1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
|
option(
'yocto-deps',
type: 'feature',
value: 'disabled',
description: 'Use YOCTO dependencies system'
)
option(
'kvm',
type: 'feature',
value: 'enabled',
description: '''Enable the KVM host video WebSocket. Path is /kvm/0.
Video is from the BMCs /dev/videodevice.'''
)
option(
'tests',
type: 'feature',
value: 'enabled',
description: 'Enable Unit tests for bmcweb'
)
option(
'vm-websocket',
type: 'feature',
value: 'enabled',
description: '''Enable the Virtual Media WebSocket. Path is /vm/0/0 to
open the websocket. See
https://github.com/openbmc/jsnbd/blob/master/README.'''
)
# if you use this option and are seeing this comment, please comment here:
# https://github.com/openbmc/bmcweb/issues/188 and put forward your intentions
# for this code. At this point, no daemon has been upstreamed that implements
# this interface, so for the moment this appears to be dead code; In leiu of
# removing it, it has been disabled to try to give those that use it the
# opportunity to upstream their backend implementation
#option(
# 'vm-nbdproxy',
# type: 'feature', value: 'disabled',
# description: 'Enable the Virtual Media WebSocket.'
#)
option(
'rest',
type: 'feature',
value: 'disabled',
description: '''Enable Phosphor REST (D-Bus) APIs. Paths directly map
Phosphor D-Bus object paths, for example,
/xyz/openbmc_project/logging/entry/enumerate. See
https://github.com/openbmc/docs/blob/master/rest-api.md.'''
)
option(
'redfish',
type: 'feature',
value: 'enabled',
description: '''Enable Redfish APIs. Paths are under /redfish/v1/. See
https://github.com/openbmc/bmcweb/blob/master/DEVELOPING.md#redfish.'''
)
option(
'host-serial-socket',
type: 'feature',
value: 'enabled',
description: '''Enable host serial console WebSocket. Path is /console0.
See https://github.com/openbmc/docs/blob/master/console.md.'''
)
option(
'static-hosting',
type: 'feature',
value: 'enabled',
description: '''Enable serving files from the /usr/share/www directory
as paths under /.'''
)
option(
'redfish-bmc-journal',
type: 'feature',
value: 'enabled',
description: '''Enable BMC journal access through Redfish. Paths are under
/redfish/v1/Managers/bmc/LogServices/Journal.'''
)
option(
'redfish-cpu-log',
type: 'feature',
value: 'disabled',
description: '''Enable CPU log service transactions through Redfish. Paths
are under /redfish/v1/Systems/system/LogServices/Crashdump'.'''
)
option(
'redfish-dump-log',
type: 'feature',
value: 'disabled',
description: '''Enable Dump log service transactions through Redfish. Paths
are under /redfish/v1/Systems/system/LogServices/Dump
and /redfish/v1/Managers/bmc/LogServices/Dump'''
)
option(
'redfish-dbus-log',
type: 'feature',
value: 'disabled',
description: '''Enable DBUS log service transactions through Redfish. Paths
are under
/redfish/v1/Systems/system/LogServices/EventLog/Entries'''
)
option(
'redfish-host-logger',
type: 'feature',
value: 'enabled',
description: '''Enable host log service transactions based on
phosphor-hostlogger through Redfish. Paths are under
/redfish/v1/Systems/system/LogServices/HostLogger'''
)
option(
'redfish-provisioning-feature',
type: 'feature',
value: 'disabled',
description: '''Enable provisioning feature support in redfish. Paths are
under /redfish/v1/Systems/system/'''
)
option(
'bmcweb-logging',
type: 'feature',
value: 'disabled',
description: 'Enable output the extended debug logs'
)
option(
'basic-auth',
type: 'feature',
value: 'enabled',
description: 'Enable basic authentication'
)
option(
'session-auth',
type: 'feature',
value: 'enabled',
description: 'Enable session authentication'
)
option(
'xtoken-auth',
type: 'feature',
value: 'enabled',
description: 'Enable xtoken authentication'
)
option(
'cookie-auth',
type: 'feature',
value: 'enabled',
description: 'Enable cookie authentication'
)
option(
'mutual-tls-auth',
type: 'feature',
value: 'enabled',
description: '''Enables authenticating users through TLS client
certificates. The insecure-disable-ssl must be disabled for
this option to take effect.'''
)
option(
'ibm-management-console',
type: 'feature',
value: 'disabled',
description: '''Enable the IBM management console specific functionality.
Paths are under /ibm/v1/'''
)
option(
'google-api',
type: 'feature',
value: 'disabled',
description: '''Enable the Google specific functionality. Paths are under
/google/v1/'''
)
option(
'http-body-limit',
type: 'integer',
min: 0,
max: 512,
value: 30,
description: 'Specifies the http request body length limit'
)
option(
'redfish-new-powersubsystem-thermalsubsystem',
type: 'feature',
value: 'disabled',
description: '''Enable/disable the new PowerSubsystem, ThermalSubsystem,
and all children schemas. This includes displaying all
sensors in the SensorCollection. At a later date, this
feature will be defaulted to enabled.'''
)
option(
'redfish-allow-deprecated-power-thermal',
type: 'feature',
value: 'enabled',
description: '''Enable/disable the old Power / Thermal. The default
condition is allowing the old Power / Thermal.'''
)
option(
'redfish-post-to-old-updateservice',
type: 'feature',
value: 'enabled',
description: '''Allows POST to /redfish/v1/UpdateService, counter to
the redfish specification. Option provided to allow
potential users to move away from using this endpoint.
Option will be removed Q4 2022.'''
)
option(
'https_port',
type: 'integer',
min: 1,
max: 65535,
value: 443,
description: 'HTTPS Port number.'
)
option(
'redfish-aggregation',
type: 'feature',
value: 'disabled',
description: 'Allows this BMC to aggregate resources from satellite BMCs'
)
# Insecure options. Every option that starts with a `insecure` flag should
# not be enabled by default for any platform, unless the author fully comprehends
# the implications of doing so.In general, enabling these options will cause security
# problems of varying degrees
option(
'insecure-disable-csrf',
type: 'feature',
value: 'disabled',
description: '''Disable CSRF prevention checks.Should be set to false for
production systems.'''
)
option(
'insecure-disable-ssl',
type: 'feature',
value: 'disabled',
description: '''Disable SSL ports. Should be set to false for production
systems.'''
)
option(
'insecure-disable-auth',
type: 'feature',
value: 'disabled',
description: '''Disable authentication and authoriztion on all ports.
Should be set to false for production systems.'''
)
option(
'insecure-disable-xss',
type: 'feature',
value: 'disabled',
description: 'Disable XSS preventions'
)
option(
'insecure-tftp-update',
type: 'feature',
value: 'disabled',
description: '''Enable TFTP based firmware update transactions through
Redfish UpdateService. SimpleUpdate.'''
)
option(
'insecure-push-style-notification',
type: 'feature',
value: 'disabled',
description: 'Enable HTTP push style eventing feature'
)
option(
'insecure-enable-redfish-query',
type: 'feature',
value: 'disabled',
description: '''Enables Redfish expand query parameter. This feature is
experimental, and has not been tested against the full
limits of user-facing behavior. It is not recommended to
enable on production systems at this time. Other query
parameters such as only are not controlled by this option.'''
)
|
