* What is OpenBMC server software
@ 2021-04-17  8:27 Thang Nguyen OS
  2021-04-21  1:50 ` Joseph Reynolds
  0 siblings, 1 reply; 2+ messages in thread
From: Thang Nguyen OS @ 2021-04-17  8:27 UTC (permalink / raw)
  To: openbmc

Hi,

The Mozilla Firefox SSL configuration, https://ssl-config.mozilla.org, 
provides suggestions for Web server software to use a secure config by 
selecting the right Web server software, version and OpenSSL version.

However, I can't find which Web server software and version OpenBMC 
is using. How can I find the information and check if OpenBMC is using 
the best secure configuration?

Best Regards,

Thang Q. Nguyen -



* Re: What is OpenBMC server software
  2021-04-17  8:27 What is OpenBMC server software Thang Nguyen OS
@ 2021-04-21  1:50 ` Joseph Reynolds
  0 siblings, 0 replies; 2+ messages in thread
From: Joseph Reynolds @ 2021-04-21  1:50 UTC (permalink / raw)
  To: Thang Nguyen OS, openbmc



On 4/17/21 3:27 AM, Thang Nguyen OS wrote:
> Hi,
>
> The Mozilla Firefox SSL configuration, https://ssl-config.mozilla.org, 
> provides suggestions for Web server software to use a secure config by 
> selecting the right Web server software, version and OpenSSL version.
>
> However, I can't find which Web server software and version 
> OpenBMC is using. How can I find the information and check if OpenBMC 
> is using the best secure configuration?

Thang,

I had the same questions a while ago: When given a specific version of 
OpenBMC, how do I know which versions of open source packages are pulled 
in?  This is useful for both license compliance and to understand if 
specific vulnerabilities are in your code.  I think I have some partial 
answers.

Note that OpenBMC releases are shown here 
https://github.com/openbmc/openbmc/wiki/Releases
but OpenBMC versions are often identified by a git commit.  You can find 
the OpenBMC version like this:
- If you are in your source tree, `git log -1` will show the commit number.
- If you have access to the BMC's file system, see file /etc/os-release.

The bitbake build process can produce license information; this also has 
the exact source package versions used.  For example, it can reliably 
tell you which version of OpenSSL your build used.  For details, refer 
to the Yocto project `license.bbclass` and the Yocto project development 
manual section titled "Maintaining Open Source License Compliance During 
Your Product's Lifecycle".  I believe OpenBMC produces this data by 
default, which means the build process writes license manifest data to 
files under build/tmp/deploy/licenses/{your-image-name}/.

If you are interested in how the source package versions are configured 
in the OpenBMC source tree, you need to study the Yocto documentation.  
Here are some specifics for component parts of an OpenBMC image 
including the Linux kernel and OpenSSL:
1. You can find the Linux kernel version from your source, like this: 
https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
2. You can find the OpenSSL recipe under: 
https://github.com/openbmc/openbmc/tree/master/poky/meta/recipes-connectivity/openssl

You can find OpenBMC's SSL transport layer security configurations here:
  - For the Web/REST API server SSL configuration, see hard-coded values 
here: 
https://github.com/openbmc/bmcweb/blob/master/include/ssl_key_handler.hpp
  - For the SSH server SSL configuration (if using the dropbear server), 
see compile time options here: 
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/dropbear/dropbear/options.patch


Finally, I've added this explanation to the OpenBMC project 
configuration guide:
https://github.com/openbmc/openbmc/wiki/Configuration-guide

Thanks for asking!
- Joseph

>
> Best Regards,
>
> Thang Q. Nguyen -
>
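
Added example (not part of the original thread, and not OpenBMC or Yocto project code): a small Python reader for the license manifest mentioned in the reply, grouping package versions by recipe so one build can be checked for the OpenSSL, dropbear and bmcweb versions it shipped. It assumes the manifest uses blank-line-separated stanzas of `PACKAGE NAME` / `PACKAGE VERSION` / `RECIPE NAME` / `LICENSE` fields; the sample manifest, its version strings and the function name `recipe_versions` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from a real build). Assumed layout of license.manifest:
# "KEY: value" stanzas separated by blank lines, one stanza per installed package.
SAMPLE_MANIFEST = """\
PACKAGE NAME: bmcweb
PACKAGE VERSION: 1.0+git0+0123456789
RECIPE NAME: bmcweb
LICENSE: Apache-2.0

PACKAGE NAME: dropbear
PACKAGE VERSION: 2020.81
RECIPE NAME: dropbear
LICENSE: MIT

PACKAGE NAME: libcrypto1.1
PACKAGE VERSION: 1.1.1k
RECIPE NAME: openssl
LICENSE: openssl

PACKAGE NAME: libssl1.1
PACKAGE VERSION: 1.1.1k
RECIPE NAME: openssl
LICENSE: openssl
"""


def recipe_versions(manifest_text, recipes):
    """Map each recipe name to the sorted versions of the packages built from it.

    Packages are grouped by RECIPE NAME because one recipe (openssl) is split
    into several packages (libssl, libcrypto). An empty list means the image
    does not ship that recipe; more than one version is worth investigating.
    """
    found = defaultdict(set)
    for stanza in re.split(r"\n\s*\n", manifest_text.strip()):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "RECIPE NAME" in fields and "PACKAGE VERSION" in fields:
            found[fields["RECIPE NAME"]].add(fields["PACKAGE VERSION"])
    return {r: sorted(found.get(r, ())) for r in recipes}


if __name__ == "__main__":
    wanted = ["openssl", "dropbear", "bmcweb", "nginx"]
    for recipe, versions in recipe_versions(SAMPLE_MANIFEST, wanted).items():
        print(f"{recipe}: {', '.join(versions) or 'not in image'}")
```

To run it against a real build, pass the contents of the `license.manifest` file found under build/tmp/deploy/licenses/{your-image-name}/ instead of the sample string.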

