Background
AMT 22 introduces updated certificate requirements under which SHA256 and 2048-bit keys are deprecated for provisioning and management-related certificate flows.
DMT must support the updated requirements by using:
where applicable for AMT 22 and above platforms, while maintaining compatibility with existing AMT versions currently deployed in the field.
This effort is expected to require changes across multiple DMT components, including:
See the AMT SDK link for more details https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Ftransportlayersecurity.htm
RPS - Provisioning Flow Updates
Description
The RPS activation state machine currently contains logic that selects certificate algorithms and key sizes during provisioning. The provisioning flow should be updated to support SHA384 and 3072-bit key sizes for AMT 22 and above platforms.
Areas to Review
Certificate Hash Algorithm Selection
Current implementation: https://github.com/device-management-toolkit/rps/blob/main/src/stateMachines/activation.ts#L158
Current logic uses SHA256. For AMT 22 and above platforms, this should be updated to use SHA384.
Key Size Selection
Current implementation: https://github.com/device-management-toolkit/rps/blob/main/src/stateMachines/activation.ts#L281
The current implementation uses a hardcoded value of 2. For AMT 22 and above platforms, this should be updated to use 3 (3072-bit key size).
RPS - Local TLS Certificate Updates used for E2E TLS
Description
The local TLS certificate generated through DMT is signed by the MPS certificate infrastructure. Certificates generated for AMT 22 and above platforms should use:
MPS CIRA Certificate Updates
Description
The MPS-generated certificate used for CIRA communication must be reviewed for compliance with AMT 22 requirements. Current direction is to default to:
The problem with this approach is that AMT 11 devices could no longer be supported.
RPC-Go v3 Orchestration Updates
Description
RPC-Go v3 orchestration participates in provisioning and configuration workflows that rely on certificate generation and deployment. The orchestration flow should be reviewed to ensure it properly supports AMT 22 cryptographic requirements.
Areas to Review
- Provisioning orchestration, similar to RPS, but this also includes the mTLS-based Secure Host Based Configuration
- TLS certificate deployment
- 802.1X
- AMT version detection and branching logic
802.1X Certificate Flow Review
Description
The impact of AMT 22 cryptographic requirements on 802.1X provisioning is currently unknown (to me). A review should be performed to determine:
- Which certificates are used during 802.1X provisioning by EA
- Whether SHA384 and 3072-bit requirements apply
- Whether any changes are required within DMT
Domain Profile Certificate Visibility Improvements
Description
When provisioning certificates are uploaded into a domain profile, DMT currently provides limited visibility into the uploaded certificate chain. Additional certificate metadata should be exposed to simplify debugging and validation.
Proposed Enhancements
Display certificate chain information including:
- Number of certificates in the chain
- Signature algorithm used by each certificate
- Key size used by each certificate
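As an added example (not code from the DMT project), the version-branching logic described for RPS and RPC-Go and the chain metadata proposed above, combined in one Go snippet: it reports count, signature algorithm and key size per certificate and flags which ones fall short for a given AMT major version. The SHA384/3072 threshold for AMT 22+ and SHA256/2048 for earlier platforms is an assumption taken from this issue, and the test certificates are constructed self-signed ones.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

type CertInfo struct { // per-certificate metadata a domain profile view could expose
	SigAlg    string
	KeyBits   int
	Compliant bool
}

// Version branch from the issue (assumption): AMT 22+ needs SHA384 with a 3072-bit RSA key; earlier platforms accept SHA256 with 2048.
func MeetsAMTRequirements(amtMajor int, sig x509.SignatureAlgorithm, keyBits int) bool {
	if amtMajor >= 22 {
		return sig == x509.SHA384WithRSA && keyBits >= 3072
	}
	return (sig == x509.SHA256WithRSA || sig == x509.SHA384WithRSA) && keyBits >= 2048
}

// InspectChain reports algorithm, key size and compliance for each DER certificate extracted from an uploaded chain, in upload order.
func InspectChain(derCerts [][]byte, amtMajor int) ([]CertInfo, error) {
	out := make([]CertInfo, 0, len(derCerts))
	for _, der := range derCerts {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		bits := 0 // non-RSA keys report 0 and therefore fail the size check
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok {
			bits = k.N.BitLen()
		}
		out = append(out, CertInfo{c.SignatureAlgorithm.String(), bits,
			MeetsAMTRequirements(amtMajor, c.SignatureAlgorithm, bits)})
	}
	return out, nil
}

// SelfSignedDER builds a constructed test certificate (not from any real CA).
func SelfSignedDER(bits int, sig x509.SignatureAlgorithm) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: sig}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

Running InspectChain over the same uploaded chain once with the target platform's AMT major version and once with 21 shows which certificates break when the AMT 22 defaults are applied.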
Open Questions
- What impact will the new defaults have on AMT 11 deployments?
- What certificates are used during the 802.1X workflow today? Does the 802.1X flow require any implementation changes?
Additional things to add
Additional TLS flow references and implementation details will be added as they become available.
Initial assessment indicates changes will likely be required in:
to fully support AMT 22 certificate requirements.