IPMI Restriction Mode

Kumar Thangavel kumarthangavel.hcl at gmail.com
Thu May 5 02:57:19 AEST 2022


On Wed, May 4, 2022 at 4:34 AM Vernon Mauery <vernon.mauery at linux.intel.com>
wrote:

> On 03-May-2022 07:46 PM, Kumar Thangavel wrote:
> >Hi Vernon,
> >
> >     We may need to write our own custom filter for other channels as you
> >suggested.
> >     While implementing this, we need some clarifications.
> >
> >     1. How can we map channel IDs with settingsd restriction mode
> >dbus-objects?
>
> Set up a restriction mode object for each channel? This is really up to
> your implementation.
>

    Ack.

>
> >     2. The Ipmb channel has multiple devices in our system. How can we
> >handle and apply these multiple Ipmb interfaces with
> >settingsd restriction mode dbus-objects?
> >
> >     Please refer below link for multiple Ipmb channels for our system.
> >
>
> When ipmb channel commands come in, there is also rqSA set in the
> ipmi::Context. This should be unique per device. Will this work for you?
>
    That also works. If we use rqSA, again we need to map this rqSA value
with phosphor-settingsd restriction mode dbus-objects name
(/xyz/openbmc_project/control/*host1*/restriction_mode)?

Alternate logic we just thought of:
1. Using "hostIdx" in ipmi::Context, which is unique (0, 1, 2 to N) for each
device, can we map this with the phosphor-settingsd restriction mode
dbus-object names? We need to maintain order (0, 1, 2 to N-1) for hosts
and N for debug cards in all configs.
2. Can we read the *ipmb-channels.json* entry in ipmid with the name field as
"host1", "host2", "host3", "host4" and "debug_card", which should match the
settingsd dbus-object names? So that we can map the name field with
settings objects easily.

  Example :
  Ipmb-channels.json entry :

[
{ "name": "*host1*",
"type": "ipmb",
"slave-path": "/dev/ipmb-1",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": 0
},
{ "name": "*host2*",
"type": "ipmb",
"slave-path": "/dev/ipmb-3",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": 2
},
{ "name": "*hostN*",
"type": "ipmb",
"slave-path": "/dev/ipmb-7",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": N
},
{ "name": "*debug_card*",
"type": "ipmb",
"slave-path": "/dev/ipmb-13",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": 4
}
]

  Settingsd restriction mode objects :

  /xyz/openbmc_project/control/*debug_card*/restriction_mode
  /xyz/openbmc_project/control/*host1*/restriction_mode
  /xyz/openbmc_project/control/*host2*/restriction_mode
  /xyz/openbmc_project/control/*host3*/restriction_mode
  /xyz/openbmc_project/control/*host3*/restriction_mode

  Could you please provide your thoughts on this ?

  Thanks,
  Kumar.

> --Vernon
>
> >
> >https://github.com/openbmc/openbmc/blob/master/meta-facebook/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/yosemitev2/ipmb-channels.json
> >
> >      Already we have "hostIdx" in ipmi::Context struct, which represents
> >the data coming from which hosts. Even though if we plan to use this
> >"hostIdx", it is still not clear how we can map this "hostIdx" with
> >settingsd restriction mode dbus-objects.
> >
> >   Otherwise, can we have some Schema(Rules) to follow the channel order
> >for this channel and devices(settingsd dbus-objects) mapping ?
> >    Ex:   First 4 or 6 channel is for host 1 - host4
> >             Next channel is for  Debug card,
> >             Rest of the channel is for other devices.
> >
> >   I think we need to maintain this order in settingsd config file and
> >ipmb-channels.json config file for this channel and device mapping.
> >
> >  Could you please provide your suggestion on this.
> >
> >Thanks,
> >Kumar.
> >
> >On Tue, Apr 26, 2022 at 9:25 PM Kumar Thangavel <
> >kumarthangavel.hcl at gmail.com> wrote:
> >
> >> Thanks for your response and suggestions.
> >>
> >> --Kumar.
> >>
> >> On Sat, Apr 23, 2022 at 4:55 AM Vernon Mauery <
> >> vernon.mauery at linux.intel.com> wrote:
> >>
> >>> On 18-Apr-2022 04:56 PM, Kumar Thangavel wrote:
> >>> >Thanks for the response and clarification.
> >>> >
> >>> >I will clarify my question here,
> >>> >
> >>> >IPMI restriction mode support has been added for host devices which
> >>> >support IPMI.
> >>> >This restriction mode support can be enabled or disabled from the
> >>> >phosphor-settingsd configuration (.yaml) file.
> >>> >
> >>> >Please check the below link for .yaml file of phosphor-settingsd.
> >>> >
> >>> >
> >>> >https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
> >>> >
> >>> >We wanted to add restriction mode support for other IPMI based devices
> >>> >(Debug card).
> >>> >Already phosphor-ipmi-host supports filters for all IPMI commands
> >>> >which have ipmi::Context objects.
> >>> >So, how can we enable/disable this restriction mode support
> >>> >from phosphor-settings for other IPMI based devices (Debug card)?
> >>>
> >>> I understand that currently only the host channel is using the
> >>> restriction mode. You want to add it for other channels. This has
> >>> already been done in the intel-ipmi-oem repo, if you want to take a
> >>> look at that. It allows a fine-grained mechanism for command filtering,
> >>> based on the channel and the restriction mode (although currently, I
> >>> think the restriction mode still only applies to the host channel).
> >>>
> >>> My point is that it is pretty easy to come up with a custom filter
> >>> mechanism that should suit you. There is even an option to disable the
> >>> built-in filter so you can supply your own.
> >>>
> >>> --Vernon
> >>>
> >>> >
> >>> >
> >>> >
> >>> >On Thu, Apr 14, 2022 at 6:15 AM Vernon Mauery <
> >>> >vernon.mauery at linux.intel.com> wrote:
> >>> >
> >>> >> On 04-Apr-2022 12:49 PM, Kumar Thangavel wrote:
> >>> >> >Hi All,
> >>> >> >
> >>> >> >        IPMI Restriction mode support has been added for host
> >>> >> >machines which support IPMI.
> >>> >> >
> >>> >> >https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
> >>> >> >
> >>> >> >        How can IPMI restriction mode support be added for other
> >>> >> >than host devices (IPMI based devices), e.g. Debug card?
> >>> >>
> >>> >> I am not exactly sure what you are asking for here. When you say
> >>> >> other devices, are you asking about restricting commands based on
> >>> >> what channel they come in on?
> >>> >>
> >>> >> This is possible. A filter can filter on any criteria that is
> >>> >> available with the ipmi::Context object and the command. It can even
> >>> >> extract command data and take action there. I only say this if you are
> >>> >> interested in writing a new filter of your own.
> >>> >>
> >>> >> But if you want to see a filter that is already implemented that
> >>> >> restricts commands based on BMC state and incoming channel, you can
> >>> >> look at the filtering done in the intel-ipmi-oem repo.
> >>> >>
> >>> >> If my guess at what you meant was wrong, please clarify and I will
> >>> >> try again.
> >>> >>
> >>> >> --Vernon
> >>> >>
> >>> >> >        Could you please provide any suggestions or any docs ?
> >>> >> >
> >>> >> >Thanks,
> >>> >> >Kumar.
> >>> >>
> >>>
> >>
>
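
Added example, not part of the thread and not code from phosphor-host-ipmid: a sketch of option 2 above, deriving each device's settingsd restriction_mode object path from the proposed "name" field of ipmb-channels.json and using it in a filter decision. IpmbChannel, Mode, buildPathMap and allowCommand are hypothetical names; the sketch assumes devIndex is the value seen as hostIdx in ipmi::Context, replaces the D-Bus property read with an in-memory map, and rejects commands from devices that have no mapping.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-ins (assumptions): one ipmb-channels.json entry with the proposed
// "name" field, and a simplified restriction mode value.
struct IpmbChannel { std::string name; int devIndex; };
enum class Mode { None, Allowlist };
using NetFnCmd = std::pair<uint8_t, uint8_t>;

// Derive the settingsd object path from "name", keyed by devIndex
// (assumed here to be the value seen as hostIdx in ipmi::Context).
std::map<int, std::string> buildPathMap(const std::vector<IpmbChannel>& chans)
{
    std::map<int, std::string> paths;
    for (const auto& c : chans)
        paths[c.devIndex] =
            "/xyz/openbmc_project/control/" + c.name + "/restriction_mode";
    return paths;
}

// Filter decision; `modes` stands in for the per-object D-Bus property read.
bool allowCommand(const std::map<int, std::string>& paths,
                  const std::map<std::string, Mode>& modes,
                  const std::set<NetFnCmd>& allowlist, int hostIdx,
                  uint8_t netFn, uint8_t cmd)
{
    auto p = paths.find(hostIdx);
    if (p == paths.end())
        return false; // device not in the config: reject (design assumption)
    auto m = modes.find(p->second);
    if (m == modes.end())
        return false; // no restriction_mode object: reject (design assumption)
    if (m->second == Mode::None)
        return true;  // unrestricted device
    return allowlist.count(NetFnCmd{netFn, cmd}) != 0;
}

int main()
{
    // Constructed sample mirroring the entries in the mail (hostN omitted).
    auto paths = buildPathMap({{"host1", 0}, {"host2", 2}, {"debug_card", 4}});
    std::map<std::string, Mode> modes{{paths.at(4), Mode::Allowlist}};
    // Get Device ID (NetFn App 0x06, Cmd 0x01) from the debug card: exit 0.
    return allowCommand(paths, modes, {NetFnCmd{0x06, 0x01}}, 4, 0x06, 0x01) ? 0 : 1;
}
```

Because the map is keyed by devIndex and built from the config, the hosts and the debug card do not have to appear in a fixed order across platforms.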