More work on Intel AMT provisioning server.

This commit is contained in:
Ylian Saint-Hilaire 2021-03-13 00:53:27 -08:00
parent f0c319e070
commit fb8ea438b2
5 changed files with 117 additions and 46 deletions


@ -40,7 +40,7 @@ var CreateAmtSetupBinStack = function () {
// - Setup.bin should always start with "CurrentMEBx Pwd", "newMebx Pwd", "manageability selection" (if present). // - Setup.bin should always start with "CurrentMEBx Pwd", "newMebx Pwd", "manageability selection" (if present).
// Intel(R) AMT variable identifiers // Intel(R) AMT variable identifiers
// Type: 0 = Binar Stringy, 1 = Char, 2 = Short, 3 = Int // Type: 0 = Binar String, 1 = Char, 2 = Short, 3 = Int
var AmtSetupBinVarIds = var AmtSetupBinVarIds =
{ {
1: { 1: {
@ -94,7 +94,7 @@ var CreateAmtSetupBinStack = function () {
{ 0: "Disabled", 1: "KVM", 255: "All" }], { 0: "Disabled", 1: "KVM", 255: "All" }],
27: [1, "Opt-in Remote IT Consent Policy", // 0 = Disabled, 1 = Enabled. Allows user consent to be configured remotely. 27: [1, "Opt-in Remote IT Consent Policy", // 0 = Disabled, 1 = Enabled. Allows user consent to be configured remotely.
{ 0: "Disabled", 1: "Enabled" }], { 0: "Disabled", 1: "Enabled" }],
28: [1, "ME Provision Halt Active", // 0 = Stop, 1 = Start. The "ME provisioning Halt/Activate" command must appear in the file only after "PKIDNSSuffix", "ConfigServerFQDN" and "Provisioning Server Address" 28: [1, "ME Provision Halt/Active", // 0 = Stop, 1 = Start. The "ME provisioning Halt/Activate" command must appear in the file only after "PKIDNSSuffix", "ConfigServerFQDN" and "Provisioning Server Address"
{ 0: "Stop", 1: "Start" }], { 0: "Stop", 1: "Start" }],
29: [1, "Manual Setup and Configuration", // 0 = Automated, 1 = Manual 29: [1, "Manual Setup and Configuration", // 0 = Automated, 1 = Manual
{ 0: "Automated", 1: "Manual" }], { 0: "Automated", 1: "Manual" }],
@ -134,11 +134,11 @@ var CreateAmtSetupBinStack = function () {
// RecordNumber(4) - uniquely identifies the record among all records in the file. The field contains a non-negative ordinal value. The value of this field is always zero in the Local Provisioning File Header Record. // RecordNumber(4) - uniquely identifies the record among all records in the file. The field contains a non-negative ordinal value. The value of this field is always zero in the Local Provisioning File Header Record.
// MajorVersion(1) - identifies the major version of the file format specification. This is a positive integer that is greater than or equal to 1. The Major Version number is incremented to indicate that changes have been introduced that will cause code written against a lower Major Version number to fail. // MajorVersion(1) - identifies the major version of the file format specification. This is a positive integer that is greater than or equal to 1. The Major Version number is incremented to indicate that changes have been introduced that will cause code written against a lower Major Version number to fail.
// MinorVersion(1) - identifies the minor version of the file format specification. This is an integer that is greater than or equal to 0. The Minor Version number is incremented to indicate that changes have been introduced that will not cause code written against the same Major Version and a lower Minor Version number to fail. The purpose of this behavior is to allow a single local provisioning file to be used for multiple generations of Intel® AMT platform. // MinorVersion(1) - identifies the minor version of the file format specification. This is an integer that is greater than or equal to 0. The Minor Version number is incremented to indicate that changes have been introduced that will not cause code written against the same Major Version and a lower Minor Version number to fail. The purpose of this behavior is to allow a single local provisioning file to be used for multiple generations of Intel® AMT platform.
// Flags (2) - File Flags, 1 = Do not consume records // Flags (2) - file Flags, 1 = Do not consume records
// DataRecordCount(4) - indicates the total number of data records written in the file when it was created. // DataRecordCount(4) - indicates the total number of data records written in the file when it was created.
// DataRecordsConsumed(4) - is a counter value that begins at 0 and is incremented by 1 by each platform BIOS when it consumes a data record from the file. This value is used to determine the offset of the next data record in the file. // DataRecordsConsumed(4) - is a counter value that begins at 0 and is incremented by 1 by each platform BIOS when it consumes a data record from the file. This value is used to determine the offset of the next data record in the file.
// DataRecordChunkCount(2) - contains the number of 512-byte chunks in each data record. All data records are the same length. // DataRecordChunkCount(2) - contains the number of 512-byte chunks in each data record. All data records are the same length.
// Reserved (2) - Reserved // Reserved (2) - reserved
// ModuleList - contains a list of module identifiers. A modules identifier appears in the list if and only if the data records contain entries for that module. Each module identifier is two bytes in length. The list is terminated by an identifier value of 0. // ModuleList - contains a list of module identifiers. A modules identifier appears in the list if and only if the data records contain entries for that module. Each module identifier is two bytes in length. The list is terminated by an identifier value of 0.
var obj = {}, UUID = file.substring(0, 16); var obj = {}, UUID = file.substring(0, 16);


@ -38,6 +38,7 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
socket.on('error', function (err) { }) socket.on('error', function (err) { })
socket.on('close', function () { if (this.data != null) { processHelloData(this.data, this.ra); } delete this.ra; this.removeAllListeners(); }) socket.on('close', function () { if (this.data != null) { processHelloData(this.data, this.ra); } delete this.ra; this.removeAllListeners(); })
socket.on('data', function (data) { socket.on('data', function (data) {
console.log('HELLO:', data.toString('HEX'));
if (this.data == null) { this.data = data; } else { Buffer.concat([this.data, data]); } if (this.data == null) { this.data = data; } else { Buffer.concat([this.data, data]); }
var str = this.data.toString(); var str = this.data.toString();
if (str.startsWith('GET ') && (str.indexOf('\r\n\r\n') >= 0)) { if (str.startsWith('GET ') && (str.indexOf('\r\n\r\n') >= 0)) {
@ -59,7 +60,8 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
// Example hello data for testing // Example hello data for testing
//setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 500); //setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 500);
//setTimeout(function () { processHelloData(Buffer.from('01000300000000004b529b93d413181de4871c697a6b7a2b180220c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4022045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda0220d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef402201465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65802202ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f502209acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df022016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0220960adf0063e96356750c2965dd0a0867da0b9cbd6e77714aeafb2349ab393da3022068ad50909b04363c605ef13581a939ff2c96372e3f12325b0a6861e1d59f660302206dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb177022073c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c022043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f33902202399561127a57125de8cefea610ddf2fa078b5c8067f4e828290bfb860e84b3c022070a73f7f376b60074248904534b11482d5bf0e698ecc498df52577ebf2e93b9a02204348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c701610220cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f022031ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d00220552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988022067540a47aa5b9f34570a99723cfefa96a96ee3f0d9b8bf4def9440b8065d665d0220a267c480b0b29056eb5e8aa7c93add804f5a7df516e969e77bcacafe8d45607902207224395222cd588c4f2683716922addb41e39b581ac34fa87b39efa896fbb39e0220cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0220179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c892402202cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69', 'hex'), '192.168.2.148'); }, 500); //setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 5000);
//setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.134'); }, 5000);
// Parse Intel AMT hello data // Parse Intel AMT hello data
function parseHelloData(data, addr) { function parseHelloData(data, addr) {
@ -71,8 +73,8 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
const firstBytes = data.readInt16LE(0); const firstBytes = data.readInt16LE(0);
if (firstBytes > 1) return; // Invalid data if (firstBytes > 1) return; // Invalid data
amtHello.adminCredentialsSet = (firstBytes != 0); amtHello.adminCredentialsSet = (firstBytes != 0);
amtHello.version = data.readInt16LE(2); amtHello.helloversion = data.readInt16LE(2);
if (amtHello.version != 3) return null; // One touch PID not supported, only version 3 supported. if (amtHello.helloversion != 3) return null; // One touch PID not supported, only version 3 supported.
amtHello.retryCount = data.readInt32LE(4); amtHello.retryCount = data.readInt32LE(4);
amtHello.guidhex = data.slice(8, 24).toString('hex'); amtHello.guidhex = data.slice(8, 24).toString('hex');
amtHello.guid = guidToStr(amtHello.guidhex); amtHello.guid = guidToStr(amtHello.guidhex);
@ -110,9 +112,10 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if (dev == null) { parent.debug('amtsca', addr, 'Got invalid hello from: ' + addr); return; } // Invalid Intel AMT hello if (dev == null) { parent.debug('amtsca', addr, 'Got invalid hello from: ' + addr); return; } // Invalid Intel AMT hello
parent.debug('amtsca', 'Got hello from ' + addr); parent.debug('amtsca', 'Got hello from ' + addr);
obj.devices[addr] = dev; obj.devices[addr] = dev;
dev.aquired = {};
// Set device messages // Set device messages
dev.consoleMsg = function deviceConsoleMsg(msg) { parent.debug('amtsca', deviceConsoleMsg.dev.hostname ? deviceConsoleMsg.dev.hostname : deviceConsoleMsg.dev.addr, msg); return; } dev.consoleMsg = function deviceConsoleMsg(msg) { parent.debug('amtsca', deviceConsoleMsg.dev.aquired.host ? deviceConsoleMsg.dev.aquired.host : deviceConsoleMsg.dev.addr, msg); return; }
dev.consoleMsg.dev = dev; dev.consoleMsg.dev = dev;
// Get assumed trusted FQDN and device group // Get assumed trusted FQDN and device group
@ -121,18 +124,19 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if ((mesh == null) || (mesh.mtype !== 1) || (typeof mesh.amt !== 'object') || (typeof mesh.amt.type !== 'number')) { dev.consoleMsg('Invalid device group for Intel AMT activation.'); return; } if ((mesh == null) || (mesh.mtype !== 1) || (typeof mesh.amt !== 'object') || (typeof mesh.amt.type !== 'number')) { dev.consoleMsg('Invalid device group for Intel AMT activation.'); return; }
if ((mesh.amt.type != 3) && (mesh.amt.type != 4)) { dev.consoleMsg('Device group does not have ACM activation policy.'); return; } if ((mesh.amt.type != 3) && (mesh.amt.type != 4)) { dev.consoleMsg('Device group does not have ACM activation policy.'); return; }
dev.mesh = mesh; dev.mesh = mesh;
dev.meshid = mesh._id;
dev.domainid = mesh.domain; dev.domainid = mesh.domain;
// Compute the nodeid for this device using the device GUID // Compute the nodeid for this device using the device GUID
const g = dev.guid.split('-').join(''); const g = dev.guid.split('-').join('');
const id = Buffer.from(g + g + g, 'hex').toString('base64'); const id = Buffer.from(g + g + g, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
dev.nodeid = 'node/' + mesh.domain + '/' + id; dev.nodeid = 'node/' + mesh.domain + '/' + id;
// Attempts reverse DNS loopup on the device IP address // Attempts reverse DNS loopup on the device IP address
const func = function dnsReverseLoopup(err, hostnames) { const func = function dnsReverseLoopup(err, hostnames) {
var hostname = dnsReverseLoopup.addr; var hostname = dnsReverseLoopup.addr;
if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; } if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
dnsReverseLoopup.dev.hostname = hostname; dnsReverseLoopup.dev.aquired.host = hostname;
processHelloDataEx1(dnsReverseLoopup.dev); processHelloDataEx1(dnsReverseLoopup.dev);
} }
func.addr = addr; func.addr = addr;
@ -173,7 +177,7 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
// Setup a connection to the Intel AMT device // Setup a connection to the Intel AMT device
dev.consoleMsg('Launching TLS connection...'); dev.consoleMsg('Launching TLS connection...');
var comm = CreateWsmanComm(dev.hostname, 16993, 'admin', '', 1, { cert: dev.certchain.certs.reverse().join(''), key: dev.certchain.signkey }); // Perform TLS connection var comm = CreateWsmanComm(dev.aquired.host, 16993, 'admin', '', 1, { cert: dev.certchain.certs.reverse().join(''), key: dev.certchain.signkey }); // Perform TLS connection
comm.xtlsFingerprint = 0; // No Intel AMT certificate checking. comm.xtlsFingerprint = 0; // No Intel AMT certificate checking.
var wsstack = WsmanStackCreateService(comm); var wsstack = WsmanStackCreateService(comm);
dev.amtstack = AmtStackCreateService(wsstack); dev.amtstack = AmtStackCreateService(wsstack);
@ -196,9 +200,9 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if (amtlogicalelements.length > 0) { if (amtlogicalelements.length > 0) {
var vs = getInstance(amtlogicalelements, 'AMT')['VersionString']; var vs = getInstance(amtlogicalelements, 'AMT')['VersionString'];
if (vs != null) { if (vs != null) {
dev.amtversionstr = vs; dev.aquired.version = vs;
dev.amtversion = parseInt(dev.amtversionstr.split('.')[0]); dev.aquired.versionmajor = parseInt(dev.aquired.version.split('.')[0]);
dev.amtversionmin = parseInt(dev.amtversionstr.split('.')[1]); dev.aquired.versionminor = parseInt(dev.aquired.version.split('.')[1]);
} }
} }
} }
@ -207,24 +211,24 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if ((dev.amtversionstr == null) && (stack.wsman.comm.amtVersion != null)) { if ((dev.amtversionstr == null) && (stack.wsman.comm.amtVersion != null)) {
var s = stack.wsman.comm.amtVersion.split('.'); var s = stack.wsman.comm.amtVersion.split('.');
if (s.length >= 3) { if (s.length >= 3) {
dev.amtversionstr = s[0] + '.' + s[1] + '.' + s[2]; dev.aquired.version = s[0] + '.' + s[1] + '.' + s[2];
dev.amtversion = parseInt(s[0]); dev.aquired.versionmajor = parseInt(s[0]);
dev.amtversionmin = parseInt(s[1]); dev.aquired.versionminor = parseInt(s[1]);
} }
} }
// If we can't get the Intel AMT version, stop here. // If we can't get the Intel AMT version, stop here.
if (dev.amtversionstr == null) { parent.debug('amtsca', dev.hostname, 'Could not get Intel AMT version.'); destroyDevice(dev); return; } // Could not get Intel AMT version, disconnect(); if (dev.aquired.version == null) { dev.consoleMsg('Could not get Intel AMT version.'); destroyDevice(dev); return; } // Could not get Intel AMT version, disconnect();
// Get the digest realm // Get the digest realm
if (responses['AMT_GeneralSettings'] && responses['AMT_GeneralSettings'].response && (typeof responses['AMT_GeneralSettings'].response['DigestRealm'] == 'string')) { if (responses['AMT_GeneralSettings'] && responses['AMT_GeneralSettings'].response && (typeof responses['AMT_GeneralSettings'].response['DigestRealm'] == 'string')) {
dev.realm = responses['AMT_GeneralSettings'].response['DigestRealm']; dev.aquired.realm = responses['AMT_GeneralSettings'].response['DigestRealm'];
} else { } else {
dev.consoleMsg('Could not get Intel AMT digest realm.'); destroyDevice(dev); return; dev.consoleMsg('Could not get Intel AMT digest realm.'); destroyDevice(dev); return;
} }
// Looks like we are doing well. // Looks like we are doing well.
parent.debug('amtsca', dev.hostname, 'Succesful TLS connection, Intel AMT v' + dev.amtversionstr); dev.consoleMsg('Succesful TLS connection, Intel AMT v' + dev.aquired.version);
// Set the new MEBx password // Set the new MEBx password
dev.consoleMsg('Setting MEBx password...'); dev.consoleMsg('Setting MEBx password...');
@ -236,29 +240,28 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
const dev = stack.dev; const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg('Failed to set MEBx password, status=' + status + '.'); destroyDevice(dev); return; } if (status != 200) { dev.consoleMsg('Failed to set MEBx password, status=' + status + '.'); destroyDevice(dev); return; }
parent.debug('amtsca', dev.hostname, 'MEBx password set. Setting admin password...'); dev.consoleMsg('MEBx password set. Setting admin password...');
// See what admin password to use // See what admin password to use
dev.pass = dev.mesh.amt.password; dev.aquired.user = 'admin';
if (dev.pass == null) { dev.pass = getRandomAmtPassword(); } dev.aquired.pass = dev.mesh.amt.password;
if (dev.aquired.pass == null) { dev.aquired.pass = getRandomAmtPassword(); }
// Set the admin password // Set the admin password
dev.amtstack.AMT_AuthorizationService_SetAdminAclEntryEx('admin', hex_md5('admin:' + dev.realm + ':' + dev.pass), processHelloDataEx4); dev.amtstack.AMT_AuthorizationService_SetAdminAclEntryEx(dev.aquired.user, hex_md5(dev.aquired.user + ':' + dev.aquired.realm + ':' + dev.aquired.pass), processHelloDataEx4);
} }
// Response from setting admin password // Response from setting admin password
function processHelloDataEx4(stack, name, responses, status) { function processHelloDataEx4(stack, name, responses, status) {
const dev = stack.dev; const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { parent.debug('amtsca', dev.hostname, 'Failed to set admin password, status=' + status + '.'); destroyDevice(dev); return; } if (status != 200) { dev.consoleMsg('Failed to set admin password, status=' + status + '.'); destroyDevice(dev); return; }
parent.debug('amtsca', dev.hostname, 'Admin password set.'); dev.consoleMsg('Admin password set.');
// Setup TLS and commit. // Setup TLS and commit.
dev.intelamt = {};
dev.aquired = {};
attemptTlsSync(dev, function (dev) { attemptTlsSync(dev, function (dev) {
destroyDevice(dev)
dev.consoleMsg('Intel AMT ACM activation completed.'); dev.consoleMsg('Intel AMT ACM activation completed.');
destroyDevice(dev)
}); });
} }
@ -407,8 +410,6 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
*/ */
// TLS already enabled, update device in the database // TLS already enabled, update device in the database
dev.consoleMsg("Intel AMT has TLS already enabled."); dev.consoleMsg("Intel AMT has TLS already enabled.");
dev.intelamt.tls = dev.aquired.tls = 1;
UpdateDevice(dev);
// Perform commit // Perform commit
dev.taskCount = 1; dev.taskCount = 1;
@ -438,10 +439,11 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
dev.consoleMsg("Commited, holding 5 seconds..."); dev.consoleMsg("Commited, holding 5 seconds...");
// Update device in the database // Update device in the database
dev.intelamt.tls = dev.aquired.tls = 1; dev.aquired.tls = 1;
dev.intelamt.hash = dev.aquired.hash = dev.aquired.xhash; dev.aquired.hash = dev.aquired.xhash;
dev.aquired.state = 2; // Activated in ACM
delete dev.aquired.xhash; delete dev.aquired.xhash;
UpdateDevice(dev); if (UpdateDevice(dev) == false) return;
// Switch our communications to TLS (Restart our management of this node) // Switch our communications to TLS (Restart our management of this node)
dev.switchToTls = 1; dev.switchToTls = 1;
@ -454,20 +456,89 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
}); });
} }
// Update the device in the database
function UpdateDevice(dev) {
console.log('UpdateDevice', dev.intelamt);
}
// Do aggressive cleanup on the device // Do aggressive cleanup on the device
function destroyDevice(dev) { function destroyDevice(dev) {
delete obj.devices[dev.addr]; delete obj.devices[dev.addr];
if (dev.amtstack != null) { delete dev.amtstack.dev; delete dev.amtstack; } if (dev.amtstack != null) { delete dev.amtstack.dev; delete dev.amtstack; }
delete dev.guid;
delete dev.mesh;
delete dev.realm;
delete dev.meshid;
delete dev.aquired;
delete dev.guidhex;
delete dev.domainid;
delete dev.certchain; delete dev.certchain;
delete dev.amtversionstr; delete dev.retryCount;
delete dev.amtversion; delete dev.amtversion;
delete dev.amtversionmin; delete dev.amtversionmin;
delete dev.realm; delete dev.amtversionstr;
}
// Update the device in the database and event any changes
function UpdateDevice(dev) {
// Check that the mesh exists
const mesh = parent.webserver.meshes[dev.meshid];
if (mesh == null) { destroyDevice(dev); return false; }
// Get the node and change it if needed
parent.db.Get(dev.nodeid, function (err, nodes) {
if ((nodes == null) || (nodes.length == 0)) {
// Add a new device
var devicename = dev.guid;
if (dev.addr != dev.aquired.host) { devicename = dev.aquired.host.split('.')[0]; }
var device = { type: 'node', _id: dev.nodeid, meshid: dev.meshid, name: devicename, host: dev.aquired.host, domain: dev.domainid, intelamt: { ver: dev.aquired.version, user: dev.aquired.user, pass: dev.aquired.pass, tls: dev.aquired.tls, state: 2, realm: dev.aquired.realm } };
if (dev.aquired.hash != null) { device.intelamt.hash = dev.aquired.hash; }
parent.db.Set(device);
// Event the new node
parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(dev.meshid, [dev.nodeid]), obj, { etype: 'node', action: 'addnode', node: parent.CloneSafeNode(device), msgid: 84, msgArgs: [devicename, mesh.name], msg: 'Added device ' + devicename + ' to device group ' + mesh.name, domain: domain.id });
} else {
// Update an existing device
const device = nodes[0];
var changes = [], change = 0, log = 0;
var domain = parent.config.domains[device.domain];
if (domain == null) return false;
// Check if anything changes
if (device.intelamt == null) { device.intelamt = {}; }
if ((typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
if ((typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
if ((typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
if ((typeof dev.aquired.mpspass == 'string') && (dev.aquired.mpspass != device.intelamt.mpspass)) { change = 1; log = 1; device.intelamt.mpspass = dev.aquired.mpspass; changes.push('AMT MPS pass'); }
if ((typeof dev.aquired.host == 'string') && (dev.aquired.host != device.intelamt.host)) { change = 1; log = 1; device.intelamt.host = dev.aquired.host; changes.push('AMT host'); }
if ((typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
if ((typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
if ((typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
if ((typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
// Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch, 8 = Trying credentials
if ((typeof dev.aquired.warn == 'number')) { if ((dev.aquired.warn == 0) && (device.intelamt.warn != null)) { delete device.intelamt.warn; change = 1; } else if (dev.aquired.warn != device.intelamt.warn) { device.intelamt.warn = dev.aquired.warn; change = 1; } }
// Update Intel AMT flags if needed
// dev.aquired.controlMode // 1 = CCM, 2 = ACM
// (node.intelamt.flags & 2) == CCM, (node.intelamt.flags & 4) == ACM
var flags = 0;
if (typeof device.intelamt.flags == 'number') { flags = device.intelamt.flags; }
if (dev.aquired.controlMode == 1) { if ((flags & 4) != 0) { flags -= 4; } if ((flags & 2) == 0) { flags += 2; } } // CCM
if (dev.aquired.controlMode == 2) { if ((flags & 4) == 0) { flags += 4; } if ((flags & 2) != 0) { flags -= 2; } } // ACM
if (device.intelamt.flags != flags) { change = 1; log = 1; device.intelamt.flags = flags; changes.push('AMT flags'); }
// If there are changes, event the new device
if (change == 1) {
// Save to the database
parent.db.Set(device);
// Event the node change
var event = { etype: 'node', action: 'changenode', nodeid: device._id, domain: domain.id, node: parent.webserver.CloneSafeNode(device) };
if (changes.length > 0) { event.msg = 'Changed device ' + device.name + ' from group ' + mesh.name + ': ' + changes.join(', '); }
if ((log == 0) || ((obj.agentInfo) && (obj.agentInfo.capabilities) && (obj.agentInfo.capabilities & 0x20)) || (changes.length == 0)) { event.nolog = 1; } // If this is a temporary device, don't log changes
if (parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(device.meshid, [device._id]), obj, event);
}
}
});
return true;
} }
// //
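Review bot: In the add-new-device branch of UpdateDevice (the `parent.DispatchEvent` call right after `parent.db.Set(device)`), `domain` is read as `domain.id` but it is only assigned in the else branch below, so the first hello from a device not yet in the database will throw a TypeError while building the event (the `var` is hoisted but still undefined at that point). Resolving the domain once before the `parent.db.Get` call fixes that and also makes the null check meaningful, because the `return false` inside the async callback never reaches UpdateDevice's caller, which has already been handed `true`: `const domain = parent.config.domains[dev.domainid]; if (domain == null) { destroyDevice(dev); return false; }`, then drop the per-branch lookup. The same add branch calls `parent.CloneSafeNode(device)` while the update branch uses `parent.webserver.CloneSafeNode(device)`; only one of these can be the real helper, so align them. Separately, the `console.log('HELLO:', data.toString('HEX'))` added to the socket data handler dumps every raw hello (device GUID and certificate hashes) to stdout and reads like a debugging leftover; route it through `parent.debug('amtsca', ...)` or remove it before this ships.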


@ -375,9 +375,9 @@ module.exports.CertificateOperations = function (parent) {
var port = 9971; var port = 9971;
if (typeof parent.config.settings.amtprovisioningserver.port == 'number') { port = parent.config.settings.amtprovisioningserver.port; } if (typeof parent.config.settings.amtprovisioningserver.port == 'number') { port = parent.config.settings.amtprovisioningserver.port; }
// Figure out the provisioning server IP address // Get the provisioning server IP address from the config file
var ipaddr = '192.168.2.147'; // TODO if (typeof parent.config.settings.amtprovisioningserver.ip != 'string') return null;
if (typeof parent.config.settings.amtprovisioningserver.ip == 'string') { ipaddr = parent.config.settings.amtprovisioningserver.ip; } var ipaddr = parent.config.settings.amtprovisioningserver.ip;
var ipaddrSplit = ipaddr.split('.'); var ipaddrSplit = ipaddr.split('.');
var ipaddrStr = String.fromCharCode(parseInt(ipaddrSplit[3])) + String.fromCharCode(parseInt(ipaddrSplit[2])) + String.fromCharCode(parseInt(ipaddrSplit[1])) + String.fromCharCode(parseInt(ipaddrSplit[0])); var ipaddrStr = String.fromCharCode(parseInt(ipaddrSplit[3])) + String.fromCharCode(parseInt(ipaddrSplit[2])) + String.fromCharCode(parseInt(ipaddrSplit[1])) + String.fromCharCode(parseInt(ipaddrSplit[0]));
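Review bot: The provisioning-server address read from `amtprovisioningserver.ip` is consumed by `ipaddr.split('.')` and `parseInt(ipaddrSplit[n])` with no check that it is a dotted-quad IPv4 literal, so a hostname, an IPv6 address or a simple typo produces NaN and `String.fromCharCode(NaN)` silently encodes `\u0000` octets into the setup record instead of failing loudly. Reject anything that is not four octets in 0–255 before building the string, e.g. `if ((ipaddrSplit.length != 4) || ipaddrSplit.some(function (o) { return !/^\d{1,3}$/.test(o) || (parseInt(o, 10) > 255); })) return null;`, and pass the radix to the remaining `parseInt` calls. The enclosing function starts and ends outside this hunk.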


@ -1650,7 +1650,7 @@ function CreateMeshCentralServer(config, args) {
}); });
// Setup Intel AMT hello server // Setup Intel AMT hello server
if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string')) { if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string') && (typeof config.settings.amtprovisioningserver.ip == 'string')) {
obj.amtProvisioningServer = require('./amtprovisioningserver').CreateAmtProvisioningServer(obj, config.settings.amtprovisioningserver); obj.amtProvisioningServer = require('./amtprovisioningserver').CreateAmtProvisioningServer(obj, config.settings.amtprovisioningserver);
} }


@ -4912,7 +4912,7 @@
for (var d in nodes) { nodes[d].v = (nodes[d].intelamt != null) && ((amtSearch == '') || (nodes[d].intelamt.state == amtSearch)); } for (var d in nodes) { nodes[d].v = (nodes[d].intelamt != null) && ((amtSearch == '') || (nodes[d].intelamt.state == amtSearch)); }
} else if (descSearch != null) { } else if (descSearch != null) {
// Device description search // Device description search
for (var d in nodes) { nodes[d].v = (nodes[d].desc != null) && (nodes[d].desc != '') && ((descSearch == '') || (nodes[d].desc.indexOf(descSearch) >= 0)); } for (var d in nodes) { nodes[d].v = (nodes[d].desc != null) && (nodes[d].desc != '') && ((descSearch == '') || (nodes[d].desc.toLowerCase().indexOf(descSearch) >= 0)); }
} else if (wscSearch != null) { } else if (wscSearch != null) {
// Windows Security Center // Windows Security Center
for (var d in nodes) { for (var d in nodes) {