To restrict IPMI commands

To restrict IPMI commands

[P. K. Lee (李柏寬)]

Hi,

Does anyone know how to restrict the IPMI command execution via out-of-band?

I know that the IPMI commands via in-band can use the whitelist mechanism to restrict whether the commands can access the BMC, but I can't use this for the out-of-band.

If there is currently no restriction mechanism for the out-of-band, I will try to add the whitelist function for it just like the in-band.

Thanks,

P. K.

Re: To restrict IPMI commands

[Vernon Mauery]

On 22-Feb-2019 03:03 AM, P. K. Lee (李柏寬) wrote:
>Hi,
>
>Does anyone know how to restrict the IPMI command execution via out-of-band?
>
>I know that the IPMI commands via in-band can use the whitelist mechanism to restrict whether the commands can access the BMC, but I can't use this for the out-of-band.
>
>If there is currently no restriction mechanism for the out-of-band, I will try to add the whitelist function for it just like the in-band.

There is a mechanism in the works for this already. It is a generic 
filter provider that allows filtering of commands based on any criteria. 
See 
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-host-ipmid/+/13896 
for the current implementation.

--Vernon

Re: To restrict IPMI commands

[P. K. Lee (李柏寬)]

Hi Vernon,

Thank you for providing a new filtering mechanism that looks very flexible, but I have a question.
I have tried the filter that allows filtering of commands by whitelistFilter, but the channel of request must be channelSystemIfac to check the contents of the whitelist.
What puzzles me is why channelSystemIfac is in the constraint? This constraint will cause the whitelist to fail when the user calls the IPMI command via the LAN.
If the user wants to use the whitelist vis the LAN, is there a better way except for removing the channelSystemIfac restriction?
Do I need to create another whitelist filter for the LAN?

Regards,
PK

> On Feb 23, 2019, at 04:05, Vernon Mauery <vernon.mauery@linux.intel.com> wrote:
> 
> On 22-Feb-2019 03:03 AM, P. K. Lee (李柏寬) wrote:
>> Hi,
>> 
>> Does anyone know how to restrict the IPMI command execution via out-of-band?
>> 
>> I know that the IPMI commands via in-band can use the whitelist mechanism to restrict whether the commands can access the BMC, but I can't use this for the out-of-band.
>> 
>> If there is currently no restriction mechanism for the out-of-band, I will try to add the whitelist function for it just like the in-band.
> 
> There is a mechanism in the works for this already. It is a generic filter provider that allows filtering of commands based on any criteria. See https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-host-ipmid/+/13896 for the current implementation.
> 
> --Vernon

Re: To restrict IPMI commands

[Vernon Mauery]

On 16-Mar-2019 01:04 PM, P. K. Lee (李柏寬) wrote:
>Hi Vernon,
>
>Thank you for providing a new filtering mechanism that looks very flexible, but I have a question.
>I have tried the filter that allows filtering of commands by whitelistFilter, but the channel of request must be channelSystemIfac to check the contents of the whitelist.
>What puzzles me is why channelSystemIfac is in the constraint? This constraint will cause the whitelist to fail when the user calls the IPMI command via the LAN.
>If the user wants to use the whitelist vis the LAN, is there a better way except for removing the channelSystemIfac restriction?
>Do I need to create another whitelist filter for the LAN?

The whitelist filter I implemented was just one to replace the original 
filter that was there before the architecture changes. The restriction 
about the incoming interface is something that was already there and 
somebody at IBM might be a better resource for the 'why' question. At 
some point, I would like to make it an optional part of the build 
because it may not be something that everyone needs. But it is a good 
starting place for how to write a filter.

You can feel free to write a new filter as part of a 'provider' library 
just like you write ipmi command handlers and register them, you can 
write a filter and register it.

--Vernon

>Regards,
>PK
>
>> On Feb 23, 2019, at 04:05, Vernon Mauery <vernon.mauery@linux.intel.com> wrote:
>>
>> On 22-Feb-2019 03:03 AM, P. K. Lee (李柏寬) wrote:
>>> Hi,
>>>
>>> Does anyone know how to restrict the IPMI command execution via out-of-band?
>>>
>>> I know that the IPMI commands via in-band can use the whitelist mechanism to restrict whether the commands can access the BMC, but I can't use this for the out-of-band.
>>>
>>> If there is currently no restriction mechanism for the out-of-band, I will try to add the whitelist function for it just like the in-band.
>>
>> There is a mechanism in the works for this already. It is a generic filter provider that allows filtering of commands based on any criteria. See https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-host-ipmid/+/13896 for the current implementation.
>>
>> --Vernon
>

Re: To restrict IPMI commands

[Brad Bishop]

