Skip to content

refactor: add amt enable/disable functionality to CLI #1094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ShradhaGupta31 wants to merge 1 commit into
base: next
Choose a base branch
from
Open

refactor: add amt enable/disable functionality to CLI #1094

ShradhaGupta31 wants to merge 1 commit into from
+620 −36

Conversation

@ShradhaGupta31
Copy link

@ShradhaGupta31 ShradhaGupta31 commented Jan 9, 2026
edited
Loading

  • Modify rpc configure to support amt enable & disable features using SetAmtOperationalState HECI command
  • Added test files for enableamt.go & disableamt.go

addresses : #1002

Implementation results:
Note: After disabling AMT to enable it back OS refresh is needed

$ sudo ./rpc amtinfo --operationalState
time="2026-02-06T16:55:55Z" level=info msg="TLS is enforced on local ports"
Operational State       : disabled
user@localhost:~$ sudo ./rpc configure enable-operational-state -v
time="2026-02-06T16:56:25Z" level=trace msg="Running AfterApply for AMTBaseCmd"
time="2026-02-06T16:56:25Z" level=info msg="TLS is enforced on local ports"
time="2026-02-06T16:56:25Z" level=trace msg="Enabling AMT..."
time="2026-02-06T16:56:25Z" level=debug msg="IsAMTChangeEnabled response: 0xE0" currentOperationalState=Disabled isNewInterfaceVersion=true transitionAllowed=false
time="2026-02-06T16:56:25Z" level=warning msg="AMT transition may be blocked; attempting to enable anyway" reason="Device is in locked state - requires unprovisioning first"
time="2026-02-06T16:56:25Z" level=info msg="AMT enabled successfully"
user@localhost:~$ sudo ./rpc amtinfo --operationalState
time="2026-02-06T16:56:32Z" level=info msg="TLS is enforced on local ports"
Operational State       : enabled
user@localhost:~$ sudo ./rpc configure disable-operational-state -v
time="2026-02-06T16:56:41Z" level=trace msg="Running AfterApply for AMTBaseCmd"
time="2026-02-06T16:56:41Z" level=info msg="TLS is enforced on local ports"
time="2026-02-06T16:56:41Z" level=trace msg="Disabling AMT..."
time="2026-02-06T16:56:41Z" level=debug msg="IsAMTChangeEnabled response: 0xE2" currentOperationalState=Enabled isNewInterfaceVersion=true transitionAllowed=false
time="2026-02-06T16:56:41Z" level=warning msg="AMT transition blocked; device appears provisioned; attempting disable anyway (disable operations are more permissive for security)" provisionedLikely=true
time="2026-02-06T16:56:41Z" level=info msg="AMT disabled successfully"
user@localhost:~$ sudo ./rpc amtinfo --operationalState
time="2026-02-06T16:56:44Z" level=warning msg="GetControlMode failed (attempt 1/4): empty response from AMT. Retrying in 4s..."
time="2026-02-06T16:56:48Z" level=info msg="TLS is enforced on local ports"
Operational State       : disabled

@github-actions
Copy link

github-actions bot commented Jan 9, 2026
edited
Loading

Unit tests (Go)

837 tests  +23   837 ✅ +23   2s ⏱️ ±0s
 20 suites ± 0     0 💤 ± 0 
  1 files   ± 0     0 ❌ ± 0 

Results for commit 875b3d2. ± Comparison against base commit 3a1aca6.

This pull request removes 3 and adds 26 tests. Note that renamed tests count towards both. 
github.com/device-management-toolkit/rpc-go/v2/pkg/amt ‑ TestGetIsAMTEnabled
github.com/device-management-toolkit/rpc-go/v2/pkg/amt ‑ TestGetIsAMTEnabledError
github.com/device-management-toolkit/rpc-go/v2/pkg/pthi ‑ TestGetIsAMTEnabled

github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestDisableAMTCmd_Run_AlreadyDisabled
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestDisableAMTCmd_Run_DisableAMTError
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestDisableAMTCmd_Run_GetChangeEnabledError
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestDisableAMTCmd_Run_OldInterfaceVersion
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestDisableAMTCmd_Run_Success
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestDisableAMTCmd_Run_TransitionNotAllowed_AndFails
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestDisableAMTCmd_Run_TransitionNotAllowed_ButSucceeds
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestEnableAMTCmd_Run_AlreadyEnabled
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestEnableAMTCmd_Run_EnableAMTError
github.com/device-management-toolkit/rpc-go/v2/internal/commands/configure ‑ TestEnableAMTCmd_Run_GetChangeEnabledError
…

♻️ This comment has been updated with latest results.

