BMC update via TFTP
Joseph Reynolds
jrey at linux.ibm.com
Tue Dec 10 12:25:02 AEDT 2019
On 12/9/19 10:06 AM, Alexander Tereschenko wrote:
> On 06-Dec-19 23:52, Joseph Reynolds wrote:
>> I was thinking along the lines of adding [SFTP][] (or SCP) support
>> and then migrating existing TFTP users to the new secure solution.
>>
>> That is, the BMC admin performing [code update][] can currently get a
>> firmware image via POST DownloadViaTFTP to URI
>> /xyz/openbmc_project/software.
>> My idea is to offer a DownloadViaSFTP method (or preferably a Redfish
>> API) for this. Note that the TFTP download is disabled by default
>> per [bmcweb config][].
>>
>> Once OpenBMC supports downloading firmware via SFTP, we can encourage
>> our users to set up their SFTP servers and take down their TFTP
>> servers. I realize that sounds easy, but I don't have a feeling how
>> difficult that would be in practice.
>>
>> Does that sound feasible?
>>
>> - Joseph
>>
>> [SFTP]: https://man.openbsd.org/sftp-server
>> [code update]:
>> https://github.com/openbmc/docs/blob/master/code-update/code-update.md
>> [bmcweb config]:
>> https://github.com/openbmc/bmcweb/blob/41d1d1833f476766f88cfb624e66eef7906bdf8c/CMakeLists.txt#L98
>
> Yes, that could be a solution for the problem we discuss, providing
> both integrity and confidentiality, without any major OpenBMC
> development necessary - but it would mean more operational burden for
> BMC admins. The problem with SCP/SFTP in this context is that for this
> to work in the same manner as TFTP, the BMC must be an SSH client -
> i.e. have some sort of identity/credentials for the SCP/SFTP server
> provisioned first. That might not be the easiest solution to set up,
> but it's of course possible and can be automated if OpenBMC provides
> respective config knobs.
>
> Existing ways we have in code-update.md either don't require
> credentials (TFTP), so being a client is easy, or are not making a
> "client" from BMC, it's the admin who uploads stuff (SCP/REST).
Yes, that's what I was thinking. (And no, I am not going to recommend
setting up an SCP or SFTP server that allows anonymous access.)
This highlights the need for OpenBMC to put together a guide to
provisioning your BMC. Such a guide would give us a place to talk
about uploading to the BMC SSH client certificates needed to access and
download the firmware images.
- Joseph
>
> regards,
> Alexander
>
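The two provisioning pieces the thread describes (a server-side SFTP account the BMC can authenticate to, and a BMC-side SSH client identity plus a pinned server host key) as a worked example. This is an added illustration, not OpenBMC code or anything from the code-update.md document; the account name bmc-fw, the repository path /srv/bmc-firmware, the host fw.example.internal and the file paths are placeholders chosen for the example, and it assumes OpenSSH sshd on the firmware server and an OpenSSH-compatible sftp client on the BMC, which the thread does not establish.

```shell
#!/bin/sh
# Added example, not OpenBMC project code. All names below are placeholders.
set -e

# Server side: a dedicated account that can only run the built-in SFTP
# subsystem, chrooted to the firmware repository, public-key auth only.
# $1 = directory to write the sshd_config fragment into (e.g. /etc/ssh/sshd_config.d)
# $2 = the BMC's SSH public key line (type, key, comment)
write_sftp_server_config() {
    outdir=$1
    bmc_pubkey=$2
    mkdir -p "$outdir"
    cat > "$outdir/bmc-firmware.conf" <<'EOF'
# Firmware repository account used by BMCs: read-only SFTP, nothing else.
Match User bmc-fw
    ChrootDirectory /srv/bmc-firmware
    ForceCommand internal-sftp -R
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
    # authorized_keys entry for the BMC's key: 'restrict' turns off port
    # forwarding, agent forwarding and pty allocation; the forced command
    # pins the session to read-only SFTP even if the Match block is lost.
    printf 'restrict,command="internal-sftp -R" %s\n' "$bmc_pubkey" \
        > "$outdir/bmc-fw.authorized_keys"
}

# BMC side, step 1: pin the server's host key. The admin must compare the
# fingerprint printed here against one obtained out of band before copying
# the known_hosts file onto the BMC; ssh-keyscan alone does not verify it.
# $1 = firmware server hostname, $2 = known_hosts file to create
pin_host_key() {
    server=$1
    known_hosts=$2
    ssh-keyscan -t ed25519 "$server" > "$known_hosts"
    ssh-keygen -lf "$known_hosts"
}

# BMC side, step 2: client options that make the download non-interactive
# and refuse any server whose key is not already in the pinned file.
# $1 = pinned known_hosts file on the BMC, $2 = BMC private key path
sftp_opts() {
    known_hosts=$1
    identity=$2
    printf '%s' "-o BatchMode=yes -o StrictHostKeyChecking=yes \
-o UserKnownHostsFile=$known_hosts -o IdentitiesOnly=yes -i $identity"
}

# BMC side, step 3: fetch one image from the chrooted repository.
# $1 = server, $2 = image file name, $3 = private key, $4 = known_hosts,
# $5 = local destination directory (paths without spaces assumed).
bmc_fetch() {
    server=$1
    image=$2
    identity=$3
    known_hosts=$4
    dest=$5
    # shellcheck disable=SC2046  # word splitting of the option list is intended
    sftp $(sftp_opts "$known_hosts" "$identity") "bmc-fw@$server:$image" "$dest"
}
```

On the server the generated fragment is dropped into sshd_config.d and the authorized_keys line into the bmc-fw account's ~/.ssh/authorized_keys; on the BMC, `pin_host_key fw.example.internal /etc/bmc-fw/known_hosts` is run once at provisioning time and `bmc_fetch fw.example.internal image.tar /etc/bmc-fw/id_ed25519 /etc/bmc-fw/known_hosts /tmp/images` performs each download. StrictHostKeyChecking=yes is what turns the SFTP transport into an integrity guarantee: without a pinned host key the client would accept whatever server answered, which is the same position TFTP leaves you in.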