Class AMT_PublicKeyManagementService
Used in features: Security Administration
Compatible with the following Intel AMT Releases: 3.0, 3.2, 4.0, 5.0, 5.1, 6.0, 6.1, 6.2, 7.0, 8.0, 8.1, 9.0, 9.5, 10.0, 11.0
CIM_ManagedElement
  CIM_ManagedSystemElement
    CIM_LogicalElement
      CIM_EnabledLogicalElement
        CIM_Service
          CIM_SecurityService
            CIM_AuthenticationService
              CIM_CredentialManagementService
                AMT_PublicKeyManagementService
class AMT_PublicKeyManagementService
- extends CIM_CredentialManagementService
General Information:
This service contains the information necessary to represent and manage the functionality provided by the Intel(R) AMT CertStore.
Qualifiers:
-------------
Version=11.0.0
Supported Fields Summary
-------------
uint16   | EnabledDefault          | An enumerated value indicating an administrator's default or startup configuration for the Enabled State of an element . . .
uint16   | RequestedState          | RequestedState is an integer enumeration that indicates the last requested or desired state for the element, irrespective of the mechanism through which it was requested . . .
uint16   | EnabledState            | EnabledState is an integer enumeration that indicates the enabled and disabled states of an element . . .
uint16[] | OperationalStatus       | Indicates the current statuses of the element . . .
string   | ElementName             | A user-friendly name for the object . . .
string   | SystemCreationClassName | The CreationClassName of the scoping System.
string   | SystemName              | The Name of the scoping System.
string   | CreationClassName       | CreationClassName indicates the name of the class or the subclass that is used in the creation of an instance . . .
string   | Name                    | The Name property uniquely identifies the Service and provides an indication of the functionality that is managed . . .
Methods Summary
-------------
uint32 | AddCRL(Url, SerialNumbers, REF CRL)                                                                   | This call adds a Certificate revocation list to be used by the Intel(R) AMT device.
uint32 | ResetCRLList()                                                                                        | Remove the usage of CRL during the authentication process
uint32 | AddCertificate(CertificateBlob, REF CreatedCertificate)                                               | This function adds new certificate to the Intel(R) AMT CertStore . . .
uint32 | AddTrustedRootCertificate(CertificateBlob, REF CreatedCertificate)                                    | This function adds new root certificate to the Intel(R) AMT CertStore . . .
uint32 | AddKey(KeyBlob, REF CreatedKey)                                                                       | This function adds new certificate key to the Intel(R) AMT CertStore . . .
uint32 | GeneratePKCS10RequestEx(REF KeyPair, SigningAlgorithm, NullSignedCertificateRequest, SignedCertificateRequest) | This API is used to create a PKCS#10 certificate signing request based on a key from the key store.
uint32 | GenerateKeyPair(KeyAlgorithm, KeyLength, REF KeyPair)                                                 | This API is used to generate a key in the FW
       | Get(Instance)                                                                                         | Gets the representation of the instance
       | Pull(EnumerationContext, MaxElements)                                                                 | Pulls instances of this class, following an Enumerate operation
       | Enumerate()                                                                                           | Enumerates the instances of this class
       | Release(EnumerationContext)                                                                           | Releases an enumeration context
EnabledDefault
public uint16 EnabledDefault
- General Information:
An enumerated value indicating an administrator's default or startup configuration for the Enabled State of an element. By default, the element is "Enabled" (value=2).
Qualifiers:
-------------
Write
ValueMap={2, 3, 5, 6, 7, 9, .., 32768..65535}
Values={Enabled, Disabled, Not Applicable, Enabled but Offline, No Default, Quiesce, DMTF Reserved, Vendor Reserved}
RequestedState
public uint16 RequestedState
- General Information:
RequestedState is an integer enumeration that indicates the last requested or desired state for the element, irrespective of the mechanism through which it was requested. The actual state of the element is represented by EnabledState. This property is provided to compare the last requested and current enabled or disabled states. Note that when EnabledState is set to 5 ("Not Applicable"), then this property has no meaning. Refer to the EnabledState property description for explanations of the values in the RequestedState enumeration.
"Unknown" (0) indicates the last requested state for the element is unknown.
Note that the value "No Change" (5) has been deprecated in lieu of indicating the last requested state is "Unknown" (0). If the last requested or desired state is unknown, RequestedState should have the value "Unknown" (0), but may have the value "No Change" (5). Offline (6) indicates that the element has been requested to transition to the Enabled but Offline EnabledState.
It should be noted that there are two new values in RequestedState that build on the statuses of EnabledState. These are "Reboot" (10) and "Reset" (11). Reboot refers to doing a "Shut Down" and then moving to an "Enabled" state. Reset indicates that the element is first "Disabled" and then "Enabled". The distinction between requesting "Shut Down" and "Disabled" should also be noted. Shut Down requests an orderly transition to the Disabled state, and might involve removing power, to completely erase any existing state. The Disabled state requests an immediate disabling of the element, such that it will not execute or accept any commands or processing requests.
This property is set as the result of a method invocation (such as Start or StopService on CIM_Service), or can be overridden and defined as WRITEable in a subclass. The method approach is considered superior to a WRITEable property, because it allows an explicit invocation of the operation and the return of a result code.
If knowledge of the last RequestedState is not supported for the EnabledLogicalElement, the property shall be NULL or have the value 12 "Not Applicable".
Qualifiers:
-------------
ValueMap={0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, .., 32768..65535}
Values={Unknown, Enabled, Disabled, Shut Down, No Change, Offline, Test, Deferred, Quiesce, Reboot, Reset, Not Applicable, DMTF Reserved, Vendor Reserved}
ModelCorrespondence={CIM_EnabledLogicalElement.EnabledState}
EnabledState
public uint16 EnabledState
- General Information:
EnabledState is an integer enumeration that indicates the enabled and disabled states of an element. It can also indicate the transitions between these requested states. For example, shutting down (value=4) and starting (value=10) are transient states between enabled and disabled. The following text briefly summarizes the various enabled and disabled states:
Enabled (2) indicates that the element is or could be executing commands, will process any queued commands, and queues new requests.
Disabled (3) indicates that the element will not execute commands and will drop any new requests.
Shutting Down (4) indicates that the element is in the process of going to a Disabled state.
Not Applicable (5) indicates the element does not support being enabled or disabled.
Enabled but Offline (6) indicates that the element might be completing commands, and will drop any new requests.
Test (7) indicates that the element is in a test state.
Deferred (8) indicates that the element might be completing commands, but will queue any new requests.
Quiesce (9) indicates that the element is enabled but in a restricted mode.
Starting (10) indicates that the element is in the process of going to an Enabled state. New requests are queued.
Qualifiers:
-------------
ValueMap={0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11..32767, 32768..65535}
Values={Unknown, Other, Enabled, Disabled, Shutting Down, Not Applicable, Enabled but Offline, In Test, Deferred, Quiesce, Starting, DMTF Reserved, Vendor Reserved}
ModelCorrespondence={CIM_EnabledLogicalElement.OtherEnabledState}
OperationalStatus
public uint16[] OperationalStatus
- General Information:
Indicates the current statuses of the element. Various operational statuses are defined. Many of the enumeration's values are self-explanatory. However, a few are not and are described here in more detail.
"Stressed" indicates that the element is functioning, but needs attention. Examples of "Stressed" states are overload, overheated, and so on.
"Predictive Failure" indicates that an element is functioning nominally but predicting a failure in the near future.
"In Service" describes an element being configured, maintained, cleaned, or otherwise administered.
"No Contact" indicates that the monitoring system has knowledge of this element, but has never been able to establish communications with it.
"Lost Communication" indicates that the ManagedSystem Element is known to exist and has been contacted successfully in the past, but is currently unreachable.
"Stopped" and "Aborted" are similar, although the former implies a clean and orderly stop, while the latter implies an abrupt stop where the state and configuration of the element might need to be updated.
"Dormant" indicates that the element is inactive or quiesced.
"Supporting Entity in Error" indicates that this element might be "OK" but that another element, on which it is dependent, is in error. An example is a network service or endpoint that cannot function due to lower-layer networking problems.
"Completed" indicates that the element has completed its operation. This value should be combined with either OK, Error, or Degraded so that a client can tell if the complete operation Completed with OK (passed), Completed with Error (failed), or Completed with Degraded (the operation finished, but it did not complete OK or did not report an error).
"Power Mode" indicates that the element has additional power model information contained in the Associated PowerManagementService association.
"Relocating" indicates the element is being relocated.
OperationalStatus replaces the Status property on ManagedSystemElement to provide a consistent approach to enumerations, to address implementation needs for an array property, and to provide a migration path from today's environment to the future. This change was not made earlier because it required the deprecated qualifier. Due to the widespread use of the existing Status property in management applications, it is strongly recommended that providers or instrumentation provide both the Status and OperationalStatus properties. Further, the first value of OperationalStatus should contain the primary status for the element. When instrumented, Status (because it is single-valued) should also provide the primary status of the element.
Qualifiers:
-------------
ValueMap={0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, .., 0x8000..}
Values={Unknown, Other, OK, Degraded, Stressed, Predictive Failure, Error, Non-Recoverable Error, Starting, Stopping, Stopped, In Service, No Contact, Lost Communication, Aborted, Dormant, Supporting Entity in Error, Completed, Power Mode, Relocating, DMTF Reserved, Vendor Reserved}
ArrayType=Indexed
ModelCorrespondence={CIM_ManagedSystemElement.StatusDescriptions}
ElementName
public string ElementName
- General Information:
A user-friendly name for the object. This property allows each instance to define a user-friendly name in addition to its key properties, identity data, and description information.
Note that the Name property of ManagedSystemElement is also defined as a user-friendly name. But, it is often subclassed to be a Key. It is not reasonable that the same property can convey both identity and a user-friendly name, without inconsistencies. Where Name exists and is not a Key (such as for instances of LogicalDevice), the same information can be present in both the Name and ElementName properties. Note that if there is an associated instance of CIM_EnabledLogicalElementCapabilities, restrictions on this property may exist as defined in the ElementNameMask and MaxElementNameLen properties of that class.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases the value is "Intel(r) AMT Certificate Store Service"
Qualifiers:
-------------
MaxLen=40
SystemCreationClassName
public string SystemCreationClassName
- General Information:
The CreationClassName of the scoping System.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases the value is "CIM_ComputerSystem"
Qualifiers:
-------------
Key
MaxLen=20
Propagated=CIM_System.CreationClassName
SystemName
public string SystemName
- General Information:
The Name of the scoping System.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases the value is "Intel(r) AMT"
Qualifiers:
-------------
Key
MaxLen=20
Propagated=CIM_System.Name
CreationClassName
public string CreationClassName
- General Information:
CreationClassName indicates the name of the class or the subclass that is used in the creation of an instance. When used with the other key properties of this class, this property allows all instances of this class and its subclasses to be uniquely identified.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases the value is "AMT_PublicKeyManagementService"
Qualifiers:
-------------
Key
MaxLen=35
Name
public string Name
- General Information:
The Name property uniquely identifies the Service and provides an indication of the functionality that is managed. This functionality is described in more detail in the Description property of the object.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases the value is "Intel(r) AMT Public Key Management Service"
Qualifiers:
-------------
Key
Override=Name
MaxLen=45
AddCRL
public uint32 AddCRL([IN]string Url, [IN]string SerialNumbers[], [OUT]REF AMT_CRL CRL)
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
This call adds a Certificate revocation list to be used by the Intel(R) AMT device.
Product Specific Usage:
After the method succeeds a new instance of AMT_CRL will be created.
This method modifies the flash when executed but requires "CommitChanges" to cause a reset sequence.
Qualifiers:
-------------
ValueMap={0, 1, 23, 36, 38}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_INVALID_PARAMETER, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED}
Parameters:
--------------
- Url
- General Information:
The issuer URL of the revoked certificates.
Qualifiers:
-------------
IN
- SerialNumbers
- General Information:
Notice: the values of this array are actually base64 encoded values. A list of serial numbers removed by the CA which is specified in the Url variable.
Qualifiers:
-------------
IN
EOBase64
- CRL
- General Information:
Reference to the new AMT_CRL instance.
Qualifiers:
-------------
OUT
ResetCRLList
public uint32 ResetCRLList()
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
Remove the usage of CRL during the authentication process
Product Specific Usage:
After the method succeeds the instances of AMT_CRL will be deleted.
Qualifiers:
-------------
ValueMap={0, 1, 38}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED}
AddCertificate
public uint32 AddCertificate([IN]uint8 CertificateBlob[], [OUT]REF AMT_PublicKeyCertificate CreatedCertificate)
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
This function adds a new certificate to the Intel(R) AMT CertStore. A certificate cannot be removed if it is referenced (for example, used by TLS, 802.1X or EAC).
Product Specific Usage:
After the method succeeds a new instance of AMT_PublicKeyCertificate will be created.
Qualifiers:
-------------
ValueMap={0, 1, 23, 38, 2058, 2063}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_DUPLICATE, PT_STATUS_INVALID_CERT}
Parameters:
--------------
- CertificateBlob
- General Information:
Note: The use of ECC 192/224 is blocked starting from Intel® CSME 18.0.
Qualifiers:
-------------
Required
IN
OctetString
- CreatedCertificate
- General Information:
Certificate encoded in X.509 format
Qualifiers:
-------------
OUT
AddTrustedRootCertificate
public uint32 AddTrustedRootCertificate([IN]uint8 CertificateBlob[], [OUT]REF AMT_PublicKeyCertificate CreatedCertificate)
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
This function adds a new root certificate to the Intel(R) AMT CertStore. A certificate cannot be removed if it is referenced (for example, used by TLS, 802.1X or EAC).
Product Specific Usage:
After the method succeeds a new instance of AMT_PublicKeyCertificate will be created.
This method modifies the flash when executed but requires "CommitChanges" to cause a reset sequence.
Qualifiers:
-------------
ValueMap={0, 1, 16, 23, 38, 2058, 2063}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_NOT_PERMITTED, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_DUPLICATE, PT_STATUS_INVALID_CERT}
Parameters:
--------------
- CertificateBlob
- General Information:
Note: The use of ECC 192/224 is blocked starting from Intel® CSME 18.0.
Qualifiers:
-------------
Required
IN
OctetString
- CreatedCertificate
- General Information:
Certificate encoded in X.509 format
Qualifiers:
-------------
OUT
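The AddTrustedRootCertificate call above is invoked over WS-Management, and the four Key properties listed on this page (CreationClassName, Name, SystemCreationClassName, SystemName) are exactly the selectors that pin the Invoke to the service instance. The following is an added example, not Intel SDK code: it builds the Invoke envelope, reads the selector set back out of an envelope (handy when auditing captured management traffic), and decodes the reply into the PT_STATUS name from this method's ValueMap. Assumptions, labelled in the code: the resource URI follows the usual Intel AMT pattern http://intel.com/wbem/wscim/1/amt-schema/1/<ClassName>, the reply carries an AddTrustedRootCertificate_OUTPUT element with ReturnValue and CreatedCertificate children, and the endpoint host, CertificateBlob bytes and sample reply are constructed stand-ins. No network I/O is performed.

```python
"""Added example (not Intel SDK code): WS-Man Invoke envelope for
AMT_PublicKeyManagementService.AddTrustedRootCertificate and reply decoding."""
import base64
import uuid
import xml.etree.ElementTree as ET

NS_ENV = "http://www.w3.org/2003/05/soap-envelope"
NS_WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
NS_WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
# Assumed: Intel AMT resource URIs follow .../amt-schema/1/<ClassName>.
RESOURCE_URI = "http://intel.com/wbem/wscim/1/amt-schema/1/AMT_PublicKeyManagementService"

# Key properties of the single service instance (values documented on this page).
SELECTORS = {
    "CreationClassName": "AMT_PublicKeyManagementService",
    "Name": "Intel(r) AMT Public Key Management Service",
    "SystemCreationClassName": "CIM_ComputerSystem",
    "SystemName": "Intel(r) AMT",
}

# ValueMap/Values of AddTrustedRootCertificate as listed on this page.
STATUS = {0: "PT_STATUS_SUCCESS", 1: "PT_STATUS_INTERNAL_ERROR", 16: "PT_STATUS_NOT_PERMITTED",
          23: "PT_STATUS_MAX_LIMIT_REACHED", 38: "PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED",
          2058: "PT_STATUS_DUPLICATE", 2063: "PT_STATUS_INVALID_CERT"}


def q(ns: str, local: str) -> str:
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, local)


def build_invoke(cert_der: bytes, endpoint: str = "http://amt-host.example:16992/wsman") -> bytes:
    """SOAP envelope for AddTrustedRootCertificate. CertificateBlob is an OctetString,
    which WS-Man carries base64-encoded; the selector set names the service instance."""
    if not cert_der or cert_der[0] != 0x30:          # X.509 DER always starts with SEQUENCE
        raise ValueError("CertificateBlob must be a DER-encoded X.509 certificate")
    env = ET.Element(q(NS_ENV, "Envelope"))
    hdr = ET.SubElement(env, q(NS_ENV, "Header"))
    ET.SubElement(hdr, q(NS_WSA, "To")).text = endpoint
    ET.SubElement(hdr, q(NS_WSMAN, "ResourceURI")).text = RESOURCE_URI
    ET.SubElement(hdr, q(NS_WSA, "Action")).text = RESOURCE_URI + "/AddTrustedRootCertificate"
    ET.SubElement(hdr, q(NS_WSA, "MessageID")).text = "uuid:" + str(uuid.uuid4())
    reply_to = ET.SubElement(hdr, q(NS_WSA, "ReplyTo"))
    ET.SubElement(reply_to, q(NS_WSA, "Address")).text = NS_WSA + "/role/anonymous"
    selector_set = ET.SubElement(hdr, q(NS_WSMAN, "SelectorSet"))
    for name, value in SELECTORS.items():
        ET.SubElement(selector_set, q(NS_WSMAN, "Selector"), Name=name).text = value
    body = ET.SubElement(env, q(NS_ENV, "Body"))
    inp = ET.SubElement(body, q(RESOURCE_URI, "AddTrustedRootCertificate_INPUT"))
    ET.SubElement(inp, q(RESOURCE_URI, "CertificateBlob")).text = base64.b64encode(cert_der).decode()
    return ET.tostring(env, encoding="utf-8")


def selectors_in(envelope: bytes) -> dict:
    """Selector Name -> value for every wsman:Selector in an envelope."""
    root = ET.fromstring(envelope)
    return {s.get("Name"): s.text for s in root.iter(q(NS_WSMAN, "Selector"))}


def parse_response(xml_bytes: bytes):
    """Return (code, PT_STATUS name, InstanceID of the created certificate or None)."""
    root = ET.fromstring(xml_bytes)
    out = root.find(".//" + q(RESOURCE_URI, "AddTrustedRootCertificate_OUTPUT"))
    if out is None:
        raise ValueError("no AddTrustedRootCertificate_OUTPUT in reply")
    rv = out.findtext(q(RESOURCE_URI, "ReturnValue"))
    if rv is None:
        raise ValueError("reply has no ReturnValue")
    code = int(rv)
    instance_id = None
    created = out.find(q(RESOURCE_URI, "CreatedCertificate"))
    if created is not None:                             # EPR is present only on success
        for sel in created.iter(q(NS_WSMAN, "Selector")):
            if sel.get("Name") == "InstanceID":
                instance_id = sel.text
    return code, STATUS.get(code, "unknown status %d" % code), instance_id


def sample_response(code: int) -> bytes:
    """Constructed reply for offline testing; not a capture from a real device."""
    created = ""
    if code == 0:
        created = ('<g:CreatedCertificate><a:ReferenceParameters><w:SelectorSet>'
                   '<w:Selector Name="InstanceID">CONSTRUCTED-HANDLE-0</w:Selector>'
                   '</w:SelectorSet></a:ReferenceParameters></g:CreatedCertificate>')
    return ('<s:Envelope xmlns:s="%s" xmlns:a="%s" xmlns:w="%s" xmlns:g="%s"><s:Body>'
            '<g:AddTrustedRootCertificate_OUTPUT>%s<g:ReturnValue>%d</g:ReturnValue>'
            '</g:AddTrustedRootCertificate_OUTPUT></s:Body></s:Envelope>'
            % (NS_ENV, NS_WSA, NS_WSMAN, RESOURCE_URI, created, code)).encode()


if __name__ == "__main__":
    envelope = build_invoke(b"\x30\x03\x02\x01\x00")   # constructed DER stand-in, not a certificate
    print(selectors_in(envelope))
    print(parse_response(sample_response(2058)))
```

A PT_STATUS_DUPLICATE (2058) reply is worth surfacing rather than treating as an error: it means the root is already in the CertStore, which is the state a provisioning run usually wants anyway. PT_STATUS_NOT_PERMITTED (16) is specific to the trusted-root variant of the call and typically points at the realm or the provisioning state rather than at the certificate itself.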
AddKey
public uint32 AddKey([IN]uint8 KeyBlob[], [OUT]REF AMT_PublicPrivateKeyPair CreatedKey)
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
This function adds a new certificate key to the Intel(R) AMT CertStore. A key cannot be removed if its corresponding certificate is referenced (for example, used by TLS, 802.1X or EAC).
Product Specific Usage:
After the method succeeds a new instance of AMT_PublicPrivateKeyPair will be created.
Supported ECC key sizes: 384 and 512 bits. Supported RSA key sizes: 2048, 3072 and 4096 bits.
Qualifiers:
-------------
ValueMap={0, 1, 23, 38, 2058, 2062}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_DUPLICATE, PT_STATUS_INVALID_KEY}
Parameters:
--------------
- KeyBlob
- General Information:
RSA Key encoded as DER PKCS#1.
Note: The use of ECC 192/224 is blocked starting from Intel® CSME 18.0.
Qualifiers:
-------------
Required
IN
OctetString
- CreatedKey
- General Information:
Qualifiers:
-------------
OUT
GeneratePKCS10RequestEx
public uint32 GeneratePKCS10RequestEx([IN]REF AMT_PublicPrivateKeyPair KeyPair, [IN]uint32 SigningAlgorithm, [IN]uint8 NullSignedCertificateRequest[], [OUT]uint8 SignedCertificateRequest[])
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
This API is used to create a PKCS#10 certificate signing request based on a key from the key store.
Product Specific Usage:
AMT supports requests of size 2KB or less.
Qualifiers:
-------------
ValueMap={0, 1, 36, 2066}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_INVALID_PARAMETER, PT_STATUS_UNSUPPORTED}
Parameters:
--------------
- KeyPair
- General Information:
An EPR to a key pair.
Qualifiers:
-------------
Required
IN
- SigningAlgorithm
- General Information:
The signing algorithm that the FW should use for signing the certificate request
Qualifiers:
-------------
Required
IN
ValueMap={0, 1, 2, ..}
Values={SHA1-RSA, SHA256-RSA, SHA384-RSA, Reserved}
Note: SHA1 is no longer available starting from Intel CSME 18.0.
- NullSignedCertificateRequest
- General Information:
A binary representation of the null-signed PKCS#10 request. The request must include a valid PKCS10RequestInfo, which will be signed by the AMT FW. The Public Key specified in the request must match the public key of the referenced KeyPair parameter.
Qualifiers:
-------------
Required
IN
OctetString
- SignedCertificateRequest
- General Information:
A binary representation of the PKCS#10 request, signed by FW.
Qualifiers:
-------------
OUT
OctetString
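The NullSignedCertificateRequest parameter above is the part callers most often get wrong: the firmware expects a complete CertificationRequest whose signature BIT STRING is empty and whose SubjectPublicKeyInfo matches the referenced AMT_PublicPrivateKeyPair, and the whole request must fit in 2KB. The following is an added example, not Intel SDK code: it DER-encodes such a null-signed request with the standard library only, and checks the three constraints this page states (size, matching public key, empty signature) before the request would be handed to GeneratePKCS10RequestEx. Assumptions, labelled in the code: the sample modulus is a constructed 2048-bit integer used only to exercise the encoder, not a key ever produced by GenerateKeyPair, and the subject CN is a placeholder.

```python
"""Added example (not Intel SDK code): build and check the null-signed PKCS#10
request that GeneratePKCS10RequestEx takes in NullSignedCertificateRequest."""
import hashlib

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # SigningAlgorithm value 1 (SHA256-RSA) on this page
OID_COMMON_NAME = "2.5.4.3"
MAX_REQUEST_BYTES = 2048                    # "AMT supports requests of size 2KB or less"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                      # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return der(0x02, body)


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                          # base-128 with continuation bit on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(0x06, bytes(body))


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: AlgorithmIdentifier(rsaEncryption, NULL) + BIT STRING."""
    rsa_public_key = der_seq(der_int(n), der_int(e))
    return der_seq(der_seq(der_oid(RSA_ENCRYPTION), b"\x05\x00"),
                   der(0x03, b"\x00" + rsa_public_key))


def build_null_signed_csr(n: int, e: int, common_name: str) -> bytes:
    """CertificationRequest with a valid CertificationRequestInfo and an EMPTY signature
    BIT STRING (03 01 00); the firmware produces the real signature."""
    subject = der_seq(der(0x31, der_seq(der_oid(OID_COMMON_NAME),
                                        der(0x0C, common_name.encode("utf-8")))))
    cri = der_seq(der_int(0), subject, rsa_spki(n, e), der(0xA0, b""))   # attributes [0]: empty
    sig_alg = der_seq(der_oid(SHA256_WITH_RSA), b"\x05\x00")
    return der_seq(cri, sig_alg, der(0x03, b"\x00"))


def check_request(csr: bytes, n: int, e: int) -> list:
    """Constraints from this page, checked before the call; [] means the request is acceptable."""
    problems = []
    if len(csr) > MAX_REQUEST_BYTES:
        problems.append("request exceeds 2KB")
    if rsa_spki(n, e) not in csr:
        problems.append("public key does not match the referenced KeyPair")
    if not csr.endswith(b"\x03\x01\x00"):
        problems.append("signature field is not empty (request is not null-signed)")
    return problems


# Constructed sample "key": a deterministic 2048-bit odd integer, NOT a real RSA modulus.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big") | (1 << 2047) | 1
SAMPLE_E = 65537

if __name__ == "__main__":
    req = build_null_signed_csr(SAMPLE_N, SAMPLE_E, "amt-host.example")   # placeholder CN
    print(len(req), "bytes; problems:", check_request(req, SAMPLE_N, SAMPLE_E))
```

The public-key check is done by searching for the exact SubjectPublicKeyInfo encoding rather than by parsing, which is enough here because DER is canonical: a key pair from GenerateKeyPair (RSA 2048 per this page) encodes to one and only one byte string. A full request with a 2048-bit key is a few hundred bytes, so the 2KB limit mostly matters when callers add attributes such as extension requests.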
GenerateKeyPair
public uint32 GenerateKeyPair([IN]uint32 KeyAlgorithm, [IN]uint32 KeyLength, [OUT]REF AMT_PublicPrivateKeyPair KeyPair)
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
This API is used to generate a key in the FW
Qualifiers:
-------------
ValueMap={0, 1, 23, 36, 38, 2066, 2082}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_INVALID_PARAMETER, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_UNSUPPORTED, PT_STATUS_OPERATION_IN_PROGRESS}
Parameters:
--------------
- KeyAlgorithm
- General Information:
The algorithm of the generated key.
Qualifiers:
-------------
Required
IN
ValueMap={0, ..}
Values={RSA, Reserved}
- KeyLength
- General Information:
The length of the generated key in bits.
Qualifiers:
-------------
Required
IN
- KeyPair
- General Information:
An EPR to a key pair.
Supported ECC key size: 384 bits. Supported RSA key size: 2048 bits
Qualifiers:
-------------
OUT
Get
public Get([OUT]AMT_PublicKeyManagementService Instance)
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM,
ADMIN_SECURITY_GENERAL_INFO_REALM
General Information:
Gets the representation of the instance
Pull
public Pull([IN]String EnumerationContext, [IN]String MaxElements)
- Permission Information:
All users permitted to use method, only instances to whom the user has permissions will be returned
General Information:
Pulls instances of this class, following an Enumerate operation
Enumerate
public Enumerate()
- Permission Information:
All users permitted to use method
General Information:
Enumerates the instances of this class
Release
public Release([IN]String EnumerationContext)
- Permission Information:
All users permitted to use method
General Information:
Releases an enumeration context