All of lore.kernel.org
 help / color / mirror / Atom feed
From: "P. K. Lee (李柏寬)" <P.K.Lee@quantatw.com>
To: Brad Bishop <bradleyb@fuzziesquirrel.com>
Cc: Vernon Mauery <vernon.mauery@linux.intel.com>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>
Subject: Re: To restrict IPMI commands
Date: Thu, 28 Mar 2019 14:33:25 +0000	[thread overview]
Message-ID: <3B56B3FD-0A20-4D51-8BCA-5F1637307ED9@quantatw.com> (raw)
In-Reply-To: <20190327143926.rix43miyfilbfrwp@thinkpad.dyn.fuzziesquirrel.com>



> On Mar 27, 2019, at 22:39, Brad Bishop <bradleyb@fuzziesquirrel.com> wrote:
> 
> On Sat, Mar 16, 2019 at 01:04:53PM +0000, P. K. Lee (李柏寬) wrote:
>> Hi Vernon,
>> 
>> Thank you for providing a new filtering mechanism that looks very
>> flexible, but I have a question.  I have tried the filter that allows
>> filtering of commands by whitelistFilter, but the channel of request
>> must be channelSystemIfac to check the contents of the whitelist.  What
>> puzzles me is why channelSystemIfac is in the constraint? This
>> constraint will cause the whitelist to fail when the user calls the
>> IPMI command via the LAN.  If the user wants to use the whitelist vis
>> the LAN, 
> 
> Hi P.K.
> 
> If I understand correctly, you want to have a system that operates in
> one of two modes - restricted or un-restricted.  When the system is in
> restricted mode, only whitelisted commands will be processed from _any_
> channel.  Do I understand correctly?

Yes, we need to use the whitelist mechanism to restrict IPMI commands 
from any channel.

> How do you restore the system to unrestricted mode?  Some side-band (non
> IPMI) mechanism?

For us, it can use the REST to change the restriction mode as well.

> If you are able to share, I'm curious to know more about the usage
> pattern driving the need for this.

I thought that the configuration can be modified the format of 
<NetFn>:<Command>:<Channel> to apply the whitelist with multiple channels, 
where <Channel> uses 2 bytes to map the channel using a bit array.

For example:
0x06:0x01:0xFFFE  // The 0xFFFE is used 2 bytes to represent the channel 1~15

However, in order to be compatible with the current design, the <NetFn>:<Command> still only uses the system interface.

Best,
P.K.

  reply	other threads:[~2019-03-28 14:33 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-22  3:03 To restrict IPMI commands P. K. Lee (李柏寬)
2019-02-22 20:05 ` Vernon Mauery
2019-03-16 13:04   ` P. K. Lee (李柏寬)
2019-03-18 18:31     ` Vernon Mauery
2019-03-27 14:33       ` Brad Bishop
2019-03-27 14:39     ` Brad Bishop
2019-03-28 14:33       ` P. K. Lee (李柏寬) [this message]
2019-04-01 19:39         ` Vernon Mauery
2019-04-10  7:10           ` P. K. Lee (李柏寬)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3B56B3FD-0A20-4D51-8BCA-5F1637307ED9@quantatw.com \
    --to=p.k.lee@quantatw.com \
    --cc=bradleyb@fuzziesquirrel.com \
    --cc=openbmc@lists.ozlabs.org \
    --cc=vernon.mauery@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.