* Security Working Group meeting - Wednesday December 9
@ 2020-12-09 4:01 Joseph Reynolds
From: Joseph Reynolds @ 2020-12-09 4:01 UTC (permalink / raw)
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday December 9 at 10:00am PDT.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
and anything else that comes up:
1. Discord discussion #webui: Dumps and logs may contain sensitive
   information as documented here
   https://github.com/ibm-openbmc/dev/issues/1531#issuecomment-642238544
   and https://github.com/openbmc/openbmc/wiki/Configuration-guide
2. Joseph: Proposed PerformService privilege enhancement to BMCWeb
   https://lore.kernel.org/openbmc/1bfe87ea-9fc5-8664-d1de-d3138616a427@linux.ibm.com/T/#u
Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
* Re: Security Working Group meeting - Wednesday December 9 - results
@ 2020-12-10 15:10 ` Joseph Reynolds
From: Joseph Reynolds @ 2020-12-10 15:10 UTC (permalink / raw)
To: openbmc
On 12/8/20 10:01 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday December 9 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>
>
> 1.
>
> Discord discussion #webui: Dumps and logs may contain sensitive
> information as documented
> here
> https://github.com/ibm-openbmc/dev/issues/1531#issuecomment-642238544
> and https://github.com/openbmc/openbmc/wiki/Configuration-guide
It is worthwhile to document sensitive info stored in dump and log
items. Where are dumps stored? Encrypted? Who *should* have read
access to dumps and logs that may contain sensitive information? Note
different use cases with different details in terms of what information
is present, how sensitive it is, if it needs to be encrypted as it sits
in the BMC, and who should have read access.
The consensus was to keep these details in the wiki.
> 2.
>
> Joseph: Proposed PerformService privilege enhancement to BMCWeb
> https://lore.kernel.org/openbmc/1bfe87ea-9fc5-8664-d1de-d3138616a427@linux.ibm.com/T/#u
The question is how to implement Redfish custom roles and Redfish OEM
privileges in BMCWeb.
Use the email thread for discussion. The direction is NOT to sprinkle
customizations throughout the code, instead to implement BMCWeb so we
can consume Redfish's published PrivilegeRegistry at BMCWeb compile
time. Then downstream users can supply customized PrivilegeRegistry
files that have OEM privileges. (Refer to the email thread for details,
corrections to the above, and evolving discussion.)
Bonus topic: The December 23 meeting is cancelled. Next meeting
scheduled for January 6.
- Joseph
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>