From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Security Working Group meeting - this Wednesday February 19
Date: Mon, 17 Feb 2020 16:29:23 -0600
Message-ID: <b9170918-0937-714a-470e-cb41e1e74b63@linux.ibm.com>
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday February 19 at 10:00am PDT.
We'll discuss current development items, and anything else that comes up.
Ratan intends to participate and has requested that we cover the
following two items first:
(A) service discovery direction, (B) using pam_abl
The current topics:
1. (Joseph): Is OpenBMC affected by the Chrome browser’s SameSite cookie
changes
(https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html)?
Do we want to enhance BMCWeb
(https://github.com/openbmc/bmcweb/blob/master/include/token_authorization_middleware.hpp#L430)
to create cookies with SameSite=None; Secure when
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION is also used, to allow the BMC to
be used by the Chrome browser? Perhaps by default BMCWeb should
generate cookies with SameSite=Strict?
2. (Joseph, follow up to agenda item 3 from 2020-02-05): Redfish
Privilege updates:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881 and
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28878. Update Feb
11: see
https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration,
which clarified the intention to NOT enumerate all accounts (unless you are
the admin).
3. (email) FYA. BMC aggregator - includes a security topic.
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020433.html
4. (email) FYA - BMC Secure Boot / U-Boot - use dm-verity or alternate?
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020452.html
5. Redfish forum question: Direction for channel based restrictions -
https://redfishforum.com/thread/279/channel-privilege-support-direction-redfish
6. (Bruce via email): BMCWeb Cert valid for 10 years -
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020488.html
7. (Joseph / James / Richard email): Rate limiting, use pam_abl -
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020430.html
8. (Joseph via email): New Redfish roles ServiceRep & OemRep -
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020540.html
9. (Joseph email): Implement the Redfish PasswordChangeRequired property
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020554.html
10. (Joseph email): delete BMCWeb sessions after some kinds of account
changes
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020555.html
Access, agenda, and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph
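As an added illustration of agenda items 1 and 10 (not BMCWeb code and not from this thread), the following Python models the two behaviours under discussion: picking the session cookie's SameSite attribute from the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION build option, with a small checker for how Chrome's February 2020 rules treat a given Set-Cookie header (no SameSite attribute is treated as Lax; SameSite=None without Secure is rejected), and dropping all of a user's sessions when their account changes in a way that should end them. The cookie name, the session store, and the set of account changes that end sessions are assumptions for the example, not BMCWeb's.

```python
"""Toy model of BMC session-cookie policy and session invalidation.

Added example, not BMCWeb code. Names below (COOKIE_NAME, SessionStore,
ACCOUNT_CHANGES_THAT_END_SESSIONS) are assumptions for illustration only.
"""
from dataclasses import dataclass
import secrets
import time
from typing import Dict, Optional, Tuple

COOKIE_NAME = "SESSION"  # assumed cookie name for the example


def session_cookie_header(token: str, insecure_disable_xss_prevention: bool) -> str:
    """Build the Set-Cookie header value for a session token.

    Default is SameSite=Strict: browsers attach the cookie only on same-site
    requests, so a cross-site page cannot ride on an authenticated session.
    When the insecure XSS-prevention bypass is compiled in (a web UI served
    from another origin talks to the BMC cross-site), Chrome requires
    SameSite=None, and SameSite=None is only accepted together with Secure.
    """
    attrs = [f"{COOKIE_NAME}={token}", "HttpOnly", "Secure", "Path=/"]
    attrs.append("SameSite=None" if insecure_disable_xss_prevention else "SameSite=Strict")
    return "; ".join(attrs)


def chrome_cookie_treatment(set_cookie: str) -> Tuple[str, bool]:
    """Return (effective SameSite value, accepted?) under Chrome 80 rules.

    - No SameSite attribute  -> treated as Lax (cookie still accepted).
    - SameSite=None          -> accepted only if Secure is also present.
    - Strict / Lax           -> accepted as written.
    """
    parts = [p.strip() for p in set_cookie.split(";")[1:] if p.strip()]
    flags = {p.lower() for p in parts if "=" not in p}
    kv = {k.strip().lower(): v.strip() for k, _, v in
          (p.partition("=") for p in parts if "=" in p)}
    same_site = kv.get("samesite", "Lax").capitalize()
    if same_site == "None":
        return "None", "secure" in flags
    return same_site, True


@dataclass
class Session:
    token: str
    username: str
    created: float


class SessionStore:
    """Minimal in-memory session table keyed by opaque token."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}

    def create(self, username: str) -> Session:
        session = Session(secrets.token_urlsafe(32), username, time.time())
        self._by_token[session.token] = session
        return session

    def lookup(self, token: str) -> Optional[Session]:
        return self._by_token.get(token)

    def remove_sessions_for_user(self, username: str) -> int:
        """Drop every session owned by `username`; return how many were removed."""
        doomed = [t for t, s in self._by_token.items() if s.username == username]
        for token in doomed:
            del self._by_token[token]
        return len(doomed)


# Assumed set of account changes after which existing sessions should not
# survive: the credential or authority the session was minted under is gone.
ACCOUNT_CHANGES_THAT_END_SESSIONS = frozenset(
    {"password_changed", "role_changed", "account_disabled", "account_deleted"}
)


def on_account_change(store: SessionStore, username: str, change: str) -> int:
    """Hook to call after an account update; returns sessions invalidated."""
    if change in ACCOUNT_CHANGES_THAT_END_SESSIONS:
        return store.remove_sessions_for_user(username)
    return 0


if __name__ == "__main__":
    print(session_cookie_header("example-token", False))
    print(chrome_cookie_treatment("SESSION=x; SameSite=None"))  # rejected: no Secure
```

The checker makes the "is OpenBMC affected" question concrete: a cookie issued with no SameSite attribute keeps working for same-site use under the new Lax default, while a cross-site deployment needs SameSite=None and Secure together or Chrome drops the cookie entirely.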