More work on Intel AMT provisioning server.

This commit is contained in:
Ylian Saint-Hilaire 2021-03-13 00:53:27 -08:00
parent f0c319e070
commit fb8ea438b2
5 changed files with 117 additions and 46 deletions


@ -40,7 +40,7 @@ var CreateAmtSetupBinStack = function () {
// - Setup.bin should always start with "CurrentMEBx Pwd", "newMebx Pwd", "manageability selection" (if present).
// Intel(R) AMT variable identifiers
// Type: 0 = Binar Stringy, 1 = Char, 2 = Short, 3 = Int
// Type: 0 = Binar String, 1 = Char, 2 = Short, 3 = Int
var AmtSetupBinVarIds =
{
1: {
@ -94,7 +94,7 @@ var CreateAmtSetupBinStack = function () {
{ 0: "Disabled", 1: "KVM", 255: "All" }],
27: [1, "Opt-in Remote IT Consent Policy", // 0 = Disabled, 1 = Enabled. Allows user consent to be configured remotely.
{ 0: "Disabled", 1: "Enabled" }],
28: [1, "ME Provision Halt Active", // 0 = Stop, 1 = Start. The "ME provisioning Halt/Activate" command must appear in the file only after "PKIDNSSuffix", "ConfigServerFQDN" and "Provisioning Server Address"
28: [1, "ME Provision Halt/Active", // 0 = Stop, 1 = Start. The "ME provisioning Halt/Activate" command must appear in the file only after "PKIDNSSuffix", "ConfigServerFQDN" and "Provisioning Server Address"
{ 0: "Stop", 1: "Start" }],
29: [1, "Manual Setup and Configuration", // 0 = Automated, 1 = Manual
{ 0: "Automated", 1: "Manual" }],
@ -134,11 +134,11 @@ var CreateAmtSetupBinStack = function () {
// RecordNumber(4) - uniquely identifies the record among all records in the file. The field contains a non-negative ordinal value. The value of this field is always zero in the Local Provisioning File Header Record.
// MajorVersion(1) - identifies the major version of the file format specification. This is a positive integer that is greater than or equal to 1. The Major Version number is incremented to indicate that changes have been introduced that will cause code written against a lower Major Version number to fail.
// MinorVersion(1) - identifies the minor version of the file format specification. This is an integer that is greater than or equal to 0. The Minor Version number is incremented to indicate that changes have been introduced that will not cause code written against the same Major Version and a lower Minor Version number to fail. The purpose of this behavior is to allow a single local provisioning file to be used for multiple generations of Intel® AMT platform.
// Flags (2) - File Flags, 1 = Do not consume records
// Flags (2) - file Flags, 1 = Do not consume records
// DataRecordCount(4) - indicates the total number of data records written in the file when it was created.
// DataRecordsConsumed(4) - is a counter value that begins at 0 and is incremented by 1 by each platform BIOS when it consumes a data record from the file. This value is used to determine the offset of the next data record in the file.
// DataRecordChunkCount(2) - contains the number of 512-byte chunks in each data record. All data records are the same length.
// Reserved (2) - Reserved
// Reserved (2) - reserved
// ModuleList - contains a list of module identifiers. A modules identifier appears in the list if and only if the data records contain entries for that module. Each module identifier is two bytes in length. The list is terminated by an identifier value of 0.
var obj = {}, UUID = file.substring(0, 16);
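Review bot: The typo fix on the type legend in the first hunk is incomplete — `// Type: 0 = Binar String, 1 = Char, 2 = Short, 3 = Int` still reads "Binar"; `// Type: 0 = Binary String, 1 = Char, 2 = Short, 3 = Int` is what the legend means. The enclosing CreateAmtSetupBinStack function starts and ends outside these hunks.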


@ -38,6 +38,7 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
socket.on('error', function (err) { })
socket.on('close', function () { if (this.data != null) { processHelloData(this.data, this.ra); } delete this.ra; this.removeAllListeners(); })
socket.on('data', function (data) {
console.log('HELLO:', data.toString('HEX'));
if (this.data == null) { this.data = data; } else { Buffer.concat([this.data, data]); }
var str = this.data.toString();
if (str.startsWith('GET ') && (str.indexOf('\r\n\r\n') >= 0)) {
@ -59,7 +60,8 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
// Example hello data for testing
//setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 500);
//setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 500);
//setTimeout(function () { processHelloData(Buffer.from('01000300000000004b529b93d413181de4871c697a6b7a2b180220c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4022045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda0220d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef402201465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65802202ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f502209acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df022016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0220960adf0063e96356750c2965dd0a0867da0b9cbd6e77714aeafb2349ab393da3022068ad50909b04363c605ef13581a939ff2c96372e3f12325b0a6861e1d59f660302206dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb177022073c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c022043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f33902202399561127a57125de8cefea610ddf2fa078b5c8067f4e828290bfb860e84b3c022070a73f7f376b60074248904534b11482d5bf0e698ecc498df52577ebf2e93b9a02204348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c701610220cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f022031ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d00220552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988022067540a47aa5b9f34570a99723cfefa96a96ee3f0d9b8bf4def9440b8065d665d0220a267c480b0b29056eb5e8aa7c93add804f5a7df516e969e77bcacafe8d45607902207224395222cd588c4f2683716922addb41e39b581ac34fa87b39efa896fbb39e0220cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0220179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c892402202cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69', 'hex'), '192.168.2.148'); }, 5000);
//setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.134'); }, 5000);
// Parse Intel AMT hello data
function parseHelloData(data, addr) {
@ -71,8 +73,8 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
const firstBytes = data.readInt16LE(0);
if (firstBytes > 1) return; // Invalid data
amtHello.adminCredentialsSet = (firstBytes != 0);
amtHello.version = data.readInt16LE(2);
if (amtHello.version != 3) return null; // One touch PID not supported, only version 3 supported.
amtHello.helloversion = data.readInt16LE(2);
if (amtHello.helloversion != 3) return null; // One touch PID not supported, only version 3 supported.
amtHello.retryCount = data.readInt32LE(4);
amtHello.guidhex = data.slice(8, 24).toString('hex');
amtHello.guid = guidToStr(amtHello.guidhex);
@ -110,9 +112,10 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if (dev == null) { parent.debug('amtsca', addr, 'Got invalid hello from: ' + addr); return; } // Invalid Intel AMT hello
parent.debug('amtsca', 'Got hello from ' + addr);
obj.devices[addr] = dev;
dev.aquired = {};
// Set device messages
dev.consoleMsg = function deviceConsoleMsg(msg) { parent.debug('amtsca', deviceConsoleMsg.dev.hostname ? deviceConsoleMsg.dev.hostname : deviceConsoleMsg.dev.addr, msg); return; }
dev.consoleMsg = function deviceConsoleMsg(msg) { parent.debug('amtsca', deviceConsoleMsg.dev.aquired.host ? deviceConsoleMsg.dev.aquired.host : deviceConsoleMsg.dev.addr, msg); return; }
dev.consoleMsg.dev = dev;
// Get assumed trusted FQDN and device group
@ -121,18 +124,19 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if ((mesh == null) || (mesh.mtype !== 1) || (typeof mesh.amt !== 'object') || (typeof mesh.amt.type !== 'number')) { dev.consoleMsg('Invalid device group for Intel AMT activation.'); return; }
if ((mesh.amt.type != 3) && (mesh.amt.type != 4)) { dev.consoleMsg('Device group does not have ACM activation policy.'); return; }
dev.mesh = mesh;
dev.meshid = mesh._id;
dev.domainid = mesh.domain;
// Compute the nodeid for this device using the device GUID
const g = dev.guid.split('-').join('');
const id = Buffer.from(g + g + g, 'hex').toString('base64');
const id = Buffer.from(g + g + g, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
dev.nodeid = 'node/' + mesh.domain + '/' + id;
// Attempts reverse DNS loopup on the device IP address
const func = function dnsReverseLoopup(err, hostnames) {
var hostname = dnsReverseLoopup.addr;
if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
dnsReverseLoopup.dev.hostname = hostname;
dnsReverseLoopup.dev.aquired.host = hostname;
processHelloDataEx1(dnsReverseLoopup.dev);
}
func.addr = addr;
@ -173,7 +177,7 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
// Setup a connection to the Intel AMT device
dev.consoleMsg('Launching TLS connection...');
var comm = CreateWsmanComm(dev.hostname, 16993, 'admin', '', 1, { cert: dev.certchain.certs.reverse().join(''), key: dev.certchain.signkey }); // Perform TLS connection
var comm = CreateWsmanComm(dev.aquired.host, 16993, 'admin', '', 1, { cert: dev.certchain.certs.reverse().join(''), key: dev.certchain.signkey }); // Perform TLS connection
comm.xtlsFingerprint = 0; // No Intel AMT certificate checking.
var wsstack = WsmanStackCreateService(comm);
dev.amtstack = AmtStackCreateService(wsstack);
@ -196,9 +200,9 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if (amtlogicalelements.length > 0) {
var vs = getInstance(amtlogicalelements, 'AMT')['VersionString'];
if (vs != null) {
dev.amtversionstr = vs;
dev.amtversion = parseInt(dev.amtversionstr.split('.')[0]);
dev.amtversionmin = parseInt(dev.amtversionstr.split('.')[1]);
dev.aquired.version = vs;
dev.aquired.versionmajor = parseInt(dev.aquired.version.split('.')[0]);
dev.aquired.versionminor = parseInt(dev.aquired.version.split('.')[1]);
}
}
}
@ -207,24 +211,24 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
if ((dev.amtversionstr == null) && (stack.wsman.comm.amtVersion != null)) {
var s = stack.wsman.comm.amtVersion.split('.');
if (s.length >= 3) {
dev.amtversionstr = s[0] + '.' + s[1] + '.' + s[2];
dev.amtversion = parseInt(s[0]);
dev.amtversionmin = parseInt(s[1]);
dev.aquired.version = s[0] + '.' + s[1] + '.' + s[2];
dev.aquired.versionmajor = parseInt(s[0]);
dev.aquired.versionminor = parseInt(s[1]);
}
}
// If we can't get the Intel AMT version, stop here.
if (dev.amtversionstr == null) { parent.debug('amtsca', dev.hostname, 'Could not get Intel AMT version.'); destroyDevice(dev); return; } // Could not get Intel AMT version, disconnect();
if (dev.aquired.version == null) { dev.consoleMsg('Could not get Intel AMT version.'); destroyDevice(dev); return; } // Could not get Intel AMT version, disconnect();
// Get the digest realm
if (responses['AMT_GeneralSettings'] && responses['AMT_GeneralSettings'].response && (typeof responses['AMT_GeneralSettings'].response['DigestRealm'] == 'string')) {
dev.realm = responses['AMT_GeneralSettings'].response['DigestRealm'];
dev.aquired.realm = responses['AMT_GeneralSettings'].response['DigestRealm'];
} else {
dev.consoleMsg('Could not get Intel AMT digest realm.'); destroyDevice(dev); return;
}
// Looks like we are doing well.
parent.debug('amtsca', dev.hostname, 'Succesful TLS connection, Intel AMT v' + dev.amtversionstr);
dev.consoleMsg('Succesful TLS connection, Intel AMT v' + dev.aquired.version);
// Set the new MEBx password
dev.consoleMsg('Setting MEBx password...');
@ -236,29 +240,28 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg('Failed to set MEBx password, status=' + status + '.'); destroyDevice(dev); return; }
parent.debug('amtsca', dev.hostname, 'MEBx password set. Setting admin password...');
dev.consoleMsg('MEBx password set. Setting admin password...');
// See what admin password to use
dev.pass = dev.mesh.amt.password;
if (dev.pass == null) { dev.pass = getRandomAmtPassword(); }
dev.aquired.user = 'admin';
dev.aquired.pass = dev.mesh.amt.password;
if (dev.aquired.pass == null) { dev.aquired.pass = getRandomAmtPassword(); }
// Set the admin password
dev.amtstack.AMT_AuthorizationService_SetAdminAclEntryEx('admin', hex_md5('admin:' + dev.realm + ':' + dev.pass), processHelloDataEx4);
dev.amtstack.AMT_AuthorizationService_SetAdminAclEntryEx(dev.aquired.user, hex_md5(dev.aquired.user + ':' + dev.aquired.realm + ':' + dev.aquired.pass), processHelloDataEx4);
}
// Response from setting admin password
function processHelloDataEx4(stack, name, responses, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { parent.debug('amtsca', dev.hostname, 'Failed to set admin password, status=' + status + '.'); destroyDevice(dev); return; }
parent.debug('amtsca', dev.hostname, 'Admin password set.');
if (status != 200) { dev.consoleMsg('Failed to set admin password, status=' + status + '.'); destroyDevice(dev); return; }
dev.consoleMsg('Admin password set.');
// Setup TLS and commit.
dev.intelamt = {};
dev.aquired = {};
attemptTlsSync(dev, function (dev) {
destroyDevice(dev)
dev.consoleMsg('Intel AMT ACM activation completed.');
destroyDevice(dev)
});
}
@ -407,8 +410,6 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
*/
// TLS already enabled, update device in the database
dev.consoleMsg("Intel AMT has TLS already enabled.");
dev.intelamt.tls = dev.aquired.tls = 1;
UpdateDevice(dev);
// Perform commit
dev.taskCount = 1;
@ -438,10 +439,11 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
dev.consoleMsg("Commited, holding 5 seconds...");
// Update device in the database
dev.intelamt.tls = dev.aquired.tls = 1;
dev.intelamt.hash = dev.aquired.hash = dev.aquired.xhash;
dev.aquired.tls = 1;
dev.aquired.hash = dev.aquired.xhash;
dev.aquired.state = 2; // Activated in ACM
delete dev.aquired.xhash;
UpdateDevice(dev);
if (UpdateDevice(dev) == false) return;
// Switch our communications to TLS (Restart our management of this node)
dev.switchToTls = 1;
@ -454,20 +456,89 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) {
});
}
// Update the device in the database
function UpdateDevice(dev) {
console.log('UpdateDevice', dev.intelamt);
}
// Do aggressive cleanup on the device
function destroyDevice(dev) {
delete obj.devices[dev.addr];
if (dev.amtstack != null) { delete dev.amtstack.dev; delete dev.amtstack; }
delete dev.guid;
delete dev.mesh;
delete dev.realm;
delete dev.meshid;
delete dev.aquired;
delete dev.guidhex;
delete dev.domainid;
delete dev.certchain;
delete dev.amtversionstr;
delete dev.retryCount;
delete dev.amtversion;
delete dev.amtversionmin;
delete dev.realm;
delete dev.amtversionstr;
}
// Update the device in the database and event any changes
function UpdateDevice(dev) {
// Check that the mesh exists
const mesh = parent.webserver.meshes[dev.meshid];
if (mesh == null) { destroyDevice(dev); return false; }
// Get the node and change it if needed
parent.db.Get(dev.nodeid, function (err, nodes) {
if ((nodes == null) || (nodes.length == 0)) {
// Add a new device
var devicename = dev.guid;
if (dev.addr != dev.aquired.host) { devicename = dev.aquired.host.split('.')[0]; }
var device = { type: 'node', _id: dev.nodeid, meshid: dev.meshid, name: devicename, host: dev.aquired.host, domain: dev.domainid, intelamt: { ver: dev.aquired.version, user: dev.aquired.user, pass: dev.aquired.pass, tls: dev.aquired.tls, state: 2, realm: dev.aquired.realm } };
if (dev.aquired.hash != null) { device.intelamt.hash = dev.aquired.hash; }
parent.db.Set(device);
// Event the new node
parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(dev.meshid, [dev.nodeid]), obj, { etype: 'node', action: 'addnode', node: parent.CloneSafeNode(device), msgid: 84, msgArgs: [devicename, mesh.name], msg: 'Added device ' + devicename + ' to device group ' + mesh.name, domain: domain.id });
} else {
// Update an existing device
const device = nodes[0];
var changes = [], change = 0, log = 0;
var domain = parent.config.domains[device.domain];
if (domain == null) return false;
// Check if anything changes
if (device.intelamt == null) { device.intelamt = {}; }
if ((typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
if ((typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
if ((typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
if ((typeof dev.aquired.mpspass == 'string') && (dev.aquired.mpspass != device.intelamt.mpspass)) { change = 1; log = 1; device.intelamt.mpspass = dev.aquired.mpspass; changes.push('AMT MPS pass'); }
if ((typeof dev.aquired.host == 'string') && (dev.aquired.host != device.intelamt.host)) { change = 1; log = 1; device.intelamt.host = dev.aquired.host; changes.push('AMT host'); }
if ((typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
if ((typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
if ((typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
if ((typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
// Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch, 8 = Trying credentials
if ((typeof dev.aquired.warn == 'number')) { if ((dev.aquired.warn == 0) && (device.intelamt.warn != null)) { delete device.intelamt.warn; change = 1; } else if (dev.aquired.warn != device.intelamt.warn) { device.intelamt.warn = dev.aquired.warn; change = 1; } }
// Update Intel AMT flags if needed
// dev.aquired.controlMode // 1 = CCM, 2 = ACM
// (node.intelamt.flags & 2) == CCM, (node.intelamt.flags & 4) == ACM
var flags = 0;
if (typeof device.intelamt.flags == 'number') { flags = device.intelamt.flags; }
if (dev.aquired.controlMode == 1) { if ((flags & 4) != 0) { flags -= 4; } if ((flags & 2) == 0) { flags += 2; } } // CCM
if (dev.aquired.controlMode == 2) { if ((flags & 4) == 0) { flags += 4; } if ((flags & 2) != 0) { flags -= 2; } } // ACM
if (device.intelamt.flags != flags) { change = 1; log = 1; device.intelamt.flags = flags; changes.push('AMT flags'); }
// If there are changes, event the new device
if (change == 1) {
// Save to the database
parent.db.Set(device);
// Event the node change
var event = { etype: 'node', action: 'changenode', nodeid: device._id, domain: domain.id, node: parent.webserver.CloneSafeNode(device) };
if (changes.length > 0) { event.msg = 'Changed device ' + device.name + ' from group ' + mesh.name + ': ' + changes.join(', '); }
if ((log == 0) || ((obj.agentInfo) && (obj.agentInfo.capabilities) && (obj.agentInfo.capabilities & 0x20)) || (changes.length == 0)) { event.nolog = 1; } // If this is a temporary device, don't log changes
if (parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(device.meshid, [device._id]), obj, event);
}
}
});
return true;
}
//
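Review bot: In the new UpdateDevice (hunk @ -454,20 +456,89), the add-new-device branch dereferences `domain.id` in the DispatchEvent call, but `domain` is only assigned in the else branch (`var domain = parent.config.domains[device.domain];`), so for a first-seen device the hoisted `var` is still undefined and building the event throws a TypeError. Resolving the domain once at the top of the db.Get callback fixes both paths: `const domain = parent.config.domains[dev.domainid]; if (domain == null) { destroyDevice(dev); return; }` (dev.domainid is the value the new record stores as `domain:`), with the `var domain` / `return false` pair in the else branch dropped. Note also that the `return false` inside the db.Get callback cannot reach the caller — UpdateDevice returns true unconditionally once the async lookup is issued, so the new `if (UpdateDevice(dev) == false) return;` at the commit site only covers the missing-mesh case. In the first hunk, `console.log('HELLO:', data.toString('HEX'));` prints the raw hello payload on every data event and bypasses the parent.debug('amtsca', ...) channel used everywhere else in this file; it reads like a leftover and should at least go through parent.debug. The outer CreateAmtProvisioningServer function starts outside these hunks.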


@ -375,9 +375,9 @@ module.exports.CertificateOperations = function (parent) {
var port = 9971;
if (typeof parent.config.settings.amtprovisioningserver.port == 'number') { port = parent.config.settings.amtprovisioningserver.port; }
// Figure out the provisioning server IP address
var ipaddr = '192.168.2.147'; // TODO
if (typeof parent.config.settings.amtprovisioningserver.ip == 'string') { ipaddr = parent.config.settings.amtprovisioningserver.ip; }
// Get the provisioning server IP address from the config file
if (typeof parent.config.settings.amtprovisioningserver.ip != 'string') return null;
var ipaddr = parent.config.settings.amtprovisioningserver.ip;
var ipaddrSplit = ipaddr.split('.');
var ipaddrStr = String.fromCharCode(parseInt(ipaddrSplit[3])) + String.fromCharCode(parseInt(ipaddrSplit[2])) + String.fromCharCode(parseInt(ipaddrSplit[1])) + String.fromCharCode(parseInt(ipaddrSplit[0]));
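Review bot: The new guard `if (typeof parent.config.settings.amtprovisioningserver.ip != 'string') return null;` only checks the type, while the lines that follow assume a dotted-quad IPv4 and index `ipaddrSplit[3]`; a hostname or IPv6 literal in the config gives `parseInt(undefined)` → NaN, and `String.fromCharCode(NaN)` silently folds a zero byte into `ipaddrStr` instead of failing. A shape check after the split closes that: `if (require('net').isIPv4(ipaddr) == false) return null;` (or an equivalent `ipaddrSplit.length != 4` test if `net` is not already loaded in this module). The enclosing function starts and ends outside the hunk.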


@ -1650,7 +1650,7 @@ function CreateMeshCentralServer(config, args) {
});
// Setup Intel AMT hello server
if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string')) {
if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string') && (typeof config.settings.amtprovisioningserver.ip == 'string')) {
obj.amtProvisioningServer = require('./amtprovisioningserver').CreateAmtProvisioningServer(obj, config.settings.amtprovisioningserver);
}


@ -4912,7 +4912,7 @@
for (var d in nodes) { nodes[d].v = (nodes[d].intelamt != null) && ((amtSearch == '') || (nodes[d].intelamt.state == amtSearch)); }
} else if (descSearch != null) {
// Device description search
for (var d in nodes) { nodes[d].v = (nodes[d].desc != null) && (nodes[d].desc != '') && ((descSearch == '') || (nodes[d].desc.indexOf(descSearch) >= 0)); }
for (var d in nodes) { nodes[d].v = (nodes[d].desc != null) && (nodes[d].desc != '') && ((descSearch == '') || (nodes[d].desc.toLowerCase().indexOf(descSearch) >= 0)); }
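Review bot: The new `toLowerCase()` on `nodes[d].desc` only makes the search case-insensitive if `descSearch` is itself already lower-cased where it is derived, which is outside this hunk; if it is not, a mixed-case search term now never matches. Either confirm that at the parse site or normalize both sides here: `nodes[d].desc.toLowerCase().indexOf(descSearch.toLowerCase()) >= 0`. The enclosing function starts and ends outside the hunk.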
} else if (wscSearch != null) {
// Windows Security Center
for (var d in nodes) {