From: Ed Tanous <ed@tanous.net>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Request new repo for IBM-specific code
Date: Mon, 8 Mar 2021 08:03:40 -0800
Message-ID: <CACWQX8048sDqehYaRAS9-T8G8ffWgLo-1fOVsozAC=4TtJdFqw@mail.gmail.com>
In-Reply-To: <b8af3438-f85a-cb82-c88c-9c4e120399e9@linux.ibm.com>

On Thu, Mar 4, 2021 at 7:15 PM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>
> What is the right repository for a new Linux-PAM module to implement an
> IBM-specific ACF authentication?
>
> The access control file (ACF) design was introduced to the OpenBMC
> security working group and is described in [IBM issue 1737][] and
> further explained in [IBM issue 2562][].

Could you describe it in a design doc?  Implementing ACL seems like
something that's going to affect a lot of the system (at a minimum
every outward facing client).  Unless you really think that you can do
this with no changes to the client repos or phosphor-user-manager, it
seems like it's worth discussion.  For what it's worth, I really don't
want to branch the authorization code in bmcweb depending on what
company compiled the code.  They were hard enough to get right in the
general case, and matter a lot for security.  The likelihood we get
them right for every flavor of auth that a company might want to do
seems unlikely.  If we as a project need an "ultra user" that seems
like it shouldn't be specific to IBM, or should be a generic
configuration that IBM systems apply on top, using common routines.
I've already detailed a path toward this in a previous email on this
topic.

>
> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
> the IPMI implementation is shared by all of OpenBMC.  By comparison, the
> proposed ibm-pam-acf module is intended only for IBM Enterprise
> systems.  The intended implementation is based on standard cryptography
> techniques and could be developed into a general authentication
> solution, but the ACF is specific to IBM in terms of its exact format
> and content, and I expect it will only be used by IBM and its partners.

Have you released the specifications for this file format with an
appropriate license?  That seems like a good first step to figuring
out if these could find a home in OpenBMC.  If you've already done
that, could you link them?

>
> Can we create a new OpenBMC repo for this?  Perhaps ibm-pam-acf?  Or
> should this go into some other repo?

Could you please post the code you're planning on putting there
somewhere that we can see it in gerrit?  I suspect that would help
review whether or not a new repo is warranted, and probably give hints
as to what design you're planning on implementing.
>
> - Joseph
>
> [IBM issue 1737]: https://github.com/ibm-openbmc/dev/issues/1737
> [IBM issue 2562]: https://github.com/ibm-openbmc/dev/issues/2562
> [pam-ipmi modules]: https://github.com/openbmc/pam-ipmi
