* Security Working Group meeting - Wednesday September 18
From: Joseph Reynolds @ 2021-08-18 13:54 UTC
To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday September 18 at 10:00am PDT.

We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
and anything else that comes up:

1. Wholesale changes to bitbake recipes were made. See
   https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u
   <https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u> My
   non-specific security concern (Joseph) is accidentally mis-configuring
   something with these changes.
2. Gerrit review - The BMCWeb session idle timeout changed to 30
   minutes (was 60):
   https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45658
   <https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45658>
3. Yocto is planning a security configuration guide. See
   https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509
   <https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509>

Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
<https://github.com/openbmc/openbmc/wiki/Security-working-group>

- Joseph

* Re: Security Working Group meeting - Wednesday September 18
From: Patrick Williams @ 2021-08-18 17:33 UTC
To: Joseph Reynolds; +Cc: openbmc

On Wed, Aug 18, 2021 at 08:54:52AM -0500, Joseph Reynolds wrote:
> 1. Wholesale changes to bitbake recipes were made. See
> https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u
> <https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u> My
> non-specific security concern (Joseph) is accidentally mis-configuring
> something with these changes.

How do we ensure that any configuration you want to ensure is done,
security-wise, is covered by tests going forward?

--
Patrick Williams

* Re: Security Working Group meeting - Wednesday September 18
From: Joseph Reynolds @ 2021-08-18 19:12 UTC
To: Patrick Williams; +Cc: openbmc

On 8/18/21 12:33 PM, Patrick Williams wrote:
> On Wed, Aug 18, 2021 at 08:54:52AM -0500, Joseph Reynolds wrote:
>
>> 1. Wholesale changes to bitbake recipes were made. See
>> https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u
>> <https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u> My
>> non-specific security concern (Joseph) is accidentally mis-configuring
>> something with these changes.
> How do we ensure that any configuration you want to ensure is done,
> security-wise, is covered by tests going forward?

Here are my ideas:

For build-time configurations, I suggest documenting all important
configuration settings. Each item to include (links to) description of
what the configuration setting controls, considerations for selecting
the appropriate setting, and which recipe to append. Then add links to
test cases.

Examples:
- For example, if out-of-band/network IPMI is configured out of the
  image, have a test case to determine that UDP port 623 is unresponsive
  and PATCH /redfish/v1/SessionService {"IPMI": {"ServiceEnabled": true}}
  fails and has no effect.
- On the other hand, if out-of-band/network IPMI is configured into the
  image but disabled by default, have a test case to determine that UDP
  port 623 is unresponsive and PATCH /redfish/v1/SessionService
  {"IPMI": {"ServiceEnabled": true}} succeeds, and makes port 623
  active, etc.

These test cases are necessarily specific to a specific configuration,
so they are not all appropriate to run. That is, we can have a test
case for each configuration setting, and configure them into or out-of
the test suite as needed.

Specifically, the person responsible for configuring their downstream
firmware image must also work to configure the appropriate tests to be
run. (Example: if you configure IPMI out of the image, configure your
test suite to (a) remove tests for IPMI function, and (b) add tests to
ensure IPMI is not present.)

I would be happy to add test case links to the OpenBMC configuration wiki:
https://github.com/openbmc/openbmc/wiki/Configuration-guide

Joseph

* Re: Security Working Group meeting - Wednesday September 18 - results
From: Joseph Reynolds @ 2021-08-18 19:32 UTC
To: openbmc

On 8/18/21 8:54 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday September 18 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>

Attended: Joseph Reynolds, Bruce Mitchell, James Mihm, Jiang Zhang,
Richard Wilkins, Surya Intel, Daniil Egranov Arm

> 1. Wholesale changes to bitbake recipes were made. See
> https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u
> <https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u> My
> non-specific security concern (Joseph) is accidentally mis-configuring
> something with these changes.

DISCUSSION: None

> 2. Gerrit review - The BMCWeb session idle timeout changed to 30
> minutes (was 60):
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45658
> <https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45658>

DISCUSSION: None

> 3. Yocto is planning a security configuration guide. See
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509
> <https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509>

DISCUSSION: None

Bonus items:

4. What database? Bugzilla? github.com issues?

DISCUSSION:

James and Surya looked at github issues. Will test drive github. Need
dashboard/query function. Worries about accidental disclosure.
Tianocore uses bugzilla per Richard. UEFI has a separate database (not
bugzilla). Use github private branches? What development process for
security code reviews (Github reviews vs gerrit)?

Next steps: James and Surya will come up with critical objections to
using github issues.

5 How to add session timeouts to host console?

DISCUSSION:

See the diagram in the README under
https://github.com/openbmc/obmc-console
<https://github.com/openbmc/obmc-console>.

We thought obmc-console-client was the right place to implement the
timeout mechanism.

I created https://github.com/openbmc/obmc-console/issues/18
<https://github.com/openbmc/obmc-console/issues/18>.

>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph

* Re: Security Working Group meeting - Wednesday September 18 - results
From: Jeremy Kerr @ 2021-08-19 0:49 UTC
To: Joseph Reynolds, openbmc

Hi Joseph,

> 5 How to add session timeouts to host console?
>
> DISCUSSION:
>
> See the diagram in the README under
> https://github.com/openbmc/obmc-console
> <https://github.com/openbmc/obmc-console>.
>
> We thought obmc-console-client was the right place to implement the
> timeout mechanism.

OK, but that diagram doesn't really cover the detail you'd need to base
such a decision on; there's the ssh server between port 2222 and the
obmc-console-client program.

[obmc-console-client is just a *really* simple bridge between stdio and
a unix domain socket. It doesn't own the network socket, nor do any
authentication or authorisation]

We can definitely do an optional timeout in obmc-console-client, but I
want to make sure that's really what you want first.

Cheers,


Jeremy

* Re: Security Working Group meeting - Wednesday September 18 - results - add idle timeout
From: Joseph Reynolds @ 2021-08-20 16:19 UTC
To: Jeremy Kerr, openbmc

On 8/18/21 7:49 PM, Jeremy Kerr wrote:
> Hi Joseph,
>
>> 5 How to add session timeouts to host console?
>>
>> DISCUSSION:
>>
>> See the diagram in the README under
>> https://github.com/openbmc/obmc-console
>> <https://github.com/openbmc/obmc-console>.
>>
>> We thought obmc-console-client was the right place to implement the
>> timeout mechanism.
> OK, but that diagram doesn't really cover the detail you'd need to base
> such a decision on; there's the ssh server between port 2222 and the
> obmc-console-client program.

Here is my understanding of the code which establishes new connections.
My knowledge here is limited; please correct me or add anything I missed.

1. The service to listen at port 2200 ("host console") is here:
   github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb
2. That service uses systemd service files under:
   github.com/openbmc/obmc-console/tree/master/conf
3. The `obmc-console-ssh@.service` handles each new connection by
   running dropbear which connects the instance to the
   obmc-console-client program.

When a network client reaches TCP port 2200, I understand the flow is:

1. When the obmc-console-ssh.socket gets a new connection, it activates
   an instance of obmc-console-ssh@.service.
2. The obmc-console-ssh instance runs the dropbear program.
3. The dropbear program creates an SSH session which connects the
   network session user to the obmc-console-client program.

Given that flow, I see the following choices for where to enforce an
idle timeout:

1. Do systemd sockets have a timeout mechanism? I found controls for
   when the listening socket is idle, but not for a socket handling
   connection instance. However, my knowledge in this area is very
   limited.
2. The dropbear SSH server has a session idle timeout mechanism
   (command line parameter: `dropbear ... -I 3600`).
3. Add a new parameter to the obmc-console-client. See
   https://github.com/openbmc/obmc-console/issues/18
4. Run a new program between dropbear and obmc-console-client to
   provide the idle timeout, for example, like the `screen` command with
   TMOUT set to the desired timeout.

Of these options, I think the easiest is to have dropbear provide the
timeout, but note that OpenSSH does not provide an idle session timeout.
I believe the right solution is to add a timeout to obmc-console-client,
as proposed in obmc-console/issues/18.

Joseph

>
> [obmc-console-client is just a *really* simple bridge between stdio and
> a unix domain socket. It doesn't own the network socket, nor do any
> authentication or authorisation]
>
> We can definitely do an optional timeout in obmc-console-client, but I
> want to make sure that's really what you want first.
>
> Cheers,
>
>
>
> Jeremy
>

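The option discussed in the thread of enforcing the idle timeout in a bridge between stdio and a unix domain socket, shown as an added example that is not part of the original messages and is not obmc-console code: a poll() relay that ends the session once the user side has sent nothing for idle_ms milliseconds. The function and enum names are hypothetical, and letting only user input (not host output) reset the timer is an assumption of this example.

```c
/* Added example, not obmc-console code; all names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum relay_result { RELAY_EOF, RELAY_IDLE_TIMEOUT, RELAY_ERROR };

static long now_ms(void)
{
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts); /* immune to wall-clock changes */
	return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Relay user_in -> console and console -> user_out. Assumption: only user
 * input resets the idle timer, so host output cannot keep a session open. */
enum relay_result relay_with_idle_timeout(int user_in, int user_out, int console, int idle_ms)
{
	struct pollfd fds[2] = { { user_in, POLLIN, 0 }, { console, POLLIN, 0 } };
	long last_input = now_ms();
	char buf[4096];

	for (;;) {
		long left = idle_ms - (now_ms() - last_input);
		if (left <= 0) return RELAY_IDLE_TIMEOUT;
		int rc = poll(fds, 2, (int)left);
		if (rc < 0 && errno != EINTR) return RELAY_ERROR;
		for (int i = 0; rc > 0 && i < 2; i++) {
			if (!fds[i].revents) continue;
			ssize_t n = read(fds[i].fd, buf, sizeof(buf));
			if (n <= 0) return n == 0 ? RELAY_EOF : RELAY_ERROR;
			for (ssize_t off = 0, w; off < n; off += w) { /* short writes */
				w = write(i ? user_out : console, buf + off, (size_t)(n - off));
				if (w <= 0) return RELAY_ERROR;
			}
			if (i == 0) last_input = now_ms();
		}
	}
}

int main(void)
{
	int con[2]; /* constructed stand-in for the console's unix socket */
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, con) < 0)
		return 1;
	return relay_with_idle_timeout(STDIN_FILENO, STDOUT_FILENO, con[0], 5000) == RELAY_ERROR;
}
```
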