IPMI Restriction Mode

IPMI Restriction Mode

[Kumar Thangavel]

[-- Attachment #1: Type: text/plain, Size: 476 bytes --]

Hi All,

        IPMI Restriction mode support has been added for host machines
which support IPMI.

https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61

        How IPMI restriction mode support can be added for other than host
devices (IPMI based devices). Ex Debug card.  ?

        Could you please provide any suggestions or any docs ?

Thanks,
Kumar.

[-- Attachment #2: Type: text/html, Size: 825 bytes --]

Re: IPMI Restriction Mode

[Kumar Thangavel]

[-- Attachment #1: Type: text/plain, Size: 632 bytes --]

Gentle Reminder on this !

Thanks,
Kumar.

On Mon, Apr 4, 2022 at 12:49 PM Kumar Thangavel <
kumarthangavel.hcl@gmail.com> wrote:

> Hi All,
>
>         IPMI Restriction mode support has been added for host machines
> which support IPMI.
>
> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>
>         How IPMI restriction mode support can be added for other than host
> devices (IPMI based devices). Ex Debug card.  ?
>
>         Could you please provide any suggestions or any docs ?
>
> Thanks,
> Kumar.
>

[-- Attachment #2: Type: text/html, Size: 1293 bytes --]

Re: IPMI Restriction Mode

[Vernon Mauery]

On 04-Apr-2022 12:49 PM, Kumar Thangavel wrote:
>Hi All,
>
>        IPMI Restriction mode support has been added for host machines
>which support IPMI.
>
>https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>
>        How IPMI restriction mode support can be added for other than host
>devices (IPMI based devices). Ex Debug card.  ?

I am not exactly sure what you are asking for here. When you say other 
devices, are you asking about restricting commands based on what channel 
they come in on?

This is possible. A filter can filter on any criteria that is available 
with the ipmi::Context object and the command. It can even extract 
command data and take action there. I only say this if you are 
interested in writing a new filter of your own.

But if you want to see a filter that is already implemented that 
restricts commands based on BMC state and incoming channel, you can look 
at the filtering done in the intel-ipmi-oem repo.

If my guess at what you meant was wrong, please clarify and I will try 
again.

--Vernon

>        Could you please provide any suggestions or any docs ?
>
>Thanks,
>Kumar.

Re: IPMI Restriction Mode

[Kumar Thangavel]

[-- Attachment #1: Type: text/plain, Size: 2225 bytes --]

Thanks for the response and clarification.

I will clarify my question here,

IPMI restriction mode support has been added for host devices which support
IPMI.
This restriction mode support can be enabled or disabled from the
phosphor-settingsd configuration (.yaml) file.

Please check the below link for .yaml file of phosphor-settingsd.

https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61

We wanted to add restriction mode support for other IPMI based devices
(Debug card).
Already phosphor-ipmi-host supports filters for all  IPMI commands which
have ipmi::Context objects.
So, How can we enable/disable this restriction mode support
from phosphor-settings for other IPMI based devices(Debug card). ?


Thanks,
Kumar.



On Thu, Apr 14, 2022 at 6:15 AM Vernon Mauery <vernon.mauery@linux.intel.com>
wrote:

> On 04-Apr-2022 12:49 PM, Kumar Thangavel wrote:
> >Hi All,
> >
> >        IPMI Restriction mode support has been added for host machines
> >which support IPMI.
> >
> >
> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
> >
> >        How IPMI restriction mode support can be added for other than host
> >devices (IPMI based devices). Ex Debug card.  ?
>
> I am not exactly sure what you are asking for here. When you say other
> devices, are you asking about restricting commands based on what channel
> they come in on?
>
> This is possible. A filter can filter on any criteria that is available
> with the ipmi::Context object and the command. It can even extract
> command data and take action there. I only say this if you are
> interested in writing a new filter of your own.
>
> But if you want to see a filter that is already implemented that
> restricts commands based on BMC state and incoming channel, you can look
> at the filtering done in the intel-ipmi-oem repo.
>
> If my guess at what you meant was wrong, please clarify and I will try
> again.
>
> --Vernon
>
> >        Could you please provide any suggestions or any docs ?
> >
> >Thanks,
> >Kumar.
>

