Through June and July, AMI MegaRAC BMC firmware has been in the news owing to high-severity vulnerabilities that have existed for years but only recently come to light. Server hardware widely contains BMCs, and compromising one can give near-total control over the server. Many vendors shipped this firmware with their own branding.
But what exactly is a BMC, and what can we do to stay secure?
A BMC, or “Baseboard Management Controller”, manages a server remotely. Physical access to servers is typically tightly controlled (or at least very inconvenient). But like any computer, it could go offline, fail to boot, or otherwise misbehave. If this was your PC at home, you’d go sit down at the keyboard and monitor to troubleshoot it, and maybe reinstall the OS from USB, but on a server we want to do this remotely.
That’s where the BMC comes in. One of its key functions is to make the “physical” keyboard, monitor, and power button, available remotely over a web interface. Often, you can attach a local ISO as a virtual USB disk, and the remote system thinks it is a real USB disk. Remote serial ports and many other features are possible too.
All of this works if the OS’s networking is broken, or even if the entire OS is unbootable. The BMC may even be able to flash the system BIOS, allowing recovery from a failed flash or broken firmware. You may have done this before for virtual machines – the BMC brings remote management to physical systems.
The BMC is a second, smaller computer hanging off of the main computer. Much like the embedded controller in a laptop, it is in charge of powering on or off the main system. The BMC is always on when the server is plugged in, like the EC. It is a complete computer, commonly containing an ARM CPU, DRAM, and its own firmware.
To provide all these features, the BMC connects to many buses from the main system. The BMC firmware fully controls some interfaces, while hardware functionality controls others.
The main system is unlikely to consider any of these buses to be security boundaries. The BMC has great power to lie about what is on the display, hide it from a physical monitor, or act as a malicious USB device.
Purism disables BMC functionality on Librem Servers where possible. PureBoot, when combined with a Librem Key, authenticate the system firmware to you, which complicates any tampering attack.
Model | Status | Lead Time | ||
---|---|---|---|---|
Librem Key (Made in USA) | In Stock ($59+) | 10 business days | ||
Librem 5 | In Stock ($699+) 3GB/32GB | 10 business days | ||
Librem 5 COMSEC Bundle | In Stock ($1299+) Qty 2; 3GB/32GB | 10 business days | ||
Liberty Phone (Made in USA Electronics) | Backorder ($1,999+) 4GB/128GB | Estimated fulfillment early November | ||
Librem 5 + SIMple (3 GB Data) | In Stock ($99/mo) | 10 business days | ||
Librem 5 + SIMple Plus (5 GB Data) | In Stock ($129/mo) | 10 business days | ||
Librem 5 + AweSIM (Unlimited Data) | In Stock ($169/mo) | 10 business days | ||
Librem 11 | In Stock ($999+) 8GB/1TB | 10 business days | ||
Librem 14 | Backorder ($1,370+) | Estimated fulfillment date pending | ||
Librem Mini | Backorder ($799+) | Estimated fulfillment November | ||
Librem Server | In Stock ($2,999+) | 45 business days |