* IPMI Firmware Firewall
From: Deepak Kodihalli @ 2018-04-19 10:17 UTC (permalink / raw)
  To: emilyshaffer, vernon.mauery, a.amelkin, tomjose, OpenBMC Maillist

Hi All,

The Firmware Firewall is something that the OpenBMC stack does not 
implement today. Do you know how useful this is to an IPMI user? Is this 
something we must implement in the IPMI stack?

It seems to apply to malicious firmware running on the BMC in a blade 
server/multi-bmc environment, but aren't those concerns addressed by 
signed images and/or other modern security features?

Thanks,
Deepak


* Re: IPMI Firmware Firewall
From: Alexander Amelkin @ 2018-04-19 12:52 UTC (permalink / raw)
  To: Deepak Kodihalli, emilyshaffer, vernon.mauery, tomjose, OpenBMC Maillist



Well, although I've never seen this feature actually implemented
anywhere, I can imagine that it can be useful for cases when the host OS
is "owned"/managed by a different entity than the hardware. E.g. in a
dedicated server hosting or similar scenarios. The owner of the hardware
may not want to allow the tenants to be able to perform destructive or
potentially destructive operations on the BMC. I can think of
prohibiting firmware updates (even with good firmwares), user
management, network configuration, SEL and PEF/PET manipulation, et al.

Sincerely,
Alexander.

19.04.2018 13:17, Deepak Kodihalli wrote:
> Hi All,
>
> The Firmware Firewall is something that the OpenBMC stack does not
> implement today. Do you know how useful this is to an IPMI user? Is
> this something we must implement in the IPMI stack?
>
> It seems to apply to malicious firmware running on the BMC in a blade
> server/multi-bmc environment, but aren't those concerns addressed by
> signed images and/or other modern security features?
>
> Thanks,
> Deepak
>




* Re: IPMI Firmware Firewall
From: Vernon Mauery @ 2018-04-19 18:36 UTC (permalink / raw)
  To: Alexander Amelkin
  Cc: Deepak Kodihalli, emilyshaffer, tomjose, OpenBMC Maillist

On 19-Apr-2018 03:52 PM, Alexander Amelkin wrote:
>Well, although I've never seen this feature actually implemented
>anywhere, I can imagine that it can be useful for cases when the host OS

Back in 2006, some IBM servers had BMCs that supported this. I guess 
their BMC developers got really excited about the new IPMI 2.0 spec and 
went all out.

>is "owned"/managed by a different entity than the hardware. E.g. in a
>dedicated server hosting or similar scenarios. The owner of the hardware
>may not want to allow the tenants to be able to perform destructive or
>potentially destructive operations on the BMC. I can think of
>prohibiting firmware updates (even with good firmwares), user
>management, network configuration, SEL and PEF/PET manipulation, et al.

The firmware firewall mechanism as is does not really do much good. I 
spent a while writing up the ipmitool implementation in 2006. The 
biggest trouble with it is that the configuration of it happens as the 
admin user, so if your untrusted user has admin privileges, they could 
potentially just change the firmware firewall. The nice part is that it 
makes the ipmi commands more discoverable.

But as part of the rework of the ipmi daemon, I was thinking of adding 
in a filter layer that allows ipmi providers to hook in whatever command 
filtering that they want. This is where the ipmi firmware firewall would 
exist (if it was to be implemented) and where the current IBM 
"Whitelist" could be hooked in.

--Vernon

>Sincerely,
>Alexander.
>
>19.04.2018 13:17, Deepak Kodihalli wrote:
>> Hi All,
>>
>> The Firmware Firewall is something that the OpenBMC stack does not
>> implement today. Do you know how useful this is to an IPMI user? Is
>> this something we must implement in the IPMI stack?
>>
>> It seems to apply to malicious firmware running on the BMC in a blade
>> server/multi-bmc environment, but aren't those concerns addressed by
>> signed images and/or other modern security features?
>>
>> Thanks,
>> Deepak
>>
>
>


* Re: IPMI Firmware Firewall
From: Alexander Amelkin @ 2018-04-20 13:30 UTC (permalink / raw)
  To: Vernon Mauery; +Cc: Deepak Kodihalli, emilyshaffer, tomjose, OpenBMC Maillist



19.04.2018 21:36, Vernon Mauery wrote:
> On 19-Apr-2018 03:52 PM, Alexander Amelkin wrote:
>> is "owned"/managed by a different entity than the hardware. E.g. in a
>> dedicated server hosting or similar scenarios. The owner of the hardware
>> may not want to allow the tenants to be able to perform destructive or
>> potentially destructive operations on the BMC. I can think of
>> prohibiting firmware updates (even with good firmwares), user
>> management, network configuration, SEL and PEF/PET manipulation, et al.
>
> The biggest trouble with it is that the configuration of it happens as
> the admin user, so if your untrusted user has admin privileges, they
> could potentially just change the firmware firewall.
Well, if an untrusted user has the admin password, then you're doomed anyway
as they may come over LAN and ruin everything.

I thought that this Firewall was intended to block certain commands on
System Interface where no authentication is required.
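
Added example, not part of the thread and not OpenBMC code: a sketch of the command-filter layer Vernon describes, with one filter that whitelists commands on the session-less System Interface (Alexander's reading of the firewall's purpose) and one that requires an Admin session for guarded commands. All type and function names are hypothetical; the NetFn/command numbers are from the IPMI 2.0 specification and the policy itself is constructed.

```cpp
// Hypothetical filter layer for an IPMI daemon (illustration only).
#include <cstdint>
#include <functional>
#include <set>
#include <utility>
#include <vector>

enum class Channel { SystemInterface, Lan };
enum class Privilege { None, User, Operator, Admin };

struct Request {
    Channel channel;
    Privilege privilege;      // None on the session-less system interface
    std::uint8_t netFn, cmd;
};

// A provider-supplied filter returns true to let the command through.
using Filter = std::function<bool(const Request&)>;
using CmdSet = std::set<std::pair<std::uint8_t, std::uint8_t>>;

struct FilterChain {
    std::vector<Filter> filters;
    // Deny wins: every registered filter must accept the request.
    bool allowed(const Request& r) const {
        for (const auto& f : filters)
            if (!f(r)) return false;
        return true;
    }
};

// Whitelist that applies only to the unauthenticated host interface.
Filter hostWhitelist(CmdSet ok) {
    return [ok = std::move(ok)](const Request& r) {
        return r.channel != Channel::SystemInterface || ok.count({r.netFn, r.cmd}) > 0;
    };
}

// Commands in `guarded` need an Admin-level session on any channel.
Filter adminOnly(CmdSet guarded) {
    return [guarded = std::move(guarded)](const Request& r) {
        return guarded.count({r.netFn, r.cmd}) == 0 || r.privilege == Privilege::Admin;
    };
}

FilterChain makeExampleChain() {  // constructed sample policy
    FilterChain c;
    c.filters.push_back(hostWhitelist({{0x06, 0x01}, {0x0A, 0x40}}));  // Get Device ID, Get SEL Info
    c.filters.push_back(adminOnly({{0x06, 0x60}, {0x0A, 0x47}}));      // Set Command Enables, Clear SEL
    return c;
}
```

With this policy the host side cannot reach Set Command Enables at all, while a LAN session at Admin level still can, which is the limitation raised earlier in the thread.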


