From a5360d7bb8ad8218104ccdb4f48253c93bbeb8a3 Mon Sep 17 00:00:00 2001 From: Alyssa Rosenzweig Date: Fri, 22 Jun 2018 19:10:10 +0000 Subject: [PATCH 1/1] Rant --- BMC-Considered-Harmful.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 BMC-Considered-Harmful.md diff --git a/BMC-Considered-Harmful.md b/BMC-Considered-Harmful.md new file mode 100644 index 0000000..2f4f0b1 --- /dev/null +++ b/BMC-Considered-Harmful.md 
@@ -0,0 +1,18 @@ +# BMC Considered Harmful + +* Conventional BMC implementations are proprietary and often riddled with security holes. This analysis instead considers OpenBMC, a free implementation. +* Each board requires a massive porting effort, with large changes to OpenBMC itself, coreboot, U-boot, flashrom, and sometimes more. The D16 OpenBMC port is estimated to cost upwards of $60,000, but this is likely an underestimate in practice. +* For evidence of the above, consider that D16's OpenBMC port is behind schedule and unclear if it is fit for production. +* Each board requires complex reverse-engineering. +* To so much as be a candidate board for OpenBMC, the server must have BMC support +* The above issues mean that BMC users are locked in to the particular board (e.g. D16) even once there may be freer servers. +* On the powerful D16 board itself, compiling Raptor's BMC firmware takes _several hours_, locking up the machine entirely. +* Raptor does not supply binary images of the firmware, so users must compile this themselves. +* Its password is hardcoded into the firmware image. It cannot be changed without recompiling/reflashing. The default password is '0penBMC'. +* Despite many sysadmins only needing it for trivial tasks (power cycling, serial, keyboard, etc), OpenBMC is an entire embedded GNU/Linux distribution... +* ...but they call themselves a "Linux" distribution, despite clear connections to GNU https://github.com/openbmc/openbmc/search?utf8=%E2%9C%93&q=gnu&type= +* (Not to mention that they're _Open_BMC) +* (And hosted at github.com/facebook) +* OpenBMC is built on -key- technologies like D-Bus and systemd, a duo they're quite proud of +* OpenBMC exposes its functionality over an embedded web server, typically accessed by a REST API (which apparently assumes an isolated network, since there is no authentication and it is over cleartext -- no SSL).... +* ...and increasingly, the web interface is HTML5+JavaScript. -- 2.25.1
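Review bot: The two security claims in this hunk (the hardcoded default password '0penBMC' that cannot be changed without recompiling/reflashing, and the REST API with no authentication over cleartext) are asserted without a source or version, while the much weaker naming complaint about "GNU/Linux" is the one bullet that carries a link; please add the OpenBMC or Raptor firmware revision and the source file or configuration where each default was observed, so a reader can check whether it still applies, and state the mitigation the text implies (set the credential at build time and keep the BMC on an isolated management network) rather than leaving it at "apparently assumes an isolated network". Minor points on the same lines: `-key-` is not markdown strikethrough, use `~~key~~`; the bullet "the server must have BMC support" is missing its terminating period; and D16 and Raptor are referenced throughout without introduction, so a one-line definition under the heading would help.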