Re: Request new repo for IBM-specific code

From: Joseph Reynolds <jrey@linux.ibm.com>
To: Patrick Williams <patrick@stwcx.xyz>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Request new repo for IBM-specific code
Date: Sat, 6 Mar 2021 22:09:36 -0600	[thread overview]
Message-ID: <dc7eb87e-c13f-dcb7-7b98-dbeb382d7caa@linux.ibm.com> (raw)
In-Reply-To: <YEKDY6+zfW5Uuqkl@heinlein>

On 3/5/21 1:15 PM, Patrick Williams wrote:
> On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
>> What is the right repository for a new Linux-PAM module to implement an
>> IBM-specific ACF authentication?
>>
>> The access control file (ACF) design was introduced to the OpenBMC
>> security working group and is described in [IBM issue 1737][] and
>> further explained in [IBM issue 2562][].
> I'm not really seeing much documentation on this in either issue.  Do
> you have a document describing your requirements and how you're planning
> to accomplish it?

Patrick, thanks for your response!  You are correct I did not motivate 
this very well.  The short answer is twofold:
1. IBM service reps need password authentication: that is how they will 
access the BMC.  They work in a variety of environments, some of which 
do not allow them to carry a certificate to the BMC.
2. Each service call requires an unique password which is enabled by a 
digital certificate.  There is nothing secret in the certificate, so an 
admin may install it on the BMC.

Thus, the flow is for the service rep to generate a certificate (and its 
accompanying password), work with the BMC admin to install the cert onto 
the BMC, and then use the password to authenticate to the BMC.  Password 
authentication steps for the service user are detailed in issue 2562 
cited above.

> My first reading of what is there, I'm not sure why typical certificate
> based authentication couldn't solve your needs (but I'm just guessing
> what your needs are).  It seems like you have a root-authority (IBM), a
> a daily expiring certificate, and some fields in the certificate you
> want to confirm (ex. serial number).  I've seen other production-level
> systems doing similar for SSH/HTTPS without additional PAM modules.

Our service team requires password based authentication.  Period. And 
they don't like the idea of having to generate a certificate/password 
pair for each service call.  But certificates offer the best technology 
we have to solve the access problem.  And we are not yet prepared to go 
to a certificate-only solution. ... So this is where we are at.

>> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
>> the IPMI implementation is shared by all of OpenBMC.  By comparison, the
>> proposed ibm-pam-acf module is intended only for IBM Enterprise
>> systems.  The intended implementation is based on standard cryptography
>> techniques and could be developed into a general authentication
>> solution, but the ACF is specific to IBM in terms of its exact format
>> and content, and I expect it will only be used by IBM and its partners.
> Are you planning to open up the tools necessary to create these ACFs?

No, I hadn't been, but good idea!  We have prototype tools to generate 
and read the ACF.  They should be useful to our test team.
There should be nothing secret in the code.  ("The only secret is the 
private key.")  I'll check with my security team.

- Joseph

>> Can we create a new OpenBMC repo for this?  Perhaps ibm-pam-acf?  Or
>> should this go into some other repo?
>>
>> - Joseph
>>
>> [IBM issue 1737]: https://github.com/ibm-openbmc/dev/issues/1737
>> [IBM issue 2562]: https://github.com/ibm-openbmc/dev/issues/2562
>> [pam-ipmi modules]: https://github.com/openbmc/pam-ipmi