IPMI - because ACPI and UEFI weren't terrifying enough

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hello my name is Matthew Gareth I work as a security developer at nebula one of the things we focus on in our products is trying to ensure that every component of the systems that we put together is secure and that means analyzing various components that for the most part people ignore when it comes to making decisions about their security policies figuring out things they need to worry about when it comes to updates and the like IPMI is one of these things I've been playing with it for the past year and a half or so and some of this follows on from work that was performed by a guy called dan farmer you should certainly if you find this interesting breeze up on his work and I'll mention us again towards the end the presentation now some backgrounds are I've spoken at LCA several times in the past I have perhaps at times has none somewhat unfortunate reputation for the use of colorful metaphors and it has in the past apparently been a explicit possibility policy to ensure that I'm reminded that I'm not supposed to swear during my presentations so I'm going to start with some four-letter words and the first of them is a CPI something's generally left out of polite conversation a CPI was actually the topic of the first presentation I gave that LCA back in 2006 in lovely sunny Dunedin a TPI the advanced configuration and power management is faced which is a firmware specification that allows the platform vendor to provide additional code to price additional data to your operating system so if your operating system is able to better understand the hardware available to it and capabilities that hardware and also as a mechanism for allowing our retrieve and provided code to run in the context of your kernel this is obviously not the only four-letter words I have we also have UEFI which I spoke about in lovely sunny Ballarat in 2011 and have mentioned a few times since then UEFI the universal extensible firmware interface which is a specification for providing firmware services that make it more consistent for the booting and management of systems and provides another mechanism for allowing vendor provided code to run the context your kernel but those are the old and busted things obviously today I'm here to tell you about ipmi which is a glorious through modern specification having initially been released in I think possibly just after EFI had first been forced off so it's roughly contemporaneous my PMI is not quite a mechanism for running our retrieve vendor providing codes in your kernel but there are some qualities there that we'll get to later unlike IBM I unlike a CGI UEFI IPMI is not generally intended to be used in the context of the running system ipmi is something for you to use to communicate with the running system from somewhere else what was the reason for doing that how many of you have been Simmons in datacenters lots of you wow that's amazing I'm so sorry these centers are awful there's noise there's lots of noise there's nowhere to sit you're stuck standing in front of a server for an extended period of time waiting for it to get through its firmware initialization and it's noisy while this is happening and it's either far too warm or it's absolutely freezing depending on whether you're standing underneath an air-conditioning duct or not and it's really noisy oh and the phone receptions typically really bad because there are faithfully Faraday cages you don't want to be in a data center as much as possible any technology that allows system is to spend less time in a data center is almost certainly a goose technology now that seems like a straightforward assumption I'm now going to spend the rest of my presentation attempting to disabuse you of this notion but in addition to data centers being awful places that we would like to transfer voice it's not merely that the data center is uncomfortable and unpleasant and not a place you want to be it's also a place you have to walk down to and then you have to walk back up from it or it may be it's not even in the same building and that's miserable so as well as avoiding just the day sense being awful if you could avoid ever going to the data center at all or even better if you could expose an interface that's allows you to script many of the things that you would otherwise have to do from the data center then that seems like an amazing thing a life in which system means can spend more time sitting at their desks pretending to do work and Phil being as effective its glorious future so ipmi the intelligent platform management interface almost everybody who uses ipmi uses it for one thing which is that you can turn computers off and then you can turn them on again and since that solves 95% of all IT problems this is pretty much everything you need but the occasion does have some other useful things one of them is the ability to monitor sensors and you can call out the systems and you can make sure that they're running within their normal temperature ranges you can make sure the fans are running you can make sure that the power supplies haven't failed and you can do all of this without any operating system involvement because you're actually talking to a small device that's on a completely different network link and so you call that switch and it tells you how the computers doing so either the operating system has fallen over even if it's sitting as a boot prompt you can still make sure that the hardware is ok and there's also this lovely serial Overland functionality which allows you to export the serial console over the network link which means that you can avoid the situation in which you buy a new server and then you find that your expensive serial multiplexer doesn't have any ports left in it do it's over ipmi instead and just works except when it doesn't but nevermind this and this is firmware so take everything I'm saying with a large grain of salt this is roughly what the IP my specification provides you along with the ability to control what the next boot devices you can use IBM Isis hey who's soft Network even if