* Security Working Group Meeting - Wed 30 September
From: Parth Shukla @ 2020-09-29 17:52 UTC (permalink / raw)
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting scheduled
for this Wednesday September 30 at 10:00am PDT.
There are currently no items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>.
Assuming no items are added before the meeting then we have the option of
1) cancelling or 2) joining to see if anyone wants to bring up any topics
for discussion. What are people's preferences?
I'll assume option 2 as the default and dial in unless we get some
consensus on this thread to cancel the meeting instead.
Access and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
Regards,
Parth
* Re: Security Working Group Meeting - Wed 30 September - results
From: Joseph Reynolds @ 2020-09-30 18:56 UTC (permalink / raw)
To: openbmc
On 9/29/20 12:52 PM, Parth Shukla wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday September 30 at 10:00am PDT.
>
> There are currently no items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>.
> Assuming no items are added before the meeting then we have the option
> of 1) cancelling or 2) joining to see if anyone wants to bring up any
> topics for discussion. What are people's preferences?
Thanks Parth. We added 4 agenda items and discussed them, as summarized
below.
- Joseph
1 Call for “Additional Topics for Learning Series” includes a security
topic: how the project reports/handles CVEs, designing for security, secure
boot, privileges, etc. What topics should this cover?
ANSWER:
Joseph will email an outline for the talk.
2 Do we want to look at items from our “security assurance workflow”
linked above? For example, what items from the CSIS paper are high
priority for OpenBMC?
DISCUSSION:
Which processes should the OpenBMC project prioritize? Example:
* Follow the code review process to prevent malicious code being inserted.
* Inadequate project docs.
* Use interface docs to move toward threat modeling.
* What will OpenBMC do if github fails and loses the source code? How
  do we implement secure disaster recovery? (Ideas discussed were to
  establish a secure server and then collaborate to merge our private
  copies into the “official” source.)
NEXT Step: Joseph to send email.
3 Getting mTLS-only option to be supported by Redfish standard:
https://redfishforum.com/thread/375/mtls-enforcement-openbmcs-redfish-implementation
ANSWER:
There is interest in OpenBMC supporting mTLS-only use case. This is a
good example of disabling interfaces that are not needed (specifically,
password authentication).
Please contribute to the Redfish thread. Attend the private Redfish
forum meeting to push this forward.
4 Short update on privilege separation progress
ANSWER:
Anton walked us through his progress, including:
* D-Bus broker has support for ACLs.
* Enable systemd-nss: use supplementary groups for dynamic users.
* Working on net ipmid privileges; next is bmcweb.
Start a wiki to track daemons capabilities needed, sandboxing models,
file access, etc.
>
> I'll assume option 2 as the default and dial in unless we get some
> consensus on this thread to cancel the meeting instead.
>
> Access and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> Regards,
> Parth
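As an added illustration of the privilege-separation direction in item 4 (dynamic users resolved through systemd-nss, supplementary groups instead of root, capabilities limited to what the daemon needs), here is a sandboxed systemd unit for a BMC network daemon. This is example configuration written for this page, not a unit shipped by OpenBMC or by Anton's work; the service name "example-netipmid", its binary path and the "ipmi" group are assumptions.

```ini
# Example sandboxed unit for a BMC IPMI-over-LAN daemon (illustrative,
# not an OpenBMC unit). Service/binary/group names are assumptions.
[Unit]
Description=Example sandboxed IPMI-over-LAN daemon
After=network.target dbus.service
Wants=dbus.service

[Service]
ExecStart=/usr/bin/example-netipmid
# Run as a transient unprivileged user that systemd creates at start and
# systemd-nss resolves by name at runtime. Group membership, not root,
# grants access to the few shared resources the daemon needs.
DynamicUser=yes
SupplementaryGroups=ipmi
# Keep only the capability the daemon can justify: binding UDP/623
# without being root. Everything else is dropped from the bounding set.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Filesystem confinement: read-only OS view, private /tmp and /dev,
# one explicitly granted writable state directory.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=example-netipmid
# Kernel attack-surface reduction.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Only the socket families an IPMI LAN daemon and a D-Bus client need.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Seccomp allow-list for ordinary system services, minus privileged
# and resource-control calls.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

Two checks go with a unit like this. `systemd-analyze security example-netipmid.service` scores the unit's remaining exposure and lists each directive it considers missing, which is a convenient way to keep the per-daemon capability and sandboxing inventory the notes propose tracking in a wiki. And because a dynamic user has no fixed uid, the daemon's D-Bus policy (the busconfig XML consumed by dbus-broker's ACL support) must grant its bus names by group rather than by user, or the first D-Bus call will fail with an access denial.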