Explaining the Baseboard Management Controller or BMC in Servers


Patrick Kennedy

Guest

Patrick

Administrator
Staff member
Dec 21, 2010
Quick ask - if anyone sees something they think should be added, please let me know.
 

Aluminum

Active Member
Sep 7, 2012
aka "That second computer inside all your important computers that typically has no security considerations at all"

These things get pointed at the internet way too often, but even the ones sitting on the LAN are not hard to get to in a lot of organizations. Default or blank password more often than not.
 
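The two problems raised in this post, BMCs reachable from where they should not be and default or blank credentials, can be checked across a fleet rather than host by host. The script below is an added example and is not from the thread or from any vendor tool; the out-of-band network, the list of vendor-default account names, the sample BMC addresses and the captured user lists are all constructed assumptions, and the parser only expects text in the shape of `ipmitool user list <channel>` output.

```python
"""
Added example (not from the forum thread): audit a fleet of BMCs for
addresses outside the out-of-band network (or outside RFC 1918 space
altogether) and for enabled vendor-default administrator accounts.

All sample data is constructed; the network and default-name list are
assumptions to adapt to your own environment.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed out-of-band management network; every BMC interface should be in it.
OOB_NETWORK = ipaddress.ip_network("10.250.0.0/16")

# RFC 1918 space; a BMC address outside it is treated as internet-reachable.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Account names vendors commonly ship enabled (illustrative, not exhaustive).
DEFAULT_USER_NAMES = {"admin", "administrator", "root", "user", "ipmi"}

# One row of `ipmitool user list <channel>` output: id, name (may be blank),
# three true/false columns, then the channel privilege limit.
USER_ROW = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<name>\S*)\s+(?P<callin>true|false)\s+"
    r"(?P<link>true|false)\s+(?P<ipmi_msg>true|false)\s+(?P<priv>.+?)\s*$"
)


@dataclass
class BmcUser:
    uid: int
    name: str
    ipmi_msg: bool   # account may authenticate over the LAN channel
    priv: str        # e.g. ADMINISTRATOR, OPERATOR, USER, NO ACCESS


def parse_user_list(text: str) -> list[BmcUser]:
    """Parse text in the shape of `ipmitool user list` output; the header is skipped."""
    users = []
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:
            users.append(BmcUser(int(m["uid"]), m["name"],
                                 m["ipmi_msg"] == "true", m["priv"].upper()))
    return users


def audit_address(addr: str) -> list[str]:
    """Flag a BMC address that is not RFC 1918 or not inside the OOB network."""
    ip = ipaddress.ip_address(addr)
    findings = []
    if not any(ip in net for net in PRIVATE_NETWORKS):
        findings.append(f"{addr}: not RFC 1918, BMC is likely internet-reachable")
    if ip not in OOB_NETWORK:
        findings.append(f"{addr}: outside the OOB network {OOB_NETWORK}")
    return findings


def audit_users(addr: str, users: list[BmcUser]) -> list[str]:
    """Flag enabled accounts with a vendor-default name and Administrator privilege."""
    return [
        f"{addr}: enabled default admin account '{u.name}' (id {u.uid})"
        for u in users
        if u.ipmi_msg and u.priv == "ADMINISTRATOR"
        and u.name.lower() in DEFAULT_USER_NAMES
    ]


def audit_fleet(fleet: dict[str, str]) -> list[str]:
    """fleet maps a BMC address to its captured `ipmitool user list` text."""
    findings = []
    for addr, user_text in fleet.items():
        findings += audit_address(addr)
        findings += audit_users(addr, parse_user_list(user_text))
    return findings


HEADER = "ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit\n"

# Constructed sample: three BMCs with captured user lists.
SAMPLE_FLEET = {
    # On the OOB network, but the factory ADMIN account is still enabled.
    "10.250.3.17": HEADER
    + "1                    true    false      false      NO ACCESS\n"
    + "2   ADMIN            true    false      true       ADMINISTRATOR\n"
    + "3   oob-ops          true    false      true       ADMINISTRATOR\n",
    # Public address and an enabled default root account: the worst case.
    "203.0.113.40": HEADER
    + "2   root             true    false      true       ADMINISTRATOR\n",
    # Private, but on the wrong network; ADMIN was properly disabled.
    "192.168.1.20": HEADER
    + "2   ADMIN            true    false      false      NO ACCESS\n"
    + "3   oob-ops          true    false      true       ADMINISTRATOR\n",
}

if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_FLEET):
        print(finding)
```

Run against the constructed sample it reports five findings: the enabled ADMIN account on the first BMC, three findings for the publicly addressed BMC, and the wrong-network finding for the third. A disabled default account (NO ACCESS, IPMI Msg false) is deliberately not reported, since renaming or disabling the factory account is exactly what the checklist in the thread asks for.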

kapone

Well-Known Member
May 23, 2015
My server deployment checklist starts with:

- Update BMC firmware
- Update BIOS
- Configure BMC .......

And about 50 items related to the BMC after that.

Any server admin worth his/her salt has zero excuse for leaving the BMC unconfigured. If they did, fire them. Seriously.
 

Evan

Well-Known Member
Jan 6, 2016
The BMC is also managed by a PAM product (privileged account management), just like other admin accounts.
 

Aluminum

Active Member
Sep 7, 2012
Securing the accounts doesn't mitigate the fact that the core design of these systems doesn't know what security is. If Intel and Dell can't get it right, do you think these other guys will? So far all these BMC platforms are really not much better than random cheap consumer products (like all those popped home routers).

We were saved from an insane vPro worldwide firmware botnet mostly due to market feature segmentation, not because of actual design: those pieces are in pretty much every Intel chipset, thankfully sitting dormant.

You need to secure the network access to BMCs most of all.
 

kapone

Well-Known Member
May 23, 2015
See... when you can get a server at a "cloud" provider WITH BMC access for peanuts... what do you expect?? They ain't gonna run a big-ass VPN setup to allow BMC access only through the VPN. And your BMC should never... never... ever... be accessible directly on the internet. That's just asinine.
 

zir_blazer

Active Member
Dec 5, 2016
Quick ask - if anyone sees something they think should be added, please let me know.
This is not a list of things that I would add, but is more akin to a list of things that I, who have no first-hand experience dealing with any of those low-level remote management features, would like to know:


1 - How does a dedicated BMC compare to the built-in management tools like Intel vPro/AMT and AMD DASH?
The few things I know about vPro are from a previous article of yours for Tom's Hardware, but since it is already 7 years old, there is little info coming in a Hardware review site format about how these things currently compare. I know that the BMC is a bit more low level thanks to all its own dedicated Hardware (but technically Intel ME includes its own Processor built into the Chipset and uses system RAM, so...), but in the case of Intel, their Server products typically feature vPro, so both it and the BMC are technically coexisting on the same platforms.


2 - Is there any con to having a BMC if you are not going to use it?
For example, Supermicro has several Workstation Motherboards without BMC and with (those that end in -F). I would assume that if it is possible to fully disable the BMC via a Jumper, paying more for a Motherboard with a BMC may be better, since at a later time I could potentially repurpose it to do something else.


3 - How much of a practical difference is there between a dedicated IPMI Port and a "shared" one? How does the sharing work?
I suppose that the sharing works because both out-of-band remote management and the standard network get treated as if they were different VLANs or something that separates them on the wire, but works concurrently. However, a dedicated Port would allow you to have something like a secondary infrastructure for out-of-band, like a separate Switch or something that has no direct Internet access, guaranteeing that only Intranet users can access a computer's BMC Port.
Looks like a dedicated Port is the more secure way to do it, unless you're a cheap bastard that doesn't want to purchase another Switch and have twice the cabling. I suppose that sharing the same Switch may still be viable if properly isolating things (for example, having two cables per computer to a Switch, one for the normal network, the other for the dedicated out-of-band, and configuring two separate VLANs for them at the Switch level).
Also, why do BMC Ports typically use Realtek NICs instead of the Intel ones? Yes, I know that they are cheaper, but typically everyone prefers the Intel ones, so why cheap out on the dedicated BMC Port? Is it too overkill?


4 - How does the BMC integrated GPU interact with Intel IGPs or dedicated cards, including the "boot graphics" part?
I have almost no knowledge about this, nor what you can mix. I would suppose that to use any remote management that outputs video, you need to use the appropriate GPU as boot graphics, since otherwise the tightly integrated remote management Hardware can't access the video framebuffer and forward it outside. However, after you get Linux/Windows working, can you use the Intel IGP or dedicated card as the main GPU to process graphics, then clone the screen on the BMC GPU so that it sends that via out-of-band? I doubt that a BMC is viable for game streaming, since there is also compression when outputting video via network and it is not its intended use, so I doubt that it is fast enough for that. Also, Intel AMT seems to have a massive advantage on this point, since you rely on the infinitely more powerful Intel IGP instead of the BMC GPU.
By the way, I hate with a passion that the BMCs are STILL using a VGA Port. Not even a DVI-I so that you could use either a DVI-D Monitor or a DVI-I-to-VGA passive adapter. It is just a plain VGA Port. I'm quite outdated regarding Monitors, so I don't know if they still come with VGA input. My expected use case would be to do the first boot of a bare build on a platform that has no Processor IGP nor is being set up for remote management, thus using the BMC GPU with direct video output would save me from the hassle of having to get a Video Card from elsewhere or wire the dedicated BMC Port just to have visual confirmation that the computer POSTs correctly.


5 - How much do the BMC and Super I/O chip functions overlap? Are there any other implementation variants or interesting differences between them?
It seems that in normal non-BMC computers the PWM Controller is the Super I/O and you get all the Motherboard Fan headers wired to it. The BMC seems to have its own PWM Controller, so the Fan headers are wired to it instead on platforms that have it. This means that technically, on a platform that has a BMC, you can't really disable it, since otherwise you lose all the Motherboard Fans, right? Or are they on a parallel Bus connected to both the BMC and the Super I/O, so that either can control them?
Also, it seems that both the BMC and the Super I/O see the Motherboard Firmware Flash chip on the same SPI Bus, which is the reason why the BMC can update it all by itself. However, I think I have seen Block Diagrams where the BMC SPI didn't seem to have direct access to that Flash chip. I'm not sure how many variations of these implementation details exist, but it seems that at times that can make a functional difference...


Well, I think that these are all the questions that I could think of. It is quite hard to get answers to these questions in standard documentation, which is why I need custom answers.
 

Patrick

Administrator
Staff member
Dec 21, 2010
1 - How does a dedicated BMC compare to the built-in management tools like Intel vPro/AMT and AMD DASH?
The few things I know about vPro are from a previous article of yours for Tom's Hardware, but since it is already 7 years old, there is little info coming in a Hardware review site format about how these things currently compare. I know that the BMC is a bit more low level thanks to all its own dedicated Hardware (but technically Intel ME includes its own Processor built into the Chipset and uses system RAM, so...), but in the case of Intel, their Server products typically feature vPro, so both it and the BMC are technically coexisting on the same platforms.
That is a blast from the past! You will see what parts were edited. I do not use contractions if there is anything 9+ years of STH has shown.
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
That is a blast from the past! You will see what parts were edited. I do not use contractions if there is anything 9+ years of STH has shown.
Any particular reason for that? There was something about your writing I couldn't put my finger on, but now that you mention it that's 100% it