Re: [Freeipmi-users] [EXTERNAL] Re: "BMC busy" with FreeIPMI on Intel Ice Lake Nodes

[Bautista, Devon Thomas]

Al,

Just wanted to add this response of yours to the list as well for posterity.

Thanks for your help!

Best,
Devon

On 10/27/22 5:46 PM, Al Chu11 wrote:
> Hey Devon,
>
> Ooops, I didn't reply to the list.  I'll do so for people googling in 
> the future.
>
> But I can add this to the documented list of bugs / workarounds. The 
> error returned from the board is just really bad:
>
> #define 
> RMCPPLUS_STATUS_NO_CIPHER_SUITE_MATCH_WITH_PROPOSED_SECURITY_ALGORITHMS 
> 0x11
> #define 
> RMCPPLUS_STATUS_NO_CIPHER_SUITE_MATCH_WITH_PROPOSED_SECURITY_ALGORITHMS_STR 
> \
>    "No Cipher Suite match with proposed security algorithms."
>
> Would be better / lead us to the correct solution faster.
>
>  > I do not see anything for cipher suite 17 in the above.
>
> Doh!  It ends up I don't support reading 16/17 in bmc-config b/c
>
> "  /* achu: Can't support this config until IPMI spec is updated.  Yeah, 
> it sucks */ "
>
> but that was a few years ago.  I should probably double check if it is 
> supported now.
>
> The story is sort of stupid, but cipher suite 16/17 were uhhh 
> "stealthly" introduced into IPMI implementations in the wild BEFORE they 
> mentioned it in the IPMI specification.  As of a few years ago, it still 
> wasn't documented.  Only reason its in FreeIPMI is b/c a vendor who is 
> trusted with good patches introduced it, so it was sort of added based 
> on trust from said vendor.
>
> Glad its working!
>
> Al
>
> On 10/27/22 16:23, Bautista, Devon Thomas wrote:
> > Al,
> >
> > Not sure if you meant to post on the list as well.
> >
> > > Could you try cipher suite 17 via "-I 17". FreeIPMI defaults to 
> > > cipher suite 3.  Perhaps your motherboard requires users to use the 
> > > newer / more secure cipher suite 17 only and the error it returns is 
> > > just a bad one.  May want to try "-l admin" as well in combination if 
> > > it doesn't work. 
> >
> > Adding "-I 17" did the trick:
> >
> > $ ipmipower -D LAN_2_0 -h host-bmc -u admin -p $PWORD -I 17
> > ipmipower> stat
> > host-bmc: on
> >
> > I didn't even have to add "-l ADMIN", though I would think that that 
> > would be needed for other functions besides checking the power status.
> >
> > > May be interesting to see what `bmc-config --checkout --section 
> > > Rmcpplus_Conf_Privilege` on the remote machine outputs too.  See if 
> > > they disable a number of cipher suites.
> >
> > This is curious (output from remote host):
> >
> > $ bmc-config --checkout --section Rmcpplus_Conf_Privilege
> > #
> > # Section Rmcpplus_Conf_Privilege Comments
> > #
> > # If your system supports IPMI 2.0 and Serial-over-LAN (SOL),cipher 
> > suite IDs
> > # may be configurable below. In the Rmcpplus_Conf_Privilege section, 
> > maximum
> > # user privilege levels allowed for authentication under IPMI 2.0 
> > (including
> > # Serial-over-LAN) are set for each supported cipher suite ID. Each 
> > cipher suite
> > # ID supports different sets of authentication, integrity, and encryption
> > # algorithms for IPMI 2.0. Typically, the highest privilege level any 
> > username
> > # configured should set for support under a cipher suite ID. This is 
> > typically
> > # "Administrator".
> > #
> > Section Rmcpplus_Conf_Privilege
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_1           Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_2           Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_3           Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_6           Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_7           Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_8           Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_11          Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_12          Unused
> >     ## Possible values: 
> > Unused/User/Operator/Administrator/OEM_Proprietary
> >     Maximum_Privilege_Cipher_Suite_Id_15          Unused
> > EndSection
> >
> > I do not see anything for cipher suite 17 in the above.
> >
> > > Side note: would be curious if `bmc-info -h ... -u ... -p ....` works 
> > > / doesn't work as well.   Just to make sure its not a bug specific to 
> > > ipmipower.
> >
> > Looks like it is not specific to ipmipower:
> >
> > $ bmc-info -D LAN_2_0 -h host-bmc -u admin -p $PWORD