[-- Attachment #2: Type: text/html, Size: 3248 bytes --]

Re: IPMI Restriction Mode

[Vernon Mauery]

On 18-Apr-2022 04:56 PM, Kumar Thangavel wrote:
>Thanks for the response and clarification.
>
>I will clarify my question here,
>
>IPMI restriction mode support has been added for host devices which support
>IPMI.
>This restriction mode support can be enabled or disabled from the
>phosphor-settingsd configuration (.yaml) file.
>
>Please check the below link for .yaml file of phosphor-settingsd.
>
>https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>
>We wanted to add restriction mode support for other IPMI based devices
>(Debug card).
>Already phosphor-ipmi-host supports filters for all  IPMI commands which
>have ipmi::Context objects.
>So, How can we enable/disable this restriction mode support
>from phosphor-settings for other IPMI based devices(Debug card). ?

I understand that currently only the host channel is using the 
restriction mode. You want to add it for other channels. This has 
already been done in the intel-ipmi-oem repo, if you want to take a look 
at that. It allows a fine-grained mechanism for command filtering, based 
on the channel and the restriction mode (although currently, I think the 
restriction mode still only applies to the host channel).

My point is that it is pretty easy to come up with a custom filter 
mechanism that should suit you. There is even an option to disable the 
built-in filter so you can supply your own.

--Vernon

>
>
>
>On Thu, Apr 14, 2022 at 6:15 AM Vernon Mauery <vernon.mauery@linux.intel.com>
>wrote:
>
>> On 04-Apr-2022 12:49 PM, Kumar Thangavel wrote:
>> >Hi All,
>> >
>> >        IPMI Restriction mode support has been added for host machines
>> >which support IPMI.
>> >
>> >
>> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>> >
>> >        How IPMI restriction mode support can be added for other than host
>> >devices (IPMI based devices). Ex Debug card.  ?
>>
>> I am not exactly sure what you are asking for here. When you say other
>> devices, are you asking about restricting commands based on what channel
>> they come in on?
>>
>> This is possible. A filter can filter on any criteria that is available
>> with the ipmi::Context object and the command. It can even extract
>> command data and take action there. I only say this if you are
>> interested in writing a new filter of your own.
>>
>> But if you want to see a filter that is already implemented that
>> restricts commands based on BMC state and incoming channel, you can look
>> at the filtering done in the intel-ipmi-oem repo.
>>
>> If my guess at what you meant was wrong, please clarify and I will try
>> again.
>>
>> --Vernon
>>
>> >        Could you please provide any suggestions or any docs ?
>> >
>> >Thanks,
>> >Kumar.
>>

Re: IPMI Restriction Mode

[Kumar Thangavel]

[-- Attachment #1: Type: text/plain, Size: 4776 bytes --]

Hi Vernon,

     We may need to write our own custom filter for other channels as you
suggested.
     While implementing this, we need some clarifications.

     1. How can we map channel Id's with settingsd restriction mode
dbus-objects ?
     2. The Ipmb channel has multiple devices in our system, How can we
handle and apply this multiple Ipmb interfaces with
settingsd restriction mode dbus-objects ?

     Please refer below link for multiple Ipmb channels for our system.


https://github.com/openbmc/openbmc/blob/master/meta-facebook/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/yosemitev2/ipmb-channels.json

      Already we have "hostIdx'' in ipmi::Context struct, which represents
the data coming from which hosts. Even Though if we plan to use this
"hostIdx" ,  it is still not clear how we can map this "hostIdx'' with
settingsd restriction mode dbus-objects.

   Otherwise, can we have some Schema(Rules) to follow the channel order
for this channel and devices(settingsd dbus-objects) mapping ?
    Ex:   First 4 or 6 channel is for host 1 - host4
             Next channel is for  Debug card,
             Rest of the channel is for other devices.

   I think we need to maintain this order in settingsd config file and
ipmb-channels.json config file for this channel and device mapping.

  Could you please provide your suggestion on this.

