bridgingcommands:Fix for System interface commands
Issue: Set BMC Global Enables, Clear Message Flags, Get Message Flags,
Get Message, Read Event Message Buffer commands are allowed to execute
in all the channels instead to allow only with System interface.
Fix: Added condition check in each API to allow only with system
interface.
Tested:
Verified using cmdtool utility and clear linux OS.
Before Fix:
Set BMC Global Enables, Clear Message Flags, Get Message Flags,
Get Message and Read Event Message Buffer commands are working in other
than system interface channels.
Command: ipmitool raw 0x06 0x2e 0x09 //Set BMC Global Enables
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd5): Command not supported in present state
Command: ipmitool raw 0x06 0x30 0x00 //Clear Message Flags
Response: //Success
Command: ipmitool raw 0x06 0x31 //Get Message Flags
Response: 00
Command: ipmitool raw 0x6 0x34 0x06 0x2c 0xd3 0x01 0xfc 0xfc 0x04 0x00
0x2c 0xfc 0x08 0xc1 0x13 //Send message
Response:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
.......
00 00 00 00 00 00 00 00
Command: ipmitool raw 0x06 0x33 //Get Message
Response: fc fc d4 30 2c fc 04 c1 13
Command: ipmitool raw 0x06 0x35 //ReadEventMessageBuffer
Response: 55 55 c0 41 a7 00 00 00 00 00 3a ff 00 ff ff ff
Verified from Clear Linux (System interface):
Command: ipmitool raw 0x06 0x2e 0x09 //Set BMC Global Enables
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd5): Command not supported in present state
After Fix:
1. Verified executing from BMC.
2. Enable ProvisionedHostWhitelist mode (KCS trust policy) and verified.
Command: ipmitool raw 0x06 0x2e 0x09 //Set BMC Global Enables
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd5): Command not supported in present state
Command: ipmitool raw 0x06 0x30 0x00 //Clear Message Flags
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd5): Command not supported in present state
Command: ipmitool raw 0x06 0x31 //Get Message Flags
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd5): Command not supported in present state
Command: ipmitool raw 0x06 0x33 //Get Message
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd5): Command not supported in present state
Command: ipmitool raw 0x06 0x35 //ReadEventMessageBuffer
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd5): Command not supported in present state
Verified from system interface using cmdtool utility and Clear linux.
Command: cmdtool.efi 20 18 2e 9 //Set BMC Global Enables
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd4): Insufficient privilege level
Command: cmdtool.efi 20 18 30 00 //Clear Message Flags
Response: 00 //Success
Command: cmdtool.efi 20 18 31 //Get Message Flags
Response: 00 02
Command: cmdtool.efi 20 18 33 //Get Message
Response: 00 FC FC D4 30 2C FC 04 C1 13
Command: cmdtool.efi 20 18 35 //ReadEventMessageBuffer
Response: 00 55 55 C0 41 A7 00 00 00 00 00 3A FF 00 FF FF FF
Verified using Clear Linux (System Interface)
Command: ipmitool raw 6 0x2e //Set BMC Global Enables
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2e rsp=0xd4): Insufficient privilege level
Command: ipmitool raw 6 0x30 0x00 //Clear Message Flags
Response: //Success
Command: ipmitool raw 6 0x31 //Get Message Flags
Response: 02
Note: OpenIPMI driver provided by the Linux kernel will reject the
Get Message, Send Message and Read Event Message Buffer commands
because it handles the message sequencing internally.
https://manpages.debian.org/testing/ipmitool/ipmitool.1.en.html
Signed-off-by: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: Id2246a9f7427f9c4af12201fc9d19cccb41fc6ae
diff --git a/ipmi-whitelist.conf b/ipmi-whitelist.conf
index 17bf8bb..67bf9f2 100644
--- a/ipmi-whitelist.conf
+++ b/ipmi-whitelist.conf
@@ -47,13 +47,13 @@
0x06:0x22:0xff7f //<App>:<Reset Watchdog Timer>
0x06:0x24:0xff7f //<App>:<Set Watchdog Timer>
0x06:0x25:0xff7f //<App>:<Get Watchdog Timer>
-0x06:0x2e:0x7f7f //<App>:<Set BMC Global Enables>
+0x06:0x2e:0x0000 //<App>:<Set BMC Global Enables>
0x06:0x2f:0xffff //<App>:<Get BMC Global Enables>
-0x06:0x30:0xffff //<App>:<Clear Message Flags>
-0x06:0x31:0xffff //<App>:<Get Message Flags>
-0x06:0x33:0xff7f //<App>:<Get Message>
+0x06:0x30:0x8080 //<App>:<Clear Message Flags>
+0x06:0x31:0x8080 //<App>:<Get Message Flags>
+0x06:0x33:0x8000 //<App>:<Get Message>