@ShradhaGupta31
Copy link
Author

ShradhaGupta31 commented Jan 9, 2026
edited
Loading

Functionality check(AMT 21.0.2)

$ sudo ./rpc-v1 amtinfo
time="2026-01-09T05:34:59Z" level=info msg="TLS is enforced on local ports"
Version : 21.0.2
Build Number : 1415
SKU : 16392
Features : AMT Pro Corporate
UUID : 19ee4f98-df59-4f58-ae19-59df984fee19
Control Mode : pre-provisioning state
Operational State : enabled
DNS Suffix :
DNS Suffix (OS) : localdomain6
Hostname (OS) : localhost
RAS Network : outside enterprise
RAS Remote Status : not connected
RAS Trigger : user initiated
RAS MPS Hostname :
---Wired Adapter---
DHCP Enabled : true
DHCP Mode : passive
Link Status : up
AMT IP Address : 0.0.0.0
OS IP Address : 10.49.96.100
MAC Address : 98:4f:ee:19:59:df
---Wireless Adapter---
DHCP Enabled : false
DHCP Mode : passive
Link Status : down
AMT IP Address : 0.0.0.0
OS IP Address : 0.0.0.0
MAC Address : 00:00:00:00:00:00

$ sudo ./rpc-v3 configure enable-amt
time="2026-01-09T05:43:11Z" level=info msg="TLS is enforced on local ports"
time="2026-01-09T05:43:11Z" level=info msg="Enabling AMT..."
time="2026-01-09T05:43:11Z" level=info msg="AMT is already enabled"

user@localhost:~/shradha$ sudo ./rpc-v3 configure disable-amt
time="2026-01-09T05:43:24Z" level=info msg="TLS is enforced on local ports"
time="2026-01-09T05:43:24Z" level=info msg="Disabling AMT..."
time="2026-01-09T05:43:24Z" level=warning msg="AMT transition may not be allowed in current state (response: 0xE2)"
time="2026-01-09T05:43:24Z" level=info msg="This typically means the device is not in unprovisioned state"
time="2026-01-09T05:43:24Z" level=info msg="Attempting to disable AMT anyway..."
time="2026-01-09T05:43:24Z" level=info msg="AMT disabled successfully"

$ sudo ./rpc-v3 amtinfo
time="2026-01-09T05:43:39Z" level=info msg="TLS is enforced on local ports"
Version : 21.0.2
Build Number : 1415
SKU : 16392
Features : AMT Pro Corporate
UUID : 19ee4f98-df59-4f58-ae19-59df984fee19
Control Mode : pre-provisioning state
Operational State : disabled
DNS Suffix :
DNS Suffix (OS) : localdomain6
Hostname (OS) : localhost
RAS Network : outside enterprise
RAS Remote Status : not connected
RAS Trigger : user initiated
RAS MPS Hostname :
---Wired Adapter---
DHCP Enabled : true
DHCP Mode : passive
Link Status : up
AMT IP Address : 0.0.0.0
OS IP Address : 10.49.96.100
MAC Address : 98:4f:ee:19:59:df
---Wireless Adapter---
DHCP Enabled : false
DHCP Mode : passive
Link Status : down
AMT IP Address : 0.0.0.0
OS IP Address : 0.0.0.0
MAC Address : 00:00:00:00:00:00

$ sudo ./rpc-v3 configure enable-amt
time="2026-01-09T05:44:18Z" level=info msg="TLS is enforced on local ports"
time="2026-01-09T05:44:18Z" level=info msg="Enabling AMT..."
time="2026-01-09T05:44:18Z" level=warning msg="AMT transition may not be allowed in current state (response: 0xE0)"
time="2026-01-09T05:44:18Z" level=info msg="This typically means the device is not in unprovisioned state"
time="2026-01-09T05:44:18Z" level=info msg="Attempting to enable AMT anyway..."
time="2026-01-09T05:44:18Z" level=error msg="Failed to enable AMT: error setting AMT operational state enabled: AMT_STATUS_NOT_PERMITTED"
time="2026-01-09T05:44:18Z" level=error msg="failed to enable AMT: error setting AMT operational state enabled: AMT_STATUS_NOT_PERMITTED"

@ShradhaGupta31 ShradhaGupta31 force-pushed the add-amt-enable-disable-cli branch 2 times, most recently from 1038049 to 31b25d8 Compare January 20, 2026 05:52
@sudhir-intc sudhir-intc changed the title feat: add amt enable/diable functionality to CLI feat: add amt enable/disable functionality to CLI Jan 20, 2026
@ShradhaGupta31 ShradhaGupta31 force-pushed the add-amt-enable-disable-cli branch from 5ede741 to 31b25d8 Compare January 28, 2026 08:51
@rsdmike
Copy link
Member

rsdmike commented Jan 29, 2026

Seeing this as well:

PS C:\Users\Mike\Development\rpc-go> go run ./cmd/rpc/main.go amtinfo
Version                 : 18.1.18
Build Number            : 2644
SKU                     : 16392
Features                : AMT Pro Corporate
UUID                    : 
Control Mode            : pre-provisioning state
Operational State       : disabled
DNS Suffix              :
DNS Suffix (OS)         : 
Hostname (OS)           : AMT18
RAS Network             : outside enterprise
RAS Remote Status       : not connected
RAS Trigger             : user initiated
RAS MPS Hostname        :
---Wired Adapter---
DHCP Enabled            : true
DHCP Mode               : passive
Link Status             : up
AMT IP Address          : 0.0.0.0
OS IP Address           : 
MAC Address             : 
---Wireless Adapter---
DHCP Enabled            : true
DHCP Mode               : passive
Link Status             : down
AMT IP Address          : 0.0.0.0
OS IP Address           : Not Found
MAC Address             : 
PS C:\Users\Mike\Development\rpc-go> go run ./cmd/rpc/main.go configure enable
time="2026-01-29T14:56:28-08:00" level=info msg="Enabling AMT..."
time="2026-01-29T14:56:28-08:00" level=warning msg="AMT transition may be blocked (response: 0xA0): Device has additional security restrictions or OEM policy lockdown"
time="2026-01-29T14:56:28-08:00" level=info msg="Attempting to enable AMT anyway..."
time="2026-01-29T14:56:28-08:00" level=error msg="Failed to enable AMT: error setting AMT operational state enabled: AMT_STATUS_NOT_PERMITTED"
time="2026-01-29T14:56:28-08:00" level=info msg="AMT Enable operation failed."
time="2026-01-29T14:56:28-08:00" level=error msg="failed to enable AMT: error setting AMT operational state enabled: AMT_STATUS_NOT_PERMITTED"
exit status 10
PS C:\Users\Mike\Development\rpc-go>

@ShradhaGupta31 ShradhaGupta31 force-pushed the add-amt-enable-disable-cli branch 2 times, most recently from 65af3c0 to caabded Compare February 3, 2026 08:15
@ShradhaGupta31
Copy link
Author

ShradhaGupta31 commented Feb 3, 2026

aliases for enable & disable is changed as discussed.

user@localhost:$ sudo ./rpc-v8 configure enable-operational-state
time="2026-02-03T08:13:03Z" level=info msg="TLS is enforced on local ports"
time="2026-02-03T08:13:03Z" level=info msg="Enabling AMT..."
time="2026-02-03T08:13:03Z" level=info msg="AMT is already enabled"
user@localhost:$
user@localhost:$
user@localhost:$
user@localhost:$ sudo ./rpc-v8 configure enable-op-state
time="2026-02-03T08:13:13Z" level=info msg="TLS is enforced on local ports"
time="2026-02-03T08:13:13Z" level=info msg="Enabling AMT..."
time="2026-02-03T08:13:13Z" level=info msg="AMT is already enabled"
user@localhost:$
user@localhost:$
user@localhost:$ sudo ./rpc-v8 configure disable-op-state
time="2026-02-03T08:13:21Z" level=info msg="TLS is enforced on local ports"
time="2026-02-03T08:13:21Z" level=info msg="Disabling AMT..."
time="2026-02-03T08:13:21Z" level=warning msg="AMT transition blocked (response: 0xE2): Device is in locked state - requires unprovisioning first"
time="2026-02-03T08:13:21Z" level=info msg="Note: Device appears provisioned, but attempting disable for security purposes"
time="2026-02-03T08:13:21Z" level=info msg="Attempting to disable AMT anyway (disable operations are more permissive for security)..."
time="2026-02-03T08:13:21Z" level=info msg="AMT disabled successfully"
user@localhost:$
user@localhost:$
user@localhost:$ sudo ./rpc-v8 configure disable-operational-state
time="2026-02-03T08:13:34Z" level=info msg="TLS is enforced on local ports"
time="2026-02-03T08:13:34Z" level=info msg="Disabling AMT..."
time="2026-02-03T08:13:34Z" level=info msg="AMT is already disabled"
user@localhost:$

sudhir-intc
sudhir-intc reviewed Feb 3, 2026
View reviewed changes
Copy link

@sudhir-intc sudhir-intc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did a code review, but need to test the usage. Will provide further feedback after doing the testing

sinchubhat
sinchubhat reviewed Feb 3, 2026
View reviewed changes
@ShradhaGupta31 ShradhaGupta31 changed the title feat: add amt enable/disable functionality to CLI refactor: add amt enable/disable functionality to CLI Feb 4, 2026
@sudhir-intc
Copy link

