I am moving the question at the request of the moderator.
---
First question,
If secure Host Based Provisioning is used, the agent invokes CFG_StartConfigurationHBased() to place the Intel AMT device into Setup Mode (see Intel AMT Device Modes) for Mutual-TLS. The SCA TLS leaf certificate hash is provided by the agent as an input parameter. The Intel AMT device returns the hash of the AMT ODCA leaf certificate as an output parameter. The Agent sends the Intel AMT certificate hash to the management console, which sends it to the SCA Server. Now both ends are configured with the required certificates for the Mutual TLS session.
I got the hash through the CFG_StartConfigurationHBased command, but it doesn't match the hash of the leaf certificate.
Whenever I run the command `openssl s_client -showcerts -connect 127.0.0.1:16993 -tls1_2`, I see that the certificates have changed.
```text
> StartConfigurationHBased
status : AMT_STATUS_SUCCESS
HashAlgorithm : 2
AMTCertHash : 3ea11c5c917c8d48769363053eb12fef93b169c759fd738a873edd1084dd0d010000000000000000000000000000000000000000000000000000000000000000
> openssl s_client -showcerts -connect 127.0.0.1:16993 -tls1_2
CONNECTED(00000174)
Can't use SSL_get_servername
depth=3 CN = CSME TGL ROM CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 CN = CSME TGL SVN01 Kernel CA
verify return:1
depth=1 CN = CSME TGL AMT 01SVN
verify return:1
depth=0 CN = AMT RCFG
verify return:1
30390000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-3.1.4/ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
Certificate chain
 0 s:CN = AMT RCFG
   i:CN = CSME TGL AMT 01SVN
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul 5 00:00:00 2020 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
 1 s:CN = CSME TGL AMT 01SVN
   i:CN = CSME TGL SVN01 Kernel CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul 5 00:00:00 2020 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
 2 s:CN = CSME TGL SVN01 Kernel CA
   i:CN = CSME TGL ROM CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Oct 4 00:00:00 2020 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
 3 s:CN = CSME TGL ROM CA
   i:OU = On Die CSME P_TGL 00002004 Issuing CA, CN = www.intel.com
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: May 1 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
---
Server certificate
subject=CN = AMT RCFG
issuer=CN = CSME TGL AMT 01SVN
---
```
This is the leaf certificate obtained by running the command again:
The public key of the 'AMT RCFG' certificate is the same, but the signature is different each time, making hash comparison impossible.
AMT version is 15.0.45. It's probably a bug in the firmware.
Second question,
Here it says that AdminSetup has been deprecated, so I am trying CFG_StartConfigurationHBased.
After establishing an mTLS connection using CFG_StartConfigurationHBased, what Action is available for ACM Setup instead of AdminSetup?
Test sample: https://github.com/jclab-joseph/intel-vpro-hbased-problem-01
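The comparison the first question describes, written out as an added example (not code from the post, the linked repository, or Intel's SDK): strip the zero padding from the 64-byte AMTCertHash buffer and compare it with the fingerprint of the DER leaf that `openssl s_client` prints. Reading HashAlgorithm value 2 as SHA-256 is an assumption, consistent with the 32 non-zero bytes shown; the certificate bytes are a constructed stand-in, not a real AMT certificate. A leaf that is re-signed on every connection (same key, new signature) will keep failing this check, which is exactly the mismatch the post reports.

```python
import base64
import hashlib
import re

# Hash-algorithm code returned by CFG_StartConfigurationHBased. Only the value
# seen in the post (2) is mapped; reading it as SHA-256 is an assumption that is
# consistent with the 32 non-zero bytes of the 64-byte AMTCertHash shown above.
ASSUMED_HASH_ALGORITHMS = {2: "sha256"}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in a PEM blob (e.g. s_client output)."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def strip_amt_hash_padding(amt_hash_hex: str, algorithm: int) -> bytes:
    """AMTCertHash is a fixed 64-byte buffer: keep the digest-length prefix and
    insist the remainder is zero padding, so a garbled value is rejected."""
    name = ASSUMED_HASH_ALGORITHMS[algorithm]  # KeyError for unmapped codes
    raw = bytes.fromhex(amt_hash_hex)
    size = hashlib.new(name).digest_size
    digest, padding = raw[:size], raw[size:]
    if len(digest) != size or any(padding):
        raise ValueError(f"AMTCertHash is not a zero-padded {name} digest")
    return digest

def leaf_fingerprint(pem_text: str, algorithm: int) -> bytes:
    """Fingerprint of the DER-encoded leaf, as TLS tooling computes it."""
    name = ASSUMED_HASH_ALGORITHMS[algorithm]
    return hashlib.new(name, pem_to_der(pem_text)).digest()

def amt_hash_matches(amt_hash_hex: str, algorithm: int, pem_text: str) -> bool:
    """The check the console/SCA side performs before trusting the device: the
    hash obtained locally must equal the fingerprint of the leaf presented on
    port 16993. A re-signed leaf (same key, new signature) fails this check."""
    return (strip_amt_hash_padding(amt_hash_hex, algorithm)
            == leaf_fingerprint(pem_text, algorithm))

# Constructed sample (not a real certificate): arbitrary stand-in for DER bytes.
SAMPLE_DER = b"constructed stand-in for the AMT RCFG leaf, not real DER"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----")
# What a matching AMTCertHash for SAMPLE_PEM would look like: digest + zero padding.
SAMPLE_AMT_HASH = hashlib.sha256(SAMPLE_DER).hexdigest() + "00" * 32
# Digest part of the value returned in the post, with the same zero padding.
POST_AMT_HASH = ("3ea11c5c917c8d48769363053eb12fef"
                 "93b169c759fd738a873edd1084dd0d01") + "00" * 32
```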
I uploaded it incorrectly. Please delete it.
Hello, jic5760,
Thank you for your notification. I am closing the forum.
Regards,
Miguel C.
Intel Customer Support Technician