Staging plans to remove network IPMI support?
Joseph Reynolds
jrey at linux.ibm.com
Thu Sep 19 07:34:03 AEST 2019
Re-sending to fix up formatting error:
The OpenBMC security working group discussed a desire to remove
out-of-band network IPMI support from the OpenBMC firmware stack, here:
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018319.html
This would affect out-of-band (network IPMI) only, in repository
https://github.com/openbmc/phosphor-net-ipmid. The host IPMI support is
a separate topic.
The *main idea* is a staging plan to remove network IPMI support over a
period of years, like in this progression:
1. Tell everyone the plans at each stage below. For example: emails to
the group, mention in the release notes, update
https://github.com/openbmc/phosphor-net-ipmid/blob/master/README.md and
the ipmitool repo.
2. Implement the Redfish ManagerNetworkProtocol - defined in the DMTF
Redfish Resource and Schema Guide DSP2046
https://www.dmtf.org/dsp/DSP2046. This gives the BMC admin an interface
to disable out-of-band network IPMI. That means stopping the IPMI network
service and closing its port.
3. Change the IPMI ManagerNetworkProtocol setting to be disabled by
default. After this, BMC admins have to take an explicit action to
enable IPMI access. By this point it should be possible to learn how to
migrate from IPMI to Redfish APIs.
4. Remove IPMI from the default OpenBMC configuration. This means
network IPMI is not built into the BMC firmware image. After this,
projects who want to use network IPMI will have to explicitly add it to
their image. This will hopefully be a wake-up call to anyone who is
still using network IPMI.
5. Remove all references to network IPMI from OpenBMC.
Discussion?
- Joseph