From: Chittari Pabba <ChittariP@ami.com>
To: Joseph Reynolds <jrey@linux.ibm.com>, openbmc <openbmc@lists.ozlabs.org>
Subject: RE: BMC threat model docs
Date: Wed, 17 Jul 2019 17:21:24 +0000
Message-ID: <00DE8410EF1E8148ABEDA156FA727A3C03ED1D95CB@atlms2.us.megatrends.com>
In-Reply-To: <685b6066-fdd1-9fc7-82be-372f6ad9ff22@linux.ibm.com>

Thank you, Joseph, for the quick response! I will review the OpenBMC threat model document and will provide my feedback.

-----Original Message-----
From: openbmc <openbmc-bounces+chittarip=ami.com@lists.ozlabs.org> On Behalf Of Joseph Reynolds
Sent: Wednesday, July 17, 2019 12:27 PM
To: openbmc <openbmc@lists.ozlabs.org>
Subject: BMC threat model docs

I got a private email asking
 > [where are the] BMC project threat model documents?

The approved network threat model is here:
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md

The threat model is very basic and does little more than identify OpenBMC's network services.  The level of detail was initially superficial to get approval for the document.  I hope to add more details and add new sections for BMC network connections including LDAP, remote logging, remote media, ip-kvm, event subscriptions, etc.  Then add a section for Redfish security considerations.

The network threat model is only a subset of the overall BMC threat model.  (For example, the BMC faces threats from its environment and its host system.)  The OpenBMC project has no overall BMC threat model, and mine is in review here:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/22404
(You can find other threat model reviews by searching gerrit for "threat" or "security").

I am using my review to collect information about BMC threats, which in turn depends on how the BMC is used, so I am collecting information about BMC use cases too.  Any and all contributions are welcome, and can be added as review comments, email to the community, or directly to me. I am struggling with the threat model scope, and how to organize the document.  Any feedback is welcome.

- Joseph



Thread overview: 4+ messages
2019-07-17 16:26 BMC threat model docs Joseph Reynolds
2019-07-17 17:21 ` Chittari Pabba [this message]
2019-07-17 17:26   ` Chittari Pabba
2019-07-17 19:35     ` Joseph Reynolds
