Re: Security Working Group meeting - Wednesday August 17

Re: Security Working Group meeting - Wednesday August 17

[Nick Rivers]

[-- Attachment #1: Type: text/plain, Size: 1475 bytes --]

On 8/17/2022 09:57, Brad Bishop wrote:
> On Wed, 2022-08-17 at 11:13 -0500, Joseph Reynolds wrote:
>> On 8/17/22 12:11 AM, Andrew Jeffery wrote:
>>>
>>> On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
>>>> This is a reminder of the OpenBMC Security Working Group meeting
>>>> scheduled for this Wednesday August 17 at 10:00am PDT.
>>> Given the discussion from last meeting, is this on Discord?
>>
>> No.  The meeting access for Aug 17 is the same as before:
>> https://ibm.webex.com/meet/joseph.reynolds1
>>
>> I wanted to give a couple of weeks notice (A) for attendees to firm up
>> any objections to moving
>
> Injecting my opinions in case they are helpful...but probably not 🤣
>
> I likely sound cliché but someone will always be unhappy with every
> decision, including this one. As the WG host, have -you- been convinced
> that improved collalboration between the security working group and the
> developer community is worthwhile, and that moving to Discord will
> improve that? If so - go for it!
>
> People were (and still are) opposed to moving from IRC to Discord, but
> we now have 500 people on our server and levels of collaboration in the
> developer community never before seen in OpenBMC...
>
Thus not really supporting diverse and inclusive workplace thinking.And
encouraging fit "The Organization's Model" with little room for those who
do not fit "The Organization's Model".I agree that utopia is not achievable.

[-- Attachment #2: Type: text/html, Size: 2401 bytes --]

Re: Security Working Group meeting - Wednesday August 17

[Brad Bishop]

On Wed, Aug 17, 2022 at 10:40:33AM -0700, Nick Rivers wrote:
>> Injecting my opinions in case they are helpful...but probably not 🤣
>>
>> I likely sound cliché but someone will always be unhappy with every
>> decision, including this one. As the WG host, have -you- been convinced
>> that improved collalboration between the security working group and the
>> developer community is worthwhile, and that moving to Discord will
>> improve that? If so - go for it!
>>
>> People were (and still are) opposed to moving from IRC to Discord, but
>> we now have 500 people on our server and levels of collaboration in the
>> developer community never before seen in OpenBMC...
>>
>Thus not really supporting diverse and inclusive workplace thinking.And
>encouraging fit "The Organization's Model" with little room for those who
>do not fit "The Organization's Model".

OK, I can understand why that might not be a good thing.  So what would 
you suggest Joseph do then to improve synergy between the security 
working group and the developer community?

Thanks,
Brad

Re: Security Working Group meeting - Wednesday August 17 - Move call to Discord Voice channel

[Joseph Reynolds]

On 8/17/22 12:47 PM, Brad Bishop wrote:
> On Wed, Aug 17, 2022 at 10:40:33AM -0700, Nick Rivers wrote:
>>> Injecting my opinions in case they are helpful...but probably not 🤣
>>>
>>> I likely sound cliché but someone will always be unhappy with every
>>> decision, including this one. As the WG host, have -you- been convinced
>>> that improved collalboration between the security working group and the
>>> developer community is worthwhile, and that moving to Discord will
>>> improve that? If so - go for it!
>>>
>>> People were (and still are) opposed to moving from IRC to Discord, but
>>> we now have 500 people on our server and levels of collaboration in the
>>> developer community never before seen in OpenBMC...
>>>
>> Thus not really supporting diverse and inclusive workplace thinking.And
>> encouraging fit "The Organization's Model" with little room for those 
>> who
>> do not fit "The Organization's Model".
>
> OK, I can understand why that might not be a good thing.  So what 
> would you suggest Joseph do then to improve synergy between the 
> security working group and the developer community?

Thanks for the discussion.  In today's call there were not objections 
and we agreed to move to the Security Working Group call to Discord

Discord > OpenBMC > Voice channels >  Security ~ 
https://discord.com/channels/775381525260664832/1002376534377635860 
<https://discord.com/channels/775381525260664832/1002376534377635860>

effective for the next meeting August 31, 2022.

