6 points by b112 8 months ago | 3 comments
  • transpute 7 months ago
    Thanks to OpenCompute and the Open Source Firmware Conference (OSFC), there has been some progress in servers towards open firmware and open silicon RoT (OpenTitan, Caliptra). The primary beneficiaries have been cloud hyperscalers who buy large quantities of customized OCP servers from ODMs like Quanta.

    For businesses buying smaller quantities, HPE servers have made a small step towards open firmware, enabling customer-configured OpenBMC as an alternative to iLO, https://www.youtube.com/watch?v=21kiLA1DVSU

  • 3np 8 months ago
    Only speaking for ASRockRACK, the situation is not much better with regards to firmware updates or confidence in IPMI security. Oh, and there's a fishy undocumented preconfigured second Admin account you have to go into user management to spot... Thanks for alleviating buyer's remorse, as the grass seemed greener at SuperMicro ;^^

    > They still seem to have ridiculous LAN sharing of IPMI, which means that even if you set their IPMI to use the dedicated NIC, and setup an isolated network, a loss of defaults means your IPMI is now no longer on that network but sharing the NIC on your main network.

    This sounds particularly weird though, if I am reading it right. Are you saying the BMC will bridge IPMI over multiple NICs in default configuration? And that there is no setup that safely and consistently binds the IPMI to a single NIC?

    Isolating management to a dedicated network continues to be part of basic security, and it's very surprising to hear that this would not be a supported use case at SuperMicro...

    • b112 8 months ago
      > This sounds particularly weird though, if I am reading it right. Are you saying the BMC will bridge IPMI over multiple NICs in default configuration? And that there is no setup that safely and consistently binds the IPMI to a single NIC?

      By default, their servers have a 'failover' mode for the main NIC. This means that when the server gets power and IPMI boots, if the IPMI NIC doesn't have a link, it will then share connectivity with the main NIC.

      # To get the current LAN mode (single response byte):
      ipmitool raw 0x30 0x70 0x0c 0
      # 00 = dedicated, 01 = share, 02 = failover

      # To set it, use 0|1|2 as <value>:
      ipmitool raw 0x30 0x70 0x0c 1 <value>

      You can set it to 'dedicated', but sometimes that's buggy and the setting can get lost. I've had it happen. And it defaults to failover on most servers I've bought, so a dead BIOS battery means the same outcome.

      And if you're not aware and leave it at failover, and your dedicated IPMI LAN switch dies, then on the next boot all your stuff is exposed.

      From what I've read, this is still the same in 2025.

      I'd really have preferred a jumper for something this insanely insecure.

      Thanks for the FYI on AsRockRACK.

      Have you had any firmware updates for IPMI with them, however?
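      As an added example (not code from the thread), a small POSIX sh wrapper around the raw commands quoted above: it turns the response byte into a mode name, reports anything other than 'dedicated' as a finding, and re-reads the mode after setting it, since the setting is reported to get lost. IPMI_ARGS and the function names are my own; the 00/01/02 mapping is the one given in the comment.

```shell
#!/bin/sh
# Audit (and optionally enforce) the Supermicro BMC LAN interface mode
# via the OEM raw command from the thread. Constructed example; assumes
# ipmitool is in PATH. Set IPMI_ARGS="-I lanplus -H <bmc> -U <user>" for
# out-of-band use, or leave it empty for in-band use on the host.
IPMI_ARGS="${IPMI_ARGS:-}"

# Map the single response byte (e.g. " 02") to a mode name.
mode_name() {
    case "$(printf '%s' "$1" | tr -d ' \n')" in
        00|0) echo dedicated ;;
        01|1) echo share ;;
        02|2) echo failover ;;
        *)    echo unknown ;;
    esac
}

# Read the current mode; prints the name, returns 1 if the BMC did not answer.
get_lan_mode() {
    raw=$(ipmitool $IPMI_ARGS raw 0x30 0x70 0x0c 0 2>/dev/null) || { echo unknown; return 1; }
    mode_name "$raw"
}

# Return 0 only when the BMC is pinned to its dedicated NIC; otherwise print
# a finding, so this can run from cron or a monitoring agent.
audit_lan_mode() {
    mode=$(get_lan_mode)
    if [ "$mode" = dedicated ]; then
        echo "OK: BMC LAN mode is dedicated"
        return 0
    fi
    echo "FINDING: BMC LAN mode is '$mode'; a dead IPMI link may fail over to the host NIC"
    return 1
}

# Set dedicated (value 0) and re-read to confirm it stuck.
enforce_dedicated() {
    ipmitool $IPMI_ARGS raw 0x30 0x70 0x0c 1 0 >/dev/null 2>&1 || return 1
    [ "$(get_lan_mode)" = dedicated ]
}

# Usage: sh bmc_lan_mode.sh audit | enforce
case "${1:-}" in
    audit)   audit_lan_mode ;;
    enforce) enforce_dedicated && echo "BMC LAN mode confirmed dedicated" ;;
esac
```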

      • 3np 8 months ago
        That sucks. If it were me I'd suck it up and consider that I now have two dedicated IPMI NICs with failover and attach new ones if needed for system network...

        > Thanks for the FYI on AsRockRACK.

        NP. FWIW at least I think the BMC networking doesn't have the kind of failure mode you're describing.

        > Have you had any firmware updates for IPMI with them, however?

        Yeah, they have unofficial newer "beta" versions that you will get a private download link for over email if you contact support and ask for it. Same if you want fixes for UEFI or AMD firmware vulnerabilities more than a year or so after board release.

        Thinking about supply-chain security when flashing those makes me a bit nauseous... The industry seems to be stuck with a 90s mindset and processes.

  • toomuchtodo 8 months ago
    Is Oxide an option? https://oxide.computer/

    (no affiliation, I just like the solution)

    • b112 8 months ago
      I'm not worried about what I'll put on my servers, but about keeping the server hardware updated and secure. Mostly looking for answers from people who have had to deal with, and update, IPMI on servers in the last few years.

      Thanks though.