BMC update via TFTP

Joseph Reynolds jrey at linux.ibm.com
Tue Dec 10 12:25:02 AEDT 2019


On 12/9/19 10:06 AM, Alexander Tereschenko wrote:
> On 06-Dec-19 23:52, Joseph Reynolds wrote:
>> I was thinking along the lines of adding [SFTP][] (or SCP) support 
>> and then migrating existing TFTP users to the new secure solution.
>>
>> That is, the BMC admin performing [code update][] can currently get a 
>> firmware image via POST DownloadViaTFTP to URI 
>> /xyz/openbmc_project/software.
>> My idea is to offer a DownloadViaSFTP method (or preferably a Redfish 
>> API) for this.  Note that the TFTP download is disabled by default 
>> per [bmcweb config][].
>>
>> Once OpenBMC supports downloading firmware via SFTP, we can encourage 
>> our users to set up their SFTP servers and take down their TFTP 
>> servers.  I realize that sounds easy, but I don't have a feeling how 
>> difficult that would be in practice.
>>
>> Does that sound feasible?
>>
>> - Joseph
>>
>> [SFTP]: https://man.openbsd.org/sftp-server
>> [code update]: 
>> https://github.com/openbmc/docs/blob/master/code-update/code-update.md
>> [bmcweb config]: 
>> https://github.com/openbmc/bmcweb/blob/41d1d1833f476766f88cfb624e66eef7906bdf8c/CMakeLists.txt#L98
>
> Yes, that could be a solution for the problem we discuss, providing 
> both integrity and confidentiality, without any major OpenBMC 
> development necessary - but it would mean more operational burden for 
> BMC admins. The problem with SCP/SFTP in this context is that for this 
> to work in the same manner as TFTP, the BMC must be an SSH client - 
> i.e. have some sort of identity/credentials for the SCP/SFTP server 
> provisioned first. That might not be the easiest solution to setup, 
> but it's of course possible and can be automated if OpenBMC provides 
> respective config knobs.
>
> Existing ways we have in code-update.md either don't require 
> credentials (TFTP), so being a client is easy, or are not making a 
> "client" from BMC, it's the admin who uploads stuff (SCP/REST).

Yes, that's what I was thinking.  (And no, I am not going to recommend 
setting up an SCP or SFTP server that allows anonymous access.)

This highlights the need for OpenBMC to put together a guide to 
provisioning your BMC.  Such a guide would give us a place to talk 
about uploading to the BMC the SSH client certificates needed to access 
and download the firmware images.

- Joseph

>
> regards,
> Alexander
>
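The exchange above leaves "identity/credentials for the SCP/SFTP server provisioned first" and "respective config knobs" abstract. The following is an added example, not OpenBMC code and not part of the thread, showing what those knobs reduce to on the client side: a private key held by the BMC (the client identity), a pinned copy of the server's host key (what gives the download integrity and server authenticity, which TFTP cannot), and the sftp(1) options that make the fetch non-interactive and strict. The configuration names, file paths, user name, host name, and the assumption that an OpenSSH `sftp` binary is present on the BMC are all assumptions made for illustration.

```python
"""Added example: BMC-side SFTP firmware fetch with a provisioned identity.

Assumptions (hypothetical, for illustration only):
  - the admin has provisioned a client private key at SftpConfig.identity_file
  - the admin has pinned the SFTP server's host key in SftpConfig.known_hosts
  - the OpenSSH sftp client is available on the BMC
"""
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Conservative syntax checks so a misconfigured knob fails early and loudly.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


@dataclass(frozen=True)
class SftpConfig:
    """The 'config knobs' an admin sets once during BMC provisioning (assumed names)."""
    user: str
    host: str
    port: int = 22
    identity_file: str = "/etc/bmc-provision/sftp_id_ed25519"   # assumed path
    known_hosts: str = "/etc/bmc-provision/sftp_known_hosts"     # assumed path


def build_sftp_command(cfg: SftpConfig, remote_path: str, local_path: str) -> List[str]:
    """Return the argv for a strict, non-interactive single-file sftp download.

    The list form (no shell) means no quoting surprises; the options make the
    client refuse unknown or changed host keys and refuse to prompt for anything.
    """
    if not _USER_RE.match(cfg.user):
        raise ValueError(f"invalid sftp user: {cfg.user!r}")
    if not _HOST_RE.match(cfg.host):
        raise ValueError(f"invalid sftp host: {cfg.host!r}")
    if not 1 <= cfg.port <= 65535:
        raise ValueError(f"invalid sftp port: {cfg.port}")
    # Policy choice for this example: only absolute, normalised remote paths.
    if (not remote_path.startswith("/")
            or ".." in remote_path.split("/")
            or any(ch.isspace() for ch in remote_path)):
        raise ValueError(f"refusing remote path: {remote_path!r}")

    return [
        "sftp",
        "-P", str(cfg.port),
        "-i", cfg.identity_file,                       # provisioned client identity
        "-o", "IdentitiesOnly=yes",                    # offer only that key
        "-o", "BatchMode=yes",                         # never prompt; fail instead
        "-o", "StrictHostKeyChecking=yes",             # server key must already be pinned
        "-o", f"UserKnownHostsFile={cfg.known_hosts}", # the pinned host key lives here
        f"{cfg.user}@{cfg.host}:{remote_path}",
        local_path,
    ]


def download_firmware(cfg: SftpConfig, remote_path: str, dest_dir: str = "/tmp/images") -> Path:
    """Fetch one image into dest_dir and return its local path; raise on any failure."""
    dest = Path(dest_dir) / Path(remote_path).name
    dest.parent.mkdir(parents=True, exist_ok=True)
    result = subprocess.run(build_sftp_command(cfg, remote_path, str(dest)),
                            capture_output=True, text=True)
    if result.returncode != 0:
        # A host-key mismatch or missing key shows up here rather than as a silent fallback.
        raise RuntimeError(f"sftp exited {result.returncode}: {result.stderr.strip()}")
    return dest


if __name__ == "__main__":
    # Constructed sample values; nothing is contacted when only the argv is built.
    cfg = SftpConfig(user="fwfetch", host="fw.example.internal")
    print(" ".join(build_sftp_command(cfg, "/images/obmc-image.tar", "/tmp/images/obmc-image.tar")))
```

The two files referenced by the config are exactly the provisioning artefacts a BMC provisioning guide would have to cover: the client key is what makes the BMC "an SSH client", and the pinned host key is what turns an SFTP download into an integrity-protected one rather than merely an encrypted one.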
