* Security Working Group meeting - Wednesday April 13
@ 2022-04-12 16:28 Joseph Reynolds
  2022-04-12 16:35 ` Fwd: Security Working Group meeting - Wednesday April 13 - SELinux Joseph Reynolds
  2022-04-13 21:29 ` Security Working Group meeting - Wednesday April 13 - results Joseph Reynolds
  0 siblings, 2 replies; 4+ messages in thread
From: Joseph Reynolds @ 2022-04-12 16:28 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday April 13 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
and anything else that comes up:

1. Renewed interest in securing D-Bus interfaces and using SELinux.




Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph



* Fwd: Security Working Group meeting - Wednesday April 13 - SELinux
  2022-04-12 16:28 Security Working Group meeting - Wednesday April 13 Joseph Reynolds
@ 2022-04-12 16:35 ` Joseph Reynolds
  2022-04-13 21:29 ` Security Working Group meeting - Wednesday April 13 - results Joseph Reynolds
  1 sibling, 0 replies; 4+ messages in thread
From: Joseph Reynolds @ 2022-04-12 16:35 UTC (permalink / raw)
  To: openbmc, Anton Kachalov

Anton,

Folks from IBM research are planning to attend the OpenBMC Security 
Working Group meeting to learn more about how to apply SELinux to 
OpenBMC.  I understand this is an alternate solution to the work you had 
started here: 
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42748 and
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49100.

Joseph


-------- Forwarded Message --------
Subject: 	Security Working Group meeting - Wednesday April 13
Date: 	Tue, 12 Apr 2022 11:28:24 -0500
From: 	Joseph Reynolds <jrey@linux.ibm.com>
To: 	openbmc <openbmc@lists.ozlabs.org>



This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday April 13 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
and anything else that comes up:

1. Renewed interest in securing D-Bus interfaces and using SELinux.




Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph



* Re: Security Working Group meeting - Wednesday April 13 - results
  2022-04-12 16:28 Security Working Group meeting - Wednesday April 13 Joseph Reynolds
  2022-04-12 16:35 ` Fwd: Security Working Group meeting - Wednesday April 13 - SELinux Joseph Reynolds
@ 2022-04-13 21:29 ` Joseph Reynolds
  2022-04-18 15:02   ` Ratan Gupta
  1 sibling, 1 reply; 4+ messages in thread
From: Joseph Reynolds @ 2022-04-13 21:29 UTC (permalink / raw)
  To: openbmc

On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday April 13 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:
>

Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix), 
Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan 
Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara, 
Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined 
as the meeting was ending).


> 1. Renewed interest in securing D-Bus interfaces and using SELinux.

Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research 
presented a proposal.


A recording was made of the presentation and discussion.  TODO: Post the 
recording.


DISCUSSION:

The proposal PDF will be shared with the OpenBMC community.  Here is my 
summary of the main points: SELinux is preferred by IBM and some large 
customers to solve several related access control problems: limiting 
access of root processes, application trust, systemd, and D-Bus.  See 
previous discussion 2020-05-13 below: SELinux email use cases and email 
https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html


Next steps: Follow
https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
with email discussion, Discord (per
https://github.com/openbmc/openbmc#contact) and creating a design for
phase 1 (below).


TODO: Joseph to send email to begin the discussion about SELinux use 
cases which might be shared by multiple OpenBMC users.


IBM plans to work in the OpenBMC community project: stage 1 is an opt-in 
SELinux in permissive mode to collect data about which policies are 
needed.  Later stages are to create SELinux policies for access control, 
and then to configure SELinux to enforce them.


Does OpenBMC have existing SELinux policies?  None are known, but see 
the Yocto/OE meta-selinux layer and associated docs.


We discussed some difficulties in using SELinux: Configuring the 
meta-selinux layer, configuring the Linux Kernel, and additional space 
requirements (about 20MB).


We discussed SELinux vs AppArmor.  IBM has chosen SELinux because it is 
well known to IBM and customers, and has an active community.  Note the 
planned SELinux support is opt-in, so another contributor can add 
AppArmor as needed.


The intended reference platform is an x86 system running with the 
AST2600 and 256Mb (or more) flash storage.


We discussed SELinux & D-Bus tie-ins.  (OpenBMC D-Bus runs in system 
mode.)  Note that D-Bus has built-in support for SELinux.



> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>



* Re: Security Working Group meeting - Wednesday April 13 - results
  2022-04-13 21:29 ` Security Working Group meeting - Wednesday April 13 - results Joseph Reynolds
@ 2022-04-18 15:02   ` Ratan Gupta
  0 siblings, 0 replies; 4+ messages in thread
From: Ratan Gupta @ 2022-04-18 15:02 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: openbmc


Hi Team,

AppArmor doesn't work with the OpenBMC stack. I tried it around 6 months back,
opened up the issue, and finally I was told by AppArmor that it is not a
trivial one.

https://gitlab.com/apparmor/apparmor/-/issues/183

Ratan

On Thu, Apr 14, 2022 at 3:00 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:

> On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> > This is a reminder of the OpenBMC Security Working Group meeting
> > scheduled for this Wednesday April 13 at 10:00am PDT.
> >
> > We'll discuss the following items on the agenda
> > <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> > and anything else that comes up:
> >
>
> Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix),
> Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan
> Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara,
> Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined
> as the meeting was ending).
>
>
> > 1. Renewed interest in securing D-Bus interfaces and using SELinux.
>
> Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research
> presented a proposal.
>
>
> A recording was made of the presentation and discussion.  TODO: Post the
> recording.
>
>
> DISCUSSION:
>
> The proposal PDF will be shared with the OpenBMC community.  Here is my
> summary of the main points: SELinux is preferred by IBM and some large
> customers to solve several related access control problems: limiting
> access of root processes, application trust, systemd, and D-Bus.  See
> previous discussion 2020-05-13 below: SELinux email use cases and email
> https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html
>
>
> Next steps: Follow
> https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
> with email discussion, Discord (per
> https://github.com/openbmc/openbmc#contact) and creating a design for
> phase 1 (below).
>
>
> TODO: Joseph to send email to begin the discussion about SELinux use
> cases which might be shared by multiple OpenBMC users.
>
>
> IBM plans to work in the OpenBMC community project: stage 1 is an opt-in
> SELinux in permissive mode to collect data about which policies are
> needed.  Later stages are to create SELinux policies for access control,
> and then to configure SELinux to enforce them.
>
>
> Does OpenBMC have existing SELinux policies?  None are known, but see
> the Yocto/OE meta-selinux layer and associated docs.
>
>
> We discussed some difficulties in using SELinux: Configuring the
> meta-selinux layer, configuring the Linux Kernel, and additional space
> requirements (about 20MB).
>
>
> We discussed SELinux vs AppArmor.  IBM has chosen SELinux because it is
> well known to IBM and customers, and has an active community.  Note the
> planned SELinux support is opt-in, so another contributor can add
> AppArmor as needed.
>
>
> The intended reference platform is an x86 system running with the
> AST2600 and 256Mb (or more) flash storage.
>
>
> We discussed SELinux & D-Bus tie-ins.  (OpenBMC D-Bus runs in system
> mode.)  Note that D-Bus has built-in support for SELinux.
>
>
>
> > Access, agenda and notes are in the wiki:
> > https://github.com/openbmc/openbmc/wiki/Security-working-group
> >
> > - Joseph
> >
>
>