Thanks,
Kumar.

On Tue, Apr 26, 2022 at 9:25 PM Kumar Thangavel <
kumarthangavel.hcl@gmail.com> wrote:

> Thanks for your response and suggestions.
>
> --Kumar.
>
> On Sat, Apr 23, 2022 at 4:55 AM Vernon Mauery <
> vernon.mauery@linux.intel.com> wrote:
>
>> On 18-Apr-2022 04:56 PM, Kumar Thangavel wrote:
>> >Thanks for the response and clarification.
>> >
>> >I will clarify my question here,
>> >
>> >IPMI restriction mode support has been added for host devices which
>> support
>> >IPMI.
>> >This restriction mode support can be enabled or disabled from the
>> >phosphor-settingsd configuration (.yaml) file.
>> >
>> >Please check the below link for .yaml file of phosphor-settingsd.
>> >
>> >
>> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>> >
>> >We wanted to add restriction mode support for other IPMI based devices
>> >(Debug card).
>> >Already phosphor-ipmi-host supports filters for all  IPMI commands which
>> >have ipmi::Context objects.
>> >So, How can we enable/disable this restriction mode support
>> >from phosphor-settings for other IPMI based devices(Debug card). ?
>>
>> I understand that currently only the host channel is using the
>> restriction mode. You want to add it for other channels. This has
>> already been done in the intel-ipmi-oem repo, if you want to take a look
>> at that. It allows a fine-grained mechanism for command filtering, based
>> on the channel and the restriction mode (although currently, I think the
>> restriction mode still only applies to the host channel).
>>
>> My point is that it is pretty easy to come up with a custom filter
>> mechanism that should suit you. There is even an option to disable the
>> built-in filter so you can supply your own.
>>
>> --Vernon
>>
>> >
>> >
>> >
>> >On Thu, Apr 14, 2022 at 6:15 AM Vernon Mauery <
>> vernon.mauery@linux.intel.com>
>> >wrote:
>> >
>> >> On 04-Apr-2022 12:49 PM, Kumar Thangavel wrote:
>> >> >Hi All,
>> >> >
>> >> >        IPMI Restriction mode support has been added for host machines
>> >> >which support IPMI.
>> >> >
>> >> >
>> >>
>> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>> >> >
>> >> >        How IPMI restriction mode support can be added for other than
>> host
>> >> >devices (IPMI based devices). Ex Debug card.  ?
>> >>
>> >> I am not exactly sure what you are asking for here. When you say other
>> >> devices, are you asking about restricting commands based on what
>> channel
>> >> they come in on?
>> >>
>> >> This is possible. A filter can filter on any criteria that is available
>> >> with the ipmi::Context object and the command. It can even extract
>> >> command data and take action there. I only say this if you are
>> >> interested in writing a new filter of your own.
>> >>
>> >> But if you want to see a filter that is already implemented that
>> >> restricts commands based on BMC state and incoming channel, you can
>> look
>> >> at the filtering done in the intel-ipmi-oem repo.
>> >>
>> >> If my guess at what you meant was wrong, please clarify and I will try
>> >> again.
>> >>
>> >> --Vernon
>> >>
>> >> >        Could you please provide any suggestions or any docs ?
>> >> >
>> >> >Thanks,
>> >> >Kumar.
>> >>
>>
>

[-- Attachment #2: Type: text/html, Size: 6933 bytes --]

Re: IPMI Restriction Mode

[Vernon Mauery]

On 03-May-2022 07:46 PM, Kumar Thangavel wrote:
>Hi Vernon,
>
>     We may need to write our own custom filter for other channels as you
>suggested.
>     While implementing this, we need some clarifications.
>
>     1. How can we map channel Id's with settingsd restriction mode
>dbus-objects ?

Set up a restriction mode object for each channel? This is really up to 
your implementation.

>     2. The Ipmb channel has multiple devices in our system, How can we
>handle and apply this multiple Ipmb interfaces with
>settingsd restriction mode dbus-objects ?
>
>     Please refer below link for multiple Ipmb channels for our system.
>

When ipmb channel commands come in, there is also rqSA set in the 
ipmi::Context. This should be unique per device. Will this work for you?

