Supermicro HTML5 iKVM (ATEN AST2100) to standard RFB/VNC-over-WebSocket transcoding gateway
Project description
ikvm-gateway
A standalone transcoding proxy that bridges a Supermicro HTML5 iKVM console (the proprietary Nuvoton/InsydeVNC protocol with an ATEN AST2100 video codec) to a standard RFB/VNC stream over WebSocket, so any stock noVNC client can view and control the BMC console. Credentials never reach the browser.
[noVNC browser] <-- standard RFB 3.8 over WS, security None (our origin) --> [ikvm-gateway]
|
InsydeVNC over WSS (SID cookie + token) / TLS
v
[Supermicro BMC]
How it works
- Upstream (
src/ikvm_gateway/upstream/) — authenticates to the BMC (web login -> SID cookie; Redfish OEM IKVM launch -> per-sessionentry_valuetoken), openswss://<bmc>/, completes the InsydeVNC type-16 handshake (echoRFB 055.008, security type0x10, sendtoken[24] + zero[24]), then decodes each0x57AST2100 rectangle into an RGB framebuffer. - Decoder (
rust/, shipped asikvm_gateway._ast2100) — the AST2100 codec, implemented in Rust (PyO3), reimplemented from the board's own served decoder. Full-frame decode is ~1-3 ms. It is bundled into the same wheel as the Python package. - Downstream (
src/ikvm_gateway/downstream/) — a standard RFB 3.8 server offering security None, serving the framebuffer as Raw over a binary WebSocket. Stock noVNC connects directly. - Input (
src/ikvm_gateway/input/) — translates RFB key/pointer events (X11 keysyms) into ATEN HID KeyEvent/PointerEvent messages.
Install
From PyPI (prebuilt wheels bundle the native decoder; no Rust toolchain needed):
pip install ikvm-gw
For development, requires Python >= 3.12, uv, and a Rust toolchain. The project builds as a single maturin mixed Rust/Python wheel:
uv sync
# build the Rust decoder into the venv (reads ./pyproject.toml + ./Cargo.toml)
VIRTUAL_ENV="$PWD/.venv" uv run maturin develop
Run
Provide BMC credentials in a local secret file (git-ignored), three lines:
<bmc-host-or-ip>
<bmc-username>
<bmc-password>
Start the gateway (it prints a generated control API key to stderr):
uv run python -m ikvm_gateway --secret secret --bind-host 127.0.0.1 --bind-port 5700
Use from noVNC
Turnkey local viewer
uv run python -m tools.launch_viewer --api-key <key-printed-by-the-gateway>
# then open the printed http://127.0.0.1:8800/ URL in a browser
Manual integration
The downstream is plain RFB 3.8 (security None) over a binary WebSocket, so unmodified noVNC works. The one-time session ticket is presented via the WebSocket subprotocol:
- Server-side (never in the browser), fetch a ticket with the API key:
GET http://<gateway>/sessions Authorization: Bearer <API_KEY> -> {"status":200,"message":"session ticket issued","data":{"ticket":"<ticket>"}} - Connect noVNC, passing the ticket as a WebSocket subprotocol:
new RFB(document.getElementById("screen"), "ws://<gateway>/vnc", { wsProtocols: ["<ticket>"], });
Security model (per REQUIREMENTS.md §8)
- BMC credentials and the session token never reach the browser; the gateway terminates upstream auth and offers RFB security None downstream.
- The BMC host is fixed from server configuration (the
secretfile / config), never taken from a client request — no SSRF. - The downstream control endpoint requires a bearer API key (constant-time compared). It issues one-time, short-TTL tickets; the ticket is consumed on the WebSocket handshake and never appears in a URL, query string, or log.
- Per-session and global concurrency caps, idle and max-duration timeouts, and send-side backpressure are enforced.
- Upstream TLS to the BMC uses an unverified context (self-signed BMC certs are the norm; the management network is the trust boundary).
Status and limitations (v1)
- Verified end-to-end against a live Supermicro AST2500/2600 board: the console renders in a standard RFB client and keyboard input reaches the host.
