More Intel AMT ACM improvements.

This commit is contained in:
Ylian Saint-Hilaire 2019-06-20 16:56:19 -07:00
parent e45a919c6e
commit 56637d4d58
6 changed files with 29 additions and 39 deletions

View File

@ -754,7 +754,7 @@ function createMeshCore(agent)
// Store the latest Intel AMT policy
amtPolicy = data.amtPolicy;
if (data.amtPolicy != null) { db.Put('amtPolicy', JSON.stringify(data.amtPolicy)); } else { db.Put('amtPolicy', null); }
if (amt != null) { amt.setPolicy(amtPolicy); }
if (amt != null) { amt.setPolicy(amtPolicy, true); }
break;
}
case 'getScript': {
@ -1533,7 +1533,7 @@ function createMeshCore(agent)
var response = null;
switch (cmd) {
case 'help': { // Displays available commands
response = 'Available commands: help, info, osinfo,args, print, type, dbget, dbset, dbcompact, eval, parseuri, httpget,\r\nwslist, wsconnect, wssend, wsclose, notify, ls, ps, kill, amt, netinfo, location, power, wakeonlan, scanwifi,\r\nscanamt, setdebug, smbios, rawsmbios, toast, lock, users, sendcaps, openurl, amtreset, amtccm, amtacm, amtdeactivate,\r\namtpolicy, getscript, getclip, setclip.';
response = 'Available commands: help, info, osinfo, args, print, type, dbget, dbset, dbcompact, eval, parseuri, httpget,\r\nwslist, wsconnect, wssend, wsclose, notify, ls, ps, kill, amt, netinfo, location, power, wakeonlan, scanwifi,\r\nscanamt, setdebug, smbios, rawsmbios, toast, lock, users, sendcaps, openurl, amtreset, amtccm, amtacm,\r\namtdeactivate, amtpolicy, getscript, getclip, setclip.';
break;
}
/*
@ -2067,7 +2067,7 @@ function createMeshCore(agent)
if (typeof text == 'object') { text = JSON.stringify(text); }
mesh.SendCommand({ "action": "msg", "type": "console", "value": text, "sessionid": sessionid });
}
// Called before the process exits
//process.exit = function (code) { console.log("Exit with code: " + code.toString()); }

View File

@ -754,7 +754,7 @@ function createMeshCore(agent)
// Store the latest Intel AMT policy
amtPolicy = data.amtPolicy;
if (data.amtPolicy != null) { db.Put('amtPolicy', JSON.stringify(data.amtPolicy)); } else { db.Put('amtPolicy', null); }
if (amt != null) { amt.setPolicy(amtPolicy); }
if (amt != null) { amt.setPolicy(amtPolicy, true); }
break;
}
case 'getScript': {
@ -1533,7 +1533,7 @@ function createMeshCore(agent)
var response = null;
switch (cmd) {
case 'help': { // Displays available commands
response = 'Available commands: help, info, osinfo,args, print, type, dbget, dbset, dbcompact, eval, parseuri, httpget,\r\nwslist, wsconnect, wssend, wsclose, notify, ls, ps, kill, amt, netinfo, location, power, wakeonlan, scanwifi,\r\nscanamt, setdebug, smbios, rawsmbios, toast, lock, users, sendcaps, openurl, amtreset, amtccm, amtacm, amtdeactivate,\r\namtpolicy, getscript, getclip, setclip.';
response = 'Available commands: help, info, osinfo, args, print, type, dbget, dbset, dbcompact, eval, parseuri, httpget,\r\nwslist, wsconnect, wssend, wsclose, notify, ls, ps, kill, amt, netinfo, location, power, wakeonlan, scanwifi,\r\nscanamt, setdebug, smbios, rawsmbios, toast, lock, users, sendcaps, openurl, amtreset, amtccm, amtacm,\r\namtdeactivate, amtpolicy, getscript, getclip, setclip.';
break;
}
/*
@ -2067,7 +2067,7 @@ function createMeshCore(agent)
if (typeof text == 'object') { text = JSON.stringify(text); }
mesh.SendCommand({ "action": "msg", "type": "console", "value": text, "sessionid": sessionid });
}
// Called before the process exits
//process.exit = function (code) { console.log("Exit with code: " + code.toString()); }