On Mon, Mar 18, 2019 at 11:31:08AM -0700, Vernon Mauery wrote:
>On 16-Mar-2019 01:04 PM, P. K. Lee (李柏寬) wrote:
>>Hi Vernon,
>>
>>Thank you for providing a new filtering mechanism that looks very flexible, but I have a question.
>>I have tried the filter that allows filtering of commands by whitelistFilter, but the channel of request must be channelSystemIfac to check the contents of the whitelist.
>>What puzzles me is why channelSystemIfac is in the constraint? This constraint will cause the whitelist to fail when the user calls the IPMI command via the LAN.
>>If the user wants to use the whitelist vis the LAN, is there a better way except for removing the channelSystemIfac restriction?
>>Do I need to create another whitelist filter for the LAN?
>
>The whitelist filter I implemented was just one to replace the 
>original filter that was there before the architecture changes. The 
>restriction about the incoming interface is something that was already 
>there and somebody at IBM might be a better resource for the 'why' 
>question.

We implemented this at the request of a bare metal hosting provider.
Their setup consisted of a trusted (by the provider) management LAN
connected to all the BMCs, and untrusted host firmware.

While the system was being provisioned, they needed unrestricted access
to the BMC, from the host over the unauthenticated in-band channels.
Once the system was provisioned and turned over to the customer, the
provider only wanted to allow whitelisted commands to flow over those
channels as the host firmware/os is not trusted at that point.  The
provider still wanted unrestricted access via the authenticated channels
on their management network connected to the bmcs.

>At some point, I would like to make it an optional part of the build
>because it may not be something that everyone needs. But it is a good
>starting place for how to write a filter.
>
>You can feel free to write a new filter as part of a 'provider' library
>just like you write ipmi command handlers and register them, you can
>write a filter and register it.

Could it be as simple as a configure option that switches between the
two behaviors?  Or maybe the configure option selects the channels to
apply the filtering to?

>
>--Vernon

Re: To restrict IPMI commands

[Brad Bishop]

On Sat, Mar 16, 2019 at 01:04:53PM +0000, P. K. Lee (李柏寬) wrote:
>Hi Vernon,
>
>Thank you for providing a new filtering mechanism that looks very
>flexible, but I have a question.  I have tried the filter that allows
>filtering of commands by whitelistFilter, but the channel of request
>must be channelSystemIfac to check the contents of the whitelist.  What
>puzzles me is why channelSystemIfac is in the constraint? This
>constraint will cause the whitelist to fail when the user calls the
>IPMI command via the LAN.  If the user wants to use the whitelist vis
>the LAN, 

Hi P.K.

If I understand correctly, you want to have a system that operates in
one of two modes - restricted or un-restricted.  When the system is in
restricted mode, only whitelisted commands will be processed from _any_
channel.  Do I understand correctly?

How do you restore the system to unrestricted mode?  Some side-band (non
IPMI) mechanism?

If you are able to share, I'm curious to know more about the usage
pattern driving the need for this.

Re: To restrict IPMI commands

[P. K. Lee (李柏寬)]

> On Mar 27, 2019, at 22:39, Brad Bishop <bradleyb@fuzziesquirrel.com> wrote:
> 
> On Sat, Mar 16, 2019 at 01:04:53PM +0000, P. K. Lee (李柏寬) wrote:
>> Hi Vernon,
>> 
>> Thank you for providing a new filtering mechanism that looks very
>> flexible, but I have a question.  I have tried the filter that allows
>> filtering of commands by whitelistFilter, but the channel of request
>> must be channelSystemIfac to check the contents of the whitelist.  What
>> puzzles me is why channelSystemIfac is in the constraint? This
>> constraint will cause the whitelist to fail when the user calls the
>> IPMI command via the LAN.  If the user wants to use the whitelist vis
>> the LAN, 
> 
> Hi P.K.
> 
> If I understand correctly, you want to have a system that operates in
> one of two modes - restricted or un-restricted.  When the system is in
> restricted mode, only whitelisted commands will be processed from _any_
> channel.  Do I understand correctly?

Yes, we need to use the whitelist mechanism to restrict IPMI commands 
from any channel.

> How do you restore the system to unrestricted mode?  Some side-band (non
> IPMI) mechanism?

For us, it can use the REST to change the restriction mode as well.

> If you are able to share, I'm curious to know more about the usage
> pattern driving the need for this.

I thought that the configuration can be modified the format of 
<NetFn>:<Command>:<Channel> to apply the whitelist with multiple channels, 
where <Channel> uses 2 bytes to map the channel using a bit array.

For example:
0x06:0x01:0xFFFE  // The 0xFFFE is used 2 bytes to represent the channel 1~15

However, in order to be compatible with the current design, the <NetFn>:<Command> still only uses the system interface.

Best,
P.K.

