Staging plans to remove network IPMI support?
Joseph Reynolds
jrey at linux.ibm.com
Thu Sep 19 07:29:52 AEST 2019
The OpenBMC security working group discussed a desire to remove
out-of-band network IPMI support from the OpenBMC firmware stack, here:
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018319.html
This would affect out-of-band (network IPMI) only, in repository
https://github.com/openbmc/phosphor-net-ipmid. The host IPMI support is
a separate topic.
The *main idea* is a staging plan to remove network IPMI support over a
period of years, like in this progression:
1. Tell everyone the plans at each stage below. For example: emails to the group, mention in the release notes, update https://github.com/openbmc/phosphor-net-ipmid/blob/master/README.md and the ipmitool repo.
2. Implement the Redfish ManagerNetworkProtocol - defined in the DMTF Redfish Resource and Schema Guide DSP2046 https://www.dmtf.org/dsp/DSP2046. This gives the BMC admin an interface to disable out-of-band network IPMI. That means stopping the IPMI network service and closing its port.
3. Change the IPMI ManagerNetworkProtocol setting to be disabled by default. After this, BMC admins have to take an explicit action to enable IPMI access. By this point it should be possible to learn how to migrate from IPMI to Redfish APIs.
4. Remove IPMI from the default OpenBMC configuration. This means network IPMI is not built into the BMC firmware image. After this, projects who want to use network IPMI will have to explicitly add it to their image. This will hopefully be a wake-up call to anyone who is still using network IPMI.
5. Remove all references to network IPMI from OpenBMC.

Discussion?

- Joseph
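
The admin interface in step 2 is the `IPMI` object (`ProtocolEnabled`, `Port`) of the Redfish ManagerNetworkProtocol resource. The following Python is an added example, not part of the original message or of OpenBMC: it audits ManagerNetworkProtocol documents for network IPMI and builds the minimal PATCH body that disables it. The BMC names, the resource path and the sample documents are constructed assumptions.

```python
import json

# Constructed sample ManagerNetworkProtocol documents (not captured from real BMCs).
# The resource path and BMC names are assumptions made for this example.
FLEET = {
    "bmc-a": json.loads('{"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol",'
                        ' "HTTPS": {"Port": 443, "ProtocolEnabled": true},'
                        ' "IPMI": {"Port": 623, "ProtocolEnabled": true}}'),
    "bmc-b": json.loads('{"HTTPS": {"Port": 443, "ProtocolEnabled": true},'
                        ' "IPMI": {"Port": 623, "ProtocolEnabled": false}}'),
    "bmc-c": json.loads('{"HTTPS": {"Port": 443, "ProtocolEnabled": true}}'),
}

def ipmi_state(resource):
    """Return 'enabled', 'disabled', or 'unknown' for network IPMI."""
    ipmi = resource.get("IPMI")
    if not isinstance(ipmi, dict) or not isinstance(ipmi.get("ProtocolEnabled"), bool):
        return "unknown"  # property not reported: verify the port another way
    return "enabled" if ipmi["ProtocolEnabled"] else "disabled"

def disable_ipmi_patch(resource):
    """Minimal PATCH body that turns IPMI off, or None when nothing needs changing."""
    if ipmi_state(resource) == "enabled":
        return {"IPMI": {"ProtocolEnabled": False}}
    return None

def merge(resource, patch):
    """Simulate how a PATCH updates the resource: nested objects merge, scalars replace."""
    out = dict(resource)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = value
    return out

def audit(fleet):
    """Map each BMC name to its IPMI state and the PATCH body it needs, if any."""
    return {name: (ipmi_state(doc), disable_ipmi_patch(doc))
            for name, doc in sorted(fleet.items())}

if __name__ == "__main__":
    for name, (state, patch) in audit(FLEET).items():
        print(f"{name}: IPMI {state}; PATCH body: {json.dumps(patch)}")
```

A BMC reported as "unknown" does not expose the IPMI property at all, so whether its IPMI port is open has to be confirmed separately.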