
Activating AMT with E2E TLS and RPS

Ganesh Raikhelkar edited this page May 13, 2026 · 3 revisions

RPS state machine

```mermaid
flowchart TD
    Start([AMT Provisioning]) --> ModeCheck{Device Mode?}

    %% ============================================================
    %% PATH 1: Already Activated (ACM/CCM)
    %% ============================================================
    ModeCheck -->|Activated - ACM / CCM| TLSConfigured{TLS already<br>configured?}

    %% TLS not configured
    TLSConfigured -->|No| GenCert[RPS generates cert<br>from MPS root and<br>adds it to AMT]
    GenCert --> Done1[Connect on port 16993<br>RPS: amt_post_tls_reject = true]

    %% TLS already configured
    TLSConfigured -->|Yes| GetCerts[Get AMT_PublicKeyCertificate<br>and AMT_TLSCredentialsContext]
    GetCerts --> IdentifyCert[Identify cert AMT<br>is currently using]
    IdentifyCert --> SignedByMPS{Cert signed by<br>MPS Root?}

    SignedByMPS -->|Yes| Reuse[Switch to port 16993<br>and reconfigure]
    Reuse --> Done2[RPS: amt_post_tls_reject = true<br>MPS root cert is trusted]

    SignedByMPS -->|No| RegenCert[RPS generates new cert<br>from MPS root and<br>configures it in AMT]
    RegenCert --> Done3[Connect on port 16993<br>RPS: amt_post_tls_reject = true]

    %% ============================================================
    %% PATH 2: Pre-Provisioning
    %% ============================================================
    ModeCheck -->|Not Activated| PreProv{AMT Version?}

    %% AMT 19+
    PreProv -->|19+| ODCA[ODCA cert present<br>and validatable]
    ODCA --> Act19[Activates to CCM<br>over e2e TLS on port 16993<br>RPS: amt_pre_tls_reject = true]
    Act19 -->|Post-Activation| Self19[AMT generates its own<br>self-signed cert]
    Self19 --> DMT19[RPS adds DMT self-signed cert<br>to AMT]
    DMT19 --> RPS19[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    %% AMT 18 and below
    PreProv -->|18 and below| TLSCheck{--tls-tunnel<br>flag set?}

    TLSCheck -->|Yes| NoODCA[No ODCA cert available]
    NoODCA --> Act18TLS[Activates to CCM<br>over non-TLS port 16992]
    Act18TLS -->|Post-Activation| VersionCheck2{AMT Version?}

    VersionCheck2 -->|16 - 18| Self16[AMT generates its own<br>self-signed cert]
    Self16 --> DMT16[RPS adds DMT self-signed cert<br>to AMT]
    DMT16 --> RPS16[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    VersionCheck2 -->|15 and below| DMT[RPS generates DMT<br>self-signed cert and<br>adds it to AMT]
    DMT --> RPS15[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    TLSCheck -->|No| Act18Plain[Activates to CCM<br>over non-TLS port 16992]
    Act18Plain -->|Post-Activation| NoTLS[No certs used or added<br>remains on port 16992]
    NoTLS --> RPS18Plain[Both RPS TLS configs<br>not applicable]

    %% Styling
    classDef version19 fill:#2563eb,stroke:#1e40af,color:#fff
    classDef version18tls fill:#7c3aed,stroke:#5b21b6,color:#fff
    classDef version15 fill:#0891b2,stroke:#0e7490,color:#fff
    classDef version18plain fill:#64748b,stroke:#475569,color:#fff
    classDef decision fill:#f59e0b,stroke:#d97706,color:#000
    classDef rps fill:#dc2626,stroke:#b91c1c,color:#fff
    classDef rpsok fill:#16a34a,stroke:#15803d,color:#fff
    classDef acm fill:#0d9488,stroke:#0f766e,color:#fff
    classDef query fill:#6366f1,stroke:#4f46e5,color:#fff

    class ODCA,Self19 version19
    class Act19 rpsok
    class NoODCA,Act18TLS,Self16 version18tls
    class DMT,DMT16,DMT19 version15
    class Act18Plain,NoTLS version18plain
    class ModeCheck,TLSConfigured,SignedByMPS,PreProv,TLSCheck,VersionCheck2 decision
    class RPS18Plain rps
    class RPS15,RPS19,RPS16,Done1,Done2,Done3 rpsok
    class GenCert,RegenCert acm
    class GetCerts,IdentifyCert query
    class Reuse query
```

Sequence diagram for AMT 19 and later

```mermaid
sequenceDiagram
    autonumber

    participant DB as DB<br/>Non-secret config
    participant Vault as Vault<br/>Secrets and Certs
    participant RPS as RPS Service<br/>TLS client
    participant RPC as rpc-go<br/>Byte-forwarding proxy
    participant LMS as LMS<br/>Local AMT interface
    participant AMT as Intel AMT 19<br/>TLS server

    Note over LMS,AMT: AMT 19 local TLS path uses 16993 only. 16992 is not used in this flow.

    RPC->>RPS: Secure WebSocket connection established

    RPC->>RPS: JSON activate message
    Note right of RPS: method=activate
    Note right of RPS: protocolVersion=4.0.0
    Note right of RPS: payload.ver=19.0.5
    Note right of RPS: payload.uuid=device uuid
    Note right of RPS: payload.tlsEnforced=true
    Note right of RPS: payload.profile=acm

    RPS->>DB: Read AMT profile and CIRA config
    DB-->>RPS: Profile, TLS mode, non-secret config

    RPS->>Vault: Read AMT and MEBx password
    Vault-->>RPS: Secrets

    RPS->>RPS: tlsEnforced=true. Enable TLS tunnel mode.

    Note over RPS,AMT: Phase 1: Pre-activation TLS validation uses Intel ODCA trust only.

    RPS->>RPC: JSON tls_data message
    Note right of RPC: method=tls_data
    Note right of RPC: payload=base64 TLS ClientHello bytes

    RPC->>LMS: Forward raw TLS bytes
    LMS->>AMT: Forward TLS bytes to 16993

    AMT-->>LMS: TLS ServerHello and AMT ODCA cert chain
    LMS-->>RPC: Forward TLS bytes
    RPC-->>RPS: JSON tls_data payload with TLS response bytes

    RPS->>RPS: Capture AMT cert chain from TLS handshake Certificate message type 0x0b
    RPS->>RPS: Parse DER certs from handshake. Fallback to getPeerCertificate(true)

    RPS->>RPS: Validate ODCA chain

    Note right of RPS: 1. Ensure peer certificate chain exists
    Note right of RPS: 2. Check validity period for every cert in chain
    Note right of RPS: 3. Verify each cert is signed by the next cert in chain
    Note right of RPS: 4. Load trusted Intel ODCA root certificates
    Note right of RPS: 5. Verify top cert fingerprint matches trusted ODCA root
    Note right of RPS: 6. Or verify top cert is signed by trusted ODCA root
    Note right of RPS: 7. Skip EKU validation intentionally

    Note over RPS: CRL and revocation checking are not implemented.

    RPS->>RPS: Complete TLS handshake. TLS tunnel established.

    Note over RPS,AMT: WSMAN HTTP/XML is encrypted inside RPS to AMT TLS. rpc-go and LMS only forward encrypted bytes.

    RPS->>RPC: Encrypted WSMAN Get AMT_GeneralSettings
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes to 16993
    AMT-->>RPS: HTTP 401 challenge over encrypted TLS

    RPS->>RPS: Close and reset tunnel after 401

    RPS->>RPC: Create new TLS tunnel
    RPC->>LMS: Forward TLS bytes
    LMS->>AMT: Forward TLS bytes to 16993
    AMT-->>RPS: TLS established again

    RPS->>RPC: Retry WSMAN Get with digest auth, encrypted inside TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes
    AMT-->>RPS: AMT_GeneralSettings response

    RPS->>RPC: WSMAN Setup IPS_HostBasedSetupService.Setup
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes
    AMT-->>RPS: SetupResponse ReturnValue=0

    RPS->>RPC: WSMAN CommitChanges
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes
    AMT-->>RPS: CommitChangesResponse ReturnValue=0

    Note over RPS,AMT: Device is now activated in CCM.

    Note over RPS,AMT: Phase 2: After CCM activation, AMT may temporarily present a self-signed TLS cert.

    RPS->>RPC: Re-establish TLS tunnel
    RPC->>LMS: Forward TLS bytes
    LMS->>AMT: Forward TLS bytes to 16993
    AMT-->>RPS: TLS handshake using temporary self-signed AMT cert

    RPS->>RPS: Temporarily allow self-signed AMT cert only during post-CCM transition.

    RPS->>Vault: Fetch MPS root key and MPS root cert
    Vault-->>RPS: MPS root key and MPS root cert

    RPS->>RPC: Enumerate AMT_PublicPrivateKeyPair
    RPC->>LMS: Forward encrypted WSMAN bytes
    LMS->>AMT: Forward encrypted WSMAN bytes
    AMT-->>RPS: Existing AMT key pair inventory

    RPS->>RPC: GenerateKeyPair on AMT_PublicPrivateKeyPair
    RPC->>LMS: Forward encrypted WSMAN bytes
    LMS->>AMT: Generate key pair internally
    AMT-->>RPS: Public key returned

    Note over AMT: Private key never leaves AMT.

    RPS->>RPS: Generate AMT TLS leaf cert signed by MPS root CA using AMT-generated public key.

    RPS->>RPC: Add MPS root certificate as trusted root
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes
    AMT-->>RPS: ReturnValue=0

    RPS->>RPC: AddCertificate with RPS-signed AMT TLS leaf cert
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes
    AMT-->>RPS: ReturnValue=0

    RPS->>RPC: Associate cert with AMT-generated private key
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Bind cert to internal private key
    AMT-->>RPS: ReturnValue=0

    RPS->>RPC: Configure AMT local TLS settings and bind new TLS cert to local TLS endpoint
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes
    AMT-->>RPS: ReturnValue=0

    RPS->>Vault: Store AMT TLS leaf cert for future verification
    Vault-->>RPS: Stored

    RPS->>RPS: Wait for AMT TLS rollover

    Note over RPS,AMT: Phase 3: AMT switches to RPS-generated TLS cert signed by MPS root.

    RPS->>RPC: Re-establish TLS tunnel
    RPC->>LMS: Forward TLS bytes
    LMS->>AMT: Forward TLS bytes to 16993
    AMT-->>RPS: TLS handshake using AMT TLS cert signed by MPS root

    RPS->>RPS: Validate AMT leaf cert

    Note right of RPS: 1. Check AMT leaf cert validity period
    Note right of RPS: 2. Load configured MPS root CA
    Note right of RPS: 3. Verify AMT leaf signature using MPS root public key
    Note right of RPS: 4. Validate issuer relationship with MPS root
    Note right of RPS: 5. Allow issuer formatting mismatch if signature is valid

    RPS->>RPC: Continue ACM activation WSMAN calls encrypted inside end-to-end TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward encrypted bytes
    AMT-->>RPS: ACM activation WSMAN responses over TLS
```
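The phase 1 capture step (pull the AMT chain out of the TLS handshake Certificate message, type 0x0b), as an added Go illustration rather than RPS or rpc-go code. It assumes the TLS record layer has already been stripped and the handshake fragments concatenated, and it only applies to a plaintext TLS 1.2 handshake, since TLS 1.3 encrypts the Certificate message; `SampleHandshake`, `CertsFromHandshake` and the placeholder DER entries are constructed for this example.

```go
package main

import "errors"

var errMalformed = errors.New("malformed TLS handshake data")

// u24 reads the 3-byte big-endian length TLS uses for handshake and cert vectors.
func u24(b []byte) int { return int(b[0])<<16 | int(b[1])<<8 | int(b[2]) }

// CertsFromHandshake scans a plaintext TLS 1.2 handshake byte stream (record
// headers already removed, fragments concatenated) for the first Certificate
// message (type 0x0b) and returns its DER entries, leaf first.
func CertsFromHandshake(hs []byte) ([][]byte, error) {
	for len(hs) > 0 { // each message: type(1) length(3) body
		if len(hs) < 4 || len(hs) < 4+u24(hs[1:]) {
			return nil, errMalformed
		}
		n := u24(hs[1:])
		typ, body := hs[0], hs[4:4+n]
		hs = hs[4+n:]
		if typ != 0x0b {
			continue
		}
		if len(body) < 3 || len(body) != 3+u24(body) { // certificate_list<0..2^24-1>
			return nil, errMalformed
		}
		var chain [][]byte
		for list := body[3:]; len(list) > 0; list = list[3+u24(list):] {
			if len(list) < 3 || len(list) < 3+u24(list) || u24(list) == 0 { // ASN.1Cert<1..2^24-1>
				return nil, errMalformed
			}
			chain = append(chain, list[3:3+u24(list)])
		}
		return chain, nil // nil chain means an empty list; step 1 of the validation rejects it
	}
	return nil, errors.New("no Certificate message in handshake stream")
}

// SampleHandshake is a constructed TLS 1.2 server flight with the record layer
// stripped: ServerHello (stub body), Certificate with two placeholder DER blobs,
// ServerHelloDone. The blobs are not real certificates.
var SampleHandshake = []byte{
	0x02, 0, 0, 2, 3, 3, // ServerHello
	0x0b, 0, 0, 19, 0, 0, 16, // Certificate, certificate_list of 16 bytes
	0, 0, 5, 0x30, 3, 2, 1, 1, // leaf placeholder
	0, 0, 5, 0x30, 3, 2, 1, 2, // issuer placeholder
	0x0e, 0, 0, 0, // ServerHelloDone
}
```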

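The two certificate checks in the diagram, the phase 1 ODCA chain validation (steps 1 to 7) and, with a single leaf and the MPS root as the only trusted cert, the phase 3 leaf validation, as an added Go example; it is not RPS code (RPS is a Node service, hence the getPeerCertificate fallback), and `ValidateChain`, `NewTestCert` and the certificate names are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidateChain mirrors steps 1 to 6 of the RPS ODCA check: non-empty chain, every
// cert inside its validity period, each signed by the next, top cert a trusted root
// or signed by one. EKU (step 7) and revocation are not checked, as on the page.
func ValidateChain(chain, trusted []*x509.Certificate, now time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("no peer certificate chain")
	}
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("cert %d (%s) is outside its validity period", i, c.Subject.CommonName)
		}
	}
	for i := 0; i+1 < len(chain); i++ { // the signature, not issuer DN text, proves issuance
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("cert %d not signed by cert %d: %w", i, i+1, err)
		}
	}
	top := chain[len(chain)-1]
	for _, root := range trusted { // Equal compares raw DER, i.e. the same fingerprint
		if root.Equal(top) || top.CheckSignatureFrom(root) == nil {
			return nil
		}
	}
	return fmt.Errorf("chain does not end at a trusted root")
}

// NewTestCert issues a constructed cert (nil parent = self-signed); keys are made at run time.
func NewTestCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Build a chain leaf first with NewTestCert (root, then an ODCA cert signed by the root, then the AMT leaf signed by the ODCA cert) and pass the root as trusted; because issuance is proven by signature rather than by comparing issuer DN text, the "issuer formatting mismatch" tolerance of phase 3 needs no special case. Revocation is not checked here either, which is the gap the diagram's note records.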