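Review background:
The next-generation BMC chip must support runtime firmware encryption, which requires importing a symmetric key during the manufacturing provisioning stage. The BMC must provide IPMI interfaces for exporting an asymmetric public key (used to encrypt the symmetric key) and for importing the symmetric key ciphertext.
Decision point 1:
Form of the IPMI interfaces for exporting the asymmetric public key and importing the firmware encryption key ciphertext
Option 1:
Reuse the File Action IPMI interface
IPMI command: netfn: 30h, cmd: 93h
Change type: new parameter value
Use case: called during the manufacturing provisioning stage to export the asymmetric public key and import the firmware encryption key
Operation type: SET
Operation role: Administrator
Operation privilege: ReadOnly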
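Option 2:
- Add a new IPMI command for exporting the asymmetric public key
IPMI command: netfn: 30h, cmd: 93h
Change type: new parameter value
Use case: called during the manufacturing provisioning stage to export the asymmetric public key
Operation type: GET
Operation role: Administrator
Operation privilege: SecurityMgmt
- Add a new IPMI command for importing the firmware encryption key
IPMI command: netfn: 30h, cmd: 94h
Change type: new parameter value
Use case: called during the manufacturing provisioning stage to import the firmware encryption key
Operation type: SET
Operation role: Administrator
Operation privilege: SecurityMgmt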
Decision point 2:
Description of the new error engine interfaces:
Error engine ID | Change type | Error description | Error message | Parameter type | Suggested action | Severity | HTTPCode | IPMICode | SNMPCode |
---|---|---|---|---|---|---|---|---|---|
KeyFormatError | New | Indicates that the operation failed because the key is not in the correct format. | The key operation failed because the key %1 is incorrect. | string | Resubmit the request with a correct key. | Warning | 400 | 0x85 | 5 |
KeyProcessError | New | Indicates that an error occurred during the key processing. | The operation cannot be properly processed due to errors at %1. | string | Resubmit the request. If the problem persists, consider resetting the service. | Warning | 500 | 0x86 | 5 |
KeyAlreadyExists | New | Indicates that the operation failed because the key already exists and cannot overwrite. | The key already exists. | None | Do not repeat the operation as the key already exists. | Warning | 400 | 0x87 | 5 |
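Review conclusion:
Review point 1:
Option 1 is approved:
1. Reuse the file operation IPMI interface; the file operation type gains new parameter values for exporting the asymmetric key and importing the symmetric key
2. New completion codes:
0x85: key format error
0x86: key processing error
0x87: key already exists
Review point 2:
- New error engine description:
KeyProcessError indicates an internal error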
Error engine ID | Change type | Error description | Error message | Parameter type | Suggested action | Severity | HTTPCode | IPMICode | SNMPCode |
---|---|---|---|---|---|---|---|---|---|
KeyFormatError | New | Indicates that the operation failed because the key is not in the correct format. | The key operation failed because the key %1 is incorrect. | string | Resubmit the request with a correct key. | Warning | 400 | 0x85 | 5 |
KeyProcessError | New | Indicates that an error occurred during the key processing. | The operation cannot be properly processed due to errors at %1. | string | Resubmit the request. If the problem persists, consider resetting the service. | Warning | 500 | 0x86 | 5 |
KeyAlreadyExists | New | Indicates that the operation failed because the key already exists and cannot overwrite. | The key already exists. | None | Do not repeat the operation as the key already exists. | Warning | 400 | 0x87 | 5 |