ipmi password storage

Joseph Reynolds jrey at linux.ibm.com
Thu Apr 16 06:32:36 AEST 2020


On 4/14/20 5:48 PM, Joseph Reynolds wrote:
>
>
> On 4/14/20 5:44 PM, Vernon Mauery wrote:
>> On 14-Apr-2020 05:18 PM, Joseph Reynolds wrote:
>>> On 4/14/20 2:11 PM, Vernon Mauery wrote:
>>>> On 14-Apr-2020 06:27 PM, Alexander Tereschenko wrote:
>>>>> To be more specific, I'm considering two attack scenarios in the 
>>>>> below comments:
>>>>> 1) The attacker gets into BMC and is able to copy off the data 
>>>>> files, including ipmi_pass. This IMHO is a more realistic scenario 
>>>>> in this case.
>>>>> 2) The attacker gets ipmi_pass file/contents only, without being 
>>>>> able to retrieve anything else.
>>>>>
>>>>> Which ones do *you* have in mind? For the sake of discussion, it 
>>>>> would be helpful to specify them all and see how potential 
>>>>> solutions address them.
>>>>
>>>> Attack one is the most likely, since if you can read one file, you 
>>>> can probably get any/all of them.
>>>
>>> An alternate solution is to make those files readable only by root, 
>>> restricting root logins, and restricting SSH access in general.  See 
>>> https://github.com/ibm-openbmc/dev/issues/1528
>>
>> Changes have been made already to restrict permissions to 0600. The 
>> problem is that currently that is not much protection at all 
>> because all the processes run as root right now anyway.
>
> Understood.  An attacker who gets control of any process will have 
> read access to this file, etc.
> The issue that all processes run as root is documented here 
> https://github.com/openbmc/openbmc/issues/3383
> and was recently discussed in the security working group, 2020-04-01 - 
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 
>
>
> - Joseph

We discussed this in the OpenBMC security working group meeting 
2020-04-15 - 
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI

My summary:

There is a patch to fix the file permissions so only root can read the 
files.  It addresses the most severe aspect of the vulnerability.  With 
the patch, only the root user can exploit the vulnerability.

But even with the fix, the underlying problem remains that encrypted 
passwords are stored on the BMC's file system that the root user can 
decrypt.  The root user should be trustworthy, but also should not have 
such access to user passwords.  Also, some other user can become root, 
making it a priority to restrict root access (including access to SSH 
and to the su and sudo commands).  Also, the fact that most OpenBMC 
processes run as the root user id (userid=0) makes escalation more likely.

Additional attempts were made to secure the ipmi_pass file, but the 
cost/benefit is unclear:

1. Encrypting the file differently was considered, but provides little 
benefit because the decryption credentials are still available to root.  
And we don't have a TPM and are not using ARM TrustZone to help isolate 
access to the key.  And changes like this cause upgrade and downgrade 
complications.

2. Abandoning RMCP+ would mean the ipmi_pass file is no longer needed, 
so the problem goes away.  We would need to create a new way for 
ipmitool to authenticate with the ipmi network daemon, thus creating a 
de-facto standard.  That would be a bunch of work and may extend the 
lifetime of IPMI.

So the answer for now is to fix the file permissions, pending coming up 
with a better solution.

- Joseph
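An added audit helper (not OpenBMC code, not from anyone in this thread) that checks the two points the summary makes: that the secret file is mode 0600 and root-owned, and how many processes actually run as uid 0, since the 0600 mode protects little if nearly everything is root. The `/etc/ipmi_pass` path in the usage comment is an assumption; both functions take their paths as parameters.

```shell
#!/bin/sh
# Added example: audit the two conditions discussed in the thread.
# Paths are parameters so the functions can be run against a constructed tree.

# Return 0 if FILE is a regular file with mode exactly 0600 and owned by
# WANT_UID (default 0, root); print each failing condition and return 1 otherwise.
check_secret_file() {
  file=$1
  want_uid=${2:-0}
  [ -f "$file" ] || { echo "$file: missing"; return 1; }
  mode=$(stat -c '%a' "$file")   # GNU stat, as found on a Linux BMC
  uid=$(stat -c '%u' "$file")
  rc=0
  [ "$mode" = "600" ] || { echo "$file: mode $mode, want 600"; rc=1; }
  [ "$uid" = "$want_uid" ] || { echo "$file: uid $uid, want $want_uid"; rc=1; }
  return $rc
}

# Print the number of processes whose real uid is 0, read from
# PROC/<pid>/status ("Uid:" line lists real, effective, saved, fs uids).
# PROC defaults to /proc; a constructed tree can be passed for testing.
count_root_processes() {
  proc=${1:-/proc}
  n=0
  for st in "$proc"/[0-9]*/status; do
    [ -r "$st" ] || continue
    ruid=$(awk '$1 == "Uid:" { print $2 }' "$st")
    [ "$ruid" = "0" ] && n=$((n + 1))
  done
  echo "$n"
}

# Usage on a live BMC (path of the secret file is assumed here):
#   check_secret_file /etc/ipmi_pass && echo "secret file permissions ok"
#   echo "processes running as root: $(count_root_processes)"
```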
