Resend : Enable/disable access to BMC through interfaces for security

Joseph Reynolds jrey at linux.ibm.com
Sat Nov 2 03:55:09 AEDT 2019


On 11/1/19 9:40 AM, Jandra A wrote:
> I am resending this message to whoever has thoughts on which BMC
> interfaces need to be disabled for security purposes and what the best
> way to do that would be. I would love to collaborate with all parties
> interested.

Thanks Jandra.  I've added this to the OpenBMC Security Working Group 
agenda.
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI

> ------- begin message:
>
> Hello all,
>
> As part of the GUI design team, I am starting to look at requirements
> for enabling and disabling network interfaces through which the BMC can be
> accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
> few.
>
> I know there has been some conversation on the topic before (see email
> linked below) and want to reach out to see who is interested in this
> topic. And I would love to get your thoughts on the following topics.
>
> Some questions we want to tackle are:
> 1. Which interfaces need to be enabled/disabled and what is their
> priority? (See full list in the redfish documentation)
> 2. What should be the default for the selected above (enabled/disabled)?
> 3. Do we need a staged plan for it?
> 4. When can we expect backend availability?

I am interested in the list of the BMC's external interfaces from a 
security perspective.  The [network security considerations][] talks 
about many of the network interfaces.  We should encourage users to 
disable interfaces they don't need and are not using.  Having such 
interfaces active opens up the BMC's attack surface and represents 
security risks.  For example, newly discovered security vulnerabilities 
might place BMCs at risk, and shutting off the interface will likely 
make the BMC safe.

The BMC also has physical interfaces which users may wish to disable 
(for the same reasons as above).  The BMC's network interface and 
USB ports are examples.  Some users may wish to disable the BMC's access 
to the network and control it solely via its host. However, I am not an 
expert in this area, so I need help here.  TODO: Get one of the kernel 
hackers to go over this list.  I understand because OpenBMC is used on 
different hardware models (such as AST2500's hosted in the AC922 
"Witherspoon"), it will have different interfaces present.  I think the 
folks who work with the machines, and who bind device drivers can help 
us if we know what questions to ask them (better questions than: what 
interfaces does the BMC have)?  <-- Once again, I am no expert here, so 
we need to work together to understand this.

Here's my starter kit of BMC's external interfaces:
network:
  - SSH to the BMC shell (port 22)
  - HTTP (for either [BMCWEB_INSECURE_DISABLE_SSL][] users or the 
nascent [HTTP redirect design][])
  - HTTPS
  - (network, aka out of band) IPMI
  - KVMIP
  - Virtual media
  - SoL (SSH via port 2200) to the host console
  - mDNS discovery
  - Avahi discovery service
  - virtual USB (USB-over-IP)
physical:
  - network
  - USB
  - more? Help needed: would anyone want to give the BMC admin control 
to shut down pathways between the BMC and host?

There will be more interfaces as the project goes forward.  For example, 
the OpenPOWER work is proposing a communication channel between a 
Hardware Management Console (HMC) and the host's hypervisor (PHYP) which 
would use the BMC to set up the channel. Users who don't need this 
capability might want to have a way to disable it (I don't know) so they 
can avoid giving unnecessary network access to their hypervisor.  The 
point is, I think tending this list will be ongoing work.

The short list of interfaces I personally care about includes:
   SSH, IPMI, Avahi, and USB (physical and USB-over-IP)

I hope this partially addresses item 1 above.  :)

- Joseph

References:
[network security considerations]: 
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
[BMCWEB_INSECURE_DISABLE_SSL]: 
https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
[HTTP redirect design]: 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173

>
> Redfish documentation:
> https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
>
> Related email discussion (on staged plans to address IPMI access):
> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html
>
>
>
> Regards,
> Jandra Aranguren
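
An added example, not part of the original thread and not OpenBMC code: a check that reads a resource shaped like the Redfish ManagerNetworkProtocol schema linked above and reports protocols that are enabled but not wanted, then builds the PATCH body that would disable them. The sample resource, the `ALLOWED` policy and the function names are assumptions made for illustration; whether a given BMC accepts the PATCH depends on its backend support.

```python
import json

# Constructed sample shaped like a Redfish ManagerNetworkProtocol resource.
# Host name, ports and enabled states are made up for illustration.
SAMPLE = json.loads("""
{
  "@odata.type": "#ManagerNetworkProtocol.v1_4_0.ManagerNetworkProtocol",
  "Id": "NetworkProtocol",
  "HostName": "bmc-example",
  "HTTP":         {"ProtocolEnabled": true,  "Port": 80},
  "HTTPS":        {"ProtocolEnabled": true,  "Port": 443},
  "SSH":          {"ProtocolEnabled": true,  "Port": 22},
  "IPMI":         {"ProtocolEnabled": true,  "Port": 623},
  "KVMIP":        {"ProtocolEnabled": false, "Port": 5900},
  "VirtualMedia": {"ProtocolEnabled": false, "Port": null},
  "SSDP":         {"ProtocolEnabled": false}
}
""")

# Assumption: a site policy that only wants HTTPS reachable.
ALLOWED = {"HTTPS"}


def enabled_outside_policy(resource, allowed):
    """Return sorted (protocol, port) pairs that are enabled but not allowed."""
    findings = []
    for name, value in resource.items():
        # Protocol entries are objects carrying ProtocolEnabled;
        # this skips scalar properties such as Id and HostName.
        if not isinstance(value, dict) or "ProtocolEnabled" not in value:
            continue
        if value["ProtocolEnabled"] is True and name not in allowed:
            findings.append((name, value.get("Port")))
    return sorted(findings, key=lambda f: f[0])


def disable_patch(findings):
    """Build the JSON body of a PATCH that turns each finding off."""
    return {name: {"ProtocolEnabled": False} for name, _port in findings}


if __name__ == "__main__":
    found = enabled_outside_policy(SAMPLE, ALLOWED)
    for name, port in found:
        print(f"{name} enabled on port {port}, not in policy")
    print(json.dumps(disable_patch(found), indent=2))
```

Interfaces from the list in this message that the schema has no property for, such as Avahi discovery or the physical USB ports, are outside what this check can see.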


