[E] [ironic] Securing physical hosts in hostile environments
jay.faulkner at verizonmedia.com
Wed Dec 16 17:16:21 UTC 2020
I've attempted to secure physical hardware at a previous job. The primary
tools we used were vendor relationships and extensive testing. There's no
silver bullet to getting hardware safe against a "root" user.
Not trying to give an unhelpful answer; but outside of the groups that
Jeremy linked, there's been very little innovation enabling you to secure
your hardware, unless you work directly with a vendor (and have the buying
power to make them listen).
On Tue, Dec 15, 2020 at 3:48 PM Eric K. Miller <emiller at genesishosting.com>
> We have considered ironic for deploying physical hosts for our public
> cloud platform, but have not found any way to properly secure the hosts, or
> rather, how to reset a physical host back to factory defaults between uses
> - such as BIOS and BMC settings. Since users (bad actors) can access the
> BMC via SMBus, reset BIOS password(s), change firmware versions, etc.,
> there appears to be no proper way to secure a platform.
> This is especially true when resetting BIOS/BMC configurations since this
> typically involves shorting a jumper and power cycling a unit (physically
> removing power from the power supplies - not just a power down from the
> BMC). Manufacturers have not made this easy/possible, and we have yet to
> find a commercial device that can assist with this out-of-band. We have
> actually thought of building our own, but thought we would ask the
> community first.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openstack-discuss