# BMC Considered Harmful

* Conventional BMC implementations are proprietary and often riddled with security holes. This analysis instead considers OpenBMC, a free implementation.
* Each board requires a massive porting effort, with large changes to OpenBMC itself, coreboot, U-boot, flashrom, and sometimes more. The D16 OpenBMC port is estimated to cost upwards of $60,000, but this is likely an underestimate in practice.
* For evidence of the above, consider that D16's OpenBMC port is behind schedule and unclear if it is fit for production.
* Each board requires complex reverse-engineering.
* To so much as be a candidate board for OpenBMC, the server must have BMC support 
* The above issues mean that BMC users are locked in to the particular board (e.g. D16) even once there may be freer servers.
* On the powerful D16 board itself, compiling Raptor's BMC firmware takes _several hours_, locking up the machine entirely.
* Raptor does not supply binary images of the firmware, so users must compile this themselves.
* Its password is hardcoded into the firmware image. It cannot be changed without recompiling/reflashing. The default password is '0penBMC'.
* Despite many sysadmins only needing it for trivial tasks (power cycling, serial, keyboard, etc), OpenBMC is an entire embedded GNU/Linux distribution...
* ...but they call themselves a "Linux" distribution, despite clear connections to GNU https://github.com/openbmc/openbmc/search?utf8=%E2%9C%93&q=gnu&type=
* (Not to mention that they're _Open_BMC)
* (And hosted at github.com/facebook)
* OpenBMC is built on -key- technologies like D-Bus and systemd, a duo they're quite proud of
* OpenBMC exposes its functionality over an embedded web server, typically accessed by a REST API (which apparently assumes an isolated network, since there is no authentication and it is over cleartext -- no SSL)....
* ...and increasingly, the web interface is HTML5+JavaScript.