--Vernon

>https://github.com/openbmc/openbmc/blob/master/meta-facebook/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/yosemitev2/ipmb-channels.json
>
>      Already we have "hostIdx'' in ipmi::Context struct, which represents
>the data coming from which hosts. Even Though if we plan to use this
>"hostIdx" ,  it is still not clear how we can map this "hostIdx'' with
>settingsd restriction mode dbus-objects.
>
>   Otherwise, can we have some Schema(Rules) to follow the channel order
>for this channel and devices(settingsd dbus-objects) mapping ?
>    Ex:   First 4 or 6 channel is for host 1 - host4
>             Next channel is for  Debug card,
>             Rest of the channel is for other devices.
>
>   I think we need to maintain this order in settingsd config file and
>ipmb-channels.json config file for this channel and device mapping.
>
>  Could you please provide your suggestion on this.
>
>Thanks,
>Kumar.
>
>On Tue, Apr 26, 2022 at 9:25 PM Kumar Thangavel <
>kumarthangavel.hcl@gmail.com> wrote:
>
>> Thanks for your response and suggestions.
>>
>> --Kumar.
>>
>> On Sat, Apr 23, 2022 at 4:55 AM Vernon Mauery <
>> vernon.mauery@linux.intel.com> wrote:
>>
>>> On 18-Apr-2022 04:56 PM, Kumar Thangavel wrote:
>>> >Thanks for the response and clarification.
>>> >
>>> >I will clarify my question here,
>>> >
>>> >IPMI restriction mode support has been added for host devices which
>>> support
>>> >IPMI.
>>> >This restriction mode support can be enabled or disabled from the
>>> >phosphor-settingsd configuration (.yaml) file.
>>> >
>>> >Please check the below link for .yaml file of phosphor-settingsd.
>>> >
>>> >
>>> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>>> >
>>> >We wanted to add restriction mode support for other IPMI based devices
>>> >(Debug card).
>>> >Already phosphor-ipmi-host supports filters for all  IPMI commands which
>>> >have ipmi::Context objects.
>>> >So, How can we enable/disable this restriction mode support
>>> >from phosphor-settings for other IPMI based devices(Debug card). ?
>>>
>>> I understand that currently only the host channel is using the
>>> restriction mode. You want to add it for other channels. This has
>>> already been done in the intel-ipmi-oem repo, if you want to take a look
>>> at that. It allows a fine-grained mechanism for command filtering, based
>>> on the channel and the restriction mode (although currently, I think the
>>> restriction mode still only applies to the host channel).
>>>
>>> My point is that it is pretty easy to come up with a custom filter
>>> mechanism that should suit you. There is even an option to disable the
>>> built-in filter so you can supply your own.
>>>
>>> --Vernon
>>>
>>> >
>>> >
>>> >
>>> >On Thu, Apr 14, 2022 at 6:15 AM Vernon Mauery <
>>> vernon.mauery@linux.intel.com>
>>> >wrote:
>>> >
>>> >> On 04-Apr-2022 12:49 PM, Kumar Thangavel wrote:
>>> >> >Hi All,
>>> >> >
>>> >> >        IPMI Restriction mode support has been added for host machines
>>> >> >which support IPMI.
>>> >> >
>>> >> >
>>> >>
>>> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
>>> >> >
>>> >> >        How IPMI restriction mode support can be added for other than
>>> host
>>> >> >devices (IPMI based devices). Ex Debug card.  ?
>>> >>
>>> >> I am not exactly sure what you are asking for here. When you say other
>>> >> devices, are you asking about restricting commands based on what
>>> channel
>>> >> they come in on?
>>> >>
>>> >> This is possible. A filter can filter on any criteria that is available
>>> >> with the ipmi::Context object and the command. It can even extract
>>> >> command data and take action there. I only say this if you are
>>> >> interested in writing a new filter of your own.
>>> >>
>>> >> But if you want to see a filter that is already implemented that
>>> >> restricts commands based on BMC state and incoming channel, you can
>>> look
>>> >> at the filtering done in the intel-ipmi-oem repo.
>>> >>
>>> >> If my guess at what you meant was wrong, please clarify and I will try
>>> >> again.
>>> >>
>>> >> --Vernon
>>> >>
>>> >> >        Could you please provide any suggestions or any docs ?
>>> >> >
>>> >> >Thanks,
>>> >> >Kumar.
>>> >>
>>>
>>

