open-amt-cloud-toolkit/rpc-go

StartConfigurationHBased support.

jclab-joseph opened this issue · 4 comments

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/HTMLDocuments/WS-Management_Class_Reference/IPS_HostBasedSetupService.htm#AdminSetup

Look at the link above: AdminSetup has been deprecated.

Starting from Intel CSME 19.0, this method of setting up ACM provisioning will be removed. Intel recommends using the Secure Host-Based (Local-PKI) provisioning method for customers who require ACM provisioning.

Starting from CSME 19.0, AdminSetup is not possible and StartConfigurationHBased must be used, but rpc also needs support for this.


If possible, please answer the questions below also.
https://community.intel.com/t5/Intel-vPro-Platform/What-is-AMTCertHash-in-StartConfigurationHBased/td-p/1568585

There is a problem with the hash output from StartConfigurationHBased not matching. (To be exact, the leaf certificate changes with every TLS connection. AMT version is 15.0.45.)

Hi! The team is aware of the deprecation for the AdminSetup path. This item is in our backlog to tackle as the Lunar Lake generation (CSME 19.0) gets a bit closer. We'll look to implement this flow in rpc-go for both remote and local activation paths.

Thank you for checking.
And the question is, what command should I use for setup within mTLS instead of AdminSetup?

I am attaching an issue that may be helpful.
The sample code I wrote has the implementations for Unconfiguration and StartConfigurationHBased.

AMTCertHash is incorrect and the certificate changes with each TLS request.

TLS Alert (Certificate Unknown) occurs during the Secure Host Based Configuration process.

Hi @jclab-joseph,
I'm also currently working through enabling this feature for RPC-Go in preparation for the AMT 19 release. Our current plan is to enable using this flow on existing AMT devices that support it (AMT 15 or newer). Since I'm still in the middle of development, I don't have a full working flow yet to show you with example code. However, I'm using these same links and can give you a high-level overview.

Secure Host Based Configuration over the local host works similarly to how remote configuration works when configuring AMT over a local network (not through the OS). An overview is provided here: https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fremoteconfigurationwithalocalagent.htm

and here:
https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fremotesetupandconfigurationflow.htm

For our purposes, anything that says "Legacy" or "Legacy out of band only" can be ignored as this is referencing the remote configuration flows that I mentioned above.

When you send the CFG_StartConfigurationHBased() call, this moves AMT into an "In-Provisioning" state. In this state, you set up AMT using the WSMAN class calls over port 16993 once TLS negotiation has completed. Some examples of calls that you'd likely want to make would be:

  • AMT_AuthorizationService.SetAdminAclEntryEx to set a new Admin digest password. Also, you can set up other digest or Kerberos accounts here using the other available methods.
  • AMT_GeneralSettings Get and Put to change the AMTNetworkEnabled value to turn on AMT on the local network

Essentially you set up the entire AMT configuration while in this mode, based on what you need. AMT will stay in this mode for 80 minutes (by default) and this can be extended using the AMT_SetupAndConfigurationService.ExtendProvisioningPeriod call.

Finally, you call AMT_SetupAndConfigurationService.SetMEBxPassword to set a new MEBx password and then AMT_SetupAndConfigurationService.CommitChanges() to finalize the configuration. If everything works, AMT will move to Post-Provisioning and be activated.

I sent a note to our Firmware team who owns the AMT Implementation and Reference Guide online documentation to see if they have a call flow example for activating into CCM and ACM. I couldn't find it when looking through this documentation.
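The sequence in the comment above (StartConfigurationHBased, then WSMAN calls over TLS on port 16993, then SetMEBxPassword and CommitChanges) and the hash-mismatch symptom from the opening post can both be exercised in a small simulation. The Go program below is an added example and is not code from this thread, from rpc-go, or from Intel: `fakeAMT` is a constructed stand-in for the firmware that tracks the Pre/In/Post-Provisioning states, the 80-minute window, and a pinned certificate hash; `certFingerprint` assumes SHA-256 over the DER encoding (the real AMTCertHash encoding is not stated in this thread); and the rule that CommitChanges refuses to run until both passwords are set is an assumption of the simulation, not a documented firmware rule. What it shows is the ordering of the calls, why a leaf certificate regenerated per connection fails the pinned-hash check, and how the window expiry and ExtendProvisioningPeriod interact.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// provState mirrors the three AMT provisioning states named in the thread.
type provState int

const (
	PreProvisioning provState = iota
	InProvisioning
	PostProvisioning
)

func (s provState) String() string {
	return [...]string{"Pre-Provisioning", "In-Provisioning", "Post-Provisioning"}[s]
}

// provisioningWindow is the 80-minute default quoted in the thread.
const provisioningWindow = 80 * time.Minute

// certFingerprint is the ASSUMED hash the host pins in StartConfigurationHBased:
// SHA-256 over the certificate's DER bytes. The real AMTCertHash encoding is not
// given in this thread, so treat this as a placeholder.
func certFingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

// fakeAMT is a constructed stand-in for the firmware (not Intel's or rpc-go's code).
type fakeAMT struct {
	state      provState
	pinnedHash [32]byte
	deadline   time.Time
	adminPass  string
	mebxPass   string
	networkOn  bool
	clock      func() time.Time // injectable so window expiry can be exercised
}

func newFakeAMT() *fakeAMT { return &fakeAMT{clock: time.Now} }

// StartConfigurationHBased pins the host certificate hash and enters In-Provisioning.
func (a *fakeAMT) StartConfigurationHBased(hash [32]byte) error {
	if a.state != PreProvisioning {
		return fmt.Errorf("StartConfigurationHBased rejected in state %s", a.state)
	}
	a.pinnedHash, a.state = hash, InProvisioning
	a.deadline = a.clock().Add(provisioningWindow)
	return nil
}

// session models one WSMAN call over TLS on port 16993. It is accepted only while
// In-Provisioning, before the window expires, and only if the certificate presented
// on the connection matches the pinned hash. A freshly generated leaf therefore
// fails here, which is the "certificate unknown" symptom reported in the thread.
func (a *fakeAMT) session(presentedDER []byte) error {
	if a.state != InProvisioning {
		return fmt.Errorf("WSMAN call rejected in state %s", a.state)
	}
	if a.clock().After(a.deadline) {
		a.state = PreProvisioning // constructed behaviour: an expired window abandons the setup
		return errors.New("provisioning period expired")
	}
	if certFingerprint(presentedDER) != a.pinnedHash {
		return errors.New("TLS alert: certificate unknown (hash mismatch)")
	}
	return nil
}

func (a *fakeAMT) SetAdminAclEntryEx(der []byte, pw string) error {
	if err := a.session(der); err != nil {
		return err
	}
	a.adminPass = pw
	return nil
}

func (a *fakeAMT) PutGeneralSettings(der []byte, networkEnabled bool) error {
	if err := a.session(der); err != nil {
		return err
	}
	a.networkOn = networkEnabled
	return nil
}

func (a *fakeAMT) ExtendProvisioningPeriod(der []byte, by time.Duration) error {
	if err := a.session(der); err != nil {
		return err
	}
	a.deadline = a.deadline.Add(by)
	return nil
}

func (a *fakeAMT) SetMEBxPassword(der []byte, pw string) error {
	if err := a.session(der); err != nil {
		return err
	}
	a.mebxPass = pw
	return nil
}

// CommitChanges finalises the setup. Requiring both passwords first is an
// assumption of this simulation, not a documented firmware rule.
func (a *fakeAMT) CommitChanges(der []byte) error {
	if err := a.session(der); err != nil {
		return err
	}
	if a.adminPass == "" || a.mebxPass == "" {
		return errors.New("commit refused: admin and MEBx passwords must be set first")
	}
	a.state = PostProvisioning
	return nil
}

// provisionHostBased runs the call sequence from the comment, in order, reusing
// ONE host certificate for every call instead of regenerating it per connection.
func provisionHostBased(amt *fakeAMT, hostDER []byte, adminPw, mebxPw string) error {
	steps := []func() error{
		func() error { return amt.StartConfigurationHBased(certFingerprint(hostDER)) },
		func() error { return amt.SetAdminAclEntryEx(hostDER, adminPw) },
		func() error { return amt.PutGeneralSettings(hostDER, true) },
		func() error { return amt.SetMEBxPassword(hostDER, mebxPw) },
		func() error { return amt.CommitChanges(hostDER) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			return err
		}
	}
	return nil
}

// newSelfSignedCert builds a throwaway ECDSA self-signed certificate in DER form.
func newSelfSignedCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "rpc-host-example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := newSelfSignedCert()
	amt := newFakeAMT()
	fmt.Println("flow error:", provisionHostBased(amt, der, "Admin!98", "MEBx!98"), "state:", amt.state)

	// Pin one certificate, then present a regenerated leaf on the next connection.
	other, _ := newSelfSignedCert()
	amt2 := newFakeAMT()
	_ = amt2.StartConfigurationHBased(certFingerprint(der))
	fmt.Println("regenerated leaf:", amt2.SetAdminAclEntryEx(other, "Admin!98"))
}
```

Running it prints a nil flow error with the device in Post-Provisioning, followed by the hash-mismatch error for the second device. The takeaway for an agent implementation is that whatever certificate is hashed for StartConfigurationHBased must be the same one presented on every subsequent TLS connection during the In-Provisioning window.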

@matt-primrose
Thank you so much!
I now know that CommitChanges completes the actual provisioning.