zlacker

I don't disagree, but if you have admin access to the BMC you can access the console, reboot the machine into single-user mode or even into another OS entirely, and then implant any malware you want, wipe the storage, etc.

Some of the Supermicro boards don't even have a separate BMC NIC, the only choice is to bond it to one of the main NICs or sacrifice one of them to be BMC only. I try to pay attention to that now after being surprised by that once on some servers we bought.

replies(2): >>Aurorn+f3 >>jcgl+kl4

>>SoftTa+(OP)
> I don't disagree, but if you have admin access to the BMC you can access the console, reboot the machine into single-user mode or even into another OS entirely, and then implant any malware you want, wipe the storage, etc.

Yes, all of which can be reversed by another admin in the future. That is expected.

It should not be the case that getting admin access one time can result in modifying the hardware in a way that can’t be reversed by future admin, short of physically reflashing the chip on the board.

replies(1): >>buckle+yb

>>Aurorn+f3
That is believe it or not true for nearly every computer on the planet.

If you have admin on windows you can flash the bios on regular motherboards with firmware that refuses to change.

replies(2): >>lmz+ug >>adastr+6z

>>buckle+yb
> If you have admin on windows you can flash the bios on regular motherboards with firmware that refuses to change.

The vendors even sell this as downgrade prevention!

>>buckle+yb
Huh? I don’t understand what you are getting at. Every PC I’ve had uses a very simple protocol for bit banging new firmware.

replies(1): >>buckle+n51

>>adastr+6z
Which only worked because the existing firmware let's it.

replies(1): >>adastr+A61

>>buckle+n51
Flashing the EEPROM doesn’t involve the firmware.

replies(1): >>labcom+N91

>>adastr+A61
Who do you think bit bangs the EEPROM?

replies(3): >>crest+Lq1 >>adastr+Ht1 >>ameliu+Mv2

>>labcom+N91
On some boards you can access can reconfigure GPIO pins of the chipset and bitbang SPI from the application processor (aka your normal x86_64 CPU) without firmware support.

replies(1): >>Dylan1+qI3

>>labcom+N91
As I said, with literally every desktop PC I have ever owned I have updated the BIOS this way. So me, I guess.

replies(2): >>Dylan1+mI3 >>labcom+YBd

>>labcom+N91
This is a design flaw in itself.

It makes it easy to brick a system.

>>adastr+Ht1
You are not typing the bits in with your fingers.

What chip are you using to bit bang? Is that chip directly or indirectly controlled by the firmware? Usually it is.

>>crest+Lq1
Isn't the firmware ultimately in charge of those pins, and able to block access to your OS if it chooses to?

replies(1): >>labcom+zBd

>>SoftTa+(OP)
> but if you have admin access to the BMC you can access the console, reboot the machine into single-user mode or even into another OS entirely, and then implant any malware you want, wipe the storage, etc.

True in the common case, but this can/should be guarded against by disk encryption and secured boot chains.

>>Dylan1+qI3
Depending on the implementation, kinda, but maybe not in the way you are thinking.

More generally, when you get down to the bottom of the pile of elephants, you are requesting some software currently running on your computer to write some bits to some kind of storage medium.

But there is no law of physics that says the software must to do as you ask! If the software is malicious, it can refuse. It could even pretend that it updated the bits but not actually do so.

"Oh, but I booted into $OTHER_PROGRAM and it writes the bits!"

Maybe. But how do you know that the boot loader faithfully loaded it? You don't. Maybe the boot loader is malicious and patches your firmware updater so that it won't actually write new firmware.

If you squint and tilt your head, it kinda looks like Ken Thompson's "Reflections on Trusting Trust".

>>adastr+Ht1
You can lead a horse to water...