Expired password + disabled power button design

Ed Tanous ed.tanous at intel.com
Fri Sep 6 07:02:07 AEST 2019 

On 9/5/19 1:19 PM, Joseph Reynolds wrote:
> HOWEVER, there is a hole in this design which extends the time window
> indefinitely.  The scenario begins when the installer takes possession
> of a new system (BMC + host) and plugs it into power.  At this point,
> the BMC starts running and offering its services to network users. 
> The host remains powered off.  The installer then disregards the BMC
> and uses the power button to boot the host system, then continues to
> disregard the BMC when provisioning the host, either using physical
> access to the host (not via the BMC), or a pre-configured host.  This
> results in a fully-functional host and a BMC which still has its
> default password.
> THEREFORE, I am proposing a new "disabled power button" image
> feature.  Normally, pressing the power button tells the BMC to power
> on and boot the host.  With this design, if the BMC still has its
> default expired password, it will ignore a power button press, and
> will instead indicate to the operator to configure the BMC's password,
> and try again.  Options for the BMC to indicate this are
> machine-specific and include: messages to an operator panel, or LED
> blink codes.  The recovery procedure is for the installer to access
> the BMC, change its password, and try again to power on the server.
>

This goes completely against one of the principals that some commercial
products hold dear:  The BMC should NEVER be able to brick the host.

In a perfect world, the BMC would never crash, get loaded with bad
firmware or brick itself.  In practice, this is far from the case.  In
general the primary avenue used to resolve these cases is a force
firmware update jumper, and a download of a new (fixed) firmware via KCS
or block transfer.  For that flow to function, the power button needs to
work, and the host needs to boot, otherwise the board is considered
bricked, and needs to be returned to the factory to be reflashed.

With all of the above said, if it's an option that can be disabled (and
hopefully disabled by default) I have no objection to it, but I don't
think it's an acceptable solution for most of the BMCs out on the market
today.


Another option for your scenario would also be to default the BMC to a
static IP of 0.0.0.0, and disable the NIC(s) by default.  To set up the
network, a user would need to log into the BMC the first time over an
in-band channel, set their password, then set up either a valid static
IP, or DHCP.  This is how some of the more security conscious BMCs I
know of get around this problem today.

More information about the openbmc mailing list