Purpose: This introduces a simplified view of the BMC's primary interfaces. It is intended to provide a reference suitable for a wide audience:
- Engineers provide domain expertise in specific areas and learn about use cases and threats their interfaces poses.
- Give BMC administrators and system integrators a simplified view of the BMC's system interfaces. For example, to understand which interfaces can be disabled.
- Management and security folks need everything to work and play together nicely. For example, to understand the BMC's attack surfaces.
This section shows the BMC's primary interfaces and how they are related. It begins with the BMC's physical interfaces and moves toward abstractions such as network services. The intent is to show the interfaces essential to the OpenBMC project in a framework to reason about which interfaces are present, how they are related. This provides a foundation to reason about which can be disabled, how they are secured, etc. The appendix provides details about each interface and service shown.
OpenBMC's services and the interfaces they provide are controlled by systemd.
This document references OpenBMC systemd unit names to help link concepts to
the source code. The reader is assumed to be familiar with systemd concepts.
The templated units ("unit@.service") may be omitted for clarity. Relevant
details from the unit file may be shown, such as the program which implements a
service.
The OpenBMC Service Management interface can control systemd services. For
example, disabling a BMC service will disable the corresponding external
interface.
Diagrams are included to help visualize relationships. The diagrams show management agents on the left side, the BMC in the center, and host elements on the right side. The diagrams are simplified and are not intended to be complete.
This shows the BMC's physical connections including network, USB, UART serial, and connections to its host platform. This uses a simplified view of the host which shows only the host interfaces that connect directly to the BMC. A typical host would have additional connections for console, network, etc.
Interfaces between the BMC and its host platform vary considerably based on BMC and host platform implementation. The information presented in this section and its subsections is intended to illustrate common elements, not to represent any particular system. This section is intended to be referenced by additional documentation which gives details for specific BMC and host implementations.
+----------------+ +----------------+
| BMC | | Host |
| | | |
| Network -+- LPC ---+- |
-+- eth0 -+--PCIe --+- |
-+- eth1 -+--UART --+- |
| lo -+- I2C ---+- |
| -+--I3C ---+- |
| USB -+- SPI ---+- |
-+- usb0 -+- PECI --+- |
| -+- GPIOs -+- |
| Serial -+- UTMI --+- |
-+- tty0 | | |
| | | |
+----------------+ +----------------+
This lists protocols that operate over the BMC-host physical interfaces:
- Host IPMI.
- MCTP. OpenBMC offers MCTP over LPC, PCIe, UART.
- Custom OEM solution.
- SMBus.
This lists specifications for the data which flows over the BMC-host transport protocols:
- Host IPMI.
- PLDM (DMTF document DSP0240).
- Custom OEM solution.
OpenBMC provides services via its management network. The default services are listed here by port number. More information about each service is given in sections below or in the appendix.
+----------------------------------+
| BMC |
| |
-+-+ Network services |
| | |
| +-+ TCP ports |
| | +- 22 ssh - shell |
| | +- 80 HTTP (no connection) |
| | +- 443 HTTPS |
| | +- 2200 ssh - host console |
| | +- 5355 mDNS service discovery |
| | |
| +-+ UDP ports |
| +- 427 SLP |
| +- 623 RMCP+ IPMI |
| +- 5355 mDNS service discovery |
| |
+----------------------------------+
Services provided to connected clients may use ports for:
- Active SSH sessions.
- Active KVM-IP sessions.
- Active virtual media sessions.
This section lists network services used by OpenBMC systems. OpenBMC uses the typical services in the usual way, such as NTP, DNS, and DHCP. In addition, OpenBMC uses:
- TFTP (disabled by default, when invoked by BMC operator) - Trivial FTP client to fetch firmware images for code update.
- SNMP manager to catch SNMP traps (when enabled).
OpenBMC provides access to its host's serial console in various ways:
- Client access via network IPMI.
- Client access via ssh port 2200.
- The hostlogger facility.
+---------------------------+ +-----------------+
| BMC | | Host |
ipmitool sol | | | |
activate | | | |
UDP port 623 .... netipmid ------------} | | |
| } | | |
ssh -p 2200 ... obmc-console-client -}---+----+- serial UART |
TCP port 2200 | } | | console |
| hostlogger ----------} | | |
| | | |
+---------------------------+ +-----------------+
The obmc-console details how the host UART connection is abstracted within the BMC as a Unix domain socket.
OpenBMC provides a custom HTTP/Web server called BMCWeb.
+--------------------------------------------------+
| BMC |
| |
-+-+ Network services |
| ++ TCP |
| +- 443 HTTPS - BMCWeb -> { static content |
| | { Web app (webui) |
| +- (other ports) <---+ { Redfish schema |
| | | { /login |
| V | { Redfish REST APIs |
-+- Websockets -+ | { Phosphor REST APIs |
| | +<--{-- can set up: |
| | { KVM-IP, USB-IP, |
| various { Virtual Media |
| |
+--------------------------------------------------+
In the diagram, the arrowheads represent the flow of control from web agents to BMCWeb APIs, some of which set up Websockets which give the network agent direct communication with the desired interface (not via BMCWeb).
Note that BMCWeb is configurable at compile time. This section describes the default configuration (which serves the HTTP application protocol over the HTTPS transport protocol on TCP port 443).
Services provided:
- Web application (webui-vue) and other static content
- REST APIs including custom phosphor-rest and Redfish APIs
- KVM-IP (Keyboard, Video, Mouse over IP)
- Virtual media via USB-IP (Universal Serial Bus over IP)
- others
OpenBMC provides a host IPMI service.
+---------------+ +-----------------+
| BMC | | Host |
| | | |
| ipmid -+----+- |
| | | |
+---------------+ +-----------------+
The IPMI firmware firewall (which aims to control which host commands and channels can be used) is not implemented in OpenBMC. There is support for a Phosphor host IPMI whitelist scheme.
OpenBMC uses D-Bus interfaces as the primary way to communicate (inter-process communication) between OpenBMC applications. Note that other methods are used, for example Unix domain sockets.
+--------------------------------------------------+
| BMC |
| |
| +-------+ |
| | D-Bus | |
| | -+- bmcweb |
| | -+- ipmid |
| | -+- ... |
| | -+- many more (not shown here) |
| | -+- ... |
| | | |
| +-------+ |
| |
+--------------------------------------------------+
To learn more, read the Phosphor D-Bus interface docs and search for README files in various subdirectories under the xyz/openbmc_project path.
This section lists each interface and service shown in this document. The intent is to give the relevance of each item and how to locate details in the source code.
This sections shows variations in the operational environment of the BMC's management network.
The BMC may be connected to a network used to manage the BMC. This is dubbed the "management network" to distinguish it from the payload network the host system is connected to. These are typically separate networks.
+-----------+ +----------------+
| BMC | | Host |
management | | | |
network ---+- Network | | Network -+- payload
| | | | network
+-----------+ +----------------+
The BMC may be served by a Network Controller Sideband Interface (NC-SI) which maintains a logically separate network from the host, as shown in this diagram:
+-----------+ +----------------+
| BMC | | Host |
management | | | |
network +-+- Network | | Network -+-+
| | | | | |
| +-----------+ +----------------+ |
| |
| +------------------+ |
| | NIC | |
| |.........+ -+-------------+
+------+- side- : |
management -------+- band : -+- payload
network |.........+ | network
+------------------+
The BMC's management network may be provided by its host system and have no direct connection external to the host, as shown in this diagram:
+-----------+ +----------------+
| BMC | | Host |
| | | |
+--+- Network | | Network -+- payload
| | | | | network
| | | +--+- management |
| | | | | network |
| +-----------+ | +----------------+
| |
+------------------+
The BMC's management network may be connected to USB (LAN over USB):
+-----------+ +----------------+
| BMC | | Host |
+-+ | | | |
USB --+---+- Network | | Network -+- payload
+-+ | | | | network
| | | |
+-----------+ +----------------+
This gives access to the BMC's console which provides such function as controlling the BMC's U-Boot and then providing access to the BMC's shell. Contrast with the host serial console access.
