Securing baseboard managers

Jordan Hubbard jkh at ixsystems.com
Sat Apr 5 15:55:04 UTC 2014


On Apr 5, 2014, at 8:00 PM, Kamil Choudhury <Kamil.Choudhury at anserinae.net> wrote:

> I spend my days doing application development, so I am probably missing 
> a lot of perspective that more systems-oriented people have. If my 
> questions are ridiculous, feel free to tell me so and send me on my way!

All IPMI implementations suck.  It is axiomatic.  It is not, however, an easy problem to fix - you can’t just cobble together a tiny BSD distribution and whap it into place any more than you can trivially replace your motherboard's BIOS with something that works compatibly in all respects with things that expect a standard BIOS (or an even only vaguely standard IPMI implementation).  There are hooks into motherboard-specific sensors, weird console redirection hacks, it’s very very black magic.

Which is also why Java applets are involved.  To remotely render an interactive console in someone’s browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

From the security side, most reasonable motherboards don’t feature NIC sharing as the only option.  Many offer dedicated IPMI ports, which means you don’t have to expose them to the big bad internet unless you really really want to, and you can also elect to make a shared NIC dedicated to IPMI and just plug in an external NIC if you’re trying to make a router out of the box. That’s generally what I do.

- Jordan
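The placement advice above (put the BMC on a dedicated IPMI port or segment rather than a shared NIC) can be turned into a quick audit. The script below is an added example, not code from the mail thread or from any IPMI vendor: it parses `Key : Value` text in the style of `ipmitool lan print` (the two samples are constructed, not captured from real hardware), and flags a BMC whose address is outside a hypothetical allow-listed management prefix or that sits in the same subnet as the host's primary NIC, which is the usual sign of shared-NIC mode.

```python
import ipaddress

# Constructed sample in the style of `ipmitool lan print`; not captured from any real BMC.
SHARED_NIC_SAMPLE = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.0.2.1
"""

# Constructed sample of a BMC that lives on a dedicated management segment.
DEDICATED_SAMPLE = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.99.0.7
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:02
Default Gateway IP      : 10.99.0.1
"""

# Hypothetical site policy: the only prefixes a BMC is allowed to sit in.
MANAGEMENT_NETS = [ipaddress.ip_network("10.99.0.0/24")]


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict. Splits on the first colon only,
    so colon-bearing values such as MAC addresses survive intact."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def bmc_interface(fields):
    """Build an ip_interface from the BMC address and its dotted-quad netmask."""
    return ipaddress.ip_interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")


def check_bmc_placement(lan_print_text, host_interface, management_nets=MANAGEMENT_NETS):
    """Return a list of findings; an empty list means the BMC looks isolated.

    host_interface is the host OS's primary NIC address in CIDR form. A BMC that
    lands in the same subnet is the usual symptom of a shared-NIC configuration.
    """
    fields = parse_lan_print(lan_print_text)
    bmc = bmc_interface(fields)
    host = ipaddress.ip_interface(host_interface)
    findings = []

    if not any(bmc.ip in net for net in management_nets):
        findings.append(
            f"BMC {bmc.ip} is outside the management networks "
            f"{[str(n) for n in management_nets]}"
        )
    if bmc.ip in host.network:
        findings.append(
            f"BMC {bmc.ip} shares subnet {host.network} with the host's primary NIC "
            "(likely shared-NIC mode rather than a dedicated IPMI port)"
        )
    return findings


if __name__ == "__main__":
    # Host's primary NIC address is also a constructed value.
    for label, sample in (("shared", SHARED_NIC_SAMPLE), ("dedicated", DEDICATED_SAMPLE)):
        result = check_bmc_placement(sample, host_interface="192.0.2.10/24")
        print(label, "->", result or "OK")
```

Run against real output by feeding the text of `ipmitool lan print` from the host and the host's own interface address; the subnet-overlap heuristic only says the BMC shares a segment with the host, so confirm which physical port is in use before treating it as a shared-NIC finding.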


