Staging plans to remove network IPMI support?

Joseph Reynolds jrey at linux.ibm.com
Thu Sep 19 07:29:52 AEST 2019


The OpenBMC security working group discussed a desire to remove 
out-of-band network IPMI support from the OpenBMC firmware stack, here: 
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018319.html

This would affect out-of-band (network IPMI) only, in repository 
https://github.com/openbmc/phosphor-net-ipmid. The host IPMI support is 
a separate topic.

The *main idea* is a staging plan to remove network IPMI support over a 
period of years, like in this progression:

1. Tell everyone the plans at each stage below. For example: emails to
   the group, mention in the release notes, update
   https://github.com/openbmc/phosphor-net-ipmid/blob/master/README.md and
   the ipmitool repo.
2. Implement the Redfish ManagerNetworkProtocol - defined in the DMTF
   Redfish Resource and Schema Guide DSP2046
   https://www.dmtf.org/dsp/DSP2046. This gives the BMC admin an interface
   to disable out-of-band network IPMI. That means stopping the IPMI
   network service and closing its port.
3. Change the IPMI ManagerNetworkProtocol setting to be disabled by
   default. After this, BMC admins have to take an explicit action to
   enable IPMI access. By this point it should be possible to learn how
   to migrate from IPMI to Redfish APIs.
4. Remove IPMI from the default OpenBMC configuration. This means network
   IPMI is not built into the BMC firmware image. After this, projects
   who want to use network IPMI will have to explicitly add it to their
   image. This will hopefully be a wake-up call to anyone who is still
   using network IPMI.
5. Remove all references to network IPMI from OpenBMC.

Discussion?

- Joseph

