Explaining the Baseboard Management Controller or BMC in Servers

Discussion in 'STH Main Site Posts' started by Patrick Kennedy, Sep 27, 2018.

  1. #1
    epicurean and i386 like this.
  2. Patrick

    Patrick Administrator
    Staff Member

    Joined:
    Dec 21, 2010
    Messages:
    11,195
    Likes Received:
    4,147
    Quick ask - if anyone sees something they think should be added, please let me know.
     
    #2
  3. Aluminum

    Aluminum Active Member

    Joined:
    Sep 7, 2012
    Messages:
    418
    Likes Received:
    42
    aka "That second computer inside all your important computers that typically has no security considerations at all"

    These things get pointed at the internet way too often, but even the ones sitting on the LAN are not hard to get to in a lot of organizations. Default or blank password more often than not.
     
    #3
    Patrick likes this.
  4. kapone

    kapone Active Member

    Joined:
    May 23, 2015
    Messages:
    457
    Likes Received:
    159
    My server deployment checklist starts with:

    - Update BMC firmware
    - Update BIOS
    - Configure BMC .......

    And about 50 items related to the BMC after that.

    Any server admin worth his/her salt has zero excuse for leaving the BMC unconfigured. If they did, fire them. Seriously.
     
    #4
  5. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,344
    Likes Received:
    328
    The BMC is also managed by a PAM product (privileged account management), just like other admin accounts.
     
    #5
  6. Aluminum

    Aluminum Active Member

    Joined:
    Sep 7, 2012
    Messages:
    418
    Likes Received:
    42
    Securing the accounts doesn't mitigate that the core design of these systems doesn't know what security is. Intel and Dell can't get it right, you think these other guys will? So far all these BMC platforms are really not much better than random cheap consumer products (like all those popped home routers).

    We were saved from an insane vPro worldwide firmware botnet mostly due to market feature segmentation, not because of actual design: those pieces are in pretty much every Intel chipset, thankfully sitting dormant.

    You need to secure the network access to BMCs most of all.
     
    #6
  7. chilipepperz

    chilipepperz Active Member

    Joined:
    Mar 17, 2016
    Messages:
    169
    Likes Received:
    50
    I feel like @Patrick put this article up knowing that they were going iDracula
     
    #7
    Aluminum, fohdeesha and Patrick like this.
  8. kapone

    kapone Active Member

    Joined:
    May 23, 2015
    Messages:
    457
    Likes Received:
    159
    See...when you can get a server at a "cloud" provider WITH BMC access for peanuts...what do you expect?? They ain't gonna run a big ass VPN setup to allow BMC access only through the VPN. And your BMC should never...never...ever...be accessible directly on the internet. That's just asinine.
     
    #8
    Last edited: Sep 28, 2018
  9. zir_blazer

    zir_blazer Active Member

    Joined:
    Dec 5, 2016
    Messages:
    155
    Likes Received:
    46
    This is not a list of things that I would add, but is more akin to a list of things that I, who have no first-hand experience dealing with any of those low-level remote management features, would like to know:


    1 - How does a dedicated BMC compare to the built-in management tools like Intel vPro/AMT and AMD DASH?
    The few things I know about vPro are from a previous article of yours for Tom's Hardware, but since it is already 7 years old, there is little info coming in a Hardware review site format about how these things currently compare. I know that the BMC is a bit more low level thanks to all its own dedicated Hardware (but technically the Intel ME includes its own Processor built into the Chipset and uses system RAM, so...), but in the case of Intel, their Server products typically feature vPro, so both it and the BMC are technically coexisting on the same platforms.


    2 - Is there any con to having a BMC if you are not going to use it?
    For example, Supermicro has several Workstation Motherboards without a BMC and with one (those that end in -F). I would assume that if it is possible to fully disable the BMC via a Jumper, paying more for a Motherboard with a BMC may be better, since at a later time I could potentially repurpose it to do something else.


    3 - How much of a practical difference is there between a dedicated IPMI Port and a "shared" one? How does the sharing work?
    I suppose that the sharing works because both out-of-band remote management and standard network traffic get treated as if they were different VLANs or something that separates them on the wire, but works concurrently. However, a dedicated Port would allow you to have something like a secondary infrastructure for out-of-band, like a separate Switch or something, that has no direct Internet access, guaranteeing that only Intranet users can access a computer's BMC Port.
    Looks like a dedicated Port is the more secure way to do it, unless you're a cheap bastard that doesn't want to purchase another Switch and have twice the cabling. I suppose that sharing the same Switch may still be viable if properly isolating things (for example, having two cables per computer to a Switch, one for the normal network, the other for the dedicated out-of-band, and configuring two separate VLANs for them at the Switch level).
    Also, why do BMC Ports typically use a Realtek NIC instead of the Intel ones? Yes, I know that they are cheaper, but typically everyone prefers the Intel ones, so why cheap out on the dedicated BMC Port? Is it too overkill?


    4 - How does the BMC integrated GPU interact with Intel IGPs or dedicated cards, including the "boot graphics" part?
    I have almost no knowledge about this, nor what you can mix. I would suppose that to use any remote management that outputs video, you need to use the appropriate GPU as boot graphics, since otherwise the tightly integrated remote management Hardware can't access the video framebuffer and forward it outside. However, after you get Linux/Windows working, can you use the Intel IGP or dedicated card as the main GPU to process graphics, then clone the screen on the BMC GPU so that it sends that via out-of-band? I doubt that a BMC is viable to do game streaming, since there is also compression when outputting video via network and it is not its intended use, so I doubt that it is fast enough for that. Also, Intel AMT seems to have a massive advantage on this point since you rely on the infinitely more powerful Intel IGP instead of the BMC GPU.
    By the way, I hate with a passion that the BMCs are STILL using a VGA Port. Not even a DVI-I so that you could use either a DVI-D Monitor or a DVI-I-to-VGA passive adapter. It is just a plain VGA Port. I'm quite outdated regarding Monitors so I don't know if they still come with VGA input. My expected use case would be to do the first boot of a bare build on a platform that has no Processor IGP nor is being set up for remote management, thus using the BMC GPU with direct video output would save me from the hassle of having to get a Video Card from elsewhere or wire the dedicated BMC Port just to have visual confirmation that the computer POSTs correctly.


    5 - How much do the BMC and Super I/O chip functions overlap? Are there any other implementation variants or interesting differences between them?
    It seems that in normal non-BMC computers the PWM Controller is the Super I/O and you get all the Motherboard Fan headers wired to it. The BMC seems to have its own PWM Controller, so the Fan headers are wired to it instead on platforms that have it. This means that technically, on a platform that has a BMC, you can't really disable it since otherwise you lose all the Motherboard Fans, right? Or are they on a parallel Bus connected to both the BMC and the Super I/O, so that either can control it?
    Also, it seems that both the BMC and the Super I/O see the Motherboard Firmware Flash chip on the same SPI Bus, which is the reason why the BMC can update it all by itself. However, I think I have seen Block Diagrams where the BMC SPI didn't seem to have direct access to that Flash chip. I'm not sure how many variations of these implementation details exist, but it seems that at times that can make a functional difference...


    Well, I think that these are all the questions that I could think of. It is quite hard to get answers to these questions in standard documentation, which is why I need custom answers.
     
    #9
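The thread's recurring advice (keep the BMC off the internet and on an isolated management VLAN, and get rid of default accounts) can be turned into an inventory check. The script below is an added example, not code from STH or any BMC vendor: it parses output in the layout of `ipmitool lan print 1` and `ipmitool user list 1` (the sample text, the 10.250.0.0/16 management subnet and the account names are constructed for this example) and reports a BMC whose address is outside the management network, that carries no 802.1q VLAN tag on a shared NIC, or that still has a vendor default login with ADMINISTRATOR privilege.

```python
import ipaddress
import re

# Constructed samples in the layout of `ipmitool lan print 1` and `ipmitool user list 1`;
# the addresses, MAC and account names are made up for this example.
LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 203.0.113.25
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
"""
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   ops-oob          true    false      true       OPERATOR
"""
MGMT_NET = ipaddress.ip_network("10.250.0.0/16")  # hypothetical out-of-band management subnet
DEFAULT_NAMES = {"admin", "administrator", "root", "user"}  # common vendor default logins
# One user row: id, name, three true/false columns, then the privilege limit.
USER_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+)$")


def parse_lan_print(text):
    """Map each `key : value` line of `ipmitool lan print` output to a dict."""
    pairs = (line.partition(":") for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}


def parse_user_list(text):
    """Return (name, privilege) for every named user slot; empty slots do not match the regex."""
    rows = (USER_ROW.match(line.strip()) for line in text.splitlines())
    return [(m.group(2), m.group(6).strip()) for m in rows if m]


def audit_bmc(lan_text, user_text, mgmt_net=MGMT_NET):
    """Return a list of findings; an empty list means the BMC passes these checks."""
    findings = []
    lan = parse_lan_print(lan_text)
    addr = ipaddress.ip_address(lan["IP Address"])
    if addr not in mgmt_net:
        findings.append(f"BMC address {addr} is outside the management network {mgmt_net}")
    if lan.get("802.1q VLAN ID", "Disabled") == "Disabled":
        findings.append("no 802.1q VLAN tag: on a shared NIC the BMC sits on the host's L2 segment")
    for name, priv in parse_user_list(user_text):
        if name.lower() in DEFAULT_NAMES and priv == "ADMINISTRATOR":
            findings.append(f"vendor default account '{name}' still has ADMINISTRATOR privilege")
    return findings
```

Running `audit_bmc(LAN_PRINT, USER_LIST)` on the constructed sample returns all three findings; a BMC re-addressed into 10.250.0.0/16 with a VLAN tag and the default account renamed returns an empty list.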
  10. Patrick

    Patrick Administrator
    Staff Member

    Joined:
    Dec 21, 2010
    Messages:
    11,195
    Likes Received:
    4,147
    That is a blast from the past! You will see what parts were edited. I do not use contractions if there is anything 9+ years of STH has shown.
     
    #10
  11. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    932
    Likes Received:
    679
    Any particular reason for that? There was something about your writing I couldn't put my finger on, but now that you mention it, that's 100% it.
     
    #11
  12. Patrick

    Patrick Administrator
    Staff Member

    Joined:
    Dec 21, 2010
    Messages:
    11,195
    Likes Received:
    4,147
    Law school professors.
     
    #12
    Aluminum and fohdeesha like this.
  13. Blinky 42

    Blinky 42 Active Member

    Joined:
    Aug 6, 2015
    Messages:
    477
    Likes Received:
    158
    #13