
fix: resolve local LMS enforcement issue for AMT19 above #1257

Draft
nbmaiti wants to merge 1 commit into main from lms_local_tls_amt19

Conversation

@nbmaiti (Contributor) commented Apr 9, 2026

This PR addresses activation failures on AMT 19+ where local LMS connections must use TLS and Go’s default TLS verification rejects the AMT self-signed certificate; it also propagates local TLS-enforcement status to RPS/cloud payloads.

Changes:

  • Add localTlsEnforced to the RPS message payload and propagate it through command/request plumbing.
  • Extend command context/request creation to pass local TLS-enforcement status into RPS flows (activate/deactivate).
  • Adjust LMS TLS config creation to allow loopback TLS connections with self-signed certificates.
  • Send local TLS enforcement status to cloud/console during WebSocket connect.

fixes #1163

Added LMS certificate check for loopback connections.

Return local LMS TLS status to AMT cloud/console.

Signed-off-by: Nabendu Maiti <nabendu.bikash.maiti@intel.com>

Copilot AI left a comment

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.


Comment thread internal/certs/lmsTls.go
Comment on lines 37 to +41
} else {
// default tls config if device is in ACM or CCM
log.Trace("Setting default TLS Config for ACM/CCM mode")
if skipAMTCertCheck {
log.Trace("Skipping AMT certificate verification for ACM/CCM mode (loopback TLS)")
} else {
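Review bot: nothing in these lines ties the skipAMTCertCheck branch to a loopback destination, even though the PR description presents the change as allowing loopback TLS with self-signed certificates. If the same flag can reach GetTLSConfig() for a non-local AMT address, the relaxed verification would apply there as well. Suggest checking the dial target (127.0.0.1, ::1 or "localhost") alongside the flag before relaxing verification, and logging at a level above Trace when verification is relaxed so the condition shows up in normal diagnostics rather than only in trace output.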

Copilot AI Apr 9, 2026

In GetTLSConfig(), the ACM/CCM branch leaves default TLS verification enabled (InsecureSkipVerify stays false when skipAMTCertCheck is false) and does not set VerifyPeerCertificate. For AMT 19+ loopback TLS where LMS presents a self-signed/untrusted certificate, this will still fail the handshake. Consider always enabling InsecureSkipVerify for loopback and performing certificate validation via VerifyPeerCertificate/VerifyCertificates for all modes when skipAMTCertCheck is false.

Comment thread internal/certs/lmsTls.go
Comment on lines +106 to +109

if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
return errors.New("single AMT loopback certificate is not self-signed")
}
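Review bot: comparing cert.RawSubject with cert.RawIssuer only shows that the two DNs are equal; it does not show that the certificate was signed with its own key, so cert.CheckSignatureFrom(cert) is the check that actually establishes self-signing, and the current error text can misreport a certificate that is in fact self-signed. Separately, the comment next to this check should say what it is meant to guarantee: on a loopback port, "is self-signed" is a structural property of the certificate, not evidence that the peer is LMS, so whatever property the activation flow relies on for localhost:16993 deserves to be written down beside the check where a reviewer can see it.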

Copilot AI Apr 9, 2026

The self-signed check compares cert.RawSubject and cert.RawIssuer, which is not sufficient to prove the certificate is actually self-signed (same DN can still be signed by another key). Use a signature check (e.g., cert.CheckSignatureFrom(cert)) before treating it as self-signed.

Comment on lines +261 to +262
// Propagate local TLS enforcement status detected in AMTBaseCmd.AfterApply
ctx.LocalTLSEnforced = cmd.LocalTLSEnforced

Copilot AI Apr 9, 2026

runRemoteActivation propagates LocalTLSEnforced into the shared Context, but Context.ControlMode is still never set and RemoteActivateCmd later forwards it into the RPS request. Propagate the detected control mode as well (e.g., ctx.ControlMode = cmd.GetControlMode()) so RPS/LMS TLS config selection is based on the real AMT mode.

Suggested change
// Propagate local TLS enforcement status detected in AMTBaseCmd.AfterApply
ctx.LocalTLSEnforced = cmd.LocalTLSEnforced
// Propagate activation state detected in AMTBaseCmd.AfterApply
ctx.LocalTLSEnforced = cmd.LocalTLSEnforced
ctx.ControlMode = cmd.GetControlMode()

Verbose: ctx.Verbose,
SkipCertCheck: ctx.SkipCertCheck,
SkipAmtCertCheck: ctx.SkipAMTCertCheck,
LocalTLSEnforced: cmd.LocalTLSEnforced,

Copilot AI Apr 9, 2026

This RPS request does not populate ControlMode. Since RPS executor uses ControlMode to build the LMS TLS config, leaving it as the zero value can cause incorrect TLS behavior when local TLS is enforced. Set ControlMode from the detected AMT mode (e.g., cmd.GetControlMode() / cmd.ControlMode).

Suggested change
LocalTLSEnforced: cmd.LocalTLSEnforced,
LocalTLSEnforced: cmd.LocalTLSEnforced,
ControlMode: cmd.GetControlMode(),

Comment on lines 169 to 173
Verbose: service.context.Verbose,
SkipCertCheck: service.context.SkipCertCheck,
SkipAmtCertCheck: service.context.SkipAMTCertCheck,
LocalTLSEnforced: service.context.LocalTLSEnforced,
ControlMode: service.context.ControlMode,
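Review bot: this request populates ControlMode from service.context, while the RemoteActivate request earlier in this review (the block listing Verbose, SkipCertCheck, SkipAmtCertCheck and LocalTLSEnforced) omits it. Two hand-built copies of the same field list will drift; suggest one helper that builds the RPS request from the Context so LocalTLSEnforced and ControlMode are always set together, plus a unit test asserting that both fields are populated after AMTBaseCmd.AfterApply has run detection.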

Copilot AI Apr 9, 2026

ControlMode is taken from service.context.ControlMode here, but Context.ControlMode does not appear to be populated anywhere (AMTBaseCmd stores control mode on the command, not the Context). This likely means RPS always receives ControlMode=0; propagate the detected mode into the Context before invoking RemoteActivateCmd, or set ControlMode explicitly when building this request.

@rsdmike rsdmike changed the base branch from next to main May 1, 2026 20:57
Development

Successfully merging this pull request may close these issues.

[BUG] Activate fails with "not running LMS" on AMT 19.0.5 — TLS Bad Certificate on localhost:16993

2 participants