[E] [ironic] Securing physical hosts in hostile environments

Eric K. Miller emiller at genesishosting.com
Wed Dec 16 17:30:58 UTC 2020

> I've attempted to secure physical hardware at a previous job. The primary tools we used were vendor relationships and extensive testing. There's no silver bullet to getting hardware safe against a "root" user.
> Not trying to give an unhelpful answer; but outside of the groups that Jeremy linked, there's been very little innovation enabling you to secure  your hardware,  unless you work directly with a vendor (and have the buying power to make them listen).
> -
> Jay Faulkner

Thanks Jay!  I suspected as much.  It does seem that there is likely a big market for this - an out-of-band device/PCI card that can assist with initiating re-flashing, power management (outside of the switchable power supplies), and jumper changes.  I was a bit shocked that it didn't exist.  I thought SMC would have built something like this into their SuperBlade systems, but their chassis-level BMC reset functions simply use the network to connect to the blades' BMCs, which isn't too helpful when the user changes the IP address of the BMC…  ugh.


More information about the openstack-discuss mailing list