openbmc.lists.ozlabs.org archive mirror
* Security Working Group meeting - Wednesday December 9
@ 2020-12-09  4:01 Joseph Reynolds
  2020-12-10 15:10 ` Security Working Group meeting - Wednesday December 9 - results Joseph Reynolds
  0 siblings, 1 reply; 2+ messages in thread
From: Joseph Reynolds @ 2020-12-09  4:01 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday December 9 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
and anything else that comes up:


 1. Discord discussion #webui: Dumps and logs may contain sensitive
    information as documented here
    https://github.com/ibm-openbmc/dev/issues/1531#issuecomment-642238544
    and https://github.com/openbmc/openbmc/wiki/Configuration-guide

 2. Joseph: Proposed PerformService privilege enhancement to BMCWeb
    https://lore.kernel.org/openbmc/1bfe87ea-9fc5-8664-d1de-d3138616a427@linux.ibm.com/T/#u



Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group



* Re: Security Working Group meeting - Wednesday December 9 - results
  2020-12-09  4:01 Security Working Group meeting - Wednesday December 9 Joseph Reynolds
@ 2020-12-10 15:10 ` Joseph Reynolds
  0 siblings, 0 replies; 2+ messages in thread
From: Joseph Reynolds @ 2020-12-10 15:10 UTC (permalink / raw)
  To: openbmc

On 12/8/20 10:01 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday December 9 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
>
> 1.
>
>    Discord discussion #webui: Dumps and logs may contain sensitive
>    information as documented
>    here 
> https://github.com/ibm-openbmc/dev/issues/1531#issuecomment-642238544
>    and https://github.com/openbmc/openbmc/wiki/Configuration-guide

It is worthwhile to document sensitive info stored in dump and log 
items.  Where are dumps stored?  Encrypted?  Who *should* have read 
access to dumps and logs that may contain sensitive information?  Note 
different use cases with different details in terms of what information 
is present, how sensitive it is, if it needs to be encrypted as it sits 
in the BMC, and who should have read access.

The consensus was to keep these details in the wiki.



> 2.
>
>    Joseph: Proposed PerformService privilege enhancement to BMCWeb
> https://lore.kernel.org/openbmc/1bfe87ea-9fc5-8664-d1de-d3138616a427@linux.ibm.com/T/#u

The question is how to implement Redfish custom roles and Redfish OEM 
privileges in BMCWeb.
Use the email thread for discussion.  The direction is NOT to sprinkle 
customizations throughout the code, but instead to implement BMCWeb so we 
can consume Redfish's published PrivilegeRegistry at BMCWeb compile 
time.  Then downstream users can supply customized PrivilegeRegistry 
files that have OEM privileges.  (Refer to the email thread for details, 
corrections to the above, and evolving discussion.)

Bonus topic: The December 23 meeting is cancelled.  Next meeting 
scheduled for January 6.

- Joseph

>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
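
The compile-time direction described in the results above, as an added example (not code from the thread or from BMCWeb): a build-step stand-in that validates a PrivilegeRegistry-shaped file and flattens it to a lookup table, failing on undeclared or empty privilege sets. The sample registry, the OemExampleService privilege and both function names are constructed for illustration.

```python
import json

# Constructed registry in the Redfish PrivilegeRegistry layout. "OemExampleService"
# and the mappings are placeholders, not values from the thread or from BMCWeb.
SAMPLE = json.loads("""
{
  "PrivilegesUsed": ["Login", "ConfigureManager", "ConfigureUsers"],
  "OEMPrivilegesUsed": ["OemExampleService"],
  "Mappings": [
    {"Entity": "Manager", "OperationMap": {
      "GET":   [{"Privilege": ["Login"]}],
      "PATCH": [{"Privilege": ["ConfigureManager"]},
                {"Privilege": ["Login", "OemExampleService"]}]}},
    {"Entity": "ManagerAccount", "OperationMap": {
      "GET":   [{"Privilege": ["ConfigureUsers"]}]}}
  ]
}
""")


def compile_registry(registry):
    """Build-step stand-in: validate the file and flatten it to a lookup table."""
    declared = set(registry["PrivilegesUsed"]) | set(registry.get("OEMPrivilegesUsed", []))
    table = {}
    for mapping in registry["Mappings"]:
        entity = mapping["Entity"]
        for method, alternatives in mapping["OperationMap"].items():
            sets = tuple(frozenset(alt["Privilege"]) for alt in alternatives)
            for privs in sets:
                unknown = privs - declared
                # An empty set would match every caller, and an undeclared name
                # cannot be audited, so either one fails the build.
                if unknown or not privs:
                    raise ValueError(f"{entity} {method}: bad privileges {sorted(unknown)}")
            table[(entity, method)] = sets
    return table


def is_allowed(table, entity, method, user_privileges):
    """Names inside one Privilege array are ANDed; the arrays in the list are ORed."""
    held = set(user_privileges)
    alternatives = table.get((entity, method), ())  # no mapping means deny
    return any(privs <= held for privs in alternatives)


TABLE = compile_registry(SAMPLE)
```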

