* Control and uses of USB for BMC's own internal uses
@ 2021-10-17 18:55 Bruce Mitchell
  2021-10-18 18:36 ` Bruce Mitchell
  0 siblings, 1 reply; 8+ messages in thread
From: Bruce Mitchell @ 2021-10-17 18:55 UTC (permalink / raw)
  To: openbmc

This thread BMC's USB means for the BMC's own uses
not for Host's uses nor to provide services to the
Host.  Thus, if I said "Disable the BMC's USB" that
would not impact the Host in any fashion.

I need to be able to control the BMC's USB ports
to prevent BMC uses of USB Pen Drive updates and
independently prevent the BMC uses of USB serial
cable for UPS.  As well as re-enable those usages.

Clearly in this Gerrit review the term Disabled was
not defined.  47180: bmc-usb: property to track usb state
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180

Also, since this is related to security of the BMC
my intent was to offer the users a clear way to
achieve the control of the BMC's USB ports without
the users needing to know any of the Servers' USB
topology.  I personally find complicated user options
for features add risk to the system security.

A recommendation I have received is to use phosphor-state-manager.

Also, from what I have observed this control of the
BMC's USB ports may be unique to my company (IBM).
And thus, an OEM solution may be best.

Does anyone else have a need or desire to control the
BMC's USB ports?


* Re: Control and uses of USB for BMC's own internal uses
  2021-10-17 18:55 Control and uses of USB for BMC's own internal uses Bruce Mitchell
@ 2021-10-18 18:36 ` Bruce Mitchell
  2021-10-18 20:32   ` Ed Tanous
  0 siblings, 1 reply; 8+ messages in thread
From: Bruce Mitchell @ 2021-10-18 18:36 UTC (permalink / raw)
  To: openbmc, richard.marian.thomaiyar, apparao.puli, patrick

On 10/17/2021 11:55, Bruce Mitchell wrote:
> This thread BMC's USB means for the BMC's own uses
> not for Host's uses nor to provide services to the
> Host.  Thus, if I said "Disable the BMC's USB" that
> would not impact the Host in any fashion.
> 
> I need to be able to control the BMC's USB ports
> to prevent BMC uses of USB Pen Drive updates and
> independently prevent the BMC uses of USB serial
> cable for UPS.  As well as re-enable those usages.
> 
> Clearly in this Gerrit review the term Disabled was
> not defined.  47180: bmc-usb: property to track usb state
> https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180 
> 
> 
> Also, since this is related to security of the BMC
> my intent was to offer the users a clear way to
> achieve the control of the BMC's USB ports without
> the users needing to know any of the Servers' USB
> topology.  I personally find complicated user options
> for features add risk to the system security.
>
> A recommendation I have received is to use phosphor-state-manager.
> 
> Also, from what I have observed this control of the
> BMC's USB ports may be unique to my company (IBM).
> And thus, an OEM solution may be best.
> 
> Does anyone else have a need or desire to control the
> BMC's USB ports?

Also suggested utilize https://github.com/openbmc/service-config-manager 
to disable/enable the service and make it like enable/disable SSH
via Redfish via bmcweb


* Re: Control and uses of USB for BMC's own internal uses
  2021-10-18 18:36 ` Bruce Mitchell
@ 2021-10-18 20:32   ` Ed Tanous
  2021-10-18 21:15     ` Bruce Mitchell
  2021-10-19 13:45     ` Brad Bishop
  0 siblings, 2 replies; 8+ messages in thread
From: Ed Tanous @ 2021-10-18 20:32 UTC (permalink / raw)
  To: Bruce Mitchell; +Cc: openbmc, apparao.puli, richard.marian.thomaiyar

On Mon, Oct 18, 2021 at 11:36 AM Bruce Mitchell
<bruce.mitchell@linux.vnet.ibm.com> wrote:
>
> On 10/17/2021 11:55, Bruce Mitchell wrote:
> > This thread BMC's USB means for the BMC's own uses
> > not for Host's uses nor to provide services to the
> > Host.  Thus, if I said "Disable the BMC's USB" that
> > would not impact the Host in any fashion.
> >
> > I need to be able to control the BMC's USB ports
> > to prevent BMC uses of USB Pen Drive updates and
> > independently prevent the BMC uses of USB serial
> > cable for UPS.  As well as re-enable those usages.
> >
> > Clearly in this Gerrit review the term Disabled was
> > not defined.  47180: bmc-usb: property to track usb state
> > https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180
> >
> >
> > Also, since this is related to security of the BMC
> > my intent was to offer the users a clear way to
> > achieve the control of the BMC's USB ports without
> > the users needing to know any of the Servers' USB
> > topology.  I personally find complicated user options
> > for features add risk to the system security.
> >
> > A recommendation I have received is to use phosphor-state-manager.
> >

Some clarifying questions:
There are physically available USB A ports connected directly to the
BMC on IBM platforms?  Or are these traces within the board?
What are these direct bmc usb ports used for normally?

Considering that while the BMC use case is likely IBM specific, but
the idea of disabling a generic USB port isn't IBM specific, it seems
like we need a model for a USB port on dbus and relate it to the
various resources.  If and when a host interface wanted to implement a
similar feature, we'd be able to reuse it.

> > Also, from what I have observed this control of the
> > BMC's USB ports may be unique to my company (IBM).
> > And thus, an OEM solution may be best.

Keep in mind, you'll need a new schema and collection for these
things;  I'd recommend starting up a thread with DMTF about getting
those added.  Keep in mind, they already have the "port" schema, which
might fulfill the need, although it doesn't have a USB enumeration, so
it's possible that's an intentional omission.

https://github.com/openbmc/bmcweb/blob/master/OEM_SCHEMAS.md

> >
> > Does anyone else have a need or desire to control the
> > BMC's USB ports?
>
> Also suggested utilize https://github.com/openbmc/service-config-manager
> to disable/enable the service and make it like enable/disable SSH
> via Redfish via bmcweb


* Re: Control and uses of USB for BMC's own internal uses
  2021-10-18 20:32   ` Ed Tanous
@ 2021-10-18 21:15     ` Bruce Mitchell
  2021-10-18 21:19       ` Ed Tanous
  2021-10-19 13:45     ` Brad Bishop
  1 sibling, 1 reply; 8+ messages in thread
From: Bruce Mitchell @ 2021-10-18 21:15 UTC (permalink / raw)
  To: Ed Tanous, Brad Bishop; +Cc: openbmc, apparao.puli, richard.marian.thomaiyar

On 10/18/2021 13:32, Ed Tanous wrote:
> On Mon, Oct 18, 2021 at 11:36 AM Bruce Mitchell
> <bruce.mitchell@linux.vnet.ibm.com> wrote:
>>
>> On 10/17/2021 11:55, Bruce Mitchell wrote:
>>> This thread BMC's USB means for the BMC's own uses
>>> not for Host's uses nor to provide services to the
>>> Host.  Thus, if I said "Disable the BMC's USB" that
>>> would not impact the Host in any fashion.
>>>
>>> I need to be able to control the BMC's USB ports
>>> to prevent BMC uses of USB Pen Drive updates and
>>> independently prevent the BMC uses of USB serial
>>> cable for UPS.  As well as re-enable those usages.
>>>
>>> Clearly in this Gerrit review the term Disabled was
>>> not defined.  47180: bmc-usb: property to track usb state
>>> https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180
>>>
>>>
>>> Also, since this is related to security of the BMC
>>> my intent was to offer the users a clear way to
>>> achieve the control of the BMC's USB ports without
>>> the users needing to know any of the Servers' USB
>>> topology.  I personally find complicated user options
>>> for features add risk to the system security.
>>>
>>> A recommendation I have received is to use phosphor-state-manager.
>>>
> 
> Some clarifying questions:
> There are physically available USB A ports connected directly to the
> BMC on IBM platforms?  Or are these traces within the board?
> What are these direct bmc usb ports used for normally?
> 
> Considering that while the BMC use case is likely IBM specific, but
> the idea of disabling a generic USB port isn't IBM specific, it seems
> like we need a model for a USB port on dbus and relate it to the
> various resources.  If and when a host interface wanted to implement a
> similar feature, we'd be able to reuse it.
> 

Yes, these are physically available USB A ports directly connected
to the BMC on IBM platforms.
No, these are not traces within the board; "anyone can walk up and
plug in a USB stick".
USB Flash drive for firmware update of the BMC is the first use case;
the second use case is to talk to a UPS via a USB to Serial port.

Please clarify "generic USB port".  From my perspective there are
USB Ports to be used "owned" by the BMC's firmware and there are
USB Ports to be used "owned" by the Host.  I know of no USB Ports that 
are shared by the BMC and the Host (I know that the physical BMC 
provides SIO and thus some USB ports as well to the Host in many 
situations, I see them as Host owned USB Ports).

>>> Also, from what I have observed this control of the
>>> BMC's USB ports may be unique to my company (IBM).
>>> And thus, an OEM solution may be best.
> 
> Keep in mind, you'll need a new schema and collection for these
> things;  I'd recommend starting up a thread with DMTF about getting
> those added.  Keep in mind, they already have the "port" schema, which
> might fulfill the need, although it doesn't have a USB enumeration, so
> it's possible that's an intentional omission.
> 
> https://github.com/openbmc/bmcweb/blob/master/OEM_SCHEMAS.md
> 

I am going to let Brad address this one.

>>>
>>> Does anyone else have a need or desire to control the
>>> BMC's USB ports?
>>
>> Also suggested utilize https://github.com/openbmc/service-config-manager
>> to disable/enable the service and make it like enable/disable SSH
>> via Redfish via bmcweb



* Re: Control and uses of USB for BMC's own internal uses
  2021-10-18 21:15     ` Bruce Mitchell
@ 2021-10-18 21:19       ` Ed Tanous
  2021-10-19 14:26         ` Bruce Mitchell
  0 siblings, 1 reply; 8+ messages in thread
From: Ed Tanous @ 2021-10-18 21:19 UTC (permalink / raw)
  To: Bruce Mitchell
  Cc: openbmc, Brad Bishop, richard.marian.thomaiyar, apparao.puli

On Mon, Oct 18, 2021 at 2:15 PM Bruce Mitchell
<bruce.mitchell@linux.vnet.ibm.com> wrote:
>
> On 10/18/2021 13:32, Ed Tanous wrote:
> > On Mon, Oct 18, 2021 at 11:36 AM Bruce Mitchell
> > <bruce.mitchell@linux.vnet.ibm.com> wrote:
> >>
> >> On 10/17/2021 11:55, Bruce Mitchell wrote:
> >>> This thread BMC's USB means for the BMC's own uses
> >>> not for Host's uses nor to provide services to the
> >>> Host.  Thus, if I said "Disable the BMC's USB" that
> >>> would not impact the Host in any fashion.
> >>>
> >>> I need to be able to control the BMC's USB ports
> >>> to prevent BMC uses of USB Pen Drive updates and
> >>> independently prevent the BMC uses of USB serial
> >>> cable for UPS.  As well as re-enable those usages.
> >>>
> >>> Clearly in this Gerrit review the term Disabled was
> >>> not defined.  47180: bmc-usb: property to track usb state
> >>> https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180
> >>>
> >>>
> >>> Also, since this is related to security of the BMC
> >>> my intent was to offer the users a clear way to
> >>> achieve the control of the BMC's USB ports without
> >>> the users needing to know any of the Servers' USB
> >>> topology.  I personally find complicated user options
> >>> for features add risk to the system security.
> >>>
> >>> A recommendation I have received is to use phosphor-state-manager.
> >>>
> >
> > Some clarifying questions:
> > There are physically available USB A ports connected directly to the
> > BMC on IBM platforms?  Or are these traces within the board?
> > What are these direct bmc usb ports used for normally?
> >
> > Considering that while the BMC use case is likely IBM specific, but
> > the idea of disabling a generic USB port isn't IBM specific, it seems
> > like we need a model for a USB port on dbus and relate it to the
> > various resources.  If and when a host interface wanted to implement a
> > similar feature, we'd be able to reuse it.
> >
>
> Yes, these are physically available USB A ports directly connected
> to the BMC on IBM platforms.
> No, these are not traces within the board; "anyone can walk up and
> plug in a USB stick".
> USB Flash drive for firmware update of the BMC is the first use case;
> the second use case is to talk to a UPS via a USB to Serial port.
>
> Please clarify "generic USB port".  From my perspective there are
> USB Ports to be used "owned" by the BMC's firmware and there are
> USB Ports to be used "owned" by the Host.  I know of no USB Ports that
> are shared by the BMC and the Host (I know that the physical BMC
> provides SIO and thus some USB ports as well to the Host in many
> situations, I see them as Host owned USB Ports).

There are platforms that have USB ports connected between the host and
BMC.  The point is, regardless of the owner, we should have a common
interface for it such that when and if "out of band host USB port
disabling" comes, we can simply implement the same interface and have
the code be very similar.  This is the same pattern we follow for
almost all other interfaces, so it should be pretty straightforward to
represent.

>
> >>> Also, from what I have observed this control of the
> >>> BMC's USB ports may be unique to my company (IBM).
> >>> And thus, an OEM solution may be best.
> >
> > Keep in mind, you'll need a new schema and collection for these
> > things;  I'd recommend starting up a thread with DMTF about getting
> > those added.  Keep in mind, they already have the "port" schema, which
> > might fulfill the need, although it doesn't have a USB enumeration, so
> > it's possible that's an intentional omission.
> >
> > https://github.com/openbmc/bmcweb/blob/master/OEM_SCHEMAS.md
> >
>
> I am going to let Brad address this one.
>
> >>>
> >>> Does anyone else have a need or desire to control the
> >>> BMC's USB ports?
> >>
> >> Also suggested utilize https://github.com/openbmc/service-config-manager
> >> to disable/enable the service and make it like enable/disable SSH
> >> via Redfish via bmcweb
>


* Re: Control and uses of USB for BMC's own internal uses
  2021-10-18 20:32   ` Ed Tanous
  2021-10-18 21:15     ` Bruce Mitchell
@ 2021-10-19 13:45     ` Brad Bishop
  2021-12-11 21:21       ` Ed Tanous
  1 sibling, 1 reply; 8+ messages in thread
From: Brad Bishop @ 2021-10-19 13:45 UTC (permalink / raw)
  To: Ed Tanous, Bruce Mitchell; +Cc: openbmc, apparao.puli, richard.marian.thomaiyar

On Mon, 2021-10-18 at 13:32 -0700, Ed Tanous wrote:
> On Mon, Oct 18, 2021 at 11:36 AM Bruce Mitchell
> <bruce.mitchell@linux.vnet.ibm.com> wrote:
> > 
> > On 10/17/2021 11:55, Bruce Mitchell wrote:
> > > 
> > > 
> 
> Some clarifying questions:
> There are physically available USB A ports connected directly to the
> BMC on IBM platforms?  Or are these traces within the board?
> What are these direct bmc usb ports used for normally?
> 
> Considering that while the BMC use case is likely IBM specific,

Just curious - what makes you say this?

> but
> the idea of disabling a generic USB port isn't IBM specific, it seems
> like we need a model for a USB port on dbus and relate it to the
> various resources.  If and when a host interface wanted to implement a
> similar feature, we'd be able to reuse it.

The goal isn't really to disable a USB port.  It is to disable the
assorted bits of software that run when a USB device of a specific class
(mass storage, serial, etc) is plugged into it.  What would it even mean
to disable a USB port?  Would it need to be powered off?
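
Added example, not part of the thread and not OpenBMC code: a sketch of the per-class gating described in the message above, where the port stays live and policy decides which BMC-side handler may act on a plugged-in device, with the pen-drive update and UPS serial uses switched independently. The handler names `usb-code-update` and `ups-serial`, the policy dictionary, and the sample device tree are assumptions; only the sysfs `bInterfaceClass` attribute and the USB class codes are real.

```python
import os
import tempfile

# USB-IF base class codes as they appear in sysfs bInterfaceClass (hex).
MASS_STORAGE = 0x08
CDC_COMM = 0x02

# Hypothetical handler names; the thread does not name the actual services.
HANDLERS = {
    MASS_STORAGE: "usb-code-update",
    CDC_COMM: "ups-serial",
}


def scan_interfaces(sysfs_root):
    """Return {interface_name: class_code} for every USB interface directory.

    Interface directories are named like "1-1:1.0". Device directories
    ("1-1") and root hubs ("usb1") have no bInterfaceClass and are skipped.
    """
    found = {}
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name, "bInterfaceClass")
        try:
            with open(path) as fh:
                found[name] = int(fh.read().strip(), 16)
        except (FileNotFoundError, NotADirectoryError, ValueError):
            continue
    return found


def allowed_handlers(interfaces, policy):
    """Map each interface to the handler permitted to run, or None.

    Default deny: a class with no known handler, or a handler whose policy
    switch is off or missing, gets None. Vendor-specific class 0xff is
    deliberately unmapped: many USB-to-serial adapters report it, but so do
    unrelated devices, so class alone cannot authorize them.
    """
    decisions = {}
    for name, cls in interfaces.items():
        handler = HANDLERS.get(cls)
        enabled = handler is not None and policy.get(handler, False)
        decisions[name] = handler if enabled else None
    return decisions


def build_sample_tree(root):
    """Constructed sample data laid out like /sys/bus/usb/devices."""
    sample = {"1-1:1.0": "08", "1-2:1.0": "02", "1-3:1.0": "ff", "1-4:1.0": "03"}
    os.mkdir(os.path.join(root, "usb1"))  # root hub entry, no bInterfaceClass
    for iface, cls in sample.items():
        os.mkdir(os.path.join(root, iface))
        with open(os.path.join(root, iface, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        interfaces = scan_interfaces(root)
    # Pen-drive updates disabled, UPS serial still enabled.
    policy = {"usb-code-update": False, "ups-serial": True}
    return allowed_handlers(interfaces, policy)


if __name__ == "__main__":
    for iface, handler in demo().items():
        print(iface, "->", handler or "no handler (ignored)")
```

Gating at this layer leaves the port powered and the device enumerated by the kernel; it only controls which BMC software reacts to the device.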



* Re: Control and uses of USB for BMC's own internal uses
  2021-10-18 21:19       ` Ed Tanous
@ 2021-10-19 14:26         ` Bruce Mitchell
  0 siblings, 0 replies; 8+ messages in thread
From: Bruce Mitchell @ 2021-10-19 14:26 UTC (permalink / raw)
  To: Ed Tanous; +Cc: openbmc, Brad Bishop, richard.marian.thomaiyar, apparao.puli

On 10/18/2021 14:19, Ed Tanous wrote:
> On Mon, Oct 18, 2021 at 2:15 PM Bruce Mitchell
> <bruce.mitchell@linux.vnet.ibm.com> wrote:
>>
>> On 10/18/2021 13:32, Ed Tanous wrote:
>>> On Mon, Oct 18, 2021 at 11:36 AM Bruce Mitchell
>>> <bruce.mitchell@linux.vnet.ibm.com> wrote:
>>>>
>>>> On 10/17/2021 11:55, Bruce Mitchell wrote:
>>>>> This thread BMC's USB means for the BMC's own uses
>>>>> not for Host's uses nor to provide services to the
>>>>> Host.  Thus, if I said "Disable the BMC's USB" that
>>>>> would not impact the Host in any fashion.
>>>>>
>>>>> I need to be able to control the BMC's USB ports
>>>>> to prevent BMC uses of USB Pen Drive updates and
>>>>> independently prevent the BMC uses of USB serial
>>>>> cable for UPS.  As well as re-enable those usages.
>>>>>
>>>>> Clearly in this Gerrit review the term Disabled was
>>>>> not defined.  47180: bmc-usb: property to track usb state
>>>>> https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180
>>>>>
>>>>>
>>>>> Also, since this is related to security of the BMC
>>>>> my intent was to offer the users a clear way to
>>>>> achieve the control of the BMC's USB ports without
>>>>> the users needing to know any of the Servers' USB
>>>>> topology.  I personally find complicated user options
>>>>> for features add risk to the system security.
>>>>>
>>>>> A recommendation I have received is to use phosphor-state-manager.
>>>>>
>>>
>>> Some clarifying questions:
>>> There are physically available USB A ports connected directly to the
>>> BMC on IBM platforms?  Or are these traces within the board?
>>> What are these direct bmc usb ports used for normally?
>>>
>>> Considering that while the BMC use case is likely IBM specific, but
>>> the idea of disabling a generic USB port isn't IBM specific, it seems
>>> like we need a model for a USB port on dbus and relate it to the
>>> various resources.  If and when a host interface wanted to implement a
>>> similar feature, we'd be able to reuse it.
>>>
>>
>> Yes, these are physically available USB A ports directly connected
>> to the BMC on IBM platforms.
>> No, these are not traces within the board; "anyone can walk up and
>> plug in a USB stick".
>> USB Flash drive for firmware update of the BMC is the first use case;
>> the second use case is to talk to a UPS via a USB to Serial port.
>>
>> Please clarify "generic USB port".  From my perspective there are
>> USB Ports to be used "owned" by the BMC's firmware and there are
>> USB Ports to be used "owned" by the Host.  I know of no USB Ports that
>> are shared by the BMC and the Host (I know that the physical BMC
>> provides SIO and thus some USB ports as well to the Host in many
>> situations, I see them as Host owned USB Ports).
> 
> There are platforms that have USB ports connected between the host and
> BMC.  The point is, regardless of the owner, we should have a common
> interface for it such that when and if "out of band host USB port
> disabling" comes, we can simply implement the same interface and have
> the code be very similar.  This is the same pattern we follow for
> almost all other interfaces, so it should be pretty straightforward to
> represent.
> 

On our systems (at least some), the BMC does not have control over the
Host's USB ports.  The Host USB Ports are disjoint from the BMC.  The
Host has its own independent USB Ports and they are controlled by the
Host's Firmware and or Software and the BMC does not come into play.
So the BMC's Redfish API will not know about the Host's USB nor offer
any control of the Host's USB ports.

>>
>>>>> Also, from what I have observed this control of the
>>>>> BMC's USB ports may be unique to my company (IBM).
>>>>> And thus, an OEM solution may be best.
>>>
>>> Keep in mind, you'll need a new schema and collection for these
>>> things;  I'd recommend starting up a thread with DMTF about getting
>>> those added.  Keep in mind, they already have the "port" schema, which
>>> might fulfill the need, although it doesn't have a USB enumeration, so
>>> it's possible that's an intentional omission.
>>>
>>> https://github.com/openbmc/bmcweb/blob/master/OEM_SCHEMAS.md
>>>
>>
>> I am going to let Brad address this one.
>>
>>>>>
>>>>> Does anyone else have a need or desire to control the
>>>>> BMC's USB ports?
>>>>
>>>> Also suggested utilize https://github.com/openbmc/service-config-manager
>>>> to disable/enable the service and make it like enable/disable SSH
>>>> via Redfish via bmcweb
>>



* Re: Control and uses of USB for BMC's own internal uses
  2021-10-19 13:45     ` Brad Bishop
@ 2021-12-11 21:21       ` Ed Tanous
  0 siblings, 0 replies; 8+ messages in thread
From: Ed Tanous @ 2021-12-11 21:21 UTC (permalink / raw)
  To: Brad Bishop
  Cc: Bruce Mitchell, Ed Tanous, apparao.puli,
	richard.marian.thomaiyar, openbmc

On Tue, Oct 19, 2021 at 6:46 AM Brad Bishop <bradleyb@fuzziesquirrel.com> wrote:
>
> On Mon, 2021-10-18 at 13:32 -0700, Ed Tanous wrote:
> > On Mon, Oct 18, 2021 at 11:36 AM Bruce Mitchell
> > <bruce.mitchell@linux.vnet.ibm.com> wrote:
> > >
> > > On 10/17/2021 11:55, Bruce Mitchell wrote:
> > > >
> > > >
> >
> > Some clarifying questions:
> > There are physically available USB A ports connected directly to the
> > BMC on IBM platforms?  Or are these traces within the board?
> > What are these direct bmc usb ports used for normally?
> >
> > Considering that while the BMC use case is likely IBM specific,
>
> Just curious - what makes you say this?

I don't know of any BMCs that actually expose the BMC USB to a
physical port.  There are lots that expose the USB to the host via
internally routed lines.  Maybe there are more than just IBM boards
that I've not seen before?

>
> > but
> > the idea of disabling a generic USB port isn't IBM specific, it seems
> > like we need a model for a USB port on dbus and relate it to the
> > various resources.  If and when a host interface wanted to implement a
> > similar feature, we'd be able to reuse it.
>
> The goal isn't really to disable a USB port.  It is to disable the
> assorted bits of software that run when a USB device of a specific class
> (mass storage, serial, etc) is plugged into it.  What would it even mean
> to disable a USB port?  Would it need to be powered off?

I know there's use cases for disabling the USB ports entirely for
preventing things like USB booting.  Yes, ideally they wouldn't even
provide power to avoid things like shorting it out to take the server
down, but I don't know of any implementations that do that.

>

