status: ' + status); }
@ -1181,7 +1186,6 @@ function startMeScriptEx(callback, amtstack) {
// FETCH ALL INTEL AMT STATE
//
function saveEntireAmtState2() {
console.log('Fetching all Intel AMT state, this may take a few minutes...');
var transport = require('amt-wsman-duk');

248
agents/meshcmd.min.js vendored
View File

@ -517,13 +517,18 @@ function run(argv) {
settings.protocol = 'http:';
settings.localport = 16992;
debug(1, "Settings: " + JSON.stringify(settings));
if (settings.password != null) { activeToCCM(); } else { activeServerCCM(); }
if (settings.password != null) { activeToCCM(); } else { activeToACM(); }
} else if (settings.action == 'amtacm') {
// Start activation to ACM
if ((settings.url == null) || (typeof settings.url != 'string') || (settings.url == '')) { console.log('No activation server URL specified, use --url [url].'); exit(1); return; }
if ((typeof settings.profile != 'string') || (settings.profile == '')) { settings.profile = null; }
debug(1, "Settings: " + JSON.stringify(settings));
activeToACM();
} else if (settings.action == 'amtdiscover') {
// Intel AMT server discovery, tell the server the state of Intel AMT.
if ((settings.url == null) || (typeof settings.url != 'string') || (settings.url == '')) { console.log('No activation server URL specified, use --url [url].'); exit(1); return; }
debug(1, "Settings: " + JSON.stringify(settings));
activeToACM();
} else if (settings.action == 'amtdeactivate') {
// Deactivate CCM
debug(1, "Settings: " + JSON.stringify(settings));
@ -823,91 +828,6 @@ function activeToCCMEx3(stack, name, responses, status) {
}
//
// Activate Intel AMT to CCM with server activation
//
function activeServerCCM() {
settings.noconsole = true;
mestate = {};
var amtMeiModule, amtMei;
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
amtMei.getProvisioningState(function (result) { if (result) { mestate.ProvisioningState = result; } });
amtMei.getVersion(function (val) { mestate.vers = {}; if (val != null) { for (var version in val.Versions) { mestate.vers[val.Versions[version].Description] = val.Versions[version].Version; } } });
amtMei.getUuid(function (result) {
if ((result != null) && (result.uuid != null)) { mestate.uuid = result.uuid; }
if ((mestate.vers == null) || (mestate.vers['AMT'] == null)) { console.log("Unable to get Intel AMT version."); exit(100); return; }
if (mestate.ProvisioningState == null) { console.log("Unable to read Intel AMT activation state."); exit(100); return; }
if (mestate.ProvisioningState.state !== 0) { console.log("Intel AMT is not in pre-provisioning state: " + mestate.ProvisioningState.stateStr); exit(100); return; }
if (mestate.uuid == null) { console.log("Unable to get Intel AMT UUID."); exit(100); return; }
startLms(activeServerCCMEx);
});
}
function activeServerCCMEx(state) {
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], activeServerCCMEx2);
}
function activeServerCCMEx2(stack, name, responses, status) {
if (status != 200) { console.log('Failed to fetch activation status, status ' + status); exit(1); }
else if (responses['IPS_HostBasedSetupService'].response['AllowedControlModes'].length != 2) { console.log('Client control mode activation not allowed'); exit(1); }
// Establish WebSocket connection to activation server
var options = http.parseUri(settings.url);
options.checkServerIdentity = onVerifyServer;
options.rejectUnauthorized = false;
var connection = http.request(options);
connection.on('upgrade', function (response, socket) {
console.log('Connected, requesting activation...');
settings.xxsocket = socket;
socket.on('end', function () { console.log('Connection closed'); exit(0); });
socket.on('error', function () { console.log('Connection error'); exit(100); });
socket.on('data', function (data) {
// Parse and check the response
var cmd = null;
try { cmd = JSON.parse(data); } catch (ex) { console.log('Unable to parse server response: ' + data); exit(100); return; }
if (typeof cmd != 'object') { console.log('Invalid server response: ' + cmd); exit(100); return; }
if (typeof cmd.errorText == 'string') { console.log('Server error: ' + cmd.errorText); exit(100); return; }
if (cmd.action != 'ccmactivate') { console.log('Invalid server response, command: ' + cmd.cmd); exit(100); return; }
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
settings.xxprofileScript = cmd.profileScript;
settings.xxrawpassword = cmd.rawpassword;
// We are ready to go, perform CCM activation.