Re: To restrict IPMI commands

[Vernon Mauery]

On 28-Mar-2019 02:33 PM, P. K. Lee (李柏寬) wrote:
>
>
>> On Mar 27, 2019, at 22:39, Brad Bishop <bradleyb@fuzziesquirrel.com> wrote:
>>
>> On Sat, Mar 16, 2019 at 01:04:53PM +0000, P. K. Lee (李柏寬) wrote:
>>> Hi Vernon,
>>>
>>> Thank you for providing a new filtering mechanism that looks very
>>> flexible, but I have a question.  I have tried the filter that allows
>>> filtering of commands by whitelistFilter, but the channel of request
>>> must be channelSystemIfac to check the contents of the whitelist.  What
>>> puzzles me is why channelSystemIfac is in the constraint? This
>>> constraint will cause the whitelist to fail when the user calls the
>>> IPMI command via the LAN.  If the user wants to use the whitelist vis
>>> the LAN,
>>
>> Hi P.K.
>>
>> If I understand correctly, you want to have a system that operates in
>> one of two modes - restricted or un-restricted.  When the system is in
>> restricted mode, only whitelisted commands will be processed from _any_
>> channel.  Do I understand correctly?
>
>Yes, we need to use the whitelist mechanism to restrict IPMI commands
>from any channel.
>
>> How do you restore the system to unrestricted mode?  Some side-band (non
>> IPMI) mechanism?
>
>For us, it can use the REST to change the restriction mode as well.
>
>> If you are able to share, I'm curious to know more about the usage
>> pattern driving the need for this.
>
>I thought that the configuration can be modified the format of
><NetFn>:<Command>:<Channel> to apply the whitelist with multiple channels,
>where <Channel> uses 2 bytes to map the channel using a bit array.
>
>For example:
>0x06:0x01:0xFFFE  // The 0xFFFE is used 2 bytes to represent the channel 1~15
>
>However, in order to be compatible with the current design, the <NetFn>:<Command> still only uses the system interface.

This is a reasonable mechanism to extend the whitelist to multiple 
interfaces for a fixed setup. Is there a need to make the filtering more 
flexible, like runtime changing which commands are available? If so, 
does the layout of the IPMI2.0 firmware firewall work?

--Vernon

Re: To restrict IPMI commands

[P. K. Lee (李柏寬)]

> On Apr 2, 2019, at 03:39, Vernon Mauery <vernon.mauery@linux.intel.com> wrote:
> 
> On 28-Mar-2019 02:33 PM, P. K. Lee (李柏寬) wrote:
>> 
>> 
>>> On Mar 27, 2019, at 22:39, Brad Bishop <bradleyb@fuzziesquirrel.com> wrote:
>>> 
>>> On Sat, Mar 16, 2019 at 01:04:53PM +0000, P. K. Lee (李柏寬) wrote:
>>>> Hi Vernon,
>>>> 
>>>> Thank you for providing a new filtering mechanism that looks very
>>>> flexible, but I have a question.  I have tried the filter that allows
>>>> filtering of commands by whitelistFilter, but the channel of request
>>>> must be channelSystemIfac to check the contents of the whitelist.  What
>>>> puzzles me is why channelSystemIfac is in the constraint? This
>>>> constraint will cause the whitelist to fail when the user calls the
>>>> IPMI command via the LAN.  If the user wants to use the whitelist vis
>>>> the LAN,
>>> 
>>> Hi P.K.
>>> 
>>> If I understand correctly, you want to have a system that operates in
>>> one of two modes - restricted or un-restricted.  When the system is in
>>> restricted mode, only whitelisted commands will be processed from _any_
>>> channel.  Do I understand correctly?
>> 
>> Yes, we need to use the whitelist mechanism to restrict IPMI commands
>> from any channel.
>> 
>>> How do you restore the system to unrestricted mode?  Some side-band (non
>>> IPMI) mechanism?
>> 
>> For us, it can use the REST to change the restriction mode as well.
>> 
>>> If you are able to share, I'm curious to know more about the usage
>>> pattern driving the need for this.
>> 
>> I thought that the configuration can be modified the format of
>> <NetFn>:<Command>:<Channel> to apply the whitelist with multiple channels,
>> where <Channel> uses 2 bytes to map the channel using a bit array.
>> 
>> For example:
>> 0x06:0x01:0xFFFE  // The 0xFFFE is used 2 bytes to represent the channel 1~15
>> 
>> However, in order to be compatible with the current design, the <NetFn>:<Command> still only uses the system interface.
> 
> This is a reasonable mechanism to extend the whitelist to multiple interfaces for a fixed setup. Is there a need to make the filtering more flexible, like runtime changing which commands are available? If so, does the layout of the IPMI2.0 firmware firewall work?
> 
> —Vernon

I thought that the whitelist is provided by the vender, and the firmware firewall is the part that the customer can customize. In a security-based restriction, the customer cannot execute commands that are not in the whitelist.
Of course the customer can't discover the command that is not in the whitelist, just as the command does not exist. In order to distinguish the difference from the firmware firewall in the completion code, the completion code of the command that is not in whitelist can be changed to C1h.

Best,
PK