Re: IPMI Restriction Mode

[Kumar Thangavel]

[-- Attachment #1: Type: text/plain, Size: 7238 bytes --]

On Wed, May 4, 2022 at 4:34 AM Vernon Mauery <vernon.mauery@linux.intel.com>
wrote:

> On 03-May-2022 07:46 PM, Kumar Thangavel wrote:
> >Hi Vernon,
> >
> >     We may need to write our own custom filter for other channels as you
> >suggested.
> >     While implementing this, we need some clarifications.
> >
> >     1. How can we map channel Id's with settingsd restriction mode
> >dbus-objects ?
>
> Set up a restriction mode object for each channel? This is really up to
> your implementation.
>

    Ack.

>
> >     2. The Ipmb channel has multiple devices in our system, How can we
> >handle and apply this multiple Ipmb interfaces with
> >settingsd restriction mode dbus-objects ?
> >
> >     Please refer below link for multiple Ipmb channels for our system.
> >
>
> When ipmb channel commands come in, there is also rqSA set in the
> ipmi::Context. This should be unique per device. Will this work for you?
>
>     That also works. If we use rqSA, again we need to map this rqSA value
with phosphor-settingsd restriction mode dbus-objects name (
/xyz/openbmc_project/control/*host1*/restriction_mode) ?

Alternate logic we just think of
1. Using "hostIdx'' in ipmi::Contextwhich is unique(0, 1, 2 to N) for each
devices. we can map this with phosphor-settingsd restriction mode
dbus-objects name ?  We need to maintain order (0, 1, 2 to N-1) for hosts
and N for debug cards in all configs.
2. Can we read i*pmb-channels.json* entry in ipmid with name field as
"host1", "host2", "host3" "host4" and "debug_card" which should match the
settingsd dbus-object names. ? So that we can map the name field with
settings objects easily.

  Example :
  Ipmb-channels.json entry :

{ "name" : "*host1*"
"type": "ipmb",
"slave-path": "/dev/ipmb-1",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": 0
},
{ "name" : "*host2*"
"type": "ipmb",
"slave-path": "/dev/ipmb-3",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": 2
},

{ "name" : "*hostN*"
"type": "ipmb",
"slave-path": "/dev/ipmb-7",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": N
},
{ "name" : "*debug_card*"
"type": "ipmb",
"slave-path": "/dev/ipmb-13",
"bmc-addr": 32,
"remote-addr": 64,
"devIndex": 4
}
]

  Settingsd restriction mode objects :

  /xyz/openbmc_project/control/*debug_card*/restriction_mode
  /xyz/openbmc_project/control/*host1*/restriction_mode
  /xyz/openbmc_project/control/*host2*/restriction_mode
  /xyz/openbmc_project/control/*host3*/restriction_mode
  /xyz/openbmc_project/control/*host3*/restriction_mode

  Could you please provide your thoughts on this ?

  Thanks,
  Kumar.