sudhir-intc commented Feb 4, 2026
edited
Loading

I see these multiple logs, please remove the duplicate one

sudo ./rpc configure disable-amt
time="2026-02-04T13:58:56+05:30" level=error msg="This AMT version does not support SetAmtOperationalState mechanism (response: 0x02)"
time="2026-02-04T13:58:56+05:30" level=error msg="AMT version does not support SetAmtOperationalState - use legacy provisioning method"


sudo ./rpc-amt-op configure disable-amt
time="2026-02-04T13:46:29+05:30" level=warning msg="AMT transition blocked (response: 0x82): Device is provisioned or has manufacturer restrictions - try unprovisioning"
time="2026-02-04T13:46:29+05:30" level=info msg="Attempting to disable AMT (disable operations are more permissive for security)..."
time="2026-02-04T13:46:29+05:30" level=error msg="Failed to disable AMT: error setting AMT operational state disabled: AMT_STATUS_NOT_PERMITTED"
time="2026-02-04T13:46:29+05:30" level=error msg="failed to disable AMT: error setting AMT operational state disabled: AMT_STATUS_NOT_PERMITTED"

rpc.exe configure enable-amt -v
time="2026-02-04T17:14:47+05:30" level=trace msg="Running AfterApply for AMTBaseCmd"
time="2026-02-04T17:14:47+05:30" level=trace msg="Enabling AMT..."
time="2026-02-04T17:14:47+05:30" level=debug msg="ChangeEnabled response: 0xA0 | IsNewInterfaceVersion: true | IsTransitionAllowed: false | IsAMTEnabled: false"
time="2026-02-04T17:14:47+05:30" level=warning msg="AMT transition may be blocked (response: 0xA0): Device has additional security restrictions or OEM policy lockdown; Attempting to enable AMT anyway..."
time="2026-02-04T17:14:47+05:30" level=error msg="Failed to enable AMT: error setting AMT operational state enabled: AMT_STATUS_NOT_PERMITTED"
time="2026-02-04T17:14:47+05:30" level=info msg="AMT Enable operation failed."
time="2026-02-04T17:14:47+05:30" level=error msg="failed to enable AMT: error setting AMT operational state enabled: AMT_STATUS_NOT_PERMITTED"

@ShradhaGupta31

@ShradhaGupta31 ShradhaGupta31 force-pushed the add-amt-enable-disable-cli branch 2 times, most recently from 875b3d2 to 315bd41 Compare February 6, 2026 08:33
@ShradhaGupta31
Copy link
Author

ShradhaGupta31 commented Feb 6, 2026

@sudhir-intc incorporated the code changes shared by you for log updates. Pls review.

graikhel-intel
graikhel-intel reviewed Feb 6, 2026
View reviewed changes
internal/commands/configure/enableamt.go Outdated

// Step 2: Attempt to use MHC_SetAmtOperationalState to enable AMT
if err := ctx.AMTCommand.EnableAMT(); err != nil {
return fmt.Errorf("failed to enable AMT; retry after resetting device: %w", err)
Copy link
Contributor

@graikhel-intel graikhel-intel Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nitpick: I’ve seen customers ask what “reset” means. Would it be clearer to say “restarting the device” (or “rebooting the device”) instead?

Copy link
Author

@ShradhaGupta31 ShradhaGupta31 Feb 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

modified code to display "reboot the device" message

@ShradhaGupta31 ShradhaGupta31 changed the base branch from main to next February 9, 2026 04:05
@ShradhaGupta31 ShradhaGupta31 force-pushed the add-amt-enable-disable-cli branch 3 times, most recently from 4857cab to 0fc7405 Compare February 9, 2026 05:40
@ShradhaGupta31
refactor: add amt enable/diable functionality to CLI
0fc7405 
- Modify rpc configure to support amt enable & disable features using SetAmtOperationalState
HECI command
- Added test files for enableamt.go & disableamt.go
- Modified relevant files for a more readable function names

addresses : #1002

Signed-off-by: ShradhaGupta31 <shradha.gupta@intel.com>
@ShradhaGupta31 ShradhaGupta31 marked this pull request as ready for review February 9, 2026 08:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sinchubhat sinchubhat sinchubhat left review comments

@rsdmike rsdmike rsdmike approved these changes

@sudhir-intc sudhir-intc sudhir-intc approved these changes

@nbmaiti nbmaiti Awaiting requested review from nbmaiti

@madhavilosetty-intel madhavilosetty-intel Awaiting requested review from madhavilosetty-intel

@graikhel-intel graikhel-intel Awaiting requested review from graikhel-intel

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ShradhaGupta31 @rsdmike @sudhir-intc @sinchubhat @graikhel-intel