From: Vernon Mauery <vernon.mauery@linux.intel.com>
To: "P. K. Lee (李柏寬)" <P.K.Lee@quantatw.com>
Cc: "openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>
Subject: Re: To restrict IPMI commands
Date: Mon, 18 Mar 2019 11:31:08 -0700
Message-ID: <20190318183108.GE44612@mauery.jf.intel.com>
In-Reply-To: <9674FC29-B121-444E-A123-E99A31181766@quantatw.com>

On 16-Mar-2019 01:04 PM, P. K. Lee (李柏寬) wrote:
>Hi Vernon,
>
>Thank you for providing a new filtering mechanism that looks very flexible, but I have a question.
>I have tried the filter that allows filtering of commands by whitelistFilter, but the channel of request must be channelSystemIfac to check the contents of the whitelist.
>What puzzles me is why channelSystemIfac is in the constraint? This constraint will cause the whitelist to fail when the user calls the IPMI command via the LAN.
>If the user wants to use the whitelist via the LAN, is there a better way except for removing the channelSystemIfac restriction?
>Do I need to create another whitelist filter for the LAN?

The whitelist filter I implemented was just one to replace the original 
filter that was there before the architecture changes. The restriction 
about the incoming interface is something that was already there and 
somebody at IBM might be a better resource for the 'why' question. At 
some point, I would like to make it an optional part of the build 
because it may not be something that everyone needs. But it is a good 
starting place for how to write a filter.

Feel free to write a new filter as part of a 'provider' library: just as 
you write ipmi command handlers and register them, you can write a 
filter and register it.

--Vernon

>Regards,
>PK
>
>> On Feb 23, 2019, at 04:05, Vernon Mauery <vernon.mauery@linux.intel.com> wrote:
>>
>> On 22-Feb-2019 03:03 AM, P. K. Lee (李柏寬) wrote:
>>> Hi,
>>>
>>> Does anyone know how to restrict the IPMI command execution via out-of-band?
>>>
>>> I know that the IPMI commands via in-band can use the whitelist mechanism to restrict whether the commands can access the BMC, but I can't use this for the out-of-band.
>>>
>>> If there is currently no restriction mechanism for the out-of-band, I will try to add the whitelist function for it just like the in-band.
>>
>> There is a mechanism in the works for this already. It is a generic filter provider that allows filtering of commands based on any criteria. See https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-host-ipmid/+/13896 for the current implementation.
>>
>> --Vernon
>
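
The provider-library filter described above, written out as an added example. This is not code from the thread or from phosphor-host-ipmid: the project's real hook is `ipmi::registerFilter(prio, fn)`, which takes a function that receives a request and returns an IPMI completion code, but the `Context`/`Request` structs and the registry here are stand-ins so the example compiles without the project headers. The whitelist entries and the LAN channel number are constructed sample data. The point it shows is the one the thread is about: the filter below decides purely on (netFn, cmd) and never looks at the channel, so a request arriving over LAN is checked exactly like one from the system interface.

```cpp
// Added example, not part of phosphor-host-ipmid. Models a command filter
// registered from a provider library; the registry and structs are stand-ins
// for the project's ipmi::registerFilter / ipmi::message::Request (assumption).
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <utility>
#include <vector>

namespace demo {

using Cc = uint8_t;
constexpr Cc ccSuccess = 0x00;               // IPMI: command completed normally
constexpr Cc ccInsufficientPrivilege = 0xD4; // IPMI: insufficient privilege level

constexpr uint8_t channelSystemIface = 0x0F; // in-band host interface (IPMI "present I/F")
constexpr uint8_t channelLan1 = 0x01;        // assumed LAN channel number for the sample

// Stand-in for the request context the real filter receives.
struct Context {
    uint8_t channel;
    uint8_t netFn;
    uint8_t cmd;
};
struct Request {
    using ptr = std::shared_ptr<Request>;
    std::shared_ptr<Context> ctx;
};

using FilterFunction = std::function<Cc(Request::ptr)>;

// Stand-in registry: filters run in ascending priority; the first non-success
// completion code rejects the command before any handler sees it.
inline std::multimap<int, FilterFunction>& filterRegistry() {
    static std::multimap<int, FilterFunction> registry;
    return registry;
}
inline bool registerFilter(int prio, FilterFunction fn) {
    filterRegistry().emplace(prio, std::move(fn));
    return true;
}
inline Cc runFilters(Request::ptr req) {
    for (auto& entry : filterRegistry()) {
        Cc cc = entry.second(req);
        if (cc != ccSuccess) return cc;
    }
    return ccSuccess;
}

// Constructed whitelist of (netFn, cmd) pairs, sorted once for binary_search.
using NetFnCmd = std::pair<uint8_t, uint8_t>;
inline const std::vector<NetFnCmd>& whitelist() {
    static const std::vector<NetFnCmd> list = [] {
        std::vector<NetFnCmd> v = {
            {0x06, 0x01}, // App: Get Device ID
            {0x06, 0x38}, // App: Get Channel Authentication Capabilities
            {0x06, 0x42}, // App: Get Channel Info
            {0x0A, 0x10}, // Storage: Get FRU Inventory Area Info
            {0x04, 0x2D}, // Sensor/Event: Get Sensor Reading
        };
        std::sort(v.begin(), v.end());
        return v;
    }();
    return list;
}

// The filter. It deliberately ignores ctx->channel, so LAN and in-band
// requests are held to the same whitelist; a channel-specific policy would
// branch on req->ctx->channel here.
inline Cc whitelistAllChannelsFilter(Request::ptr req) {
    NetFnCmd key{req->ctx->netFn, req->ctx->cmd};
    if (std::binary_search(whitelist().begin(), whitelist().end(), key))
        return ccSuccess;
    return ccInsufficientPrivilege;
}

// Builds a request as the daemon would and runs it through the filter chain.
inline Cc dispatch(uint8_t channel, uint8_t netFn, uint8_t cmd) {
    static const bool registered = registerFilter(10, whitelistAllChannelsFilter);
    (void)registered;
    auto req = std::make_shared<Request>();
    req->ctx = std::make_shared<Context>(Context{channel, netFn, cmd});
    return runFilters(req);
}

} // namespace demo

int main() {
    // Get Device ID over LAN passes; Chassis Control (netFn 0x00, cmd 0x02)
    // is rejected on LAN and on the system interface alike.
    std::printf("LAN  GetDeviceID    -> 0x%02X\n", demo::dispatch(demo::channelLan1, 0x06, 0x01));
    std::printf("LAN  ChassisControl -> 0x%02X\n", demo::dispatch(demo::channelLan1, 0x00, 0x02));
    std::printf("SYS  ChassisControl -> 0x%02X\n", demo::dispatch(demo::channelSystemIface, 0x00, 0x02));
    return 0;
}
```

A real provider library would register the filter from a static initializer at load time rather than from `dispatch`, and would load the whitelist from a build-time or runtime configuration instead of a literal table; the `registerFilter` signature and completion codes used here are the only parts this example asserts about the project.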

Thread overview: 9+ messages
2019-02-22  3:03 To restrict IPMI commands P. K. Lee (李柏寬)
2019-02-22 20:05 ` Vernon Mauery
2019-03-16 13:04   ` P. K. Lee (李柏寬)
2019-03-18 18:31     ` Vernon Mauery [this message]
2019-03-27 14:33       ` Brad Bishop
2019-03-27 14:39     ` Brad Bishop
2019-03-28 14:33       ` P. K. Lee (李柏寬)
2019-04-01 19:39         ` Vernon Mauery
2019-04-10  7:10           ` P. K. Lee (李柏寬)