--Vernon
>
> >
> https://github.com/openbmc/openbmc/blob/master/meta-facebook/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/yosemitev2/ipmb-channels.json
> >
> >      Already we have "hostIdx'' in ipmi::Context struct, which represents
> >the data coming from which hosts. Even Though if we plan to use this
> >"hostIdx" ,  it is still not clear how we can map this "hostIdx'' with
> >settingsd restriction mode dbus-objects.
> >
> >   Otherwise, can we have some Schema(Rules) to follow the channel order
> >for this channel and devices(settingsd dbus-objects) mapping ?
> >    Ex:   First 4 or 6 channel is for host 1 - host4
> >             Next channel is for  Debug card,
> >             Rest of the channel is for other devices.
> >
> >   I think we need to maintain this order in settingsd config file and
> >ipmb-channels.json config file for this channel and device mapping.
> >
> >  Could you please provide your suggestion on this.
> >
> >Thanks,
> >Kumar.
> >
> >On Tue, Apr 26, 2022 at 9:25 PM Kumar Thangavel <
> >kumarthangavel.hcl@gmail.com> wrote:
> >
> >> Thanks for your response and suggestions.
> >>
> >> --Kumar.
> >>
> >> On Sat, Apr 23, 2022 at 4:55 AM Vernon Mauery <
> >> vernon.mauery@linux.intel.com> wrote:
> >>
> >>> On 18-Apr-2022 04:56 PM, Kumar Thangavel wrote:
> >>> >Thanks for the response and clarification.
> >>> >
> >>> >I will clarify my question here,
> >>> >
> >>> >IPMI restriction mode support has been added for host devices which
> >>> support
> >>> >IPMI.
> >>> >This restriction mode support can be enabled or disabled from the
> >>> >phosphor-settingsd configuration (.yaml) file.
> >>> >
> >>> >Please check the below link for .yaml file of phosphor-settingsd.
> >>> >
> >>> >
> >>>
> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
> >>> >
> >>> >We wanted to add restriction mode support for other IPMI based devices
> >>> >(Debug card).
> >>> >Already phosphor-ipmi-host supports filters for all  IPMI commands
> which
> >>> >have ipmi::Context objects.
> >>> >So, How can we enable/disable this restriction mode support
> >>> >from phosphor-settings for other IPMI based devices(Debug card). ?
> >>>
> >>> I understand that currently only the host channel is using the
> >>> restriction mode. You want to add it for other channels. This has
> >>> already been done in the intel-ipmi-oem repo, if you want to take a
> look
> >>> at that. It allows a fine-grained mechanism for command filtering,
> based
> >>> on the channel and the restriction mode (although currently, I think
> the
> >>> restriction mode still only applies to the host channel).
> >>>
> >>> My point is that it is pretty easy to come up with a custom filter
> >>> mechanism that should suit you. There is even an option to disable the
> >>> built-in filter so you can supply your own.
> >>>
> >>> --Vernon
> >>>
> >>> >
> >>> >
> >>> >
> >>> >On Thu, Apr 14, 2022 at 6:15 AM Vernon Mauery <
> >>> vernon.mauery@linux.intel.com>
> >>> >wrote:
> >>> >
> >>> >> On 04-Apr-2022 12:49 PM, Kumar Thangavel wrote:
> >>> >> >Hi All,
> >>> >> >
> >>> >> >        IPMI Restriction mode support has been added for host
> machines
> >>> >> >which support IPMI.
> >>> >> >
> >>> >> >
> >>> >>
> >>>
> https://github.com/openbmc/openbmc/blob/7298b2478ec25cc1814124af523acc4ffade05e6/meta-phosphor/recipes-phosphor/settings/phosphor-settings-defaults/host-template.yaml#L61
> >>> >> >
> >>> >> >        How IPMI restriction mode support can be added for other
> than
> >>> host
> >>> >> >devices (IPMI based devices). Ex Debug card.  ?
> >>> >>
> >>> >> I am not exactly sure what you are asking for here. When you say
> other
> >>> >> devices, are you asking about restricting commands based on what
> >>> channel
> >>> >> they come in on?
> >>> >>
> >>> >> This is possible. A filter can filter on any criteria that is
> available
> >>> >> with the ipmi::Context object and the command. It can even extract
> >>> >> command data and take action there. I only say this if you are
> >>> >> interested in writing a new filter of your own.
> >>> >>
> >>> >> But if you want to see a filter that is already implemented that
> >>> >> restricts commands based on BMC state and incoming channel, you can
> >>> look
> >>> >> at the filtering done in the intel-ipmi-oem repo.
> >>> >>
> >>> >> If my guess at what you meant was wrong, please clarify and I will
> try
> >>> >> again.
> >>> >>
> >>> >> --Vernon
> >>> >>
> >>> >> >        Could you please provide any suggestions or any docs ?
> >>> >> >
> >>> >> >Thanks,
> >>> >> >Kumar.
> >>> >>
> >>>
> >>
>

