feat: Remote Platform Erase capability #2407

Open
nmgaston wants to merge 1 commit into main from remotePlatformErase
@nmgaston nmgaston commented Mar 25, 2026

NOTE: Needs to be tested on real HW. Currently don't have an AMT 16+ device that supports RPE.

PR Checklist

  • Unit Tests have been added for new changes
  • API tests have been updated if applicable
  • All commented code has been removed
  • If you've added a dependency, you've ensured license is compatible with Apache 2.0 and clearly outlined the added dependency.

What are you changing?

Adds Remote Platform Erase (RPE) support to MPS.

  • New GET /amt/boot/capabilities/:guid endpoint returning raw AMT_BootCapabilities for use by RPE and boot feature flows
  • New POST /amt/boot/rpe/:guid endpoint to enable/disable RPE on a device (setRPEEnabled)
  • New POST /amt/remoteErase/:guid endpoint to trigger a remote platform erase with a caller-supplied bitmask (sendRemoteErase)
  • DeviceAction additions: setRPEEnabled, sendRemoteErase, getBootCapabilities
  • sendRemoteErase handles both hardware erase targets (via UEFI TLV boot parameters) and CSME/ConfigurationDataReset via the AMT_BootSettingData PUT
  • Both new endpoints validate device capability (PlatformErase) before proceeding, returning a 400 if unsupported
  • Added server-side validation in sendRemoteErase rejecting any eraseMask that combines the CSME unconfigure bit (0x10000) with hardware erase bits — returns 400 with a clear error message
  • Refactored getPowerCapabilities into getBootCapabilities to eliminate duplicate logic
  • Updated getAMTFeatures/setAMTFeatures to include RPE-related feature fields
  • Postman collection updated with new RPE endpoints

Anything the reviewer should know when reviewing this PR?

  • The sendRemoteErase implementation follows the AMT spec sequence: GET boot settings → validate RPE enabled → switch boot service to RPE mode (32770) → PUT boot data with erase fields → SetBootConfigRole → power cycle off-hard (action 5). A warm reset is insufficient; S5→S0 is required for the ME to act on the erase.
  • The 0x10000 bit in eraseMask is a sentinel for CSME/ConfigurationDataReset — it is not a hardware TLV target and is stripped before building the UEFI parameter array.
  • Real hardware validation is needed on an AMT 16+ device; the PlatformErase capability field is not present on older firmware.
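
The capability gate and eraseMask rule from the description above, as an added example (not code from this PR or from MPS). `checkEraseMask`, `EraseDecision` and `reject` are hypothetical names; treating the mask as an unsigned 32-bit integer, rejecting an empty mask, and treating every bit other than 0x10000 as an opaque hardware target are assumptions.

```typescript
// Added example: hypothetical names, not the MPS implementation.
// Only the 0x10000 sentinel and the 400 responses come from the PR description.
const CSME_UNCONFIGURE_BIT = 0x10000

interface EraseDecision {
  status: 400 | null // 400 when the request must be rejected
  error: string | null
  csmeReset: boolean // take the CSME/ConfigurationDataReset path
  hardwareMask: number // bits left for the UEFI TLV parameter array
}

function reject (error: string): EraseDecision {
  return { status: 400, error, csmeReset: false, hardwareMask: 0 }
}

function checkEraseMask (eraseMask: unknown, platformEraseSupported: boolean): EraseDecision {
  // Capability gate first: without PlatformErase nothing else is evaluated.
  if (!platformEraseSupported) {
    return reject('device does not support PlatformErase')
  }
  // Assumption: the mask is an unsigned 32-bit integer. Strings, floats,
  // negatives and NaN are refused instead of being coerced by bitwise operators.
  if (typeof eraseMask !== 'number' || !Number.isInteger(eraseMask) ||
      eraseMask < 0 || eraseMask > 0xFFFFFFFF) {
    return reject('eraseMask must be an unsigned 32-bit integer')
  }
  // Assumption: an empty mask is a caller error, not a silent no-op.
  if (eraseMask === 0) {
    return reject('eraseMask selects nothing')
  }
  const csmeReset = (eraseMask & CSME_UNCONFIGURE_BIT) !== 0
  // Strip the sentinel; >>> 0 keeps the result unsigned when bit 31 is set.
  const hardwareMask = (eraseMask & ~CSME_UNCONFIGURE_BIT) >>> 0
  if (csmeReset && hardwareMask !== 0) {
    return reject('CSME unconfigure (0x10000) cannot be combined with hardware erase bits')
  }
  return { status: null, error: null, csmeReset, hardwareMask }
}
```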

@nmgaston force-pushed the remotePlatformErase branch 2 times, most recently from a1f3953 to 16567d2, April 16, 2026 19:38
@nmgaston linked an issue Apr 16, 2026 that may be closed by this pull request (7 tasks)
@nmgaston force-pushed the remotePlatformErase branch from 86f6395 to 4f898d2, April 20, 2026 18:39
@nmgaston marked this pull request as ready for review April 23, 2026 19:38
@nmgaston requested a review from rsdmike April 23, 2026 19:38
@nmgaston force-pushed the remotePlatformErase branch from 15e3a49 to b99abac, April 23, 2026 19:40
Development

Successfully merging this pull request may close these issues.

Add support for Remote Platform Erase in MPS