0x06:0x34:0x7f7f //<App>:<Send Message>
-0x06:0x35:0xffff //<App>:<Read Event Message Buffer>
+0x06:0x35:0x8080 //<App>:<Read Event Message Buffer>
0x06:0x37:0xff7f //<App>:<Get System GUID>
0x06:0x38:0xff7f //<App>:<Get Channel Authentication Capability>
0x06:0x39:0xff7f //<App>:<Get Session Challenge>
diff --git a/src/bridgingcommands.cpp b/src/bridgingcommands.cpp
index 2f2c3fa..b44edc3 100644
--- a/src/bridgingcommands.cpp
+++ b/src/bridgingcommands.cpp
@@ -23,6 +23,7 @@
#include <sdbusplus/bus/match.hpp>
#include <sdbusplus/message.hpp>
#include <storagecommands.hpp>
+#include <user_channel/channel_layer.hpp>
#include <bitset>
#include <cstring>
@@ -468,8 +469,30 @@
ipmi::RspType<uint8_t, // channelNumber
std::vector<uint8_t> // messageData
>
- ipmiAppGetMessage()
+ ipmiAppGetMessage(ipmi::Context::ptr ctx)
{
+ ipmi::ChannelInfo chInfo;
+
+ try
+ {
+ getChannelInfo(ctx->channel, chInfo);
+ }
+ catch (sdbusplus::exception_t& e)
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppGetMessage: Failed to get Channel Info",
+ phosphor::logging::entry("MSG: %s", e.description()));
+ return ipmi::responseUnspecifiedError();
+ }
+ if (chInfo.mediumType !=
+ static_cast<uint8_t>(ipmi::EChannelMediumType::systemInterface))
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppGetMessage: Error - supported only in System(SMS) "
+ "interface");
+ return ipmi::responseCommandNotAvailable();
+ }
+
uint8_t channelData = 0;
std::vector<uint8_t> res(ipmbMaxFrameLength);
size_t dataLength = 0;
@@ -513,8 +536,30 @@
@return IPMI completion code plus Flags as response data on success.
**/
-ipmi::RspType<std::bitset<8>> ipmiAppGetMessageFlags()
+ipmi::RspType<std::bitset<8>> ipmiAppGetMessageFlags(ipmi::Context::ptr ctx)
{
+ ipmi::ChannelInfo chInfo;
+
+ try
+ {
+ getChannelInfo(ctx->channel, chInfo);
+ }
+ catch (sdbusplus::exception_t& e)
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppGetMessageFlags: Failed to get Channel Info",
+ phosphor::logging::entry("MSG: %s", e.description()));
+ return ipmi::responseUnspecifiedError();
+ }
+ if (chInfo.mediumType !=
+ static_cast<uint8_t>(ipmi::EChannelMediumType::systemInterface))
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppGetMessageFlags: Error - supported only in System(SMS) "
+ "interface");
+ return ipmi::responseCommandNotAvailable();
+ }
+
std::bitset<8> getMsgFlagsRes;
// set event message buffer bit
@@ -570,11 +615,34 @@
* @return IPMI completion code on success
*/
-ipmi::RspType<> ipmiAppClearMessageFlags(bool receiveMessage,
+ipmi::RspType<> ipmiAppClearMessageFlags(ipmi::Context::ptr ctx,
+ bool receiveMessage,
bool eventMsgBufFull, bool reserved2,
bool watchdogTimeout, bool reserved1,
bool oem0, bool oem1, bool oem2)
{
+ ipmi::ChannelInfo chInfo;
+
+ try
+ {
+ getChannelInfo(ctx->channel, chInfo);
+ }
+ catch (sdbusplus::exception_t& e)
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppClearMessageFlags: Failed to get Channel Info",
+ phosphor::logging::entry("MSG: %s", e.description()));
+ return ipmi::responseUnspecifiedError();
+ }
+ if (chInfo.mediumType !=
+ static_cast<uint8_t>(ipmi::EChannelMediumType::systemInterface))
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppClearMessageFlags: Error - supported only in System(SMS) "
+ "interface");
+ return ipmi::responseCommandNotAvailable();
+ }
+
if (reserved1 || reserved2)
{
return ipmi::responseInvalidFieldRequest();
@@ -640,8 +708,30 @@
uint8_t, // Record Type
std::variant<systemEventType, oemTsEventType,
oemEventType>> // Record Content
- ipmiAppReadEventMessageBuffer()
+ ipmiAppReadEventMessageBuffer(ipmi::Context::ptr ctx)
{
+ ipmi::ChannelInfo chInfo;
+
+ try
+ {
+ getChannelInfo(ctx->channel, chInfo);
+ }
+ catch (sdbusplus::exception_t& e)
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppReadEventMessageBuffer: Failed to get Channel Info",
+ phosphor::logging::entry("MSG: %s", e.description()));
+ return ipmi::responseUnspecifiedError();
+ }
+ if (chInfo.mediumType !=
+ static_cast<uint8_t>(ipmi::EChannelMediumType::systemInterface))
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "ipmiAppReadEventMessageBuffer: Error - supported only in "
+ "System(SMS) interface");
+ return ipmi::responseCommandNotAvailable();
+ }
+
uint16_t recordId =
static_cast<uint16_t>(0x5555); // recordId: 0x55 << 8 | 0x55
uint16_t generatorId =