Date: Sat, 5 Apr 2014 20:54:53 +0500
From: Jordan Hubbard <jkh@ixsystems.com>
To: Kamil Choudhury <Kamil.Choudhury@anserinae.net>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Securing baseboard managers
Message-ID: <CA2101BB-A627-4FED-BBB8-05803F771EA8@ixsystems.com>
In-Reply-To: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
References: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
On Apr 5, 2014, at 8:00 PM, Kamil Choudhury <Kamil.Choudhury@anserinae.net> wrote:

> I spend my days doing application development, so I am probably missing
> a lot of perspective that more systems-oriented people have. If my
> questions are ridiculous, feel free to tell me so and send me on my way!

All IPMI implementations suck. It is axiomatic. It is not, however, an easy problem to fix - you can't just cobble together a tiny BSD distribution and whap it into place any more than you can trivially replace your motherboard's BIOS with something that works compatibly in all respects with things that expect a standard BIOS (or an even only vaguely standard IPMI implementation). There are hooks into motherboard-specific sensors, weird console redirection hacks, it's very very black magic.

Which is also why Java applets are involved. To remotely render an interactive console in someone's browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

From the security side, most reasonable motherboards don't feature NIC sharing as the only option. Many offer dedicated IPMI ports, which means you don't have to expose them to the big bad internet unless you really really want to, and you can also elect to make a shared NIC dedicated to IPMI and just plug in an external NIC if you're trying to make a router out of the box. That's generally what I do.

- Jordan
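The practical check that follows from Jordan's last paragraph is whether the BMC actually sits on an isolated management network rather than on the host's data network through a shared NIC. The script below is an added example, not code from this thread or from any BMC vendor: it parses the key/value layout that `ipmitool lan print` emits and audits the addresses against a management CIDR you supply. The sample output is constructed (TEST-NET addresses, made-up MAC), the management network 10.99.0.0/24 and the host data network 203.0.113.0/24 are assumptions, and nothing here talks to a real BMC.

```python
import ipaddress

# Constructed sample shaped like `ipmitool lan print 1` output from a board
# whose BMC rides on the same subnet as the host's data NIC (shared NIC).
# Not captured from a real system.
SAMPLE_LAN_PRINT_SHARED = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
Auth Type Enable        : Callback : MD5 PASSWORD
                        : User     : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 203.0.113.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
"""

# Constructed sample for the same board after moving the BMC to a
# dedicated management port on an isolated 10.99.0.0/24 network.
SAMPLE_LAN_PRINT_DEDICATED = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.99.0.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
Default Gateway IP      : 10.99.0.1
802.1q VLAN ID          : Disabled
"""


def parse_lan_print(text):
    """Turn `ipmitool lan print` output into a dict.

    Lines are `Key : Value`; continuation lines for multi-valued keys
    start with whitespace and a colon, so they have an empty key and
    are skipped. Values containing colons (MAC addresses) survive
    because only the first colon splits key from value.
    """
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key:
            cfg[key] = value.strip()
    return cfg


def audit_bmc_lan(cfg, mgmt_net, host_nets=()):
    """Return a list of findings; an empty list means the BMC looks isolated.

    mgmt_net:  CIDR of the dedicated management network the BMC should be on.
    host_nets: CIDRs of the host's data-side networks; overlap with the
               BMC's subnet is the signature of a shared NIC.
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    bmc_ip = ipaddress.ip_address(cfg["IP Address"])
    bmc_net = ipaddress.ip_network(
        f"{bmc_ip}/{cfg['Subnet Mask']}", strict=False)
    gw = ipaddress.ip_address(cfg.get("Default Gateway IP", "0.0.0.0"))
    findings = []

    if bmc_ip.is_global:
        findings.append(f"BMC address {bmc_ip} is globally routable")
    if bmc_ip not in mgmt:
        findings.append(
            f"BMC address {bmc_ip} is outside management network {mgmt}")
    # A gateway outside the management network is a route off the island.
    if gw != ipaddress.ip_address("0.0.0.0") and gw not in mgmt:
        findings.append(
            f"BMC default gateway {gw} is outside management network {mgmt}")
    for net in host_nets:
        host_net = ipaddress.ip_network(net)
        if bmc_net.overlaps(host_net):
            findings.append(
                f"BMC subnet {bmc_net} overlaps host data network {host_net}: "
                "looks like a shared NIC on the data side")
    return findings


if __name__ == "__main__":
    for label, sample in (("shared", SAMPLE_LAN_PRINT_SHARED),
                          ("dedicated", SAMPLE_LAN_PRINT_DEDICATED)):
        findings = audit_bmc_lan(parse_lan_print(sample),
                                 "10.99.0.0/24", ["203.0.113.0/24"])
        print(f"{label}: {findings or 'OK'}")
```

On a live box you would feed it `ipmitool lan print <channel>` (the LAN channel number is board specific, commonly 1) and the host's own interface subnets; a clean result says only that the addressing is consistent with a dedicated port, not that the management network itself is unreachable from outside, which is a firewall question this script cannot answer.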
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA2101BB-A627-4FED-BBB8-05803F771EA8>