Intelligent Platform Management Interface


The Intelligent Platform Management Interface (IPMI) is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system's CPU, firmware (BIOS or UEFI) and operating system. IPMI defines a set of interfaces used by system administrators for out-of-band management of computer systems and monitoring of their operation. For example, IPMI provides a way to manage a computer that may be powered off or otherwise unresponsive by using a network connection to the hardware rather than to an operating system or login shell. Another use case may be installing a custom operating system remotely. Without IPMI, installing a custom operating system may require an administrator to be physically present near the computer, insert a DVD or a USB flash drive containing the OS installer and complete the installation process using a monitor and a keyboard. Using IPMI, an administrator can mount an ISO image, simulate an installer DVD, and perform the installation remotely. [1]


The specification is led by Intel and was first published on September 16, 1998. It is supported by more than 200 computer system vendors, such as Cisco, Dell, [2] Hewlett Packard Enterprise, and Intel. [3] [4]

Functionality

Using a standardized interface and protocol allows systems-management software based on IPMI to manage multiple, disparate servers. As a message-based, hardware-level interface specification, IPMI operates independently of the operating system (OS) to allow administrators to manage a system remotely in the absence of an operating system or of the system management software. Thus, IPMI functions can work in any of three scenarios:

System administrators can use IPMI messaging to monitor platform status (such as system temperatures, voltages, fans, power supplies and chassis intrusion); to query inventory information; to review hardware logs of out-of-range conditions; or to perform recovery procedures by issuing requests from a remote console through the same connections, e.g. system power-down and rebooting, or configuring watchdog timers. The standard also defines an alerting mechanism by which the system can send a Simple Network Management Protocol (SNMP) platform event trap (PET).

The monitored system may be powered off, but must be connected to a power source and to the monitoring medium, typically a local area network (LAN) connection. IPMI can also function after the operating system has started, and exposes management data and structures to the system management software. IPMI prescribes only the structure and format of the interfaces as a standard, while detailed implementations may vary. An implementation of IPMI version 1.5 can communicate via a direct out-of-band LAN or serial connection or via a side-band LAN connection to a remote client. The side-band LAN connection utilizes the board network interface controller (NIC). This solution is less expensive than a dedicated LAN connection but also has limited bandwidth and security issues.

Systems compliant with IPMI version 2.0 can also communicate via serial over LAN, whereby serial console output can be remotely viewed over the LAN. Systems implementing IPMI 2.0 typically also include KVM over IP, remote virtual media and out-of-band embedded web-server interface functionality, although strictly speaking, these lie outside of the scope of the IPMI interface standard.

DCMI (Data Center Manageability Interface) is a similar standard based on IPMI but designed to be more suitable for Data Center management: it uses the interfaces defined in IPMI, but minimizes the number of optional interfaces and includes power capping control, among other differences.

IPMI components

Figure: Interfaces to the baseboard management controller (BMC)

An IPMI sub-system consists of a main controller, called the baseboard management controller (BMC), and other management controllers distributed among different system modules that are referred to as satellite controllers. The satellite controllers within the same chassis connect to the BMC via the system interface called Intelligent Platform Management Bus/Bridge (IPMB), an enhanced implementation of I²C (Inter-Integrated Circuit). The BMC connects to satellite controllers or to another BMC in another chassis via the Intelligent Platform Management Controller (IPMC) bus or bridge. It may be managed with the Remote Management Control Protocol (RMCP), a specialized wire protocol defined by this specification. RMCP+ (a UDP-based protocol with stronger authentication than RMCP) is used for IPMI over LAN.

Several vendors develop and market BMC chips. A BMC utilized for embedded applications may have limited memory and require optimized firmware code for implementation of the full IPMI functionality. Highly integrated BMCs can provide complex instructions and provide the complete out-of-band functionality of a service processor. The firmware implementing the IPMI interfaces is provided by various vendors. A field-replaceable unit (FRU) repository holds the inventory, such as vendor ID and manufacturer, of potentially replaceable devices. A sensor data record (SDR) repository provides the properties of the individual sensors present on the board. For example, the board may contain sensors for temperature, fan speed, and voltage.

Baseboard management controller

Figure: Fully integrated BMC (ASPEED AST2400) as a single chip on a server motherboard

The baseboard management controller (BMC) provides the intelligence in the IPMI architecture. It is a specialized microcontroller embedded on the motherboard of a computer, generally a server. The BMC manages the interface between system-management software and platform hardware. The BMC has its own dedicated firmware and RAM.

Different types of sensors built into the computer system report to the BMC on parameters such as temperature, cooling fan speeds, power status, operating system (OS) status, etc. The BMC monitors the sensors and can send alerts to a system administrator via the network if any of the parameters do not stay within pre-set limits, indicating a potential failure of the system. The administrator can also remotely communicate with the BMC to take some corrective actions – such as resetting or power cycling the system to get a hung OS running again. These abilities reduce the total cost of ownership of a system.

Physical interfaces to the BMC include SMBuses, an RS-232 serial console, address and data lines, and an IPMB, which enables the BMC to accept IPMI request messages from other management controllers in the system.

A direct serial connection to the BMC is not encrypted as the connection itself is secure. Connection to the BMC over LAN may or may not use encryption depending on the security concerns of the user.

There are rising concerns about general security regarding BMCs as a closed infrastructure. [5] [6] [7] [8] OpenBMC is a Linux Foundation Collaborative open-source BMC project. [9]

Security

Historical issues

On 2 July 2013, Rapid7 published a guide to security penetration testing of the latest IPMI 2.0 protocol and implementations by various vendors. [10]

Some sources in 2013 were advising against using the older version of IPMI, [5] due to security concerns related to the design and vulnerabilities of Baseboard Management Controllers (BMCs). [11] [12]

However, like any other management interface, best security practices dictate the placement of the IPMI management port on a dedicated management LAN or VLAN restricted to trusted Administrators. [13]

Latest IPMI specification security improvements

The IPMI specification has been updated with RAKP+ and a stronger cipher that is computationally impractical to break. [14] Vendors as a result have provided patches that remediate these vulnerabilities. [citation needed]

The DMTF organization has developed a secure and scalable interface specification called Redfish to work in modern datacenter environments. [15]

Potential solutions

Some potential solutions exist outside of the IPMI standard, depending on proprietary implementations. Attacks that rely on short default passwords or on the "cipher 0" weakness can easily be overcome by using a RADIUS server for Authentication, Authorization, and Accounting (AAA) over SSL, as is typical in a datacenter or any medium to large deployment. The RADIUS server can be configured to store AAA data securely in an LDAP directory, using either FreeRADIUS with OpenLDAP or Microsoft Active Directory and related services.
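As an added example (not code from the IPMI specification, from this article's sources, or from any vendor), the following Python script audits the text that `ipmitool lan print` produces for the two weak IPMI-over-LAN settings discussed in this section: RMCP+ cipher suite 0 being allowed for any privilege level, and the NONE authentication type being enabled. The sample output is constructed; the field layout and the `ipmitool lan set <channel> cipher_privs` and `auth` commands it proposes are ipmitool's own, and the channel number 1 is an assumption.

```python
import re

# Privilege codes in ipmitool's "Cipher Suite Priv Max" field: one character
# per RMCP+ cipher suite 0..14, "X" meaning the suite is unused.
PRIV_CODES = {"c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed sample modelled on `ipmitool lan print 1`; not from a real BMC.
SAMPLE_LAN_PRINT = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      :
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

# Matches both the first "Auth Type Enable : Callback : ..." line and the
# continuation lines that start with ":" for the remaining privilege levels.
AUTH_RE = re.compile(
    r"^\s*(?:Auth Type Enable\s*)?:\s*(Callback|User|Operator|Admin|OEM)\s*:\s*(.*)$")

def parse_lan_print(text):
    """Pull the auth-type table and the RMCP+ cipher settings out of the text."""
    info = {"auth_enable": {}, "cipher_suites": [], "priv_max": ""}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            info["auth_enable"][m.group(1)] = m.group(2).split()
        elif line.startswith("RMCP+ Cipher Suites"):
            value = line.split(":", 1)[1]
            info["cipher_suites"] = [int(s) for s in value.split(",") if s.strip()]
        elif line.startswith("Cipher Suite Priv Max"):
            info["priv_max"] = line.split(":", 1)[1].strip()
    return info

def audit(info, channel=1):
    """Return (findings, ipmitool commands that close them).

    Cipher suite 0 gives no authentication, integrity or confidentiality, so
    it must be unused ("X") at every privilege level; auth type NONE lets an
    IPMI 1.5 session open without a password.
    """
    findings, fixes = [], []
    priv = info["priv_max"]
    if priv and priv[0] != "X":
        findings.append(f"cipher suite 0 allowed up to {PRIV_CODES.get(priv[0], priv[0])} privilege")
        fixes.append(f"ipmitool lan set {channel} cipher_privs X{priv[1:]}")
    for level, types in info["auth_enable"].items():
        if "NONE" in types:
            findings.append(f"auth type NONE enabled for {level}")
            kept = ",".join(t for t in types if t != "NONE") or "MD5"
            fixes.append(f"ipmitool lan set {channel} auth {level.upper()} {kept}")
    return findings, fixes

if __name__ == "__main__":
    found, cmds = audit(parse_lan_print(SAMPLE_LAN_PRINT))
    print("\n".join(found + cmds) or "no weak settings found")
```

Feed it the output of `ipmitool -I lanplus -H <bmc> -U <user> lan print <channel>` from a management host; the proposed commands only tighten the lists and leave the remaining cipher suites and auth types untouched.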

Role-based access provides a way to respond to current and future security issues by applying increasing restriction to the higher-privileged roles. Role-based access is supported with three roles available: Administrator, Operator and User.

Overall, the User role has read-only access to the BMC and no remote control ability, such as power cycling or the ability to view or log into the main CPU on the motherboard. Therefore, any hacker with the User role has zero access to confidential information and zero control over the system. The User role is typically used to monitor sensor readings after an SNMP alert has been received by SNMP network monitoring software.

The Operator role is used in the rare event when a system is hung, to generate an NMI crash/core dump file and reboot or power cycle the system. In such a case, the Operator will also have access to the system software to collect the crash/core dump file.

The Administrator role is used to configure the BMC on first boot during the commissioning of the system when first installed.

Therefore, the prudent best practice is to disable the Operator and Administrator roles in LDAP/RADIUS, and have the LDAP/RADIUS administrator enable them only when needed. For example, in RADIUS a role's Auth-Type setting can be changed to:

Auth-Type := Reject

Doing so will prevent RAKP hash attacks from succeeding since the username will be rejected by the RADIUS server.

Version history

The IPMI standard specification has evolved through a number of iterations: [16] [17]

Implementations

See also

References

  1. "Supermicro IPMI - What is it and what can it do for you?". Archived from the original on 27 February 2019. Retrieved 27 February 2018.
  2. "An Introduction to the Intelligent Platform Management Interface".
  3. "Intelligent Platform Management Interface; Adopters list". Intel. Retrieved 9 August 2014.
  4. Chernis, P J (1985). "Petrographic analyses of URL-2 and URL-6 special thermal conductivity samples". doi:10.4095/315247.
  5. "The Eavesdropping System in Your Computer - Schneier on Security". Schneier.com. 2013-01-31. Retrieved 2013-12-05.
  6. "InfoSec Handlers Diary Blog - IPMI: Hacking servers that are turned "off"". Isc.sans.edu. 2012-06-07. Retrieved 2015-05-29.
  7. Goodin, Dan (2013-08-16). ""Bloodsucking leech" puts 100,000 servers at risk of potent attacks". Arstechnica.com. Retrieved 2015-05-29.
  8. Anthony J. Bonkoski; Russ Bielawski; J. Alex Halderman (2013). "Illuminating the Security Issues Surrounding Lights-Out Server Management" (PDF). USENIX Workshop on Offensive Technologies. Usenix.org. Retrieved 2015-05-29.
  9. "OpenBMC Project Community Comes Together at The Linux Foundation to Define Open Source Implementation of BMC Firmware Stack - The Linux Foundation". The Linux Foundation. 2018-03-19. Retrieved 2018-03-27.
  10. "Metasploit: A Penetration Tester's Guide to IPMI and BMCs". Rapid7.com. 2013-07-02. Retrieved 2013-12-05.
  11. "Authentication Bypass Vulnerability in IPMI 2.0 RAKP through the use of cipher zero". websecuritywatch.com. 2013-08-23. Retrieved 2013-12-05.
  12. Dan Farmer (2013-08-22). "IPMI: Freight train to hell" (PDF). fish2.com. Retrieved 2013-12-05.
  13. Kumar, Rohit (2018-10-19). "Basic BMC and IPMI Management Security Practices". ServeTheHome. Retrieved 2019-12-23.
  14. "IPMI Specification, V2.0, Rev. 1.1: Document". Intel. Retrieved 2022-06-11.
  15. "Redfish: A New API for Managing Servers". InfoQ. Retrieved 2022-06-11.
  16. "Intelligent Platform Management Interface: What is IPMI?". Intel. Retrieved 9 August 2014.
  17. "Intelligent Platform Management Interface; Specifications". Intel. Retrieved 9 August 2014.
  18. "IPMI - Ver2.0 Rev1.1 Errata7".