* Security Working Group - Wednesday April 28
@ 2021-04-27 21:48 Joseph Reynolds
  2021-04-28 21:31 ` Security Working Group - Wednesday April 28 - results Joseph Reynolds
  0 siblings, 1 reply; 8+ messages in thread
From: Joseph Reynolds @ 2021-04-27 21:48 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday April 28 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
and anything else that comes up:

1. passwordless sudo access to members of the wheel group




Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph


* Re: Security Working Group - Wednesday April 28 - results
  2021-04-27 21:48 Security Working Group - Wednesday April 28 Joseph Reynolds
@ 2021-04-28 21:31 ` Joseph Reynolds
  2021-04-28 22:20   ` Andrew Jeffery
  0 siblings, 1 reply; 8+ messages in thread
From: Joseph Reynolds @ 2021-04-28 21:31 UTC (permalink / raw)
  To: openbmc

On 4/27/21 4:48 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday April 28 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
> 1. passwordless sudo access to members of the wheel group
This customization does not match the common OpenBMC use cases. 
Abandoning this commit.

Bonus topics:

2. Intel Hack-a-Thon 2021 results are coming soon.

3. As a step toward threat modeling, we discussed how to model external 
devices the BMC interfaces with.  The next step is to extend the 
existing "BMC interfaces" doc to model a simple host processor 
module as part of the BMC's host interface.

Joseph

>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph



* Re: Security Working Group - Wednesday April 28 - results
  2021-04-28 21:31 ` Security Working Group - Wednesday April 28 - results Joseph Reynolds
@ 2021-04-28 22:20   ` Andrew Jeffery
  2021-04-28 22:25     ` Bruce Mitchell
  0 siblings, 1 reply; 8+ messages in thread
From: Andrew Jeffery @ 2021-04-28 22:20 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc



On Thu, 29 Apr 2021, at 07:01, Joseph Reynolds wrote:
> On 4/27/21 4:48 PM, Joseph Reynolds wrote:
> > This is a reminder of the OpenBMC Security Working Group meeting 
> > scheduled for this Wednesday April 28 at 10:00am PDT.
> >
> > We'll discuss the following items on the agenda 
> > <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> > and anything else that comes up:
> >
> > 1. passwordless sudo access to members of the wheel group
> This customization does not match the common OpenBMC use cases. 
> Abandoning this commit.
> 
> Bonus topics:
> 
> 2. Intel Hack-a-Thon 2021 results are coming soon.

What does this mean?


* Re: Security Working Group - Wednesday April 28 - results
  2021-04-28 22:20   ` Andrew Jeffery
@ 2021-04-28 22:25     ` Bruce Mitchell
  2021-04-28 22:28       ` Andrew Jeffery
  0 siblings, 1 reply; 8+ messages in thread
From: Bruce Mitchell @ 2021-04-28 22:25 UTC (permalink / raw)
  To: Andrew Jeffery, Joseph Reynolds, openbmc

On 4/28/2021 15:20, Andrew Jeffery wrote:
> 
> 
> On Thu, 29 Apr 2021, at 07:01, Joseph Reynolds wrote:
>> On 4/27/21 4:48 PM, Joseph Reynolds wrote:
>>> This is a reminder of the OpenBMC Security Working Group meeting
>>> scheduled for this Wednesday April 28 at 10:00am PDT.
>>>
>>> We'll discuss the following items on the agenda
>>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>>> and anything else that comes up:
>>>
>>> 1. passwordless sudo access to members of the wheel group
>> This customization does not match the common OpenBMC use cases.
>> Abandoning this commit.
>>
>> Bonus topics:
>>
>> 2. Intel Hack-a-Thon 2021 results are coming soon.
> 
> What does this mean?
> 

I believe Intel is trying to publish the results of
their "Intel (security) Hack-a-Thon 2021" by the end
of next week.



