On 2020-12-15 17:43:20 -0600 (-0600), Eric K. Miller wrote: [...]
Since users (bad actors) can access the BMC via SMBus, reset BIOS password(s), change firmware versions, etc., there appears to be no proper way to secure a platform. [...] Manufacturers have not made this easy/possible, and we have yet to find a commercial device that can assist with this out-of-band. We have actually thought of building our own, but thought we would ask the community first.
My understanding is that one of the primary reasons why https://www.opencompute.org/ formed was to collaboratively design hardware which can't be compromised in-band by its users. The Elastic Secure Infrastructure effort happening in OpenInfra Labs is also attempting to template and document repeatable solutions for the first half of the problem (centrally detecting tainted BIOS/firmware via signature verification and attestation): https://www.bu.edu/rhcollab/projects/esi/
-- 
Jeremy Stanley
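As an added illustration of the "first half of the problem" named in the reply (central detection of tainted BIOS/firmware by signature verification against known-good measurements), the following Go program is example code written for this page; it is not from the ESI project, OpenCompute, or either poster. It assumes a simple JSON manifest of expected SHA-256 digests per firmware component, signed by the platform owner with Ed25519, and constructed stand-in "images" and component names ("bios", "bmc"); a real deployment would obtain the measurements from a TPM or the BMC's attestation interface rather than from inline byte strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Manifest is the owner's list of expected firmware digests.
// The format is an assumption made for this example.
type Manifest struct {
	Platform string            `json:"platform"`
	Digests  map[string]string `json:"digests"` // component name -> hex SHA-256
}

// SignManifest serialises the manifest and signs the bytes with the owner's
// Ed25519 key, returning both the signed body and the signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyFirmware first checks the manifest signature (a forged or edited
// manifest is rejected before any digest is trusted), then hashes each
// reported firmware image and compares it with the manifest. It returns the
// sorted names of components that are missing or whose digest differs.
func VerifyFirmware(pub ed25519.PublicKey, body, sig []byte, measured map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	var tainted []string
	for name, want := range m.Digests {
		img, ok := measured[name]
		if !ok {
			tainted = append(tainted, name) // component not reported at all
			continue
		}
		got := sha256.Sum256(img)
		if hex.EncodeToString(got[:]) != want {
			tainted = append(tainted, name)
		}
	}
	sort.Strings(tainted)
	return tainted, nil
}

// constructedGood returns stand-in firmware images (constructed sample data).
func constructedGood() map[string][]byte {
	return map[string][]byte{
		"bios": []byte("constructed BIOS image v1.2"),
		"bmc":  []byte("constructed BMC image v3.0"),
	}
}

// Demo builds and signs a manifest from the known-good images, then checks a
// node whose BMC firmware has been changed. It returns the tainted components.
func Demo() ([]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	good := constructedGood()
	m := Manifest{Platform: "example-node", Digests: map[string]string{}}
	for name, img := range good {
		d := sha256.Sum256(img)
		m.Digests[name] = hex.EncodeToString(d[:])
	}
	body, sig, err := SignManifest(priv, m)
	if err != nil {
		return nil, err
	}
	// Measurements reported by the node: BIOS intact, BMC image altered.
	reported := map[string][]byte{
		"bios": good["bios"],
		"bmc":  []byte("constructed BMC image v3.0 (downgraded)"),
	}
	return VerifyFirmware(pub, body, sig, reported)
}

// DemoTamperedManifest shows that editing the manifest (here, one byte of the
// signed body) is caught by the signature check. It returns the verify error.
func DemoTamperedManifest() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	body, sig, err := SignManifest(priv, Manifest{Platform: "example-node", Digests: map[string]string{}})
	if err != nil {
		return err
	}
	body[len(body)-1] ^= 0x01
	_, err = VerifyFirmware(pub, body, sig, nil)
	return err
}

func main() {
	tainted, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("tainted components:", tainted)
	fmt.Println("tampered manifest:", DemoTamperedManifest())
}
```

The manifest is verified before its contents are used, so an attacker who can alter firmware but not sign as the platform owner cannot also rewrite the expected digests; the remaining trust question, which the example does not address, is whether the reported measurements themselves are genuine, which is where hardware-rooted attestation comes in.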