Resend : Enable/disable access to BMC through interfaces for security

Justin Thaler thalerj at linux.vnet.ibm.com
Sat Nov 2 04:45:28 AEDT 2019 

Hi Jandra, I'm interested in the subject blow. Joseph, I've added a few 
more options to your list as well.

 > On 11/1/19 11:55 AM, Joseph Reynolds wrote:
> On 11/1/19 9:40 AM, Jandra A wrote:
>> I am resending this message to who has thoughts on which BMC
>> interfaces need to be disabled for security purposes and what the best
>> way to do that would be. I would love to collaborate with all parties
>> interested.
> 
> Thanks Jandra.  I've added this to the OpenBMC Security Working Group 
> agenda.
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 
> 
> 
>> ------- begin message:
>>
>> Hello all,
>>
>> As part of the GUI design team, I am starting to look at requirements
>> for enabling and disabling network interfaces for which the BMC can be
>> accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
>> few.
>>
>> I know there has been some conversation on the topic before (see email
>> linked below) and want to reach out to see who is interested in this
>> topic. And I would love to get your thoughts on the following topics.
>>
>> Some questions we want to tackle are:
>> 1. Which interfaces need to be enabled/disabled and what is their
>> priority? (See full list in the redfish documentation)
>> 2. What should be the default for the selected above (enabled/disabled)?
>> 3. Do we need a staged plan for it?
>> 4. When can we expect backend availability?
> 
> I am interested in the list of the BMC's external interfaces from a 
> security perspective.  The [network security considerations][] talks 
> about many of the network interfaces.  We should encourage users to 
> disable interfaces they don't need and are not using.  Having such 
> interfaces active opens up the BMC's attack surface and represents 
> security risks.  For example, newly discovered security vulnerabilities 
> might place BMCs at risk, and shutting off the interface will likely 
> make the BMC safe.
> 
> The BMC also has physical interfaces which users may wish to disable 
> (for the same reasons as above).  The BMC's network interface and and 
> USB ports are examples.  Some users may wish to disable the BMC's access 
> to the network and control it solely via its host. However, I am not an 
> exert in this area, so I need help here.  TODO: Get one of the kernel 
> hackers to go over this list.  I understand because OpenBMC is used on 
> different hardware models (such as AST2500's hosted in the AC922 
> "Witherspoon"), it will have different interfaces present.  I think the 
> folks who wirj with the machines, and who bind device drivers can help 
> us if we know what questions to ask them (better questions than: what 
> interfaces does the BMC have)?  <-- Once again, I am no expert here, so 
> we need to work together to understand this.
> 
> Here's my starter kit of BMC's external interfaces:
> network:
>   - SSH to the BMC shell (port 22)
>   - HTTP (for either [BMCWEB_INSECURE_DISABLE_SSL][] users or the 
> nascent [HTTP redirect design][])
>   - HTTPS
     - Secure Websockets
>   - (network, aka out of band) IPMI
     - Extend REST APIs
     - Redfish
>   - KVMIP
>   - Virtual media
>   - SoL (SSH via port 2200) to the host console
>   - mDNS discovery
>   - Avahi discovery service
>   - virtual USB (USB-over-IP)
> physical:
>   - network
     - USB External
     - USB to Host
>   - more? Help needed: would anyone want to give the BMC admin control 
> to shut down pathways between the BMC and host?
> 
> There will be more interfaces as the project goes forward.  For example, 
> the OpenPOWER work is proposing a communication channel between a 
> Hardware Management Console (HMC) and the host's hypervisor (PHYP) which 
> would use the BMC to set up the channel. Users who don't need this a 
> capability might want to have a way to disable it (I don't know) so they 
> can avoid giving unnecessary network access to their hypervisor.  The 
> point is, I think tending this list will be ongoing work.
> 
> The short list of interfaces I personally care about includes:
>    SSH, IPMI, Avahi, and USB (physical and USB-over-IP)
> 
> I hope this partially addresses item 1 above.  :)
> 
> - Joseph
> 
> References:
> [network security considerations]: 
> https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md 
> 
> [BMCWEB_INSECURE_DISABLE_SSL]: 
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
> [HTTP redirect design]: 
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173
> 
>>
>> Redfish documentation:
>> https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
>>
>> Related email discussion (on staged plans to address IPMI access):
>> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html
>>
>>
>>
>> Regards,
>> Jandra Aranguren
>

More information about the openbmc mailing list