
Activating AMT with E2E TLS and RPS

Ganesh Raikhelkar edited this page May 13, 2026 · 3 revisions

RPS State-machine

flowchart TD
    Start([AMT Provisioning]) --> ModeCheck{Device Mode?}

    %% ============================================================
    %% PATH 1: Already Activated (ACM/CCM)
    %% ============================================================
    ModeCheck -->|Activated - ACM / CCM| TLSConfigured{TLS already<br>configured?}

    %% TLS not configured
    TLSConfigured -->|No| GenCert[RPS generates cert<br>from MPS root and<br>adds it to AMT]
    GenCert --> Done1[Connect on port 16993<br>RPS: amt_post_tls_reject = true]

    %% TLS already configured
    TLSConfigured -->|Yes| GetCerts[Get AMT_PublicKeyCertificate<br>and AMT_TLSCredentialsContext]
    GetCerts --> IdentifyCert[Identify cert AMT<br>is currently using]
    IdentifyCert --> SignedByMPS{Cert signed by<br>MPS Root?}

    SignedByMPS -->|Yes| Reuse[Switch to port 16993<br>and reconfigure]
    Reuse --> Done2[RPS: amt_post_tls_reject = true<br>MPS root cert is trusted]

    SignedByMPS -->|No| RegenCert[RPS generates new cert<br>from MPS root and<br>configures it in AMT]
    RegenCert --> Done3[Connect on port 16993<br>RPS: amt_post_tls_reject = true]

    %% ============================================================
    %% PATH 2: Pre-Provisioning
    %% ============================================================
    ModeCheck -->|Not Activated| PreProv{AMT Version?}

    %% AMT 19+
    PreProv -->|19+| ODCA[ODCA cert present<br>and validatable]
    ODCA --> Act19[Activates to CCM<br>over e2e TLS on port 16993<br>RPS: amt_pre_tls_reject = true]
    Act19 -->|Post-Activation| Self19[AMT generates its own<br>self-signed cert]
    Self19 --> DMT19[RPS adds DMT self-signed cert<br>to AMT]
    DMT19 --> RPS19[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    %% AMT 18 and below
    PreProv -->|18 and below| TLSCheck{--tls-tunnel<br>flag set?}

    TLSCheck -->|Yes| NoODCA[No ODCA cert available]
    NoODCA --> Act18TLS[Activates to CCM<br>over non-TLS port 16992]
    Act18TLS -->|Post-Activation| VersionCheck2{AMT Version?}

    VersionCheck2 -->|16 - 18| Self16[AMT generates its own<br>self-signed cert]
    Self16 --> DMT16[RPS adds DMT self-signed cert<br>to AMT]
    DMT16 --> RPS16[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    VersionCheck2 -->|15 and below| DMT[RPS generates DMT<br>self-signed cert and<br>adds it to AMT]
    DMT --> RPS15[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    TLSCheck -->|No| Act18Plain[Activates to CCM<br>over non-TLS port 16992]
    Act18Plain -->|Post-Activation| NoTLS[No certs used or added<br>remains on port 16992]
    NoTLS --> RPS18Plain[Both RPS TLS configs<br>not applicable]

    %% Styling
    classDef version19 fill:#2563eb,stroke:#1e40af,color:#fff
    classDef version18tls fill:#7c3aed,stroke:#5b21b6,color:#fff
    classDef version15 fill:#0891b2,stroke:#0e7490,color:#fff
    classDef version18plain fill:#64748b,stroke:#475569,color:#fff
    classDef decision fill:#f59e0b,stroke:#d97706,color:#000
    classDef rps fill:#dc2626,stroke:#b91c1c,color:#fff
    classDef rpsok fill:#16a34a,stroke:#15803d,color:#fff
    classDef acm fill:#0d9488,stroke:#0f766e,color:#fff
    classDef query fill:#6366f1,stroke:#4f46e5,color:#fff

    class ODCA,Self19 version19
    class Act19 rpsok
    class NoODCA,Act18TLS,Self16 version18tls
    class DMT,DMT16,DMT19 version15
    class Act18Plain,NoTLS version18plain
    class ModeCheck,TLSConfigured,SignedByMPS,PreProv,TLSCheck,VersionCheck2 decision
    class RPS18Plain rps
    class RPS15,RPS19,RPS16,Done1,Done2,Done3 rpsok
    class GenCert,RegenCert acm
    class GetCerts,IdentifyCert query
    class Reuse query

Sequence Diagram for AMT 19 and above versions

sequenceDiagram
    autonumber

    participant DB as DB<br/>Non-secret config
    participant Vault as Vault<br/>Secrets / Certs
    participant RPS as RPS Service<br/>TLS client
    participant RPC as rpc-go<br/>Byte-forwarding proxy
    participant LMS as LMS<br/>Local AMT interface
    participant AMT as Intel AMT 19<br/>TLS server

    Note over LMS,AMT: AMT 19 local TLS path uses 16993 only<br/>16992 is not supported

    RPC->>RPS: Open Secure WebSocket
    RPC->>RPS: JSON method=activate<br/>payload includes AMT version, UUID,<br/>cert hashes, profile=acm, tlsEnforced=true

    RPS->>DB: Read AMT profile and CIRA config
    DB-->>RPS: Profile, TLS mode, non-secret config

    RPS->>Vault: Read AMT password
    Vault-->>RPS: Secrets

    RPS->>RPS: tlsEnforced=true<br/>Enable TLS tunnel mode

    Note over RPS,AMT: Phase 1: Pre-activation TLS validation uses Intel ODCA trust only

    RPS->>RPC: JSON method=tls_data<br/>payload=base64 TLS ClientHello / TLS bytes
    RPC->>LMS: Forward TLS bytes
    LMS->>AMT: Forward to AMT local TLS endpoint 16993

    AMT-->>LMS: TLS ServerHello + AMT ODCA cert chain + TLS bytes
    LMS-->>RPC: Forward TLS bytes
    RPC-->>RPS: JSON method=tls_data<br/>payload=base64 TLS bytes

    RPS->>RPS: Capture AMT cert chain from TLS handshake<br/>Certificate message type 0x0b
    RPS->>RPS: Parse DER certs from handshake<br/>Fallback: getPeerCertificate(true)

    RPS->>RPS: Validate ODCA chain<br/>1. Ensure peer chain is available<br/>2. Check every cert validity period<br/>3. Verify each cert is signed by the next cert in the chain<br/>4. Load trusted Intel ODCA roots<br/>5. Verify top cert is either the trusted ODCA root by fingerprint<br/>or is signed by a trusted ODCA root<br/>6. Skip EKU check intentionally

    Note over RPS: CRL / revocation checking is not implemented

    RPS->>RPS: Complete TLS handshake<br/>TLS tunnel established

    Note over RPS,AMT: WSMAN HTTP/XML is encrypted inside RPS ↔ AMT TLS.<br/>Traffic still passes through rpc-go and LMS, but only AMT can decrypt requests and only RPS can decrypt responses.

    RPS->>RPC: WSMAN Get AMT_GeneralSettings<br/>encrypted inside TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: HTTP 401 challenge over encrypted TLS

    RPS->>RPS: Close/reset tunnel after 401

    RPS->>RPC: Create new TLS tunnel
    RPC->>LMS: Forward TLS bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: TLS established again

    RPS->>RPC: Retry WSMAN Get AMT_GeneralSettings<br/>with digest auth, encrypted inside TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: AMT_GeneralSettings response

    RPS->>RPC: WSMAN Setup<br/>IPS_HostBasedSetupService.Setup<br/>encrypted inside TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: SetupResponse ReturnValue=0

    RPS->>RPC: WSMAN CommitChanges<br/>encrypted inside TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: CommitChangesResponse ReturnValue=0

    Note over RPS,AMT: Device is now activated in CCM / TLS Phase 1

    Note over RPS,AMT: Phase 2: Immediately after CCM activation, AMT may present a temporary self-signed TLS cert

    RPS->>RPC: Re-establish TLS tunnel after CCM activation
    RPC->>LMS: Forward TLS bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: TLS handshake using temporary self-signed AMT cert

    RPS->>RPS: Temporarily accept AMT self-signed cert<br/>only for post-CCM transition

    RPS->>Vault: Fetch MPS root key and MPS root cert
    Vault-->>RPS: MPS root key + MPS root cert

    RPS->>RPS: Select MPS root CA<br/>matching root key fingerprint

    RPS->>RPC: Enumerate AMT_PublicKeyCertificate<br/>encrypted WSMAN over temporary TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: Existing AMT certificate inventory

    RPS->>RPS: Generate AMT local TLS leaf cert<br/>signed by MPS root

    RPS->>RPC: Add MPS root certificate<br/>as trusted root<br/>encrypted WSMAN over temporary TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: ReturnValue=0

    RPS->>RPC: Add AMT TLS leaf cert / private key<br/>encrypted WSMAN over temporary TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: ReturnValue=0

    RPS->>RPC: Configure AMT local TLS settings<br/>bind new TLS cert to local TLS endpoint<br/>encrypted WSMAN over temporary TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: ReturnValue=0

    RPS->>Vault: Store AMT TLS leaf cert<br/>for future verification / pinning
    Vault-->>RPS: Stored

    RPS->>RPS: Wait for AMT TLS rollover

    Note over RPS,AMT: Phase 3: AMT switches to RPS-generated TLS cert signed by MPS root

    RPS->>RPC: Re-establish TLS tunnel
    RPC->>LMS: Forward TLS bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: TLS handshake using AMT TLS leaf cert signed by MPS root

    RPS->>RPS: Validate AMT leaf cert<br/>1. Check leaf cert validity period<br/>2. Load configured MPS root CA<br/>3. Verify leaf signature using MPS root public key<br/>4. Check leaf issuer against MPS root<br/>issuer formatting mismatch tolerated if signature is valid


    RPS->>RPC: Continue ACM activation WSMAN calls<br/>encrypted inside end-to-end TLS
    RPC->>LMS: Forward encrypted bytes
    LMS->>AMT: Forward to 16993
    AMT-->>RPS: ACM activation WSMAN responses over TLS
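The "Validate ODCA chain" step of Phase 1 and the "Validate AMT leaf cert" step of Phase 3 are the same routine applied to different inputs. The Go below is an added example written for this page, not code from RPS (a TypeScript service) or rpc-go; `ValidateChain` and `NewTestCert` are hypothetical names and the certificates are constructed at run time. Phase 3 is the one-cert case: pass the AMT leaf alone with the MPS root as the only trusted root, and the AMT temporary self-signed cert is rejected by the same check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ValidateChain applies the diagram's Phase 1 rules: every cert in its validity
// period, each signed by the next (signature only, issuer formatting ignored),
// top cert equal to a trusted root or signed by one; EKU and CRL not checked.
func ValidateChain(chain, roots []*x509.Certificate, now time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("no peer certificate chain")
	}
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("cert %d is outside its validity period", i)
		}
		if i+1 < len(chain) && chain[i+1].CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil {
			return fmt.Errorf("cert %d is not signed by cert %d", i, i+1)
		}
	}
	top := chain[len(chain)-1] // identical DER below is the same test as an identical fingerprint
	for _, r := range roots {
		if string(top.Raw) == string(r.Raw) || r.CheckSignature(top.SignatureAlgorithm, top.RawTBSCertificate, top.Signature) == nil {
			return nil
		}
	}
	return fmt.Errorf("top cert is neither a trusted root nor signed by one")
}

// NewTestCert issues a constructed Ed25519 cert (not a real ODCA or MPS cert); a nil parent means self-signed.
func NewTestCert(parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, NotBefore: time.Now(), NotAfter: time.Now().Add(8760 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // constructed input; only a bug in this helper can fail here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```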
