ibm-acf

Access Control File functions

This repository depends on the following libraries and should be installed on build machine:

libpam, libssl, libsdplus

To build the ibm-acf pam module run these commands:

meson setup build
ninja -C build

To run ibm-acf pam module unit tests, enable the tests option

Note: tests=enabled disables creating the unmodified pam_ibmacf module

meson setup -Dtests=enabled build
or
meson configure -Dtests=enabled build

cd build
meson test

Test status should display location of log file to view in depth logs of test

How to setup this feature

Overview

• To test this feature from scratch a private key, public key and ACF are required
• The private key is needed to generate the ACF
• Both the public key and ACF need to be uploaded onto the bmc if not already present
• To generate the ACF the ce_login utility must be built
• Once the corresponding public key and ACF files are uploaded then login can be performed with the service user and the password used during generation of the ACF

Step 1. Generate public and private keys

• Create the RSA keypair

openssl genrsa -out rsakeys.pem 2048

• Get public key

openssl rsa -in rsakeys.pem -pubout -outform DER -out rsapubkey.der

• Get private key

openssl rsa -in rsakeys.pem -outform DER -out rsaprivkey.der

Step 2. Build the celogin_cli utility

cd subprojects/ce-login
meson setup -Dlib=false -Dbin=true build
ninja -C build

Step 3. Generate the ACF

First get the serial number of the machine you would like to generate the ACF for.

The value can be retrieved from BMC's web interface as such:
Overview page > Server information > Serial number
The value can also be retrieved from the BMC shell with the following command:

busctl get-property xyz.openbmc_project.Inventory.Manager /xyz/openbmc_project/inventory/system xyz.openbmc_project.Inventory.Decorator.Asset SerialNumber

The --machine argument can either be "x,x,UNSET" or the serial number fetched from the BMC "x,x,123454321"

./celogin_cli create \
                --machine 'P10,dev,12345' \
                --sourceFileName "none" \
                --password "0penBmc" \
                --expirationDate "2025-12-25" \
                --requestId "1234" \
                --pkey ../p10-celogin-lab-pkey.der \
                --output ./service.acf

Step 4. Upload ACF and Pubkey to BMC

scp ./ACFFile.bin root@BMCIP:/etc/acf/service.acf
scp ./rsapubkey.der root@BMCIP:/etc/acf/ibmacf-dev.key

Step 5. Login with service user

ssh service@BMCIP

password:0penBmc

This should be successful.

Additional details on generating the ACF are contained in the ce-login subproject README.

Positive test case:

• Generate a DER encoded keypair
• Generate the ACF file (noting the password used)
• Upload the public key and acf file to the bmc as /etc/acf/ibmacf-dev.key and /etc/acf/service.acf respectively
• Login with one of supported interfaces as the service user
• Enter the password used in the creation of the ACF file

Negative test cases:

• ACF login inaccessable with non service user
• Login with invalid password
• If only using dev key, set field mode to enabled (busctl set-property xyz.openbmc_project.Software.BMC.Updater /xyz/openbmc_project/software xyz.openbmc_project.Control.FieldMode FieldModeEnabled b 1)
• Upload a mismatched ACF file/public key
• Set a serial number that doesn't match the machines serial number
• Set processing type to invalid value in ACF file
• Set date prior to date on BMC in ACF file
• Set FrameworkEc to invalid value in ACF file