Staging plans to remove network IPMI support?

Joseph Reynolds jrey at linux.ibm.com
Thu Sep 19 07:34:03 AEST 2019


Re-sending to fix up formatting error:

The OpenBMC security working group discussed a desire to remove 
out-of-band network IPMI support from the OpenBMC firmware stack, here: 
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018319.html

This would affect out-of-band (network IPMI) only, in repository 
https://github.com/openbmc/phosphor-net-ipmid. The host IPMI support is
a separate topic.

The *main idea* is a staging plan to remove network IPMI support over a 
period of years, like in this progression:

1. Tell everyone the plans at each stage below. For example: emails to 
the group, mention in the release notes, update 
https://github.com/openbmc/phosphor-net-ipmid/blob/master/README.md and 
the ipmitool repo.

2. Implement the Redfish ManagerNetworkProtocol - defined in the DMTF 
Redfish Resource and Schema Guide DSP2046 
https://www.dmtf.org/dsp/DSP2046.  This gives the BMC admin an interface 
to disable out-of-band network IPMI. That means stopping the IPMI network 
service and closing its port.

3. Change the IPMI ManagerNetworkProtocol setting to be disabled by 
default.  After this, BMC admins have to take an explicit action to 
enable IPMI access. By this point it should be possible to learn how to 
migrate from IPMI to Redfish APIs.

4. Remove IPMI from the default OpenBMC configuration. This means 
network IPMI is not built into the BMC firmware image. After this, 
projects that want to use network IPMI will have to explicitly add it to 
their image. This will hopefully be a wake-up call to anyone who is 
still using network IPMI.

5. Remove all references to network IPMI from OpenBMC.

Discussion?

- Joseph
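
An added example, not part of the original message and not OpenBMC code: once step 2 exists, an admin can audit each BMC's ManagerNetworkProtocol resource and prepare the PATCH that turns network IPMI off. The hostnames and JSON documents are constructed, the function names are hypothetical, and the resource path and `IPMI.ProtocolEnabled` property are assumed to follow the DMTF ManagerNetworkProtocol schema.

```python
import json

# Constructed sample: ManagerNetworkProtocol documents as a Redfish client
# might have fetched them from three BMCs (hosts and values are made up).
SAMPLE_FLEET = {
    "bmc-a.example": '{"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol",'
                     ' "IPMI": {"ProtocolEnabled": true, "Port": 623},'
                     ' "HTTPS": {"ProtocolEnabled": true, "Port": 443}}',
    "bmc-b.example": '{"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol",'
                     ' "IPMI": {"ProtocolEnabled": false, "Port": 623}}',
    # No IPMI member at all, e.g. firmware that does not expose the setting yet.
    "bmc-c.example": '{"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol",'
                     ' "HTTPS": {"ProtocolEnabled": true, "Port": 443}}',
}


def ipmi_state(resource):
    """Classify network IPMI as 'enabled', 'disabled' or 'unknown'."""
    ipmi = resource.get("IPMI")
    if not isinstance(ipmi, dict):
        return "unknown"  # setting not exposed: cannot conclude it is off
    enabled = ipmi.get("ProtocolEnabled")
    if enabled is True:
        return "enabled"
    if enabled is False:
        return "disabled"
    return "unknown"  # null or missing value


def plan_remediation(fleet):
    """Map host -> (state, request); request is the PATCH to send, or None."""
    plan = {}
    for host, raw in sorted(fleet.items()):
        resource = json.loads(raw)
        state = ipmi_state(resource)
        request = None
        if state == "enabled":
            request = {
                "method": "PATCH",
                "uri": resource["@odata.id"],
                "body": {"IPMI": {"ProtocolEnabled": False}},
            }
        plan[host] = (state, request)
    return plan


if __name__ == "__main__":
    for host, (state, request) in plan_remediation(SAMPLE_FLEET).items():
        print(host, state, json.dumps(request))
```

Hosts reported as `unknown` need a separate check of whether the IPMI service is listening, since an absent property says nothing about the port.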


