From cbc93ea25054250798856602615e05d52217f72e Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 31 Aug 2024 20:51:09 +0300 Subject: [PATCH] amtterm: enable SSL support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Current versions of Intel AMT/vPro only support connecting over SSL, but our current amtterm version isn't built with SSL support. Set the `USE_OPENSSL=1` makeFlag and add openssl and pkg-config. It adds an additional `-C cacert` parameter, which needs to point to a previously downloaded server certificate. The server certificate can be retrieved with `openssl s_client -showcerts -connect $host:16995`. However, due to the use of `UnsafeLegacyRenegotiation`, `OPENSSL_CONF` needs to point to a text file explicitly allowing this: ``` openssl_conf = default_conf [ default_conf ] ssl_conf = ssl_sect [ssl_sect] system_default = ssl_default_sect [ssl_default_sect] Options = UnsafeLegacyRenegotiation ``` With this, I'm able to connect to `/dev/ttyS2` inside the host: ``` ❯ AMT_PASSWORD='supersecret' amtterm $host 16995 -C cert.pem amtterm: NONE -> CONNECT (connection to host) ipv4 $ip [$ip] 16995 open amtterm: CONNECT -> INIT (redirection initialization) amtterm: INIT -> AUTH (session authentication) amtterm: AUTH -> INIT_SOL (serial-over-lan initialization) amtterm: INIT_SOL -> RUN_SOL (serial-over-lan active) serial-over-lan redirection ok connected now, use ^] to escape Hello World ```
---
 pkgs/tools/system/amtterm/default.nix | 30 ++++++++++++++-------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/pkgs/tools/system/amtterm/default.nix b/pkgs/tools/system/amtterm/default.nix
index 1dd26e5b3c1b..caa030b8c65f 100644
--- a/pkgs/tools/system/amtterm/default.nix
+++ b/pkgs/tools/system/amtterm/default.nix
@@ -1,27 +1,29 @@
-{ fetchurl, lib, stdenv, makeWrapper, perl, perlPackages }:
+{ fetchFromGitHub, lib, stdenv, makeWrapper, openssl, perl, perlPackages, pkg-config }:
 stdenv.mkDerivation (finalAttrs: {
 pname = "amtterm";
- version = "1.7-1";
+ version = "1.7-1-unstable-2023-10-27";
- buildInputs = with perlPackages; [ perl SOAPLite ];
- nativeBuildInputs = [ makeWrapper ];
+ buildInputs = (with perlPackages; [ perl SOAPLite ]) ++ [ openssl ];
+ nativeBuildInputs = [ makeWrapper pkg-config ];
- src = fetchurl {
- url = "https://www.kraxel.org/cgit/amtterm/snapshot/amtterm-${finalAttrs.version}.tar.gz";
- sha256 = "sha256-WrYWAXLW74hb/DfSiPyiFIGAUfDQFdNEPx+XevZYcyk=";
+ src = fetchFromGitHub {
+ owner = "kraxel";
+ repo = "amtterm";
+ rev = "ed5da502cbb150982ad982211ad9475414b8689a";
+ hash = "sha256-JwS2agmJJ6VcGLkNbkFRb5bzKV8el1DMDjalmLnOdE8=";
 };
- makeFlags = [ "prefix=$(out)" "STRIP=" ];
+ makeFlags = [ "prefix=$(out)" "STRIP=" "USE_OPENSSL=1" ];
 postInstall = "wrapProgram $out/bin/amttool --prefix PERL5LIB : $PERL5LIB";
- meta = with lib;
- { description = "Intel AMT® SoL client + tools";
- homepage = "https://www.kraxel.org/cgit/amtterm/";
- license = licenses.gpl2Plus;
- platforms = platforms.linux;
- };
+ meta = {
+ description = "Intel AMT® SoL client + tools";
+ homepage = "https://www.kraxel.org/cgit/amtterm/";
+ license = lib.licenses.gpl2Plus;
+ platforms = lib.platforms.linux;
+ };
 })
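Review bot: The `"USE_OPENSSL=1"` entry in `makeFlags` turns on a TLS path whose runtime requirements are recorded only in the commit message, so nothing in `default.nix` tells a user about them. According to that message, connecting needs an `OPENSSL_CONF` that enables `UnsafeLegacyRenegotiation` and a `-C` certificate fetched with `openssl s_client`, which is trust-on-first-use unless the fingerprint is checked out of band. I would add a comment above `makeFlags` (or a `meta.longDescription`) such as `# TLS to AMT may need OPENSSL_CONF with UnsafeLegacyRenegotiation; set it only for the amtterm invocation, never system-wide.` Separately, `homepage` still names the cgit URL although `src` now comes from GitHub; worth confirming that is intended.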