IPMI Firmware Firewall
Vernon Mauery
vernon.mauery at linux.intel.com
Fri Apr 20 04:36:37 AEST 2018
On 19-Apr-2018 03:52 PM, Alexander Amelkin wrote:
>Well, although I've never seen this feature actually implemented
>anywhere, I can imagine that it can be useful for cases when the host OS
Back in 2006, some IBM servers had BMCs that supported this. I guess
their BMC developers got really excited about the new IPMI 2.0 spec and
went all out.
>is "owned"/managed by a different entity than the hardware. E.g. in a
>dedicated server hosting or similar scenarios. The owner of the hardware
>may not want to allow the tenants to be able to perform destructive or
>potentially destructive operations on the BMC. I can think of
>prohibiting firmware updates (even with good firmwares), user
>management, network configuration, SEL and PEF/PET manipulation, et al.
The firmware firewall mechanism as is does not really do much good. I
spent a while writing up the ipmitool implementation in 2006. The
biggest trouble with it is that the configuration of it happens as the
admin user, so if your untrusted user has admin privileges, they could
potentially just change the firmware firewall. The nice part is that it
makes the ipmi commands more discoverable.
But as part of the rework of the ipmi daemon, I was thinking of adding
in a filter layer that allows ipmi providers to hook in whatever command
filtering that they want. This is where the ipmi firmware firewall would
exist (if it were to be implemented) and where the current IBM
"Whitelist" could be hooked in.
--Vernon
>Sincerely,
>Alexander.
>
>19.04.2018 13:17, Deepak Kodihalli wrote:
>> Hi All,
>>
>> The Firmware Firewall is something that the OpenBMC stack does not
>> implement today. Do you know how useful this is to an IPMI user? Is
>> this something we must implement in the IPMI stack?
>>
>> It seems to apply to malicious firmware running on the BMC in a blade
>> server/multi-bmc environment, but aren't those concerns addressed by
>> signed images and/or other modern security features?
>>
>> Thanks,
>> Deepak
>>
>
>
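The filter layer Vernon sketches, and the caveat he raises about the firmware firewall being reconfigurable by an Admin-privileged user, as an added example. This is not code from the thread, from OpenBMC or from ipmitool: it models a chain of command-filter hooks with two providers, a build-time whitelist and a runtime command-enable table, and runs a constructed tenant scenario through both. Channel numbers, the Set Command Enables command number (0x06/0x60), and the Clear SEL / Get SEL Info numbers (0x0A/0x47, 0x0A/0x40) are the example's own assumptions, and the enable table leaves out the spec's LUN and sub-function granularity.

```cpp
// Added example (not OpenBMC or ipmitool code): a command-filter layer with
// two hooks, a build-time whitelist and a runtime firmware-firewall-style
// enable table. NetFn/command numbers are assumed for illustration.
#include <bitset>
#include <cstdint>
#include <functional>
#include <map>
#include <set>
#include <utility>
#include <vector>

enum class Priv : uint8_t { User = 2, Operator = 3, Admin = 4 };

struct Request {
    uint8_t channel;  // assumed: 0 = system interface, 1 = tenant LAN channel
    uint8_t netfn;    // request NetFn (even)
    uint8_t cmd;
    Priv priv;        // privilege level of the requesting session
};

using Filter = std::function<bool(const Request&)>;  // true = allow

// The filter layer: every registered hook must allow, the first deny wins.
class FilterChain {
public:
    void add(Filter f) { filters_.push_back(std::move(f)); }
    bool allowed(const Request& r) const {
        for (const auto& f : filters_)
            if (!f(r)) return false;
        return true;
    }
private:
    std::vector<Filter> filters_;
};

// Hook 1: a fixed (channel, netfn, cmd) whitelist baked into the image, so
// no IPMI command can widen it at runtime, whatever the session privilege.
class Whitelist {
public:
    static uint32_t key(uint8_t ch, uint8_t nf, uint8_t cmd) {
        return (uint32_t{ch} << 16) | (uint32_t{nf} << 8) | cmd;
    }
    explicit Whitelist(std::set<uint32_t> allow) : allow_(std::move(allow)) {}
    bool operator()(const Request& r) const {
        return allow_.count(key(r.channel, r.netfn, r.cmd)) != 0;
    }
private:
    std::set<uint32_t> allow_;
};

// Hook 2: one enable bit per command, per (channel, netfn): the shape of the
// firmware firewall's command-enable bitmaps. Everything is enabled until
// configured. The configuration command is honoured only for Admin sessions,
// which is exactly the weakness: an Admin tenant can undo the owner's setup.
class CommandEnables {
public:
    static constexpr uint8_t kAppNetFn = 0x06;
    static constexpr uint8_t kSetEnablesCmd = 0x60;  // assumed number
    bool operator()(const Request& r) const {
        auto it = table_.find(std::make_pair(r.channel, r.netfn));
        return it == table_.end() || it->second.test(r.cmd);
    }
    bool set(const Request& via, uint8_t channel, uint8_t netfn,
             uint8_t cmd, bool enable) {
        if (via.priv != Priv::Admin) return false;
        auto key = std::make_pair(channel, netfn);
        auto it = table_.find(key);
        if (it == table_.end())
            it = table_.emplace(key, std::bitset<256>().set()).first;
        it->second.set(cmd, enable);
        return true;
    }
private:
    std::map<std::pair<uint8_t, uint8_t>, std::bitset<256>> table_;
};

struct EnableArgs { uint8_t channel, netfn, cmd; bool enable; };

// Minimal dispatcher: the configuration command goes through the same chain
// as every other command before it is acted on.
struct Bmc {
    CommandEnables enables;
    FilterChain chain;
    bool handle(const Request& r, EnableArgs a = EnableArgs{}) {
        if (!chain.allowed(r)) return false;
        if (r.netfn == CommandEnables::kAppNetFn &&
            r.cmd == CommandEnables::kSetEnablesCmd)
            return enables.set(r, a.channel, a.netfn, a.cmd, a.enable);
        return true;  // a real daemon would run the handler here
    }
};

// Constructed scenario: the owner disables Clear SEL (0x0A/0x47) on the
// tenant's channel 1, but the tenant's session holds Admin privilege.
bool firewallOnlyTenantReenables() {
    Bmc bmc;
    bmc.chain.add(std::ref(bmc.enables));
    bmc.handle(Request{0, 0x06, 0x60, Priv::Admin}, {1, 0x0A, 0x47, false});
    Request clearSel{1, 0x0A, 0x47, Priv::Admin};
    bool blocked = !bmc.handle(clearSel);
    bmc.handle(Request{1, 0x06, 0x60, Priv::Admin}, {1, 0x0A, 0x47, true});
    return blocked && bmc.handle(clearSel);  // true: tenant undid the firewall
}

// Same tenant, but a whitelist that omits Set Command Enables on channel 1
// holds regardless of privilege; Get SEL Info (0x0A/0x40) stays usable.
bool whitelistHoldsAgainstAdmin() {
    Bmc bmc;
    bmc.chain.add(Whitelist({Whitelist::key(0, 0x06, 0x60),
                             Whitelist::key(1, 0x0A, 0x40)}));
    bmc.chain.add(std::ref(bmc.enables));
    bool setRejected = !bmc.handle(Request{1, 0x06, 0x60, Priv::Admin},
                                   {1, 0x0A, 0x47, true});
    bool clearRejected = !bmc.handle(Request{1, 0x0A, 0x47, Priv::Admin});
    bool infoOk = bmc.handle(Request{1, 0x0A, 0x40, Priv::Admin});
    return setRejected && clearRejected && infoOk;
}
```

Both hooks plug into the same chain, which is the point of a provider-neutral filter layer: the whitelist is what keeps the restriction meaningful when the tenant's session is Admin, while the enable table only adds discoverability and restrictions for lower-privileged sessions.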