the systems otherwise configured to boot off disk which means that if you want to reinstall the system you can tell it to boot off the network on the next attempt your net boot server will give us an install image and then they're still default booting off disk after that but that's pretty much as far as the spec gets you the spec defines these things and it's for a firmware it's thick it's very reasonable it's only about 4,000 pages long loss of which turns out to be States diagrams but really but this is while useful while this solves many of the problems that this administration trying to figure out how they can avoid having to leave their desk it's not really enough there are additional things and this is where things start getting interesting because well I said my presentation was mostly about sign PMI I'm not really going to be talking about IPMI that much I'm primarily going to be talking about implementations of IPMI and in most cases the vendor has decided to add a significant quantity of additional code additional features because that's what vendors do if you only sell what the specification defines then there's no reason for someone to choose you over someone who's slightly cheaper so vendors get really excited by this it's the IPMI interface the IPMI controller on the system is one of the few places where you get to brand stuff as much as you want and the mess of what operating system the customer installs your branding will still be there there's no risk that someone can forget that they're using an HP when every time they log into the management interface there's a large HP logo some sensors have added all kinds of additional functionality and let's includes the ability to manage system firmware updates without having to run applications on the system you can log into the web UI that's presented and you can upload a new firmware image and then it'll reboot the system apply that and everything just magically work rather than serial over LAN which is not really such a great way to manage Windows servers you have a virtual keyboard monitor so you click a button and then a Java applet pops out and connects over something that is often I can't believe it's not VNC connect to a service that's running on this IP my controller that is hooked into the GPU on the device and then scrapes the contents of video memory out of that displays them to you and then fix up a USB keyboard and mouse so you can sit there and through the Java applets you can control your system so you can manage a pointee cliquey installer and system is love bass as well and have a fixed CD drive so if you want to install something but you've neglected to actually set up any kind of netboot infrastructure because you're a lazy system in just quick question a system instance is as a protected class I'm not violating the code of conducts here am i right laziness is a virtue I'm told so I'll go with that so you can upload an ISO to the controller and it will then make it appear as a fake CD drive there's magic discoverability features so you can plug in the BMC and then it might actually be running a UPnP service so your systems running UPnP listeners can then say oh this the empathy just appeared click here to manage your enterprise server and none of this is in the IP my specification as almost all the fun stuff is completely unspecified and vendors implements a lot of it themselves and so it's all slightly different and gratuitously incompatible and really really fun there's a lot of additional complexity here if you look at the inner workings of one these devices you'll typically find that there's a large piece of user space codes that's managing the IP my pros call step it's sitting there bound to the network ports but it's also listening to a link between the server and the I in my controller the BMC your baseboard management controller which is this device that's didn't hit providing all the IP my functionality I think that listen to that and then you've got some source of brilliant user space IP see that sometimes over sockets and sometimes over things that are worse than sockets and they're talking to each other and then sometimes they've actually moved ARP handling out of the kernel and put it in user space as well I've figured this one out after TCP dumping an IBM BMC and wondering why the trailing end of art who has packets tended to contain code thankfully not kernel code but it was leaking chunks of the IPMI management daemon over the network every time it sends an ARP request that's just going to give you a flavor for the rest of this presentation the magic GPUs are amazing most of them look like matrix due to hundreds except with different PLL setup because everybody loves PLL's these are things worthy from the operating system side they look like a PCI device that is a roughly matrix compatible chip from the BMC sides there this strange window where you read some registers and it tells you what resolution the operating system has says you can magically infer it presumably imagine the infers that from program timings and stuff and that you just read these values out and then you know well okay I read this block of memory and that's the screen and then I can just pass this off to my Java applet and there's a magic device note for you to do all of that from it's incredible I love this stuff there are web services which are not necessarily limited to just the web UI although obviously that the web UI but there are often management interfaces scriptable things devices end points where you can throw XML or JSON or XML in JSON or JSON in XML in JSON and then things happen and what those things are is sometimes documented and sometimes not and there's often a lot of things that you can do through the pointy clicking interface there's also a scriptable interface over the web management interface and everybody does that differently and there's a lot more and I'm not going to go into it because I will run out of time I will actually start swearing and I do not have anything to drink here so what's a PMC a PMC is this as I says the Baseball's management controller it sits on it used to germany be a plug-in cars these days in order to save money is normally integrated directly onto the server motherboards it's a complete small embedded computer immensely small these days they're on the order of you know six to eight hundred megahertz CPU 256 megabytes of RAM often a significant quantity of flash because they need to be able to store this ISO image that you just saw closes so usually at least a DVDs worth of Flash so that you can upload an entire windows installed DVD in almost all cases they're running Linux the CPU varies I've seen Rene sus SH family I've seen myths I've seen PowerPC I seen arm sometimes vendors will running the same software stack go from arm to a different will go between different CPU architectures in product cycles so bells I'd wreck this is arm-based idrac 7 is super H based obviously running pretty much the same code just rebuilt the only exception in the wider world that's not running so I say almost always running this I just realized I didn't actually check whether the Oracle ones are running Linux but it wouldn't surprise me HP run something called I think Green Hills which is an embedded operating system everybody else is running limits of various vintages various degrees of quality various degrees of competence these devices are there on your motherboard and I just want to mention the on your motherboard thing a little more forcefully these devices are built into your system and if something really bad happens you can't remove them and replace them that's your entire motherboard has to be replaced if someone is able to do something particularly on appealing to your BNC it's not going back from this kind of contextual stuff I'm now going to start talking about ipmi as a spec again a little IP I have gone through a few spec revisions 2.0 was released in 2004 2.0 over a third one was released in 2014 which is I think one of the longer periods I've seen between the spec in his first arouser release but there were previous versions of IPMI and older versions were basically you Center passwords over the wire and logged-in they decide that that wasn't really acceptable these days we should encrypt everything and everybody knows that cryptography solves all problems so there are various parts of this that are handles in interesting ways the spec actually has a the wildering array of different encryption protocols different integrity protocols different authentication protocols but one of the amazing things is that as part of the authentication process the BMC hands you the hash of your password I'm just going to leave that here because I hate you all that's not in the slice is true I'm not doing it because the next slides got spoilers anyway this means that without authenticating as long as you know a valid user name for an IP mi device you can connect pretend to start an authentication session and it will give you a password hash that's not very good that you can then feed it is at least voltage so and then you can feed that into a password cracker and you can wait a while and you can discover that the admin password is hunter too but it turns out that that doesn't matter because when I mentioned there's this the wildering array of combinations of encryption and authentication and in integrity management one of those combinations which is called ciphers zero and this was explicitly destroyed in the spec and was noticed by dan farmer in this article that he wrote on how IBM I was one of the worst things vs. happens in human civilization one of these combinations contains no encryption no integrity protection and no authentication as in if you connect you do not have to set up an encrypted session you do not have to do anything to verify that the session has not been man-in-the-middle and you do not have to provide a password when this was noticed this is a little bit upsetting especially because a lot of the MCS don't let you change the user names and the user name was then the only secret you had most fenders have arises updates that fix this you should really make sure if you manage any servers that your BMC's are running up to date software and you should then use IBM I tool to query them to dump the currently enabled cipher algorithms and make sure that ciphers 0 is very very disabled it's marvellous isn't technology breeze aren't we as a profession on top of things so beyond the specification again how do what I'm sorry I've got am I on slide and that's fine there are two main vendors of this hardware these vendors build on top of a variety of SOC s a mines I haven't produced them other student vendors Everson's are also known for producing kvms this is kind of how they call since that industry Mir a firmware company the absent ones are used by Dell IBM and Cisco mi tends to be used by pretty much everybody else again with the affection of HP who have their own software stack and use absent okay there's a lot of commonality if you pull apart the firmware images from say and if the absent vendors you'll find that a lot of the code is clearly derived from the same base there's an embedded web server called app web it has various modules that closes into it that manage various endpoints so if you go to slash data it gets handed off to lib data handler da so and then there's something in there that parses that request vendors can then add additional plugins into that and have their own endpoint management and this is fairly consistent bugs that I found in one vendor in this code tend to be present in other vendors as well but to Alison's credit I've not found anything particularly egregious ly bad in any of the common code that they've shipped now I'm not saying this it's beautiful amazing aspiring code it's written by a firm where a vendor for enterprise customers but it's fine it's entirely fit for purpose then there's a lots of vendor specific code on top so on this you tend to get some web UI and people vary in what they use to implement web UI some vendors do everything with CGI callbacks some vendors just have thin wrappers the call into the for instance eversince provided functionality that does all the authentication some vendors use PHP some vendors use an extension of PHP that is incorporated into App web that allows you to not merely embed PHP but to embed C in your PHP what could possibly go wrong writing the stuff that takes untrusted input over the web in C that sounds like a great plan that does not sound like a great plan you can usually SSH in and then you'll get some sort of command line as well as SSH there's normally telnet these fun features you typically turn them on and off there'll be non UI web services like ones I mentioned before so anyone heard of WS man I really envy your lives I wish I hadn't WS man is a specification that allows you to use web calls in order to get information about system state about so you can for instance call out and query whether your BMC has appropriate licensing you can pull down the system firmware configuration you can push new firmware configuration into the system you can upload new license you can get all kinds of great data out of it some vendors don't use this kind of thing and instead extend the ipmi protocol I'm PMI has a couple of command bytes which are then for vendor specific commands and then after that you embed a code represents your company and so there's name spacing of it IBM for instance implement firmware configuration support by implementing something that's quite like a file system over IP MI you send a open command with a path and then you get back a handle and then you can seek in that and you can read it and you can write with and you can close it it's really like a file system it's pretty awesome and it took me three days staring at TCP dump until I realized that oh the stream of characters that I haven't worked out yeah that's ASCII it's not enough gin in the world that's the quick plug for another project I've worked on server configuration there's this URL here if you go there you can download a Python module that allows you to write Python scripts that allow you to connect to the bmc's on Dells and Cisco's pull down the firmware configuration modify the firmware configuration and then push it back out again so you can completely configure it the firmware on systems remotely and this allows you to do automates deployment of systems rather than having to log into each one individually and change the firmware settings I'll be adding supports the latest generation HP stuff in the near future but that's not why you're here really is it really you're here because you want to hear me get really really angry and upset and just leave significant silences it's the first thing first if the code you're writing links against glib see it's software okay that seems pretty obvious right you do not get to get out of this by saying oh but I write firmware not software it links against validity its software software is miserable software it's really bad and firmware it tends to be worse than software because most people spend less time playing with it there's much less external QA or bug reporting anything like that and honestly if it works well enough who cares it's not like there's anything security sensitive here is there so you end up with situations like this which is a pseudo code please ignore the fact that I'm not bothering to do any memory management here because that would just be an effort the original code did do memory management as opposed to just scribbling over random pointers it probably also didn't just call guess s but you know for the sake of argument it probably links gets read liners tears probably a GPL violation anyway can anybody see an obvious problem here that isn't a buffer overflow oh yeah yeah I am in fact missing the semicolon on the last line and as a result that's the only reason why this code would not compile and run that is a completely accessible objection as that you raised your hand sorry system called with random arguments right apparently I should have a semicolon in the Artemus ring well anyway this is what happens if you've logged into a dell idrac 7 or I think this is an IDE rx-7 specific bug you log in you switch to this RAC ADM thing and then whenever you type a command it handles that commands by re-executing itself with whatever you typed attached to the end of the binary name so if you for instance type this this happens and now you have a root shell on the BMC this is the BMC that as I mentioned previously is embedded into the motherboards and can't be replaced this does require that someone that have valid credentials for your system in advance merely being able to reach as over the Internet's not sufficient for this and so you can say well they've already got admin credentials for the BMC they can already do bad things being able to get a shell means that they can become persistent even if you then notice this has happened and changed the credentials they can log back in and change them back because they probably back doored stuff if you attempt to do an install by uploading and ISO to the device then Baker's have some codes that modifies the ISO before it's hands it off to the operating system that you can block any firmware updates you attempt to apply so it looks like you updated the system in order to close the back door that you actually didn't that's an unfortunate situation it's kind of bad you should avoid being in that situation and you should update the firmware on your BMC's this is fixed this was reported over 18 months ago they released a fix over a year ago hmmm how do I know I report it I'll ask the fix you can attempt a cessation do this and see whether it gives you a root front or not yeah yeah okay it's difficult to prove that your PMC is trustworthy so no the TCG specification for measured boot explicitly says that the security of the MCS is outside the scope of this document and they are merely assumes to be secure someone decided to do their own XML parsing and this is wonderfully for a login and this means that at this point you haven't actually authentic aces this is your attempting to authenticate and if you say dude this it ends very very very badly now the good news is that I haven't figured out a way to do anything with this that doesn't result in this attempting to mem copy at least two gigabytes of data and since the system only allocated a sixty byte buffer that is going to seg fault so it's probably not exploitable it is sufficient for causing the BMC to fall over for a while because it call dumps and then it thinks oh I should gzip this core dump and store it somewhere and these aren't very fast so when it's gzipping a large core dump it doesn't do much else while that's going on other things you'll find are in some cases implementations that are shall we say not written defensively if you take one vendor code and do this I can't see any way that this could end badly again to actually guess at this you need the authentication probably still playing with a couple of bits there I'm not actually going to drop in the O'Day here sorry I practiced responsible disclosure and less like in a bar you know anything goes and then there are some things that just make no sense whatsoever I mean it's a good thing you never want to pass more than six arguments savings so you might be thinking here the obvious thing to do is actually deal with the fact that you're going to have to leave your desk go down to the data center and terms and users often on yourself because these are not worth the hassle of potentially having to throw away every single server you own because they've all been compromised and are being used to mind whichever all coins in fashion this week so fine just don't plug them in that seems like it makes a great deal of sense and then you discover that if you do that they've realized oh I'm not plugged in I better bring up ipmi on the main system network force piggybacked on another IP address and just steal those packets which means your BMC is no longer on a separate network it's now on your main network and it DHCP that's fine because nobody will ever find these things and you think okay we block ipmi the protocol at the border so nobody's going to scan and find these IPMI endpoints yeah okay they tend to have predictable C ends in their SSL Certificates because they all generate new SSL certificates on booze except the ones that all use the same SSL certificate every single idrac 7 has the same SSL certificate and the private 1/2 is in the firmware updates you can download from Dell so quick quick quiz here could everybody put their hands up great excellent keep them up for a moment now if you think it would take more than a week to scan the entire Internet and extract every SSL certificate from every system actually a week's ridiculous if you think it would take more than a month can every ipv4 address and pull down the SSL cert put your hand down if you think it would take more than the week put your hand down more than two days more than a day more than 12 hours more than 6 hours more than an hour so there's like 4 yet YouTube don't count because I told you this already and nor do you so it got maybe five or so people that think it takes less than an hour to scan the entire ipv4 address space for SSL Certificates and you know how ridiculous that sounds the office 40 minutes and the wonderful thing is not only do they tend to leak the fact that there a specific EMC for convenience purposes a lot of them embeds this serve a serial number in there as well which means you can scan find all the PMC's that are on the public internet and find the serial numbers for the further they're attached to and you can then go to the manufacturer website plug that into the warranty lock up tool finds the dates that the server was purchased find the exact model it is from who is you probably know who owns this as well at which point you can call the manufacturer and you've probably got enough information to socially engineer them into telling you the default passwords for that system HP's randomly generate the passwords sorry HP's default credentials are an 8 character alphanumeric string rather than something that's consistent it varies between systems and so that's maybe something you could get an HP tech to tell you but it's almost certainly enough to get HP to ship you some new CPUs or some Ram when you say that it's broken and then you obviously run away with the RAM and CPUs I recommend not doing that thankfully the industry has realized that IPMI is not particularly attractive especially because it's a pain to actually interact with so we now have this thing called a redfish specification which is basically ipmi except it's just a restful HTTP thing and now you can turn your servers often turn them on again in like five lines of Python which is this is one of those cases where I'm good to say it's s but over JSON is actually better than X just to close a few morals make sure that the OB mcs are on a completely separate physical network if at all possible and that that physical network is not connected to the outside world in any way shape or form because someone is at some point going to unplug the cable firewall out all incoming IP my anyway make sure they're up to date and make sure that you do have cables plugged into them and that it's not sitting there piggybacking off something and it's actually on the public Internet and with that we've got just over 5 minutes for questions could you reliably turn off the piggybacking in the bmc's firmware can you reliably turn off the piggybacking on the host Network pause its vendor-specific how that's implemented some vendors provides a way to do this some vendors don't wife's awesome next did someone else have a microphone so a lot of these IPMI BMC chips also accessible via like memory bus from the host what type of extra issues is that cause so one thing that is important is that it's assumed that if someone has administrative access to the server then they also are responsible for control of the BMC they you can communicate directly with the BMC over an IP a - face that's implemented in a keyboard controller style manner so there's an index port in the data port and then you write stuff and then you poll and then nothing happens for a while and then it arms as you just after you've given up because firmware but what's important is that since its assumes that if your route on the system you own the system there's no