* Security Working Group meeting - Wednesday September 18
@ 2021-08-18 13:54 Joseph Reynolds
  2021-08-18 17:33 ` Patrick Williams
  2021-08-18 19:32 ` Security Working Group meeting - Wednesday September 18 - results Joseph Reynolds
  0 siblings, 2 replies; 6+ messages in thread
From: Joseph Reynolds @ 2021-08-18 13:54 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday September 18 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
and anything else that comes up:

1. Wholesale changes to bitbake recipes were made.  See 
https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u  My 
non-specific security concern (Joseph) is accidentally mis-configuring 
something with these changes.
2. Gerrit review - The BMCWeb session idle timeout changed to 30 minutes 
(was 60): https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45658
3. Yocto is planning a security configuration guide.  See 
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509

Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph


* Re: Security Working Group meeting - Wednesday September 18
  2021-08-18 13:54 Security Working Group meeting - Wednesday September 18 Joseph Reynolds
@ 2021-08-18 17:33 ` Patrick Williams
  2021-08-18 19:12   ` Joseph Reynolds
  2021-08-18 19:32 ` Security Working Group meeting - Wednesday September 18 - results Joseph Reynolds
  1 sibling, 1 reply; 6+ messages in thread
From: Patrick Williams @ 2021-08-18 17:33 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: openbmc

On Wed, Aug 18, 2021 at 08:54:52AM -0500, Joseph Reynolds wrote:
 
> 1. Wholesale changes to bitbake recipes were made.  See 
> https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u 
> <https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u>  My 
> non-specific security concern (Joseph) is accidentally mis-configuring 
> something with these changes.

How do we ensure that any configuration you want to ensure is done,
security-wise, is covered by tests going forward?

-- 
Patrick Williams


* Re: Security Working Group meeting - Wednesday September 18
  2021-08-18 17:33 ` Patrick Williams
@ 2021-08-18 19:12   ` Joseph Reynolds
  0 siblings, 0 replies; 6+ messages in thread
From: Joseph Reynolds @ 2021-08-18 19:12 UTC (permalink / raw)
  To: Patrick Williams; +Cc: openbmc

On 8/18/21 12:33 PM, Patrick Williams wrote:
> On Wed, Aug 18, 2021 at 08:54:52AM -0500, Joseph Reynolds wrote:
>   
>> 1. Wholesale changes to bitbake recipes were made.  See
>> https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u
>> <https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u>  My
>> non-specific security concern (Joseph) is accidentally mis-configuring
>> something with these changes.
> How do we ensure that any configuration you want to ensure is done,
> security-wise, is covered by tests going forward?

Here are my ideas:

For build-time configurations, I suggest documenting all important 
configuration settings.  Each item to include (links to) description of 
what the configuration setting controls, considerations for selecting 
the appropriate setting, and which recipe to append.  Then add links to 
test cases.  Examples:
- For example, if out-of-band/network IPMI is configured out of the 
image, have a test case to determine that UDP port 623 is unresponsive 
and PATCH /redfish/v1/SessionService {"IPMI": {"ServiceEnabled": true}} 
fails and has no effect.
- On the other hand, if out-of-band/network IPMI is configured into the 
image but disabled by default, have a test case to determine that UDP 
port 623 is unresponsive and PATCH /redfish/v1/SessionService {"IPMI": 
{"ServiceEnabled": true}} succeeds, and makes port 623 active, etc.

These test cases are necessarily specific to a specific configuration, 
so they are not all appropriate to run.
That is, we can have a test case for each configuration setting, and 
configure them into or out-of the test suite as needed.

Specifically, the person responsible for configuring their downstream 
firmware image must also work to configure the appropriate tests to be 
run.  (Example: if you configure IPMI out of the image, configure your 
test suite to (a) remove tests for IPMI function, and (b) add tests to 
ensure IPMI is not present.)

I would be happy to add test case links to the OpenBMC configuration wiki:
https://github.com/openbmc/openbmc/wiki/Configuration-guide

Joseph
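
The two configuration-specific test cases described in the message above, as an added Python example (not OpenBMC test-suite code). `check_ipmi_config`, `udp623_responds` and `FakeBmc` are hypothetical names; `FakeBmc` is a constructed stand-in so the logic runs offline, and the PATCH itself is left to whatever authenticated Redfish client the test suite already uses.

```python
import socket

# RMCP/ASF Presence Ping, the usual "is IPMI-over-LAN listening?" datagram.
ASF_PING = bytes.fromhex("0600ff06000011be80000000")

def udp623_responds(host, port=623, timeout=2.0):
    """True if host answers the ping; silence or ICMP refusal means False."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(ASF_PING, (host, port))
            return len(s.recvfrom(512)[0]) > 0
        except OSError:  # timeout and connection-refused are both OSError
            return False

def check_ipmi_config(config, port_responds, patch_enable):
    """config is 'out' (IPMI built out of the image) or 'disabled' (built in,
    off by default). port_responds() and patch_enable() return bool; on a real
    BMC they wrap udp623_responds() and the PATCH quoted in the message.
    Returns a list of failure strings; an empty list means the test passed."""
    if config not in ("out", "disabled"):
        raise ValueError(config)
    failures = []
    if port_responds():
        failures.append("UDP 623 answers before any PATCH")
    patched = patch_enable()
    active = port_responds()
    if config == "out":
        if patched:
            failures.append("PATCH succeeded on an image built without IPMI")
        if active:
            failures.append("PATCH had an effect: UDP 623 now answers")
    else:
        if not patched:
            failures.append("PATCH failed although IPMI is built in")
        if not active:
            failures.append("UDP 623 still silent after enabling IPMI")
    return failures

class FakeBmc:
    """Constructed stand-in for a BMC so the example runs offline."""
    def __init__(self, ipmi_built_in):
        self.built_in, self.enabled = ipmi_built_in, False
    def port_responds(self):
        return self.built_in and self.enabled
    def patch_enable(self):
        self.enabled = self.built_in
        return self.built_in
```

Running the "out" check against an image that accidentally still contains IPMI returns two failures, which is the mis-configuration case raised in agenda item 1.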



* Re: Security Working Group meeting - Wednesday September 18 - results
  2021-08-18 13:54 Security Working Group meeting - Wednesday September 18 Joseph Reynolds
  2021-08-18 17:33 ` Patrick Williams
@ 2021-08-18 19:32 ` Joseph Reynolds
  2021-08-19  0:49   ` Jeremy Kerr
  1 sibling, 1 reply; 6+ messages in thread
From: Joseph Reynolds @ 2021-08-18 19:32 UTC (permalink / raw)
  To: openbmc



On 8/18/21 8:54 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday September 18 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
Attended: Joseph Reynolds, Bruce Mitchell, James Mihm, Jiang Zhang, 
Richard Wilkins, Surya Intel, Daniil Egranov Arm

> 1. Wholesale changes to bitbake recipes were made.  See 
> https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u 
> <https://lore.kernel.org/openbmc/YQ1FD5q8KbhbXVBK@heinlein/T/#u> My 
> non-specific security concern (Joseph) is accidentally mis-configuring 
> something with these changes.

DISCUSSION: None


> 2. Gerrit review - The BMCWeb session idle timeout changed to 30 
> minutes (was 60): 
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45658 
> <https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45658>
DISCUSSION: None
> 3. Yocto is planning a security configuration guide.  See 
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509 
> <https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509>

DISCUSSION: None

Bonus items:

4. What database?  Bugzilla?  github.com issues?

DISCUSSION:

James and Surya looked at github issues.  Will test drive github.  Need 
dashboard/query function.  Worries about accidental disclosure.

Tianocore uses bugzilla per Richard.  UEFI has a separate database (not 
bugzilla).

Use github private branches?

What development process for security code reviews (Github reviews vs 
gerrit)?

Next steps: James and Surya will come up with critical objections to 
using github issues.


5 How to add session timeouts to host console?

DISCUSSION:

See the diagram in the README under 
https://github.com/openbmc/obmc-console.

We thought obmc-console-client was the right place to implement the 
timeout mechanism.

I created https://github.com/openbmc/obmc-console/issues/18.




>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph



* Re: Security Working Group meeting - Wednesday September 18 - results
  2021-08-18 19:32 ` Security Working Group meeting - Wednesday September 18 - results Joseph Reynolds
@ 2021-08-19  0:49   ` Jeremy Kerr
  2021-08-20 16:19     ` Security Working Group meeting - Wednesday September 18 - results - add idle timeout Joseph Reynolds
  0 siblings, 1 reply; 6+ messages in thread
From: Jeremy Kerr @ 2021-08-19  0:49 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc

Hi Joseph,

> 5 How to add session timeouts to host console?
> 
> DISCUSSION:
> 
> See the diagram in the README under 
> https://github.com/openbmc/obmc-console 
> <https://github.com/openbmc/obmc-console>.
> 
> We thought obmc-console-client was the right place to implement the 
> timeout mechanism.

OK, but that diagram doesn't really cover the detail you'd need to base
such a decision on; there's the ssh server between port 2222 and the
obmc-console-client program.

[obmc-console-client is just a *really* simple bridge between stdio and
a unix domain socket. It doesn't own the network socket, nor do any
authentication or authorisation]

We can definitely do an optional timeout in obmc-console-client, but I
want to make sure that's really what you want first.

Cheers,



Jeremy



* Re: Security Working Group meeting - Wednesday September 18 - results - add idle timeout
  2021-08-19  0:49   ` Jeremy Kerr
@ 2021-08-20 16:19     ` Joseph Reynolds
  0 siblings, 0 replies; 6+ messages in thread
From: Joseph Reynolds @ 2021-08-20 16:19 UTC (permalink / raw)
  To: Jeremy Kerr, openbmc

On 8/18/21 7:49 PM, Jeremy Kerr wrote:
> Hi Joseph,
>
>> 5 How to add session timeouts to host console?
>>
>> DISCUSSION:
>>
>> See the diagram in the README under
>> https://github.com/openbmc/obmc-console
>> <https://github.com/openbmc/obmc-console>.
>>
>> We thought obmc-console-client was the right place to implement the
>> timeout mechanism.
> OK, but that diagram doesn't really cover the detail you'd need to base
> such a decision on; there's the ssh server between port 2222 and the
> obmc-console-client program.

Here is my understanding of the code which establishes new connections.  
My knowledge here is limited; please correct me or add anything I missed.
1. The service to listen at port 2200 ("host console") is here:
github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb
2. That service uses systemd service files under:
github.com/openbmc/obmc-console/tree/master/conf
3. The `obmc-console-ssh@.service` handles each new connection by 
running dropbear which connects the instance to the obmc-console-client 
program.

When a network client reaches TCP port 2200, I understand the flow is:
1. When the obmc-console-ssh.socket gets a new connection, it activates 
an instance of obmc-console-ssh@.service.
2. The obmc-console-ssh instance runs the dropbear program.
3. The dropbear program creates an SSH session which connects the 
network session user to the obmc-console-client program.

Given that flow, I see the following choices for where to enforce an 
idle timeout:
1. Do systemd sockets have a timeout mechanism?  I found controls for 
when the listening socket is idle, but not for a socket handling a 
connection instance.  However, my knowledge in this area is very limited.
2. The dropbear SSH server has a session idle timeout mechanism (command 
line parameter: `dropbear ... -I 3600`).
3. Add a new parameter to the obmc-console-client.  See 
https://github.com/openbmc/obmc-console/issues/18
4. Run a new program between dropbear and obmc-console-client to provide 
the idle timeout, for example, like the `screen` command with TMOUT set 
to the desired timeout.

Of these options, I think the easiest is to have dropbear provide the 
timeout, but note that OpenSSH does not provide an idle session 
timeout.  I believe the right solution is to add a timeout to 
obmc-console-client, as proposed in obmc-console/issues/18.

Joseph

>
> [obmc-console-client is just a *really* simple bridge between stdio and
> a unix domain socket. It doesn't own the network socket, nor do any
> authentication or authorisation]
>
> We can definitely do an optional timeout in obmc-console-client, but I
> want to make sure that's really what you want first.
>
> Cheers,
>
>
>
> Jeremy
>
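
Option 3 in the message above (a timeout inside the stdio-to-socket bridge) comes down to a relay loop with a deadline. The sketch below is an added Python example, not obmc-console-client code (which is C); the function name and the `output_counts` switch are assumptions. It shows one design point the thread does not settle: whether host console output should reset the idle timer.

```python
import select
import time

def relay_with_idle_timeout(client, console, idle_seconds, output_counts=False):
    """Copy bytes both ways between two connected sockets.

    Returns "eof" when either side closes, or "idle" when the timer expires.
    By default only bytes typed by the client reset the timer, so a chatty
    host console cannot keep an unattended session open indefinitely; pass
    output_counts=True to let console output reset it as well.
    """
    peers = {client: console, console: client}
    deadline = time.monotonic() + idle_seconds
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "idle"
        readable, _, _ = select.select(list(peers), [], [], remaining)
        for src in readable:
            data = src.recv(4096)
            if not data:
                return "eof"
            peers[src].sendall(data)
            if src is client or output_counts:
                deadline = time.monotonic() + idle_seconds
```

With `output_counts=False` the session ends `idle_seconds` after the last keystroke even while the host is printing boot messages.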