- The decoder is stateless, so the upstream requests full (non-incremental) frames each refresh (a full AST2100 frame decodes in ~1-3 ms). Making the decoder stateful to support incremental/skip blocks is a planned optimization.
- Downstream encoding is Raw only; Tight/ZRLE is a planned optimization to cut bandwidth.
- Only the Supermicro HTML5 / AST2100 (
0x57) path is implemented; the VQ / low-JPEG / skip block paths in the decoder are ported but not yet exercised on the wire.
Tests
uv run pytest -q # Python
cargo test # Rust decoder
Release
Tagging a version (e.g. git tag v0.1.0 && git push --tags) triggers
.github/workflows/pypi.yaml, which builds abi3 wheels (Linux x86_64/aarch64,
macOS x86_64/arm64, Windows x64) plus an sdist and publishes to PyPI via Trusted
Publishing (OIDC) — register the repo as a Trusted Publisher for the
ikvm-gw project on PyPI first.
License
GNU Lesser General Public License v3.0 or later (LGPL-3.0-or-later). See
COPYING.LESSER (LGPL terms) and COPYING (the
GPL-3.0 text the LGPL builds on).
noVNC is loaded unmodified from a CDN at runtime and is not redistributed here (noVNC is MPL-2.0).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distributions
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ikvm_gw-1.0.1.tar.gz.
File metadata
- Download URL: ikvm_gw-1.0.1.tar.gz
- Upload date:
- Size: 128.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6d2f17a20be0b9dd7adc635dafb08d44b9fd07f26b0a3e4afd0ae4caf6d91025
|
|
| MD5 |
fe8eecba8dc4f146ed9645a4fc6005b8
|
|
| BLAKE2b-256 |
a88ab2314c2c675b2d2a4e9d364ad527a16a1a7c64f5a8c3dbc93649d2f29193
|
Provenance
The following attestation bundles were made for ikvm_gw-1.0.1.tar.gz:
Publisher:
pypi.yaml on DoyunShin/ikvm-gw
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ikvm_gw-1.0.1.tar.gz -
Subject digest:
6d2f17a20be0b9dd7adc635dafb08d44b9fd07f26b0a3e4afd0ae4caf6d91025 - Sigstore transparency entry: 1867443933
- Sigstore integration time:
-
Permalink:
DoyunShin/ikvm-gw@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/DoyunShin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yaml@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ikvm_gw-1.0.1-cp312-abi3-win_amd64.whl.
File metadata
- Download URL: ikvm_gw-1.0.1-cp312-abi3-win_amd64.whl
- Upload date:
- Size: 161.7 kB
- Tags: CPython 3.12+, Windows x86-64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
73bfc7f3e1e16f9a553ce48de989dd2915974685d0c3a26189be3e8317dc09e1
|
|
| MD5 |
273d3f1d6aabcb2df67371c258c4dc6d
|
|
| BLAKE2b-256 |
6fe40aaf4f3a020b8bc5cfd67c8282a35d80c8965cf619728a5bc3691fa5af3e
|
Provenance
The following attestation bundles were made for ikvm_gw-1.0.1-cp312-abi3-win_amd64.whl:
Publisher:
pypi.yaml on DoyunShin/ikvm-gw
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ikvm_gw-1.0.1-cp312-abi3-win_amd64.whl -
Subject digest:
73bfc7f3e1e16f9a553ce48de989dd2915974685d0c3a26189be3e8317dc09e1 - Sigstore transparency entry: 1867444129
- Sigstore integration time:
-
Permalink:
DoyunShin/ikvm-gw@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/DoyunShin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yaml@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.
File metadata
- Download URL: ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
- Upload date:
- Size: 294.7 kB
- Tags: CPython 3.12+, manylinux: glibc 2.17+ x86-64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c53a955892a6023d5f014f090c78c1e6eddc0e9cc669df07de136e901983416f
|
|
| MD5 |
9cc6db34de0d64282f9d07b67e0fad81
|
|
| BLAKE2b-256 |
e7a88d4115d5bed596130cb510f5e68bf7a1da9a22b4d6f38ea40951c560cbfc
|
Provenance
The following attestation bundles were made for ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:
Publisher:
pypi.yaml on DoyunShin/ikvm-gw
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl -
Subject digest:
c53a955892a6023d5f014f090c78c1e6eddc0e9cc669df07de136e901983416f - Sigstore transparency entry: 1867444507
- Sigstore integration time:
-
Permalink:
DoyunShin/ikvm-gw@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/DoyunShin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yaml@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.