> > ipmi_ctx_open_outofband_2_0: BMC busy
> >
> > $ bmc-info -D LAN_2_0 -h host-bmc -u admin -p $PWORD -I 17
> > Device ID             : 34
> > Device Revision       : 1
> > Device SDRs           : unsupported
> > Firmware Revision     : 2.89
> > Device Available      : yes (normal operation)
> > IPMI Version          : 2.0
> > Sensor Device         : supported
> > SDR Repository Device : supported
> > SEL Device            : supported
> > FRU Inventory Device  : supported
> > IPMB Event Receiver   : supported
> > IPMB Event Generator  : unsupported
> > Bridge                : unsupported
> > Chassis Device        : supported
> > Manufacturer ID       : Intel Corporation (343)
> > Product ID            : 152
> > Auxiliary Firmware Revision Information : 7E3B728Bh
> >
> > Device GUID : ba922c2e-9b0e-8347-5586-d7428bea0474
> >
> > System GUID : 123d8901-bfa4-c79b-eb11-51dd801ff599
> >
> > Channel Information
> >
> > Channel Number       : 0
> > Medium Type          : IPMB (I2C)
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : session-less
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 1
> > Medium Type          : 802.3 LAN
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 15
> > Session Support      : multi-session
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 2
> > Medium Type          : 802.3 LAN
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : multi-session
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 3
> > Medium Type          : 802.3 LAN
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : multi-session
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 5
> > Medium Type          : OEM
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : session-less
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 6
> > Medium Type          : IPMB (I2C)
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : session-less
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 7
> > Medium Type          : System Interface (KCS, SMIC, or BT)
> > Protocol Type        : KCS
> > Active Session Count : 0
> > Session Support      : session-less
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 8
> > Medium Type          : OEM
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : session-less
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 9
> > Medium Type          : IPMB (I2C)
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : session-less
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 10
> > Medium Type          : IPMB (I2C)
> > Protocol Type        : IPMB-1.0
> > Active Session Count : 0
> > Session Support      : session-less
> > Vendor ID            : Intelligent Platform Management Interface forum 
> > (7154)
> >
> > Channel Number       : 208
> > Medium Type          : unknown
> > Protocol Type        : unknown
> > Active Session Count : 49
> > Session Support      : unknown
> > Vendor ID             : 722393994
> >
> > Channel Number       : 157
> > Medium Type          : OEM
> > Protocol Type        : Reserved
> > Active Session Count : 0
> > Session Support      : unknown
> > Vendor ID            : Corp. Hostarica (22059)
> >
> > Channel Number       : 157
> > Medium Type          : OEM
> > Protocol Type        : Reserved
> > Active Session Count : 0
> > Session Support      : unknown
> > Vendor ID            : consistec Engineering & Consulting GmbH (32669)
> >
> > Thank you, Al!
> >
> > Regards,
> > Devon
> >
> > On 10/27/22 4:41 PM, Al Chu11 wrote:
> > > Ahhh it did remind me of something.
> > >
> > > > Using best available cipher suite 17 
> > >
> > > Could you try cipher suite 17 via "-I 17". FreeIPMI defaults to 
> > > cipher suite 3.  Perhaps your motherboard requires users to use the 
> > > newer / more secure cipher suite 17 only and the error it returns is 
> > > just a bad one.  May want to try "-l admin" as well in combination if 
> > > it doesn't work.
> > >
> > > May be interesting to see what `bmc-config --checkout --section 
> > > Rmcpplus_Conf_Privilege` on the remote machine outputs too.  See if 
> > > they disable a number of cipher suites.
> > >
> > > Side note: would be curious if `bmc-info -h ... -u ... -p ....` works 
> > > / doesn't work as well.   Just to make sure its not a bug specific to 
> > > ipmipower.
> > >
> > > Al

smime.p7s
Description: S/MIME Cryptographic Signature