authentication for that local access you can change the IP my credentials if you have Rouge on the system this is something to bear in mind if you're doing bare metal deployments because if you're not giving the customer access to the BMC the customer can just change all the BMC credentials and then you go to reboot the system is also reprovision this and you'll slice the prices discover that you can't reboot it anymore because the credentials have changed right so you just typically you can't get to the web UI or any of the extended functionality you've only got the item ID protocol stuff IBM decided that's an excellent thing to do with these have a USB Ethernet link between the server and BMC so you can from the server gain access to the web UI so you can log if you get routes on the server you can first of all change the credentials on the BMC then you can probably execute arbitrary code on the BMC by the web UI and that you can hand the machine back and then next time some provisions it you can change what they're running looks awesome yes I got a question how do you sleep at night and what brand of tonic how do I sleep at night actually really well that's good it's it's wonderful knowing that while this is all terrible it's not my fault right the gym the gym helps another question oh yeah if please PMC's mainly running Linux is there anyone who's looking at like pretty a third-party firmware that's actually a really interesting question super mikro got into some trouble a few years ago because they were distributing binaries for the vent for the BMC's without any associated source code and one of the outcomes of the settlement of that lawsuit was that for a while they were shipping basically the entire sdk to build replacement firmware for their bmc's now Bose that was binary only but including the item I stack but nominally it ought to be possible to take that work and build upon it and produce something that is interesting but the BMC's are very tightly integrated with the hardware that they ship with they have to have a lot of knowledge about GPIO GPIO SS up I to CSS up and so on in order to be able to integrate with all the platform management functionality you could start a project but the amount of integration you have to do is probably even more complex than coreboot the first 90% would be easy the other nine hundred percent would be really difficult is HP silo ipmi or is a different thing HP's does use IPM is an offense like EMI but it's not running Linux that is that is there the separate thing the Eylau is there ikmi right controller thing yes the scanning the entire ipv4 address range in 40 minutes is that doing something like pulling up a whole heap of AWS instances and assigning them so paying or just look for masks can and you jars and ISP with a large link and who doesn't ask to me it's a great way of managing this is to find a list of ISPs who are blacklisted by various people for not answering abuse requests and then find one that is running in a country that has strong credit card protection law and so they won't run away with your money and they're probably a great choice if you want to do this kind of thing pretty much time for one or two more questions right now you could potentially just gain higher Assam systems compromised the PMC's and then run mask on off the BMC's although it said elite the mcs only have a 100 megabit length so as to take you a bit longer this why ipv6 have been delayed is this one ipv6 is being delayed that's actually an interesting kind of conspiracy security people enjoy ipv4 being scannable too much and therefore have restricted the adoption of ipv6 I don't think I'm past for shady conspiracy well I am just not that one presumably you or someone near you has run that scan just out of curiosity how many the did you find percentage-wise BMC that was vulnerable okay so I'm not going to stand in front of an audience a live stream and a record the presentation and incriminate myself but were you to ask me to guess in an informed manner or perhaps to speculate I might say that there's on the order well okay when supermicro had well has revealed that supermicro were running a UPnP server that was five years out-of-date and vulnerable to at least three arbitrary code execution attacks people doing some analysis then found at least 35,000 of these on the public Internet so thinking all the other vendors into accounts I'd say there's probably at least you're looking at a ballpark some arounds at least a hundred thousands PMC's on the public Internet I think we ran out of time there is there one more just okay sure okay how would you compare ipmi to Intel vPro how would I compare ipmi to Intel vPro better worse or the same ipmi provides a greater amount of functionality than vPro but vPro does actually have a lot of functional overlap vPro in this case I think we're specifically talking about AMT the advanced management technologies that run on the management engine that's incorporated into many Intel Enterprise chipsets now this means that rather than having an external VM see there's a small microcontroller actually in your motherboard chipset and it's listening for packets on the network port and if it's enabled it will steal those packets before the operating system sees them it doesn't speak iBM is only speaks in fact WS man you have this web thing that you can contact and you can make various API calls you can power stuff on you can power I'm going to say that based on quality of implementations AMT is not the worst thing that's probably about as enthusiastic as you're ever going to hear me be about AMT but yeah I'm not aware of this if I'm not aware of significant code issues in the AMT stack it's it seems to basically work it needs to be basically secure IP my implementations on the other hand seems to be pretty uniformly bad anyway I think knows this so thank you everybody I hope that that was

Info

Channel: Linux.conf.au 2015 -- Auckland, New Zealand

Views: 33,112

Rating: 4.8440113 out of 5

Keywords: lca, lca_2015, MatthewGarrett

Id: GZeUntdObCA

Channel Id: undefined

Length: 47min 36sec (2856 seconds)

Published: Fri Jan 16 2015