IPMI: Difference between revisions
Line 1: | Line 1: | ||
== What is IPMI == | == What is IPMI == | ||
'''Intelligent Platform Management Interface''' ('''IPMI''') is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities '''independently of the host system's CPU, firmware ([[BIOS]] or UEFI) and operating system'''.<ref>https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface</ref> | '''Intelligent Platform Management Interface''' ('''IPMI''') is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities '''independently of the host system's CPU, firmware ([[BIOS]] or UEFI) and operating system'''.<ref>https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface</ref> | ||
Line 47: | Line 48: | ||
== IPMI Security == | == IPMI Security == | ||
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI must be restricted to a management VLAN segment with strong network controls. The default password on a shipped system must be changed to utilize stronger passwords. Devices that run IPMI must have strong, unique passwords set for the IPMI service. | Restrict IPMI traffic to trusted internal networks. Traffic from IPMI must be restricted to a management VLAN segment with strong network controls. <u>The default password on a shipped system must be changed to utilize stronger passwords</u>. Devices that run IPMI must have strong, unique passwords set for the IPMI service. | ||
Each defined cipher suite specifies what authentication, integrity, and encryption protocol are used when an IPMI connection is made. | |||
System's Cipher suite can be checked by "ipmitool lan print" output <syntaxhighlight lang="bash"> | |||
$ sudo ipmitool lan print | |||
... | |||
RMCP+ Cipher Suites : 0,1,2,3,6,7,8,11,12,15,16,17 | |||
Cipher Suite Priv Max : caaaaaaaaaaaXXX | |||
: X=Cipher Suite Unused | |||
: c=CALLBACK | |||
: u=USER | |||
: o=OPERATOR | |||
: a=ADMIN | |||
: O=OEM | |||
... | |||
</syntaxhighlight> | |||
=== Cipher suite === | === [[Cipher suite]]<ref>https://en.wikipedia.org/wiki/Cipher_suite</ref> === | ||
* Cipher 0 is an option that is enabled by default on many IPMI-enabled devices that allows authentication to be bypassed. Disable cipher 0 to prevent attackers from bypassing authentication and sending arbitrary IPMI commands. | * Cipher 0 is an option that is enabled by default on many IPMI-enabled devices that allows authentication to be bypassed. Disable cipher 0 to prevent attackers from bypassing authentication and sending arbitrary IPMI commands. | ||
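Review bot: In the added sample output, "Cipher Suite Priv Max : caaaaaaaaaaaXXX" starts with c=CALLBACK rather than X, so cipher suite 0 is still enabled on the system shown, while the bullet right below it tells readers to disable cipher 0. Say in the sentence that introduces the output that this is the state before hardening, or show the output again after cipher_privs has been changed. That introducing sentence also runs straight into <syntaxhighlight lang="bash"> on the same line; put the tag on its own line.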
Line 92: | Line 109: | ||
$ sudo ipmitool lan set 1 snmp <Your SNMP> | $ sudo ipmitool lan set 1 snmp <Your SNMP> | ||
$ sudo ipmitool lan set 1 defgw ipaddr <Your gateway server> | $ sudo ipmitool lan set 1 defgw ipaddr <Your gateway server> | ||
</syntaxhighlight>IPMI Cipher suite<syntaxhighlight lang="bash"> | |||
# To check current cipher suites | |||
$ sudo ipmitool lan print | |||
... | |||
RMCP+ Cipher Suites : 0,1,2,3,6,7,8,11,12,15,16,17 | |||
Cipher Suite Priv Max : caaaaaaaaaaaXXX | |||
: X=Cipher Suite Unused | |||
: c=CALLBACK | |||
: u=USER | |||
: o=OPERATOR | |||
: a=ADMIN | |||
: O=OEM | |||
... | |||
# To change new cipher Suite, example enable only cipher suites 3 | |||
$sudo ipmitool lan set 1 cipher_privs XXXaXXXXXXXXXXX | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |- |
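Review bot: The added block repeats the "ipmitool lan print" output that this same revision also adds under IPMI Security; keep one copy and refer to it from the other place. In the last added line, "$sudo ipmitool lan set 1 cipher_privs XXXaXXXXXXXXXXX" is missing the space after the prompt that the other commands in this cell have, and the comment above it should explain that the position of the "a" in the 15-character string is what selects suite 3. The "IPMI Cipher suite" label is fused to the closing </syntaxhighlight> tag and would read better on its own line.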
Revision as of 11:05, 31 October 2024
What is IPMI
Intelligent Platform Management Interface (IPMI) is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system's CPU, firmware (BIOS or UEFI) and operating system.[1]
A BMC (baseboard management controller) is a core building block of the IPMI subsystem. OpenBMC is a Linux Foundation Collaborative open-source BMC project.
IPMItool is a utility to monitor, configure, and manage devices that support the Intelligent Platform Management Interface (IPMI). It is available with recent Ubuntu Linux distributions.
IPMItool[2]
IPMItool uses the System Interface (in-band) to run IPMI commands on the local BMC through the OpenIPMI driver. IPMItool can also use a LAN interface to receive IPMI responses from a remote (out-of-band) IPMI-based platform, if you know its BMC IP address and have user access to the BMC.
$ sudo ipmitool channel info
Channel 0xf info:
Channel Medium Type : System Interface
Channel Protocol Type : KCS
Session Support : session-less
Active Session Count : 0
Protocol Vendor ID : 7154
Most platforms with IPMI also have a LAN interface that is assigned to channel number 1:
$ sudo ipmitool channel info 1
Channel 0x1 info:
Channel Medium Type : 802.3 LAN
Channel Protocol Type : IPMB-1.0
Session Support : multi-session
Active Session Count : 0
Protocol Vendor ID : 7154
Volatile(active) Settings
Alerting : enabled
Per-message Auth : disabled
User Level Auth : enabled
Access Mode : always available
Non-Volatile Settings
Alerting : enabled
Per-message Auth : disabled
User Level Auth : enabled
Access Mode : always available
IPMItool supports various interfaces for remote commands:
- open Linux OpenIPMI Interface [default]
- imb Intel IMB Interface
- lan IPMI v1.5 LAN Interface
- lanplus IPMI v2.0 RMCP+ LAN Interface
- free FreeIPMI IPMI Interface
- serial-terminal Serial Interface, Terminal Mode
- serial-basic Serial Interface, Basic Mode
- dummy Linux DummyIPMI Interface
- usb IPMI USB Interface(OEM Interface for AMI Devices)
IPMI Security
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI must be restricted to a management VLAN segment with strong network controls. The default password on a shipped system must be changed to utilize stronger passwords. Devices that run IPMI must have strong, unique passwords set for the IPMI service.
Each defined cipher suite specifies which authentication, integrity, and encryption algorithms are used when an IPMI connection is made.
The system's cipher suites can be checked in the output of "ipmitool lan print":
$ sudo ipmitool lan print
...
RMCP+ Cipher Suites : 0,1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max : caaaaaaaaaaaXXX
: X=Cipher Suite Unused
: c=CALLBACK
: u=USER
: o=OPERATOR
: a=ADMIN
: O=OEM
...
Cipher suite[3]
- Cipher 0 is an option, enabled by default on many IPMI-enabled devices, that allows authentication to be bypassed. Disable cipher 0 to prevent attackers from bypassing authentication and sending arbitrary IPMI commands.
- Cipher suite 3 (authentication – RAKP-HMAC-SHA1; integrity – HMAC-SHA1-96; confidentiality – AES-CBC-128). Cipher suite 3 is the default option in IPMItool.
- Cipher suite 17 (authentication – RAKP-HMAC-SHA256; integrity – HMAC-SHA256-128; confidentiality – AES-CBC-128).
- Others
- Anonymous logins must be disabled.
- Create IPMI accounts with a user name. Nameless accounts must be disabled.
- Use strong passwords
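The cipher suite check described above, as an added example (not part of the original page or of ipmitool): a POSIX shell helper that reads the two cipher-suite lines of "ipmitool lan print", lists which suites are usable at which privilege level, and builds a cipher_privs string. It assumes each character position of the privilege string maps to the entry at the same position in the "RMCP+ Cipher Suites" list, which is how the sample output on this page lines up; audit_cipher_privs, cipher0_enabled, build_cipher_privs and SAMPLE are names made up for this example.

```sh
# Added example. SAMPLE holds the two relevant lines of the
# `ipmitool lan print` output shown on this page.
SAMPLE='RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max   : caaaaaaaaaaaXXX'

# Assumption: character N of "Cipher Suite Priv Max" belongs to entry N of
# the "RMCP+ Cipher Suites" list (12 suites, 12 non-X characters above).

# Read `ipmitool lan print` output on stdin; print "<suite> <priv>" for every
# suite whose privilege character is not X (unused).
audit_cipher_privs() {
  awk -F' *: *' '
    /^RMCP[+] Cipher Suites/ { gsub(/[ \r]/, "", $2); n = split($2, suite, ",") }
    /^Cipher Suite Priv Max/ { gsub(/[ \r]/, "", $2); privs = $2 }
    END {
      for (i = 1; i <= n; i++) {
        p = substr(privs, i, 1)
        if (p != "" && p != "X") print suite[i], p
      }
    }'
}

# Succeed (exit 0) when cipher suite 0 is usable at any privilege level.
cipher0_enabled() {
  audit_cipher_privs | grep -q '^0 '
}

# build_cipher_privs LIST KEEP: 15-character string granting ADMIN ("a") to
# the suites named in KEEP (space separated) and X to every other position.
build_cipher_privs() {
  bcp_out=""
  bcp_ifs=$IFS; IFS=','
  for bcp_s in $1; do
    case " $2 " in
      *" $bcp_s "*) bcp_out="${bcp_out}a" ;;
      *)            bcp_out="${bcp_out}X" ;;
    esac
  done
  IFS=$bcp_ifs
  while [ "${#bcp_out}" -lt 15 ]; do bcp_out="${bcp_out}X"; done
  printf '%s\n' "$bcp_out"
}

# On a real host: sudo ipmitool lan print | audit_cipher_privs
if printf '%s\n' "$SAMPLE" | cipher0_enabled; then
  echo "cipher suite 0 is enabled; lock it out with:"
  echo "  ipmitool lan set 1 cipher_privs $(build_cipher_privs 0,1,2,3,6,7,8,11,12,15,16,17 '3 17')"
fi
```

For the suite list on this page, keeping only suite 3 reproduces the page's own string XXXaXXXXXXXXXXX.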
IPMI Usage
commands | Description | Notes and comments (all examples use in-band commands)
For an out-of-band (remote) connection, add the -I <Interface> -H <hostip> -U <username> -P <password> options |
---|---|---|
raw | Send a RAW IPMI request and print response | |
i2c | Send an I2C Master Write-Read command and print response | |
spd | Print SPD info from remote I2C device | |
lan | Configure LAN Channels | # Show current lan configuration
$ sudo ipmitool lan print
$ sudo ipmitool lan6 print
# Set IPv4 information
$ sudo ipmitool lan set 1 ipaddr <Your IP address for the BMC>
$ sudo ipmitool lan set 1 netmask <Your Subnet Mask>
$ sudo ipmitool lan set 1 snmp <Your SNMP>
$ sudo ipmitool lan set 1 defgw ipaddr <Your gateway server>
# To check current cipher suites
$ sudo ipmitool lan print
...
RMCP+ Cipher Suites : 0,1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max : caaaaaaaaaaaXXX
: X=Cipher Suite Unused
: c=CALLBACK
: u=USER
: o=OPERATOR
: a=ADMIN
: O=OEM
...
# To change the cipher suite privileges; this example enables only cipher suite 3
$ sudo ipmitool lan set 1 cipher_privs XXXaXXXXXXXXXXX
|
lan6 | Configure IPv6 LAN Channels | |
chassis | Get chassis status and set power state | # Show system status
$ sudo ipmitool chassis status
System Power : on
Power Overload : false
Power Interlock : inactive
Main Power Fault : false
Power Control Fault : false
Power Restore Policy : always-off
Last Power Event : ac-failed
Chassis Intrusion : inactive
Front-Panel Lockout : inactive
Drive Fault : false
Cooling/Fan Fault : false
Sleep Button Disable : allowed
Diag Button Disable : allowed
Reset Button Disable : allowed
Power Button Disable : allowed
Sleep Button Disabled: false
Diag Button Disabled : false
Reset Button Disabled: false
Power Button Disabled: false
# To power on the server
$ sudo ipmitool chassis power on
# To gracefully shut down the OS and power off the server to standby power mode
$ sudo ipmitool chassis power soft
# To perform an immediate power off from full-power mode to standby power mode (not graceful)
$ sudo ipmitool chassis power off
# To reset the server (cycle power on and off)
$ sudo ipmitool chassis power cycle
# To set the chassis policy, which determines what the system does after a power loss (once power is restored)
$ sudo ipmitool chassis policy <state>
# where <state> is one of:
#   list : return supported policies
#   always-on : turn on when power is restored
#   previous : return to previous state when power is restored
#   always-off : stay off after power is restored
# To modify the boot device for the next reboot
$ sudo ipmitool chassis bootdev pxe
$ sudo ipmitool chassis bootdev cdrom
$ sudo ipmitool chassis bootdev bios |
power | Shortcut to chassis power commands | |
event | Send pre-defined events to MC | |
mc | Management Controller status and global enables | # To check MC (BMC) information
$ sudo ipmitool mc info
# To reset MC (BMC) controller
$ sudo ipmitool mc reset [ warm | cold ] |
sdr | Print Sensor Data Repository entries and readings | # To check sensor information
$ sudo ipmitool sdr list
# To list the sensor types
$ sudo ipmitool sdr type
Sensor Types:
Temperature (0x01) Voltage (0x02)
Current (0x03) Fan (0x04)
Physical Security (0x05) Platform Security (0x06)
Processor (0x07) Power Supply (0x08)
Power Unit (0x09) Cooling Device (0x0a)
Other (0x0b) Memory (0x0c)
Drive Slot / Bay (0x0d) POST Memory Resize (0x0e)
System Firmwares (0x0f) Event Logging Disabled (0x10)
Watchdog1 (0x11) System Event (0x12)
Critical Interrupt (0x13) Button (0x14)
Module / Board (0x15) Microcontroller (0x16)
Add-in Card (0x17) Chassis (0x18)
Chip Set (0x19) Other FRU (0x1a)
Cable / Interconnect (0x1b) Terminator (0x1c)
System Boot Initiated (0x1d) Boot Error (0x1e)
OS Boot (0x1f) OS Critical Stop (0x20)
Slot / Connector (0x21) System ACPI Power State (0x22)
Watchdog2 (0x23) Platform Alert (0x24)
Entity Presence (0x25) Monitor ASIC (0x26)
LAN (0x27) Management Subsys Health (0x28)
Battery (0x29) Session Audit (0x2a)
Version Change (0x2b) FRU State (0x2c)
# To check specific sdr type
$ sudo ipmitool sdr type Temperature
$ sudo ipmitool sdr type Fan
$ sudo ipmitool sdr type 'Power Supply' |
sensor | Print detailed sensor information | |
fru | Print built-in FRU and scan SDR for FRU locators | # Print the FRU information
$ sudo ipmitool fru |
gendev | Read/Write Device associated with Generic Device locators sdr | |
sel | Print System Event Log (SEL)
Returns an error log |
# ipmitool sel list
...
6c | 10/29/2024 | 05:55:17 | Temperature #0x30 | Upper Critical going high | Asserted
...
The first column is a unique record number in hexadecimal format. The next two columns are the date and time stamp. The fourth column shows the corresponding sensor. The final column shows a description.
# To check system logging
$ sudo ipmitool sel info
$ sudo ipmitool sel list
$ sudo ipmitool sel elist # extended list (see manpage)
$ sudo ipmitool sel clear
# On Ubuntu, ipmievd is disabled by default
$ sudo systemctl enable ipmievd
Synchronizing state of ipmievd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ipmievd
Created symlink /etc/systemd/system/ipmi.service → /lib/systemd/system/ipmievd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ipmievd.service → /lib/systemd/system/ipmievd.service.
# enable and start ipmievd
$ sudo systemctl start ipmievd
$ sudo systemctl status ipmievd
● ipmievd.service - IPMI event daemon
Loaded: loaded (/lib/systemd/system/ipmievd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2024-10-31 09:32:09 KST; 13s ago
Process: 377408 ExecStart=/usr/sbin/ipmievd open daemon (code=exited, status=0/SUCCESS)
Main PID: 377420 (ipmievd)
Tasks: 1 (limit: 308967)
Memory: 1.8M
CGroup: /system.slice/ipmievd.service
└─377420 /usr/sbin/ipmievd open daemon |
pef | Configure Platform Event Filtering (PEF) | |
sol | Configure and connect IPMIv2.0 Serial-over-LAN | # Activate the SOL system console
$ sudo ipmitool sol activate
# Deactivate the SOL system console
$ sudo ipmitool sol deactivate
# Set the default retry-interval value in milliseconds
$ sudo ipmitool sol set retry-interval <value> |
tsol | Configure and connect with Tyan IPMIv1.5 Serial-over-LAN | |
isol | Configure IPMIv1.5 Serial-over-LAN | |
user | Configure Management Controller users | # List IPMI users
$ sudo ipmitool user list 1
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 false false true ADMINISTRATOR
2 root false false true ADMINISTRATOR
3 true false false NO ACCESS
...
# To change the name of userid 2, run the following command:
$ sudo ipmitool user set name 2 <New User ID>
# To set a new password for userid 2, run the following command:
$ sudo ipmitool user set password 2 <New Password>
# You can also use a null user for anonymous login. To change the password for the null user (userid 1) on the LAN channel, run the following command:
$ sudo ipmitool lan set 1 password <New Password>
# To delete a user ID, set its user name to empty
$ sudo ipmitool user set name <ID> "" |
channel | Configure Management Controller channels | |
session | Print session information | |
dcmi | Data Center Management Interface | # To check system power information
$ sudo ipmitool dcmi power
power <command>
reading Get power related readings from the system
get_limit Get the configured power limits
set_limit Set a power limit option
activate Activate the set power limit
deactivate Deactivate the set power limit
$ sudo ipmitool dcmi power reading
Instantaneous power reading: 425 Watts
Minimum during sampling period: 0 Watts
Maximum during sampling period: 1520 Watts
Average power reading over sample period: 319 Watts
IPMI timestamp: Thu Oct 31 01:30:54 2024
Sampling period: 00000005 Seconds.
Power reading state is: activated
$ sudo ipmitool dcmi power get_limit
Current Limit State: Power Limit Active
Exception actions: Hard Power Off & Log Event to SEL
Power Limit: 500 Watts
Correction time: 1000 milliseconds
Sampling period: 5 seconds |
nm | Node Manager Interface | |
sunoem | OEM Commands for Sun servers | |
kontronoem | OEM Commands for Kontron devices | |
picmg | Run a PICMG/ATCA extended cmd | |
fwum | Update IPMC using Kontron OEM Firmware Update Manager | |
firewall | Configure Firmware Firewall | |
delloem | OEM Commands for Dell systems | |
shell | Launch interactive IPMI shell | |
exec | Run list of commands from file | |
set | Set runtime variable for shell and exec | |
hpm | Update HPM components using PICMG HPM.1 file | |
ekanalyzer | run FRU-Ekeying analyzer using FRU files | |
ime | Update Intel Manageability Engine Firmware | |
vita | Run a VITA 46.11 extended cmd |