Security Working Group meeting - Wednesday November 10

Security Working Group meeting - Wednesday November 10

[Joseph Reynolds]

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday November 10 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
and anything else that comes up:

1.



Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group 
<https://github.com/openbmc/openbmc/wiki/Security-working-group>

- Joseph

Re: Security Working Group meeting - Wednesday November 10 - results

[Joseph Reynolds]

On 11/10/21 8:38 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday November 10 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:
>

Attended: Joseph, Bruce, Vernon, James, Caci, Jiang, Dick, Ratan, Dhananjay


Agenda items discussed:

1 Next meeting Nov 24 “Thanksgiving eve”

Votes: cancel, cancel, cancel.  Agreed.  Someone else schedule a meeting?


2 Should OpenBMC become a CVE Numbering Authority (CNA).

Ref: https://www.cve.org/ResourcesSupport/AllResources/CNARules 
<https://www.cve.org/ResourcesSupport/AllResources/CNARules>

This would better integrate the CVE process with github.

OpenBMC looked into become a CNA years ago.  See the old review: 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621 
<https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621>

Is it worthwhile for openBMC to become a CNA?  Yes, we have had multiple 
CVEs per year and believe this will continue.  We have filled out the 
form (at cve.mitre.org) to create CVEs and have become familiar with 
writing CVE language.

We agreed to pursue becoming a CNA.  No objections.  James will follow up.


3 Make progress on these competing reviews:

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/48564 
<https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/48564>

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/48633 
<https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/48633>

Ensure we have a CI test for this.  TODO: Joseph to contact George on email.


4 The OpenBMC security response team (SRT) is working toward improving 
the way it handles private security vulnerabilities before they are 
disclosed.  (See notes from previous meetings.)

The repo https://github.com/openbmc/openbmc/security-response 
<https://github.com/openbmc/openbmc/security-response>was created for 
this, the idea is to make this private to the SRT members and  use  
https://github.com/openbmc/openbmc/security-response/issues to identify 
issues and track progress.

Open questions: What content should this repo have?

How to add content? Do  we  need  files?  Any private content? Web 
interfaces vs gerrit vs command line (git submissions?)

The README should have content like:

  *

    the purpose of the repo (to track security vulnerability issues for
    the overall openbmc organization before public disclosure).

  *

    the fact that the repo is private and access is controlled by the
    github @security-response team.

  *

    Link to
    https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md
    <https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md>

  *

    Instructions to use
    github.com/openbmc/openbmc/security-response/issues for new issues

Nothing in the README needs to be private.  The content which must 
remain private is in the issues.

Code reviews for fixes would use their own repo, and perhaps private 
gerrit review process, as stated in the 
obmc-security-response-team-guidelines.md.


The question for github is: What should a security response team (like 
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md 
<https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md>) 
use to track private security reports before public disclosure?


The overall structure might be like this:

  *

    github.com/openbmc/openbmc/issues -- currently stores security
    advisories: search for “advisory”

  *

    github.com/openbmc/openbmc/security/advisories -- proposed place for
    all advisories; this is what github wants us to use.

  *

    github.com/openbmc/openbmc/security-response -- new PRIVATE repo for
    the SRT to track new security vulnerabilities toward closure


See

https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization 
<https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization>


Next steps:

  *

    Add github.com/openbmc/openbmc/security-response README -- see above
    for ideas

  *

    Create first low-sev issue in
    https://github.com/openbmc/openbmc/security-response/issues
    <https://github.com/openbmc/openbmc/security-response/issues>and
    ensure it is not accidentally disclosed via a Discord bot, an email
    bot, or any other way.



>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph

Security Working Group - Nov 24 meeting cancelled: reschedule?

[Joseph Reynolds]

On 11/10/21 2:35 PM, Joseph Reynolds wrote:
> On 11/10/21 8:38 AM, Joseph Reynolds wrote:
>
> Agenda items discussed:
>
> 1 Next meeting Nov 24 “Thanksgiving eve”
>
> Votes: cancel, cancel, cancel.  Agreed.  Someone else schedule a meeting?
>

The next regularly scheduled Security Working Group meeting (Nov 24) is 
cancelled.
This would be a perfect time to for someone maybe in another time zone 
outside the US to schedule a Security Working Group call.
Any volunteers?

Security Working Group - OpenBMC working to become a CVE numbering authority (CNA)

[Joseph Reynolds]

On 11/10/21 2:35 PM, Joseph Reynolds wrote:
> On 11/10/21 8:38 AM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting 
>> scheduled for this Wednesday November 10 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda 
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
>> and anything else that comes up:
>>
>
> Attended: Joseph, Bruce, Vernon, James, Caci, Jiang, Dick, Ratan, 
> Dhananjay
>
>
> Agenda items discussed:

...snip...

> 2 Should OpenBMC become a CVE Numbering Authority (CNA).
>
> Ref: https://www.cve.org/ResourcesSupport/AllResources/CNARules 
> <https://www.cve.org/ResourcesSupport/AllResources/CNARules>
>
> This would better integrate the CVE process with github.
>
> OpenBMC looked into become a CNA years ago.  See the old review: 
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621 
> <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621>
>
> Is it worthwhile for openBMC to become a CNA?  Yes, we have had 
> multiple CVEs per year and believe this will continue.  We have filled 
> out the form (at cve.mitre.org) to create CVEs and have become 
> familiar with writing CVE language.
>
> We agreed to pursue becoming a CNA.  No objections.  James will follow 
> up.

The OpenBMC security response team is working to become a CVE Numbering 
Authority (CNA).

Re: Security Working Group - Nov 24 meeting cancelled: reschedule?

[Joseph Reynolds]

On 11/10/21 2:38 PM, Joseph Reynolds wrote:
> On 11/10/21 2:35 PM, Joseph Reynolds wrote:
>> On 11/10/21 8:38 AM, Joseph Reynolds wrote:
>>
>> Agenda items discussed:
>>
>> 1 Next meeting Nov 24 “Thanksgiving eve”
>>
>> Votes: cancel, cancel, cancel.  Agreed.  Someone else schedule a 
>> meeting?
>>
>
> The next regularly scheduled Security Working Group meeting (Nov 24) 
> is cancelled.
> This would be a perfect time to for someone maybe in another time zone 
> outside the US to schedule a Security Working Group call.
> Any volunteers?
>

The regularly scheduled OpenBMC Security Working Group meeting for Nov 
24 is cancelled because of the US Thanksgiving holiday.

Joseph