To restrict IPMI commands

P. K. Lee (李柏寬) P.K.Lee at quantatw.com
Sun Mar 17 00:04:53 AEDT 2019


Hi Vernon,

Thank you for providing a new filtering mechanism that looks very flexible, but I have a question.
I have tried the filter that allows filtering of commands by whitelistFilter, but the channel of request must be channelSystemIfac to check the contents of the whitelist.
What puzzles me is why channelSystemIfac is in the constraint? This constraint will cause the whitelist to fail when the user calls the IPMI command via the LAN.
If the user wants to use the whitelist via the LAN, is there a better way except for removing the channelSystemIfac restriction?
Do I need to create another whitelist filter for the LAN?

Regards,
PK

> On Feb 23, 2019, at 04:05, Vernon Mauery <vernon.mauery at linux.intel.com> wrote:
> 
> On 22-Feb-2019 03:03 AM, P. K. Lee (李柏寬) wrote:
>> Hi,
>> 
>> Does anyone know how to restrict the IPMI command execution via out-of-band?
>> 
>> I know that the IPMI commands via in-band can use the whitelist mechanism to restrict whether the commands can access the BMC, but I can't use this for the out-of-band.
>> 
>> If there is currently no restriction mechanism for the out-of-band, I will try to add the whitelist function for it just like the in-band.
> 
> There is a mechanism in the works for this already. It is a generic filter provider that allows filtering of commands based on any criteria. See https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-host-ipmid/+/13896 for the current implementation.
> 
> --Vernon


