* Security Working Group meeting - Wednesday July 21
@ 2021-07-20 22:45 Joseph Reynolds
From: Joseph Reynolds @ 2021-07-20 22:45 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday July 21 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
and anything else that comes up:

 1. See Google’s “unified vulnerability schema for open source”
    https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html?m=1

 2. Email: Update phosphor-defaults with stronger root password hash
    algorithm -
    https://lore.kernel.org/openbmc/34f5b89a-3919-e214-a744-4277fba0bbbb@linux.ibm.com/T/#u

Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph


* Re: Security Working Group meeting - Wednesday July 21 - results
@ 2021-07-21 19:49 ` Joseph Reynolds
From: Joseph Reynolds @ 2021-07-21 19:49 UTC (permalink / raw)
  To: openbmc

On 7/20/21 5:45 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday July 21 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>

Attended: James Mihm, Sorya Intel, Dhananjay Phadke, Dick Wilkins, Jiang 
Zhang, Joseph Reynolds, mbhavsar, guptar (Ratan Gupta)

Bonus item 0: What support does OpenBMC have for mTLS clients?

DISCUSSION: See the Redfish APIs referenced below.  Redfish doesn’t 
support mTLS, but BMCWeb does support mTLS.  Is there a supported 
interface for the BMC admin to upload an mTLS client cert to the BMC?

References:

  * https://github.com/openbmc/openbmc/wiki/Configuration-guide#bmcweb (mTLS)
  * https://github.com/openbmc/openbmc/wiki/Configuration-guide#site-identity-certificate

> 1. See Google’s “unified vulnerability schema for open source”
> https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html?m=1
> <https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html?m=1>

DISCUSSION:

This was included for awareness only, not to propose using this schema.

This seems similar to the forms needed to create CVEs such as here:
https://cveform.mitre.org/

OpenBMC’s current guidelines for collecting this kind of information are
here:
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md

Related discussion: Should OpenBMC consider becoming a CNA?  See previous
effort here: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621
(“Proposed answers to DWF CNA Registration Form”)



> 2. Email: Update phosphor-defaults with stronger root password hash
>   algorithm -
> https://lore.kernel.org/openbmc/34f5b89a-3919-e214-a744-4277fba0bbbb@linux.ibm.com/T/#u
> <https://lore.kernel.org/openbmc/34f5b89a-3919-e214-a744-4277fba0bbbb@linux.ibm.com/T/#u>

2 Email: Update phosphor-defaults with stronger root password hash
algorithm -
https://lore.kernel.org/openbmc/34f5b89a-3919-e214-a744-4277fba0bbbb@linux.ibm.com/T/#u

DISCUSSION:

The group agreed to change the project’s default root password hash, 
while leaving the cleartext password the same.  TODO: Joseph will 
propose the change via a gerrit review.



Topics added after the meeting started:

3 What is the status of the OpenBMC BMC secure boot function?  Who is 
working on it?

DISCUSSION:

ASpeed AST2600 BMC secure boot using AST2600 hardware without TPM and 
without any special hardware (other than pullup resistors).  Interest in 
avoiding Cerberus.

See also Design
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/26169


Two ways to validate uboot: via AST2600 hardware, via Cerberus

Once uboot is running, use uboot to validate the FIT image, kernel, etc.


4 What is happening with the Intel Hack-a-thon 2?

DISCUSSION: Creating CVEs.


5 What is happening with getting a private database to track
vulnerability submissions?  This would be used by the OpenBMC security
response team
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
to record security vulnerabilities which were reported to OpenBMC and not
yet fixed or publicly disclosed.  Only members of the OpenBMC security
response team would have access (read/write access).

DISCUSSION:

Surya plans to set up bugzilla.

Contact Andrew Geissler in his role as OpenBMC community infrastructure 
if you need a server.


6 What is happening with deploying AppArmor?

DISCUSSION:

Nobody was tracking it closely enough to answer.  Anton had been working
on it.  See reviews under
https://gerrit.openbmc-project.xyz/q/owner:rnouse%2540google.com



>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph
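
Item 2 above concerns the algorithm behind the shipped default root hash, not the cleartext password. The check below is an added example, not OpenBMC or phosphor-defaults code: a small Python script that parses /etc/shadow-format lines, reads the crypt(3) algorithm id from the `$id$` prefix of each password field, and lists the accounts whose hash still uses md5crypt or traditional DES. The sample shadow lines are constructed placeholders (not real hashes), and which algorithms count as weak is this example's own policy assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Modular-crypt-format ids from crypt(5). The id sits between the first
# two '$' of a hashed password field, e.g. "$6$salt$hash" -> "6".
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}

# Policy assumption for this example: these are too cheap to brute-force
# for a shipped default credential and should be flagged.
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}


@dataclass
class ShadowEntry:
    user: str
    algorithm: str  # a CRYPT_IDS value, "descrypt", "none" or "unknown"
    locked: bool    # password field begins with '!' or '*' (no password login)
    weak: bool      # algorithm in WEAK_ALGORITHMS


def classify_hash(field: str) -> str:
    """Name the crypt(3) algorithm used by one shadow password field."""
    if field in ("", "*", "!", "!!"):
        return "none"          # no usable hash at all
    if field.startswith("$"):
        parts = field.split("$")   # "$6$rounds=5000$salt$hash" -> ["", "6", ...]
        if len(parts) >= 3 and parts[1] in CRYPT_IDS:
            return CRYPT_IDS[parts[1]]
        return "unknown"
    # Traditional DES crypt: 13 characters from the crypt alphabet, no '$'.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"
    return "unknown"


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one 'user:hash:lastchg:...' line into a ShadowEntry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw = fields[0], fields[1]
    locked = pw.startswith(("!", "*")) or pw == ""
    # "!$6$..." is a locked account that still carries a hash; classify it too,
    # since a leaked weak hash is crackable whether or not the account is locked.
    algorithm = classify_hash(pw.lstrip("!"))
    return ShadowEntry(user, algorithm, locked, algorithm in WEAK_ALGORITHMS)


def find_weak_entries(lines: Iterable[str]) -> List[ShadowEntry]:
    """Return the entries whose hash algorithm is on the weak list."""
    return [e for e in map(parse_shadow_line, lines) if e.weak]


# Constructed sample shadow lines with placeholder hash bodies (not real hashes).
SAMPLE_SHADOW = [
    "root:$1$saltsalt$" + "m" * 22 + ":18829:0:99999:7:::",               # md5crypt
    "admin:$6$rounds=5000$saltsalt$" + "s" * 86 + ":18829:0:99999:7:::",  # sha512crypt
    "service:$y$j9T$saltsaltsalt$" + "y" * 43 + ":18829:0:99999:7:::",    # yescrypt
    "sshd:*:18829:0:99999:7:::",                                          # no password
    "legacy:!$1$saltsalt$" + "m" * 22 + ":18829:0:99999:7:::",            # locked, md5crypt
]

if __name__ == "__main__":
    for entry in find_weak_entries(SAMPLE_SHADOW):
        state = "locked" if entry.locked else "active"
        print(f"{entry.user}: {entry.algorithm} ({state})")
```

Run against an extracted rootfs, the script reads the image's shadow file line by line instead of SAMPLE_SHADOW; a non-empty result means the default hash algorithm change discussed above has not landed in that build.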



* Re: Security Working Group meeting - Wednesday July 21 - results
@ 2021-07-21 21:00   ` Patrick Williams
From: Patrick Williams @ 2021-07-21 21:00 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: openbmc


On Wed, Jul 21, 2021 at 02:49:11PM -0500, Joseph Reynolds wrote:
> On 7/20/21 5:45 PM, Joseph Reynolds wrote:

> 5 What is happening with getting a private database to track 
> vulnerability submissions?  This would be used by the OpenBMC security 
> response team 
> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md to
> record security vulnerabilities which were reported to OpenBMC and not 
> yet fixed or publicly disclosed.  Only members of the OpenBMC security 
> response team would have access (read/write access).
> 
> DISCUSSION:
> 
> Surya plans to set up bugzilla.
> 
> Contact Andrew Geissler in his role as OpenBMC community infrastructure 
> if you need a server.

I've mentioned this before that we do not need to set up a bugzilla and that it
is a waste of time to manage a bugzilla instance.  We can create unlimited
private repositories in our github org.  We just need Brad to create one for
security discussions and add the people that are currently part of the security
ML to an ACL for access.

-- 
Patrick Williams


