From 1562bbcb50e2bf7b6130dc9f8d34494cd115c8d5 Mon Sep 17 00:00:00 2001 From: Tom Joseph Date: Mon, 20 Feb 2017 12:01:43 +0530 Subject: IPMI Whitelisted commands for FRU and OEM repositories The IPMI whitelisted commands for phosphor-ipmi-fru and openpower-ipmi-oem is added. Only the IPMI whitelisted listed commands are allowed in restricted mode. The IPMI whitelisted commands for phosphor-ipmi-fru and openpower-ipmi-oem are added as native packages and host-ipmid depends on those. Change-Id: Ic4184773656567eb0dffa30ef29f8bc3ced3aff4 Signed-off-by: Tom Joseph --- .../ipmi/openpower-ipmi-oem-whitelist-native.bb | 6 +++++ .../openpower-ipmi-oem-whitelist-native.conf | 2 ++ .../packagegroup-obmc-ipmid-providers.bbappend | 2 +- meta-phosphor/classes/obmc-phosphor-utils.bbclass | 8 +++++++ .../classes/phosphor-ipmi-host-whitelist.bbclass | 27 ++++++++++++++++++++++ .../ipmi/phosphor-ipmi-fru-whitelist-native.bb | 6 +++++ .../phosphor-ipmi-fru-whitelist-native.conf | 2 ++ .../recipes-phosphor/ipmi/phosphor-ipmi-host.bb | 10 ++++++++ .../packagegroup-obmc-ipmid-providers.bb | 11 ++++++--- 9 files changed, 70 insertions(+), 4 deletions(-) create mode 100644 meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist-native.bb create mode 100644 meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist/openpower-ipmi-oem-whitelist-native.conf create mode 100644 meta-phosphor/classes/phosphor-ipmi-host-whitelist.bbclass create mode 100644 meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist-native.bb create mode 100644 meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist/phosphor-ipmi-fru-whitelist-native.conf 
diff --git a/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist-native.bb b/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist-native.bb
new file mode 100644
index 000000000..425901894
--- /dev/null
+++ b/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist-native.bb
@@ -0,0 +1,6 @@
+SUMMARY = "Whitelisted OpenBMC IPMI OEM commands"
+DESCRIPTION = "Whitelisted OpenBMC IPMI OEM commands for OpenPOWER based systems"
+
+inherit obmc-phosphor-license
+inherit native
+inherit phosphor-ipmi-host-whitelist
\ No newline at end of file
diff --git a/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist/openpower-ipmi-oem-whitelist-native.conf b/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist/openpower-ipmi-oem-whitelist-native.conf
new file mode 100644
index 000000000..e61073e89
--- /dev/null
+++ b/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/ipmi/openpower-ipmi-oem-whitelist/openpower-ipmi-oem-whitelist-native.conf
@@ -0,0 +1,2 @@
+#:
+0x32:0xF0 //:
diff --git a/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bbappend b/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bbappend
index 43bdf4b43..538c5b9ed 100644
--- a/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bbappend
+++ b/meta-openbmc-machines/meta-openpower/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bbappend
@@ -1 +1 @@
-RDEPENDS_${PN}-libs += "openpower-ipmi-oem"
+OBMC_IPMID_PROVIDERS_append=" openpower-ipmi-oem"
diff --git a/meta-phosphor/classes/obmc-phosphor-utils.bbclass b/meta-phosphor/classes/obmc-phosphor-utils.bbclass
index 713c892fb..baaa19d57 100644
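Review bot: Neither whitelist entry says which command it allows: as rendered here the header line of openpower-ipmi-oem-whitelist-native.conf is a bare `#:` and the trailing comment on `0x32:0xF0` is an empty `//:`, and the same holds for `0x0A:0x12` in phosphor-ipmi-fru-whitelist-native.conf later in this patch. The commit message says only whitelisted commands are allowed in restricted mode, so every entry widens what stays reachable in that mode and should carry a named justification. In the IPMI specification NetFn 0x0A with command 0x12 is Storage / Write FRU Data, a write operation, which makes the missing rationale more than cosmetic. I would turn the header into a format line such as `#<NetFn>:<Cmd>` and give each entry a comment naming the command and why the host needs it in restricted mode; if that text was only lost when this page was rendered, the committed files should be checked to confirm it is present.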
--- a/meta-phosphor/classes/obmc-phosphor-utils.bbclass
+++ b/meta-phosphor/classes/obmc-phosphor-utils.bbclass
@@ -42,3 +42,11 @@ def compose_list_zip(d, fmtvar, *listvars, **kw):
 lists = [listvar_to_list(d, x) for x in listvars]
 lst = [fmt.format(*x) for x in zip(*lists)]
 return (kw.get('sep') or ' ').join(lst)
+
+
+def append_suffix(val, suffix):
+ words = val.split(' ')
+ newval = []
+ for w in words:
+ newval.append(w + suffix)
+ return ' '.join(newval)
\ No newline at end of file
diff --git a/meta-phosphor/classes/phosphor-ipmi-host-whitelist.bbclass b/meta-phosphor/classes/phosphor-ipmi-host-whitelist.bbclass
new file mode 100644
index 000000000..7db71d5c3
--- /dev/null
+++ b/meta-phosphor/classes/phosphor-ipmi-host-whitelist.bbclass
@@ -0,0 +1,27 @@
+# Common code for recipes that implement Phosphor IPMI Whitelist
+# packages
+
+WHITELIST ?= "${PN}.conf"
+INSTALLDIR = "${sysconfdir}/phosphor-ipmi-host/"
+
+python phosphor_ipmi_host_whitelist_postinstall() {
+ def install_whitelist(d):
+ # Create the install directory if needed
+ whitelist_file = d.getVar('WHITELIST', True)
+ install_dir = d.getVar('INSTALLDIR', True)
+ if not os.path.exists(install_dir):
+ os.makedirs(install_dir)
+ install_file = os.path.join(install_dir, whitelist_file)
+
+ # Search for conf file in FILESPATH
+ searchpaths = d.getVar('FILESPATH', True)
+ path = bb.utils.which(searchpaths, whitelist_file)
+ if not os.path.isfile(path):
+ bb.fatal('Did not find conf file "%s"' % whitelist_file)
+
+ # Copy the conf file into install directory
+ bb.utils.copyfile(path, install_file)
+
+ install_whitelist(d)
+}
+do_install[postfuncs] += "phosphor_ipmi_host_whitelist_postinstall"
\ No newline at end of file
diff --git a/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist-native.bb b/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist-native.bb
new file mode 100644
index 000000000..30c2443c3
--- /dev/null
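Review bot: `append_suffix` splits on a literal single space, so a value with leading, trailing or repeated whitespace (usual for BitBake variables written with `\` continuations) produces empty words, and each of those turns into a bare suffix token in the result. `val.split()` with no argument avoids that, and the body reduces to `return ' '.join(w + suffix for w in val.split())`. Nothing else in this patch calls the helper, since the packagegroup builds its whitelist names with `compose_list`, so it should either be used or dropped, and given a one-line docstring if it stays.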
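Review bot: `INSTALLDIR` in phosphor-ipmi-host-whitelist.bbclass is `${sysconfdir}/phosphor-ipmi-host/` with no `${D}` prefix, so the postfunc creates the directory and copies the file at the final path rather than into the recipe's install staging area. For the `native` recipes that inherit the class in this patch, `sysconfdir` presumably resolves inside the native sysroot, which is what the glob in phosphor-ipmi-host.bb relies on, but that bypasses normal staging, and a target recipe inheriting the class would resolve to the build host's own `/etc`. I would write `INSTALLDIR = "${D}${sysconfdir}/phosphor-ipmi-host/"` and let sysroot population stage the file. Because this file decides what stays allowed in restricted mode and is looked up through `FILESPATH`, a `bb.note` of the resolved `path` before the copy would also make an override from another layer visible in the build log.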
+++ b/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist-native.bb @@ -0,0 +1,6 @@ +SUMMARY = "Whitelisted IPMI FRU Parser commands" +DESCRIPTION = "Whitelisted IPMI FRU Parser commands for OpenBMC" + +inherit obmc-phosphor-license +inherit native +inherit phosphor-ipmi-host-whitelist \ No newline at end of file diff --git a/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist/phosphor-ipmi-fru-whitelist-native.conf b/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist/phosphor-ipmi-fru-whitelist-native.conf new file mode 100644 index 000000000..365c3d952 --- /dev/null +++ b/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-fru-whitelist/phosphor-ipmi-fru-whitelist-native.conf @@ -0,0 +1,2 @@ +#: +0x0A:0x12 //: \ No newline at end of file diff --git a/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-host.bb b/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-host.bb index 0b8b93d52..285df5e8d 100644 --- a/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-host.bb +++ b/meta-phosphor/common/recipes-phosphor/ipmi/phosphor-ipmi-host.bb @@ -13,6 +13,7 @@ inherit obmc-phosphor-ipmiprovider-symlink DEPENDS += "phosphor-logging" DEPENDS += "phosphor-mapper" DEPENDS += "autoconf-archive-native" +DEPENDS += "packagegroup-obmc-ipmid-providers" RDEPENDS_${PN}-dev += "phosphor-logging" RDEPENDS_${PN}-dev += "phosphor-mapper-dev" RDEPENDS_${PN} += "clear-once" @@ -24,6 +25,15 @@ SRC_URI += "git://github.com/openbmc/phosphor-host-ipmid" SRCREV = "513d68e11cf6d392e847d39c743ce54ccaa0ebf7" +# Setup IPMI Whitelist Conf files +WHITELIST_CONF = " \ + ${STAGING_ETCDIR_NATIVE}/phosphor-ipmi-host/*.conf \ + ${S}/host-ipmid-whitelist.conf \ + " +EXTRA_OECONF = " \ + WHITELIST_CONF="${WHITELIST_CONF}" \ + " + S = "${WORKDIR}/git" HOSTIPMI_PROVIDER_LIBRARY += "libapphandler.so" 
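Review bot: `WHITELIST_CONF` in the second phosphor-ipmi-host.bb hunk takes every `*.conf` under `${STAGING_ETCDIR_NATIVE}/phosphor-ipmi-host/`, so the set of commands allowed in restricted mode is whatever is staged in that directory rather than the list named by `OBMC_IPMID_WHITELISTS`. If the native sysroot is shared between recipes, a whitelist left by an earlier build or by a provider that is no longer selected would still be picked up; this is inferred from the glob, as the configure side is not visible here. Building the list from the selected providers, or at least logging the expanded file list at configure time, would make the allowlist reproducible and reviewable. Separately, `EXTRA_OECONF = " \` assigns with `=` and discards anything set earlier in the recipe or by an inherited class; `EXTRA_OECONF += " \` keeps it.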
diff --git a/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bb b/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bb index 6f82cb32c..476ad5037 100644 --- a/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bb +++ b/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-ipmid-providers.bb @@ -7,7 +7,12 @@ inherit obmc-phosphor-license PROVIDES = "${PACKAGES}" PACKAGES = "${PN}-libs" +OBMC_IPMID_PROVIDERS = "phosphor-ipmi-fru" + SUMMARY_${PN}-libs = "Extra providers for ipmid." -RDEPENDS_${PN}-libs = " \ - phosphor-ipmi-fru \ - " +RDEPENDS_${PN}-libs = "${OBMC_IPMID_PROVIDERS}" + +WHITELIST_FORMAT = "{0}-whitelist-native" +OBMC_IPMID_WHITELISTS = "${@compose_list(d, 'WHITELIST_FORMAT', 'OBMC_IPMID_PROVIDERS')}" + +DEPENDS_append = "${OBMC_IPMID_WHITELISTS}" \ No newline at end of file -- cgit v1.2.1
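Review bot: `DEPENDS_append = "${OBMC_IPMID_WHITELISTS}"` has no leading space, and `_append` does not insert one, so the first whitelist name is concatenated onto whatever `DEPENDS` already ends with. It only works if `DEPENDS` is empty or ends in whitespace at that point, which is not visible in this hunk. The bbappend in this same patch gets it right with `OBMC_IPMID_PROVIDERS_append=" openpower-ipmi-oem"`, and this line should match: `DEPENDS_append = " ${OBMC_IPMID_WHITELISTS}"`.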