THX Nathan!
I should be able to test both on new HW which requires the HMAC-SHA256 soon and 
report back.
I still do not understand why my output is different than yours, but this is 
just my lack of knowledge around ipmitool most likely. I will try on the new 
system and see.

Gilad Berman
HPC Architect, Lenovo EMEA
gber...@lenovo.com    +972-522554262


From: Nathan A Besaw via xCAT-user <xcat-user@lists.sourceforge.net>
Sent: Wednesday, 1 March 2023 16:05
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Cc: Nathan A Besaw <bes...@us.ibm.com>
Subject: [External] Re: [xcat-user] ipmitool C17 and IPMI.pm SHA256 support

Hi Gilad,

> 1. Regarding IPMI.pm – Any reason the patch below was not merged? Can you 
> consider merging it now to allow support?
We have not merged the patch yet for two reasons:
 - We did not know how to test this change and verify that HMAC-SHA256 was 
getting used successfully.
 - We don't have access to any x86 hardware that supports HMAC-SHA256, so we 
were unable to test the change.

If others in the community could update 
https://github.com/xcat2/xcat-core/pull/6391
with a test description that can be used to verify the change and some results 
of that test from one or more x86 platforms that support HMAC-SHA256, it would 
give us more confidence in merging the PR.

> 2. Ipmitool-xcat – We are using the latest package - 
> ipmitool-xcat-1.8.18-4.x86_64 – but it still does not have Cipher Suite 17, 
> although ipmitool-1.8.18 should have it (*).
I think ipmitool-xcat-1.8.18-4 does support cipher suite 17. I think this 
output may indicate that your server does not have cipher suite 17 enabled.

RMCP+ Cipher Suites     : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16

Cipher Suite Priv Max   : XXaXXXXXXXXXXXX

I am able to enable cipher suite 17 when communicating with an IBM Power AC922 
server using ipmitool-xcat:
# RHEL 9.0 ppc64le + ipmitool-xcat-1.8.18-4 + IBM Power AC922 server
# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.0 Beta (Plow)

# rpm -q ipmitool-xcat
ipmitool-xcat-1.8.18-4.ppc64le

# ipmitool-xcat -I lanplus -H XXX.XXX.XXX.XXX lan print -C 17
Password:
Set in Progress         : Set Complete
Auth Type Support       : MD5
Auth Type Enable        : Callback : MD5
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : MD5
                        : OEM      : MD5
RMCP+ Cipher Suites     : 3,17
Cipher Suite Priv Max   : Not Available
Bad Password Threshold  : Not Available

# RHEL 7.6 x86_64 + ipmitool-xcat-1.8.18-3 + IBM Power AC922 server
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)

# rpm -q ipmitool-xcat
ipmitool-xcat-1.8.18-3.x86_64

# /opt/xcat/bin/ipmitool-xcat -I lanplus -H XXX.XXX.XXX.XXX lan print -C 17
Password:
Set in Progress         : Set Complete
Auth Type Support       : MD5
Auth Type Enable        : Callback : MD5
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : MD5
                        : OEM      : MD5
RMCP+ Cipher Suites     : 3,17
Cipher Suite Priv Max   : Not Available
Bad Password Threshold  : Not Available

________________________________
From: Gilad Berman <gber...@lenovo.com>
Sent: Tuesday, February 28, 2023 8:28 AM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: [EXTERNAL] [xcat-user] ipmitool C17 and IPMI.pm SHA256 support

Hello,

Taking advantage of this thread to try and understand current status and future 
plans, because new HW often requires (at least by default) the newer security 
protocols.

  1.  Regarding IPMI.pm – Any reason the patch below was not merged? Can you 
consider merging it now to allow support?

  2.  Ipmitool-xcat – We are using the latest package - 
ipmitool-xcat-1.8.18-4.x86_64 – but it still does not have Cipher Suite 17, 
although ipmitool-1.8.18 should have it (*).

Any reason it is not in the xcat version? It seems that there are patches which 
add it (+the best-cipher, which is great)

Am I missing something?

Is there a way to take 1.8.19 and use it to build ipmitool-xcat? With the 
different patches and changes, I am sure I will miss something.

RMCP+ Cipher Suites     : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16

Cipher Suite Priv Max   : XXaXXXXXXXXXXXX

(*) I might be wrong, I am not 100% sure when it was introduced.

THX in advance!

Gilad Berman
HPC Architect, Lenovo EMEA
gber...@lenovo.com    +972-522554262



From: Jarrod Johnson <jjohns...@lenovo.com>
Sent: Thursday, 23 February 2023 20:44
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] Re: ipmitool -I open vs lanplus vs lan



Note that the ipmitool equivalent should be at least lanplus nowadays.



Biggest risk I could see is that some firmware nowadays requires at least 
cipher suite 17, if ipmi is enabled at all.



https://github.com/xcat2/xcat-core/commit/8d5df5d6cae07219e10d1a00538cafdb8e3bbf13

Implement HMAC-SHA256 in xCAT IPMI · xcat2/xcat-core@8d5df5d

This will be compatible with some current implementations that do not have 
SHA-1. HMAC-SHA1 may be still secure, but SHA1 in any context *looks* bad even 
if it isn't.

That change to IPMI.pm might alleviate.  Double check if ipmitool with -C 17 
will work, and if that will work, you may need IPMI.pm to change to support 
SHA256 in the hmac.





________________________________

From: Mark Gurevich via xCAT-user <xcat-user@lists.sourceforge.net>
Sent: Thursday, February 23, 2023 1:35 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Cc: Mark Gurevich <gurev...@us.ibm.com>
Subject: [External] Re: [xcat-user] ipmitool -I open vs lanplus vs lan



xCAT uses raw ipmi commands to do ipmi communication.

You can turn xCAT debug on with "chdef -t site clustersite xcatdebugmode=1" and 
then issue a command, like
"rpower <node> stat" to see all the raw ipmi commands xCAT is sending.

Use "chdef -t site clustersite xcatdebugmode=0" to turn debug off.

-----Original Message-----
From: Michael Green <mishagr...@gmail.com>
Sent: Thursday, February 23, 2023 1:08 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: [EXTERNAL] [xcat-user] ipmitool -I open vs lanplus vs lan

Hello collective wisdom,

What IPMI interface does xcat use?
Is it lan or lanplus or open? (As in ipmitool -I ) Is it configurable?

I have a bunch of new Dell servers in the lab that don't seem to communicate 
over lan or lanplus interface, only open and I have trouble provisioning them 
through xcat. I suspect it's because of lanplus not supported/missing from 
these servers.
--
Regards,
Michael

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
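
An added example, not part of any message in this thread and not xCAT or ipmitool code: a Python check that reads saved "lan print" output and reports whether the BMC advertises cipher suite 17, grouping the advertised IDs by the RAKP authentication algorithm that the IPMI 2.0 cipher suite table assigns them. The function names are assumptions of this example; the two sample strings are trimmed from the outputs quoted in the thread.

```python
import re

# RAKP authentication algorithm for each standard RMCP+ cipher suite ID
# (IPMI 2.0 cipher suite table): 0 none, 1-5 SHA1, 6-14 MD5, 15-19 SHA256.
AUTH_BY_SUITE = {0: "none"}
AUTH_BY_SUITE.update({i: "HMAC-SHA1" for i in range(1, 6)})
AUTH_BY_SUITE.update({i: "HMAC-MD5" for i in range(6, 15)})
AUTH_BY_SUITE.update({i: "HMAC-SHA256" for i in range(15, 20)})

def advertised_suites(lan_print_text):
    """Sorted cipher suite IDs from `lan print` output; None if the line is missing."""
    m = re.search(r"^RMCP\+ Cipher Suites[ \t]*:[ \t]*(.*)$", lan_print_text, re.MULTILINE)
    if m is None:
        return None
    return sorted({int(tok) for tok in re.findall(r"\d+", m.group(1))})

def audit(lan_print_text):
    """Report whether suite 17 is advertised and group all IDs by auth algorithm."""
    suites = advertised_suites(lan_print_text)
    if suites is None:
        return {"status": "no-cipher-suite-line", "suite17": False, "by_auth": {}}
    by_auth = {}
    for sid in suites:
        by_auth.setdefault(AUTH_BY_SUITE.get(sid, "OEM/unknown"), []).append(sid)
    return {"status": "ok", "suite17": 17 in suites, "by_auth": by_auth}

# Sample inputs trimmed from the two outputs quoted in this thread.
X86_OUTPUT = """\
RMCP+ Cipher Suites     : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
Cipher Suite Priv Max   : XXaXXXXXXXXXXXX
"""
AC922_OUTPUT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5
RMCP+ Cipher Suites     : 3,17
Cipher Suite Priv Max   : Not Available
"""

if __name__ == "__main__":
    for name, text in (("x86", X86_OUTPUT), ("AC922", AC922_OUTPUT)):
        print(name, audit(text))
```

On the x86 sample the result shows HMAC-SHA256 suites 15 and 16 advertised without 17; on the AC922 sample only suites 3 and 17 are advertised.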