[-- Attachment #2: Type: text/html, Size: 38444 bytes --]

Re: IPMI Restriction Mode

[Vernon Mauery]

On 04-May-2022 10:27 PM, Kumar Thangavel wrote:
>On Wed, May 4, 2022 at 4:34 AM Vernon Mauery <vernon.mauery@linux.intel.com>
>wrote:
>
>> On 03-May-2022 07:46 PM, Kumar Thangavel wrote:
>> >Hi Vernon,
>> >
>> >     We may need to write our own custom filter for other channels as you
>> >suggested.
>> >     While implementing this, we need some clarifications.
>> >
>> >     1. How can we map channel Id's with settingsd restriction mode
>> >dbus-objects ?
>>
>> Set up a restriction mode object for each channel? This is really up to
>> your implementation.
>>
>
>    Ack.
>
>>
>> >     2. The Ipmb channel has multiple devices in our system, How can we
>> >handle and apply this multiple Ipmb interfaces with
>> >settingsd restriction mode dbus-objects ?
>> >
>> >     Please refer below link for multiple Ipmb channels for our system.
>> >
>>
>> When ipmb channel commands come in, there is also rqSA set in the
>> ipmi::Context. This should be unique per device. Will this work for you?
>>
>>     That also works. If we use rqSA, again we need to map this rqSA value
>with phosphor-settingsd restriction mode dbus-objects name (
>/xyz/openbmc_project/control/*host1*/restriction_mode) ?
>
>Alternate logic we just think of
>1. Using "hostIdx'' in ipmi::Contextwhich is unique(0, 1, 2 to N) for each
>devices. we can map this with phosphor-settingsd restriction mode
>dbus-objects name ?  We need to maintain order (0, 1, 2 to N-1) for hosts
>and N for debug cards in all configs.
>2. Can we read i*pmb-channels.json* entry in ipmid with name field as
>"host1", "host2", "host3" "host4" and "debug_card" which should match the
>settingsd dbus-object names. ? So that we can map the name field with
>settings objects easily.
>
>  Example :
>  Ipmb-channels.json entry :
>
>{ "name" : "*host1*"
>"type": "ipmb",
>"slave-path": "/dev/ipmb-1",
>"bmc-addr": 32,
>"remote-addr": 64,
>"devIndex": 0
>},
>{ "name" : "*host2*"
>"type": "ipmb",
>"slave-path": "/dev/ipmb-3",
>"bmc-addr": 32,
>"remote-addr": 64,
>"devIndex": 2
>},
>
>{ "name" : "*hostN*"
>"type": "ipmb",
>"slave-path": "/dev/ipmb-7",
>"bmc-addr": 32,
>"remote-addr": 64,
>"devIndex": N
>},
>{ "name" : "*debug_card*"
>"type": "ipmb",
>"slave-path": "/dev/ipmb-13",
>"bmc-addr": 32,
>"remote-addr": 64,
>"devIndex": 4
>}
>]
>
>  Settingsd restriction mode objects :
>
>  /xyz/openbmc_project/control/*debug_card*/restriction_mode
>  /xyz/openbmc_project/control/*host1*/restriction_mode
>  /xyz/openbmc_project/control/*host2*/restriction_mode
>  /xyz/openbmc_project/control/*host3*/restriction_mode
>  /xyz/openbmc_project/control/*host3*/restriction_mode
>
>  Could you please provide your thoughts on this ?

I think you can do all of this in your filter code. You can really do 
just about anything in there. You can have a setup function that gets 
called when the provider library is loaded and read the file and set up 
your map. Then when an IPMI function is called you can consult your map 
and filter however you want.

Just be aware that your filter code will run on *every* IPMI call, so do 
your best to make it streamlined or it will impact performance.

--Vernon

Re: IPMI Restriction Mode

[Kumar Thangavel]

[-- Attachment #1: Type: text/plain, Size: 3467 bytes --]

Thanks for your suggestions.

--Kumar.

