14 changes: 14 additions & 0 deletions package-lock.json


16 changes: 13 additions & 3 deletions src/DataProcessor.ts
Expand Up @@ -79,6 +79,10 @@ export class DataProcessor {
await this.handleConnectionReset(clientMsg, clientId)
break
}
case ClientMethods.PORT_SWITCH_ACK: {
await this.handlePortSwitchAck(clientMsg, clientId)
break
}
default: {
const uuid = clientMsg.payload.uuid ? clientMsg.payload.uuid : devices[clientId].ClientData.payload.uuid
throw new RPSError(`Device ${uuid} Not a supported method received from AMT device`)
Expand Down Expand Up @@ -151,9 +155,6 @@ export class DataProcessor {
this.logger.warn(`WSMAN RESPONSE: parse failed`)
rejectValue = new UNEXPECTED_PARSE_ERROR()
} else {
const actionMatch = xmlBody.match(/<a:Action>([^<]+)<\/a:Action>/)
const action = actionMatch ? actionMatch[1].split('/').pop() : 'unknown'
this.logger.debug(`WSMAN RESPONSE: ${action}`)
this.logger.debug(`WSMAN RESPONSE XML:\n${xmlBody}`)
}
} else {
Expand Down Expand Up @@ -253,6 +254,15 @@ export class DataProcessor {
}
}

async handlePortSwitchAck(clientMsg: ClientMsg, clientId: string): Promise<void> {
const clientObj = devices[clientId]
this.logger.info(`PORT_SWITCH_ACK received from rpc-go for device ${clientObj?.uuid}`)

if (clientObj?.pendingPromise != null && clientObj.resolve != null) {
clientObj.resolve('port_switch_ack')
}
}

async handleConnectionReset(clientMsg: ClientMsg, clientId: string): Promise<void> {
const clientObj = devices[clientId]
this.logger.warn(`CONNECTION RESET from rpc-go`)
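Review bot: handlePortSwitchAck (L54-L61) resolves whatever promise is currently pending for the client without checking that the wait is actually for a port switch; the ack comes from the remote rpc-go side and clientMsg itself is never inspected, so an ack arriving while the processor awaits an unrelated response would resolve that wait with the string `'port_switch_ack'`, a value the other awaiting code is unlikely to expect. Consider recording which operation the pending promise belongs to when PORT_SWITCH is sent and checking that marker here, and logging a warning and returning when an ack arrives with nothing pending instead of silently doing nothing; when clientObj is undefined the info line at L56 also logs a uuid of `undefined`. A TSDoc line stating the contract would help, e.g. `/** Resolves the client's pending promise when rpc-go acknowledges a port switch; a no-op when nothing is pending. */`. The switch in the first hunk and the DataProcessor class continue outside the hunks.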
5 changes: 5 additions & 0 deletions src/Validator.ts
Expand Up @@ -80,6 +80,11 @@ export class Validator implements IValidator {
this.logger.info(`Device ${payload.uuid} has TLS enforced - enabling TLS tunnel mode`)
}
}
// Extract TLS tunnel activation flag from payload
if (msg.payload.tlsTunnel === true) {
clientObj.tlsTunnelActivation = true
this.logger.info(`Device ${payload.uuid} requested TLS tunnel activation`)
}
// Check for client requested action and profile activation
const profile: AMTConfiguration | null = await this.configurator.profileManager.getAmtProfile(
payload.profile,
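Review bot: The new branch at L74-L77 sets clientObj.tlsTunnelActivation from a client-supplied flag in msg.payload, and nothing in the hunk ties that decision to the profile that is looked up immediately afterwards at L79; worth confirming that a later step gates tunnel activation on the profile rather than on the client's request alone, and saying so in the comment at L73, e.g. `// Client-requested TLS tunnel activation; the profile decides whether it is honoured`. The flag is also only ever set to true here, so if the ClientObject is reused across messages a stale true would survive a later message that omits the flag; `clientObj.tlsTunnelActivation = msg.payload.tlsTunnel === true` keeps it in sync. The enclosing method starts and ends outside the hunk.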
70 changes: 20 additions & 50 deletions src/certs/amt-odca.ts
Expand Up @@ -8,55 +8,27 @@
* These are public Intel certificates used to validate AMT device certificates
* when TLS is enforced on the AMT platform.
*
* Certificate sources:
* - Intel(R) Client Platform Root Certificate Authority
* - Intel AMT RCFG certificates
* Certificate source: src/certs/OnDie_CA_RootCA_Certificate.cer
*/
export const AMT_ODCA_ROOT_CERTS: string[] = [
// Intel(R) CSME FW RCFG Certificate
// This root CA is used for AMT Remote Configuration
// Intel OnDie CA Root Certificate (ECC P-384, valid 2019-2049)
// Subject: O=Intel Corporation, OU=OnDie CA Root Cert Signing, CN=www.intel.com
`-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----`,

// Intel AMT Remote Configuration Root CA
// Alternative root CA for AMT device certificates
`-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIQT0cAanSqxS4HblMrI2TFADANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL
EwNEb0QxDDAKBgNVBAsTA1BLSTEWMBQGA1UEAxMNRG9EIFJvb3QgQ0EgMzAeFw0x
MjA0MDUxMzQzNThaFw0zNzEyMzExMzQzNThaMF8xCzAJBgNVBAYTAlVTMRgwFgYD
VQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUEtJ
MRYwFAYDVQQDEw1Eb0QgUm9vdCBDQSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAq6EcqasGJCC9k9J6hCOJxPYHHdKfVJLCE8p2qGGBD08f6e8RADax
8u3XNMPRM0QB6LjKaHpMPkdR5WSbQrTqPN04BOZgDq1rrqREXsMzb4siDkn0J2x0
HIB2kRTDtT8VBC7JSCPlMFpZvluYwpAgJkH3AZ0yw8D0mqrKWzN0GYPRJYBeEdG7
9R6A8tF0MZBqkRAMBGM6KtD8UewJ5NIpqmxexvHyGIl0JVMJBsivfXYJzMHXm8H5
9N4cgS/rH5YMkAqN5F/MWMMP5O1ZB0aN7N5FQqW5wgQ2pjDhkUI5Fa1p3J1j+K9v
e3WXz6Q4j+U/n9z4E0ozj0Q+y0+B7dWHBwIDAQABo0IwQDAdBgNVHQ4EFgQUbIqU
Y559IcHI7UXNDS8dkzQ39JowDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB
Af8wDQYJKoZIhvcNAQELBQADggEBAJ17j0qUFlyPNZjfU2G1jwxNvJQP1TwZ3YL4
QL67jk+E7ji0W8j3gU5JLJ4x/fdOUh0a6X/uh1HZrxsm24bIOzrV0nx3CpLs3WZM
bf0lWFiPBNbQZUzVLz1GdLhJPBLn5WNBhJYL0D7HqZSJitRmPJLttNfoVPolSKI1
FRQ6G0HHfLrnBg1TECQ0iFJsRJzRjWw6YnFf6xDy0EfOZPbCOzU9I3QBRLXL1swk
Xz5EeRXNKEP2QRh1q9rnQSNJo3cIuvHBZzT9r+aPNrNJp6hFvkCAVvWjfH/tf/T2
d6QakmgMNmgZNAiMp6ms1P1gkjxFlSsG3Nz8L/WNQBLEP2xEAeg=
MIICujCCAj6gAwIBAgIUPLLiHTrwySRtWxR4lxKLlu7MJ7wwDAYIKoZIzj0EAwMF
ADCBiTELMAkGA1UEBgwCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQHDAtTYW50YSBD
bGFyYTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xIzAhBgNVBAsMGk9uRGll
IENBIFJvb3QgQ2VydCBTaWduaW5nMRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMB4X
DTE5MDQwMzAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowgYkxCzAJBgNVBAYMAlVTMQsw
CQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVs
IENvcnBvcmF0aW9uMSMwIQYDVQQLDBpPbkRpZSBDQSBSb290IENlcnQgU2lnbmlu
ZzEWMBQGA1UEAwwNd3d3LmludGVsLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
BK8SfB2UflvXZqb5Kc3+lokrABHWazvNER2axPURP64HILkXChPB0OEX5hLB7Okw
7Dy6oFqB5tQVDupgfvUX/SgYBEaDdG5rCVFrGAis6HX5TA2ewQmj14r2ncHBgnpp
B6NjMGEwHwYDVR0jBBgwFoAUtFjJ9uQIQKPyWMg5eG6ujgqNnDgwDwYDVR0TAQH/
BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLRYyfbkCECj8ljIOXhu
ro4KjZw4MAwGCCqGSM49BAMDBQADaAAwZQIxAP9B4lFF86uvpHmkcp61cWaU565a
yE3p7ezu9haLE/lPLh5hFQfmTi1nm/sG3JEXMQIwNpKfHoDmUTrUyezhhfv3GG+1
CqBXstmCYH40buj9jKW3pHWc71s9arEmPWli7I8U
-----END CERTIFICATE-----`
]

Expand All @@ -65,8 +37,6 @@ d6QakmgMNmgZNAiMp6ms1P1gkjxFlSsG3Nz8L/WNQBLEP2xEAeg=
* Used to validate that certificates are issued by Intel AMT ODCA.
*/
export const AMT_ALLOWED_ISSUERS = [
'iAMT CSME IDevID RCFG',
'AMT RCFG',
'Intel(R) CSME',
'Intel(R)'
'OnDie CA Root Cert Signing',
'Intel Corporation'
]
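Review bot: AMT_ALLOWED_ISSUERS (L144-L151) now lists 'Intel Corporation' and 'OnDie CA Root Cert Signing'; if the comparison that consumes this list is a substring or contains match on the issuer DN (that code is not in this diff), 'Intel Corporation' matches any certificate whose issuer carries that organisation name, so the list no longer distinguishes the OnDie CA from other Intel-issued certificates and the effective trust anchor is the certificate in AMT_ODCA_ROOT_CERTS alone. Either document that in the block comment at L142, e.g. `* Issuer-name allow-list used as a coarse pre-filter only; trust comes from chain validation against AMT_ODCA_ROOT_CERTS.`, or compare against the full issuer DN rather than fragments. The header comment at L85 still says "These are public Intel certificates" while the array appears to hold a single OnDie root certificate after this change; `This is the public Intel certificate used to validate …` would match the new contents.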
2 changes: 2 additions & 0 deletions src/interfaces/ISecretManagerService.ts
Expand Up @@ -9,6 +9,8 @@ export interface DeviceCredentials {
AMT_PASSWORD: string | null
MPS_PASSWORD?: string // only required for CIRA
MEBX_PASSWORD?: string | null
TLS_ROOT_CERTIFICATE?: string
TLS_ISSUED_CERTIFICATE?: string
version?: string
}

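Review bot: TLS_ROOT_CERTIFICATE and TLS_ISSUED_CERTIFICATE (L158-L159) are added without the trailing comment the sibling MPS_PASSWORD field carries, so neither their encoding nor when they are present is stated. Suggest `TLS_ROOT_CERTIFICATE?: string // PEM-encoded root CA for the TLS tunnel — confirm encoding` and a matching line for the issued certificate; the encoding is presumably PEM given the rootCertPEM/issuedCertPEM names elsewhere in this PR, but the writer of these values should be checked before the comment asserts it.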
9 changes: 8 additions & 1 deletion src/models/RCS.Config.ts
Expand Up @@ -126,6 +126,7 @@ export interface ClientObject {
resolve: (value: unknown) => void
reject: (value: unknown) => void
tlsEnforced?: boolean
tlsTunnelActivation?: boolean
tlsTunnelManager?: TLSTunnelManager
tlsTunnelNeedsReset?: boolean
tlsTunnelSessionId?: string // Current TLS session ID for filtering stale data
Expand Down Expand Up @@ -200,6 +201,9 @@ export interface TLSConfigFlow {
commitLocalTLS?: boolean
getTimeSynch?: boolean
setTimeSynch?: boolean
rootCertPEM?: string
rootCertKey?: any
issuedCertPEM?: string
}

export interface mpsServer {
Expand Down Expand Up @@ -240,6 +244,7 @@ export interface Payload {
client: string
profile?: any
tlsEnforced?: boolean
tlsTunnel?: boolean
}

export interface ConnectionObject {
Expand Down Expand Up @@ -271,7 +276,9 @@ export enum ClientMethods {
HEARTBEAT = 'heartbeat_response',
MAINTENANCE = 'maintenance',
TLS_DATA = 'tls_data',
CONNECTION_RESET = 'connection_reset'
CONNECTION_RESET = 'connection_reset',
PORT_SWITCH = 'port_switch',
PORT_SWITCH_ACK = 'port_switch_ack'
}

export interface apiResponse {
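Review bot: `rootCertKey?: any` (L179) types what is presumably private-key material as any, which switches off checking at every use site; the file already has `profile?: any` so there is precedent, but `rootCertKey?: unknown` with a narrowing where the key is used, or the concrete key type the signing code expects, would be safer for a value like this. tlsTunnelActivation (L170) also lacks the trailing comment its sibling tlsTunnelSessionId has; `tlsTunnelActivation?: boolean // set from payload.tlsTunnel when the client requests tunnel activation`, which is what Validator.ts in this PR does, would document it. The ClientObject and TLSConfigFlow interfaces start outside their hunks.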