On 1/22/2016 2:24 PM, Gordon Messmer wrote:
> On 01/22/2016 01:56 PM, John R Pierce wrote:
>> Sure, if someone has penetrated my IPMI and/or virtualization
>> management, I'm already in a world of hurt
>
> Exactly. IPMI should be on a dedicated VLAN with a bastion host. No
> other systems should have access to it at all. The servers,
> especially, should not have access to their own IPMI network.
> Otherwise, you risk creating exactly that kind of hole, where tasks
> that are supposed to require console access don't.
>
> Having said that, I have no idea whether or not the virtual console is
> locked during the secure boot path. Anybody who uses IPMI and secure
> boot?

For that matter, what about a VM running on a service like Amazon AWS (or pick your virtual server environment)? AWS provides a remote console, doesn't it?

--
john r pierce, recycling bits in santa cruz