[ironic] Securing physical hosts in hostile environments

Jeremy Stanley fungi at yuggoth.org
Wed Dec 16 17:02:19 UTC 2020


On 2020-12-15 17:43:20 -0600 (-0600), Eric K. Miller wrote:
[...]
> Since users (bad actors) can access the BMC via SMBus, reset BIOS
> password(s), change firmware versions, etc., there appears to be
> no proper way to secure a platform.
[...]
> Manufacturers have not made this easy/possible, and we have yet to
> find a commercial device that can assist with this out-of-band.
> We have actually thought of building our own, but thought we would
> ask the community first.

My understanding is that one of the primary reasons why
https://www.opencompute.org/ formed was to collaboratively design
hardware which can't be compromised in-band by its users.

The Elastic Secure Infrastructure effort happening in OpenInfra Labs
is also attempting to template and document repeatable solutions for
the first half of the problem (centrally detecting tainted
BIOS/firmware via signature verification and attestation):
https://www.bu.edu/rhcollab/projects/esi/
-- 
Jeremy Stanley