View File

@ -42,10 +42,10 @@ function AmtManager(agent, db, isdebug) {
obj.setDebug = function (x) { isdebug = x; }
// Set current Intel AMT activation policy
obj.setPolicy = function (policy) {
if (JSON.stringify(amtpolicy) != JSON.stringify(policy)) {
obj.setPolicy = function (policy, forceApply) {
if (forceApply || (JSON.stringify(amtpolicy) != JSON.stringify(policy))) {
amtpolicy = policy;
if (applyPolicyTimer == null) { obj.applyPolicy(); }
if (applyPolicyTimer == null) { applyPolicyTimer = setTimeout(obj.applyPolicy, 8000); }
}
}
@ -58,7 +58,7 @@ function AmtManager(agent, db, isdebug) {
try {
var amtMeiLib = require('amt-mei');
amtMei = new amtMeiLib();
amtMei.on('error', function (e) { debug('MEI error'); amtMei = null; amtMeiState = -1; obj.state = -1; obj.onStateChange(amtMeiState); });
amtMei.on('error', function (e) { debug('MEI error'); amtMei = null; amtMeiState = -1; obj.state = -1; if (obj.onStateChange != null) { obj.onStateChange(amtMeiState); } });
amtMei.getVersion(function (result) {
if (result == null) {
amtMeiState = -1;
@ -455,11 +455,8 @@ function AmtManager(agent, db, isdebug) {
//
obj.activeToACM = function (mestate) {
//debug('TrustedHashes: ' + JSON.stringify(trustedHashes));
//debug('ProvisioningState: ' + JSON.stringify(mestate.ProvisioningState));
if ((mestate.ProvisioningState != 0) || (amtpolicy == null) || (amtpolicy.match == null)) return; // Can't activate unless in "PRE" activation mode & policy is present.
var trustedFqdn = null;
//debug('Wired Interface: ' + JSON.stringify(mestate.net0));
if ((mestate.net0 == null) && (mestate.net0.enabled != 0)) return; // Can't activate unless wired interface is active
if (mestate.DNS) { trustedFqdn = mestate.DNS; } // If Intel AMT has a trusted DNS suffix set, use that one.
else {
@ -471,41 +468,31 @@ function AmtManager(agent, db, isdebug) {
}
}
}
//debug('TrustedFqdn: ' + trustedFqdn);
if (trustedFqdn == null) return; // No trusted DNS suffix.
// Check if we have a ACM policy match
var hashMatch = null;
for (var i in amtpolicy.match) { var m = amtpolicy.match[i]; if (m.cn == trustedFqdn) { for (var j in trustedHashes) { if ((trustedHashes[j] == m.sha256) || (trustedHashes[j] == m.sha1)) { hashMatch = trustedHashes[j]; } } } }
if (hashMatch == null) return; // No certificate / FQDN match
//debug('Policy: ' + JSON.stringify(amtpolicy));
//debug('HashMatch: ' + hashMatch);
// Fetch Intel AMT realm and activation nonce and get ready to ACM activation...
if (osamtstack != null) {
//debug('Trying to get Intel AMT activation information (1)...');
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], activeToACM2, { fqdn: trustedFqdn, hash: hashMatch, uuid: mestate.UUID });
} else {
//debug('ACM Activation: Trying to get local account info...');
amtMei.getLocalSystemAccount(function (x) {
if ((x != null) && x.user && x.pass) {
//debug('Intel AMT local account info: User=' + x.user + ', Pass=' + x.pass + '.');
var transport = require('amt-wsman-duk');
var wsman = require('amt-wsman');
var amt = require('amt');
oswsstack = new wsman(transport, '127.0.0.1', 16992, x.user, x.pass, false);
osamtstack = new amt(oswsstack);
//debug('Trying to get Intel AMT activation information (2)...');
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], activeToACM2, { fqdn: trustedFqdn, hash: hashMatch, uuid: mestate.UUID });
} else {
//debug('Unable to get $$OsAdmin password.');
}
});
}
}
function activeToACM2(stack, name, responses, status, tag) {
//debug('activeToACM2 status=' + status);
if (status != 200) return;
var fwNonce = responses['IPS_HostBasedSetupService'].response['ConfigurationNonce'];
var digestRealm = responses['AMT_GeneralSettings'].response['DigestRealm'];
@ -513,29 +500,24 @@ function AmtManager(agent, db, isdebug) {
}
// Called when the server responds with a ACM activation signature.
obj.setAcmResponse = function (acmdata) {
//debug('setAcmResponse=' + JSON.stringify(acmdata));
acmdata.index = 0;
performAcmActivation(acmdata);
}
obj.setAcmResponse = function (acmdata) { acmdata.index = 0; performAcmActivation(acmdata); }
// Recursive function to inject the provisioning certificates into AMT in the proper order and completes ACM activation
function performAcmActivation(acmdata) {
//debug('performAcmActivation(' + JSON.stringify(acmdata) + ')');
var leaf = (acmdata.index == 0), root = (acmdata.index == (acmdata.certs.length - 1));
if ((acmdata.index < acmdata.certs.length) && (acmdata.certs[acmdata.index] != null)) {
//debug('Calling AddNextCertInChain(' + acmdata.index + ', ' + acmdata.certs[acmdata.index] + ')');
osamtstack.IPS_HostBasedSetupService_AddNextCertInChain(acmdata.certs[acmdata.index], leaf, root, function (stack, name, responses, status) {
if (status !== 200) { debug('AddNextCertInChain status=' + status); return; }
else if (responses['Body']['ReturnValue'] !== 0) { debug('AddNextCertInChain error=' + responses['Body']['ReturnValue']); return; }
else { acmdata.index++; performAcmActivation(acmdata); }
});
} else {
debug('Calling AdminSetup() ' + JSON.stringify(acmdata));
osamtstack.IPS_HostBasedSetupService_AdminSetup(2, acmdata.password, acmdata.nonce, 2, acmdata.signature,
function (stack, name, responses, status) {
debug('AdminSetup Status: ' + status);
if (status == 200) { debug('AdminSetup ReturnValue: ' + responses['Body']['ReturnValue']); }
if ((status == 200) && (responses['Body']['ReturnValue'] == 0)) {
// ACM activation success, force an update to the server so it can get our new state.
if (obj.onStateChange != null) { obj.onStateChange(2); }
}
}
);
}
@ -628,7 +610,7 @@ function AmtManager(agent, db, isdebug) {
var wsmanQuery = ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService', '*AMT_RedirectionService', '*CIM_KVMRedirectionSAP', 'AMT_PublicKeyCertificate', '*AMT_EnvironmentDetectionSettingData'];
if (amtpolicy.cirasetup == 2) { wsmanQuery.push("AMT_ManagementPresenceRemoteSAP", "AMT_RemoteAccessCredentialContext", "AMT_RemoteAccessPolicyAppliesToMPS", "AMT_RemoteAccessPolicyRule", "*AMT_UserInitiatedConnectionService", "AMT_MPSUsernamePassword"); }
try { amtstack.BatchEnum(null, wsmanQuery, wsmanPassTestResponse); } catch (ex) { debug(ex); }
} else if ((amtpolicy.type == 3) && (meinfo.ProvisioningState == 0)) {
} else if ((amtpolicy.type == 3) && (meinfo.ProvisioningState == 0) && (agent.isControlChannelConnected)) {
// ACM Activation Policy
obj.getTrustedHashes(obj.activeToACM, meinfo);
} else {

