Date:      Sat, 5 Apr 2014 20:54:53 +0500
From:      Jordan Hubbard <jkh@ixsystems.com>
To:        Kamil Choudhury <Kamil.Choudhury@anserinae.net>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Securing baseboard managers
Message-ID:  <CA2101BB-A627-4FED-BBB8-05803F771EA8@ixsystems.com>
In-Reply-To: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
References:  <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>

On Apr 5, 2014, at 8:00 PM, Kamil Choudhury <Kamil.Choudhury@anserinae.net> wrote:

> I spend my days doing application development, so I am probably missing
> a lot of perspective that more systems-oriented people have. If my
> questions are ridiculous, feel free to tell me so and send me on my way!

All IPMI implementations suck. It is axiomatic. It is not, however, an easy problem to fix - you can't just cobble together a tiny BSD distribution and whap it into place any more than you can trivially replace your motherboard's BIOS with something that works compatibly in all respects with things that expect a standard BIOS (or an even only vaguely standard IPMI implementation). There are hooks into motherboard-specific sensors, weird console redirection hacks, it's very very black magic.

Which is also why Java applets are involved. To remotely render an interactive console in someone's browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

From the security side, most reasonable motherboards don't feature NIC sharing as the only option. Many offer dedicated IPMI ports, which means you don't have to expose them to the big bad internet unless you really really want to, and you can also elect to make a shared NIC dedicated to IPMI and just plug in an external NIC if you're trying to make a router out of the box. That's generally what I do.

- Jordan
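The last paragraph's point is that a BMC should sit on a dedicated, non-routable management network rather than on an address reachable from the internet. Below is an added example (not part of the email thread, and not from any FreeBSD or iXsystems tool) of a small POSIX shell check for that: it parses the "IP Address" field of `ipmitool lan print` output and reports whether the BMC's address falls inside an RFC 1918 private range. The sample `lan print` output embedded in the script is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify a BMC's LAN address from `ipmitool lan print <channel>`
# output as private (RFC 1918) or publicly routable. On a real host you would
# pipe the live output in; the sample below is constructed, not captured.

SAMPLE_LAN_PRINT='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.20.30.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 10.20.30.1'

# Read `lan print` output on stdin and print only the value of the
# "IP Address" line (the "IP Address Source" line does not match, because
# the pattern requires only spaces between the label and the colon).
bmc_ip_from_lan_print() {
    sed -n 's/^IP Address *: *\([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if the dotted-quad address is in 10/8, 172.16/12 or 192.168/16,
# 1 otherwise. Pattern matching is enough here; no arithmetic needed.
ip_is_private() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Takes the full `lan print` text as its argument, prints a one-line verdict
# and returns 0 (private), 1 (publicly routable) or 2 (no address found).
classify_bmc_address() {
    ip=$(printf '%s\n' "$1" | bmc_ip_from_lan_print)
    if [ -z "$ip" ]; then
        echo "no-address-found"
        return 2
    fi
    if ip_is_private "$ip"; then
        echo "private $ip"
        return 0
    fi
    echo "public-routable $ip"
    return 1
}

# Stand-alone run against the constructed sample.
classify_bmc_address "$SAMPLE_LAN_PRINT"
```

To run it against live hardware you would replace the constructed sample with `classify_bmc_address "$(ipmitool lan print 1)"` (channel 1 is the usual LAN channel, but check your board). A "public-routable" verdict is the signal that the BMC is not on the dedicated, non-routable port the email recommends.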