StartConfigurationHBased support. #355

Open
jclab-joseph opened this issue Feb 5, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@jclab-joseph

jclab-joseph commented Feb 5, 2024

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/HTMLDocuments/WS-Management_Class_Reference/IPS_HostBasedSetupService.htm#AdminSetup

Look at the link above; AdminSetup has been deprecated.

Starting from Intel CSME 19.0, this method of setting up ACM provisioning will be removed. Intel recommends using the Secure Host-Based (Local-PKI) provisioning method for customers who require ACM provisioning.

Starting from CSME 19.0, AdminSetup is not possible and StartConfigurationHBased must be used, but rpc also needs support for this.


If possible, please answer the questions below also.
https://community.intel.com/t5/Intel-vPro-Platform/What-is-AMTCertHash-in-StartConfigurationHBased/td-p/1568585

There is a problem with the hash output from StartConfigurationHBased not matching. (To be exact, the leaf certificate changes every tls connection. AMT Version is 15.0.45)

@bwendlandt-intel
Contributor

Hi! The team is aware of the deprecation for the AdminSetup path. This item is in our backlog to tackle as the Lunar Lake generation (CSME 19.0) gets a bit closer. We'll look to implement this flow in rpc-go for both remote and local activation paths.

@jclab-joseph
Author

jclab-joseph commented Feb 13, 2024

Thank you for checking.
And the question is, what command should I use for setup within mTLS instead of AdminSetup?

I am attaching an issue that may be helpful.
The sample code I wrote has hei implementations for Unconfiguration and StartConfigurationHBased .

AMTCertHash is incorrect and the certificate changes with each TLS request.

TLS Alert (Certificate Unknown) occurs during the Secure Host Based Configuration process.

@matt-primrose
Member

matt-primrose commented Feb 15, 2024

Hi @jclab-joseph,
I'm also currently working through enabling this feature for RPC-Go in preparation for AMT 19 release. Our current plan is to enable using this flow on existing AMT devices that support it (AMT 15 or newer). Since I'm still in the middle of development, I don't have a full working flow yet to show you with example code. However, I'm using these same links and can give you a high-level overview.

Secure Host Based Configuration over the local host works similarly to how remote configuration works when configuring AMT over a local network (not through the OS). An overview is provided here: https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fremoteconfigurationwithalocalagent.htm

and here:
https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fremotesetupandconfigurationflow.htm

For our purposes, anything that says "Legacy" or "Legacy out of band only" can be ignored as this is referencing the remote configuration flows that I mentioned above.

When you send the CFG_StartConfigurationHBased() call, this moves AMT into an "In-Provisioning" state. In this state, you set up AMT using the WSMAN class calls over the 16993 port once TLS negotiation has completed. Some examples of calls that you'd likely want to make would be:

  • AMT_AuthorizationService.SetAdminAclEntryEx to set a new Admin digest password. Also, you can set up other digest or Kerberos accounts here using the other available methods.
  • AMT_GeneralSettings Get and Put to change the AMTNetworkEnabled value to turn on AMT on the local network

Essentially you set up the entire AMT configuration while in this mode, based on what you need. AMT will stay in this mode for 80 minutes (by default) and this can be extended using the AMT_SetupAndConfigurationService.ExtendProvisioningPeriod call.

Finally, you call AMT_SetupAndConfigurationService.SetMEBxPassword to set a new MEBx password and then AMT_SetupAndConfigurationService.CommitChanges() to finalize the configuration. If everything works, AMT will move to Post-Provisioning and be activated.

I sent a note to our Firmware team who owns the AMT Implementation and Reference Guide online documentation to see if they have a call flow example for activating into CCM and ACM. I couldn't find it when looking through this documentation.
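The flow above relies on the client trusting AMT's self-signed In-Provisioning certificate only through the AMTCertHash returned by StartConfigurationHBased, which is exactly where the reporter sees the mismatch. The following is an added illustration, not rpc-go code, of how a local provisioning client can pin the leaf presented on port 16993 to that hash and fail closed when it does not match; it assumes AMTCertHash is a SHA-256 fingerprint of the DER certificate (the hash type is an assumption) and uses only the Go standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// CertHashHex returns the SHA-256 fingerprint of a DER-encoded certificate.
// The assumption here is that AMTCertHash from StartConfigurationHBased is
// this kind of fingerprint over the leaf AMT presents on port 16993.
func CertHashHex(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyPinnedLeaf returns a VerifyPeerCertificate callback that accepts only
// a leaf whose fingerprint equals expectedHex. If AMT regenerates its leaf per
// connection (as reported above), the handshake aborts with a clear error
// instead of silently trusting an unknown certificate.
func VerifyPinnedLeaf(expectedHex string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("AMT presented no certificate")
		}
		if got := CertHashHex(rawCerts[0]); got != expectedHex {
			return fmt.Errorf("AMT cert hash mismatch: want %s, got %s", expectedHex, got)
		}
		return nil
	}
}

// PinnedTLSConfig disables chain validation (the In-Provisioning certificate
// is self-signed, so no CA could validate it) and relies on the pin instead.
// Without VerifyPeerCertificate, InsecureSkipVerify alone would trust anything.
func PinnedTLSConfig(expectedHex string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: VerifyPinnedLeaf(expectedHex),
	}
}
```

A client would dial 127.0.0.1:16993 with PinnedTLSConfig(hashFromStartConfigurationHBased) before issuing the WSMAN calls; a "hash mismatch" error at that point is the same condition the reporter describes, surfaced before any credentials are sent.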

@jclab-joseph
Author

jclab-joseph commented Feb 19, 2024

@matt-primrose
Thank you so much!
I now know that CommitChanges completes the actual provisioning.
