AMT manager improvements.

Ylian Saint-Hilaire 2020-10-26 11:51:19 -07:00
parent 55686471c8
commit 02a5d421b2


@ -340,7 +340,7 @@ module.exports.CreateAmtManager = function (parent) {
}
// If there is no Intel AMT policy for this device, stop here.
if (amtPolicy == 0) { dev.consoleMsg("Done."); removeAmtDevice(dev); return; }
//if (amtPolicy == 0) { dev.consoleMsg("Done."); removeAmtDevice(dev); return; }
// Initiate the communication to Intel AMT
dev.consoleMsg("Checking Intel AMT state...");
@ -371,19 +371,22 @@ module.exports.CreateAmtManager = function (parent) {
if ((dev.mpsConnection.tag.meiState.ProvisioningState == 2) && ((dev.mpsConnection.tag.meiState.Flags & 2) != 0)) {
// Deactivate CCM.
deactivateIntelAmtCCM(dev);
} else {
// Already deactivated or in ACM
dev.consoleMsg("Done."); // TODO: We need to at least clear CIRA
removeAmtDevice(dev);
}
return;
} //else {
// Already deactivated or in ACM
//dev.consoleMsg("Done."); // TODO: We need to at least clear CIRA
//removeAmtDevice(dev);
//}
//return;
}
// No Intel AMT policy, stop here
/*
// No Intel AMT policy, since this is CIRA-LMS, stop here.
if (dev.policy.amtPolicy == 0) {
dev.consoleMsg("Done.");
removeAmtDevice(dev);
return;
}
*/
}
// See if we need to try different credentials
@ -762,6 +765,7 @@ module.exports.CreateAmtManager = function (parent) {
// Care should be take not to have many pending WSMAN called when performing clock sync.
function attemptSyncClock(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (dev.policy.amtPolicy == 0) { func(dev); return; } // If there is no Intel AMT policy, skip this operation.
dev.taskCount = 1;
dev.taskCompleted = func;
dev.amtstack.AMT_TimeSynchronizationService_GetLowAccuracyTimeSynch(attemptSyncClockEx);
@ -802,6 +806,7 @@ module.exports.CreateAmtManager = function (parent) {
// Check if Intel AMT TLS state is correct
function attemptTlsSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (dev.policy.amtPolicy == 0) { func(dev); return; } // If there is no Intel AMT policy, skip this operation.
dev.taskCount = 1;
dev.taskCompleted = func;
// TODO: We only deal with certificates starting with Intel AMT 6 and beyond
@ -973,6 +978,7 @@ module.exports.CreateAmtManager = function (parent) {
// We may want to work on an alternate version that does do priority if requested.
function attemptWifiSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (dev.policy.amtPolicy == 0) { func(dev); return; } // If there is no Intel AMT policy, skip this operation.
if (dev.connType != 2) { func(dev); return; } // Only configure wireless over a CIRA-LMS link
if (parent.config.domains[dev.domainid].amtmanager.wifiprofiles == null) { func(dev); return; } // No server WIFI profiles set, skip this.
if ((dev.mpsConnection.tag.meiState == null) || (dev.mpsConnection.tag.meiState.net1 == null)) { func(dev); return; } // No WIFI on this device, skip this.
@ -1080,6 +1086,7 @@ module.exports.CreateAmtManager = function (parent) {
// Check if Intel AMT has the server root certificate
function attemptRootCertSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (dev.policy.amtPolicy == 0) { func(dev); return; } // If there is no Intel AMT policy, skip this operation.
if ((dev.connType != 2) || (dev.policy.ciraPolicy != 2) || (parent.mpsserver.server == null)) { func(dev); return; } // Server root certificate does not need to be present is CIRA is not needed
// Find the current TLS certificate & MeshCentral root certificate
@ -1108,6 +1115,7 @@ module.exports.CreateAmtManager = function (parent) {
//
// Check if Intel AMT has the server root certificate
// If deactivation policy is in effect, remove CIRA configuration
function attemptCiraSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if ((dev.connType != 2) || ((dev.policy.ciraPolicy != 1) && (dev.policy.ciraPolicy != 2))) { func(dev); return; } // Only setup CIRA when LMS connection is used and a CIRA policy is enabled.
@ -1116,12 +1124,15 @@ module.exports.CreateAmtManager = function (parent) {
// TODO: We only deal with remote access starting with Intel AMT 6 and beyond
dev.taskCount = 1;
dev.taskCompleted = func;
dev.tryCount = 0;
var requests = ['*AMT_EnvironmentDetectionSettingData', 'AMT_ManagementPresenceRemoteSAP', 'AMT_RemoteAccessCredentialContext', 'AMT_RemoteAccessPolicyAppliesToMPS', 'AMT_RemoteAccessPolicyRule', '*AMT_UserInitiatedConnectionService', 'AMT_MPSUsernamePassword'];
if ((dev.aquired.majorver != null) && (dev.aquired.majorver > 11)) { requests.push('*IPS_HTTPProxyService', 'IPS_HTTPProxyAccessPoint'); }
dev.amtstack.BatchEnum(null, requests, function (stack, name, responses, status) {
dev.amtstack.BatchEnum(null, requests, attemptCiraSyncResponse);
}
function attemptCiraSyncResponse(stack, name, responses, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
//dev.consoleMsg("Added server root certificate.");
if ((dev.aquired.majorver != null) && (dev.aquired.majorver > 11) && (status == 400)) {
// Check if only the HTTP proxy objects failed
@ -1130,7 +1141,24 @@ module.exports.CreateAmtManager = function (parent) {
if (responses['IPS_HTTPProxyService'].status == 400) { delete responses['IPS_HTTPProxyService']; }
for (var i in responses) { if (responses[i].status != 200) { status = responses[i].status; } }
}
if (status != 200) { dev.consoleMsg("Failed to get CIRA state (" + status + ")."); removeAmtDevice(dev); return; }
// If batch enumeration was not succesful, try again.
if (status != 200) {
// If we failed to get the CIRA state, try again up to 5 times.
if (dev.tryCount <= 5) {
dev.tryCount++;
var requests = ['*AMT_EnvironmentDetectionSettingData', 'AMT_ManagementPresenceRemoteSAP', 'AMT_RemoteAccessCredentialContext', 'AMT_RemoteAccessPolicyAppliesToMPS', 'AMT_RemoteAccessPolicyRule', '*AMT_UserInitiatedConnectionService', 'AMT_MPSUsernamePassword'];
if ((dev.aquired.majorver != null) && (dev.aquired.majorver > 11)) { requests.push('*IPS_HTTPProxyService', 'IPS_HTTPProxyAccessPoint'); }
dev.amtstack.BatchEnum(null, requests, attemptCiraSyncResponse);
return;
}
// We tried 5 times, give up.
dev.consoleMsg("Failed to get CIRA state (" + status + ").");
removeAmtDevice(dev);
return;
}
if ((responses['AMT_UserInitiatedConnectionService'] == null) || (responses['AMT_UserInitiatedConnectionService'].response == null)) { dev.consoleMsg("Invalid CIRA state."); removeAmtDevice(dev); return; }
dev.cira = {};
@ -1203,7 +1231,6 @@ module.exports.CreateAmtManager = function (parent) {
// If we need to setup CIRA, start by checking the MPS server
// parent.mpsserver.server is not null if the MPS server is listening for TCP/TLS connections
if ((dev.policy.ciraPolicy == 2) && (parent.mpsserver.server != null)) { addMpsServer(dev); } else { checkEnvironmentDetection(dev); }
});
}
function addMpsServer(dev) {
@ -1316,6 +1343,7 @@ module.exports.CreateAmtManager = function (parent) {
function attemptSettingsSync(dev, func) {
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (dev.policy.amtPolicy == 0) { func(dev); return; } // If there is no Intel AMT policy, skip this operation.
dev.taskCount = 1;
dev.taskCompleted = func;
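Review bot: In attemptCiraSyncResponse the retry bound is off by one against its own comments: attemptCiraSync sets `dev.tryCount = 0` and the test is `dev.tryCount <= 5`, so a batch enumeration that keeps failing is re-sent six times (seven requests in all) before the "We tried 5 times, give up." branch runs. If five retries is the intent, change the test to `if (dev.tryCount < 5) {`; otherwise correct the two comments to say six. The retry branch also rebuilds the same `requests` list that attemptCiraSync builds, including the `majorver > 11` proxy entries, so the two copies can drift apart; building the list in one small helper called from both places would avoid that. The retries are issued back-to-back with no delay, which may not help if the non-200 status comes from a transient busy state; that is inferred, since the cause of the failure is not visible here. Both functions continue outside the hunks shown.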