The Intelligent Platform Management Interface (IPMI) is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system's CPU, firmware (BIOS or UEFI) and operating system. IPMI defines a set of interfaces used by system administrators for out-of-band management of computer systems and monitoring of their operation. For example, IPMI provides a way to manage a computer that may be powered off or otherwise unresponsive by using a network connection to the hardware rather than to an operating system or login shell. Another use case may be installing a custom operating system remotely. Without IPMI, installing a custom operating system may require an administrator to be physically present at the computer, insert a DVD or a USB flash drive containing the OS installer, and complete the installation process using a monitor and a keyboard. Using IPMI, an administrator can mount an ISO image, simulate an installer DVD, and perform the installation remotely.
The specification is led by Intel and was first published on September 16, 1998. It is supported by more than 200 computer system vendors, such as Cisco, Dell, Hewlett Packard Enterprise, and Intel. The successor to the IPMI is Redfish.
Functionality
Using a standardized interface and protocol allows systems-management software based on IPMI to manage multiple, disparate servers. As a message-based, hardware-level interface specification, IPMI operates independently of the operating system (OS) to allow administrators to manage a system remotely in the absence of an operating system or of the system management software. Thus, IPMI functions can work in any of three scenarios:
* before an OS has booted (allowing, for example, the remote monitoring or changing of BIOS settings)
* when the system is powered down
* after OS or system failure
The key characteristic of IPMI compared with in-band system management is that it enables remote login to the operating system using SSH.
System administrators can use IPMI messaging to monitor platform status (such as system temperatures, voltages, fans, power supplies and chassis intrusion); to query inventory information; to review hardware logs of out-of-range conditions; or to perform recovery procedures such as issuing requests from a remote console through the same connections, e.g. system power-down and rebooting, or configuring watchdog timers. The standard also defines an alerting mechanism for the system to send a Simple Network Management Protocol (SNMP) platform event trap (PET).
The monitored system may be powered off, but must be connected to a power source and to the monitoring medium, typically a local area network (LAN) connection. IPMI can also function after the operating system has started, and exposes management data and structures to the system management software. IPMI prescribes only the structure and format of the interfaces as a standard, while detailed implementations may vary. An implementation of IPMI version 1.5 can communicate via a direct out-of-band LAN or serial connection, or via a side-band LAN connection to a remote client. The side-band LAN connection utilizes the board's network interface controller (NIC). This solution is less expensive than a dedicated LAN connection but also has limited bandwidth and security issues.
Systems compliant with IPMI version 2.0 can also communicate via serial over LAN (SOL), whereby serial console output can be remotely viewed over the LAN. Systems implementing IPMI 2.0 typically also include KVM over IP, remote virtual media and out-of-band embedded web-server interface functionality, although strictly speaking, these lie outside of the scope of the IPMI interface standard.
DCMI (Data Center Manageability Interface) is a similar standard based on IPMI but designed to be more suitable for data center management: it uses the interfaces defined in IPMI, but minimizes the number of optional interfaces and includes power capping control, among other differences.
IPMI components
An IPMI sub-system consists of a main controller, called the baseboard management controller (BMC), and other management controllers distributed among different system modules that are referred to as satellite controllers. The satellite controllers within the same chassis connect to the BMC via the system interface called Intelligent Platform Management Bus/Bridge (IPMB), an enhanced implementation of I²C (Inter-Integrated Circuit). The BMC connects to satellite controllers or another BMC in another chassis via the Intelligent Platform Management Controller (IPMC) bus or bridge. It may be managed with the ''Remote Management Control Protocol'' (RMCP), a specialized wire protocol defined by this specification. RMCP+ (a UDP-based protocol with stronger authentication than RMCP) is used for IPMI over LAN.
Several vendors develop and market BMC chips. A BMC utilized for embedded applications may have limited memory and require optimized firmware code for implementation of the full IPMI functionality. Highly integrated BMCs can provide complex instructions and provide the complete out-of-band functionality of a service processor. The firmware implementing the IPMI interfaces is provided by various vendors.
A field replaceable unit (FRU) repository holds the inventory, such as vendor ID and manufacturer, of potentially replaceable devices. A sensor data record (SDR) repository provides the properties of the individual sensors present on the board. For example, the board may contain sensors for temperature, fan speed, and voltage.
Baseboard management controller

The baseboard management controller (BMC) provides the intelligence in the IPMI architecture. It is a specialized microcontroller embedded on the motherboard of a computer, generally a server. The BMC manages the interface between system-management software and platform hardware. The BMC has its own dedicated firmware and RAM.
Different types of sensors built into the computer system report to the BMC on parameters such as temperature, cooling fan speeds, power status, operating system (OS) status, etc.
