ipmi-whitelist: Restrict cold reset cmd from KCS
Issue: Issuing cold reset command from KCS interface is allowed.
Fix: Restrict cold reset command execution from KCS interface by adding
channel mask in ipmi-whitelist.conf
Tested:
Verified using ipmitool raw command from Linux OS
1. Set restriction mode as ProvisionedHostWhitelist
Commandi: busctl set-property xyz.openbmc_project.RestrictionMode.Manager
/xyz/openbmc_project/control/security/restriction_mode
xyz.openbmc_project.Control.Security.RestrictionMode
RestrictionMode s
"xyz.openbmc_project.Control.Security.RestrictionMode.Modes.
ProvisionedHostWhitelist"
Response: //Success
2. Check the restriction mode
Command: ipmitool raw 0x30 0xb3
Response: 04 00
3. Execute cold reset command from Linux OS terminal
Command: ipmitool raw 0x06 0x02
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2 rsp=0xd5): Command not supported in present state
Signed-off-by: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: I8d0b8ae6ef1d12b57ecccda302f31a85eecd8ee9
diff --git a/ipmi-whitelist.conf b/ipmi-whitelist.conf
index cfb4995..0e7e6c8 100644
--- a/ipmi-whitelist.conf
+++ b/ipmi-whitelist.conf
@@ -38,7 +38,7 @@
0x04:0x2f:0xff7f //<Sensor/Event>:<Get Sensor Type>
0x04:0x30:0x7f7f //<Sensor/Event>:<Set Sensor Reading and Event Status>
0x06:0x01:0xffff //<App>:<Get Device ID>
-0x06:0x02:0xff7f //<App>:<Cold Reset>
+0x06:0x02:0x7f7f //<App>:<Cold Reset>
0x06:0x04:0xff7f //<App>:<Get Self Test>
0x06:0x05:0x7f7f //<App>:<Manufacturing Test Mode>
0x06:0x06:0xffff //<App>:<Set ACPI Power State>