Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-host-ipmid / fd61fc3dadec94029b290a8368113b594931e221
commitfd61fc3dadec94029b290a8368113b594931e221[log] [tgz]
authorJohnathan Mantey <johnathanx.mantey@intel.com>Thu Apr 08 11:05:38 2021 -0700
committerVernon Mauery <vernon.mauery@linux.intel.com>Tue Apr 20 20:12:00 2021 +0000
tree337ecd3039f28d10afa09ebb2dba636ba69ca2ce
parent9ab2f94794c4f4ca1856d35c87abe9fa77356fa3 [diff]
Permit assignment the IPMI management channel via JSON

phosphor-ipmi-host hard codes Channel 1 as the LAN NIC responsible for
managing and updating IPMI, Redfish, and web server access
permissions. Systems that do not have an lan-802.3 channel type
configured for IPMI Channel 1 have no way of assigning permissions
that flow to phosphor-user-manager. The inability to update
permissions within phosphor-user-manaager ultimaltely flows to Redfish
and HTTPS access.

The changes in this commit provide flexibility in assigning the IPMI
channel used to propagate permission changes to
phosphor-user-manager. A new boolean keyword, is_managment_nic, is
added. This entry is added to the JSON file, channel_config.json by
default, to announce which lan-802.3 IPMI channel is to be used to
assign IPMI permissions used by phosphor-user-manager. Only one
channel can have this ability. If the keyword is missing in the JSON
file, the code falls back to using Channel 1.

Tested:
Fully testing this change requires using code that dynamically
disables Channel 1. The SUT only has a single NIC, which is not
assigned to Channel 1.

Fully reprogrammed SPI to enter a pristine state.
Created a new user, channel 3, id 2, privilege=4

Confirmed LAN "ipmitool raw 6 1" succeeds
Confirmed Web access to new user account
Confirmed Redfish acess to new user account
Confirmed BMC console "ipmitool raw 6 1" succeeds

Used BMC console ipmitool to change user permissions from 4 to
15 (i.e. no access)

Confirmed LAN "ipmitool raw 6 1" succeeds
Confirmed Web access to new user account fails
Confirmed Redfish acess to new user account fails
Confirmed BMC console "ipmitool raw 6 1" fails

Used BMC console ipmitool to change user permissions from 15 to
4 (i.e. admin)

All of the prior tests work as expected.

Change-Id: I5f6941fefc4f80742e404de1f22ba10cbedf5d5d
Signed-off-by: Johnathan Mantey <johnathanx.mantey@intel.com>
3 files changed
tree: 337ecd3039f28d10afa09ebb2dba636ba69ca2ce
  1. app/
  2. dbus-sdr/
  3. docs/
  4. include/
  5. libipmid/
  6. libipmid-host/
  7. scripts/
  8. softoff/
  9. test/
  10. user_channel/
  11. xyz/
  12. .build.sh
  13. .clang-format
  14. .gitignore
  15. .shellcheck
  16. .travis.yml
  17. apphandler.cpp
  18. apphandler.hpp
  19. bootstrap.sh
  20. chassishandler.cpp
  21. chassishandler.hpp
  22. configure.ac
  23. dcmihandler.cpp
  24. dcmihandler.hpp
  25. elog-errors.hpp
  26. entity_map_json.cpp
  27. entity_map_json.hpp
  28. error-HostEvent.hpp
  29. fruread.hpp
  30. generate_whitelist.sh
  31. globalhandler.cpp
  32. globalhandler.hpp
  33. groupext.cpp
  34. host-cmd-manager.cpp
  35. host-cmd-manager.hpp
  36. host-interface.cpp
  37. host-interface.hpp
  38. host-ipmid-whitelist.conf
  39. ipmi_fru_info_area.cpp
  40. ipmi_fru_info_area.hpp
  41. ipmid-new.cpp
  42. ipmisensor.cpp
  43. ipmiwhitelist.hpp
  44. LICENSE
  45. MAINTAINERS
  46. Makefile.am
  47. read_fru_data.cpp
  48. read_fru_data.hpp
  49. README.md
  50. sample.cpp
  51. sample.h
  52. selutility.cpp
  53. selutility.hpp
  54. sensordatahandler.cpp
  55. sensordatahandler.hpp
  56. sensorhandler.cpp
  57. sensorhandler.hpp
  58. settings.cpp
  59. settings.hpp
  60. storageaddsel.cpp
  61. storageaddsel.hpp
  62. storagehandler.cpp
  63. storagehandler.hpp
  64. sys_info_param.cpp
  65. sys_info_param.hpp
  66. systemintfcmds.cpp
  67. systemintfcmds.hpp
  68. testaddsel.cpp
  69. testit.cpp
  70. transporthandler.cpp
  71. transporthandler.hpp
  72. whitelist-filter.cpp
README.md

To build this package, do the following steps:

1. ./bootstrap.sh
2. ./configure ${CONFIGURE_FLAGS}
3. make

To clean the repository run ./bootstrap.sh clean.