* Security working group meeting 2020-01-22
@ 2020-01-22 21:23 Joseph Reynolds
  2020-01-24 17:19 ` bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22] Alexander Tereschenko
  2020-01-27 17:42 ` Security workgroup meeting times Joseph Reynolds
  0 siblings, 2 replies; 14+ messages in thread
From: Joseph Reynolds @ 2020-01-22 21:23 UTC (permalink / raw)
  To: openbmc

Notes from the security working group meeting 2020-01-22:
Highlights below; details in 
https://github.com/openbmc/openbmc/wiki/Security-working-group


1. Discuss BMCWeb’s site identity certificate handling, specifically 
intermediate certificates.  See 
https://github.com/openbmc/bmcweb/#configuration 


Other web servers have directives to concatenate the intermediate 
certificates (excluding the root CA certificates) and send that. What 
does BMCWeb do?

  - What is BMCWeb's default?
  - Need better docs, for example: How can a BMC admin replace the BMCWeb 
site cert?  Is it okay to concatenate intermediate certs? Can we 
document this for BMCWeb?


2. Design discussions about aggregation broached the security topic: 
https://lists.ozlabs.org/pipermail/openbmc/2020-January/020142.html 


We are not sure what security help is needed at this point.


3. Revisit "Daemons should not run as root" - 
https://github.com/openbmc/openbmc/issues/3383

There is definite interest.  Who can work on this?  Possible initial 
goal: convert bmcweb so it runs as a non-root user.  BMCWeb is selected 
because it is higher risk because it implements a network interface.



4. Merged BMCWeb commit to allow slower image uploads: 
https://github.com/openbmc/bmcweb/commit/2b5e08e2915d886655a78aaabff40745dca6b517 
   See also commit: 0e1cf26b1cd98e0ec069e6187434fcabf1e9c200 “Make the 
max http request body size configurable”.


Minimal discussion.



5. Merged BMCWeb commit that added new messages for security events: 
https://github.com/openbmc/bmcweb/commit/8988dda41319950476ebb146df06c2e7b3fbf44d


Minimal discussion.



6. How do we bring security assurance work into the OpenBMC project?  Is 
there interest in considering Protection Profiles that apply to 
OpenBMC?  We can use these as a systematic way to review security topics.  
For example, the Operating System Protection Profile (OSPP) talks about 
cryptographic functions, audit logging, network security, secure boot, 
etc.  The Virtualization Protection Profile (VPP) considers the BMC to 
be part of the platform management system.


There was agreement that these security schemes are good starting points 
to use as a guide.  DONE: Joseph added new “Security Assurance Workflow” 
section to guide future work in this area - 
https://github.com/openbmc/openbmc/wiki/Security-working-group#security-assurance-workflow 
.


- Joseph


* Re: bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]
  2020-01-22 21:23 Security working group meeting 2020-01-22 Joseph Reynolds
@ 2020-01-24 17:19 ` Alexander Tereschenko
  2020-01-27 16:03   ` Joseph Reynolds
  2020-01-27 17:42 ` Security workgroup meeting times Joseph Reynolds
  1 sibling, 1 reply; 14+ messages in thread
From: Alexander Tereschenko @ 2020-01-24 17:19 UTC (permalink / raw)
  To: openbmc

On 22-Jan-20 22:23, Joseph Reynolds wrote:
> Notes from the security working group meeting 2020-01-22:
> Highlights below; details in 
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
>
> 1. Discuss BMCWeb’s site identity certificate handling, specifically 
> intermediate certificates.  See 
> https://github.com/openbmc/bmcweb/#configuration 
>
> Other web servers have directives to concatenate the intermediate 
> certificates (excluding the root CA certificates) and send that. What 
> does BMCWeb do?
>
>  - What is BMCWeb's default?
>  - Need better docs, for example: How can a BMC admin replace 
> the BMCWeb site cert?  Is it okay to concatenate intermediate certs? 
> Can we document this for BMCWeb?

As discussed during the meeting, I've looked into that and it looks like 
bmcweb doesn't support sending the cert chain at all right now. When 
loading, it expects the server's cert file to have just a private key and 
certificate in a single file [1], just as we've discussed during the 
meeting, and server's init code only loads those [2]. There's an API in 
Boost.Asio that could allow loading a chain [3], but it's not used 
anywhere, so for bmcweb to support that, a patch must be created.

HTH,
Alexander

[1] https://github.com/openbmc/bmcweb/blob/master/http/http_server.h#L159
[2] https://github.com/openbmc/bmcweb/blob/master/http/app.h#L158-L159
[3] 
https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/ssl__context/use_certificate_chain_file.html
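
An added example, not part of Alexander's message or of bmcweb: a pre-install check for the PEM layout that OpenSSL-based chain loaders such as the Boost.Asio call in [3] read, with the server certificate first and each following certificate the issuer of the one before it, and the root CA left out as in the meeting notes. Keeping the private key in the same file follows the single-file layout described for [1] and is an assumption here; the certificates are constructed, unsigned stand-ins, and names are compared byte for byte without verifying signatures.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Return the raw issuer and subject Name bytes of one DER certificate."""
    _, cert, _ = read_tlv(der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)   # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, value, pos = read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields and fields[0][0] == 0xA0:  # optional [0] version field
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("not an X.509 certificate")
    # Remaining order: serial, signature algorithm, issuer, validity, subject.
    return fields[2][1], fields[4][1]


def check_bundle(pem_text):
    """Return a list of layout problems in a server PEM bundle (empty means OK)."""
    keys, certs, problems = 0, [], []
    for label, body in PEM_RE.findall(pem_text):
        if label.endswith("PRIVATE KEY"):
            keys += 1
        elif label == "CERTIFICATE":
            certs.append(issuer_and_subject(base64.b64decode(body)))
    if keys != 1:
        problems.append(f"expected exactly 1 private key, found {keys}")
    if not certs:
        return problems + ["no certificate found"]
    for i, (issuer, subject) in enumerate(certs):
        if i > 0 and issuer == subject:
            # A self-signed certificate after the leaf is a root CA; clients
            # already hold their trust anchors, so it is left out of the chain.
            problems.append(f"certificate {i} is a self-signed root CA: leave it out")
        elif i + 1 < len(certs) and issuer != certs[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: wrong order")
    return problems


# --- Constructed sample data (hypothetical names, no real key material) ---

def tlv(tag, content):
    """Minimal DER encoder for the samples; handles contents under 256 bytes."""
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + head + content


def name(cn):
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, attr))


def pem(label, der):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


def fake_cert(subject_cn, issuer_cn):
    """Unsigned stand-in that only mimics the X.509 field order."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    return pem("CERTIFICATE", tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")))


KEY = pem("PRIVATE KEY", b"constructed placeholder, not key material")
LEAF = fake_cert("bmc.example.test", "Example Intermediate CA")
INTER = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    for title, bundle in [("leaf + intermediate", KEY + LEAF + INTER),
                          ("intermediate before leaf", KEY + INTER + LEAF),
                          ("root included", KEY + LEAF + INTER + ROOT)]:
        print(title, "->", check_bundle(bundle) or "OK")
```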


* Re: bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]
  2020-01-24 17:19 ` bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22] Alexander Tereschenko
@ 2020-01-27 16:03   ` Joseph Reynolds
  2020-01-28 18:24     ` Alexander Tereschenko
  0 siblings, 1 reply; 14+ messages in thread
From: Joseph Reynolds @ 2020-01-27 16:03 UTC (permalink / raw)
  To: Alexander Tereschenko, openbmc

On 1/24/20 11:19 AM, Alexander Tereschenko wrote:
> On 22-Jan-20 22:23, Joseph Reynolds wrote:
>> Notes from the security working group meeting 2020-01-22:
>> Highlights below; details in 
>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>
>>
>> 1. Discuss BMCWeb’s site identity certificate handling, specifically 
>> intermediate certificates.  See 
>> https://github.com/openbmc/bmcweb/#configuration 
>>
>> Other web servers have directives to concatenate the intermediate 
>> certificates (excluding the root CA certificates) and send that. What 
>> does BMCWeb do?
>>
>>  - What is BMCWeb's default?
>>  - Need better docs, for example: How can a BMC admin replace 
>> the BMCWeb site cert?  Is it okay to concatenate intermediate certs? 
>> Can we document this for BMCWeb?
>
> As discussed during the meeting, I've looked into that and it looks like 
> bmcweb doesn't support sending the cert chain at all right now. When 
> loading, it expects the server's cert file to have just a private key 
> and certificate in a single file [1], just as we've discussed during 
> the meeting, and server's init code only loads those [2]. There's an 
> API in Boost.Asio that could allow loading a chain [3], but it's not 
> used anywhere, so for bmcweb to support that, a patch must be created.

Thank you for finding that.  I think we want to add a function to BMCWeb 
to be able to handle certificate chains.  Would we need to enhance the 
REST APIs [4] to upload server certificates as part of this work?

[4]: 
https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/Certs

- Joseph

> HTH,
> Alexander
>
> [1] https://github.com/openbmc/bmcweb/blob/master/http/http_server.h#L159
> [2] https://github.com/openbmc/bmcweb/blob/master/http/app.h#L158-L159
> [3] 
> https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/ssl__context/use_certificate_chain_file.html
>


* Security workgroup meeting times
  2020-01-22 21:23 Security working group meeting 2020-01-22 Joseph Reynolds
  2020-01-24 17:19 ` bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22] Alexander Tereschenko
@ 2020-01-27 17:42 ` Joseph Reynolds
  2020-01-28  0:24   ` Michael Richardson
                     ` (2 more replies)
  1 sibling, 3 replies; 14+ messages in thread
From: Joseph Reynolds @ 2020-01-27 17:42 UTC (permalink / raw)
  To: openbmc

Team,

Let's try again to establish another OpenBMC Security Workgroup meeting 
time.  The current meeting time (every other week 10am Pacific Daylight 
Time) is working for some, but not for others.  To be clear, we would 
use the same workgroup, just have alternate meeting times.

First, let's find a time that works for Australia, Asia, and Europe.  
I've seen participation and continued interest from folks in those time 
zones. Because the current meeting time is bad for them, let's establish 
alternate times.

Second, I am thinking we could establish alternating meeting times. We 
will not find a time that works for everyone.  I try to accommodate 
folks who cannot attend by writing a summary of the topics and 
conclusions, and by pushing the work back out into this email list.  But 
that is not the same as attending a meeting.  I feel that the meetings 
foster better responses and more participation than using the email list 
alone.  For that reason, I want to continue to meet.  Hence, I am 
proposing alternating meeting times.

Third, I have been running the meetings.  I plan to continue to handle 
the Security workgroup meeting agenda, and can help set up the initial 
workgroup meetings at alternate times; I would not plan to run them.  I 
hope you will solve all the security problems while I am sleeping.  
Fortunately, running meetings is easy: just go through the agenda, 
introduce each item, wait for people to talk, and summarize the 
outcome.  We need a volunteer leader for that.

Send me your ideas,
- Joseph



* Re: Security workgroup meeting times
  2020-01-27 17:42 ` Security workgroup meeting times Joseph Reynolds
@ 2020-01-28  0:24   ` Michael Richardson
  2020-01-28  0:29   ` Andrew Jeffery
  2020-05-13 18:31   ` Joseph Reynolds
  2 siblings, 0 replies; 14+ messages in thread
From: Michael Richardson @ 2020-01-28  0:24 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: openbmc


Joseph Reynolds <jrey@linux.ibm.com> wrote:
    > Let's try again to establish another OpenBMC Security Workgroup meeting
    > time.  The current meeting time (every other week 10am Pacific Daylight
    > Time) is working for some, but not for others.  To be clear, we would
    > use the same workgroup, just have alternate meeting times.

    > First, let's find a time that works for Australia, Asia, and Europe. 

There aren't any such times :-)
If you move to 7am PST, 10am Eastern, then it's 14:00 UTC, which is still
within the working day in Germany, Helsinki and Tel-Aviv.
In Beijing, that's 11pm. Seoul, 00:00, and Sydney, 2am.

https://www.timeanddate.com/worldclock/meetingtime.html?iso=20200131&p1=188&p2=33&p3=235&p4=240&p5=37

Many left-coast types that I work with prefer 7am, as they can do the meeting
while still at home, before traffic, before school-drop-off, etc.
(And aren't they all supposed to be super-health-nuts who get up at 6am to do Yoga?)

    > Second, I am thinking we could establish alternating meeting times. We
    > will not find a time that works for everyone.  I try to accommodate
    > folks who cannot attend by writing a summary of the topics and
    > conclusions, and by pushing the work back out into this email list. 

I've been on meetings that have simply alternated the AM/PM of the meeting.
     7pm California
     10pm NYC
     4am Berlin/5am Helsinki
     11am Beijing
     12:00 Seoul
     2pm Sydney

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


* Re: Security workgroup meeting times
  2020-01-27 17:42 ` Security workgroup meeting times Joseph Reynolds
  2020-01-28  0:24   ` Michael Richardson
@ 2020-01-28  0:29   ` Andrew Jeffery
  2020-01-28  0:50     ` Bruce Mitchell
  2020-05-13 18:31   ` Joseph Reynolds
  2 siblings, 1 reply; 14+ messages in thread
From: Andrew Jeffery @ 2020-01-28  0:29 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc



On Tue, 28 Jan 2020, at 04:12, Joseph Reynolds wrote:
> Team,
> 
> Let's try again to establish another OpenBMC Security Workgroup meeting 
> time.  The current meeting time (every other week 10am Pacific Daylight 
> Time) is working for some, but not for others.  To be clear, we would 
> use the same workgroup, just have alternate meeting times.
> 
> First, let's find a time that works for Australia, Asia, and Europe.  
> I've seen participation and continued interest from folks in those time 
> zones. Because the current meeting time is bad for them, let's establish 
> alternate times.
> 
> Second, I am thinking we could establish alternating meeting times. We 
> will not find a time that works for everyone.  I try to accommodate 
> folks who cannot attend by writing a summary of the topics and 
> conclusions, and by pushing the work back out into this email list.  But 
> that is not the same as attending a meeting.  I feel that the meetings 
> foster better responses and more participation than using the email list 
> alone.  For that reason, I want to continue to meet.  Hence, I am 
> proposing alternating meeting times.

What times specifically? I'm interested, and I'm in ACDT (UTC+10:30). Unless
we have people in NZ, I suspect the best time is sometime in my afternoon
for Asia and Europe. Thursday or Friday after 1430h ACDT would work best
for me.

Andrew


* RE: Security workgroup meeting times
  2020-01-28  0:29   ` Andrew Jeffery
@ 2020-01-28  0:50     ` Bruce Mitchell
  2020-01-28 10:41       ` Alexander Tereschenko
  0 siblings, 1 reply; 14+ messages in thread
From: Bruce Mitchell @ 2020-01-28  0:50 UTC (permalink / raw)
  To: Andrew Jeffery, Joseph Reynolds, openbmc

If you want to include Silicon Valley it seems like 22:00, 23:00, 00:00, 01:00, and 02:00 UTC/GMT are the only real options.


* Re: Security workgroup meeting times
  2020-01-28  0:50     ` Bruce Mitchell
@ 2020-01-28 10:41       ` Alexander Tereschenko
  2020-01-28 16:20         ` Bruce Mitchell
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Tereschenko @ 2020-01-28 10:41 UTC (permalink / raw)
  To: openbmc


On 28-Jan-20 01:50, Bruce Mitchell wrote:
> If you want to include Silicon Valley it seems like 22:00, 23:00, 00:00, 01:00, and 02:00 UTC/GMT are the only real options.

Should we maybe try something like http://whenisgood.net/ to sort out a 
slot that works for everyone?

Current time works for me BTW and I'm located in Europe :)


* RE: Security workgroup meeting times
  2020-01-28 10:41       ` Alexander Tereschenko
@ 2020-01-28 16:20         ` Bruce Mitchell
  0 siblings, 0 replies; 14+ messages in thread
From: Bruce Mitchell @ 2020-01-28 16:20 UTC (permalink / raw)
  To: Alexander Tereschenko, openbmc

I also find the present time of Wednesday at 10:00am PDT (noon CDT) works well.


* Re: bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]
  2020-01-27 16:03   ` Joseph Reynolds
@ 2020-01-28 18:24     ` Alexander Tereschenko
  0 siblings, 0 replies; 14+ messages in thread
From: Alexander Tereschenko @ 2020-01-28 18:24 UTC (permalink / raw)
  To: openbmc

On 27-Jan-20 17:03, Joseph Reynolds wrote:
> Thank you for finding that.  I think we want to add a function to 
> BMCWeb to be able to handle certificate chains.  Would we need to 
> enhance the REST APIs [4] to upload server certificates as part of 
> this work?
>
> [4]: 
> https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/Certs
>
Yes, I think that'd be required, otherwise the only way the BMC admin 
could provide that cert chain file would be via SSH, which of course 
will not work for everyone.


* Security workgroup meeting times
  2020-01-27 17:42 ` Security workgroup meeting times Joseph Reynolds
  2020-01-28  0:24   ` Michael Richardson
  2020-01-28  0:29   ` Andrew Jeffery
@ 2020-05-13 18:31   ` Joseph Reynolds
  2020-05-13 18:43     ` Bruce Mitchell
  2 siblings, 1 reply; 14+ messages in thread
From: Joseph Reynolds @ 2020-05-13 18:31 UTC (permalink / raw)
  To: openbmc, Manojkiran Eda

Re-sending this email to refresh this topic.

Looking for a specific time and ideally someone to run the meeting.
See the replies in the archive here: 
https://lists.ozlabs.org/pipermail/openbmc/2020-January

- Joseph

-------- Forwarded Message --------
Subject: 	Security workgroup meeting times
Date: 	Mon, 27 Jan 2020 11:42:04 -0600
From: 	Joseph Reynolds <jrey@linux.ibm.com>
To: 	openbmc <openbmc@lists.ozlabs.org>



Team,

Let's try again to establish another OpenBMC Security Workgroup meeting 
time.  The current meeting time (every other week 10am Pacific Daylight 
Time) is working for some, but not for others. To be clear, we would use 
the same workgroup, just have alternate meeting times.

First, let's find a time that works for Australia, Asia, and Europe.  
I've seen participation and continued interest from folks in those time 
zones. Because the current meeting time is bad for them, let's establish 
alternate times.

Second, I am thinking we could establish alternating meeting times. We 
will not find a time that works for everyone.  I try to accommodate 
folks who cannot attend by writing a summary of the topics and 
conclusions, and by pushing the work back out into this email list.  But 
that is not the same as attending a meeting.  I feel that the meetings 
foster better responses and more participation than using the email list 
alone.  For that reason, I want to continue to meet.  Hence, I am 
proposing alternating meeting times.

Third, I have been running the meetings.  I plan to continue to handle 
the Security workgroup meeting agenda, and can help set up the initial 
workgroup meetings at alternate times; I would not plan to run them.  I 
hope you will solve all the security problems while I am sleeping.  
Fortunately, running meetings is easy: just go through the agenda, 
introduce each item, wait for people to talk, and summarize the 
outcome.  We need a volunteer leader for that.

Send me your ideas,
- Joseph

...snip...


* RE: Security workgroup meeting times
  2020-05-13 18:31   ` Joseph Reynolds
@ 2020-05-13 18:43     ` Bruce Mitchell
  2020-05-13 21:50       ` Joseph Reynolds
  0 siblings, 1 reply; 14+ messages in thread
From: Bruce Mitchell @ 2020-05-13 18:43 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc, Manojkiran Eda

If you want to include Silicon Valley it seems like 22:00, 23:00, 00:00, 01:00, and 02:00 UTC/GMT are the only real options.


* Re: Security workgroup meeting times
  2020-05-13 18:43     ` Bruce Mitchell
@ 2020-05-13 21:50       ` Joseph Reynolds
  2020-05-14 15:58         ` Michael Richardson
  0 siblings, 1 reply; 14+ messages in thread
From: Joseph Reynolds @ 2020-05-13 21:50 UTC (permalink / raw)
  To: Bruce Mitchell, openbmc, Manojkiran Eda



On 5/13/20 1:43 PM, Bruce Mitchell wrote:
> If you want to include Silicon Valley it seems like 22:00, 23:00, 00:00, 01:00, and 02:00 UTC/GMT are the only real options.

I think the current time (10:00am PDT) works for most Silicon Valley 
folks.  I am looking for a second meeting time good for others not in 
the Americas.  For example, we've had security collaborations from folks 
in Switzerland, Poland, Russia, India, China, and Australia, and I want to 
find a time that works for those regions.

- Joseph


* Re: Security workgroup meeting times
  2020-05-13 21:50       ` Joseph Reynolds
@ 2020-05-14 15:58         ` Michael Richardson
  0 siblings, 0 replies; 14+ messages in thread
From: Michael Richardson @ 2020-05-14 15:58 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: Bruce Mitchell, openbmc, Manojkiran Eda



Joseph Reynolds <jrey@linux.ibm.com> wrote:
    > On 5/13/20 1:43 PM, Bruce Mitchell wrote:
    >> If you want to include Silicon Valley it seems like 22:00, 23:00,
    >> 00:00, 01:00, and 02:00 UTC/GMT are the only real options.

    > I think the current time (10:00am PDT) works for most Silicon Valley
    > folks.   I am looking for a second meeting time good for others not in
    > the Americas.   For example, we've had security collaborations from
    > folks in Switzerland, Poland, Russia, India, China, and Australia, and I
    > want to find a time that works for those regions.

Perhaps the right thing is to therefore run a doodle poll which is exclusive
for those not in North America.  Then afterwards, the rest of us can opine/whine.

On days when it works, 10am PDT (1pm EDT for me) is indeed great, but last
few weeks, I'm booked into higher priority things.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

