Staging plans to remove network IPMI support?
Vernon Mauery
vernon.mauery at linux.intel.com
Sat Sep 21 01:48:35 AEST 2019
On 18-Sep-2019 04:34 PM, Joseph Reynolds wrote:
> Re-sending to fix up formatting error:
>
> The OpenBMC security working group discussed a desire to remove out-of-band
> network IPMI support from the OpenBMC firmware stack, here:
> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018319.html
>
> This would affect out-of-band (network IPMI) only, in repository
> https://github.com/openbmc/phosphor-net-ipmid. The host IPMI support is
> a separate topic.
>
> The *main idea* is a staging plan to remove network IPMI support over a
> period of years, like in this progression:
This may be a year 3030 topic; I would not worry too much about it for
now. By the time RMCP+ is gone, BMCs may not even be a thing anymore :)
But in all seriousness, telnet and rlogin stayed on for YEARS beyond
their welcome. It will be a difficult task to wean users off RMCP+. It
is so easy to use and we are all used to it. Redfish is so complicated
and we don't have the tooling to make it work as smoothly as RMCP+.
Basically what I am saying is that we need buy-in from the end users. So
far, for all its wonder and glory, Redfish really has been a hard sell.
For all the warts and flaws of RMCP+ over IPMI, people *need* it. People
are not rational and do not make security decisions based on logic.
> 1. Tell everyone the plans at each stage below. For example: emails to the
> group, mention in the release notes, update
> https://github.com/openbmc/phosphor-net-ipmid/blob/master/README.md and the
> ipmitool repo.
We can certainly add something to the README, but we do need to set some
expectations on how much people actually read documentation. Adding
something there will not have nearly as much effect as putting a big red
banner on the bmcweb console that says "IPMI over RMCP+ is enabled and
is insecure. You might consider disabling it and using the Redfish
protocol instead"
OpenBMC does not own the ipmitool project (or any of the other
opensource utilities that speak RMCP+), so we will need to reach out. It
turns out that the ipmitool maintainer is a member of the OpenBMC
community, so we can hopefully leverage that relationship.
> 2. Implement the Redfish ManagerNetworkProtocol - defined in the DMTF
> Redfish Resource and Schema Guide DSP2046 https://www.dmtf.org/dsp/DSP2046.
> This gives the BMC admin an interface to disable out-of-band network
> IPMI.That means stopping the IPMI network service and closing its port.
I keep hearing stories about redfish not being united and common enough
to be useful. Does the spec need to grow or do we just need to make sure
that it is always implemented according to the spec?
> 3. Change the IPMI ManagerNetworkProtocol setting to be disabled by
> default. After this, BMC admins have to take an explicit action to enable
> IPMI access.
I would hope that long before we disable netipmid by default, Redfish
would be the main mechanism for accessing the BMC.
> By this point it should be possible to learn how to migrate from
> IPMI to Redfish APIs.
No, people should be learning how to migrate from IPMI to Redfish right
now, long before we attempt to disable RMCP+/IPMI by default.
> 4. Remove IPMI from the default OpenBMC configuration. This means network
> IPMI is not built into the BMC firmware image. After this, project who want
> to use network IPMI will have to explicitly add it to their image. This will
> hopefully be a wake-up call to anyone who is still using network IPMI.
I think this step could be moved up. Not every OEM user of OpenBMC wants
to include netipmid in their builds today. Adding a package to an image
is just as easy as removing it. We could make it NOT part of the image
by default and require all OEMs that want it to add it to their image.
> 5. Remove all references to network IPMI from OpenBMC.
I am not sure this is ever necessary. This is not a nanny state. If
someone wants openBMC to have insecure packages on their builds, that is
up to them. We can disable the package by default, but I think that is
as far as we need to go.
--Vernon
More information about the openbmc
mailing list