Hi Bill, I wrote this before I saw all the discussions that went on this morning. I read a few and I am afraid to read any more right now. I hope this is still relevant because I believe that it will help clear up any confusion.
First I want to make it clear that the entity to which you are authenticating is the AMT firmware, not LMS. The AMT firmware is also called the Management Engine and it is like a low-cost, mini service processor that shares the machine's single network interface. The AMT firmware contains all the authentication code and the web server. If you were to breach the AMT firmware's security, you would be gaining access to the AMT firmware, not to Solaris.

The LMS daemon and the HECI driver do no interpretation of the data; they just pass the requests down to the firmware and the responses back up. The purpose of LMS and HECI is to provide a pathway for applications running on the local machine to talk to the AMT firmware. Applications running on other machines on the network can also talk to the AMT firmware, but they do not go through LMS and HECI.

A complete description of the AMT firmware's access control models can be found in the last section of this page: http://softwarecommunity.intel.com/articles/eng/1004.htm

Mark

Bill Sommerfeld wrote:
> On Tue, 2007-10-16 at 16:13 -0700, Mark Logan wrote:
>
>> You are right. LMS requires HTTP digest access authentication.
>>
>
> Mark,
>
> Can we get a high level description of the access control model in its
> entirety? Who are the communicating parties and what do they
> demonstrate to each other to prove their identity, and what do they use
> to decide whether to allow an operation? What access controls are used
> on the host to prevent an unauthorized user from talking to the
> management processor at all?
>
> Getting fragments of the spec, one line per message isn't working.
>
> - Bill
