Ed Tanous | 0cd5f78 | 2022-04-26 16:09:09 -0700 | [diff] [blame] | 1 | option( |
| 2 | 'yocto-deps', |
| 3 | type: 'feature', |
| 4 | value: 'disabled', |
| 5 | description: 'Use YOCTO dependencies system' |
| 6 | ) |
| 7 | |
| 8 | option( |
| 9 | 'kvm', |
| 10 | type: 'feature', |
| 11 | value: 'enabled', |
| 12 | description: '''Enable the KVM host video WebSocket. Path is /kvm/0. |
| 13 | Video is from the BMCs /dev/videodevice.''' |
| 14 | ) |
| 15 | |
| 16 | option( |
| 17 | 'tests', |
| 18 | type: 'feature', |
| 19 | value: 'enabled', |
| 20 | description: 'Enable Unit tests for bmcweb' |
| 21 | ) |
| 22 | |
| 23 | option( |
| 24 | 'vm-websocket', |
| 25 | type: 'feature', |
| 26 | value: 'enabled', |
| 27 | description: '''Enable the Virtual Media WebSocket. Path is /vm/0/0 to |
| 28 | open the websocket. See |
| 29 | https://github.com/openbmc/jsnbd/blob/master/README.''' |
| 30 | ) |
Ed Tanous | efb8062 | 2021-02-20 11:04:01 -0800 | [diff] [blame] | 31 | |
| 32 | # if you use this option and are seeing this comment, please comment here: |
| 33 | # https://github.com/openbmc/bmcweb/issues/188 and put forward your intentions |
| 34 | # for this code. At this point, no daemon has been upstreamed that implements |
| 35 | # this interface, so for the moment this appears to be dead code; In leiu of |
| 36 | # removing it, it has been disabled to try to give those that use it the |
| 37 | # opportunity to upstream their backend implementation |
Ed Tanous | 0cd5f78 | 2022-04-26 16:09:09 -0700 | [diff] [blame] | 38 | #option( |
| 39 | # 'vm-nbdproxy', |
| 40 | # type: 'feature', value: 'disabled', |
| 41 | # description: 'Enable the Virtual Media WebSocket.' |
| 42 | #) |
| 43 | |
| 44 | option( |
| 45 | 'rest', |
| 46 | type: 'feature', |
| 47 | value: 'disabled', |
| 48 | description: '''Enable Phosphor REST (D-Bus) APIs. Paths directly map |
| 49 | Phosphor D-Bus object paths, for example, |
| 50 | /xyz/openbmc_project/logging/entry/enumerate. See |
| 51 | https://github.com/openbmc/docs/blob/master/rest-api.md.''' |
| 52 | ) |
| 53 | |
| 54 | option( |
| 55 | 'redfish', |
| 56 | type: 'feature', |
| 57 | value: 'enabled', |
| 58 | description: '''Enable Redfish APIs. Paths are under /redfish/v1/. See |
| 59 | https://github.com/openbmc/bmcweb/blob/master/DEVELOPING.md#redfish.''' |
| 60 | ) |
| 61 | |
| 62 | option( |
| 63 | 'host-serial-socket', |
| 64 | type: 'feature', |
| 65 | value: 'enabled', |
| 66 | description: '''Enable host serial console WebSocket. Path is /console0. |
| 67 | See https://github.com/openbmc/docs/blob/master/console.md.''' |
| 68 | ) |
| 69 | |
| 70 | option( |
| 71 | 'static-hosting', |
| 72 | type: 'feature', |
| 73 | value: 'enabled', |
| 74 | description: '''Enable serving files from the /usr/share/www directory |
| 75 | as paths under /.''' |
| 76 | ) |
| 77 | |
| 78 | option( |
| 79 | 'redfish-bmc-journal', |
| 80 | type: 'feature', |
Willy Tu | f848367 | 2022-05-10 15:08:10 -0700 | [diff] [blame] | 81 | value: 'enabled', |
Ed Tanous | 0cd5f78 | 2022-04-26 16:09:09 -0700 | [diff] [blame] | 82 | description: '''Enable BMC journal access through Redfish. Paths are under |
| 83 | /redfish/v1/Managers/bmc/LogServices/Journal.''' |
| 84 | ) |
| 85 | |
| 86 | option( |
| 87 | 'redfish-cpu-log', |
| 88 | type: 'feature', |
| 89 | value: 'disabled', |
| 90 | description: '''Enable CPU log service transactions through Redfish. Paths |
| 91 | are under /redfish/v1/Systems/system/LogServices/Crashdump'.''' |
| 92 | ) |
| 93 | |
| 94 | option( |
| 95 | 'redfish-dump-log', |
| 96 | type: 'feature', |
| 97 | value: 'disabled', |
| 98 | description: '''Enable Dump log service transactions through Redfish. Paths |
| 99 | are under /redfish/v1/Systems/system/LogServices/Dump |
| 100 | and /redfish/v1/Managers/bmc/LogServices/Dump''' |
| 101 | ) |
| 102 | |
| 103 | option( |
| 104 | 'redfish-dbus-log', |
| 105 | type: 'feature', |
| 106 | value: 'disabled', |