File metadata
- Download URL: ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
- Upload date:
- Size: 290.7 kB
- Tags: CPython 3.12+, manylinux: glibc 2.17+ ARM64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ae391aad3ff368bd69dd94a39f80b0bcb5c69e5c7031a8989924a978a936b43c
|
|
| MD5 |
54197e34631f608bcc1433eb00f9a964
|
|
| BLAKE2b-256 |
434008109947af6e043ced3b699a80cea4cc5bf2740bbfecaecdf41e041b16e2
|
Provenance
The following attestation bundles were made for ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:
Publisher:
pypi.yaml on DoyunShin/ikvm-gw
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ikvm_gw-1.0.1-cp312-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl -
Subject digest:
ae391aad3ff368bd69dd94a39f80b0bcb5c69e5c7031a8989924a978a936b43c - Sigstore transparency entry: 1867444712
- Sigstore integration time:
-
Permalink:
DoyunShin/ikvm-gw@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/DoyunShin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yaml@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ikvm_gw-1.0.1-cp312-abi3-macosx_11_0_arm64.whl.
File metadata
- Download URL: ikvm_gw-1.0.1-cp312-abi3-macosx_11_0_arm64.whl
- Upload date:
- Size: 262.7 kB
- Tags: CPython 3.12+, macOS 11.0+ ARM64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
98904ce1687723bd9f7d446290e045cd109091c10476399e2d6eeaae121d3e56
|
|
| MD5 |
3c6316a8afaf1369671dc6ca0237bbcb
|
|
| BLAKE2b-256 |
49d767e917db9ed95c5da17ad5ff3a2f905e208c6b1b85c65109ecc2df2bcf5b
|
Provenance
The following attestation bundles were made for ikvm_gw-1.0.1-cp312-abi3-macosx_11_0_arm64.whl:
Publisher:
pypi.yaml on DoyunShin/ikvm-gw
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ikvm_gw-1.0.1-cp312-abi3-macosx_11_0_arm64.whl -
Subject digest:
98904ce1687723bd9f7d446290e045cd109091c10476399e2d6eeaae121d3e56 - Sigstore transparency entry: 1867444324
- Sigstore integration time:
-
Permalink:
DoyunShin/ikvm-gw@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/DoyunShin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yaml@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ikvm_gw-1.0.1-cp312-abi3-macosx_10_12_x86_64.whl.
File metadata
- Download URL: ikvm_gw-1.0.1-cp312-abi3-macosx_10_12_x86_64.whl
- Upload date:
- Size: 264.1 kB
- Tags: CPython 3.12+, macOS 10.12+ x86-64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cab12669cd44cdbb10ef199b75b930576236e41f7b8883217e00ede9653f859a
|
|
| MD5 |
bf3207bc286a8c9c85b1c52b25ebb09a
|
|
| BLAKE2b-256 |
5d87efd2b8a2a77d832299d76b2981e283a2e06161a9361e14b900b02fda5964
|
Provenance
The following attestation bundles were made for ikvm_gw-1.0.1-cp312-abi3-macosx_10_12_x86_64.whl:
Publisher:
pypi.yaml on DoyunShin/ikvm-gw
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ikvm_gw-1.0.1-cp312-abi3-macosx_10_12_x86_64.whl -
Subject digest:
cab12669cd44cdbb10ef199b75b930576236e41f7b8883217e00ede9653f859a - Sigstore transparency entry: 1867444922
- Sigstore integration time:
-
Permalink:
DoyunShin/ikvm-gw@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/DoyunShin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yaml@fb1a45bd867b0ca72c016a93cd915a5a44c6dfd6 -
Trigger Event:
push
-
Statement type: