Subject: Re: Securing baseboard managers
From: Jordan Hubbard
To: Kamil Choudhury
Cc: freebsd-hackers@freebsd.org
Date: Sat, 5 Apr 2014 20:54:53 +0500

On Apr 5, 2014, at 8:00 PM, Kamil Choudhury wrote:

> I spend my days doing application development, so I am probably missing a lot of perspective that more systems-oriented people have. If my questions are ridiculous, feel free to tell me so and send me on my way!

All IPMI implementations suck. It is axiomatic. It is not, however, an easy problem to fix - you can't just cobble together a tiny BSD distribution and whap it into place any more than you can trivially replace your motherboard's BIOS with something that works compatibly in all respects with things that expect a standard BIOS (or an even only vaguely standard IPMI implementation). There are hooks into motherboard-specific sensors, weird console redirection hacks, it's very very black magic.

Which is also why Java applets are involved. To remotely render an interactive console in someone's browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

From the security side, most reasonable motherboards don't feature NIC sharing as the only option. Many offer dedicated IPMI ports, which means you don't have to expose them to the big bad internet unless you really really want to, and you can also elect to make a shared NIC dedicated to IPMI and just plug in an external NIC if you're trying to make a router out of the box. That's generally what I do.

- Jordan