Security – Limiting In-Band OS Access to Supermicro BMC (AST2500)

Tags: bmc, ipmi, security, supermicro

TL;DR: Is there any option to disable OS (in-band) access to Aspeed AST 2500 BMC on a SuperMicro board or at least limit it somehow (e.g. via specific password or via setting the permission level to read-only access)?

Long version:

Last year we bought a few SuperMicro servers containing an Aspeed AST2500 BMC. Up to now we have not been using the BMCs, but we are now in the process of setting them up, reachable via a separate out-of-band management network. While researching options to reset BMC passwords I found multiple posts (e.g. this one) which indicate that as soon as I've got root privileges on the host I can also access the BMC and change the admin password without any additional security measures.

I really don't like the idea of being able to change BMC parameters from within the host OS, especially because BMCs are often badly patched and are a very interesting target for rootkits (by the way, exactly such a rootkit was discovered the other day; at least, as far as I know, it could not get onto the BMC via the in-band interface).

Is there any option to limit host-to-BMC communication?

EDIT: The server board used in our servers is "ASRock ROMED8-2T".

Best Answer

Short answer: I am not aware of a BMC setting telling it "disable all in-band access", but I really doubt that it exists, or that it would be useful at all.

Long answer: While your question is interesting, please note that if someone gained root privileges your server is irrecoverably compromised, so you cannot trust it anymore. After all, root is able not only to reset the BMC password, but also to reflash it, rewrite the mainboard BIOS/UEFI and update the firmware of other add-on cards (i.e. RAID controllers).

All of that can be accomplished by standard low-level interfaces (I2C, DMI, IPMI, etc.) which the Linux kernel natively supports. Removing the corresponding modules/code will not work, as a bad actor having root privileges can install and reboot a patched kernel.
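As an added example (not part of the original answer), the following POSIX shell audit reports how exposed a Linux host's in-band path to the BMC is: whether the kernel IPMI drivers (ipmi_si, ipmi_ssif, ipmi_devintf, ipmi_msghandler) are loaded, whether /dev/ipmi0 exists, and whether modprobe `install <module> /bin/false` rules hard-block them. It assumes a Linux host with lsmod and /etc/modprobe.d, and it only measures the baseline; per the answer above, root can still reload modules or boot another kernel, so the result is a hardening check rather than a security boundary.

```shell
#!/bin/sh
# Added example, not from the original post: classify the host's in-band IPMI exposure.
# assess_inband_ipmi LOADED_MODULES BLACKLIST_TEXT DEVICE_PRESENT
#   LOADED_MODULES : whitespace-separated module names (e.g. from lsmod)
#   BLACKLIST_TEXT : concatenated contents of /etc/modprobe.d/*.conf
#   DEVICE_PRESENT : "yes" if /dev/ipmi0 or /dev/ipmi/0 exists, else "no"
# Prints: exposed | blocked | partial
assess_inband_ipmi() {
    loaded=$1 blacklist=$2 dev=$3
    drivers_loaded=no
    for m in $loaded; do
        case $m in
            ipmi_si|ipmi_ssif|ipmi_devintf|ipmi_msghandler) drivers_loaded=yes ;;
        esac
    done
    # "install <mod> /bin/false" refuses explicit modprobe too; a plain "blacklist"
    # line only stops autoloading, so it is counted as "partial" below.
    hard_block=no
    if printf '%s\n' "$blacklist" | grep -Eq \
        '^[[:space:]]*install[[:space:]]+ipmi_(si|ssif|devintf)[[:space:]]+/bin/(false|true)'; then
        hard_block=yes
    fi
    if [ "$drivers_loaded" = yes ] || [ "$dev" = yes ]; then
        echo exposed
    elif [ "$hard_block" = yes ]; then
        echo blocked
    else
        echo partial
    fi
}

# Collect the three inputs from the running host and assess them.
collect_and_assess() {
    mods=$(lsmod 2>/dev/null | awk 'NR>1 {print $1}')
    bl=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    if [ -e /dev/ipmi0 ] || [ -e /dev/ipmi/0 ]; then dev=yes; else dev=no; fi
    assess_inband_ipmi "$mods" "$bl" "$dev"
}

# Run the live check only when invoked as: sh ipmi_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    collect_and_assess
fi
```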