Resend : Enable/disable access to BMC through interfaces for security
Joseph Reynolds
jrey at linux.ibm.com
Sat Nov 2 03:55:09 AEDT 2019
On 11/1/19 9:40 AM, Jandra A wrote:
> I am resending this message to who has thoughts on which BMC
> interfaces need to be disabled for security purposes and what the best
> way to do that would be. I would love to collaborate with all parties
> interested.
Thanks Jandra. I've added this to the OpenBMC Security Working Group
agenda.
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
> ------- begin message:
>
> Hello all,
>
> As part of the GUI design team, I am starting to look at requirements
> for enabling and disabling network interfaces for which the BMC can be
> accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
> few.
>
> I know there has been some conversation on the topic before (see email
> linked below) and want to reach out to see who is interested in this
> topic. And I would love to get your thoughts on the following topics.
>
> Some questions we want to tackle are:
> 1. Which interfaces need to be enabled/disabled and what is their
> priority? (See full list in the redfish documentation)
> 2. What should be the default for the selected above (enabled/disabled)?
> 3. Do we need a staged plan for it?
> 4. When can we expect backend availability?
I am interested in the list of the BMC's external interfaces from a
security perspective. The [network security considerations][] talks
about many of the network interfaces. We should encourage users to
disable interfaces they don't need and are not using. Having such
interfaces active opens up the BMC's attack surface and represents
security risks. For example, newly discovered security vulnerabilities
might place BMCs at risk, and shutting off the interface will likely
make the BMC safe.
The BMC also has physical interfaces which users may wish to disable
(for the same reasons as above). The BMC's network interface and and
USB ports are examples. Some users may wish to disable the BMC's access
to the network and control it solely via its host. However, I am not an
exert in this area, so I need help here. TODO: Get one of the kernel
hackers to go over this list. I understand because OpenBMC is used on
different hardware models (such as AST2500's hosted in the AC922
"Witherspoon"), it will have different interfaces present. I think the
folks who wirj with the machines, and who bind device drivers can help
us if we know what questions to ask them (better questions than: what
interfaces does the BMC have)? <-- Once again, I am no expert here, so
we need to work together to understand this.
Here's my starter kit of BMC's external interfaces:
network:
- SSH to the BMC shell (port 22)
- HTTP (for either [BMCWEB_INSECURE_DISABLE_SSL][] users or the
nascent [HTTP redirect design][])
- HTTPS
- (network, aka out of band) IPMI
- KVMIP
- Virtual media
- SoL (SSH via port 2200) to the host console
- mDNS discovery
- Avahi discovery service
- virtual USB (USB-over-IP)
physical:
- network
- USB
- more? Help needed: would anyone want to give the BMC admin control
to shut down pathways between the BMC and host?
There will be more interfaces as the project goes forward. For example,
the OpenPOWER work is proposing a communication channel between a
Hardware Management Console (HMC) and the host's hypervisor (PHYP) which
would use the BMC to set up the channel. Users who don't need this a
capability might want to have a way to disable it (I don't know) so they
can avoid giving unnecessary network access to their hypervisor. The
point is, I think tending this list will be ongoing work.
The short list of interfaces I personally care about includes:
SSH, IPMI, Avahi, and USB (physical and USB-over-IP)
I hope this partially addresses item 1 above. :)
- Joseph
References:
[network security considerations]:
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
[BMCWEB_INSECURE_DISABLE_SSL]:
https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
[HTTP redirect design]:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173
>
> Redfish documentation:
> https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
>
> Related email discussion (on staged plans to address IPMI access):
> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html
>
>
>
> Regards,
> Jandra Aranguren
More information about the openbmc
mailing list