Date: Thu, 1 Sep 2022 06:25:24 -0500
From: Patrick Williams
To: Joseph Reynolds
Subject: Re: Security Working Group meeting - Wednesday August 31 - results
Cc: openbmc

On Wed, Aug 31, 2022 at 01:09:10PM -0500, Joseph Reynolds wrote:
> DISCUSSION: Create two separate designs for:
> Enable Keylime Agent. Direction is for the keylime agent to open
> the BMC network port (using systemd, sort of like how SSH works).
> The intention is to engage with Redfish for how to configure the
> Keylime Agent: certificates, start/stop the application, etc.

I guess you said someone is working on a design for this. The Keylime website seems light on details to me, but I'm having trouble conceptualizing how it is applicable to the BMC. It seems more like it is geared towards a self-selecting cluster of services (which reject peers they don't trust).

Keylime does have the unfortunate aspect of being written entirely in Python, which makes it very difficult for us to support on any of the NOR-based systems (all of them except IBM's latest).

Are we also planning on providing attestation information over Redfish?

-- 
Patrick Williams