To restrict IPMI commands
P. K. Lee (李柏寬)
P.K.Lee at quantatw.com
Fri Mar 29 01:33:25 AEDT 2019
> On Mar 27, 2019, at 22:39, Brad Bishop <bradleyb at fuzziesquirrel.com> wrote:
>
> On Sat, Mar 16, 2019 at 01:04:53PM +0000, P. K. Lee (李柏寬) wrote:
>> Hi Vernon,
>>
>> Thank you for providing a new filtering mechanism that looks very
>> flexible, but I have a question. I have tried the filter that allows
>> filtering of commands by whitelistFilter, but the channel of request
>> must be channelSystemIfac to check the contents of the whitelist. What
>> puzzles me is why channelSystemIfac is in the constraint? This
>> constraint will cause the whitelist to fail when the user calls the
>> IPMI command via the LAN. If the user wants to use the whitelist via
>> the LAN,
>
> Hi P.K.
>
> If I understand correctly, you want to have a system that operates in
> one of two modes - restricted or un-restricted. When the system is in
> restricted mode, only whitelisted commands will be processed from _any_
> channel. Do I understand correctly?
Yes, we need to use the whitelist mechanism to restrict IPMI commands
from any channel.
> How do you restore the system to unrestricted mode? Some side-band (non
> IPMI) mechanism?
For us, the REST API can be used to change the restriction mode as well.
> If you are able to share, I'm curious to know more about the usage
> pattern driving the need for this.
I thought that the configuration format could be changed to
<NetFn>:<Command>:<Channel> to apply the whitelist to multiple channels,
where <Channel> uses 2 bytes to map the channels as a bit array.
For example:
0x06:0x01:0xFFFE // 0xFFFE uses 2 bytes to represent channels 1~15
However, to stay compatible with the current design, the <NetFn>:<Command> form still only uses the system interface.
Best,
P.K.
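The proposed <NetFn>:<Command>:<Channel> format, worked through as an added example (this is illustration code written for this page, not P.K.'s patch and not OpenBMC's ipmid whitelist filter). It assumes channel 0 is the system interface and channels 1..15 are the other IPMI channels, so a 16-bit mask covers every channel; a two-field <NetFn>:<Command> line keeps today's meaning of "system interface only". The helper names (parseEntry, loadWhitelist, isAllowed) and the sample whitelist text are constructed for the example. Malformed lines are dropped so that a bad entry never widens what is allowed.

```cpp
#include <cstdint>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Assumed channel numbering: 0 = system interface, 1..15 = other channels
// (LAN etc.), so a 16-bit mask has one bit per channel.
constexpr int kMaxChannel = 15;
constexpr uint16_t kSystemInterfaceMask = 0x0001;

struct WhitelistEntry
{
    uint8_t netFn;
    uint8_t cmd;
    uint16_t channelMask; // bit n set => command allowed on channel n
};

static std::string trim(const std::string& s)
{
    const char* ws = " \t\r\n";
    auto b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    auto e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Parse a hex token such as "0x06"; reject trailing junk and values above max.
static std::optional<unsigned long> parseHex(const std::string& tok, unsigned long max)
{
    std::string t = trim(tok);
    if (t.empty()) return std::nullopt;
    try
    {
        size_t pos = 0;
        unsigned long v = std::stoul(t, &pos, 16);
        if (pos != t.size() || v > max) return std::nullopt;
        return v;
    }
    catch (const std::exception&)
    {
        return std::nullopt;
    }
}

// Parse one whitelist line. "<NetFn>:<Command>" means system interface only
// (current behaviour); "<NetFn>:<Command>:<Channel>" carries a 16-bit channel
// bitmask. Text after "//" is a comment. Blank, comment-only and malformed
// lines yield nullopt.
std::optional<WhitelistEntry> parseEntry(const std::string& line)
{
    std::string s = line;
    auto c = s.find("//");
    if (c != std::string::npos) s.erase(c);
    s = trim(s);
    if (s.empty() || s.back() == ':') return std::nullopt;

    std::vector<std::string> fields;
    std::stringstream ss(s);
    std::string f;
    while (std::getline(ss, f, ':')) fields.push_back(f);
    if (fields.size() != 2 && fields.size() != 3) return std::nullopt;

    auto netFn = parseHex(fields[0], 0x3F); // NetFn is a 6-bit field
    auto cmd = parseHex(fields[1], 0xFF);
    if (!netFn || !cmd) return std::nullopt;

    uint16_t mask = kSystemInterfaceMask;
    if (fields.size() == 3)
    {
        auto m = parseHex(fields[2], 0xFFFF);
        if (!m) return std::nullopt;
        mask = static_cast<uint16_t>(*m);
    }
    return WhitelistEntry{static_cast<uint8_t>(*netFn), static_cast<uint8_t>(*cmd), mask};
}

// Load a whole whitelist body. Malformed lines are skipped, so they grant nothing.
std::vector<WhitelistEntry> loadWhitelist(const std::string& text)
{
    std::vector<WhitelistEntry> out;
    std::stringstream ss(text);
    std::string line;
    while (std::getline(ss, line))
        if (auto e = parseEntry(line)) out.push_back(*e);
    return out;
}

// The check a restricted-mode filter would make: allow the request only if some
// entry matches NetFn and command and has the requesting channel's bit set.
bool isAllowed(const std::vector<WhitelistEntry>& wl, uint8_t netFn, uint8_t cmd, int channel)
{
    if (channel < 0 || channel > kMaxChannel) return false;
    for (const auto& e : wl)
        if (e.netFn == netFn && e.cmd == cmd && (e.channelMask & (1u << channel)))
            return true;
    return false;
}

// Constructed sample whitelist for the example (not a real OpenBMC file).
const std::string kSampleWhitelist =
    "0x06:0x01:0xFFFE // Get Device ID on channels 1..15, not the system interface\n"
    "0x06:0x01        // two-field form: Get Device ID on the system interface only\n"
    "0x04:0x2D        // Get Sensor Reading, system interface only\n"
    "garbage line     // malformed, skipped\n";

int main()
{
    auto wl = loadWhitelist(kSampleWhitelist);
    std::cout << "entries loaded: " << wl.size() << "\n";
    std::cout << "Get Device ID on LAN (ch 1): " << isAllowed(wl, 0x06, 0x01, 1) << "\n";
    std::cout << "Get Sensor Reading on LAN (ch 1): " << isAllowed(wl, 0x04, 0x2D, 1) << "\n";
    std::cout << "Get Sensor Reading on system interface (ch 0): " << isAllowed(wl, 0x04, 0x2D, 0) << "\n";
    return 0;
}
```

The mask is validated to 16 bits and the channel index to 0..15 before the bit test, so an out-of-range channel or an oversized mask can never match an entry by accident.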