IPMI Firmware Firewall

Vernon Mauery vernon.mauery at linux.intel.com
Fri Apr 20 04:36:37 AEST 2018

On 19-Apr-2018 03:52 PM, Alexander Amelkin wrote:
>Well, although I've never seen this feature actually implemented
>anywhere, I can imagine that it can be useful for cases when the host OS

Back in 2006, some IBM servers had BMCs that supported this. I guess 
their BMC developers got really excited about the new IPMI 2.0 spec and 
went all out.

>is "owned"/managed by a different entity than the hardware. E.g. in a
>dedicated server hosting or similar scenarios. The owner of the hardware
>may not want to allow the tenants to be able to perform destructive or
>potentially destructive operations on the BMC. I can think of
>prohibiting firmware updates (even with good firmwares), user
>management, network configuration, SEL and PEF/PET manipulation, et al.

The firmware firewall mechanism as is does not really do much good. I 
spent a while writing up the ipmitool implementation in 2006. The 
biggest trouble with it is that the configuration of it happens as the 
admin user, so if your untrusted user has admin privileges, they could 
potentially just change the firmware firewall. The nice part is that it 
makes the ipmi commands more discoverable.

But as part of the rework of the ipmi daemon, I was thinking of adding 
in a filter layer that allows ipmi providers to hook in whatever command 
filtering that they want. This is where the ipmi firmware firewall would 
exist (if it was to be implemented) and where the current IBM 
"Whitelist" could be hooked in.
>19.04.2018 13:17, Deepak Kodihalli wrote:
>> Hi All,
>> The Firmware Firewall is something that the OpenBMC stack does not
>> implement today. Do you know how useful this is to an IPMI user? Is
>> this something we must implement in the IPMI stack?
>> It seems to apply to malicious firmware running on the BMC in a blade
>> server/multi-bmc environment, but aren't those concerns addressed by
>> signed images and/or other modern security features?
>> Thanks,
>> Deepak
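The filter layer sketched above, as an added example that is not part of the original post or of OpenBMC's ipmid: providers register filters that see each request before dispatch, a whitelist filter restricts one channel to listed commands, and a lockdown filter carries a deny set fixed at build time, which is what avoids the problem of an admin-privileged tenant simply editing a firmware-firewall table. The request struct, the filter API and the names are assumptions for this sketch; the completion codes are the IPMI 2.0 values.

```cpp
#include <cstdint>
#include <functional>
#include <set>
#include <utility>
#include <vector>

// Constructed request context: what a filter sees before the handler is dispatched.
struct IpmiRequest {
    uint8_t netFn;    // IPMI network function
    uint8_t cmd;      // command number within that netFn
    uint8_t channel;  // channel the request arrived on
};
// IPMI 2.0 completion codes used below: success, invalid command, insufficient privilege.
constexpr uint8_t ccSuccess = 0x00, ccInvalidCommand = 0xC1, ccInsufficientPrivilege = 0xD4;

// A filter returns ccSuccess to pass the request on, any other code to reject it.
using Filter = std::function<uint8_t(const IpmiRequest&)>;
using CmdSet = std::set<std::pair<uint8_t, uint8_t>>;  // (netFn, cmd) pairs

// Filter layer: providers register filters; every filter must accept a request
// before its handler runs, and the first rejection is returned to the requester.
class FilterChain {
public:
    void registerFilter(Filter f) { filters_.push_back(std::move(f)); }
    uint8_t run(const IpmiRequest& r) const {
        for (const auto& f : filters_) {
            uint8_t cc = f(r);
            if (cc != ccSuccess) return cc;
        }
        return ccSuccess;
    }
private:
    std::vector<Filter> filters_;
};

// Whitelist filter: on the given channel only listed (netFn, cmd) pairs are accepted.
Filter makeWhitelist(uint8_t channel, CmdSet allowed) {
    return [=](const IpmiRequest& r) {
        if (r.channel != channel) return ccSuccess;
        return allowed.count({r.netFn, r.cmd}) ? ccSuccess : ccInvalidCommand;
    };
}

// Lockdown filter: the deny set is fixed by the provider at build time, so no IPMI
// user, admin included, can reconfigure it the way a firmware-firewall table can be.
Filter makeLockdown(CmdSet denied) {
    return [=](const IpmiRequest& r) {
        return denied.count({r.netFn, r.cmd}) ? ccInsufficientPrivilege : ccSuccess;
    };
}
```

In a provider the chain would run once per incoming request, ahead of the handler lookup, so a rejected command never reaches the handler at all.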