* Re: Security Working Group meeting - Wednesday August 17
From: Nick Rivers @ 2022-08-17 17:40 UTC (permalink / raw)
To: bradleyb, jrey, andrew, openbmc
On 8/17/2022 09:57, Brad Bishop wrote:
> On Wed, 2022-08-17 at 11:13 -0500, Joseph Reynolds wrote:
>> On 8/17/22 12:11 AM, Andrew Jeffery wrote:
>>>
>>> On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
>>>> This is a reminder of the OpenBMC Security Working Group meeting
>>>> scheduled for this Wednesday August 17 at 10:00am PDT.
>>> Given the discussion from last meeting, is this on Discord?
>>
>> No. The meeting access for Aug 17 is the same as before:
>> https://ibm.webex.com/meet/joseph.reynolds1
>>
>> I wanted to give a couple of weeks notice (A) for attendees to firm up
>> any objections to moving
>
> Injecting my opinions in case they are helpful...but probably not 🤣
>
> I likely sound cliché but someone will always be unhappy with every
> decision, including this one. As the WG host, have -you- been convinced
> that improved collalboration between the security working group and the
> developer community is worthwhile, and that moving to Discord will
> improve that? If so - go for it!
>
> People were (and still are) opposed to moving from IRC to Discord, but
> we now have 500 people on our server and levels of collaboration in the
> developer community never before seen in OpenBMC...
>
Thus not really supporting diverse and inclusive workplace thinking. And
encouraging fit "The Organization's Model" with little room for those who
do not fit "The Organization's Model". I agree that utopia is not achievable.
* Re: Security Working Group meeting - Wednesday August 17
From: Brad Bishop @ 2022-08-17 17:47 UTC (permalink / raw)
To: Nick Rivers; +Cc: andrew, openbmc, jrey
On Wed, Aug 17, 2022 at 10:40:33AM -0700, Nick Rivers wrote:
>> Injecting my opinions in case they are helpful...but probably not 🤣
>>
>> I likely sound cliché but someone will always be unhappy with every
>> decision, including this one. As the WG host, have -you- been convinced
>> that improved collaboration between the security working group and the
>> developer community is worthwhile, and that moving to Discord will
>> improve that? If so - go for it!
>>
>> People were (and still are) opposed to moving from IRC to Discord, but
>> we now have 500 people on our server and levels of collaboration in the
>> developer community never before seen in OpenBMC...
>>
> Thus not really supporting diverse and inclusive workplace thinking. And
> encouraging fit "The Organization's Model" with little room for those who
> do not fit "The Organization's Model".
OK, I can understand why that might not be a good thing. So what would
you suggest Joseph do then to improve synergy between the security
working group and the developer community?
Thanks,
Brad
* Re: Security Working Group meeting - Wednesday August 17 - Move call to Discord Voice channel
From: Joseph Reynolds @ 2022-08-17 18:35 UTC (permalink / raw)
To: Brad Bishop, Nick Rivers, Andrew.Jeffery; +Cc: andrew, openbmc
On 8/17/22 12:47 PM, Brad Bishop wrote:
> On Wed, Aug 17, 2022 at 10:40:33AM -0700, Nick Rivers wrote:
>>> Injecting my opinions in case they are helpful...but probably not 🤣
>>>
>>> I likely sound cliché but someone will always be unhappy with every
>>> decision, including this one. As the WG host, have -you- been convinced
>>> that improved collaboration between the security working group and the
>>> developer community is worthwhile, and that moving to Discord will
>>> improve that? If so - go for it!
>>>
>>> People were (and still are) opposed to moving from IRC to Discord, but
>>> we now have 500 people on our server and levels of collaboration in the
>>> developer community never before seen in OpenBMC...
>>>
>> Thus not really supporting diverse and inclusive workplace thinking. And
>> encouraging fit "The Organization's Model" with little room for those who
>> do not fit "The Organization's Model".
>
> OK, I can understand why that might not be a good thing. So what
> would you suggest Joseph do then to improve synergy between the
> security working group and the developer community?
Thanks for the discussion. In today's call there were no objections
and we agreed to move the Security Working Group call to Discord:
Discord > OpenBMC > Voice channels > Security ~
https://discord.com/channels/775381525260664832/1002376534377635860
effective for the next meeting, August 31, 2022.
I'll send an email.
Joseph
>
> Thanks,
> Brad
* Re: Security Working Group meeting - Wednesday August 17
From: Patrick Williams @ 2022-08-17 20:29 UTC (permalink / raw)
To: Joseph Reynolds; +Cc: openbmc
On Wed, Aug 17, 2022 at 03:11:46PM -0500, Joseph Reynolds wrote:
> On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> 4 SELinux design. Request for re-review.
> https://gerrit.openbmc.org/c/openbmc/docs/+/53205
>
> Advice on how to create interest in re-reviewing a design. Use Discord:
> Ping specific reviewers and ask specific questions about design issues,
> if it is solved; ask if the design can be approved.
Step 1. Do not disappear for months at a time, without responding to
any feedback, and then expect reviewers to drop everything when you
decide it is time to show up again.
--
Patrick Williams
* Re: Security Working Group meeting - Wednesday August 17
From: Joseph Reynolds @ 2022-08-17 20:11 UTC (permalink / raw)
To: openbmc
On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday August 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
I added topic 0: Move the meeting access from Webex to Discord voice.
I combined topic 4 (how to submit proof-of-concept exploits) into topic 2.
Attendees: Joseph Reynolds, Yutaka Sugawara, Ruud Haring, James Mihm,
Dhananjay, Krishnan Sugavanam, Sandhya Koteshwara, Dick from Phoenix,
Chris Engel, Paul Crumley, Mark McCawley, Angelo Ruocco, Daniil, Robert
Senger.
0 Move the next meeting access to Discord? Discord > OpenBMC > Voice
channels > Security ~
https://discord.com/channels/775381525260664832/1002376534377635860
Yes, agreed.
The next meeting, planned for 2022-08-31, will be on Discord.
1 Measured Boot.
DISCUSSION:
Single design or separate designs? Let’s have separate designs:
1a. Enable measured boot: Kernel Device driver is available. Collect
measurements into TPM. See
https://review.trustedfirmware.org/q/measured-boot
1b. Enable attestation: use the Keylime-Agent REST server on default BMC
port 8890.
Design Question: Keylime vs Redfish vs other (VMWare is not OSS, Intel’s
design is proprietary).
Design Question: what gets measured by the TPM? Follow the TCG
standard.
https://trustedcomputinggroup.org/resource/tcg-server-management-domain-firmware-profile-specification/
Design question: when and how to init the TPM? This is partly in scope
to community project, but some parts will depend on hardware outside the
scope of OpenBMC.
Root-of-trust Issue: Does BMC hardware (for example, the next ASPEED
AST2x00 BMC hw) init the TPM and measure the Uboot image? ⇒ Or does
Uboot init the TPM? Can we use a FIP image?
Pre-req design: the measured boot design requires the signatures
provided by secure boot.
2 CVE Response.
DISCUSSION:
Add guidance to
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
for submitting proof-of-concept exploits. How to ensure the exploit is not
harmful to the recipient, and is not tagged by the email sanitizers?
Encrypt? Or quote it with "> text"? Or add it to the security advisory?
We are still working on:
* Github repo maintainers need to create security tabs so they can
handle security advisories.
* Proposal to restructure repos.
* Which CNA to use? The OpenBMC CNA vs the GitHub CNA?
3 FIPS compliance.
DISCUSSION:
Note that OpenBMC is not the kind of thing which can be FIPS compliant.
The way it works is this: a system “built on OpenBMC” seeks FIPS
compliance. As part of the compliance process, they need to ask
questions about the portions of the system which OpenBMC provides,
therefore the OpenBMC project needs to answer those questions.
FIPS reference: https://en.wikipedia.org/wiki/FIPS_140
The way I (Joseph) see the next steps are:
3a. What FIPS requirements apply to the BMC? Note that some FIPS
requirements will not apply to the BMC and will apply only to the
overall system. (OpenBMC does not need to address those requirements.)
The work is to go through the FIPS standards, and list which
requirements apply to the BMC, and if needed, how they apply. For
example, the BMC is part of the management component of the system, and
the FIPS requirements apply to the management subsystem.
3b. Given the requirements from the previous work item, what can the
OpenBMC community say about them? For example, if OpenBMC documentation
shows how a default build of OpenBMC would pick up some code or
configuration to satisfy the requirement, that would go a long way to
help the FIPS evaluator. More specifically for example, the BMC does
provide role-based authentication to help satisfy the FIPS requirements.
3c. Create a new openbmc document to capture the answers above. This
document's use case is as a starting point for the information someone
needs when they are working to FIPS-certify their system and try to roll
down the FIPS requirements to their BMC. A secondary use of this
document is to identify any gaps in BMC security function.
BONUS TOPIC:
4 SELinux design. Request for re-review.
https://gerrit.openbmc.org/c/openbmc/docs/+/53205
Advice on how to create interest in re-reviewing a design. Use Discord:
Ping specific reviewers and ask specific questions about design issues,
if it is solved; ask if the design can be approved.
Joseph
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
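As an added illustration of the "what gets measured by the TPM" and attestation questions in the minutes above (this is not code from the OpenBMC project, Keylime, or any participant), the following Python replays a constructed measured-boot event log into SHA-256 PCR values the way TPM2_PCR_Extend does, and then performs the verifier-side comparison an appraiser such as Keylime would make. The file names, PCR assignments, and image bytes are assumptions made up for the example.

```python
import hashlib

# Constructed sample event log, modelled on a BMC boot chain
# (U-Boot image, kernel FIT image, root filesystem). The image bytes are
# placeholders, not real firmware; PCR assignments are assumptions.
SAMPLE_EVENT_LOG = [
    (0, "u-boot.bin", b"constructed u-boot image bytes"),
    (0, "fitImage", b"constructed kernel fitImage bytes"),
    (1, "rootfs.squashfs", b"constructed rootfs bytes"),
]

PCR_INIT = bytes(32)  # TPM 2.0 SHA-256 PCRs are all zeros at reset


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = SHA-256(old_pcr || digest).

    Order matters: measuring the same images in a different sequence
    yields a different final PCR value, which is what makes the log
    tamper-evident rather than a plain set of hashes.
    """
    return hashlib.sha256(pcr_value + digest).digest()


def replay_event_log(event_log):
    """Replay an event log into {pcr_index: final_value}."""
    pcrs = {}
    for index, _name, image in event_log:
        digest = hashlib.sha256(image).digest()
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs


def appraise(reported_pcrs, event_log):
    """Verifier side: accept only if the log replays to the reported PCRs.

    A real appraiser also checks the TPM quote signature over the PCRs;
    that step is out of scope here and assumed to have passed.
    """
    expected = replay_event_log(event_log)
    if set(reported_pcrs) != set(expected):
        return False
    return all(reported_pcrs[i] == v for i, v in expected.items())


if __name__ == "__main__":
    good = replay_event_log(SAMPLE_EVENT_LOG)
    print("appraisal of untampered log:", appraise(good, SAMPLE_EVENT_LOG))
```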
* Re: Security Working Group meeting - Wednesday August 17
From: Brad Bishop @ 2022-08-17 16:57 UTC (permalink / raw)
To: Joseph Reynolds, Andrew Jeffery, openbmc
On Wed, 2022-08-17 at 11:13 -0500, Joseph Reynolds wrote:
> On 8/17/22 12:11 AM, Andrew Jeffery wrote:
> >
> > On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
> > > This is a reminder of the OpenBMC Security Working Group meeting
> > > scheduled for this Wednesday August 17 at 10:00am PDT.
> > Given the discussion from last meeting, is this on Discord?
>
> No. The meeting access for Aug 17 is the same as before:
> https://ibm.webex.com/meet/joseph.reynolds1
>
> I wanted to give a couple of weeks notice (A) for attendees to firm up
> any objections to moving
Injecting my opinions in case they are helpful...but probably not 🤣
I likely sound cliché but someone will always be unhappy with every
decision, including this one. As the WG host, have -you- been convinced
that improved collaboration between the security working group and the
developer community is worthwhile, and that moving to Discord will
improve that? If so - go for it!
People were (and still are) opposed to moving from IRC to Discord, but
we now have 500 people on our server and levels of collaboration in the
developer community never before seen in OpenBMC...
Thanks,
Brad
* Re: Security Working Group meeting - Wednesday August 17
From: Joseph Reynolds @ 2022-08-17 16:13 UTC (permalink / raw)
To: Andrew Jeffery, openbmc
On 8/17/22 12:11 AM, Andrew Jeffery wrote:
>
> On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday August 17 at 10:00am PDT.
> Given the discussion from last meeting, is this on Discord?
No. The meeting access for Aug 17 is the same as before:
https://ibm.webex.com/meet/joseph.reynolds1
I wanted to give a couple of weeks notice (A) for attendees to firm up
any objections to moving, and (B) to announce the change.
Joseph
>
> Andrew
* Re: Security Working Group meeting - Wednesday August 17
From: Andrew Jeffery @ 2022-08-17 5:11 UTC (permalink / raw)
To: Joseph Reynolds, openbmc
On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday August 17 at 10:00am PDT.
Given the discussion from last meeting, is this on Discord?
Andrew
* Security Working Group meeting - Wednesday August 17
From: Joseph Reynolds @ 2022-08-17 3:07 UTC (permalink / raw)
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday August 17 at 10:00am PDT.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
and anything else that comes up:
1. Continue discussing Measured Boot.
2. Continue discussing CVE response.
3. BMC FIPS compliance.
4. Add guidance to
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
for submitting proof-of-concept exploits.
Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph