openbmc.lists.ozlabs.org archive mirror
From: Ed Tanous <ed@tanous.net>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Request new repo for IBM-specific code
Date: Mon, 8 Mar 2021 08:03:40 -0800
Message-ID: <CACWQX8048sDqehYaRAS9-T8G8ffWgLo-1fOVsozAC=4TtJdFqw@mail.gmail.com>
In-Reply-To: <b8af3438-f85a-cb82-c88c-9c4e120399e9@linux.ibm.com>

On Thu, Mar 4, 2021 at 7:15 PM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>
> What is the right repository for a new Linux-PAM module to implement an
> IBM-specific ACF authentication?
>
> The access control file (ACF) design was introduced to the OpenBMC
> security working group and is described in [IBM issue 1737][] and
> further explained in [IBM issue 2562][].

Could you describe it in a design doc?  Implementing ACL seems like
something that's going to affect a lot of the system (at a minimum
every outward facing client).  Unless you really think that you can do
this with no changes to the client repos or phosphor-user-manager, it
seems like it's worth discussion.  For what it's worth, I really don't
want to branch the authorization code in bmcweb depending on what
company compiled the code.  They were hard enough to get right in the
general case, and matter a lot for security.  The likelihood we get
them right for every flavor of auth that a company might want to do
seems unlikely.  If we as a project need an "ultra user" that seems
like it shouldn't be specific to IBM, or should be a generic
configuration that IBM systems apply on top, using common routines.
I've already detailed a path toward this in a previous email on this
topic.

>
> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
> the IPMI implementation is shared by all of OpenBMC.  By comparison, the
> proposed ibm-pam-acf module is intended only for IBM Enterprise
> systems.  The intended implementation is based on standard cryptography
> techniques and could be developed into a general authentication
> solution, but the ACF is specific to IBM in terms of its exact format
> and content, and I expect it will only be used by IBM and its partners.

Have you released the specifications for this file format with an
appropriate license?  That seems like a good first step to figuring
out if these could find a home in OpenBMC.  If you've already done
that, could you link them?

>
> Can we create a new OpenBMC repo for this?  Perhaps ibm-pam-acf?  Or
> should this go into some other repo?

Could you please post the code you're planning on putting there
somewhere that we can see it in gerrit?  I suspect that would help
review whether or not a new repo is warranted, and probably give hints
as to what design you're planning on implementing.
>
> - Joseph
>
> [IBM issue 1737]: https://github.com/ibm-openbmc/dev/issues/1737
> [IBM issue 2562]: https://github.com/ibm-openbmc/dev/issues/2562
> [pam-ipmi modules]: https://github.com/openbmc/pam-ipmi