The BMC monitors the sensors and can send alerts to a system administrator via the network if any of the parameters do not stay within pre-set limits, indicating a potential failure of the system. The administrator can also remotely communicate with the BMC to take some corrective actions, such as resetting or power cycling the system to get a hung OS running again. These abilities reduce the total cost of ownership of a system.
Physical interfaces to the BMC include SMBuses, an RS-232 serial console, address and data lines, and an IPMB that enables the BMC to accept IPMI request messages from other management controllers in the system.
A direct serial connection to the BMC is not encrypted, as the connection itself is secure. Connection to the BMC over LAN may or may not use encryption depending on the security concerns of the user.
There are rising concerns about general security regarding BMCs as a closed infrastructure. OpenBMC is a Linux Foundation collaborative open-source BMC project.
Security
Historical issues
On 2 July 2013, Rapid7 published a guide to security penetration testing of the latest IPMI 2.0 protocol and implementations by various vendors.
Some sources in 2013 were advising against using the older version of IPMI, due to security concerns related to the design and vulnerabilities of Baseboard Management Controllers (BMCs).
However, as for any other management interface, best security practices dictate the placement of the IPMI management port on a dedicated management LAN or VLAN restricted to trusted administrators.
Latest IPMI specification security improvements
The IPMI specification has been updated with RAKP+ and a stronger cipher that is computationally impractical to break. Vendors as a result have provided patches that remediate these vulnerabilities.
The DMTF organization has developed a secure and scalable interface specification called Redfish to work in modern datacenter environments.
Potential solutions
Some potential solutions exist outside of the IPMI standard, depending on proprietary implementations. The use of default short passwords, or "cipher 0" hacks, can be easily overcome with the use of a RADIUS server for Authentication, Authorization, and Accounting (AAA) over SSL, as is typical in a datacenter or any medium to large deployment. The user's RADIUS server can be configured to store AAA data securely in an LDAP database using either FreeRADIUS/OpenLDAP or Microsoft Active Directory and related services.
Role-based access provides a way to respond to current and future security issues by increasing amounts of restriction for higher roles.
Role-based access is supported with three roles available: Administrator, Operator and User.
Overall, the User role has read-only access to the BMC and no remote control ability such as power cycle or the ability to view or log into the main CPU on the motherboard. Therefore, any hacker with the User role has zero access to confidential information, and zero control over the system. The User role is typically used to monitor sensor readings, after an SNMP alert has been received by SNMP network monitoring software.
The Operator role is used in the rare event when a system is hung, to generate an NMI crash/core dump file and reboot or power cycle the system.
In such a case, the Operator will also have access to the system software to collect the crash/core dump file.
The Administrator role is used to configure the BMC on first boot during the commissioning of the system when first installed.
Therefore, the prudent best practice is to disable the use of the Operator and Administrator roles in LDAP/RADIUS, and only enable them when needed by the LDAP/RADIUS administrator. For example, in RADIUS a role can have its setting Auth-Type changed to:
Auth-Type := Reject
Doing so will prevent RAKP hash attacks from succeeding since the username will be rejected by the RADIUS server.
Version history
The IPMI standard specification has evolved through a number of iterations:
* v1.0 was announced on September 16, 1998: base specification
* v1.5, published on February 21, 2001: added features including IPMI over LAN, IPMI over Serial/Modem, and LAN Alerting
* v2.0, published on February 12, 2004: added features including Serial over LAN, Group Managed Systems, Enhanced Authentication, Firmware Firewall, and VLAN Support
* v2.0 revision 1.1, published on October 1, 2013: amended for errata, clarifications, and addenda, plus addition of support for IPv6 Addressing
* v2.0 revision 1.1 Errata 7, published on April 21, 2015: amended for errata, clarifications, addenda
Implementations
* HP Integrated Lights-Out (iLO), HP's implementation of IPMI
* Dell DRAC, Dell's implementation of IPMI
* IBM Remote Supervisor Adapter, IBM's out-of-band management products, including IPMI implementations
* MegaRAC, AMI's out-of-band management product and OEM IPMI firmware
* Avocent MergePoint Embedded Management Software, an OEM IPMI firmware
See also
* Alert Standard Format (ASF), another platform management standard
* Desktop and mobile Architecture for System Hardware (DASH), another platform management standard
* Intel Active Management Technology (AMT), Intel's out-of-band management product, as an alternative to IPMI
* Redfish (specification)
* Management Component Transport Protocol (MCTP), a low-level protocol used for controlling hardware components
* Open Platform Management Architecture (OPMA), AMD's out-of-band management standard
* System Service Processor, on some SPARC machines
* Wired for Management (WfM)
External links
* Intel IPMI Technical Resources Website
* coreIPM Project, open source firmware for IPMI baseboard management
* GNU FreeIPMI
* ipmitool
* ipmiutil
* OpenIPMI
* IPMeye, centralized out-of-band access for enterprises, part of VendorN's OneDDI platform