osamtstack.IPS_HostBasedSetupService_Setup(2, cmd.password, null, null, null, null, activeServerCCMEx3);
});
socket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate', realm: responses['AMT_GeneralSettings'].response['DigestRealm'], uuid: mestate.uuid, tag: settings.tag, name: settings.name, ver: mestate.vers['AMT'] });
});
connection.end();
}
function activeServerCCMEx3(stack, name, responses, status) {
if (status != 200) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Failed to activate, status ' + status);
} else if (responses.Body.ReturnValue != 0) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Client control mode activation failed: ' + responses.Body.ReturnValueStr);
} else {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-success', uuid: mestate.uuid });
if ((settings.xxprofileScript !== null) && (settings.xxrawpassword != null)) {
console.log("Intel AMT ACM activation success, applying profile...");
settings.scriptjson = settings.xxprofileScript;
settings.password = settings.xxrawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
return;
} else {
console.log('Success');
settings.xxsocket.end();
exit(0);
return;
}
}
settings.xxsocket.end();
exit(1);
}
//
@ -976,11 +896,11 @@ function getTrustedHashes(amtMei, func, tag) {
}
//
// Activate Intel AMT to ACM
// Activate Intel AMT to with server (ACM or CCM)
//
function activeToACM() {
console.log('Starting Intel AMT provisioning to Admin Control Mode (ACM) attempt...');
console.log('Starting Intel AMT activation attempt...');
settings.noconsole = true;
// Display Intel AMT version and activation state
@ -992,10 +912,11 @@ function activeToACM() {
amtMei.getVersion(function (val) { mestate.vers = {}; if (val != null) { for (var version in val.Versions) { mestate.vers[val.Versions[version].Description] = val.Versions[version].Version; } } });
amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } });
amtMei.getUuid(function (result) { if ((result != null) && (result.uuid != null)) { mestate.uuid = result.uuid; } });
amtMei.getControlMode(function (result) { if (result != null) { mestate.controlMode = result.controlMode; } }); // controlMode: 0 = NoActivated, 1 = CCM, 2 = ACM
amtMei.getDnsSuffix(function (result) {
if ((mestate.vers == null) || (mestate.vers['AMT'] == null)) { console.log("Unable to get Intel AMT version."); exit(100); return; }
if (mestate.ProvisioningState == null) { console.log("Unable to read Intel AMT activation state."); exit(100); return; }
if (mestate.ProvisioningState.state !== 0) { console.log("Intel AMT is not in pre-provisioning state: " + mestate.ProvisioningState.stateStr); exit(100); return; }
if ((settings.action != 'amtdiscover') && (mestate.controlMode == 2)) { console.log("Intel AMT already activation in admin control mode."); exit(100); return; }
if (mestate.uuid == null) { console.log("Unable to get Intel AMT UUID."); exit(100); return; }
var fqdn = null;
if ((mestate.net0 == null) && (meinfo.net0.enabled != 0)) { console.log("No Intel AMT wired interface, can't perform ACM activation."); exit(100); return; }
@ -1025,12 +946,13 @@ function getFwNonce() {
if (status != 200) { console.log("Unable to get firmware activation nonce, status=" + status); exit(100); return; }
var fwNonce = responses['IPS_HostBasedSetupService'].response['ConfigurationNonce'];
var digestRealm = responses['AMT_GeneralSettings'].response['DigestRealm'];
activeToACMEx(fwNonce, settings.fqdn, digestRealm, settings.uuid);
var allowedModes = responses['IPS_HostBasedSetupService'].response['AllowedControlModes']; // 1 = CCM, 2 = ACM
activeToACMEx(fwNonce, settings.fqdn, digestRealm, settings.uuid, allowedModes);
});
}
// Connect to the activation server and perform ACM activation
function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid, allowedModes) {
console.log('FQDN: ' + dnsSuffix);
console.log('UUID: ' + uuid);
console.log('Realm: ' + digestRealm);
@ -1039,11 +961,11 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
