
What is BMC and do I care?

  • 1.  What is BMC and do I care?

    Posted Wed May 07, 2025 01:42 PM

    I have had multiple Power systems for years.  I've done numerous upgrades.

    I used to have physical HMC's but now have vHMC's and would never go back to physical HMCs.

    I'm familiar with ASMI and can log into that.

    I hear talk of BMC but I'm not really sure what that is, or, if my setup would even use it.  What is it?

    I use my HMC to upgrade firmware on my Power systems.  I keep firmware, vios, IBM i, HMC releases current and patched.  Is BMC something to be concerned about too?



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------


  • 2.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 01:49 PM
    BMC is the new FSP/ASMI. It's a cheap IPMI interface like whitebox
    Intel PC's use, instead of IBM's FSP. They are in use on the POWER10.

    You will upgrade the BMC firmware to update the system firmware from
    now on. It can be disruptive or concurrent just like the old FSP. Most
    of the time, it's basically the same.

    Be aware that the BMC account will silently fail with passwords over
    19 characters. There is a 19 character limit (IPMI standard).

    Using IPMI is yet another reason to make sure your BMC ports are on a
    separate network and not on the corporate LAN.

    Thanks.



    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 3.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 01:55 PM

    So basically BMC is a rename of ASMI?

    If I log into my HMC and upgrade the firmware that way, doesn't that automatically upgrade the BMC also?

    I've never understood why the ASMI port needs to be on a separate network.  I don't keep HR data, proprietary engineering drawings, strategic business plans, etc on a separate network.  Why should the ASMI port be on a separate network?



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 4.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 02:26 PM

    I logged into ASMI/BMC/nameoftheday.  Under Firmware "BMC and server" it says fw1060.21-1-1060.2446.20250214a-prod (ML1060_093)

    I logged into HMC, in view system firmware levels I see fw1060.21 (093)  Which basically looks like the above with just a bunch of stuff in the middle chopped out.  Basically, upgrading the firmware via the HMC updates BMC code also, right?  There's no additional process needed?  Someone said something to me and I wanted to make sure I'm not missing anything.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 5.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 03:02 PM
    On Wed, May 07, 2025 at 06:26:13PM +0000, Robert Berendt via IBM TechXchange Community wrote:
    > I logged into ASMI/BMC/nameoftheday. Under Firmware "BMC and
    > server" it says fw1060.21-1-1060.2446.20250214a-prod (ML1060_093)
    >
    >
    > I logged into HMC, in view system firmware levels I see fw1060.21
    > (093) Which basically looks like the above with just a bunch of
    > stuff in the middle chopped out. Basically, upgrading the firmware
    > via the HMC updates BMC code also, right? There's no additional
    > process needed? Someone said something to me and I wanted to make
    > sure I'm not missing anything.

    That's correct.

    Now if you have a physical POWER8 based HMC, that has BMC code to
    update separate from the HMC code. POWER10 systems only have the BMC code.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 6.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 03:16 PM

    Never had a Power based HMC.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 7.  RE: What is BMC and do I care?

    Posted Thu May 08, 2025 09:42 AM

    POWER10 systems only have the BMC code. ->

    High End 9080-HEX are still with dual FSP, so Power10 does not have only BMC. It is also eBMC (enterprise).



    ------------------------------
    Ivaylo Bozhinov
    ------------------------------



  • 8.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 02:29 PM
    Robert,

    Management ports are often sensitive and putting them on a separate
    network prevents them from being accessed by snoopy users, network
    scans, etc. There are some appliances (*cough* FastT *cough*) that
    would die from DDOS when network scanned.

    Unfortunately ASMI also has a poor history of using weak passwords. If
    I can access your ASMI from a PC on your public LAN, and guess the IBM
    default, I can turn off your server without warning.

    I recommend SAN switches, SAN storage, and IPMI/FSP interfaces be on
    separate networks. The HMC has built in support to run that on a
    dedicated switch or a private nonrouted VLAN via DHCP.

    Thanks.


    On Wed, May 07, 2025 at 05:54:39PM +0000, Robert Berendt via IBM TechXchange Community wrote:
    > So basically BMC is a rename of ASMI?
    >
    >
    > If I log into my HMC and upgrade the firmware that way, doesn't that automatically upgrade the BMC also?
    >
    >
    > I've never understood why the ASMI port needs to be on a separate network. I don't keep HR data, proprietary engineering drawings, strategic business plans, etc on a separate network. Why should the ASMI port be on a separate network?


    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 9.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 02:51 PM

    So basically this is the major concern, right?  If one leaves the ASMI password at the default, or if they assign it a weak password and it gets guessed, then someone can power off the server?  Much like if I leave my IBM i password for QSECOFR at QSECOFR someone could issue PWRDWNSYS *IMMED?  Or if I leave my AIX root user's password at a default value someone could issue the shutdown command?  But it's not like they get any backdoor access to any LPAR's data hosted on the system, right?

    And, with the growing popularity of vHMC, taking that ASMI cable and plugging it into a dedicated port on the HMC is out of the question.  So you end up plugging it into a switch anyway, right?  So, sure, we can configure it on a vlan, just as long as I, or my team can get to it.  Our Power systems are either a few hours south or a few hours north of our office.

    <snip>

    Unfortunately ASMI also has a poor history of using weak passwords. If
    I can access your ASMI from a PC on your public LAN, and guess the IBM
    default, I can turn off your server without warning.

    </snip>



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 10.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 03:08 PM
    On Wed, May 07, 2025 at 06:51:20PM +0000, Robert Berendt via IBM TechXchange Community wrote:
    > So basically this is the major concern, right? If one leaves the
    > ASMI password at the default, or if they assign it a weak password
    > and it gets guessed, then someone can power off the server?

    Power off. Factory reset settings. Tweak the hardware so you can't
    power back on (ie: guard out hardware). It's bad, but shouldn't be any
    data access. Unexpected downtime and risk of inoperable hardware.

    > Much like if I leave my IBM i password for QSECOFR at QSECOFR
    > someone could issue PWRDWNSYS *IMMED? Or if I leave my AIX root
    > user's password at a default value someone could issue the shutdown
    > command? But it's not like they get any backdoor access to any
    > LPAR's data hosted on the system, right?

    These accounts are administrative in the OS of the LPAR. Having root
    means you can access all data, period. That's really bad. Mass
    deletion, data theft, etc.

    Also look out for ANY regular user account on AIX that can login (ie:
    via SSH). The default configuration of AIX's SSHD allows all users to
    SFTP any files they have permissions for (ie: your whole database
    directory with 755 perms). The logging of SFTP transfers isn't enabled
    either, making it a silent vector for data theft.

    > And, with the growing popularity of vHMC, taking that ASMI cable and
    > plugging it into a dedicated port on the HMC is out of the question.
    > So you end up plugging it into a switch anyway, right? So, sure, we
    > can configure it on a vlan, just as long as I, or my team can get to
    > it. Our Power systems are either a few hours south or a few hours
    > north of our office.

    You can dual home the vHMC. One network port gets a public LAN IP for
    you to login. A second port can be attached to a dead / private
    VLAN. Configure DHCP there and the FSP/BMC should connect. I still
    recommend strong passwords under 19 characters.

    Thanks.


    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/
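
A minimal audit for the two SFTP points raised in the reply above (transfers not logged, no restriction on which users may log in), added here as an example and not code from the thread. The sample configurations and finding names are constructed; `-l`/`-f` are the standard OpenSSH `sftp-server` logging flags and `AllowGroups` is a standard `sshd_config` keyword.

```python
# Log levels at which sftp-server records per-file transactions (sftp-server(8)).
TRANSFER_LEVELS = {"INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}
ACCESS_KEYWORDS = {"allowusers", "allowgroups", "denyusers", "denygroups"}

# Constructed samples, not taken from a real AIX host.
STOCK_LIKE = """\
Port 22
PermitRootLogin no
#AllowGroups sysadmin
Subsystem sftp /usr/sbin/sftp-server
"""

HARDENED = """\
Port 22
PermitRootLogin no
AllowGroups sysadmin
Subsystem sftp /usr/sbin/sftp-server -f AUTH -l INFO
Match Group sysadmin
    X11Forwarding no
"""


def audit_sshd_config(text):
    """Audit the global section of an sshd_config for the two gaps above."""
    sftp_args = None      # tokens after "Subsystem sftp", None if absent
    restricted = False    # True once a global Allow*/Deny* directive is seen
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        key = words[0].lower()
        if key == "match":
            in_match = True   # later directives are conditional, not global
        elif key == "subsystem" and len(words) >= 3 and words[1] == "sftp":
            sftp_args = words[2:]
        elif key in ACCESS_KEYWORDS and not in_match:
            restricted = True

    result = {"sftp_enabled": sftp_args is not None,
              "log_level": None, "findings": []}
    if sftp_args is None:
        return result
    level = "ERROR"       # sftp-server default when -l is not given
    if "-l" in sftp_args[:-1]:
        level = sftp_args[sftp_args.index("-l") + 1].upper()
    result["log_level"] = level
    if level not in TRANSFER_LEVELS:
        result["findings"].append("sftp-transfers-not-logged")
    if not restricted:
        result["findings"].append("sftp-open-to-all-login-users")
    return result


if __name__ == "__main__":
    for name, cfg in (("stock-like", STOCK_LIKE), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg))
```

`sftp-server` logs through syslog, so the facility passed with `-f` also needs a destination in the host's syslog configuration.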




  • 11.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 03:26 PM
    Thank you for bearing with me.
     
    If I were to do something like this, and my vHMC was on vmware so one of the physical ports on that vmserver would then be tied up solely for this?
     
    Currently we have two vHMC's.  One in Indianapolis and one in Grand Rapids MI.  Either vHMC can control the power systems in the other DC.  If I were to connect that ASMI port to the local vmserver for sole access by the vHMC hosted on that vmserver, then if that instance goes down, or if that vmserver is undergoing maintenance then I have no access to ASMI, right?  But with the way I have it set up I can still get to ASMI if needed.  And my vHMC in the other DC can perform as a backup.
     
    Actually, this has been quite convenient when upgrading HMC's to still have access via the other data center.
    One thing I really love about vHMC is the ability to do a flash copy so if the HMC goes bad while upgrading it is quite simple to restart the upgrade.


    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 12.  RE: What is BMC and do I care?

    Posted Wed May 07, 2025 03:35 PM
    On Wed, May 07, 2025 at 07:25:38PM +0000, Robert Berendt via IBM TechXchange Community wrote:
    > If I were to do something like this, and my vHMC was on vmware so
    > one of the physical ports on that vmserver would then be tied up
    > solely for this?

    Not if you have trunking enabled. Then VMware can just use a virtual
    port on a vlan with a trunked physical port.

    > Currently we have two vHMC's. One in Indianapolis and one in Grand
    > Rapids MI. Either vHMC can control the power systems in the other
    > DC.

    Depends on if your private VLAN is setup to cross sites. It would be
    more normal to be local though. That means only the local HMC could
    manage the system.

    Another option is to use firewalling to restrict who can talk into a
    shared VLAN. That may work better for a dual site.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 13.  RE: What is BMC and do I care?

    Posted Thu May 08, 2025 05:27 AM

    > It's bad, but shouldn't be any data access. Unexpected downtime and risk of inoperable hardware.

    This is what you can easily accomplish if you have ASMI access from a corporate network and can read IBM documentation.

    Don't forget that ASMI works on the same hardware as all your LPARs and nothing else, like a small Linux system. It has access to all data in RAM. Your LPARs don't write directly to disks, but write first to the RAM. If someone can hack into it, they can get access to all your LPARs and data. No, I never heard about such a case, and this is a theory. But separate your ASMI/BMC interfaces into a separate VLAN, where nobody has access except the HMC. Make the VLAN non-routable.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 14.  RE: What is BMC and do I care?

    Posted Mon May 12, 2025 05:15 PM

    There are a few things in this thread that I would like to correct for Power10 eBMC:

    > Be aware that the BMC account will silently fail with passwords over
    > 19 characters. There is a 19 character limit (IPMI standard).

    > Using IPMI is yet another reason to make sure your BMC port are on a
    > separate network and not on the corporate LAN.

    It is true that the IPMI standard has a password limit; however, this is not the case for the eBMC.  Due to the known security concerns with IPMI, it is disabled by default, and eBMC accounts do not have a 20 char IPMI limit.  However, if you decide to enable IPMI and also give IPMI permissions to an account on the BMC, then that account will be impacted by the IPMI 20 char limit.

    Information on the eBMC password policy: https://www.ibm.com/docs/en/power10/9105-22B?topic=gui-setting-password
    Information on how to control IPMI: https://www.ibm.com/docs/en/power10/9105-22B?topic=ipmi-enabling-adding-user-accounts

    > Don't forget that ASMI works on the same hardware as all your LPARs and nothing else, like a small Linux system. It has access to all data in RAM. Your 
    > LPARs don't write directly to disks, but write first to the RAM. If someone can hack into it, they can get access to all your LPARs and data. No, I never heard
    > about such a case, and this is a theory. But separate your ASMI/BMC interfaces into a separate VLAN, where nobody has access except the HMC.
    > Make the VLAN non-routable.


    This is not correct.  The eBMC is a separate isolated domain inside the system that has its own processor, RAM and firmware stack.  The eBMC does not have arbitrary access to the RAM that is used by the host processors and where the LPARs on the system have their data stored.  If someone can hack into the BMC they could create DoS attacks as was mentioned in this thread but they cannot breach the confidentiality or integrity of the host (LPARs).

    However, I do agree that it is recommended to put your management network (HMC/BMC/FSP) on a separate VLAN from your LPARs to reduce the exposure of the attacks that were mentioned.  This and many other suggestions can be found here: https://www.ibm.com/docs/en/power10/9105-22B?topic=systems-security-guidelines

    > I logged into HMC, in view system firmware levels I see fw1060.21 (093)  Which basically looks like the above with just a bunch of stuff in the middle
    > chopped out.  Basically, upgrading the firmware via the HMC updates BMC code also, right?  There's no additional process needed?  Someone said
    > something to me and I wanted to make sure I'm not missing anything.

    As I believe you have found out already the Power FW image (eg fw1060.21) contains the BMC firmware as well as the host processor firmware in one bundle.  So only one update is required.



    ------------------------------
    Chris Engel
    Power Firmware Security Architect
    ------------------------------
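
One way to check the two conditions described in the post above (IPMI enabled, and an account granted IPMI permission) from management-controller data, added here as an example and not code from the thread or from IBM. It uses the standard DMTF Redfish property names (`IPMI.ProtocolEnabled` in ManagerNetworkProtocol, `AccountTypes` in ManagerAccount); that a given eBMC firmware level exposes them this way is an assumption, and the sample documents and user names are constructed.

```python
IPMI_PASSWORD_LIMIT = 20  # the IPMI limit quoted in the post above

# Constructed sample documents shaped like Redfish ManagerNetworkProtocol
# and ManagerAccount resources; not captured from a real system.
SAMPLE_NETWORK_PROTOCOL = {
    "HTTPS": {"ProtocolEnabled": True, "Port": 443},
    "IPMI": {"ProtocolEnabled": True, "Port": 623},
}
SAMPLE_ACCOUNTS = [
    {"UserName": "admin", "Enabled": True, "AccountTypes": ["Redfish"]},
    {"UserName": "svc-ipmi", "Enabled": True,
     "AccountTypes": ["IPMI", "Redfish"]},
    {"UserName": "old-ipmi", "Enabled": False, "AccountTypes": ["IPMI"]},
]


def audit_ipmi_exposure(network_protocol, accounts):
    """Report whether IPMI is on and which enabled accounts carry IPMI access."""
    ipmi = network_protocol.get("IPMI") or {}
    enabled = bool(ipmi.get("ProtocolEnabled"))
    ipmi_users = sorted(
        a["UserName"] for a in accounts
        if a.get("Enabled", True) and "IPMI" in (a.get("AccountTypes") or [])
    )
    return {
        "ipmi_enabled": enabled,
        "ipmi_port": ipmi.get("Port") if enabled else None,
        "ipmi_accounts": ipmi_users,
        # Per the post: the limit bites only when IPMI is enabled AND the
        # account has been given IPMI permission.
        "length_limited_accounts": ipmi_users if enabled else [],
    }


def password_fits(report, username, password):
    """False if this account is length-limited and the password is too long."""
    if username in report["length_limited_accounts"]:
        return len(password) <= IPMI_PASSWORD_LIMIT
    return True


if __name__ == "__main__":
    report = audit_ipmi_exposure(SAMPLE_NETWORK_PROTOCOL, SAMPLE_ACCOUNTS)
    print(report)
    print(password_fits(report, "svc-ipmi", "x" * 24))
```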



  • 15.  RE: What is BMC and do I care?

    Posted Thu May 08, 2025 04:34 PM

    It's a good story, security, APIs, standards ... perhaps look at these from the bottom up...  All P10 servers except E1080 use eBMC.

    OpenBMC industry standard 'roots':  https://www.openbmc.org/ 


    ------------------------------
    Charlie Berry
    ------------------------------



  • 16.  RE: What is BMC and do I care?

    Posted Fri May 09, 2025 01:41 AM

    You should be aware that with the introduction of eBMC, IBM introduced the new VMI connection (a thing that did not exist before on the FSP systems), so now you should consider configuring the VMI connection as well (when managed by HMC).



    ------------------------------
    Ivaylo Bozhinov
    ------------------------------