From fb8ea438b26282e77a87c6aad2cd78f959396620 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Sat, 13 Mar 2021 00:53:27 -0800 Subject: [PATCH] More work on Intel AMT provisioning server. --- amt/amt-setupbin.js | 8 +-- amtprovisioningserver.js | 145 +++++++++++++++++++++++++++++---------- certoperations.js | 6 +- meshcentral.js | 2 +- views/default.handlebars | 2 +- 5 files changed, 117 insertions(+), 46 deletions(-) diff --git a/amt/amt-setupbin.js b/amt/amt-setupbin.js index 12170f7e..cc37ecc2 100644 --- a/amt/amt-setupbin.js +++ b/amt/amt-setupbin.js @@ -40,7 +40,7 @@ var CreateAmtSetupBinStack = function () { // - Setup.bin should always start with "CurrentMEBx Pwd", "newMebx Pwd", "manageability selection" (if present). // Intel(R) AMT variable identifiers - // Type: 0 = Binar Stringy, 1 = Char, 2 = Short, 3 = Int + // Type: 0 = Binar String, 1 = Char, 2 = Short, 3 = Int var AmtSetupBinVarIds = { 1: { @@ -94,7 +94,7 @@ var CreateAmtSetupBinStack = function () { { 0: "Disabled", 1: "KVM", 255: "All" }], 27: [1, "Opt-in Remote IT Consent Policy", // 0 = Disabled, 1 = Enabled. Allows user consent to be configured remotely. { 0: "Disabled", 1: "Enabled" }], - 28: [1, "ME Provision Halt Active", // 0 = Stop, 1 = Start. The "ME provisioning Halt/Activate" command must appear in the file only after "PKIDNSSuffix", "ConfigServerFQDN" and "Provisioning Server Address" + 28: [1, "ME Provision Halt/Active", // 0 = Stop, 1 = Start. The "ME provisioning Halt/Activate" command must appear in the file only after "PKIDNSSuffix", "ConfigServerFQDN" and "Provisioning Server Address" { 0: "Stop", 1: "Start" }], 29: [1, "Manual Setup and Configuration", // 0 = Automated, 1 = Manual { 0: "Automated", 1: "Manual" }], 
@@ -134,11 +134,11 @@ var CreateAmtSetupBinStack = function () { // RecordNumber(4) - uniquely identifies the record among all records in the file. The field contains a non-negative ordinal value. The value of this field is always zero in the Local Provisioning File Header Record. // MajorVersion(1) - identifies the major version of the file format specification. This is a positive integer that is greater than or equal to 1. The Major Version number is incremented to indicate that changes have been introduced that will cause code written against a lower Major Version number to fail. // MinorVersion(1) - identifies the minor version of the file format specification. This is an integer that is greater than or equal to 0. The Minor Version number is incremented to indicate that changes have been introduced that will not cause code written against the same Major Version and a lower Minor Version number to fail. The purpose of this behavior is to allow a single local provisioning file to be used for multiple generations of Intel® AMT platform. - // Flags (2) - File Flags, 1 = Do not consume records + // Flags (2) - file Flags, 1 = Do not consume records // DataRecordCount(4) - indicates the total number of data records written in the file when it was created. // DataRecordsConsumed(4) - is a counter value that begins at 0 and is incremented by 1 by each platform BIOS when it consumes a data record from the file. This value is used to determine the offset of the next data record in the file. // DataRecordChunkCount(2) - contains the number of 512-byte chunks in each data record. All data records are the same length. - // Reserved (2) - Reserved + // Reserved (2) - reserved // ModuleList - contains a list of module identifiers. A module’s identifier appears in the list if and only if the data records contain entries for that module. Each module identifier is two bytes in length. The list is terminated by an identifier value of 0. 
var obj = {}, UUID = file.substring(0, 16); diff --git a/amtprovisioningserver.js b/amtprovisioningserver.js index 65a48450..a8785f91 100644 --- a/amtprovisioningserver.js +++ b/amtprovisioningserver.js @@ -38,6 +38,7 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { socket.on('error', function (err) { }) socket.on('close', function () { if (this.data != null) { processHelloData(this.data, this.ra); } delete this.ra; this.removeAllListeners(); }) socket.on('data', function (data) { + console.log('HELLO:', data.toString('HEX')); if (this.data == null) { this.data = data; } else { Buffer.concat([this.data, data]); } var str = this.data.toString(); if (str.startsWith('GET ') && (str.indexOf('\r\n\r\n') >= 0)) { @@ -59,7 +60,8 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { // Example hello data for testing //setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 500); - //setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 500); + //setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.148'); }, 5000); + //setTimeout(function () { processHelloData(Buffer.from('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', 'hex'), '192.168.2.134'); }, 5000); // Parse Intel AMT hello data function parseHelloData(data, addr) { 
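Review bot: The added `console.log('HELLO:', data.toString('HEX'))` in the `socket.on('data', …)` handler writes every byte received on the provisioning port to stdout unconditionally, bypassing the `parent.debug('amtsca', …)` channel the rest of this file uses; the payload includes the device GUID that `parseHelloData` extracts and whatever else an unauthenticated peer chooses to send, so gate it: `parent.debug('amtsca', 'Hello data from ' + this.ra + ': ' + data.toString('hex'));`. The pre-existing context line just below it, `Buffer.concat([this.data, data]);`, discards its result, so a hello that arrives in more than one TCP segment is never reassembled — `this.data = Buffer.concat([this.data, data]);` is presumably what was intended. The handler continues past the end of the hunk.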
@@ -71,8 +73,8 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { const firstBytes = data.readInt16LE(0); if (firstBytes > 1) return; // Invalid data amtHello.adminCredentialsSet = (firstBytes != 0); - amtHello.version = data.readInt16LE(2); - if (amtHello.version != 3) return null; // One touch PID not supported, only version 3 supported. + amtHello.helloversion = data.readInt16LE(2); + if (amtHello.helloversion != 3) return null; // One touch PID not supported, only version 3 supported. amtHello.retryCount = data.readInt32LE(4); amtHello.guidhex = data.slice(8, 24).toString('hex'); amtHello.guid = guidToStr(amtHello.guidhex); @@ -110,9 +112,10 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { if (dev == null) { parent.debug('amtsca', addr, 'Got invalid hello from: ' + addr); return; } // Invalid Intel AMT hello parent.debug('amtsca', 'Got hello from ' + addr); obj.devices[addr] = dev; + dev.aquired = {}; // Set device messages - dev.consoleMsg = function deviceConsoleMsg(msg) { parent.debug('amtsca', deviceConsoleMsg.dev.hostname ? deviceConsoleMsg.dev.hostname : deviceConsoleMsg.dev.addr, msg); return; } + dev.consoleMsg = function deviceConsoleMsg(msg) { parent.debug('amtsca', deviceConsoleMsg.dev.aquired.host ? deviceConsoleMsg.dev.aquired.host : deviceConsoleMsg.dev.addr, msg); return; } dev.consoleMsg.dev = dev; // Get assumed trusted FQDN and device group 
@@ -121,18 +124,19 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { if ((mesh == null) || (mesh.mtype !== 1) || (typeof mesh.amt !== 'object') || (typeof mesh.amt.type !== 'number')) { dev.consoleMsg('Invalid device group for Intel AMT activation.'); return; } if ((mesh.amt.type != 3) && (mesh.amt.type != 4)) { dev.consoleMsg('Device group does not have ACM activation policy.'); return; } dev.mesh = mesh; + dev.meshid = mesh._id; dev.domainid = mesh.domain; // Compute the nodeid for this device using the device GUID const g = dev.guid.split('-').join(''); - const id = Buffer.from(g + g + g, 'hex').toString('base64'); + const id = Buffer.from(g + g + g, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$'); dev.nodeid = 'node/' + mesh.domain + '/' + id; // Attempts reverse DNS loopup on the device IP address const func = function dnsReverseLoopup(err, hostnames) { var hostname = dnsReverseLoopup.addr; if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; } - dnsReverseLoopup.dev.hostname = hostname; + dnsReverseLoopup.dev.aquired.host = hostname; processHelloDataEx1(dnsReverseLoopup.dev); } func.addr = addr; @@ -173,7 +177,7 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { // Setup a connection to the Intel AMT device dev.consoleMsg('Launching TLS connection...'); - var comm = CreateWsmanComm(dev.hostname, 16993, 'admin', '', 1, { cert: dev.certchain.certs.reverse().join(''), key: dev.certchain.signkey }); // Perform TLS connection + var comm = CreateWsmanComm(dev.aquired.host, 16993, 'admin', '', 1, { cert: dev.certchain.certs.reverse().join(''), key: dev.certchain.signkey }); // Perform TLS connection comm.xtlsFingerprint = 0; // No Intel AMT certificate checking. var wsstack = WsmanStackCreateService(comm); dev.amtstack = AmtStackCreateService(wsstack); 
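Review bot: `CreateWsmanComm(dev.aquired.host, 16993, …)` dials the name returned by the reverse-DNS lookup in the earlier hunk rather than `dev.addr`, the address the hello actually came from, while `comm.xtlsFingerprint = 0` disables certificate checking on that connection. The hello is unauthenticated and a PTR record is not something the sender proves control of, so a spoofed or stale reverse entry would steer the MEBx password and the admin digest hash that later steps send into a host that never sent the hello, with nothing on this side detecting the substitution. If the address works for the TLS connection, connect to `dev.addr` and keep `dev.aquired.host` for naming only; otherwise at least check that the resolved name resolves back to `dev.addr` before using it. The lookup callback and `processHelloDataEx1` start outside this hunk.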
@@ -196,9 +200,9 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { if (amtlogicalelements.length > 0) { var vs = getInstance(amtlogicalelements, 'AMT')['VersionString']; if (vs != null) { - dev.amtversionstr = vs; - dev.amtversion = parseInt(dev.amtversionstr.split('.')[0]); - dev.amtversionmin = parseInt(dev.amtversionstr.split('.')[1]); + dev.aquired.version = vs; + dev.aquired.versionmajor = parseInt(dev.aquired.version.split('.')[0]); + dev.aquired.versionminor = parseInt(dev.aquired.version.split('.')[1]); } } } 
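Review bot: Style: the two `parseInt(dev.aquired.version.split('.')[n])` calls that populate `versionmajor` and `versionminor` pass no radix; write `parseInt(…, 10)` so the intent is explicit. `VersionString` comes from the device, so a non-numeric first component leaves `versionmajor` as `NaN` — a `Number.isNaN` check before the value is relied on later would make that failure visible rather than silent. The surrounding `if` chain continues outside the hunk.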
@@ -207,24 +211,24 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { if ((dev.amtversionstr == null) && (stack.wsman.comm.amtVersion != null)) { var s = stack.wsman.comm.amtVersion.split('.'); if (s.length >= 3) { - dev.amtversionstr = s[0] + '.' + s[1] + '.' + s[2]; - dev.amtversion = parseInt(s[0]); - dev.amtversionmin = parseInt(s[1]); + dev.aquired.version = s[0] + '.' + s[1] + '.' + s[2]; + dev.aquired.versionmajor = parseInt(s[0]); + dev.aquired.versionminor = parseInt(s[1]); } } // If we can't get the Intel AMT version, stop here. - if (dev.amtversionstr == null) { parent.debug('amtsca', dev.hostname, 'Could not get Intel AMT version.'); destroyDevice(dev); return; } // Could not get Intel AMT version, disconnect(); + if (dev.aquired.version == null) { dev.consoleMsg('Could not get Intel AMT version.'); destroyDevice(dev); return; } // Could not get Intel AMT version, disconnect(); // Get the digest realm if (responses['AMT_GeneralSettings'] && responses['AMT_GeneralSettings'].response && (typeof responses['AMT_GeneralSettings'].response['DigestRealm'] == 'string')) { - dev.realm = responses['AMT_GeneralSettings'].response['DigestRealm']; + dev.aquired.realm = responses['AMT_GeneralSettings'].response['DigestRealm']; } else { dev.consoleMsg('Could not get Intel AMT digest realm.'); destroyDevice(dev); return; } // Looks like we are doing well. - parent.debug('amtsca', dev.hostname, 'Succesful TLS connection, Intel AMT v' + dev.amtversionstr); + dev.consoleMsg('Succesful TLS connection, Intel AMT v' + dev.aquired.version); // Set the new MEBx password dev.consoleMsg('Setting MEBx password...'); 
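Review bot: The context line `if ((dev.amtversionstr == null) && (stack.wsman.comm.amtVersion != null))` still tests the old field name; this commit moves the value to `dev.aquired.version` and nothing sets `dev.amtversionstr` any more, so the fallback now runs whenever `comm.amtVersion` is present and overwrites the version just parsed from `VersionString` in the previous hunk. Change it to `if ((dev.aquired.version == null) && (stack.wsman.comm.amtVersion != null)) {`. Minor: the log string `'Succesful TLS connection, …'` is misspelled (`Successful`). `processHelloDataEx2` starts before this hunk.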
@@ -236,29 +240,28 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { const dev = stack.dev; if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. if (status != 200) { dev.consoleMsg('Failed to set MEBx password, status=' + status + '.'); destroyDevice(dev); return; } - parent.debug('amtsca', dev.hostname, 'MEBx password set. Setting admin password...'); + dev.consoleMsg('MEBx password set. Setting admin password...'); // See what admin password to use - dev.pass = dev.mesh.amt.password; - if (dev.pass == null) { dev.pass = getRandomAmtPassword(); } + dev.aquired.user = 'admin'; + dev.aquired.pass = dev.mesh.amt.password; + if (dev.aquired.pass == null) { dev.aquired.pass = getRandomAmtPassword(); } // Set the admin password - dev.amtstack.AMT_AuthorizationService_SetAdminAclEntryEx('admin', hex_md5('admin:' + dev.realm + ':' + dev.pass), processHelloDataEx4); + dev.amtstack.AMT_AuthorizationService_SetAdminAclEntryEx(dev.aquired.user, hex_md5(dev.aquired.user + ':' + dev.aquired.realm + ':' + dev.aquired.pass), processHelloDataEx4); } // Response from setting admin password function processHelloDataEx4(stack, name, responses, status) { const dev = stack.dev; if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. - if (status != 200) { parent.debug('amtsca', dev.hostname, 'Failed to set admin password, status=' + status + '.'); destroyDevice(dev); return; } - parent.debug('amtsca', dev.hostname, 'Admin password set.'); + if (status != 200) { dev.consoleMsg('Failed to set admin password, status=' + status + '.'); destroyDevice(dev); return; } + dev.consoleMsg('Admin password set.'); // Setup TLS and commit. - dev.intelamt = {}; - dev.aquired = {}; attemptTlsSync(dev, function (dev) { - destroyDevice(dev) dev.consoleMsg('Intel AMT ACM activation completed.'); + destroyDevice(dev) }); } 
@@ -407,8 +410,6 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { */ // TLS already enabled, update device in the database dev.consoleMsg("Intel AMT has TLS already enabled."); - dev.intelamt.tls = dev.aquired.tls = 1; - UpdateDevice(dev); // Perform commit dev.taskCount = 1; @@ -438,10 +439,11 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { dev.consoleMsg("Commited, holding 5 seconds..."); // Update device in the database - dev.intelamt.tls = dev.aquired.tls = 1; - dev.intelamt.hash = dev.aquired.hash = dev.aquired.xhash; + dev.aquired.tls = 1; + dev.aquired.hash = dev.aquired.xhash; + dev.aquired.state = 2; // Activated in ACM delete dev.aquired.xhash; - UpdateDevice(dev); + if (UpdateDevice(dev) == false) return; // Switch our communications to TLS (Restart our management of this node) dev.switchToTls = 1; 
@@ -454,20 +456,89 @@ module.exports.CreateAmtProvisioningServer = function (parent, config) { }); } - // Update the device in the database - function UpdateDevice(dev) { - console.log('UpdateDevice', dev.intelamt); - } - // Do aggressive cleanup on the device function destroyDevice(dev) { delete obj.devices[dev.addr]; if (dev.amtstack != null) { delete dev.amtstack.dev; delete dev.amtstack; } + delete dev.guid; + delete dev.mesh; + delete dev.realm; + delete dev.meshid; + delete dev.aquired; + delete dev.guidhex; + delete dev.domainid; delete dev.certchain; - delete dev.amtversionstr; + delete dev.retryCount; delete dev.amtversion; delete dev.amtversionmin; - delete dev.realm; + delete dev.amtversionstr; + } + + // Update the device in the database and event any changes + function UpdateDevice(dev) { + // Check that the mesh exists + const mesh = parent.webserver.meshes[dev.meshid]; + if (mesh == null) { destroyDevice(dev); return false; } + + // Get the node and change it if needed + parent.db.Get(dev.nodeid, function (err, nodes) { + if ((nodes == null) || (nodes.length == 0)) { + // Add a new device + var devicename = dev.guid; + if (dev.addr != dev.aquired.host) { devicename = dev.aquired.host.split('.')[0]; } + var device = { type: 'node', _id: dev.nodeid, meshid: dev.meshid, name: devicename, host: dev.aquired.host, domain: dev.domainid, intelamt: { ver: dev.aquired.version, user: dev.aquired.user, pass: dev.aquired.pass, tls: dev.aquired.tls, state: 2, realm: dev.aquired.realm } }; + if (dev.aquired.hash != null) { device.intelamt.hash = dev.aquired.hash; } + parent.db.Set(device); + + // Event the new node + parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(dev.meshid, [dev.nodeid]), obj, { etype: 'node', action: 'addnode', node: parent.CloneSafeNode(device), msgid: 84, msgArgs: [devicename, mesh.name], msg: 'Added device ' + devicename + ' to device group ' + mesh.name, domain: domain.id }); + } else { + // Update an existing device + const 
device = nodes[0]; + var changes = [], change = 0, log = 0; + var domain = parent.config.domains[device.domain]; + if (domain == null) return false; + + // Check if anything changes + if (device.intelamt == null) { device.intelamt = {}; } + if ((typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); } + if ((typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); } + if ((typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); } + if ((typeof dev.aquired.mpspass == 'string') && (dev.aquired.mpspass != device.intelamt.mpspass)) { change = 1; log = 1; device.intelamt.mpspass = dev.aquired.mpspass; changes.push('AMT MPS pass'); } + if ((typeof dev.aquired.host == 'string') && (dev.aquired.host != device.intelamt.host)) { change = 1; log = 1; device.intelamt.host = dev.aquired.host; changes.push('AMT host'); } + if ((typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); } + if ((typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); } + if ((typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); } + if ((typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); } + + // Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 
= TLS Cert Mismatch, 8 = Trying credentials + if ((typeof dev.aquired.warn == 'number')) { if ((dev.aquired.warn == 0) && (device.intelamt.warn != null)) { delete device.intelamt.warn; change = 1; } else if (dev.aquired.warn != device.intelamt.warn) { device.intelamt.warn = dev.aquired.warn; change = 1; } } + + // Update Intel AMT flags if needed + // dev.aquired.controlMode // 1 = CCM, 2 = ACM + // (node.intelamt.flags & 2) == CCM, (node.intelamt.flags & 4) == ACM + var flags = 0; + if (typeof device.intelamt.flags == 'number') { flags = device.intelamt.flags; } + if (dev.aquired.controlMode == 1) { if ((flags & 4) != 0) { flags -= 4; } if ((flags & 2) == 0) { flags += 2; } } // CCM + if (dev.aquired.controlMode == 2) { if ((flags & 4) == 0) { flags += 4; } if ((flags & 2) != 0) { flags -= 2; } } // ACM + if (device.intelamt.flags != flags) { change = 1; log = 1; device.intelamt.flags = flags; changes.push('AMT flags'); } + + // If there are changes, event the new device + if (change == 1) { + // Save to the database + parent.db.Set(device); + + // Event the node change + var event = { etype: 'node', action: 'changenode', nodeid: device._id, domain: domain.id, node: parent.webserver.CloneSafeNode(device) }; + if (changes.length > 0) { event.msg = 'Changed device ' + device.name + ' from group ' + mesh.name + ': ' + changes.join(', '); } + if ((log == 0) || ((obj.agentInfo) && (obj.agentInfo.capabilities) && (obj.agentInfo.capabilities & 0x20)) || (changes.length == 0)) { event.nolog = 1; } // If this is a temporary device, don't log changes + if (parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come. + parent.DispatchEvent(parent.webserver.CreateMeshDispatchTargets(device.meshid, [device._id]), obj, event); + } + } + }); + + return true; } // diff --git a/certoperations.js b/certoperations.js index 3b906432..fa2dc02c 100644 --- a/certoperations.js +++ b/certoperations.js 
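Review bot: In the add-new-device branch of `UpdateDevice`, the `DispatchEvent` call reads `domain.id`, but `domain` is only assigned in the else branch (`var domain = parent.config.domains[device.domain]`), so on this path it is the hoisted, still-undefined `var` and the call throws a TypeError after `parent.db.Set(device)` has already written the node; use `domain: dev.domainid` there. The two branches also clone the node through different helpers (`parent.CloneSafeNode` vs `parent.webserver.CloneSafeNode`) — I cannot see which exists, but they should agree — and `obj.agentInfo` in the nolog test looks carried over from the agent code path, since `obj` here is the provisioning server. Separately, `return true` is reached before the `parent.db.Get` callback runs, so the caller's `if (UpdateDevice(dev) == false) return;` only catches the missing-mesh case and the switch to TLS proceeds whether or not the node was persisted.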
@@ -375,9 +375,9 @@ module.exports.CertificateOperations = function (parent) { var port = 9971; if (typeof parent.config.settings.amtprovisioningserver.port == 'number') { port = parent.config.settings.amtprovisioningserver.port; } - // Figure out the provisioning server IP address - var ipaddr = '192.168.2.147'; // TODO - if (typeof parent.config.settings.amtprovisioningserver.ip == 'string') { ipaddr = parent.config.settings.amtprovisioningserver.ip; } + // Get the provisioning server IP address from the config file + if (typeof parent.config.settings.amtprovisioningserver.ip != 'string') return null; + var ipaddr = parent.config.settings.amtprovisioningserver.ip; var ipaddrSplit = ipaddr.split('.'); var ipaddrStr = String.fromCharCode(parseInt(ipaddrSplit[3])) + String.fromCharCode(parseInt(ipaddrSplit[2])) + String.fromCharCode(parseInt(ipaddrSplit[1])) + String.fromCharCode(parseInt(ipaddrSplit[0])); diff --git a/meshcentral.js b/meshcentral.js index 2c94c1de..656c2b17 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -1650,7 +1650,7 @@ function CreateMeshCentralServer(config, args) { }); // Setup Intel AMT hello server - if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string')) { + if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string') && (typeof config.settings.amtprovisioningserver.ip == 'string')) { obj.amtProvisioningServer = require('./amtprovisioningserver').CreateAmtProvisioningServer(obj, config.settings.amtprovisioningserver); } 
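Review bot: After the new `typeof … ip != 'string'` check, `ipaddr.split('.')` and `parseInt(ipaddrSplit[n])` still run with no check that the config value is a dotted-quad IPv4 address; a hostname, an IPv6 literal or a typo yields `undefined`/`NaN` octets and `String.fromCharCode(NaN)` silently produces `\u0000` bytes in the encoded value instead of an error. Since this value presumably ends up in the provisioning certificate, reject it up front with `if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(ipaddr)) return null;` (or `net.isIPv4(ipaddr)` if `net` is already required in this file) and pass a radix of 10 to `parseInt`. The enclosing function starts and ends outside the hunk.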
diff --git a/views/default.handlebars b/views/default.handlebars index 1ee4c5ac..5b4cc232 100644 --- a/views/default.handlebars +++ b/views/default.handlebars @@ -4912,7 +4912,7 @@ for (var d in nodes) { nodes[d].v = (nodes[d].intelamt != null) && ((amtSearch == '') || (nodes[d].intelamt.state == amtSearch)); } } else if (descSearch != null) { // Device description search - for (var d in nodes) { nodes[d].v = (nodes[d].desc != null) && (nodes[d].desc != '') && ((descSearch == '') || (nodes[d].desc.indexOf(descSearch) >= 0)); } + for (var d in nodes) { nodes[d].v = (nodes[d].desc != null) && (nodes[d].desc != '') && ((descSearch == '') || (nodes[d].desc.toLowerCase().indexOf(descSearch) >= 0)); } } else if (wscSearch != null) { // Windows Security Center for (var d in nodes) {