// Establish WebSocket connection to activation server
var options = http.parseUri(settings.url);
//options.checkServerIdentity = function (clientName, certs) { }; // TODO
options.checkServerIdentity = onVerifyServer;
options.rejectUnauthorized = false;
var connection = http.request(options);
connection.on('upgrade', function (response, socket) {
settings.xxsocket = socket;
console.log('Connected, requesting activation...');
socket.on('end', function () { console.log('Connection closed'); exit(0); });
socket.on('error', function () { console.log('Connection error'); exit(100); });
@ -1053,52 +975,135 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
try { cmd = JSON.parse(data); } catch (ex) { console.log('Unable to parse server response: ' + data); exit(100); return; }
if (typeof cmd != 'object') { console.log('Invalid server response: ' + cmd); exit(100); return; }
if (typeof cmd.errorText == 'string') { console.log('Server error: ' + cmd.errorText); exit(100); return; }
if (cmd.action != 'acmactivate') { console.log('Invalid server response, command: ' + cmd.cmd); exit(100); return; }
if (typeof cmd.signature != 'string') { console.log('Invalid server signature'); exit(100); return; }
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
if (typeof cmd.nonce != 'string') { console.log('Invalid server nonce'); exit(100); return; }
if (typeof cmd.certs != 'object') { console.log('Invalid server certificates'); exit(100); return; }
switch (cmd.action) {
case 'acmactivate': {
// Server responded with ACM activation response
if (typeof cmd.signature != 'string') { console.log('Invalid server signature'); exit(100); return; }
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
if (typeof cmd.nonce != 'string') { console.log('Invalid server nonce'); exit(100); return; }
if (typeof cmd.certs != 'object') { console.log('Invalid server certificates'); exit(100); return; }
// We are ready to go, perform activation.
cmd.index = 0;
performAcmActivation(cmd, function (result) {
if (result == false) {
console.log('Intel AMT ACM activation failed.');
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-failed', uuid: mestate.uuid });
socket.end();
exit(1);
} else {
if ((cmd.profileScript !== null) && (cmd.rawpassword != null)) {
console.log('Intel AMT ACM activation success, applying profile...');
settings.scriptjson = cmd.profileScript;
settings.password = cmd.rawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
cmd.index = 0;
// If we are in CCM mode, deactivate.
if (mestate.controlMode == 1) {
amtMei.unprovision(1, function (status) {
if (status == 0) {
console.log('Intel AMT CCM deactivated, holding 10 seconds...');
// We are ready to go, perform ACM activation.
settings.xxTimer = setTimeout(function () { performAcmActivation(cmd, AcmActivationCompleted); }, 10000);
} else {
console.log('Intel AMT CCM deactivation error ' + status); exit(1); return;
}
});
} else {
console.log('Intel AMT ACM activation success.');
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-success', uuid: mestate.uuid });
socket.end();
exit(0);
// We are ready to go, perform ACM activation.
performAcmActivation(cmd, AcmActivationCompleted);
}
break;
}
});
case 'ccmactivate': {
// Server responded with CCM activation response
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
settings.xxprofileScript = cmd.profileScript;
settings.xxrawpassword = cmd.rawpassword;
// If we are already in CCM mode, deactivate.
if (mestate.controlMode == 1) {
amtMei.unprovision(1, function (status) {
if (status == 0) {
console.log('Intel AMT CCM deactivated, holding 10 seconds...');
// We are ready to go, perform CCM activation.
settings.xxTimer = setTimeout(function () { osamtstack.IPS_HostBasedSetupService_Setup(2, cmd.password, null, null, null, null, performCcmActivation); }, 10000);
} else {
console.log('Intel AMT CCM deactivation error ' + status); exit(1); return;
}
});
} else {
// We are ready to go, perform CCM activation.