* Re: Security Working Group - Wednesday April 28 - results
  2021-04-28 22:25     ` Bruce Mitchell
@ 2021-04-28 22:28       ` Andrew Jeffery
  2021-04-28 22:34         ` Bruce Mitchell
  0 siblings, 1 reply; 8+ messages in thread
From: Andrew Jeffery @ 2021-04-28 22:28 UTC (permalink / raw)
  To: Bruce Mitchell, Joseph Reynolds, openbmc



On Thu, 29 Apr 2021, at 07:55, Bruce Mitchell wrote:
> On 4/28/2021 15:20, Andrew Jeffery wrote:
> > 
> > 
> > On Thu, 29 Apr 2021, at 07:01, Joseph Reynolds wrote:
> >> On 4/27/21 4:48 PM, Joseph Reynolds wrote:
> >>> This is a reminder of the OpenBMC Security Working Group meeting
> >>> scheduled for this Wednesday April 28 at 10:00am PDT.
> >>>
> >>> We'll discuss the following items on the agenda
> >>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> >>> and anything else that comes up:
> >>>
> >>> 1. passwordless sudo access to members of the wheel group
> >> This customization does not match the common OpenBMC use cases.
> >> Abandoning this commit.
> >>
> >> Bonus topics:
> >>
> >> 2. Intel Hack-a-Thon 2021 results are coming soon.
> > 
> > What does this mean?
> > 
> 
> I believe Intel is trying to publish the results of
> their "Intel (security) Hack-a-Thon 2021" by the end
> of next week.
> 

Okay, but what does that mean? Are they pushing patches? Announcing CVEs? Opening bugs?

What can we expect?


* Re: Security Working Group - Wednesday April 28 - results
  2021-04-28 22:28       ` Andrew Jeffery
@ 2021-04-28 22:34         ` Bruce Mitchell
  2021-04-28 22:43           ` Andrew Jeffery
  0 siblings, 1 reply; 8+ messages in thread
From: Bruce Mitchell @ 2021-04-28 22:34 UTC (permalink / raw)
  To: Andrew Jeffery, Joseph Reynolds, openbmc, Mihm, James

On 4/28/2021 15:28, Andrew Jeffery wrote:
> 
> 
> On Thu, 29 Apr 2021, at 07:55, Bruce Mitchell wrote:
>> On 4/28/2021 15:20, Andrew Jeffery wrote:
>>>
>>>
>>> On Thu, 29 Apr 2021, at 07:01, Joseph Reynolds wrote:
>>>> On 4/27/21 4:48 PM, Joseph Reynolds wrote:
>>>>> This is a reminder of the OpenBMC Security Working Group meeting
>>>>> scheduled for this Wednesday April 28 at 10:00am PDT.
>>>>>
>>>>> We'll discuss the following items on the agenda
>>>>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>>>>> and anything else that comes up:
>>>>>
>>>>> 1. passwordless sudo access to members of the wheel group
>>>> This customization does not match the common OpenBMC use cases.
>>>> Abandoning this commit.
>>>>
>>>> Bonus topics:
>>>>
>>>> 2. Intel Hack-a-Thon 2021 results are coming soon.
>>>
>>> What does this mean?
>>>
>>
>> I believe Intel is trying to publish the results of
>> their "Intel (security) Hack-a-Thon 2021" by the end
>> of next week.
>>
> 
> Okay, but what does that mean? Are they pushing patches? Announcing CVEs? Opening bugs?
> 
> What can we expect?
> 

OpenBMC Security Working Group Meeting Notes and Agenda are here:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit#heading=h.8bihrhc0925u

Anything beyond that Intel would have to state what they are doing;
James?




* Re: Security Working Group - Wednesday April 28 - results
  2021-04-28 22:34         ` Bruce Mitchell
@ 2021-04-28 22:43           ` Andrew Jeffery
  2021-04-29  3:54             ` Joseph Reynolds
  0 siblings, 1 reply; 8+ messages in thread
From: Andrew Jeffery @ 2021-04-28 22:43 UTC (permalink / raw)
  To: openbmc



