feat(devices): add remote platform erase support

[nmgaston]

NOTE: Requires real AMT 16.0+ hardware with RPE BIOS support for end-to-end testing.

Related PRs

• go-wsman-messages: feat: add RPE parameter types, sizes, and validation maps go-wsman-messages#665 (required — adds RPE TLV parameter types and NewUint32Parameter)
• sample-web-ui: feat(devices): add remote platform erase support sample-web-ui#3206 (frontend changes for RPE UI)

Description

Adds support for Intel Remote Platform Erase (RPE), a CSME 16.0+ feature that allows remote administrators to securely erase platform storage components (SSDs, TPM, BIOS NVM, etc.) on the next system boot.

What's New

API Endpoints

Method	Path	Description
GET	/api/v1/amt/boot/capabilities/:guid	Returns AMT_BootCapabilities including the PlatformErase bitmask indicating which erase components the device BIOS supports
POST	/api/v1/amt/boot/rpe/:guid	Enables or disables the RPE feature in AMT firmware (AMT_BootSettingData PUT)
POST	/api/v1/amt/remoteErase/:guid	Arms and triggers RPE on the next boot with a bitmask specifying which components to erase

Erase Component Bitmask (AMT_BootCapabilities.PlatformErase)

Per the Intel AMT spec:

Bit	Value	Component
0	0x01	RPE overall support
2	0x04	Secure Erase All SSDs
3	0x08	Verify Storage Erase (CSME 18.0+)
4	0x10	Generate sanitization report (CSME 18.0+)
6	0x40	TPM Clear
16	0x10000	OEM Custom Action (Raptor Lake CSME 16.1+) — also used as the UI-level CSME-unconfigure sentinel (see Notes)
25	0x2000000	Clear BIOS NVM Variables
26	0x4000000	BIOS Reload of Golden Configuration

RPE Trigger Flow (SendRemoteErase)

1. GET AMT_BootSettingData — read current state and verify RPEEnabled=true
2. (CSME-only path) CIM_BootConfigSetting.ChangeBootOrder("") — clears any active boot source override before setting CSME reset flags (equivalent to ClearBootOptions in the Intel AMT C# SDK). Only called when eraseMask contains no hardware TLV targets (tlvMask == 0); clearing the boot order when hardware targets are also present causes undefined BIOS behavior
3. CIM_BootService.RequestStateChange(32770) — switch firmware to RPE mode (required when boot service is in OCR mode 32769; omitting it causes ActionNotSupported)
4. If eraseMask contains hardware targets: encode tlvMask (eraseMask with the CSME sentinel bit stripped) as a TLV buffer (ParameterTypeID=1, uint32 LE) and base64-encode it into UefiBootParametersArray
5. PUT AMT_BootSettingData with PlatformErase=true (if hardware targets present), ConfigurationDataReset=true (if CSME sentinel bit set), UefiBootParametersArray=<TLV> (if hardware targets present)
6. Verify PlatformErase latched via a follow-up GET — abort if not
7. CIM_BootService.SetBootConfigRole — activate the boot configuration
8. RequestPowerStateChange(PowerCycleOffHard) — full S5→S0 power cycle to execute erase on next boot

CIM_BootService.EnabledState Constants (clarified)

Value	Meaning
32768	OCR disabled, RPE disabled
32769	OCR enabled, RPE disabled
32770	OCR disabled, RPE enabled
32771	OCR enabled, RPE enabled

SetFeatures correctly computes the required state when OCR and RPE are set together, and setRPE runs before the OCR state change to avoid the OCR state blocking the RPE PUT.

DTO / Feature Surface

AMTFeaturesRequest and Features DTOs (v1 + v2) updated with:

Field	Description
rpe	Whether RPE is currently active in firmware state
rpeSupported	Whether device BIOS supports RPE (Bit 0 of PlatformErase capabilities)

Testing

• Unit tests added for GetBootCapabilities, SetRPEEnabled, SendRemoteErase use-case functions and HTTP controller handlers
• SetFeatures tests extended to cover RPE + OCR state combinations
• Unit tests added for buildRPETLVParams covering individual hardware targets, combined masks, and CSME bit stripping
• Verified on real AMT 16.1 hardware

Notes

• 0x10000 (rpeCSMEBit) doubles as the raw AMT_BootCapabilities.PlatformErase bit for OEM Custom Action and as the UI-level sentinel for "Unconfigure Intel CSME Firmware". When set in the request mask it sets ConfigurationDataReset=true in the PUT and is stripped from the TLV hardware bitmask — PlatformErase and ConfigurationDataReset are independent flags and are never both set from the same bit
• CSME unconfigure (0x10000) must be requested alone — it cannot be combined with hardware TLV targets (TPM, SSD, BIOS NVM, BIOS Reload) in one call. The UI enforces this; the backend additionally guards ChangeBootOrder from firing when tlvMask != 0 to prevent silently poisoning hardware targets if the API is called directly with a combined mask
• UefiBootParametersArray must be non-empty when PlatformErase=true — the firmware returns InvalidRepresentation if the element is present but empty or absent. The TLV device bitmask (ParameterTypeID=1) is mandatory per the Intel RPE spec
• PowerCycleOffHard (S5→S0) is required for erase execution; MasterBusReset (warm reset) keeps ME power rails energised so the BIOS never gets the opportunity to execute the CSME/platform erase
• RequestStateChange(32770) must be called before the PUT when the boot service is in OCR mode (32769); omitting it causes ActionNotSupported
• Devices that don't advertise RPE support (Bit 0 of PlatformErase == 0) return a validation error rather than attempting the operation

[codecov]

Codecov Report

❌ Patch coverage is 95.80420% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.21%. Comparing base (87d9ebe) to head (72b55d3).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/usecase/devices/boot.go	92.59%	2 Missing and 2 partials ⚠️
internal/controller/openapi/devicemanagement.go	87.50%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #846       +/-   ##
===========================================
+ Coverage   39.92%   58.21%   +18.28%     
===========================================
  Files         123      111       -12     
  Lines       11355     8561     -2794     
===========================================
+ Hits         4534     4984      +450     
+ Misses       6424     3174     -3250     
- Partials      397      403        +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[rsdmike]

Thanks @nmgaston for doing this. @graikhel-intel and i have taken some time to think through and go through this. Here is our feedback:

1. Simplify AMT features request/response to just include rpeSupported and rpe:

{
    "redirection": true,
    "KVM": true,
    "SOL": true,
    "IDER": true,
    "optInState": 0,
    "userConsent": "none",
    "kvmAvailable": true,
    "ocr": false,
    "httpsBootSupported": true,
    "winREBootSupported": true,
    "localPBABootSupported": true,
    "rpe": true,
    "rpeSupported": true,
<remove>
    "rpeCaps": 100728925,
    "rpeSecureErase": true,
    "rpeTPMClear": true,
    "rpeClearBIOSNVM": true,
    "rpeBIOSReload": true
</remove>
}

Once this is done, can update the UI on the General AMT Info screen change RPE into a checkbox which will enable/disable rpe and grey it out/disable if rpe is not supported.

2. Currently you have GET: boot/capabilities/:guid (where is this used?) , POST: boot/rpe/:guid, and POST: remoteErase/:guid endpoints added. Consolidate this to GET boot/remoteErase/:guid -- which will fetch the supported capabilities
   and POST boot/remoteErase/:guid which will perform the desired action

 {
  "secureEraseAllSSDs": true,
  "tpmClear": true,
  "restoreBIOSToEOM": true,
  "unconfigureCSME": true
}

Note important removal of any mask representation of features. This will mean the UI needs to be updated with the new payload.