Resend : Enable/disable access to BMC through interfaces for security
Justin Thaler
thalerj at linux.vnet.ibm.com
Sat Nov 2 04:45:28 AEDT 2019
Hi Jandra, I'm interested in the subject below. Joseph, I've added a few
more options to your list as well.
> On 11/1/19 11:55 AM, Joseph Reynolds wrote:
> On 11/1/19 9:40 AM, Jandra A wrote:
>> I am resending this message to whoever has thoughts on which BMC
>> interfaces need to be disabled for security purposes and what the best
>> way to do that would be. I would love to collaborate with all parties
>> interested.
>
> Thanks Jandra. I've added this to the OpenBMC Security Working Group
> agenda.
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
>
>
>> ------- begin message:
>>
>> Hello all,
>>
>> As part of the GUI design team, I am starting to look at requirements
>> for enabling and disabling network interfaces for which the BMC can be
>> accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
>> few.
>>
>> I know there has been some conversation on the topic before (see email
>> linked below) and want to reach out to see who is interested in this
>> topic. And I would love to get your thoughts on the following topics.
>>
>> Some questions we want to tackle are:
>> 1. Which interfaces need to be enabled/disabled and what is their
>> priority? (See full list in the redfish documentation)
>> 2. What should be the default for the selected above (enabled/disabled)?
>> 3. Do we need a staged plan for it?
>> 4. When can we expect backend availability?
>
> I am interested in the list of the BMC's external interfaces from a
> security perspective. The [network security considerations][] talks
> about many of the network interfaces. We should encourage users to
> disable interfaces they don't need and are not using. Having such
> interfaces active opens up the BMC's attack surface and represents
> security risks. For example, newly discovered security vulnerabilities
> might place BMCs at risk, and shutting off the interface will likely
> make the BMC safe.
>
> The BMC also has physical interfaces which users may wish to disable
> (for the same reasons as above). The BMC's network interface and
> USB ports are examples. Some users may wish to disable the BMC's access
> to the network and control it solely via its host. However, I am not an
> expert in this area, so I need help here. TODO: Get one of the kernel
> hackers to go over this list. I understand because OpenBMC is used on
> different hardware models (such as AST2500's hosted in the AC922
> "Witherspoon"), it will have different interfaces present. I think the
> folks who work with the machines, and who bind device drivers can help
> us if we know what questions to ask them (better questions than: what
> interfaces does the BMC have)? <-- Once again, I am no expert here, so
> we need to work together to understand this.
>
> Here's my starter kit of BMC's external interfaces:
> network:
> - SSH to the BMC shell (port 22)
> - HTTP (for either [BMCWEB_INSECURE_DISABLE_SSL][] users or the
> nascent [HTTP redirect design][])
> - HTTPS
- Secure Websockets
> - (network, aka out of band) IPMI
- Extend REST APIs
- Redfish
> - KVMIP
> - Virtual media
> - SoL (SSH via port 2200) to the host console
> - mDNS discovery
> - Avahi discovery service
> - virtual USB (USB-over-IP)
> physical:
> - network
- USB External
- USB to Host
> - more? Help needed: would anyone want to give the BMC admin control
> to shut down pathways between the BMC and host?
>
> There will be more interfaces as the project goes forward. For example,
> the OpenPOWER work is proposing a communication channel between a
> Hardware Management Console (HMC) and the host's hypervisor (PHYP) which
> would use the BMC to set up the channel. Users who don't need this
> capability might want to have a way to disable it (I don't know) so they
> can avoid giving unnecessary network access to their hypervisor. The
> point is, I think tending this list will be ongoing work.
>
> The short list of interfaces I personally care about includes:
> SSH, IPMI, Avahi, and USB (physical and USB-over-IP)
>
> I hope this partially addresses item 1 above. :)
>
> - Joseph
>
> References:
> [network security considerations]:
> https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
>
> [BMCWEB_INSECURE_DISABLE_SSL]:
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
> [HTTP redirect design]:
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173
>
>>
>> Redfish documentation:
>> https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
>>
>> Related email discussion (on staged plans to address IPMI access):
>> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html
>>
>>
>>
>> Regards,
>> Jandra Aranguren
>
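
An added example (not part of the original thread, and not OpenBMC code): auditing a Redfish ManagerNetworkProtocol resource, the schema linked in the message above, against the protocols a site actually needs. The resource document and the `NEEDED` policy are constructed for illustration; whether a given BMC accepts the resulting PATCH body is implementation-specific.

```python
import json

# Constructed sample of a Redfish ManagerNetworkProtocol resource (not from a real BMC).
SAMPLE = json.loads("""
{
  "@odata.type": "#ManagerNetworkProtocol.v1_4_0.ManagerNetworkProtocol",
  "Id": "NetworkProtocol",
  "HTTP":  {"ProtocolEnabled": false, "Port": 80},
  "HTTPS": {"ProtocolEnabled": true,  "Port": 443},
  "SSH":   {"ProtocolEnabled": true,  "Port": 22},
  "IPMI":  {"ProtocolEnabled": true,  "Port": 623},
  "KVMIP": {"ProtocolEnabled": false, "Port": null},
  "VirtualMedia": {"ProtocolEnabled": true},
  "NTP": {"ProtocolEnabled": true, "NTPServers": ["ntp.example.com"]}
}
""")

# Hypothetical site policy: the only protocols this deployment needs.
NEEDED = {"HTTPS", "NTP"}

def protocol_states(resource):
    """Map protocol name -> (enabled, port) for every member carrying ProtocolEnabled."""
    states = {}
    for name, value in resource.items():
        if isinstance(value, dict) and "ProtocolEnabled" in value:
            states[name] = (bool(value["ProtocolEnabled"]), value.get("Port"))
    return states

def audit(resource, needed):
    """Return (to_disable, missing): enabled-but-unneeded, and needed-but-off or absent."""
    states = protocol_states(resource)
    to_disable = sorted(n for n, (on, _) in states.items() if on and n not in needed)
    missing = sorted(n for n in needed if not states.get(n, (False, None))[0])
    return to_disable, missing

def disable_patch(to_disable):
    """Build a PATCH body that turns off each unneeded protocol."""
    return {name: {"ProtocolEnabled": False} for name in to_disable}

if __name__ == "__main__":
    extra, missing = audit(SAMPLE, NEEDED)
    for name in extra:
        print(f"enabled but not needed: {name} (port {protocol_states(SAMPLE)[name][1]})")
    print("needed but not enabled:", missing)
    print("PATCH body:", json.dumps(disable_patch(extra)))
```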