This refers to the standard NIC and Linux network services on the BMC.
This refers to the SSH protocol which provides both secure shell (ssh) and secure copy (scp) access to the BMC. OpenBMC uses the Dropbear SSH implementation. Note that port 22 connects to the BMC's shell, while port 2200 connects to the host console.
OpenBMC supports the HTTP application protocol over HTTPS, both handled by the BMCWeb server. The "http" URI scheme is disabled by default but can be enabled at compile time by BMCWeb configuration options.
Refers to the BMC's access to its host's serial connection which typically
accesses the host system's console. See also obmc-console-server which
provides host serial access to various internal BMC services. Contrast with
access to the BMC's serial connection which provides access to the BMC's
console.
Refers to the multicast discovery service (mDNS). For example, you can find the
BMC via the avahi-browse -rt _obmc_rest._tcp command.
Refers to the unicast service discovery protocol provided by slpd. For
example, you can find the BMC via the
slptool -u ${ip} findsrvtypes or findsrvs command.
Refers to the RMCP+ protocol and IPMI implementation provided by netipmid with
source here: https://github.com/openbmc/phosphor-net-ipmid and some details
provided by IPMI Session management. Network IPMI provides access to many
resources including host IPMI access, SOL (access to the host console), and
more. Also known as out of band IPMI. Contrast with host-IPMI which interacts
with the host and with Redfish which provides alternate function.
The BMC's RMCP+ IPMI interface is designed to be operated by the [ipmitool][]
external command.
Refers to the host-facing IPMI service provided by the ipmid program with
source here: https://github.com/openbmc/phosphor-host-ipmid. The systemd
service is phosphor-ipmi-host implemented by the ipmid program. Also known
as in-band IPMI. Contrast with RMCP+ which faces the network and with PLDM which
provides alternate function.
This refers to the BMC's command line interface which defaults to the bash
program provided via the /bin/sh path on the BMC's file system. Note that the
shell (together with its utility programs) provides access to many of the BMC's
internal and external interfaces.
This refers to support for multiple independent consoles in https://github.com/openbmc/obmc-console and two applications:
- The
obmc-console-serverabstracts the host console (UART) connection as a Unix domain socket. - The
obmc-console-clientcan connect a console to an SSH session.
Other applications use the console server.
Refers to the BMC service provided by the hostlogger program here:
https://github.com/openbmc/phosphor-hostlogger which listens to the
obmc-console-server and logs host console messages into the BMC's file system.
Refers to the custom HTTP/Web server with source here: https://github.com/openbmc/bmcweb Note that BMCWeb is configurable per https://github.com/openbmc/bmcweb#configuration with build-time options to control which interfaces it provides. For example, there are configurations options to:
- enable downloading firmware images from a TFTP server
- enable the "http" URI scheme
- others
The webserver also sets up Secure Websockets for services such as KVM-IP, Virtual-USB, and more.
Refers to the set of Redfish REST APIs served by the BMCWeb web server. See details here: https://github.com/openbmc/bmcweb/blob/master/Redfish.md with docs here: https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md
Refers to the legacy REST APIs optionally served by the BMCWeb server. Docs: https://github.com/openbmc/docs/blob/master/REST-cheatsheet.md
Refers to the OpenBMC implementation of the Remote Frame Buffer (RFB, aka VNC) protocol which lets you operate the host system's keyboard, video, and mouse (KVM) remotely. See https://github.com/openbmc/obmc-ikvm/blob/master/README.md Also known as IPKvm. Do not confuse with Kernel Virtual Machine (the other KVM).
Also known as: remote media and USB-over-IP. Design: https://github.com/openbmc/docs/blob/master/designs/VirtualMedia.md Contrast with LAN-over-USB.
Also known as USB-over-IP, and helps implement virtual media. Contrast with the BMC and host physical USB ports.