* IPMI Firmware Firewall
From: Deepak Kodihalli @ 2018-04-19 10:17 UTC (permalink / raw)
To: emilyshaffer, vernon.mauery, a.amelkin, tomjose, OpenBMC Maillist
Hi All,
The Firmware Firewall is something that the OpenBMC stack does not
implement today. Do you know how useful this is to an IPMI user? Is this
something we must implement in the IPMI stack?
It seems to apply to malicious firmware running on the BMC in a blade
server/multi-bmc environment, but aren't those concerns addressed by
signed images and/or other modern security features?
Thanks,
Deepak
* Re: IPMI Firmware Firewall
From: Alexander Amelkin @ 2018-04-19 12:52 UTC (permalink / raw)
To: Deepak Kodihalli, emilyshaffer, vernon.mauery, tomjose, OpenBMC Maillist
Well, although I've never seen this feature actually implemented
anywhere, I can imagine that it can be useful for cases when the host OS
is "owned"/managed by a different entity than the hardware. E.g. in a
dedicated server hosting or similar scenarios. The owner of the hardware
may not want to allow the tenants to be able to perform destructive or
potentially destructive operations on the BMC. I can think of
prohibiting firmware updates (even with good firmwares), user
management, network configuration, SEL and PEF/PET manipulation, et al.
Sincerely,
Alexander.
19.04.2018 13:17, Deepak Kodihalli wrote:
> Hi All,
>
> The Firmware Firewall is something that the OpenBMC stack does not
> implement today. Do you know how useful this is to an IPMI user? Is
> this something we must implement in the IPMI stack?
>
> It seems to apply to malicious firmware running on the BMC in a blade
> server/multi-bmc environment, but aren't those concerns addressed by
> signed images and/or other modern security features?
>
> Thanks,
> Deepak
>
* Re: IPMI Firmware Firewall
From: Vernon Mauery @ 2018-04-19 18:36 UTC (permalink / raw)
To: Alexander Amelkin
Cc: Deepak Kodihalli, emilyshaffer, tomjose, OpenBMC Maillist
On 19-Apr-2018 03:52 PM, Alexander Amelkin wrote:
>Well, although I've never seen this feature actually implemented
>anywhere, I can imagine that it can be useful for cases when the host OS
Back in 2006, some IBM servers had BMCs that supported this. I guess
their BMC developers got really excited about the new IPMI 2.0 spec and
went all out.
>is "owned"/managed by a different entity than the hardware. E.g. in a
>dedicated server hosting or similar scenarios. The owner of the hardware
>may not want to allow the tenants to be able to perform destructive or
>potentially destructive operations on the BMC. I can think of
>prohibiting firmware updates (even with good firmwares), user
>management, network configuration, SEL and PEF/PET manipulation, et al.
The firmware firewall mechanism as is does not really do much good. I
spent a while writing up the ipmitool implementation in 2006. The
biggest trouble with it is that the configuration of it happens as the
admin user, so if your untrusted user has admin privileges, they could
potentially just change the firmware firewall. The nice part is that it
makes the ipmi commands more discoverable.
But as part of the rework of the ipmi daemon, I was thinking of adding
in a filter layer that allows ipmi providers to hook in whatever command
filtering that they want. This is where the ipmi firmware firewall would
exist (if it was to be implemented) and where the current IBM
"Whitelist" could be hooked in.
--Vernon
>Sincerely,
>Alexander.
>
>19.04.2018 13:17, Deepak Kodihalli wrote:
>> Hi All,
>>
>> The Firmware Firewall is something that the OpenBMC stack does not
>> implement today. Do you know how useful this is to an IPMI user? Is
>> this something we must implement in the IPMI stack?
>>
>> It seems to apply to malicious firmware running on the BMC in a blade
>> server/multi-bmc environment, but aren't those concerns addressed by
>> signed images and/or other modern security features?
>>
>> Thanks,
>> Deepak
>>
>
>
* Re: IPMI Firmware Firewall
From: Alexander Amelkin @ 2018-04-20 13:30 UTC (permalink / raw)
To: Vernon Mauery; +Cc: Deepak Kodihalli, emilyshaffer, tomjose, OpenBMC Maillist
19.04.2018 21:36, Vernon Mauery wrote:
> On 19-Apr-2018 03:52 PM, Alexander Amelkin wrote:
>> is "owned"/managed by a different entity than the hardware. E.g. in a
>> dedicated server hosting or similar scenarios. The owner of the hardware
>> may not want to allow the tenants to be able to perform destructive or
>> potentially destructive operations on the BMC. I can think of
>> prohibiting firmware updates (even with good firmwares), user
>> management, network configuration, SEL and PEF/PET manipulation, et al.
>
> The biggest trouble with it is that the configuration of it happens as
> the admin user, so if your untrusted user has admin privileges, they
> could potentially just change the firmware firewall.
Well, if an untrusted user has the admin password, then you're doomed anyway
as they may come over LAN and ruin everything.
I thought that this Firewall was intended to block certain commands on
System Interface where no authentication is required.
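
Editor's added example, not part of the thread and not OpenBMC's code: a sketch of the command filter layer Vernon describes, carrying the default-deny whitelist for the unauthenticated System Interface that Alexander has in mind. Every type and function name is hypothetical; the channel number (0x0F), net functions and command codes are the IPMI 2.0 values.

```cpp
// Added illustration: every type and function name here is hypothetical.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <set>
#include <utility>

constexpr uint8_t kSystemInterface = 0x0F;  // IPMI channel number of the host interface
constexpr uint8_t kNetFnApp = 0x06, kNetFnStorage = 0x0A;

struct Request { uint8_t channel, netFn, cmd; };
enum class Verdict { Allow, Deny };
using Filter = std::function<Verdict(const Request&)>;

class FilterLayer {
    std::multimap<int, Filter> filters_;  // keyed by priority, lowest runs first
  public:
    void add(int prio, Filter f) { filters_.emplace(prio, std::move(f)); }
    // A command is dispatched only if every registered filter allows it.
    Verdict check(const Request& r) const {
        for (const auto& entry : filters_)
            if (entry.second(r) == Verdict::Deny) return Verdict::Deny;
        return Verdict::Allow;
    }
};

// Default-deny whitelist for the unauthenticated host channel. Other channels
// pass through here and are left to session authentication and privilege.
Filter hostWhitelist(std::set<std::pair<uint8_t, uint8_t>> allowed) {
    return [allowed](const Request& r) -> Verdict {
        if (r.channel != kSystemInterface) return Verdict::Allow;
        return allowed.count({r.netFn, r.cmd}) ? Verdict::Allow : Verdict::Deny;
    };
}

FilterLayer makeTenantPolicy() {
    FilterLayer layer;
    layer.add(10, hostWhitelist({{kNetFnApp, 0x01},        // Get Device ID
                                 {kNetFnStorage, 0x43}})); // Get SEL Entry
    return layer;
}

int main() {
    FilterLayer layer = makeTenantPolicy();
    bool ok = layer.check({kSystemInterface, kNetFnStorage, 0x47}) == Verdict::Deny &&  // Clear SEL
              layer.check({kSystemInterface, kNetFnApp, 0x60}) == Verdict::Deny;  // Set Command Enables
    std::printf("destructive host commands blocked: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Because the host channel is default-deny, Set Command Enables (App 0x60), the command that reconfigures the firmware firewall itself, is also out of reach from the host side unless the hardware owner whitelists it.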