To restrict IPMI commands

Brad Bishop bradleyb at fuzziesquirrel.com
Thu Mar 28 01:33:44 AEDT 2019 

On Mon, Mar 18, 2019 at 11:31:08AM -0700, Vernon Mauery wrote:
>On 16-Mar-2019 01:04 PM, P. K. Lee (李柏寬) wrote:
>>Hi Vernon,
>>
>>Thank you for providing a new filtering mechanism that looks very flexible, but I have a question.
>>I have tried the filter that allows filtering of commands by whitelistFilter, but the channel of request must be channelSystemIfac to check the contents of the whitelist.
>>What puzzles me is why channelSystemIfac is in the constraint? This constraint will cause the whitelist to fail when the user calls the IPMI command via the LAN.
>>If the user wants to use the whitelist vis the LAN, is there a better way except for removing the channelSystemIfac restriction?
>>Do I need to create another whitelist filter for the LAN?
>
>The whitelist filter I implemented was just one to replace the 
>original filter that was there before the architecture changes. The 
>restriction about the incoming interface is something that was already 
>there and somebody at IBM might be a better resource for the 'why' 
>question.

We implemented this at the request of a bare metal hosting provider.
Their setup consisted of a trusted (by the provider) management LAN
connected to all the BMCs, and untrusted host firmware.

While the system was being provisioned, they needed unrestricted access
to the BMC, from the host over the unauthenticated in-band channels.
Once the system was provisioned and turned over to the customer, the
provider only wanted to allow whitelisted commands to flow over those
channels as the host firmware/os is not trusted at that point.  The
provider still wanted unrestricted access via the authenticated channels
on their management network connected to the bmcs.

>At some point, I would like to make it an optional part of the build
>because it may not be something that everyone needs. But it is a good
>starting place for how to write a filter.
>
>You can feel free to write a new filter as part of a 'provider' library
>just like you write ipmi command handlers and register them, you can
>write a filter and register it.

Could it be as simple as a configure option that switches between the
two behaviors?  Or maybe the configure option selects the channels to
apply the filtering to?

>
>--Vernon

More information about the openbmc mailing list