| 107 | description: '''Enable DBUS log service transactions through Redfish. Paths |
| 108 | are under |
| 109 | /redfish/v1/Systems/system/LogServices/EventLog/Entries''' |
| 110 | ) |
| 111 | |
| 112 | option( |
| 113 | 'redfish-host-logger', |
| 114 | type: 'feature', |
| 115 | value: 'enabled', |
| 116 | description: '''Enable host log service transactions based on |
| 117 | phosphor-hostlogger through Redfish. Paths are under |
| 118 | /redfish/v1/Systems/system/LogServices/HostLogger''' |
| 119 | ) |
| 120 | |
| 121 | option( |
| 122 | 'redfish-provisioning-feature', |
| 123 | type: 'feature', |
| 124 | value: 'disabled', |
| 125 | description: '''Enable provisioning feature support in redfish. Paths are |
| 126 | under /redfish/v1/Systems/system/''' |
| 127 | ) |
| 128 | |
| 129 | option( |
| 130 | 'bmcweb-logging', |
| 131 | type: 'feature', |
| 132 | value: 'disabled', |
| 133 | description: 'Enable output the extended debug logs' |
| 134 | ) |
| 135 | |
| 136 | option( |
| 137 | 'basic-auth', |
| 138 | type: 'feature', |
| 139 | value: 'enabled', |
| 140 | description: 'Enable basic authentication' |
| 141 | ) |
| 142 | |
| 143 | option( |
| 144 | 'session-auth', |
| 145 | type: 'feature', |
| 146 | value: 'enabled', |
| 147 | description: 'Enable session authentication' |
| 148 | ) |
| 149 | |
| 150 | option( |
| 151 | 'xtoken-auth', |
| 152 | type: 'feature', |
| 153 | value: 'enabled', |
| 154 | description: 'Enable xtoken authentication' |
| 155 | ) |
| 156 | |
| 157 | option( |
| 158 | 'cookie-auth', |
| 159 | type: 'feature', |
| 160 | value: 'enabled', |
| 161 | description: 'Enable cookie authentication' |
| 162 | ) |
| 163 | |
| 164 | option( |
| 165 | 'mutual-tls-auth', |
| 166 | type: 'feature', |
| 167 | value: 'enabled', |
| 168 | description: '''Enables authenticating users through TLS client |
| 169 | certificates. The insecure-disable-ssl must be disabled for |
| 170 | this option to take effect.''' |
| 171 | ) |
| 172 | |
| 173 | option( |
| 174 | 'ibm-management-console', |
| 175 | type: 'feature', |
| 176 | value: 'disabled', |
| 177 | description: '''Enable the IBM management console specific functionality. |
| 178 | Paths are under /ibm/v1/''' |
| 179 | ) |
| 180 | |
| 181 | option( |
| 182 | 'google-api', |
| 183 | type: 'feature', |
| 184 | value: 'disabled', |
| 185 | description: '''Enable the Google specific functionality. Paths are under |
| 186 | /google/v1/''' |
| 187 | ) |
| 188 | |
| 189 | option( |
| 190 | 'http-body-limit', |
| 191 | type: 'integer', |
| 192 | min: 0, |
| 193 | max: 512, |
| 194 | value: 30, |
| 195 | description: 'Specifies the http request body length limit' |
| 196 | ) |
| 197 | |
| 198 | option( |
| 199 | 'redfish-new-powersubsystem-thermalsubsystem', |
| 200 | type: 'feature', |
| 201 | value: 'disabled', |
| 202 | description: '''Enable/disable the new PowerSubsystem, ThermalSubsystem, |
| 203 | and all children schemas. This includes displaying all |
| 204 | sensors in the SensorCollection. At a later date, this |
| 205 | feature will be defaulted to enabled.''' |
| 206 | ) |
| 207 | |
| 208 | option( |
| 209 | 'redfish-allow-deprecated-power-thermal', |
| 210 | type: 'feature', |
| 211 | value: 'enabled', |
| 212 | description: '''Enable/disable the old Power / Thermal. The default |
| 213 | condition is allowing the old Power / Thermal.''' |
| 214 | ) |
| 215 | |
| 216 | option( |
Ed Tanous | 4dc23f3 | 2022-05-11 11:32:19 -0700 | [diff] [blame] | 217 | 'redfish-post-to-old-updateservice', |
| 218 | type: 'feature', |
| 219 | value: 'enabled', |
| 220 | description: '''Allows POST to /redfish/v1/UpdateService, counter to |
| 221 | the redfish specification. Option provided to allow |
| 222 | potential users to move away from using this endpoint. |
| 223 | Option will be removed Q4 2022.''' |
| 224 | ) |
| 225 | |
Ed Tanous | 4dc23f3 | 2022-05-11 11:32:19 -0700 | [diff] [blame] | 226 | option( |
Gunnar Mills | 54dce7f | 2022-08-05 17:01:32 +0000 | [diff] [blame] | 227 | 'redfish-oem-manager-fan-data', |
| 228 | type: 'feature', |
| 229 | value: 'enabled', |
| 230 | description: '''Enables Redfish OEM fan data on the manager resource. |
| 231 | This includes PID and Stepwise controller data. See |
| 232 | OemManager schema for more detail.''' |
| 233 | ) |
| 234 | |
| 235 | option( |
Ed Tanous | 0cd5f78 | 2022-04-26 16:09:09 -0700 | [diff] [blame] | 236 | 'https_port', |
| 237 | type: 'integer', |
| 238 | min: 1, |
| 239 | max: 65535, |
| 240 | value: 443, |
| 241 | description: 'HTTPS Port number.' |
| 242 | ) |
Manojkiran Eda | af6298d | 2020-05-27 08:51:32 +0530 | [diff] [blame] | 243 | |
Carson Labrado | 7fb3356 | 2022-04-18 23:26:56 +0000 | [diff] [blame] | 244 | option( |
| 245 | 'redfish-aggregation', |
| 246 | type: 'feature', |
| 247 | value: 'disabled', |
| 248 | description: 'Allows this BMC to aggregate resources from satellite BMCs' |
| 249 | ) |
| 250 | |
Manojkiran Eda | af6298d | 2020-05-27 08:51:32 +0530 | [diff] [blame] | 251 | # Insecure options. Every option that starts with a `insecure` flag should |
| 252 | # not be enabled by default for any platform, unless the author fully comprehends |
| 253 | # the implications of doing so.In general, enabling these options will cause security |
| 254 | # problems of varying degrees |
| 255 | |
Ed Tanous | 0cd5f78 | 2022-04-26 16:09:09 -0700 | [diff] [blame] | 256 | option( |
| 257 | 'insecure-disable-csrf', |
| 258 | type: 'feature', |
| 259 | value: 'disabled', |
| 260 | description: '''Disable CSRF prevention checks.Should be set to false for |
| 261 | production systems.''' |
| 262 | ) |
| 263 | |
| 264 | option( |
| 265 | 'insecure-disable-ssl', |
| 266 | type: 'feature', |
| 267 | value: 'disabled', |
| 268 | description: '''Disable SSL ports. Should be set to false for production |
| 269 | systems.''' |
| 270 | ) |
| 271 | |
| 272 | option( |
| 273 | 'insecure-disable-auth', |
| 274 | type: 'feature', |
| 275 | value: 'disabled', |
Nan Zhou | a43ea82 | 2022-05-27 00:42:44 +0000 | [diff] [blame] | 276 | description: '''Disable authentication and authoriztion on all ports. |
| 277 | Should be set to false for production systems.''' |
Ed Tanous | 0cd5f78 | 2022-04-26 16:09:09 -0700 | [diff] [blame] | 278 | ) |
| 279 | |
| 280 | option( |
| 281 | 'insecure-disable-xss', |
| 282 | type: 'feature', |
| 283 | value: 'disabled', |
| 284 | description: 'Disable XSS preventions' |
| 285 | ) |
| 286 | |
| 287 | option( |
| 288 | 'insecure-tftp-update', |
| 289 | type: 'feature', |
| 290 | value: 'disabled', |
| 291 | description: '''Enable TFTP based firmware update transactions through |
| 292 | Redfish UpdateService. SimpleUpdate.''' |
| 293 | ) |
| 294 | |
| 295 | option( |
Ed Tanous | 1aa0c2b | 2022-02-08 12:24:30 +0100 | [diff] [blame^] | 296 | 'insecure-ignore-content-type', |
| 297 | type: 'feature', |
| 298 | value: 'enabled', |
| 299 | description: '''Allows parsing PUT/POST/PATCH content as JSON regardless |
| 300 | of the presence of the content-type header. Enabling this |
| 301 | conflicts with the input parsing guidelines, but may be |
| 302 | required to support old clients that may not set the |
| 303 | Content-Type header on payloads.''' |
| 304 | ) |
| 305 | |
| 306 | option( |
Ed Tanous | 0cd5f78 | 2022-04-26 16:09:09 -0700 | [diff] [blame] | 307 | 'insecure-push-style-notification', |
| 308 | type: 'feature', |
| 309 | value: 'disabled', |
| 310 | description: 'Enable HTTP push style eventing feature' |
| 311 | ) |
| 312 | |
| 313 | option( |
| 314 | 'insecure-enable-redfish-query', |
| 315 | type: 'feature', |
| 316 | value: 'disabled', |
| 317 | description: '''Enables Redfish expand query parameter. This feature is |
| 318 | experimental, and has not been tested against the full |
| 319 | limits of user-facing behavior. It is not recommended to |
| 320 | enable on production systems at this time. Other query |
| 321 | parameters such as only are not controlled by this option.''' |
| 322 | ) |