File diff suppressed because one or more lines are too long

View File

@ -12417,7 +12417,8 @@ var QRCode;!function(){function a(a){this.mode=c.MODE_8BIT_BYTE,this.data=a,this
function p20editMeshAmtChange() {
var ptype = Q('dp20amtpolicy').value, x = '';
if (ptype >= 2) {
x = addHtmlValue('Password*', '<input id=dp20amtpolicypass style=width:230px maxlength=32 onchange=dp20amtValidatePolicy() onkeyup=dp20amtValidatePolicy() />')
x = addHtmlValue('Password*', '<input id=dp20amtpolicypass type=password style=width:230px maxlength=32 onchange=dp20amtValidatePolicy() onkeyup=dp20amtValidatePolicy() />')
x += addHtmlValue('Password*', '<input id=dp20amtpolicypass2 type=password style=width:230px maxlength=32 onchange=dp20amtValidatePolicy() onkeyup=dp20amtValidatePolicy() />')
if (ptype == 2) { x += addHtmlValue('Password mismatch', "<select id=dp20amtbadpass style=width:230px><option value=0>Do nothing</option><option value=1>Reactivate Intel&reg; AMT</option></select>"); }
if ((features & 0x400) == 0) {
if (ptype == 2) {
@ -12439,7 +12440,10 @@ var QRCode;!function(){function a(a){this.mode=c.MODE_8BIT_BYTE,this.data=a,this
function dp20amtValidatePolicy() {
var ok = true, ptype = Q('dp20amtpolicy').value;
if (ptype == 2) { var pass = Q('dp20amtpolicypass').value; ok = (pass == '') ? true : passwordcheck(pass); }
if ((ptype == 2) || (ptype == 3)) {
var pass = Q('dp20amtpolicypass').value, pass2 = Q('dp20amtpolicypass2').value;
ok = ((pass === pass2) && ((pass === '') ? true : passwordcheck(pass)));
}
QE('idx_dlgOkButton', ok);
}

View File

@ -6362,7 +6362,8 @@
function p20editMeshAmtChange() {
var ptype = Q('dp20amtpolicy').value, x = '';
if (ptype >= 2) {
x = addHtmlValue('Password*', '<input id=dp20amtpolicypass style=width:230px maxlength=32 onchange=dp20amtValidatePolicy() onkeyup=dp20amtValidatePolicy() />')
x = addHtmlValue('Password*', '<input id=dp20amtpolicypass type=password style=width:230px maxlength=32 onchange=dp20amtValidatePolicy() onkeyup=dp20amtValidatePolicy() />')
x += addHtmlValue('Password*', '<input id=dp20amtpolicypass2 type=password style=width:230px maxlength=32 onchange=dp20amtValidatePolicy() onkeyup=dp20amtValidatePolicy() />')
if (ptype == 2) { x += addHtmlValue('Password mismatch', "<select id=dp20amtbadpass style=width:230px><option value=0>Do nothing</option><option value=1>Reactivate Intel&reg; AMT</option></select>"); }
if ((features & 0x400) == 0) {
if (ptype == 2) {
@ -6384,7 +6385,10 @@
function dp20amtValidatePolicy() {
var ok = true, ptype = Q('dp20amtpolicy').value;
if (ptype == 2) { var pass = Q('dp20amtpolicypass').value; ok = (pass == '') ? true : passwordcheck(pass); }
if ((ptype == 2) || (ptype == 3)) {
var pass = Q('dp20amtpolicypass').value, pass2 = Q('dp20amtpolicypass2').value;
ok = ((pass === pass2) && ((pass === '') ? true : passwordcheck(pass)));
}
QE('idx_dlgOkButton', ok);
}