
Is there any reason KVM/IP is not a viable solution for remote management?

Remote access to DMA capability is just batshit insanity.

This works even absent an OS. In fact, that's the whole idea.


I read about this a while ago. Apparently Intel's Management Technology which is built into like every Intel CPU now listens directly on the network interface so it can still send/receive data in case the OS is borked. It hooks in at ring 0. Like a rootkit the OS can't see.


It's common in the datacenter to come across motherboards with a switched eth0, with the BMC behind one leg and the user system behind another. You don't have to get that creative to get IPMI out of a machine when the OS is hosed -- to be honest, I think that is what you're actually thinking of, because "hook[ing] in on ring 0" is difficult to imagine working. You'd need driver awareness for when the management plane wants to transmit, at the least.


It's not just Intel that does it. HP Storage solutions use iLO which is pretty much the same thing for SANs.


Not just SANs, pretty much their entire product line. iLO is a very common IPMI deployment at companies with HPE gear, which is a number of very large ones.


> This works even absent an OS. In fact, that's the whole idea.

It's still an OS, it's just not on the hard drive.

The real issue is that we don't have the source code for it and only the OEM can patch security vulnerabilities -- or not.




It's pretty much standard at large companies to never bother running the installer on the machine (if it even has one and isn't procured without an OS) they bought but instead to use a provisioning tool to re-image the machine before it first gets booted. Think of it as a DRAC card with some fancy tricks in a regular desktop (or laptop) and without occupying much space or a slot.


AMT includes KVM/IP.