I'll send an email.


Joseph

>
> Thanks,
> Brad

Re: Security Working Group meeting - Wednesday August 17

[Patrick Williams]

[-- Attachment #1: Type: text/plain, Size: 684 bytes --]

On Wed, Aug 17, 2022 at 03:11:46PM -0500, Joseph Reynolds wrote:
> On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> 4 SELinux design.  Request for re-review. 
> https://gerrit.openbmc.org/c/openbmc/docs/+/53205 
> <https://gerrit.openbmc.org/c/openbmc/docs/+/53205>
> 
> Advice on how to create interest in re-reviewing a design.  Use Discord: 
> Ping specific reviewers and ask specific questions about design issues, 
> if it is solved; ask if the design can be approved.

Step 1.  Do not disappear for months at a time, without responding to
any feedback, and then expect reviewers to drop everything when you
decide it is time to show up again.

-- 
Patrick Williams

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Security Working Group meeting - Wednesday August 17

[Joseph Reynolds]

On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:

I added topic 0: Move the meeting access from ebex to discord voice.
I combined topic 4 (how to submit proof-of-concept exploits) into topic 2.

Attendees: Joseph Reynolds, Yutaka Sugawara, Ruud Haring, James Mihm, 
Dhananjay, Krishnan Sugavanam, Sandhya Koteshwara, Dick from Phoenix, 
Chris Engel, Paul Crumley, Mark McCawley, Angelo Ruocco, Daniil, Robert 
Senger.


0 Move the next meeting access to Discord?  Discord > OpenBMC > Voice 
channels >  Security ~ 
https://discord.com/channels/775381525260664832/1002376534377635860 
<https://discord.com/channels/775381525260664832/1002376534377635860>

Yes, agreed.

The next meeting planned for 2022-08-31 will be on discord.


1 Measured Boot.

DISCUSSION:

Single design or separate designs?  Let’s have separate designs:


1a. Enable measured boot: Kernel Device driver is available. Collect 
measurements into TPM.  See 
https://review.trustedfirmware.org/q/measured-boot 
<https://review.trustedfirmware.org/q/measured-boot>


1b. Enable attestation: use the Keylime-Agent REST server on default BMC 
port 8890.

Design Question: Keylime vs Redfish vs other (VMWare is not OSS, Intel’s 
design is proprietary).

Design Question: what gets measured by the TPM?  Follow the TCG 
standard. 
https://trustedcomputinggroup.org/resource/tcg-server-management-domain-firmware-profile-specification/ 
<https://trustedcomputinggroup.org/resource/tcg-server-management-domain-firmware-profile-specification/>

Design question: when and how to init the TPM?  This is partly in scope 
to community project, but some parts will depend on hardware outside the 
scope of OpenBMC.

Root-of-trust Issue: Does BMC hardware (for example, the next ASPEED 
AST2x00 BMC hw) init the TPM and measure the Uboot image?  ⇒  Or does 
Uboot init the TPM?  Can ew use a FIP image?

Pre-req design: the measured boot design requires the signatures 
provided by secure boot.


2 CVE Response.

DISCUSSION:

Add guidance to 
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md 
<https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md>for 
submitting proof-of-concept exploits. How to ensure the exploit is not 
harmful to the recipient , and is not tagged by the email sanitizers?   
Encrypt? Or quoted with: > text  Or add to the security advisory?

We are still working on:

  *

    Github repo maintainers need to create security tabs so they can
    handle security advisories.

  *

    Proposal to restructure repos

  *

    Which CNA to use?  The Openbmc CNA vs the github CNA?


3 FIPS compliance.

DISCUSSION:

Note that OpenBMC is not the kind of thing which can be FIPS compliant.  
The way it works is this: a system “built on OpenBMC” seeks FIPS 
compliance.  As part of the compliance process, they need to ask 
questions about the portions of the system which OpenBMC provides, 
therefore the OpenBMC project needs to answer those questions.

