Add support for Remote Platform Erase in MPS

[ctmorris88]

Background/Context

Intel® Remote Platform Erase (RPE) allows an IT administrator to remotely erase all platform data, including (optionally) Intel® AMT configuration, enabling secure reuse of a device without requiring manual SSD erasure.

As part of this story, we need the ability to:

• Discover whether RPE is supported and enabled on a platform
• Enable or disable RPE
• Trigger an RPE operation by setting the appropriate boot option and performing a reset (similar to the existing OCR flow)

The detailed behavior and flows are documented in the Intel AMT SDK reference https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2FSecure_Remote_Platform_Erase.htm

At a high level, the following AMT calls are involved:

1. Discovery

Discover RPE support in BIOS

• Read AMT_BootCapabilities.PlatformErase to determine whether the BIOS supports Remote Platform Erase and what erase capabilities are available.
• This is a read-only property.

Whether RPE is Enabled in BIOS

• Read AMT_BootSettingData.RPEEnabled to determine whether RPE is enabled in BIOS
• This is a read-only property and can only be changed via the BIOS menu

Whether RPE is Enabled or Disabled by AMT

• Enable or disable RPE in Intel AMT using CIM_BootService.RequestStateChange
• This operation requires administrative privileges and will fail if the feature is not supported or disabled in BIOS

Understand what features are supported by AMT as part of RPE

• AMT_BootCapabilities.PlatformErase must be parsed to understand which RPE features and erase options are supported on the platform
• Supported capabilities vary by AMT/CSME version. Full details are documented in the SDK https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=HTMLDocuments%2FWS-Management_Class_Reference%2FAMT_BootCapabilities.htm%23PlatformErase

2. Enable/Disable RPE

• RPE is enabled or disabled in Intel AMT using CIM_BootService.RequestStateChange.
• If BIOS does not support RPE or RPE is disabled in BIOS, this call will fail.

3. Trigger RPE

• Set the RPE boot option using AMT_BootSettingData.PlatformErase.
• Configure erase parameters using AMT_BootSettingData.UefiBootParametersArray.
• Activate the configuration using CIM_BootService.SetBootConfigRole.
• Perform a reset / power action to start the RPE flow.

Acceptance Criteria

• UI changes
• Add WSMAN messages to wsman-messages if any class is missing
• API to know if RPE is supported
• API to enable or disable RPE
• Power action to trigger RPE
• Validation on AMT 16 and above platforms
• Standard Definition of Done (DoD)

[graikhel-intel]

Here's the reference from AMT SDK - https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2FSecure_Remote_Platform_Erase.htm

[sudhir-intc]

@graikhel-intel and @ctmorris88 : The AMT SDK mentions the below, we should consider supporting Remote Platform Erase inplace of Remote Secure Erase.

Intel Remote Platform Erase is the new erase feature, and is more advanced than the Remote Secure Erase (RSE) feature that was added in Release 11.0.
Remote Secure Erase is being deprecated and will be removed from the firmware starting with Release 20.0. Intel recommends using Intel Remote Platform Erase instead.