osamtstack.IPS_HostBasedSetupService_Setup(2, cmd.password, null, null, null, null, performCcmActivation);
}
break;
}
case 'amtdiscover': {
console.log('Done.');
exit(0);
break;
}
default: {
console.log('Invalid server response, command: ' + cmd.action); exit(100);
break;
}
}
});
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate', fqdn: dnsSuffix, realm: digestRealm, nonce: fwNonce, uuid: uuid, profile: settings.profile, hashes: trustedHashes, tag: settings.tag, name: settings.name, ver: mestate.vers['AMT'] });
var action = 'acmactivate';
if (settings.action == 'amtccm') { action = 'ccmactivate'; }
if (settings.action == 'amtdiscover') { action = 'amtdiscover'; }
socket.write({ client: 'meshcmd', version: 1, action: action, fqdn: dnsSuffix, realm: digestRealm, nonce: fwNonce, uuid: uuid, profile: settings.profile, hashes: trustedHashes, tag: settings.tag, name: settings.name, ver: mestate.vers['AMT'], modes: allowedModes, currentMode: mestate.controlMode });
});
connection.end();
}
function performCcmActivation(stack, name, responses, status) {
if (status != 200) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Failed to activate, status ' + status);
} else if (responses.Body.ReturnValue != 0) {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-failed', uuid: mestate.uuid });
console.log('Intel AMT CCM activation failed: ' + responses.Body.ReturnValueStr);
} else {
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'ccmactivate-success', uuid: mestate.uuid });
if ((settings.xxprofileScript !== null) && (settings.xxrawpassword != null)) {
console.log("Intel AMT CCM activation success, applying profile...");
settings.scriptjson = settings.xxprofileScript;
settings.password = settings.xxrawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
return;
} else {
console.log('Intel AMT CCM activation success.');
settings.xxsocket.end();
exit(0);
return;
}
}
settings.xxsocket.end();
exit(1);
}
function AcmActivationCompleted(result) {
if (result == false) {
console.log('Intel AMT ACM activation failed.');
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-failed', uuid: mestate.uuid });
settings.xxsocket.end();
exit(1);
} else {
if ((cmd.profileScript !== null) && (cmd.rawpassword != null)) {
console.log('Intel AMT ACM activation success, applying profile...');
settings.scriptjson = cmd.profileScript;
settings.password = cmd.rawpassword; // This is only going to work if the server sends the raw password
settings.username = 'admin';
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); settings.xxsocket.end(); exit(0); }, stack);
} else {
console.log('Intel AMT ACM activation success.');
settings.xxsocket.write({ client: 'meshcmd', version: 1, action: 'acmactivate-success', uuid: mestate.uuid });
settings.xxsocket.end();
exit(0);
}
}
}
// Recursive function to inject the provisioning certificates into AMT in the proper order and completes ACM activation
function performAcmActivation(acmdata, func) {
var leaf = (acmdata.index == 0), root = (acmdata.index == (acmdata.certs.length - 1));
if ((acmdata.index < acmdata.certs.length) && (acmdata.certs[acmdata.index] != null)) {
osamtstack.IPS_HostBasedSetupService_AddNextCertInChain(acmdata.certs[acmdata.index], leaf, root, function (stack, name, responses, status) {
if (status !== 200) { debug('AddNextCertInChain status: ' + status); return; }
else if (responses['Body']['ReturnValue'] !== 0) { console.log('AddNextCertInChain error: ' + responses['Body']['ReturnValue']); return; }
if (status !== 200) { console.log('AddNextCertInChain error, status=' + status); exit(1); return; }
else if (responses['Body']['ReturnValue'] !== 0) { console.log('AddNextCertInChain error: ' + responses['Body']['ReturnValue']); exit(1); return; }
else { acmdata.index++; performAcmActivation(acmdata, func); }
});
} else {
console.log(acmdata.password, acmdata.nonce, acmdata.signature);
//console.log(acmdata.password, acmdata.nonce, acmdata.signature);
osamtstack.IPS_HostBasedSetupService_AdminSetup(2, acmdata.password, acmdata.nonce, 2, acmdata.signature,
function (stack, name, responses, status) {
if (status !== 200) { console.log('Error, AdminSetup status: ' + status); }
@ -1181,7 +1186,6 @@ function startMeScriptEx(callback, amtstack) {
// FETCH ALL INTEL AMT STATE
//
function saveEntireAmtState2() {
console.log('Fetching all Intel AMT state, this may take a few minutes...');
var transport = require('amt-wsman-duk');

101
webserver.js
View File

@ -2190,73 +2190,74 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Process the command
switch (cmd.action) {
case 'ccmactivate': {
case 'amtdiscover': {
console.log(cmd);
ws.send(JSON.stringify({ action: 'amtdiscover' }));
ws.close();
return;
}
case 'ccmactivate':
case 'acmactivate': {
// Check the command
if (cmd.version != 1) { ws.send(JSON.stringify({ errorText: 'Unsupported version' })); ws.close(); return; }
if (obj.common.validateString(cmd.realm, 16, 256) == false) { ws.send(JSON.stringify({ errorText: 'Invalid realm argument' })); ws.close(); return; }
if (obj.common.validateString(cmd.uuid, 36, 36) == false) { ws.send(JSON.stringify({ errorText: 'Invalid UUID argument' })); ws.close(); return; }
if ((obj.common.validateString(cmd.ver, 5, 16) == false) || (cmd.ver.split('.').length != 3)) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT version' })); ws.close(); return; }
// Get the current Intel AMT policy
var mesh = obj.meshes[ws.meshid];
if ((mesh == null) || (mesh.amt == null) || (mesh.amt.type != 2) || (mesh.amt.password == null)) { ws.send(JSON.stringify({ errorText: 'Unable to activate' })); ws.close(); return; }
// Get the Intel AMT admin password, randomize if needed.
