Read CPU memory from BMC.
Joseph Reynolds
jrey at linux.ibm.com
Wed Aug 31 03:49:49 AEST 2022
On 8/29/22 3:43 AM, Jonathan Neuschäfer wrote:
> On Sun, Aug 28, 2022 at 08:30:54PM -0500, Joseph Reynolds wrote:
>> On 8/26/22 11:42 AM, AKASH G J wrote:
>>> Hello Team,
>>>
>>> Is it possible to read CPU memory space from the BMC?
>>> If PCIe connection is available from BMC to the chipset, can we do DMA
>>> from BMC ?
>> Akash,
>>
>> I hope not. I assume you are asking about how to read the host's memory
>> from the BMC.
> Hello Akash and Joseph,
>
> At least HP iLO BMC hardware has this feature (as documented by Airbus
> security lab[1]).
>
> In other case, the reverse is possible: Reading/writing BMC memory from
> the host[2].
>
>
> In any case, before OpenBMC can support reading/writing host memory, the
> hardware has to support it. Which BMC hardware platform are you working with?
Thanks. I should clarify... I was wearing my security hat when I wrote
that the BMC and host should not be allowed to reach into each other's
memory. It would be bad to allow the BMC to read secrets out of host
memory, and vice-versa. There are some use cases, such a for device
driver using memory windows, but a general capability to access the
other device's memory is not present.
The IBM Power and OpenPOWER systems use the AST2500 and AST2600 BMC
hardware. These systems resolved CVE-2019-6260 by shutting down the
affected BMC interfaces.
I am aware the AST2x00 can open a memory window. This allows BMC device
drivers to allows host elements to write directly into the BMC memory
window. I understand this use case can be secure because access outside
the memory window is not allowed. Please note this topic is at the
limit of my knowledge, so if you are asking for more details here, that
is not me.
I am not aware of any use cases where the BMC writes directly to host
memory.
Can you point to existing OpenBMC applications? Are you trying to solve
a particular problem you can share with the community?
Joseph
>
>
> Greetings,
> Jonathan
>
>
> [1]: https://airbus-seclab.github.io/ilo/RECONBRX2018-Slides-Subverting_your_server_through_its_BMC_the_HPE_iLO4_case-perigaud-gazet-czarny.pdf
> [2]: https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/
More information about the openbmc
mailing list