On Thu, 29 Apr 2021, at 08:04, Bruce Mitchell wrote:
> On 4/28/2021 15:28, Andrew Jeffery wrote:
> > 
> > 
> > On Thu, 29 Apr 2021, at 07:55, Bruce Mitchell wrote:
> >> On 4/28/2021 15:20, Andrew Jeffery wrote:
> >>>
> >>>
> >>> On Thu, 29 Apr 2021, at 07:01, Joseph Reynolds wrote:
> >>>> On 4/27/21 4:48 PM, Joseph Reynolds wrote:
> >>>>> This is a reminder of the OpenBMC Security Working Group meeting
> >>>>> scheduled for this Wednesday April 28 at 10:00am PDT.
> >>>>>
> >>>>> We'll discuss the following items on the agenda
> >>>>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> >>>>> and anything else that comes up:
> >>>>>
> >>>>> 1. passwordless sudo access to members of the wheel group
> >>>> This customization does not match the common OpenBMC use cases.
> >>>> Abandoning this commit.
> >>>>
> >>>> Bonus topics:
> >>>>
> >>>> 2. Intel Hack-a-Thon 2021 results are coming soon.
> >>>
> >>> What does this mean?
> >>>
> >>
> >> I believe Intel is trying to publish the results of
> >> their "Intel (security) Hack-a-Thon 2021" by the end
> >> of next week.
> >>
> > 
> > Okay, but what does that mean? Are they pushing patches? Announcing CVEs? Opening bugs?
> > 
> > What can we expect?
> > 
> 
> OpenBMC Security Working Group Meeting Notes and Agenda are here:
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit#heading=h.8bihrhc0925u

Okay, so:

> 2 Intel HaT2021 results are being reviewed 
> internally and are planned to be sent to the 
> OpenBMC security response team.

So nothing is being made public yet it seems?


* Re: Security Working Group - Wednesday April 28 - results
  2021-04-28 22:43           ` Andrew Jeffery
@ 2021-04-29  3:54             ` Joseph Reynolds
  0 siblings, 0 replies; 8+ messages in thread
From: Joseph Reynolds @ 2021-04-29  3:54 UTC (permalink / raw)
  To: openbmc

On 4/28/21 5:43 PM, Andrew Jeffery wrote:
>
> On Thu, 29 Apr 2021, at 08:04, Bruce Mitchell wrote:
>> On 4/28/2021 15:28, Andrew Jeffery wrote:
>>>
>>> On Thu, 29 Apr 2021, at 07:55, Bruce Mitchell wrote:
>>>> On 4/28/2021 15:20, Andrew Jeffery wrote:
>>>>>
>>>>> On Thu, 29 Apr 2021, at 07:01, Joseph Reynolds wrote:
>>>>>> On 4/27/21 4:48 PM, Joseph Reynolds wrote:
>>>>>>> This is a reminder of the OpenBMC Security Working Group meeting
>>>>>>> scheduled for this Wednesday April 28 at 10:00am PDT.
>>>>>>>
>>>>>>> We'll discuss the following items on the agenda
>>>>>>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>>>>>>> and anything else that comes up:
>>>>>>>
>>>>>>> 1. passwordless sudo access to members of the wheel group
>>>>>> This customization does not match the common OpenBMC use cases.
>>>>>> Abandoning this commit.
>>>>>>
>>>>>> Bonus topics:
>>>>>>
>>>>>> 2. Intel Hack-a-Thon 2021 results are coming soon.
>>>>> What does this mean?
>>>>>
>>>> I believe Intel is trying to publish the results of
>>>> their "Intel (security) Hack-a-Thon 2021" by the end
>>>> of next week.
>>>>
>>> Okay, but what does that mean? Are they pushing patches? Announcing CVEs? Opening bugs?
>>>
>>> What can we expect?
>>>
>> OpenBMC Security Working Group Meeting Notes and Agenda are here:
>> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit#heading=h.8bihrhc0925u
> Okay, so:
>
>> 2 Intel HaT2021 results are being reviewed
>> internally and are planned to be sent to the
>> OpenBMC security response team.
> So nothing is being made public yet it seems?

Correct.  The OpenBMC security response team should expect to have a 
number of security vulnerability reports to triage.  Some of the results 
from Intel's HaT last year have been turned into fixes, so I'm happy to 
see work being done here.
I'll try to make the announcement more clear next time.

- Joseph

https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md

