* Security Working Group Meeting - Wed 30 September
@ 2020-09-29 17:52 Parth Shukla
From: Parth Shukla @ 2020-09-29 17:52 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting scheduled
for this Wednesday September 30 at 10:00am PDT.

There are currently no items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>.
Assuming no items are added before the meeting then we have the option of
1) cancelling or 2) joining to see if anyone wants to bring up any topics
for discussion. What are people's preferences?

I'll assume option 2 as the default and dial in unless we get some
consensus on this thread to cancel the meeting instead.

Access, and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

Regards,
Parth

* Re: Security Working Group Meeting - Wed 30 September - results
From: Joseph Reynolds @ 2020-09-30 18:56 UTC (permalink / raw)
  To: openbmc



On 9/29/20 12:52 PM, Parth Shukla wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday September 30 at 10:00am PDT.
>
> There are currently no items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>. 
> Assuming no items are added before the meeting then we have the option 
> of 1) cancelling or 2) joining to see if anyone wants to bring up any 
> topics for discussion. What are people's preferences?

Thanks Parth.  We added 4 agenda items and discussed them, as summarized 
below.

- Joseph


1 Call for “Additional Topics for Learning Series” includes a security 
topic: how the project reports/handles CVEs, designing for security, secure 
boot, privileges, etc.  What topics should this cover?

ANSWER:

Joseph will email an outline for the talk.


2 Do we want to look at items from our “security assurance workflow” 
linked above?  For example, what items from the CSIS paper are high 
priority for OpenBMC?

DISCUSSION:

Which processes should the OpenBMC project prioritize? Example:

  * Follow the code review process to prevent malicious code being inserted.

  * Inadequate project docs.

  * Use interface docs to move toward threat modeling.

  * What will OpenBMC do if github fails and loses the source code?  How
    do we implement secure disaster recovery?  (Ideas discussed were to
    establish a secure server and then collaborate to merge our private
    copies into the “official” source.)

NEXT Step: Joseph to send email.


3 Getting mTLS-only option to be supported by Redfish standard: 
https://redfishforum.com/thread/375/mtls-enforcement-openbmcs-redfish-implementation

ANSWER:

There is interest in OpenBMC supporting mTLS-only use case.  This is a 
good example of disabling interfaces that are not needed (specifically, 
password authentication).

Please contribute to the Redfish thread.  Attend the private Redfish 
forum meeting to push this forward.


4 Short update on privilege separation progress

ANSWER:

Anton walked us through his progress, including:

  * D-bus broker has support for ACLs.

  * Enable systemd-nss - Use supplementary groups for dynamic users.

  * Working on net ipmid privileges, next is bmcweb.

Start a wiki to track daemons capabilities needed, sandboxing models, 
file access, etc.


>
> I'll assume option 2 as the default and dial in unless we get some 
> consensus on this thread to cancel the meeting instead.
>
> Access, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> Regards,
> Parth

