From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Security Working Group meeting - this Wednesday February 19
Date: Mon, 17 Feb 2020 16:29:23 -0600
Message-ID: <b9170918-0937-714a-470e-cb41e1e74b63@linux.ibm.com>

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday February 19 at 10:00am PDT.

We'll discuss current development items, and anything else that comes up.

Ratan intends to participate and has requested that we cover the 
following two items first:
(A) service discovery direction, (B) using pam_abl

The current topics:

1. (Joseph): Is OpenBMC affected by the Chrome browser's SameSite cookie 
changes 
(https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html)? 
Do we want to enhance BMCWeb 
(https://github.com/openbmc/bmcweb/blob/master/include/token_authorization_middleware.hpp#L430) 
to create cookies with SameSite=None; Secure when 
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION is also used, to allow the BMC to 
be used by the Chrome browser?  Perhaps by default BMCWeb should 
generate cookies with SameSite=Strict?


2. (Joseph, follow up to agenda item 3 from 2020-02-05): Redfish 
Privilege updates: 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881 and 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28878.  Update Feb 
11: see 
https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration, 
which clarified the intention to NOT enumerate all accounts (unless you are 
the admin).


3. (email) FYA.  BMC aggregator - includes a security topic. 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020433.html 


4. (email) FYA - BMC Secure Boot / U-Boot - use dm-verity or alternate? 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020452.html 


5. Redfish forum question: Direction for channel based restrictions - 
https://redfishforum.com/thread/279/channel-privilege-support-direction-redfish 


6. (Bruce via email):  BMCWeb Cert valid for 10 years - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020488.html 


7. (Joseph / James / Richard email): Rate limiting, use pam_abl - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020430.html 


8. (Joseph via email): New Redfish roles ServiceRep & OemRep - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020540.html 


9. (Joseph email): Implement the Redfish PasswordChangeRequired property 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020554.html 


10. (Joseph email): delete BMCWeb sessions after some kinds of account 
changes 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020555.html 

Access, agenda, and notes are in the wiki:

https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph
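Agenda item 1 turns on two rules that Chrome 80 began enforcing in February 2020: a cookie with no SameSite attribute is treated as SameSite=Lax, and a cookie marked SameSite=None is rejected unless it also carries Secure. The following C++ is an added illustration, not BMCWeb's own code from token_authorization_middleware.hpp: `buildSessionCookie` emits a session cookie that defaults to SameSite=Strict and only switches to `SameSite=None; Secure` when cross-site use is deliberately enabled (a flag named after the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION option on the page), and `classifyForChrome80` shows how Chrome 80 would treat a given Set-Cookie value. The `CookiePolicy` struct, its field names and both function names are hypothetical.

```cpp
// Added example (not BMCWeb code): build and check Set-Cookie headers under
// the Chrome 80 SameSite rules discussed in agenda item 1.
#include <cctype>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical policy knobs. insecureDisableXssPrevention stands in for the
// BMCWEB_INSECURE_DISABLE_XSS_PREVENTION build option named on the page.
struct CookiePolicy {
    bool insecureDisableXssPrevention = false; // cross-site use of the BMC allowed?
    bool tlsTerminated = true;                 // is the response going out over HTTPS?
};

// Build a Set-Cookie header value for a session cookie.
// Default: SameSite=Strict (the proposal at the end of item 1).
// When cross-site use is enabled, emit SameSite=None; Chrome 80 only accepts
// None together with Secure, so over plain HTTP we return nullopt instead of
// a cookie the browser would silently drop.
std::optional<std::string> buildSessionCookie(const std::string& name,
                                              const std::string& value,
                                              const CookiePolicy& policy) {
    std::ostringstream out;
    out << name << '=' << value << "; Path=/; HttpOnly";
    if (policy.insecureDisableXssPrevention) {
        if (!policy.tlsTerminated) {
            return std::nullopt;
        }
        out << "; Secure; SameSite=None";
    } else {
        if (policy.tlsTerminated) {
            out << "; Secure";
        }
        out << "; SameSite=Strict";
    }
    return out.str();
}

// How Chrome 80 treats a Set-Cookie value after the February 2020 change:
//  - no SameSite attribute        -> handled as Lax
//  - SameSite=None without Secure -> rejected
//  - unrecognised SameSite value  -> attribute ignored, Lax default applies
enum class ChromeOutcome { Strict, Lax, NoneSecure, RejectedNoneInsecure, RejectedInvalid };

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

ChromeOutcome classifyForChrome80(const std::string& setCookie) {
    // Split "name=value; Attr; Attr=val" on ';' and trim each piece.
    std::vector<std::string> parts;
    std::string item;
    std::istringstream in(setCookie);
    while (std::getline(in, item, ';')) parts.push_back(trim(item));
    if (parts.empty() || parts[0].find('=') == std::string::npos) {
        return ChromeOutcome::RejectedInvalid;  // no name=value pair at all
    }
    bool secure = false;
    std::string sameSite;  // empty means the attribute is absent
    for (size_t i = 1; i < parts.size(); ++i) {
        std::string attr = lower(parts[i]);
        if (attr == "secure") secure = true;
        else if (attr.rfind("samesite=", 0) == 0) sameSite = attr.substr(9);
    }
    if (sameSite.empty()) return ChromeOutcome::Lax;      // Chrome 80 default
    if (sameSite == "strict") return ChromeOutcome::Strict;
    if (sameSite == "lax") return ChromeOutcome::Lax;
    if (sameSite == "none") {
        return secure ? ChromeOutcome::NoneSecure : ChromeOutcome::RejectedNoneInsecure;
    }
    return ChromeOutcome::Lax;  // unknown value: ignored, default applies
}
```

The practical consequence for the agenda question: a BMCWeb cookie that names no SameSite attribute is not sent on cross-site requests by Chrome 80 even today, so choosing SameSite=Strict by default only makes explicit what the browser already does, while the SameSite=None path must be tied to HTTPS or the browser discards the cookie. Chrome 80 also shipped a temporary "Lax+POST" exception that still attached such default-Lax cookies to top-level POSTs within two minutes of the cookie being set; the classifier above ignores that transitional detail.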
