BMC update via TFTP

Joseph Reynolds jrey at linux.ibm.com
Sat Dec 7 09:52:39 AEDT 2019


On 12/6/19 8:03 AM, Alexander Tereschenko wrote:
> On 05-Dec-19 23:37, Vernon Mauery wrote:
>> On 05-Dec-2019 12:05 PM, Alexander Tereschenko wrote:
>>> On 04-Dec-19 22:36, Vernon Mauery wrote:
>>>> Even if the BMC only accepts signed images, we want to make sure 
>>>> that the signed image the BMC fetches is the one that the 
>>>> administrator *wants* to be fetched. With tftp or http (or any 
>>>> insecure transport), one possible MiTM attack would be to 
>>>> substitute an alternate valid image. Let's say the admin wants to 
>>>> go from 1.18 to 1.20, but the attacker wants to go to 1.16, which 
>>>> has a known vulnerability. The image would be authenticated by the 
>>>> signature, and will be accepted.
...snip...
>> I am not convinced that it needs to be this elaborate. I don't see 
>> what it adds over the simple case of sending the key/hmac/uri 
>> encrypted with TLS to the BMC. There will be no replay attacks 
>> because TLS prevents it.
>> Maybe I am missing something?
>
> We may be talking about slightly different contexts indeed. I meant to 
> suggest something that doesn't require
>
...snip...

I was thinking along the lines of adding [SFTP][] (or SCP) support and 
then migrating existing TFTP users to the new secure solution.

That is, the BMC admin performing [code update][] can currently get a 
firmware image via POST DownloadViaTFTP to URI 
/xyz/openbmc_project/software.
My idea is to offer a DownloadViaSFTP method (or preferably a Redfish 
API) for this.  Note that the TFTP download is disabled by default per 
[bmcweb config][].

Once OpenBMC supports downloading firmware via SFTP, we can encourage 
our users to set up their SFTP servers and take down their TFTP 
servers.  I realize that sounds easy, but I don't have a feeling for how 
difficult that would be in practice.

Does that sound feasible?

- Joseph

[SFTP]: https://man.openbsd.org/sftp-server
[code update]: https://github.com/openbmc/docs/blob/master/code-update/code-update.md
[bmcweb config]: https://github.com/openbmc/bmcweb/blob/41d1d1833f476766f88cfb624e66eef7906bdf8c/CMakeLists.txt#L98

> regards,
> Alexander
>
>
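
The substitution discussed in this thread, as an added example that is not part of the original messages and is not OpenBMC code: a validly signed 1.16 image passes a signature-only check, but is rejected once the BMC also checks the key/hmac it received with the URI over TLS. The function names, sample images and URI are constructed, and the vendor signature is modelled with an HMAC under a constructed key as a stand-in for the real asymmetric signature check.

```python
import hashlib
import hmac
import os

# Assumption: stand-in for the vendor signing key. Real images carry an
# asymmetric signature; this HMAC only models "any genuine release verifies".
VENDOR_KEY = b"constructed-vendor-key"

# Constructed sample images: the release the admin wants, and an older
# genuine release that an attacker on the network path serves instead.
IMG_1_20 = b"bmc-firmware version=1.20 (constructed sample)"
IMG_1_16 = b"bmc-firmware version=1.16 (constructed sample)"


def vendor_sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def signature_ok(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(vendor_sign(image), sig)


def make_request(uri: str, image: bytes) -> dict:
    """Admin side: computed from the trusted image, sent to the BMC over TLS."""
    key = os.urandom(32)
    tag = hmac.new(key, image, hashlib.sha256).digest()
    return {"uri": uri, "key": key, "hmac": tag}


def bmc_accept(request: dict, fetched: bytes, sig: bytes, pin: bool = True):
    """BMC side: decide whether to install what the insecure fetch returned."""
    if not signature_ok(fetched, sig):
        return False, "bad signature"
    if pin:
        # Bind the fetched bytes to the admin's request, not just to the vendor.
        tag = hmac.new(request["key"], fetched, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, request["hmac"]):
            return False, "not the image the admin requested"
    return True, "accepted"


if __name__ == "__main__":
    req = make_request("tftp://fileserver.example/bmc-1.20.tar", IMG_1_20)
    old_sig = vendor_sign(IMG_1_16)
    print("signature only:", bmc_accept(req, IMG_1_16, old_sig, pin=False))
    print("with key/hmac: ", bmc_accept(req, IMG_1_16, old_sig))
    print("intended image:", bmc_accept(req, IMG_1_20, vendor_sign(IMG_1_20)))
```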