FIPS reference: https://en.wikipedia.org/wiki/FIPS_140 
<https://en.wikipedia.org/wiki/FIPS_140>

The way I (Joseph) see the next steps are:


3a. What FIPS requirements apply to the BMC?  Note that some FIPS 
requirements will not apply to the BMC and will apply only to the 
overall system.  (OpenBMC does not need to address those requirements.)  
The work is to go through the FIPS standards, and list which 
requirements apply to the BMC, and if needed, how they apply.  For 
example, the BMC is part of the management component of the system, and 
the FIPS requirements apply to the management subsystem.


3b. Given the requirements from the previous work item, what can the 
OpenBMC community say about them?  For example, if OpenBMC documentation 
shows how a default build of OpenBMC would pick up some code or 
configuration to satisfy the requirement, that would go a long way to 
help the FIPS evaluator.  More specifically for example, the BMC does 
provide role-based authentication to help satisfy the FIPS requirements.


3c. Create a new openbmc document to capture the answers above.  This 
document use case is as a starting point for the information someone 
needs when they are working to FIPS-certify their system and try to roll 
down the FIPS requirements to their BMC.  A secondary use of this 
document is to identify any gaps in BMC security function.


BONUS TOPIC:

4 SELinux design.  Request for re-review. 
https://gerrit.openbmc.org/c/openbmc/docs/+/53205 
<https://gerrit.openbmc.org/c/openbmc/docs/+/53205>

Advice on how to create interest in re-reviewing a design.  Use Discord: 
Ping specific reviewers and ask specific questions about design issues, 
if it is solved; ask if the design can be approved.



Joseph

>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph

Re: Security Working Group meeting - Wednesday August 17

[Brad Bishop]

On Wed, 2022-08-17 at 11:13 -0500, Joseph Reynolds wrote:
> On 8/17/22 12:11 AM, Andrew Jeffery wrote:
> > 
> > On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
> > > This is a reminder of the OpenBMC Security Working Group meeting
> > > scheduled for this Wednesday August 17 at 10:00am PDT.
> > Given the discussion from last meeting, is this on Discord?
> 
> No.  The meeting access for Aug 17 is the same as before:
> https://ibm.webex.com/meet/joseph.reynolds1
> 
> I wanted to give a couple of weeks notice (A) for attendees to firm up
> any objections to moving

Injecting my opinions in case they are helpful...but probably not 🤣

I likely sound cliché but someone will always be unhappy with every
decision, including this one.  As the WG host, have -you- been convinced
that improved collalboration between the security working group and the
developer community is worthwhile, and that moving to Discord will
improve that?  If so - go for it!

People were (and still are) opposed to moving from IRC to Discord, but
we now have 500 people on our server and levels of collaboration in the
developer community never before seen in OpenBMC...

Thanks,
Brad

Re: Security Working Group meeting - Wednesday August 17

[Joseph Reynolds]

On 8/17/22 12:11 AM, Andrew Jeffery wrote:
>
> On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday August 17 at 10:00am PDT.
> Given the discussion from last meeting, is this on Discord?

No.  The meeting access for Aug 17 is the same as before:
https://ibm.webex.com/meet/joseph.reynolds1

I wanted to give a couple of weeks notice (A) for attendees to firm up 
any objections to moving, and (B) to announce the change.

Joseph

>
> Andrew

Re: Security Working Group meeting - Wednesday August 17

[Andrew Jeffery]

On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 17 at 10:00am PDT.

Given the discussion from last meeting, is this on Discord?

Andrew

Security Working Group meeting - Wednesday August 17

[Joseph Reynolds]

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday August 17 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
and anything else that comes up:
1. Continue discussing Measured Boot.

2. Continue discussing CVE response.

3. BMC FIPS compliance.

4. Add guidance to 
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md 
<https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md>for 
submitting proof-of-concept exploits.



Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group 
<https://github.com/openbmc/openbmc/wiki/Security-working-group>

- Joseph