hw-mgmt: scripts: change BMC password to be platform based

sholeksandr · acoifmannvidia · commit 0b6b254d4108 · 2025-09-08T21:18:35.000+03:00
Change BMC password to be platform based

Why I did it:
Strengthen the bmc credentials without breaking backward compatibility
How I did it:
the TPM generation password now depends on platform number

Issue: 4410461

Signed-off-by: Vladi Tarnavsky &lt;vtarnavsky@nvidia.com&gt;
diff --git a/usr/usr/bin/hw_management_redfish_client.py b/usr/usr/bin/hw_management_redfish_client.py
@@ -45,6 +45,7 @@
 import re
 import shlex
 import os
+import base64
 
 # TBD:
 # Support token persistency later on and remove RedfishClient.__password
@@ -394,6 +395,7 @@ class BMCAccessor(object):
     BMC_DIR = "/host/bmc"
     BMC_PASS_FILE = "bmc_pass"
     BMC_TPM_HEX_FILE = "hw_mgmt_const.bin"
+    LEGACY_PLATFORM_PATTERN = r'N5\d{3}_LD'
 
     def __init__(self):
         # TBD: Token persistency.
@@ -441,80 +443,97 @@ def redfish_api_wrapper(*args, **kwargs):
         err_msg = f"'{self.__class__.__name__}' object has no attribute '{name}'"
         raise AttributeError(err_msg)
 
