Access Control File functions

libpam, libssl, libsdplus

meson setup build
ninja -C build

Note: tests=enabled disables creating the unmodified pam_ibmacf module

meson setup -Dtests=enabled build
or
meson configure -Dtests=enabled build

cd build
meson test

Test status should display location of log file to view in depth logs of test

• To test this feature from scratch a private key, public key and ACF are required
• The private key is needed to generate the ACF
• Both the public key and ACF need to be uploaded onto the bmc if not already present
• To generate the ACF the ce_login utility must be built
• Once the corresponding public key and ACF files are uploaded then login can be performed with the service user and the password used during generation of the ACF

• Create the RSA keypair

openssl genrsa -out rsakeys.pem 2048

• Get public key

openssl rsa -in rsakeys.pem -pubout -outform DER -out rsapubkey.der

• Get private key

openssl rsa -in rsakeys.pem -outform DER -out rsaprivkey.der

cd subprojects/ce-login
meson setup -Dlib=false -Dbin=true build
ninja -C build

First get the serial number of the machine you would like to generate the ACF for.

The value can be retrieved from BMC's web interface as such:
Overview page > Server information > Serial number
The value can also be retrieved from the BMC shell with the following command:

busctl get-property xyz.openbmc_project.Inventory.Manager /xyz/openbmc_project/inventory/system xyz.openbmc_project.Inventory.Decorator.Asset SerialNumber

The --machine argument can either be "x,x,UNSET" or the serial number fetched from the BMC "x,x,123454321"

./celogin_cli create \
                --machine 'P10,dev,12345' \
                --sourceFileName "none" \
                --password "0penBmc" \
                --expirationDate "2025-12-25" \
                --requestId "1234" \
                --pkey ../p10-celogin-lab-pkey.der \
                --output ./service.acf

scp ./ACFFile.bin root@BMCIP:/etc/acf/service.acf
scp ./rsapubkey.der root@BMCIP:/etc/acf/ibmacf-dev.key

ssh service@BMCIP

password:0penBmc

This should be successful.

• Generate a DER encoded keypair
• Generate the ACF file (noting the password used)
• Upload the public key and acf file to the bmc as /etc/acf/ibmacf-dev.key and /etc/acf/service.acf respectively
• Login with one of supported interfaces as the service user
• Enter the password used in the creation of the ACF file

• ACF login inaccessable with non service user
• Login with invalid password
• If only using dev key, set field mode to enabled (busctl set-property xyz.openbmc_project.Software.BMC.Updater /xyz/openbmc_project/software xyz.openbmc_project.Control.FieldMode FieldModeEnabled b 1)
• Upload a mismatched ACF file/public key
• Set a serial number that doesn't match the machines serial number
• Set processing type to invalid value in ACF file
• Set date prior to date on BMC in ACF file
• Set FrameworkEc to invalid value in ACF file