var amtpassword = ((mesh.amt.password == '') ? getRandomAmtPassword() : mesh.amt.password);
if (checkAmtPassword(amtpassword) == false) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT password' })); ws.close(); return; } // Invalid Intel AMT password, this should never happen.
// Log the activation request, logging is a required step for activation.
if (parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: 'ccmactivate', domain: domain.id, amtUuid: cmd.uuid, amtRealm: cmd.realm, user: 'admin', password: amtpassword, ipport: ws.remoteaddrport, meshid: ws.meshid, tag: cmd.tag, name: cmd.name }) == false) return { errorText: 'Unable to log operation' };
// Save some state, if activation is succesful, we need this to add the device
ws.xxstate = { uuid: cmd.uuid, realm: cmd.realm, tag: cmd.tag, name: cmd.name, pass: amtpassword, flags: 2, ver: cmd.ver }; // Flags 2 = CCM
// Compute the HTTP digest hash and send the response
ws.send(JSON.stringify({ action: 'ccmactivate', password: obj.crypto.createHash('md5').update('admin:' + cmd.realm + ':' + amtpassword).digest('hex') }));
break;
}
case 'acmactivate': {
// Check the command
if (cmd.version != 1) { ws.send(JSON.stringify({ errorText: 'Unsupported version' })); ws.close(); return; }
if (typeof cmd.hashes != 'object') { ws.send(JSON.stringify({ errorText: 'Invalid hashes' })); ws.close(); return; }
if (typeof cmd.fqdn != 'string') { ws.send(JSON.stringify({ errorText: 'Invalid FQDN' })); ws.close(); return; }
if ((obj.common.validateString(cmd.ver, 5, 16) == false) || (cmd.ver.split('.').length != 3)) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT version' })); ws.close(); return; }
if (obj.common.validateArray(cmd.modes, 1, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid activation modes' })); ws.close(); return; }
// Get the current Intel AMT policy
var mesh = obj.meshes[ws.meshid];
if ((mesh == null) || (mesh.amt == null) || (mesh.amt.type != 3) || (domain.amtacmactivation == null) || (domain.amtacmactivation.acmmatch == null) || (mesh.amt.password == null)) { ws.send(JSON.stringify({ errorText: 'Unable to activate' })); ws.close(); return; }
var mesh = obj.meshes[ws.meshid], activationMode = 4; // activationMode: 2 = CCM, 4 = ACM
if ((mesh == null) || (mesh.amt == null) || (mesh.amt.password == null) || ((mesh.amt.type != 2) && (mesh.amt.type != 3))) { ws.send(JSON.stringify({ errorText: 'Unable to activate' })); ws.close(); return; }
if ((mesh.amt.type != 3) || (domain.amtacmactivation == null) || (domain.amtacmactivation.acmmatch == null)) { activationMode = 2; }
// Check if we have a FQDN/Hash match
var matchingHash = null, matchingCN = null;
for (var i in domain.amtacmactivation.acmmatch) {
// Check for a matching FQDN
if ((domain.amtacmactivation.acmmatch[i].cn == '*') || (domain.amtacmactivation.acmmatch[i].cn.toLowerCase() == cmd.fqdn)) {
// Check for a matching certificate
if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha256) >= 0) {
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
matchingHash = domain.amtacmactivation.acmmatch[i].sha256;
continue;
} else if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha1) >= 0) {
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
matchingHash = domain.amtacmactivation.acmmatch[i].sha1;
continue;
if (activationMode == 4) {
// Check if we have a FQDN/Hash match
var matchingHash = null, matchingCN = null;
for (var i in domain.amtacmactivation.acmmatch) {
// Check for a matching FQDN
if ((domain.amtacmactivation.acmmatch[i].cn == '*') || (domain.amtacmactivation.acmmatch[i].cn.toLowerCase() == cmd.fqdn)) {
// Check for a matching certificate
if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha256) >= 0) {
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
matchingHash = domain.amtacmactivation.acmmatch[i].sha256;
continue;
} else if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha1) >= 0) {
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
matchingHash = domain.amtacmactivation.acmmatch[i].sha1;
continue;
}
}
}
// If no cert match or wildcard match which is not yet supported, do CCM activation.