+    def _handle_legacy_password(self):
+        """Handle legacy password generation for juliet platforms"""
+        pass_len = 13
+        attempt = 1
+        max_attempts = 100
+        max_repeat = int(3 + 0.09 * pass_len)
+        hex_data = "1300NVOS-BMC-USER-Const"
+        os.makedirs(self.BMC_DIR, exist_ok=True)
+        cmd = f'echo "{hex_data}" | xxd -r -p >  {self.BMC_DIR}/{self.BMC_TPM_HEX_FILE}'
+        subprocess.run(cmd, shell=True, check=True)
+
+        tpm_command = ["tpm2_createprimary", "-C", "o", "-u", f"{self.BMC_DIR}/{self.BMC_TPM_HEX_FILE}", "-G", "aes256cfb"]
+        result = subprocess.run(tpm_command, capture_output=True, check=True, text=True)
+
+        while attempt <= max_attempts:
+            if attempt > 1:
+                const = f"1300NVOS-BMC-USER-Const-{attempt}"
+                mess = f"Password did not meet criteria; retrying with const: {const}"
+                # print(mess)
+                tpm_command = f'echo -n "{const}" | tpm2_createprimary -C o -G aes -u -'
+                result = subprocess.run(tpm_command, shell=True, capture_output=True, check=True, text=True)
+
+            symcipher_pattern = r"symcipher:\s+([\da-fA-F]+)"
+            symcipher_match = re.search(symcipher_pattern, result.stdout)
+
+            if not symcipher_match:
+                raise Exception("Symmetric cipher not found in TPM output")
+
+            # BMC dictates a password of 13 characters. Random from TPM is used with an append of A!
+            symcipher_part = symcipher_match.group(1)[:pass_len - 2]
+            if symcipher_part.isdigit():
+                symcipher_value = symcipher_part[:pass_len - 3] + 'vA!'
+            elif symcipher_part.isalpha() and symcipher_part.islower():
+                symcipher_value = symcipher_part[:pass_len - 3] + '9A!'
+            else:
+                symcipher_value = symcipher_part + 'A!'
+            if len(symcipher_value) != pass_len:
+                raise Exception("Bad cipher length from TPM output")
+
+            # check for monotonic
+            monotonic_check = True
+            for i in range(len(symcipher_value) - 3):
+                seq = symcipher_value[i:i + 4]
+                increments = [ord(seq[j + 1]) - ord(seq[j]) for j in range(3)]
+                if increments == [1, 1, 1] or increments == [-1, -1, -1]:
+                    monotonic_check = False
+                    break
+
+            variety_check = len(set(symcipher_value)) >= 5
+            repeating_pattern_check = sum(1 for i in range(pass_len - 1) if symcipher_value[i] == symcipher_value[i + 1]) <= max_repeat
+
+            # check for consecutive_pairs
+            count = 0
+            for i in range(11):
+                val1 = symcipher_value[i]
+                val2 = symcipher_value[i + 1]
+                if val2 == "v" or val1 == "v":
+                    continue
+                if abs(int(val2, 16) - int(val1, 16)) == 1:
+                    count += 1
+            consecutive_pair_check = count <= 4
+
+            if consecutive_pair_check and variety_check and repeating_pattern_check and monotonic_check:
+                os.remove(f"{self.BMC_DIR}/{self.BMC_TPM_HEX_FILE}")
+                return symcipher_value
+            else:
+                attempt += 1
+        raise Exception("Failed to generate a valid password after maximum retries.")
+
     def get_login_password(self):
         try:
-            pass_len = 13
-            attempt = 1
-            max_attempts = 100
-            max_repeat = int(3 + 0.09 * pass_len)
-            hex_data = "1300NVOS-BMC-USER-Const"
-            os.makedirs(self.BMC_DIR, exist_ok=True)
-            cmd = f'echo "{hex_data}" | xxd -r -p >  {self.BMC_DIR}/{self.BMC_TPM_HEX_FILE}'
-            subprocess.run(cmd, shell=True, check=True)
-
-            tpm_command = ["tpm2_createprimary", "-C", "o", "-u", f"{self.BMC_DIR}/{self.BMC_TPM_HEX_FILE}", "-G", "aes256cfb"]
-            result = subprocess.run(tpm_command, capture_output=True, check=True, text=True)
-
-            while attempt <= max_attempts:
-                if attempt > 1:
-                    const = f"1300NVOS-BMC-USER-Const-{attempt}"
-                    mess = f"Password did not meet criteria; retrying with const: {const}"
-                    # print(mess)
-                    tpm_command = f'echo -n "{const}" | tpm2_createprimary -C o -G aes -u -'
-                    result = subprocess.run(tpm_command, shell=True, capture_output=True, check=True, text=True)
-
-                symcipher_pattern = r"symcipher:\s+([\da-fA-F]+)"
-                symcipher_match = re.search(symcipher_pattern, result.stdout)
-
-                if not symcipher_match:
+            with open('/sys/devices/virtual/dmi/id/product_name') as f:
+                platform_name = f.read().strip()
+            if re.match(self.LEGACY_PLATFORM_PATTERN, platform_name.upper()):
+                return self._handle_legacy_password()
+            else:
+                const = "1300NVOS-BMC-USER-Const"
+                tpm_command = f'echo -n "{const}" | tpm2_createprimary -C o -G aes -u -'
+                result = subprocess.run(tpm_command, shell=True,
+                                        capture_output=True, check=True,
+                                        text=True).stdout
+                match = re.search(r"symcipher:\s+([\da-fA-F]+)", result)
+                if not match:
                     raise Exception("Symmetric cipher not found in TPM output")
-
-                # BMC dictates a password of 13 characters. Random from TPM is used with an append of A!
-                symcipher_part = symcipher_match.group(1)[:pass_len - 2]
-                if symcipher_part.isdigit():
-                    symcipher_value = symcipher_part[:pass_len - 3] + 'vA!'
-                elif symcipher_part.isalpha() and symcipher_part.islower():
-                    symcipher_value = symcipher_part[:pass_len - 3] + '9A!'
-                else:
-                    symcipher_value = symcipher_part + 'A!'
-                if len(symcipher_value) != pass_len:
-                    raise Exception("Bad cipher length from TPM output")
-
-                # check for monotonic
-                monotonic_check = True
-                for i in range(len(symcipher_value) - 3):
-                    seq = symcipher_value[i:i + 4]
-                    increments = [ord(seq[j + 1]) - ord(seq[j]) for j in range(3)]
-                    if increments == [1, 1, 1] or increments == [-1, -1, -1]:
-                        monotonic_check = False
-                        break
-
-                variety_check = len(set(symcipher_value)) >= 5
-                repeating_pattern_check = sum(1 for i in range(pass_len - 1) if symcipher_value[i] == symcipher_value[i + 1]) <= max_repeat
-
-                # check for consecutive_pairs
-                count = 0
-                for i in range(11):
-                    val1 = symcipher_value[i]
-                    val2 = symcipher_value[i + 1]
-                    if val2 == "v" or val1 == "v":
-                        continue
-                    if abs(int(val2, 16) - int(val1, 16)) == 1:
-                        count += 1
-                consecutive_pair_check = count <= 4
-
-                if consecutive_pair_check and variety_check and repeating_pattern_check and monotonic_check:
-                    os.remove(f"{self.BMC_DIR}/{self.BMC_TPM_HEX_FILE}")
-                    return symcipher_value
-                else:
-                    attempt += 1
-
-            raise Exception("Failed to generate a valid password after maximum retries.")
-
+                # Extract symcipher and encode to base64
+                return base64.b64encode(bytes.fromhex(match.group(1))).decode("ascii")
         except subprocess.CalledProcessError as e:
             # print(f"Error executing TPM command: {e}")
             raise Exception("Failed to communicate with TPM")
-
+        except (FileNotFoundError, PermissionError) as e:
+            raise Exception("no platform name found")
         except Exception as e:
             # print(f"Error: {e}")
             raise