On Thu, May 5, 2022 at 3:55 AM Vernon Mauery <vernon.mauery@linux.intel.com>
wrote:

> On 04-May-2022 10:27 PM, Kumar Thangavel wrote:
> >On Wed, May 4, 2022 at 4:34 AM Vernon Mauery <
> vernon.mauery@linux.intel.com>
> >wrote:
> >
> >> On 03-May-2022 07:46 PM, Kumar Thangavel wrote:
> >> >Hi Vernon,
> >> >
> >> >     We may need to write our own custom filter for other channels as
> you
> >> >suggested.
> >> >     While implementing this, we need some clarifications.
> >> >
> >> >     1. How can we map channel Id's with settingsd restriction mode
> >> >dbus-objects ?
> >>
> >> Set up a restriction mode object for each channel? This is really up to
> >> your implementation.
> >>
> >
> >    Ack.
> >
> >>
> >> >     2. The Ipmb channel has multiple devices in our system, How can we
> >> >handle and apply this multiple Ipmb interfaces with
> >> >settingsd restriction mode dbus-objects ?
> >> >
> >> >     Please refer below link for multiple Ipmb channels for our system.
> >> >
> >>
> >> When ipmb channel commands come in, there is also rqSA set in the
> >> ipmi::Context. This should be unique per device. Will this work for you?
> >>
> >>     That also works. If we use rqSA, again we need to map this rqSA
> value
> >with phosphor-settingsd restriction mode dbus-objects name (
> >/xyz/openbmc_project/control/*host1*/restriction_mode) ?
> >
> >Alternate logic we just think of
> >1. Using "hostIdx'' in ipmi::Contextwhich is unique(0, 1, 2 to N) for each
> >devices. we can map this with phosphor-settingsd restriction mode
> >dbus-objects name ?  We need to maintain order (0, 1, 2 to N-1) for hosts
> >and N for debug cards in all configs.
> >2. Can we read i*pmb-channels.json* entry in ipmid with name field as
> >"host1", "host2", "host3" "host4" and "debug_card" which should match the
> >settingsd dbus-object names. ? So that we can map the name field with
> >settings objects easily.
> >
> >  Example :
> >  Ipmb-channels.json entry :
> >
> >{ "name" : "*host1*"
> >"type": "ipmb",
> >"slave-path": "/dev/ipmb-1",
> >"bmc-addr": 32,
> >"remote-addr": 64,
> >"devIndex": 0
> >},
> >{ "name" : "*host2*"
> >"type": "ipmb",
> >"slave-path": "/dev/ipmb-3",
> >"bmc-addr": 32,
> >"remote-addr": 64,
> >"devIndex": 2
> >},
> >
> >{ "name" : "*hostN*"
> >"type": "ipmb",
> >"slave-path": "/dev/ipmb-7",
> >"bmc-addr": 32,
> >"remote-addr": 64,
> >"devIndex": N
> >},
> >{ "name" : "*debug_card*"
> >"type": "ipmb",
> >"slave-path": "/dev/ipmb-13",
> >"bmc-addr": 32,
> >"remote-addr": 64,
> >"devIndex": 4
> >}
> >]
> >
> >  Settingsd restriction mode objects :
> >
> >  /xyz/openbmc_project/control/*debug_card*/restriction_mode
> >  /xyz/openbmc_project/control/*host1*/restriction_mode
> >  /xyz/openbmc_project/control/*host2*/restriction_mode
> >  /xyz/openbmc_project/control/*host3*/restriction_mode
> >  /xyz/openbmc_project/control/*host3*/restriction_mode
> >
> >  Could you please provide your thoughts on this ?
>
> I think you can do all of this in your filter code. You can really do
> just about anything in there. You can have a setup function that gets
> called when the provider library is loaded and read the file and set up
> your map. Then when an IPMI function is called you can consult your map
> and filter however you want.
>
> Just be aware that your filter code will run on *every* IPMI call, so do
> your best to make it streamlined or it will impact performance.
>
> --Vernon
>
>

[-- Attachment #2: Type: text/html, Size: 4988 bytes --]