CN112256300B - Method and device for managing server in band, electronic equipment and readable storage medium - Google Patents
- Publication number: CN112256300B (application CN202011120415.4A)
- Authority: CN (China)
- Prior art keywords: ipmi, instruction, bmc, interface, server
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F13/4282: Bus transfer protocol, e.g. handshake; synchronisation on a serial bus, e.g. I2C bus, SPI bus (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units > G06F13/38 Information transfer, e.g. on bus > G06F13/42 Bus transfer protocol, e.g. handshake; synchronisation)
- G06F8/65: Updates (G06F Electric digital data processing > G06F8/00 Arrangements for software engineering > G06F8/60 Software deployment)
- G06F8/71: Version control; configuration management (G06F Electric digital data processing > G06F8/00 Arrangements for software engineering > G06F8/70 Software maintenance or management)
- H04L63/18: Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security)
Landscapes: Engineering & Computer Science; General Engineering & Computer Science; Theoretical Computer Science; Software Systems; Computer Security & Cryptography; Physics & Mathematics; General Physics & Mathematics; Computer Hardware Design; Computing Systems; Computer Networks & Wireless Communication; Signal Processing; Stored Programmes
Abstract
The application provides a method and device for in-band management of a server, an electronic device and a readable storage medium. The method comprises: receiving a first set Intelligent Platform Management Interface (IPMI) command sent by an external device, the first set IPMI command carrying information indicating that in-band security control is to be started; and, according to the first set IPMI command, ignoring any command received from the Keyboard Controller Style (KCS) interface. The server receives the IPMI command from the external device and determines whether it indicates that in-band security control is to be started; if so, it ignores any command received from the KCS interface. Because an ordinary user performs in-band management by sending IPMI commands that reach the BMC through the KCS interface, where they are received and executed, discarding every command received from the KCS interface prevents in-band management by ordinary users and reduces the risk of the server being operated by persons other than operations and maintenance staff.
Description
Technical Field
The present application relates to the field of data processing technology, and in particular to a method and apparatus for in-band management of a server, an electronic device and a readable storage medium.
Background
Server in-band management refers to managing and maintaining a server from within its own operating system, without any authentication such as a user name and password. An ordinary user can carry out in-band management by sending Intelligent Platform Management Interface (IPMI) commands; these travel over the Low Pin Count (LPC) bus and reach the Baseboard Management Controller (BMC) through the Keyboard Controller Style (KCS) interface. On a Linux host, for example, a root user can run ipmitool with its open interface against /dev/ipmi0 and the BMC executes the command without any BMC credentials: the IPMI system interface carries no session, so the only gate is privilege in the host operating system. Such IPMI commands correspond, for example, to in-band management operations such as powering the server on or off, setting the server's power-on policy, and creating users with administrator rights.
Because the user's identity is not verified when an IPMI command is sent, any IPMI command delivered through the KCS interface is received and executed by the BMC, and this in-band management path is a security hazard for the management and maintenance of the server. In today's widely deployed cloud computing in particular, each high-performance server virtualises many hosts for different users, so the risk that the server is operated by persons other than operations and maintenance staff is greatly increased.
Disclosure of Invention
The embodiments of the application aim to provide a method and apparatus for in-band management of a server, an electronic device and a readable storage medium, so as to reduce the risk of the server being operated by persons other than operations and maintenance staff.
In a first aspect, an embodiment of the present application provides a method for in-band management of a server, applied to a baseboard management controller (BMC), comprising: receiving a first set IPMI command sent by an external device, the first set IPMI command carrying information indicating that in-band security control is to be started; and, according to the first set IPMI command, ignoring any command received from the Keyboard Controller Style (KCS) interface.
In this embodiment the server receives the IPMI command from the external device and determines whether it indicates that in-band security control is to be started; if so, it ignores any command received from the KCS interface. Because ordinary users perform in-band management by sending IPMI commands that the BMC receives and executes through the KCS interface, discarding every command received on that interface prevents in-band management by ordinary users and reduces the risk of the server being operated by persons other than operations and maintenance staff.
In one possible design, after receiving the first set IPMI command from the external device, the method further comprises: controlling the BMC, according to the first set IPMI command, to disable the upgrade function of its own firmware.
In this embodiment, once the external device is determined to have sent an IPMI command carrying the indication that in-band security control is to be started, the BMC not only ignores any command received from the KCS interface but also disables its firmware upgrade function. Otherwise a person other than operations and maintenance staff could upgrade the BMC firmware through the PCIe bus to a version that does not support in-band security control, after which the KCS interface would accept IPMI commands again and the risk of the server being operated by unauthorised persons would rise. Disabling the BMC firmware upgrade function therefore reduces that risk further. The same reasoning applies to any other host-reachable firmware update path the BMC exposes: the protection holds only while every such path is closed or authenticated.
In one possible design, after ignoring any command received from the KCS interface according to the first set IPMI command, the method further comprises: receiving a second set IPMI command sent by the external device, the second set IPMI command carrying information indicating that in-band security control is to be stopped; and, according to the second set IPMI command, ceasing to ignore commands received from the KCS interface.
In this embodiment, on receiving the second set IPMI command from the external device, the BMC stops ignoring commands received from the KCS interface. The first and second set IPMI commands thus switch the BMC between ignoring and accepting KCS commands: when KCS commands are to be ignored, the server receives the first set IPMI command and acts on it; when they are to be accepted again, it receives the second set IPMI command and acts on that. This makes in-band management of the server more flexible.
In one possible design, controlling the BMC to disable its firmware upgrade function comprises: rewriting a preset value of a target register in the BMC from a first value to a second value, so that the BMC blocks the function by which a software tool upgrades the BMC firmware over the PCIe bus.
In this embodiment, BMC firmware updates are blocked by rewriting the preset value of a particular register in the BMC from the first value to the second value. They may equally be blocked in other ways; for example, the IPMI command itself may directly carry information indicating that BMC firmware updates are prohibited. The specific way in which the update is prohibited should not be construed as limiting the application.
In one possible design, after controlling the BMC to disable its firmware upgrade function according to the first set IPMI command, the method further comprises: receiving a second set IPMI command sent by the external device, the second set IPMI command carrying information indicating that in-band security control is to be stopped; and, according to the second set IPMI command, ceasing to ignore any command received from the KCS interface and controlling the BMC to re-enable its firmware upgrade function.
In this embodiment the server may also receive from the external device a second set IPMI command carrying the indication that in-band security control is to be stopped; on receiving it, the BMC stops ignoring commands from the KCS interface and re-enables the firmware upgrade function that was previously disabled. The first and second set IPMI commands thus switch the BMC firmware upgrade function off and on as required, which makes in-band management of the server more flexible.
In one possible design, controlling the BMC to enable its firmware upgrade function comprises: changing the preset value of the target register from the second value back to the first value, so that the BMC re-enables the function by which a software tool upgrades the BMC firmware over the PCIe bus.
In this embodiment, disabling the upgrade function changes the preset value from the first value to the second, so enabling it again is done by changing the value from the second back to the first. The upgrade function may equally be enabled in other ways; for example, the second set IPMI command may directly carry information indicating that BMC firmware upgrades are allowed. The specific way in which the upgrade is allowed should not be construed as limiting the application.
In one possible design, after receiving the first set IPMI command from the external device and before ignoring any command received from the KCS interface according to it, the method further comprises: verifying the validity of the first set IPMI command.
To further improve the security of in-band management, the first set IPMI command is checked to confirm that it comes from operations and maintenance staff and not from an ordinary user. Without this check the protection would rest on nothing more than knowledge of the command number.
In one possible design, receiving the first set IPMI command sent by the external device comprises: receiving, through a network interface, a communication packet that contains the first set IPMI command.
In this embodiment, the IPMI command that controls in-band security must not itself be delivered through the KCS interface. One reason is self-lockout: once KCS commands are ignored, a stop command sent over KCS would be ignored as well. The other is that, if the control command were accepted over KCS, the very host-side user the mechanism is meant to exclude could issue the stop command himself. The control command may therefore arrive in a communication packet received through the network interface, or alternatively over the I2C bus. Provided the control command does not pass through the KCS interface, the channel by which it reaches the server should not be construed as limiting the application.
In a second aspect, an embodiment of the present application provides a server in-band management apparatus, applied to a BMC, comprising: a first command receiving module for receiving a first set IPMI command sent by an external device, the first set IPMI command carrying information indicating that in-band security control is to be started; and a command ignoring module for ignoring, according to the first set IPMI command, any command received from the KCS interface.
The effect is that of the method of the first aspect: because ordinary users perform in-band management by sending IPMI commands that the BMC receives and executes through the KCS interface, discarding every command received on that interface prevents in-band management by ordinary users and reduces the risk of the server being operated by persons other than operations and maintenance staff.
In one possible design, the apparatus further comprises an upgrade function disabling module for controlling the BMC, according to the first set IPMI command, to disable its firmware upgrade function. As explained for the method, this prevents a person other than operations and maintenance staff from upgrading the BMC firmware through the PCIe bus to a version that does not support in-band security control and thereby reopening the KCS interface.
In one possible design, the apparatus further comprises a second command receiving module for receiving a second set IPMI command sent by the external device, the second set IPMI command carrying information indicating that in-band security control is to be stopped, and a stop ignoring module for ceasing, according to the second set IPMI command, to ignore any command received from the KCS interface. The first and second set IPMI commands thus switch the BMC between ignoring and accepting KCS commands, which makes in-band management of the server more flexible.
In one possible design, the upgrade function disabling module is specifically configured to rewrite a preset value of a target register in the BMC from a first value to a second value, so that the BMC blocks the function by which a software tool upgrades the BMC firmware over the PCIe bus. As for the method, the update may equally be blocked in other ways, for example by information carried directly in the IPMI command, and the specific way is not limiting.
In one possible design, the apparatus further comprises a stop-control receiving module for receiving a second set IPMI command sent by the external device, the second set IPMI command carrying information indicating that in-band security control is to be stopped, and an upgrade function enabling module for ceasing, according to the second set IPMI command, to ignore any command received from the KCS interface and for controlling the BMC to re-enable its firmware upgrade function. The first and second set IPMI commands thus switch the BMC firmware upgrade function off and on as required.
In one possible design, the upgrade function enabling module is specifically configured to change the preset value of the target register from the second value back to the first value, so that the BMC re-enables the function by which a software tool upgrades the BMC firmware over the PCIe bus. The upgrade function may equally be enabled in other ways, for example by information carried directly in the second set IPMI command, and the specific way is not limiting.
In one possible design, the apparatus further comprises a command checking module for verifying the validity of the first set IPMI command.
In one possible design, the first command receiving module is specifically configured to receive, through a network interface, a communication packet containing the first set IPMI command. As for the method, the control command must not be delivered through the KCS interface, since a stop command sent over KCS would itself be ignored and a host-side user could otherwise disable the control; it may instead arrive through the network interface or over the I2C bus, and, provided it does not pass through the KCS interface, the channel used is not limiting.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory storing machine-readable instructions executable by the processor, which when executed by the processor perform the steps of the method described above when the electronic device is run.
In a fourth aspect, the present application provides a readable storage medium having stored thereon an executable program which when executed by a processor performs the method of the first aspect or any alternative implementation of the first aspect.
In a fifth aspect, the application provides an executable program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation of the first aspect.
In order to make the above objects, features and advantages of the embodiments of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a flow diagram of a method for managing in-band management of a server according to an embodiment of the present application;
FIG. 2 is a schematic flow chart showing some steps of a server in-band management method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart showing some steps of a server in-band management method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of a method for managing in-band management of a server according to another embodiment of the present application;
FIG. 5 shows a schematic block diagram of a server in-band management device according to an embodiment of the present application;
fig. 6 shows a possible structure of the electronic device provided by the embodiment of the application.
Detailed Description
In the comparative arrangement, an ordinary user performs in-band management of a server by sending various IPMI commands, all of which travel over the LPC bus and reach the BMC through the KCS interface. In-band management of a server covers operations such as powering the server on and off, setting its power-on policy and creating a user with administrator rights; each operation corresponds to a different IPMI command.
When an ordinary user sends these IPMI commands, the user's identity is not verified and every command delivered through the KCS interface is received and executed by the BMC, which is a security hazard for the management and maintenance of the server.
In the embodiments of the application, operations and maintenance staff send the server, through an external device, an IPMI command carrying information indicating that in-band security control is to be started, whereupon the BMC ignores any command received from the KCS interface. In-band management by ordinary users is thereby prevented and the risk of the server being operated by persons other than operations and maintenance staff is reduced.
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
Referring to Fig. 1, which illustrates a method for in-band management of a server according to an embodiment of the application, the method may be performed by an electronic device, which may be the server (more precisely, its BMC). It comprises steps S110 to S120:
Step S110: receiving a first set IPMI command sent by an external device, the first set IPMI command carrying information indicating that in-band security control is to be started.
Receiving an IPMI command sent by an external device may specifically comprise receiving it over an Inter-Integrated Circuit (I2C) bus, or receiving a communication packet containing the IPMI command through a network interface; in the latter case the packet may be a network message based on the User Datagram Protocol (UDP), which is the transport that IPMI over LAN (RMCP/RMCP+, UDP port 623) uses.
The IPMI command that controls in-band security must not be delivered through the KCS interface: once commands from the KCS interface are ignored, a command sent over KCS to stop ignoring them would itself be ignored. Provided that condition is met, the channel by which the control command is sent to the server should not be construed as limiting the application.
The first set IPMI command may be defined by the server's developers or operations and maintenance staff and is not published to ordinary users; sending it to the server starts the in-band security control action. Secrecy of the command number is not itself a protection, since a host-side tool can enumerate OEM commands, so the control rests on the channel restriction above and on the validity check described next.
Optionally, in a specific embodiment, step S110 may be followed by verifying the validity of the first set IPMI command, which may be implemented as follows.
Identity information corresponding to the first set IPMI command is stored in the server in advance. After receiving an IPMI command from an external device, the server obtains the identity information accompanying the command, compares it with the stored identity information for the first set IPMI command and, if the two match, determines that the source of the received first set IPMI command is legitimate. The identity information may be a user name and password. The comparison should run in constant time; over the network, IPMI 2.0 already authenticates the RMCP+ session (RAKP), so the natural implementation binds the command to an authenticated session holding Administrator privilege rather than re-checking a password inside the command handler.
In another embodiment, the validity of the first set IPMI command may be verified as follows:
The MAC addresses of the terminal devices held by each operations and maintenance person are stored in the server in advance. After receiving a communication packet carrying a first set IPMI command, the server obtains the packet's source MAC address and compares it with the stored addresses; if it matches one of them, the server determines that the command comes from operations and maintenance staff and that its source is legitimate. A source MAC address is not a secret and is trivially forged by any host on the management segment, so this check can supplement the credential check but should not replace it.
Step S120, according to the first set IPMI instruction, ignoring any instruction received from the KCS interface.
The server may receive an IPMI instruction sent from the external device and determine whether the IPMI instruction carries information characterizing the start of in-band security management. If it does, the server may ignore any instruction received from the KCS interface.
In one embodiment, ignoring any instruction received from the keyboard controller style (KCS) interface may be done as follows:
The IPMI processing module in the BMC parses the received IPMI instruction data packet, obtains the interface type field identifying the interface from which the data packet came, judges from that field whether the source interface is the KCS interface, and discards the data packet if it is.
Because in-band management actions of the server are performed by an ordinary user sending IPMI instructions, and those IPMI instructions are received and executed by the BMC through the KCS interface, ignoring any instruction received from the KCS interface prevents in-band management actions on the server by ordinary users and reduces the risk of the server being operated by non-O&M staff.
Referring to fig. 2, in a specific embodiment, after step S120, the method may further include the following steps S130 to S140:
Step S130, receiving a second set IPMI instruction sent by the external device, wherein the second set IPMI instruction comprises information indicating that in-band security control is to be stopped.
The second set IPMI instruction may be an IPMI instruction corresponding to the first set IPMI instruction; the two may be IPMI instructions of the same type but with different parameters.
Optionally, in a specific embodiment, verifying the validity of the second set IPMI instruction may be performed by:
Identity information corresponding to the second set IPMI instruction is prestored in the server. After receiving an IPMI instruction sent by an external device, the server may obtain the identity information carried by that IPMI instruction, compare it with the identity information of the second set IPMI instruction stored in advance, and, if the two are consistent, determine that the source of the second set IPMI instruction currently received is legal.
In another embodiment, verifying the validity of the second set IPMI instruction may be implemented by:
The MAC addresses of the terminal devices held by each O&M person are stored in the server in advance. After receiving a communication message carrying the second set IPMI instruction sent by an external device, the server can obtain the source MAC address of the communication message, compare it with the plurality of MAC addresses stored in advance, and judge whether the source MAC address matches one of them; if so, the server further judges whether a first set IPMI instruction was previously received from the same MAC address, and if so, the source of the second set IPMI instruction is determined to be legal.
Step S140, stopping ignoring instructions received from the KCS interface according to the second set IPMI instruction.
Ignoring instructions received from the KCS interface may thus be stopped after the second set IPMI instruction sent by the external device is received. The server switches between ignoring and not ignoring instructions received from the KCS interface according to the first and second set IPMI instructions. In this way, in-band management of the server becomes more flexible.
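The following is an added example, not code from the patent or from any BMC vendor, that models the BMC-side dispatch of steps S110 to S140 as a small state machine: the two set instructions are only honoured from a network interface and only from a pre-stored O&M MAC address, the stop instruction is accepted only from the MAC that sent the start instruction, and every packet whose interface type field says KCS is discarded while in-band security control is active. The packet layout, the interface type enumeration, the use of OEM NetFn 0x2E with command 0x01 and parameter 1/0 for the first and second set instruction, and the MAC allow-list are all assumptions constructed for the example; the patent only states that such fields and checks exist.

```c
/* Added example (not the patent's code): BMC-side model of steps S110..S140.
 * Packet fields, the OEM NetFn/Cmd pair and the MAC allow-list are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Interface type field carried with each received IPMI packet (assumed values). */
enum ipmi_iface { IFACE_KCS = 0, IFACE_LAN = 1 };

/* Hypothetical OEM "set" instruction: same NetFn/Cmd for both set instructions,
 * parameter 1 = start in-band security control, 0 = stop it. */
#define OEM_NETFN           0x2E
#define OEM_CMD_INBAND_SEC  0x01
#define PARAM_START         1
#define PARAM_STOP          0

struct ipmi_pkt {
    enum ipmi_iface iface;
    uint8_t src_mac[6];   /* source MAC of the network message (all zero for KCS) */
    uint8_t netfn;
    uint8_t cmd;
    uint8_t param;
};

enum verdict { V_EXECUTED, V_DROPPED_KCS, V_REJECTED_SOURCE, V_MODE_CHANGED };

struct bmc_state {
    bool inband_lockdown;              /* true: ignore everything from KCS   */
    const uint8_t (*allowed_macs)[6];  /* pre-stored O&M terminal MACs       */
    size_t n_allowed;
    uint8_t locker_mac[6];             /* MAC that sent the first set instr. */
};

static bool mac_allowed(const struct bmc_state *s, const uint8_t mac[6])
{
    for (size_t i = 0; i < s->n_allowed; i++)
        if (memcmp(s->allowed_macs[i], mac, 6) == 0) return true;
    return false;
}

static bool is_set_instruction(const struct ipmi_pkt *p)
{
    return p->netfn == OEM_NETFN && p->cmd == OEM_CMD_INBAND_SEC;
}

/* Dispatch one packet. Set instructions are recognised only off a non-KCS
 * interface, so the KCS filter can never swallow the "stop" instruction. */
enum verdict bmc_dispatch(struct bmc_state *s, const struct ipmi_pkt *p)
{
    if (is_set_instruction(p) && p->iface != IFACE_KCS) {
        if (!mac_allowed(s, p->src_mac)) return V_REJECTED_SOURCE;
        if (p->param == PARAM_START) {
            s->inband_lockdown = true;
            memcpy(s->locker_mac, p->src_mac, 6);
            return V_MODE_CHANGED;
        }
        if (p->param == PARAM_STOP) {
            /* stop is legal only if a start came from the same MAC earlier */
            if (!s->inband_lockdown || memcmp(s->locker_mac, p->src_mac, 6) != 0)
                return V_REJECTED_SOURCE;
            s->inband_lockdown = false;
            return V_MODE_CHANGED;
        }
    }
    if (s->inband_lockdown && p->iface == IFACE_KCS) return V_DROPPED_KCS;
    return V_EXECUTED;   /* hand to the ordinary IPMI command handler */
}

/* Constructed scenario: host-side Get Device ID over KCS, lockdown from an
 * O&M MAC, the same KCS command dropped, a stop from an unknown MAC rejected,
 * stop from the locking MAC accepted, KCS command executed again.
 * Returns how many of the six verdicts matched (6 when all do). */
int demo_sequence(void)
{
    static const uint8_t om_macs[][6] = { {0x02,0,0,0,0,0x01}, {0x02,0,0,0,0,0x02} };
    struct bmc_state s = { .inband_lockdown = false, .allowed_macs = om_macs, .n_allowed = 2 };
    struct ipmi_pkt kcs_devid = { IFACE_KCS, {0}, 0x06, 0x01, 0 };
    struct ipmi_pkt start    = { IFACE_LAN, {0x02,0,0,0,0,0x01}, OEM_NETFN, OEM_CMD_INBAND_SEC, PARAM_START };
    struct ipmi_pkt stranger = { IFACE_LAN, {0x02,0,0,0,0,0x09}, OEM_NETFN, OEM_CMD_INBAND_SEC, PARAM_STOP };
    struct ipmi_pkt stop     = { IFACE_LAN, {0x02,0,0,0,0,0x01}, OEM_NETFN, OEM_CMD_INBAND_SEC, PARAM_STOP };
    int ok = 0;
    ok += bmc_dispatch(&s, &kcs_devid) == V_EXECUTED;
    ok += bmc_dispatch(&s, &start)     == V_MODE_CHANGED;
    ok += bmc_dispatch(&s, &kcs_devid) == V_DROPPED_KCS;
    ok += bmc_dispatch(&s, &stranger)  == V_REJECTED_SOURCE;
    ok += bmc_dispatch(&s, &stop)      == V_MODE_CHANGED;
    ok += bmc_dispatch(&s, &kcs_devid) == V_EXECUTED;
    return ok;
}

int main(void)
{
    printf("matched verdicts: %d of 6\n", demo_sequence());
    return 0;
}
```

The ordering in bmc_dispatch is the whole point of the paragraph at the top of this section: the set instructions are checked before the KCS filter and are never accepted from KCS, so the server can always be unlocked from the out-of-band channel. A real BMC would additionally bind the MAC check to the authenticated IPMI session rather than trusting a layer-2 address alone.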
In a specific embodiment, after step S110 the method may further include: controlling the BMC to close the upgrade function of the BMC firmware according to the first set IPMI instruction.
If the upgrade function of the BMC firmware is not closed, a non-O&M person could upgrade the BMC firmware to a software version that does not support in-band security control, so that the KCS interface again accepts IPMI instructions. Controlling the BMC to close the upgrade function of its firmware therefore further reduces the risk of the server being operated by non-O&M staff.
Alternatively, only the BMC firmware upgrade modes without a verification process need be turned off, for example upgrading the BMC firmware over PCIe. Upgrade modes with a verification process, for example upgrading the BMC firmware over the network, need not be closed.
Optionally, controlling the BMC to close the upgrade function of the BMC firmware can be realized by the following step:
Rewriting a preset value of a target register in the BMC from a first value to a second value, so that the BMC disables the function by which a software tool upgrades the BMC firmware through the PCIe bus.
The target register may be the SCU_MISC_CONTROL register of ASPEED chips, the preset value may be the four bits 25, 24, 23 and 22 of the SCU_MISC_CONTROL register, and the software tool may be socflash. Specifically, bits 25, 24, 23 and 22 of the SCU_MISC_CONTROL register of ASPEED chips can be changed from 0 to 1.
Optionally, in another specific embodiment, controlling the BMC to close the upgrade function of the BMC firmware may be implemented in the following manner:
The first set IPMI instruction may directly carry information indicating that upgrading of the BMC firmware is prohibited; after receiving the first set IPMI instruction, the server parses it to obtain that information and executes the operation prohibiting the upgrade of the BMC firmware.
After the step of controlling the BMC to close the upgrade function of the BMC firmware according to the first set IPMI instruction, the method may further include the following steps S210 to S220:
Step S210, receiving a second set IPMI instruction sent by the external device, wherein the second set IPMI instruction comprises information indicating that in-band security control is to be stopped.
Step S220, according to the second set IPMI instruction, stopping ignoring any instruction received from the KCS interface, and controlling the BMC to start the upgrade function of the BMC firmware.
The server may also receive a second set IPMI instruction, sent by the external device and carrying information indicating that in-band security management and control is to be stopped; after receiving it, the server stops ignoring instructions received from the KCS interface and controls the BMC to restore the BMC firmware upgrade function that was turned off. The server thus switches the BMC firmware upgrade function on or off according to the first and second set IPMI instructions, which makes in-band management of the server more flexible.
Optionally, step S220 specifically includes: changing the preset value of the target register from the second value back to the first value, so that the BMC restores the function by which the software tool upgrades the BMC firmware through the PCIe bus.
Specifically, bits 25, 24, 23 and 22 of the SCU_MISC_CONTROL register of ASPEED chips can be changed from 1 back to 0.
Optionally, in another specific embodiment, controlling the BMC to start the firmware upgrade function of the BMC may be implemented in the following manner:
The IPMI instruction may directly carry information indicating that upgrading of the BMC firmware is allowed; after receiving it, the server parses the IPMI instruction to obtain that information and performs the operation allowing the upgrade of the BMC firmware.
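The register step described for closing (first value 0 to second value 1) and reopening (1 back to 0) the PCIe upgrade path is shown below as an added example, written for this page and not taken from the patent or from ASPEED's documentation. Only the bit numbers 25, 24, 23 and 22 of SCU_MISC_CONTROL come from the description; the register's MMIO address, any SCU write-protection or unlock sequence, and the meaning of each individual bit are not given on the page and are deliberately not assumed. The functions therefore operate on a caller-supplied 32-bit word (a shadow of the register) using a read-modify-write that preserves every other bit, which is the general pattern for any such control register, not just this one.

```c
/* Added example, not the patent's code: bits 25..22 of SCU_MISC_CONTROL as
 * described in the text, applied to a shadow word rather than real MMIO. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bits 25, 24, 23 and 22 (mask 0x03C00000). Bit semantics not assumed. */
#define SCU_MISC_PCIE_UPGRADE_BITS \
    ((1u << 25) | (1u << 24) | (1u << 23) | (1u << 22))

/* Read-modify-write touching only the requested bits so that the other
 * control bits in the same word are preserved. On hardware `reg` would
 * point at the memory-mapped register; here it points at a shadow word. */
static void reg_modify(volatile uint32_t *reg, uint32_t clear, uint32_t set)
{
    uint32_t v = *reg;
    v &= ~clear;
    v |= set;
    *reg = v;
}

/* First set IPMI instruction: first value (0) -> second value (1). */
void scu_misc_close_pcie_upgrade(volatile uint32_t *reg)
{
    reg_modify(reg, 0, SCU_MISC_PCIE_UPGRADE_BITS);
}

/* Second set IPMI instruction: second value (1) -> first value (0). */
void scu_misc_open_pcie_upgrade(volatile uint32_t *reg)
{
    reg_modify(reg, SCU_MISC_PCIE_UPGRADE_BITS, 0);
}

/* Read-back check: all four bits must read 1 for the PCIe upgrade path to
 * count as closed; a partially applied write leaves it open. */
bool scu_misc_pcie_upgrade_closed(uint32_t reg)
{
    return (reg & SCU_MISC_PCIE_UPGRADE_BITS) == SCU_MISC_PCIE_UPGRADE_BITS;
}

/* Pure helper: apply close (true) or open (false) to a value and return it. */
uint32_t scu_misc_apply(uint32_t reg, bool close)
{
    volatile uint32_t shadow = reg;
    if (close) scu_misc_close_pcie_upgrade(&shadow);
    else       scu_misc_open_pcie_upgrade(&shadow);
    return shadow;
}

int main(void)
{
    /* constructed start value with an unrelated bit (bit 0) already set */
    uint32_t v = scu_misc_apply(0x00000001u, true);
    printf("closed:   0x%08x (%s)\n", v, scu_misc_pcie_upgrade_closed(v) ? "yes" : "no");
    v = scu_misc_apply(v, false);
    printf("reopened: 0x%08x (%s)\n", v, scu_misc_pcie_upgrade_closed(v) ? "yes" : "no");
    return 0;
}
```

The read-back check is the part a practitioner would keep: the description says the bits are rewritten, and a firmware that treats the write as done without reading the register back cannot distinguish a successful lockdown from a write that was silently ignored by a write-protected SCU.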
Optionally, referring to fig. 5, in a specific embodiment the method for in-band management of a server provided in the embodiment of the present application may include the following steps S310 to S340:
Step S310, receiving a first set IPMI instruction sent by an external device, where the first set IPMI instruction includes information indicating that in-band security management is to be started.
Step S320, according to the first set IPMI instruction, ignoring any instruction received from the keyboard controller style (KCS) interface, and controlling the BMC to close the firmware upgrade function of the BMC.
After determining that the received IPMI instruction is the first set IPMI instruction, the following two actions may be performed at the same time: ignoring any instruction received from the KCS interface according to the first set IPMI instruction; and controlling the BMC to close the upgrade function of the BMC firmware.
Ignoring instructions received from the KCS interface while also closing the upgrade function of the BMC firmware prevents an illegal user from bypassing the KCS filtering by upgrading the BMC firmware, so in-band management is realized more comprehensively.
Step S330, receiving a second set IPMI instruction sent by the external device, where the second set IPMI instruction includes information indicating that in-band security management is to be stopped.
Step S340, according to the second set IPMI instruction, stopping ignoring any instruction received from the KCS interface, and controlling the BMC to start the firmware upgrade function of the BMC.
After determining that the received IPMI instruction is the second set IPMI instruction, the following two actions may be performed at the same time: stopping ignoring instructions received from the KCS interface; and controlling the BMC to start the upgrade function of the BMC firmware. Because the method not only stops ignoring instructions from the KCS interface but also restores the upgrade function of the BMC firmware, the original functions of the server are fully recovered.
Referring to fig. 5, fig. 5 shows a server in-band management apparatus provided by an embodiment of the present application, where the apparatus 400 includes:
the first instruction receiving module 410, configured to receive a first set Intelligent Platform Management Interface (IPMI) instruction sent by an external device, where the first set IPMI instruction includes information indicating that in-band security management is to be started;
the instruction ignoring module 420, configured to ignore any instruction received from the keyboard controller style (KCS) interface according to the first set IPMI instruction.
The first instruction receiving module 410 is specifically configured to receive, through a network interface, a communication message including the first set IPMI instruction.
The apparatus further comprises:
an instruction checking module, used for verifying the validity of the first set IPMI instruction;
an upgrade function closing module, used for controlling the BMC to close the upgrade function of the BMC firmware according to the first set IPMI instruction; the upgrade function closing module is specifically configured to rewrite a preset value of a target register in the BMC from a first value to a second value, so that the BMC disables the function by which a software tool upgrades the BMC firmware through the PCIe bus;
a stop security control module, used for receiving a second set IPMI instruction sent by the external device, wherein the second set IPMI instruction comprises information indicating that in-band security control is to be stopped;
an upgrade function starting module, used for controlling the BMC to start the upgrade function of the BMC firmware according to the second set IPMI instruction;
the upgrade function starting module is specifically configured to change the preset value of the target register from the second value back to the first value, so that the BMC restores the function by which the software tool upgrades the BMC firmware through the PCIe bus;
a second instruction receiving module, used for receiving a second set IPMI instruction sent by the external device, wherein the second set IPMI instruction comprises information indicating that in-band security control is to be stopped;
a stop ignoring module, used for stopping ignoring any instruction received from the KCS interface according to the second set IPMI instruction.
The in-band management device of the server provided by the embodiment of the application corresponds to the in-band management method of the server provided above, and will not be described herein.
Fig. 6 shows a block schematic of an electronic device. The electronic device 500 may include a memory 510, a memory controller 520, a processor 530, a peripheral interface 540, and an input output unit 550. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 6 is merely illustrative and is not limiting of the configuration of electronic device 500. For example, electronic device 500 may also include more or fewer components than shown in FIG. 6, or have a different configuration than shown in FIG. 6.
The above-mentioned memory 510, memory controller 520, processor 530, peripheral interface 540, and input/output unit 550 are electrically connected directly or indirectly to each other to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The processor 530 is configured to execute executable modules stored in the memory.
The memory 510 may be, but is not limited to, a random access memory (RAM), a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), etc. The memory 510 is configured to store a program, which the processor 530 executes after receiving an execution instruction; the method executed by the electronic device 500 as defined by the process disclosed in any embodiment of the present application may be applied to, or implemented by, the processor 530.
The processor 530 may be an integrated circuit chip with signal processing capability. The processor 530 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The above-described peripheral interface 540 couples various input/output devices to the processor 530 and the memory 510. In some embodiments, the peripheral interface 540, the processor 530, and the memory controller 520 may be implemented in a single chip. In other examples, they may be implemented by separate chips.
The input/output unit 550 is used for providing input data to a user. The input/output unit 550 may be, but is not limited to, a mouse, a keyboard, and the like.
The embodiment of the application also provides a computer readable storage medium, and the computer readable storage medium stores computer program instructions which execute the method for managing the server in-band provided by the embodiment of the application when being read and run by a processor of a computer. For example, a computer-readable storage medium may be implemented as memory 510 in electronic device 500 in FIG. 6.
The computer program product of the server in-band management method provided by the embodiment of the present application includes a computer readable storage medium storing program codes, where the program codes include instructions for executing the steps of the server in-band management method described in the above method embodiment, and the specific reference may be made to the above method embodiment, which is not repeated herein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (7)
1. A method for in-band management of a server, wherein the method is applied to a baseboard management controller (BMC) of the server and comprises:
receiving, by the server, a first set Intelligent Platform Management Interface (IPMI) instruction sent by an external device, wherein the first set IPMI instruction comprises information indicating that in-band security management is to be started;
according to the first set IPMI instruction, ignoring any instruction received from a keyboard controller style (KCS) interface;
wherein, after receiving the first set IPMI instruction sent by the external device, the method further comprises: controlling the BMC to close the upgrade function of the firmware of the BMC according to the first set IPMI instruction;
the receiving the first set IPMI instruction sent by the external device comprises: receiving, through a network interface, a communication message comprising the first set IPMI instruction;
the ignoring any instruction received from the KCS interface according to the first set IPMI instruction comprises: judging, by the server, whether an IPMI instruction sent by an external device carries information indicating that in-band security management and control is to be started, and if so, parsing the received IPMI instruction data packet through an IPMI processing module in the BMC, obtaining an interface type field identifying the interface from which the IPMI instruction data packet came, and discarding the IPMI instruction data packet when the interface type field shows that the interface is the KCS interface;
the controlling the BMC to close the upgrade function of the firmware of the BMC according to the first set IPMI instruction comprises: parsing, by the server, the first set IPMI instruction to obtain information indicating that upgrading of the firmware of the BMC is prohibited, and executing the operation prohibiting firmware upgrade of the BMC.
2. The method of claim 1, wherein after ignoring any instruction received from the KCS interface according to the first set IPMI instruction, the method further comprises:
receiving a second set IPMI instruction sent by the external device, wherein the second set IPMI instruction comprises information indicating that in-band security control is to be stopped;
according to the second set IPMI instruction, stopping ignoring any instruction received from the KCS interface.
3. The method of claim 1, wherein after controlling the BMC to close the upgrade function of the firmware of the BMC according to the first set IPMI instruction, the method further comprises:
receiving a second set IPMI instruction sent by the external device, wherein the second set IPMI instruction comprises information indicating that in-band security control is to be stopped;
according to the second set IPMI instruction, stopping ignoring any instruction received from the KCS interface, and controlling the BMC to start the upgrade function of the firmware of the BMC.
4. The method of claim 1, wherein after the receiving the first set IPMI instruction sent by the external device and before the ignoring any instruction received from the KCS interface according to the first set IPMI instruction, the method further comprises:
verifying the validity of the first set IPMI instruction.
5. A server in-band management device, applied to a baseboard management controller (BMC) of a server, the device comprising:
a first instruction receiving module, used for receiving a first set Intelligent Platform Management Interface (IPMI) instruction sent by an external device, wherein the first set IPMI instruction comprises information indicating that in-band security management is to be started;
an instruction ignoring module, used for ignoring any instruction received from a keyboard controller style (KCS) interface according to the first set IPMI instruction;
an upgrade function closing module, used for controlling the BMC to close the upgrade function of the firmware of the BMC according to the first set IPMI instruction;
wherein the receiving the first set IPMI instruction sent by the external device comprises: receiving, through a network interface, a communication message comprising the first set IPMI instruction;
the ignoring any instruction received from the KCS interface according to the first set IPMI instruction comprises: judging whether an IPMI instruction sent by the external device carries information indicating that in-band security management and control is to be started, and if so, parsing the received IPMI instruction data packet through an IPMI processing module in the BMC, obtaining an interface type field identifying the interface from which the IPMI instruction data packet came, and discarding the IPMI instruction data packet when the interface type field shows that the interface is the KCS interface;
the controlling the BMC to close the upgrade function of the firmware of the BMC according to the first set IPMI instruction comprises: parsing the first set IPMI instruction to obtain information indicating that upgrading of the firmware of the BMC is prohibited, and executing the operation prohibiting the firmware of the BMC from being upgraded.
6. An electronic device, comprising: a processor, a memory storing machine-readable instructions executable by the processor, which when executed by the processor perform the steps of the method of any of claims 1 to 4 when the electronic device is run.
7. A readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the steps of the method according to any of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011120415.4A CN112256300B (en) | 2020-10-19 | 2020-10-19 | Method and device for managing server in band, electronic equipment and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112256300A CN112256300A (en) | 2021-01-22 |
CN112256300B true CN112256300B (en) | 2024-09-17 |
Family
ID=74244992
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112256300B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20211012. Address after: 100089 building 36, courtyard 8, Dongbeiwang West Road, Haidian District, Beijing. Applicant after: Dawning Information Industry (Beijing) Co.,Ltd.; ZHONGKE SUGON INFORMATION INDUSTRY CHENGDU Co.,Ltd. Address before: Building 36, yard 8, Dongbei Wangxi Road, Haidian District, Beijing. Applicant before: Dawning Information Industry (Beijing) Co.,Ltd. |
| GR01 | Patent grant | |