IPMI Firmware Firewall

Alexander Amelkin a.amelkin at yadro.com
Fri Apr 20 23:30:54 AEST 2018


19.04.2018 21:36, Vernon Mauery wrote:
> On 19-Apr-2018 03:52 PM, Alexander Amelkin wrote:
>> is "owned"/managed by a different entity than the hardware. E.g. in a
>> dedicated server hosting or similar scenarios. The owner of the hardware
>> may not want to allow the tenants to be able to perform destructive or
>> potentially destructive operations on the BMC. I can think of
>> prohibiting firmware updates (even with good firmwares), user
>> management, network configuration, SEL and PEF/PET manipulation, et al.
>
> The biggest trouble with it is that the configuration of it happens as
> the admin user, so if your untrusted user has admin privileges, they
> could potentially just change the firmware firewall.
Well, if an untrusted user has admin password, then you're doomed anyway
as they may come over LAN and ruing everything.

I thought that this Firewall was intended to block certain commands on
System Interface where no authentication is required.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20180420/c8573a9d/attachment.sig>


More information about the openbmc mailing list