@@ -69,46 +69,126 @@ One you do that, reboot and you are on your way.
6969amtctrl
7070-------
7171
72- The ``amt `` library installs a binary ``amtctrl `` for working with AMT
73- enabled machines.
72+ The ``amt `` library installs binaries ``amtctrl `` and `` amthostdb `` for working
73+ with AMT enabled machines.
7474
7575machine enrollment
7676~~~~~~~~~~~~~~~~~~
7777
78- To simplify the control commands ``amtcrtl `` has a machine
78+ To simplify the control commands ``amthostdb `` has a machine
7979registry. New machines are added via:
8080
81- amtctrl add <name> <address> <amtpassword>
81+ amthostdb add <name> <address> <amtpassword>
8282
8383You can see a list of all machines with:
8484
85- amtctrl list
85+ amthostdb list
8686
8787And remove an existing machine with:
8888
89- amtctrl rm <name>
89+ amthostdb rm <name>
9090
9191
9292controlling machines
9393~~~~~~~~~~~~~~~~~~~~
9494
9595Once machines are controlled you have a number of options exposed:
9696
97- amtctrl <name> <command>
97+ amtctrl <name> <command> [subcommand] [arguments]
9898
9999Command is one of:
100100
101- * on - power on the machine
101+ * power on - power on the machine
102102
103- * off - power off the machine
103+ * power off - power off the machine
104104
105- * reboot - power cycle the machine
105+ * power reboot - power cycle the machine
106+
107+ * power status - return power status as an ugly CIM blob (TODO: make this better)
106108
107109* pxeboot - set the machine to pxeboot the next time it reboots, and
108110 reboot the machine. This is extremely useful if you have install
109111 automation on pxeboot.
110112
111- * status - return power status as an ugly CIM blob (TODO: make this better)
113+ * pki list certs - list PKI certificates
114+
115+ * pki list keys - list PKI keys
116+
117+ * pki add cert <filename> - add PKI certificate
118+
119+ * pki add cert -t <filename> - add trusted PKI certificate
120+
121+ * pki add key <filename> - add PKI RSA key
122+
123+ * pki generate 2048 - generate 2048-bit PKI RSA key
124+
125+ * pki request <filename> <id> - sign a PKI CSR
126+
127+ * pki rm cert <id> - remove PKI certificate
128+
129+ * pki rm key <id> - remove PKI key
130+
131+ * pki tls <id> - configure TLS to use PKI key
132+
133+ * time - set AMT system time
134+
135+ * tls enable -r <-s|-p> [-m] [-c <common name>] - configure and enable remote TLS
136+ (with/without mutual authentication, with/without allowing plaintext)
137+
138+ * tls enable -l - configure and enable local TLS
139+
140+ * tls status - get current TLS settings
141+
142+ * tls disable -r - disable remote TLS
143+
144+ * tls disable -l - disable local TLS
145+
146+ * uuid - get AMT system UUID
147+
148+ * version - get AMT version
149+
150+
151+ configuring TLS
152+ ~~~~~~~~~~~~~~~
153+
154+ The AMT supports 2048-bit keys for end-entity certificates and 4096-bit keys for
155+ certificate authorities/intermediate certificates. It supports SHA512 hashes.
156+
157+ Various actions will not work without taking appropriate steps:
158+
159+ * TLS cannot be enabled until it is configured
160+ * Certificates and keys in active use for TLS cannot be removed
161+ (this includes all trusted certificates when mutual authentication is enabled)
162+
163+ Client certificates must have extended key usage ``1.3.6.1.5.5.7.3.2 ``
164+ (TLS Web Client Authentication) and ``2.16.840.1.113741.1.2.1 `` (Intel AMT Remote Console).
165+
166+ Configuring the supported Common Names (``tls enable -c ... -c ... -c ... ``) is optional.
167+
168+ Repeatedly updating the certificate (e.g. using Let's Encrypt) may wear out the
169+ AMT flash. Use your own root CA.
170+
171+ Configuring a Certificate Recovation List is not supported by this application.
172+
173+ Be careful not to prevent yourself from accessing the AMT while configuring TLS,
174+ i.e. allow plaintext while making changes until TLS has been tested.
175+
176+ 1. Generate a key with ``amtctrl ... pki generate 2048 ``
177+ 2. Get it with ``amtctrl ... pki list keys `` and save to ``amt_rsa_public_key.pem ``
178+ 3. Convert it to a generic public key with ``openssl rsa -RSAPublicKey_in -in amt_rsa_public_key.pem -pubout -out amt_public_key.pem ``
179+ 4. Create a CSR with ``openssl genrsa | openssl x509 -x509toreq -new -subj /CN=example.com -signkey /dev/stdin -force_pubkey amt_public_key.pem -out amt_csr.pem ``
180+ (requires OpenSSL 3.0.0+)
181+ 5. Use ``amtctrl ... pki request amt_csr.pem <id> `` to get the AMT to sign the CSR
182+ 6. Issue a certificate from your CA using the CSR
183+ 7. Import the certificate with ``amtctrl ... pki add cert amt_cert.pem ``
184+ 8. Configure the new certificate to be used with TLS with ``amtctrl ... pki tls <id> ``
185+ 9. Enable TLS (allowing plaintext) with ``amtctrl ... tls enable -r -l -p ``
186+ 10. Test HTTPS access, using ``amthostdb `` to configure the root CA
187+ 11. Enable TLS (disallowing plaintext) with ``amtctrl ... tls enable -r -l -s ``
188+ 12. Use ``amtctrl ... pki add cert -t root_ca.pem `` to import the root CA for client authentication
189+ 13. Enable TLS (allowing plaintext) with ``amtctrl ... tls enable -r -l -p -m ``
190+ 14. Test HTTPS access, using ``amthostdb `` to configure the root CA, user key and user cert
191+ 15. Enable TLS (disallowing plaintext) with ``amtctrl ... tls enable -r -l -s -m ``
112192
113193Futures
114194-------
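Review bot: "Recovation" at new line 171 should read "Revocation" (Certificate Revocation List). In the same "configuring TLS" section, the command list at line 131 describes ``pki tls <id>`` as "configure TLS to use PKI key" while step 8 describes the same command as selecting the new certificate; the two descriptions should agree on whether ``<id>`` names a key or a certificate. Steps 9 and 13 deliberately leave plaintext enabled (``-p``) until TLS is tested, which is sensible, but steps 11 and 15 should end with a ``tls status`` check so the reader confirms plaintext is actually off before relying on it. Finally, the unchanged line 95 "Once machines are controlled you have a number of options exposed" would read better as "Once machines are enrolled", matching the "machine enrollment" heading above it.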
@@ -117,10 +197,10 @@ Futures
117197 this)
118198
119199* Retry http requests when they fail. AMT processors randomly drop
120- some connections, built in limited retry should be done.
200+ some connections, built in limited retry should be done.
121201
122202* Fault handling. The current code is *very * optimistic. Hence, the
123203 0.x nature.
124204
125- * Remove console control. There are AMT commands to expose a VNC
205+ * Remote console control. There are AMT commands to expose a VNC
126206 remote console on the box. Want to support those.
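Review bot: new line 200 is a whitespace-only change to the continuation line of the "Retry http requests" bullet; if the intent is correct RST list indentation that is fine, but since the line is being touched anyway, "built in limited retry should be done" could be tightened to "a built-in, limited retry should be implemented". The "Remove" to "Remote" fix at line 205 is correct and matches the bullet's description of a VNC remote console.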