IPMI Firmware Firewall

Alexander Amelkin a.amelkin at yadro.com
Thu Apr 19 22:52:34 AEST 2018


Well, although I've never seen this feature actually implemented
anywhere, I can imagine that it can be useful for cases when the host OS
is "owned"/managed by a different entity than the hardware. E.g. in a
dedicated server hosting or similar scenarios. The owner of the hardware
may not want to allow the tenants to be able to perform destructive or
potentially destructive operations on the BMC. I can think of
prohibiting firmware updates (even with good firmware), user
management, network configuration, SEL and PEF/PET manipulation, etc.

Sincerely,
Alexander.

19.04.2018 13:17, Deepak Kodihalli wrote:
> Hi All,
>
> The Firmware Firewall is something that the OpenBMC stack does not
> implement today. Do you know how useful this is to an IPMI user? Is
> this something we must implement in the IPMI stack?
>
> It seems to apply to malicious firmware running on the BMC in a blade
> server/multi-bmc environment, but aren't those concerns addressed by
> signed images and/or other modern security features?
>
> Thanks,
> Deepak
>

