[ironic] Securing physical hosts in hostile environments

Eric K. Miller emiller at genesishosting.com
Tue Dec 15 23:43:20 UTC 2020



We have considered ironic for deploying physical hosts for our public
cloud platform, but have not found any way to properly secure the hosts,
or rather, how to reset a physical host back to factory defaults between
uses - such as BIOS and BMC settings.  Since users (bad actors) can
access the BMC via SMBus, reset BIOS password(s), change firmware
versions, etc., there appears to be no proper way to secure a platform.


This is especially true when resetting BIOS/BMC configurations since
this typically involves shorting a jumper and power cycling a unit
(physically removing power from the power supplies - not just a power
down from the BMC).  Manufacturers have not made this easy/possible, and
we have yet to find a commercial device that can assist with this
out-of-band.  We have actually thought of building our own, but thought
we would ask the community first. 






More information about the openstack-discuss mailing list