1 # BMC Considered Harmful
3 * Conventional BMC implementations are proprietary and often riddled with security holes. This analysis instead considers OpenBMC, a free implementation.
4 * Each board requires a massive porting effort, with large changes to OpenBMC itself, coreboot, U-boot, flashrom, and sometimes more. The D16 OpenBMC port is estimated to cost upwards of $60,000, but this is likely an underestimate in practice.
5 * For evidence of the above, consider that D16's OpenBMC port is behind schedule and unclear if it is fit for production.
6 * Each board requires complex reverse-engineering.
7 * To so much as be a candidate board for OpenBMC, the server must have BMC support
8 * The above issues mean that BMC users are locked in to the particular board (e.g. D16) even once there may be freer servers.
9 * On the powerful D16 board itself, compiling Raptor's BMC firmware takes _several hours_, locking up the machine entirely.
10 * Raptor does not supply binary images of the firmware, so users must compile this themselves.
11 * Its password is hardcoded into the firmware image. It cannot be changed without recompiling/reflashing. The default password is '0penBMC'.
12 * Despite many sysadmins only needing it for trivial tasks (power cycling, serial, keyboard, etc), OpenBMC is an entire embedded GNU/Linux distribution...
13 * ...but they call themselves a "Linux" distribution, despite clear connections to GNU https://github.com/openbmc/openbmc/search?utf8=%E2%9C%93&q=gnu&type=
14 * (Not to mention that they're _Open_BMC)
15 * (And hosted at github.com/facebook)
16 * OpenBMC is built on -key- technologies like D-Bus and systemd, a duo they're quite proud of
17 * OpenBMC exposes its functionality over an embedded web server, typically accessed by a REST API (which apparently assumes an isolated network, since there is no authentication and it is over cleartext -- no SSL)....
18 * ...and increasingly, the web interface is HTML5+JavaScript.
projects / libremanage.git / blob