More Intel AMT CCM improvements.

This commit is contained in:
Ylian Saint-Hilaire 2020-10-20 18:14:00 -07:00
parent 927631d880
commit 94e2f05e95
7 changed files with 131 additions and 118 deletions






@ -537,6 +537,7 @@ function run(argv) {
var amtMeiModule, amtMei; var amtMeiModule, amtMei;
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; } try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; }); amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
try {
amtMei.getVersion(function (result) { amtMei.getVersion(function (result) {
if (result) { if (result) {
for (var version in result.Versions) { for (var version in result.Versions) {
@ -595,6 +596,7 @@ function run(argv) {
} }
exit(1); exit(1);
}); });
} catch (ex) { console.log("Unable to perform MEI operations, try running as administrator."); exit(1); return; }
} else if (settings.action == 'amtinfodebug') { } else if (settings.action == 'amtinfodebug') {
// Display Intel AMT version and activation state // Display Intel AMT version and activation state
getMeiState(15, function (state) { console.log(JSON.stringify(state, null, 2)); exit(1); }); // Flags: 1 = Versions, 2 = OsAdmin, 4 = Hashes, 8 = Network getMeiState(15, function (state) { console.log(JSON.stringify(state, null, 2)); exit(1); }); // Flags: 1 = Versions, 2 = OsAdmin, 4 = Hashes, 8 = Network
@ -1133,20 +1135,23 @@ function startMeshCommander() {
// //
function configureAmt() { function configureAmt() {
console.log('Starting Intel AMT configuration...');
settings.noconsole = true; settings.noconsole = true;
startLms(configureAmt2, amtMei); startLms(configureAmt2, amtMei);
} }
function configureAmt2() { function configureAmt2() {
getMeiState(15, function (state) { // Flags: 1 = Versions, 2 = OsAdmin, 4 = Hashes, 8 = Network getMeiState(15, function (state) { // Flags: 1 = Versions, 2 = OsAdmin, 4 = Hashes, 8 = Network
if (state == null) { console.log('Unable to get Intel AMT state, try running as administrator.'); exit(1); return; }
if (state.ProvisioningState == null) { console.log('Intel AMT not ready for configuration.'); exit(1); return; }
console.log('Starting Intel AMT configuration...');
// Connect to MPS and start APF relay // Connect to MPS and start APF relay
var apfarg = { var apfarg = {
mpsurl: settings.url, mpsurl: settings.url,
mpsuser: settings.id.substring(0, 16), mpsuser: settings.id.substring(0, 16),
mpspass: settings.id.substring(0, 16), mpspass: settings.id.substring(0, 16),
mpskeepalive: 60000, mpskeepalive: 60000,
clientname: require('os').hostname(), clientname: state.OsHostname,
clientaddress: '127.0.0.1', clientaddress: '127.0.0.1',
clientuuid: state.UUID, clientuuid: state.UUID,
conntype: 2, // 0 = CIRA, 1 = Relay, 2 = LMS. The correct value is 2 since we are performing an LMS relay. conntype: 2, // 0 = CIRA, 1 = Relay, 2 = LMS. The correct value is 2 since we are performing an LMS relay.
@ -1306,6 +1311,7 @@ function activeToACM() {
var amtMeiModule, amtMei; var amtMeiModule, amtMei;
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; } try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; }); amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
try {
amtMei.getProvisioningState(function (result) { if (result) { mestate.ProvisioningState = result; } }); amtMei.getProvisioningState(function (result) { if (result) { mestate.ProvisioningState = result; } });
amtMei.getVersion(function (val) { mestate.vers = {}; if (val != null) { for (var version in val.Versions) { mestate.vers[val.Versions[version].Description] = val.Versions[version].Version; } } }); amtMei.getVersion(function (val) { mestate.vers = {}; if (val != null) { for (var version in val.Versions) { mestate.vers[val.Versions[version].Description] = val.Versions[version].Version; } } });
amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } }); amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } });
@ -1336,6 +1342,7 @@ function activeToACM() {
console.log("Trusted DNS suffix not set, can't perform ACM activation."); exit(100); return; console.log("Trusted DNS suffix not set, can't perform ACM activation."); exit(100); return;
} }
}); });
} catch (ex) { console.log("Unable to perform MEI operations, try running as administrator."); exit(1); return; }
} }
// Gets the FWNonce from AMT and saves it to a file. // Gets the FWNonce from AMT and saves it to a file.
@ -1719,7 +1726,7 @@ function startLms(func, lmscommander, tag) {
//console.log("PTHI Connected."); //console.log("PTHI Connected.");
console.log('Setting up LME...'); console.log('Setting up LME...');
amtLms = new lme_heci({ debug: settings.lmsdebug }); try { amtLms = new lme_heci({ debug: settings.lmsdebug }); } catch (ex) { if (func != null) { func(0, tag); } return; }
amtLms.promise = ret; amtLms.promise = ret;
amtLms.on('error', function (e) { amtLms.on('error', function (e) {
//console.log('LME connection failed', e); //console.log('LME connection failed', e);
@ -1835,6 +1842,7 @@ function setupMeiOsAdmin(func, state, tag) {
if (func) { func(state, tag); } if (func) { func(state, tag); }
} else { } else {
amtMei.getLocalSystemAccount(function (x) { amtMei.getLocalSystemAccount(function (x) {
if ((x == null) || (x.user == null) || (x.pass == null)) { if (func) { func(state, tag); } return; } // No OsAdmin, stop here.
var transport = require('amt-wsman-duk'); var transport = require('amt-wsman-duk');
var wsman = require('amt-wsman'); var wsman = require('amt-wsman');
var amt = require('amt'); var amt = require('amt');
@ -2957,7 +2965,7 @@ function getMeiState(flags, func) {
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { func(null); return; } try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { func(null); return; }
amtMei.on('error', function (e) { func(null); return; }); amtMei.on('error', function (e) { func(null); return; });
try { try {
var amtMeiTmpState = { Flags: 0 }; // Flags: 1=EHBC, 2=CCM, 4=ACM var amtMeiTmpState = { OsHostname: require('os').hostname(), Flags: 0 }; // Flags: 1=EHBC, 2=CCM, 4=ACM
amtMei.getProtocolVersion(function (result) { if (result != null) { amtMeiTmpState.MeiVersion = result; } }); amtMei.getProtocolVersion(function (result) { if (result != null) { amtMeiTmpState.MeiVersion = result; } });
if ((flags & 1) != 0) { amtMei.getVersion(function (result) { if (result) { amtMeiTmpState.Versions = {}; for (var version in result.Versions) { amtMeiTmpState.Versions[result.Versions[version].Description] = result.Versions[version].Version; } } }); } if ((flags & 1) != 0) { amtMei.getVersion(function (result) { if (result) { amtMeiTmpState.Versions = {}; for (var version in result.Versions) { amtMeiTmpState.Versions[result.Versions[version].Description] = result.Versions[version].Version; } } }); }
amtMei.getProvisioningMode(function (result) { if (result) { amtMeiTmpState.ProvisioningMode = result.mode; } }); amtMei.getProvisioningMode(function (result) { if (result) { amtMeiTmpState.ProvisioningMode = result.mode; } });
@ -2980,7 +2988,7 @@ function getMeiState(flags, func) {
amtMei.getDnsSuffix(function (result) { if (result != null) { amtMeiTmpState.DnsSuffix = result; } if ((flags & 4) == 0) { if (func != null) { func(amtMeiTmpState); } } }); amtMei.getDnsSuffix(function (result) { if (result != null) { amtMeiTmpState.DnsSuffix = result; } if ((flags & 4) == 0) { if (func != null) { func(amtMeiTmpState); } } });
if ((flags & 4) != 0) { if ((flags & 4) != 0) {
amtMei.getHashHandles(function (handles) { amtMei.getHashHandles(function (handles) {
if (handles != null) { amtMeiTmpState.Hashes = []; } else { func(amtMeiTmpState); } if ((handles != null) && (handles.length > 0)) { amtMeiTmpState.Hashes = []; } else { func(amtMeiTmpState); }
var exitOnCount = handles.length; var exitOnCount = handles.length;
for (var i = 0; i < handles.length; ++i) { this.getCertHashEntry(handles[i], function (hashresult) { amtMeiTmpState.Hashes.push(hashresult); if (--exitOnCount == 0) { if (func != null) { func(amtMeiTmpState); } } }); } for (var i = 0; i < handles.length; ++i) { this.getCertHashEntry(handles[i], function (hashresult) { amtMeiTmpState.Hashes.push(hashresult); if (--exitOnCount == 0) { if (func != null) { func(amtMeiTmpState); } } }); }
}); });
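Review bot: The else branch of the new line `if ((handles != null) && (handles.length > 0)) { amtMeiTmpState.Hashes = []; } else { func(amtMeiTmpState); }` does not return, so when getHashHandles yields null the callback still reaches `var exitOnCount = handles.length;` and throws a TypeError after func has already been invoked; with an empty array it only works because the loop body never runs. Since the callback presumably fires after the surrounding try block has exited, that throw would not be caught there. The call is also unguarded, while every other completion path in this function uses `if (func != null)`. Suggest `if ((handles == null) || (handles.length == 0)) { if (func != null) { func(amtMeiTmpState); } return; }` followed by `amtMeiTmpState.Hashes = [];`. The same pattern appears in the second file's copy of getMeiState (its hunk at -3863); getMeiState itself begins outside this hunk.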


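--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -3545,12 +3545,13 @@ function createMeshCore(agent) {
 if (amt == null) { response = "No Intel AMT support delected"; break; }
 getMeiState(15, function (state) {
 var rx = '';
+if ((state == null) || (state.ProvisioningState == null)) { rx = "Intel AMT not ready for configuration."; } else {
 var apfarg = {
 mpsurl: mesh.ServerUrl.replace('agent.ashx', 'apf.ashx'),
 mpsuser: Buffer.from(mesh.ServerInfo.MeshID, 'hex').toString('base64').substring(0, 16),
 mpspass: Buffer.from(mesh.ServerInfo.MeshID, 'hex').toString('base64').substring(0, 16),
 mpskeepalive: 60000,
-clientname: require('os').hostname(),
+clientname: state.OsHostname,
 clientaddress: '127.0.0.1',
 clientuuid: state.UUID,
 conntype: 2, // 0 = CIRA, 1 = Relay, 2 = LMS. The correct value is 2 since we are performing an LMS relay, other values for testing.
@@ -3573,6 +3574,7 @@ function createMeshCore(agent) {
 rx = JSON.stringify(ex);
 }
 }
+}
 if (rx != '') { require('MeshAgent').SendCommand({ action: 'msg', type: 'console', value: rx }); }
 });
 break;
@@ -3840,7 +3842,7 @@ function createMeshCore(agent) {
 try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { func(null); return; }
 amtMei.on('error', function (e) { func(null); return; });
 try {
-var amtMeiTmpState = { Flags: 0 }; // Flags: 1=EHBC, 2=CCM, 4=ACM
+var amtMeiTmpState = { OsHostname: require('os').hostname(), Flags: 0 }; // Flags: 1=EHBC, 2=CCM, 4=ACM
 amtMei.getProtocolVersion(function (result) { if (result != null) { amtMeiTmpState.MeiVersion = result; } });
 if ((flags & 1) != 0) { amtMei.getVersion(function (result) { if (result) { amtMeiTmpState.Versions = {}; for (var version in result.Versions) { amtMeiTmpState.Versions[result.Versions[version].Description] = result.Versions[version].Version; } } }); }
 amtMei.getProvisioningMode(function (result) { if (result) { amtMeiTmpState.ProvisioningMode = result.mode; } });
@@ -3863,7 +3865,7 @@ function createMeshCore(agent) {
 amtMei.getDnsSuffix(function (result) { if (result != null) { amtMeiTmpState.DnsSuffix = result; } if ((flags & 4) == 0) { if (func != null) { func(amtMeiTmpState); } } });
 if ((flags & 4) != 0) {
 amtMei.getHashHandles(function (handles) {
-if (handles != null) { amtMeiTmpState.Hashes = []; } else { func(amtMeiTmpState); }
+if ((handles != null) && (handles.length > 0)) { amtMeiTmpState.Hashes = []; } else { func(amtMeiTmpState); }
 var exitOnCount = handles.length;
 for (var i = 0; i < handles.length; ++i) { this.getCertHashEntry(handles[i], function (hashresult) { amtMeiTmpState.Hashes.push(hashresult); if (--exitOnCount == 0) { if (func != null) { func(amtMeiTmpState); } } }); }
 });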
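Review bot: The new guard in the first hunk, `if ((state == null) || (state.ProvisioningState == null)) { rx = "Intel AMT not ready for configuration."; } else {`, reports a missing MEI state and an unprovisioned state with the same console text, whereas configureAmt2 in the command-line tool in this same commit distinguishes "Unable to get Intel AMT state" from "not ready for configuration". Splitting it as `if (state == null) { rx = 'Unable to get Intel AMT state.'; } else if (state.ProvisioningState == null) { rx = "Intel AMT not ready for configuration."; } else {` (message text constructed here) would make the agent console as diagnosable as the CLI when MEI access fails. The enclosing function createMeshCore starts and ends outside the hunk.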


@ -443,6 +443,7 @@ module.exports.CreateAmtManager = function(parent) {
if (dev.aquired.version && (typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); } if (dev.aquired.version && (typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
if (dev.aquired.user && (typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); } if (dev.aquired.user && (typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
if (dev.aquired.pass && (typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); } if (dev.aquired.pass && (typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
if (dev.aquired.host && (typeof dev.aquired.host == 'string') && (dev.aquired.host != device.host)) { change = 1; log = 1; device.host = dev.aquired.host; changes.push('host'); }
if (dev.aquired.realm && (typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); } if (dev.aquired.realm && (typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
if (dev.aquired.hash && (typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); } if (dev.aquired.hash && (typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
if (dev.aquired.tls && (typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); } if (dev.aquired.tls && (typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
@ -469,7 +470,6 @@ module.exports.CreateAmtManager = function(parent) {
if (parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come. if (parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(device.meshid, [device._id]), obj, event); parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(device.meshid, [device._id]), obj, event);
} }
}); });
} }
@ -703,7 +703,7 @@ module.exports.CreateAmtManager = function(parent) {
const domain = parent.config.domains[dev.domainid]; const domain = parent.config.domains[dev.domainid];
var serverName = 'MeshCentral'; var serverName = 'MeshCentral';
if ((domain != null) && (domain.title != null)) { serverName = domain.title; } if ((domain != null) && (domain.title != null)) { serverName = domain.title; }
const certattributes = { 'CN': commonName, 'O': serverName, 'ST': serverName, 'C': serverName }; const certattributes = { 'CN': commonName, 'O': serverName, 'ST': 'MC', 'C': 'MC' };
const issuerattributes = { 'CN': obj.rootCertCN }; const issuerattributes = { 'CN': obj.rootCertCN };
const xxCaPrivateKey = obj.parent.certificates.root.key; const xxCaPrivateKey = obj.parent.certificates.root.key;
@ -781,7 +781,7 @@ module.exports.CreateAmtManager = function(parent) {
const dev = stack.dev; const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg("Failed perform commit (" + status + ")."); removeAmtDevice(dev); return; } if (status != 200) { dev.consoleMsg("Failed perform commit (" + status + ")."); removeAmtDevice(dev); return; }
dev.consoleMsg("Enabled TLS"); dev.consoleMsg("Enabled TLS.");
// Update device in the database // Update device in the database
dev.aquired.tls = 1; dev.aquired.tls = 1;
@ -1205,7 +1205,7 @@ module.exports.CreateAmtManager = function(parent) {
} }
function activateIntelAmtCcm(dev, password) { function activateIntelAmtCcm(dev, password) {
console.log('Intel AMT CCM Activation Required: ' + dev.name, dev.nodeid); // Generate a random Intel AMT password if needed
if ((password == null) || (password == '')) { password = getRandomAmtPassword(); } if ((password == null) || (password == '')) { password = getRandomAmtPassword(); }
dev.temp = { pass: password }; dev.temp = { pass: password };
@ -1229,13 +1229,15 @@ module.exports.CreateAmtManager = function(parent) {
const dev = stack.dev; const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg("Failed to activate Intel AMT to CCM."); removeAmtDevice(dev); return; } if (status != 200) { dev.consoleMsg("Failed to activate Intel AMT to CCM."); removeAmtDevice(dev); return; }
obj.parent.mpsserver.SendJsonControl(dev.mpsConnection, { action: 'mestate' }); // Request an MEI state refresh
// Update the device // Update the device
dev.aquired = {}; dev.aquired = {};
dev.aquired.controlMode = 1; // 1 = CCM, 2 = ACM dev.aquired.controlMode = 1; // 1 = CCM, 2 = ACM
var verSplit = dev.amtstack.wsman.comm.amtVersion.split('.'); var verSplit = dev.amtstack.wsman.comm.amtVersion.split('.');
if (verSplit.length >= 3) { dev.aquired.version = verSplit[0] + '.' + verSplit[1] + '.' + verSplit[2]; dev.aquired.majorver = parseInt(verSplit[0]); dev.aquired.minorver = parseInt(verSplit[1]); } if (verSplit.length >= 3) { dev.aquired.version = verSplit[0] + '.' + verSplit[1] + '.' + verSplit[2]; dev.aquired.majorver = parseInt(verSplit[0]); dev.aquired.minorver = parseInt(verSplit[1]); }
if ((typeof dev.mpsConnection.tag.meiState.OsHostname == 'string') && (typeof dev.mpsConnection.tag.meiState.OsDnsSuffix == 'string')) {
dev.aquired.host = dev.mpsConnection.tag.meiState.OsHostname + '.' + dev.mpsConnection.tag.meiState.OsDnsSuffix;
}
dev.aquired.realm = dev.amtstack.wsman.comm.digestRealm; dev.aquired.realm = dev.amtstack.wsman.comm.digestRealm;
dev.aquired.user = 'admin'; dev.aquired.user = 'admin';
dev.aquired.pass = dev.temp.pass; dev.aquired.pass = dev.temp.pass;
@ -1244,6 +1246,7 @@ module.exports.CreateAmtManager = function(parent) {
UpdateDevice(dev); UpdateDevice(dev);
// Success, switch to managing this device // Success, switch to managing this device
obj.parent.mpsserver.SendJsonControl(dev.mpsConnection, { action: 'mestate' }); // Request an MEI state refresh
dev.consoleMsg("Succesfully activated Intel AMT in CCM mode."); dev.consoleMsg("Succesfully activated Intel AMT in CCM mode.");
// Wait 8 seconds before attempting to manage this device in CCM // Wait 8 seconds before attempting to manage this device in CCM