if ((matchingHash == null) || (matchingCN == '*')) { activationMode = 2; } else { cmd.hash = matchingHash; }
}
if (matchingHash == null) { ws.send(JSON.stringify({ errorText: 'No matching activation certificates' })); ws.close(); return; }
if (matchingCN == '*') { ws.send(JSON.stringify({ errorText: 'Wildcard certificate activation not yet supported' })); ws.close(); return; }
cmd.hash = matchingHash;
// Check if we are going to activate in an allowed mode. cmd.modes: 1 = CCM, 2 = ACM
if ((activationMode == 4) && (cmd.modes.indexOf(2) == -1)) { activationMode = 2; } // We want to do ACM, but mode is not allowed. Change to CCM.
// If we want to do CCM, but mode is not allowed. Error out.
if ((activationMode == 2) && (cmd.modes.indexOf(1) == -1)) { ws.send(JSON.stringify({ errorText: 'Unsupported activation mode' })); ws.close(); return; }
// Get the Intel AMT admin password, randomize if needed.
var amtpassword = ((mesh.amt.password == '') ? getRandomAmtPassword() : mesh.amt.password);
if (checkAmtPassword(amtpassword) == false) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT password' })); ws.close(); return; } // Invalid Intel AMT password, this should never happen.
// Save some state, if activation is succesful, we need this to add the device
ws.xxstate = { uuid: cmd.uuid, realm: cmd.realm, tag: cmd.tag, name: cmd.name, pass: amtpassword, flags: 4, ver: cmd.ver }; // Flags 4 = ACM
ws.xxstate = { uuid: cmd.uuid, realm: cmd.realm, tag: cmd.tag, name: cmd.name, pass: amtpassword, flags: activationMode, ver: cmd.ver }; // Flags: 2 = CCM, 4 = ACM
// Agent is asking the server to sign an Intel AMT ACM activation request
var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
ws.send(JSON.stringify(signResponse));
if (activationMode == 4) {
// ACM: Agent is asking the server to sign an Intel AMT ACM activation request
var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
ws.send(JSON.stringify(signResponse));
} else {
// CCM: Log the activation request, logging is a required step for activation.
if (parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: 'ccmactivate', domain: domain.id, amtUuid: cmd.uuid, amtRealm: cmd.realm, user: 'admin', password: amtpassword, ipport: ws.remoteaddrport, meshid: ws.meshid, tag: cmd.tag, name: cmd.name }) == false) return { errorText: 'Unable to log operation' };
// Compute the HTTP digest hash and send the response for CCM activation
ws.send(JSON.stringify({ action: 'ccmactivate', password: obj.crypto.createHash('md5').update('admin:' + cmd.realm + ':' + amtpassword).digest('hex') }));
}
break;
}
case 'ccmactivate-failed':
@ -2929,6 +2930,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.app.ws(url + 'control.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, function (ws1, req1, domain, user, cookie) { obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user); }); });
obj.app.get(url + 'logo.png', handleLogoRequest);
obj.app.get(url + 'welcome.jpg', handleWelcomeImageRequest);
obj.app.ws(url + 'amtactivate', handleAmtActivateWebSocket);
// Server redirects
if (parent.config.domains[i].redirects) { for (var j in parent.config.domains[i].redirects) { if (j[0] != '_') { obj.app.get(url + j, handleDomainRedirect); } } }
@ -2967,11 +2969,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
});
}
// Intel AMT ACM activation
if ((parent.config.domains[i].amtacmactivation != null) && (parent.config.domains[i].amtacmactivation.acmmatch != null)) {
obj.app.ws(url + 'amtactivate', handleAmtActivateWebSocket);
}
// Creates a login token using the user/pass that is passed in as URL arguments.
// For example: https://localhost/createLoginToken.ashx?user=admin&pass=admin&a=3
// It's not advised to use this to create login tokens since the URL is often logged and you got credentials in the URL.