Control and uses of USB for BMC's own internal uses
Ed Tanous
edtanous at google.com
Tue Oct 19 07:32:02 AEDT 2021
On Mon, Oct 18, 2021 at 11:36 AM Bruce Mitchell
<bruce.mitchell at linux.vnet.ibm.com> wrote:
>
> On 10/17/2021 11:55, Bruce Mitchell wrote:
> > In this thread, "BMC's USB" means for the BMC's own uses
> > not for Host's uses nor to provide services to the
> > Host. Thus, if I said "Disable the BMC's USB" that
> > would not impact the Host in any fashion.
> >
> > I need to be able to control the BMC's USB ports
> > to prevent BMC uses of USB Pen Drive updates and
> > independently prevent the BMC uses of USB serial
> > cable for UPS. As well as re-enable those usages.
> >
> > Clearly in this Gerrit review the term Disabled was
> > not defined. 47180: bmc-usb: property to track usb state
> > https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180
> >
> >
> > Also, since this is related to security of the BMC
> > my intent was to offer the users a clear way to
> > achieve the control of the BMC's USB ports without
> > the users needing to know any of the Servers' USB
> > topology. I personally find complicated user options
> > for features add risk to the system security.
> >
> > A recommendation I have received is to use phosphor-state-manager.
> >

Some clarifying questions:
There are physically available USB A ports connected directly to the
BMC on IBM platforms? Or are these traces within the board?
What are these direct BMC USB ports used for normally?

Considering that, while the BMC use case is likely IBM specific, the
idea of disabling a generic USB port isn't IBM specific, it seems
like we need a model for a USB port on dbus and to relate it to the
various resources. If and when a host interface wanted to implement a
similar feature, we'd be able to reuse it.

> > Also, from what I have observed this control of the
> > BMC's USB ports may be unique to my company (IBM).
> > And thus, an OEM solution may be best.

Keep in mind, you'll need a new schema and collection for these
things; I'd recommend starting up a thread with DMTF about getting
those added. Keep in mind, they already have the "port" schema, which
might fulfill the need, although it doesn't have a USB enumeration, so
it's possible that's an intentional omission.

https://github.com/openbmc/bmcweb/blob/master/OEM_SCHEMAS.md

> >
> > Does anyone else have a need or desire to control the
> > BMC's USB ports?
>
> Also suggested: utilize https://github.com/openbmc/service-config-manager
> to disable/enable the service and make it like enable/disable SSH
> via Redfish via bmcweb