[E] [ironic] Securing physical hosts in hostile environments

Jay Faulkner jay.faulkner at verizonmedia.com
Wed Dec 16 17:16:21 UTC 2020

I've attempted to secure physical hardware at a previous job. The primary
tools we used were vendor relationships and extensive testing. There's no
silver bullet to getting hardware safe against a "root" user.

Not trying to give an unhelpful answer; but outside of the groups that
Jeremy linked, there's been very little innovation enabling you to secure
your hardware,  unless you work directly with a vendor (and have the buying
power to make them listen).

Jay Faulkner

On Tue, Dec 15, 2020 at 3:48 PM Eric K. Miller <emiller at genesishosting.com>

> Hi,
> We have considered ironic for deploying physical hosts for our public
> cloud platform, but have not found any way to properly secure the hosts, or
> rather, how to reset a physical host back to factory defaults between uses
> - such as BIOS and BMC settings.  Since users (bad actors) can access the
> BMC via SMBus, reset BIOS password(s), change firmware versions, etc.,
> there appears to be no proper way to secure a platform.
> This is especially true when resetting BIOS/BMC configurations since this
> typically involves shorting a jumper and power cycling a unit (physically
> removing power from the power supplies - not just a power down from the
> BMC).  Manufacturers have not made this easy/possible, and we have yet to
> find a commercial device that can assist with this out-of-band.  We have
> actually thought of building our own, but thought we would ask the
> community first.
> Thanks!
> Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201216/f49d96f0/attachment-0001.html>

More information about the openstack-discuss mailing list