From: Ed Tanous <ed@tanous.net>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Justin Chen <juschen@google.com>,
OpenBMC Maillist <openbmc@lists.ozlabs.org>,
Ed Tanous <edtanous@google.com>,
Richard Hanley <rhanley@google.com>,
gmills@us.ibm.com, Zhenfei Tai <ztai@google.com>
Subject: Re: bmcweb: Install encrypted certificate to BMC
Date: Mon, 19 Apr 2021 00:18:15 -0700 [thread overview]
Message-ID: <CACWQX8166T=3-ZKo+EtC-e67KzTgfgh0JxKA3G3ap1LVucbQYg@mail.gmail.com> (raw)
In-Reply-To: <10871.1618685448@localhost>
On Sat, Apr 17, 2021 at 11:56 AM Michael Richardson <mcr@sandelman.ca> wrote:
>
>
> Zhenfei Tai <ztai@google.com> wrote:
> > For our use case it's a more restricted environment in which we don't want
> > to have plaintext certificates in the request. Instead we want to send a
> > pair of encrypted key and certificate from the host to the BMC and there
> > will be another daemon to decrypt them using an internal library.
>
> certificates are public objects.
> Perhaps you are transfering a private key?
Correct; This wasn't made clear in the initial email, but this
"certificate" is really a certificate and the private key.
> Is this an IDevID-like installed by the manufacturer, or is this a cert/key
> to be used on the production floor (DC).
DC.
>
> If you have a daemon present that can decrypt things, then you already have a
> private key (or symmetric key) present, and that key is subject to attack.
> (Unless you add yet another layer of indirection via TPM chip....)
This wasn't clear in the initial email, but yes, this would be a case
of exactly what you described in the "unless" part. The TPM-like chip
has a specific format that we're hoping to upload to it through the
OOB interfaces that would give it a form of identity.
>
> I strongly recommend that you do not invent new technology here.
> EST (RFC7030) is considered the best technology here, with SCEP (RFC8894)
> being a legacy choice.
I read through that spec a bit. The issue there is that it has no
compatibility with Redfish, so implementing that would be yet another
subsystem to build and maintain, and wouldn't work in tandem with
Redfish aggregators once the key was decoded. While I wouldn't be
against anyone implementing that on OpenBMC, that wouldn't meet the
needs of what we're trying to accomplish; Also, it isn't clear that
RFC8894 has provisions for custom certificate formats, of which this
would definitely be one.
>
> > My questions are:
> > 1. Is this a reasonable approach?
> > 2. Shall we define an OEM schema for our request?
>
> Finally, I am working on a BRSKI (RFC8995, aka
> draft-ietf-anima-bootstrapping-keyinfra, not quite published, still in middle
> of AUTH48) module for OpenBMC.
Neat. Looking forward to seeing it.
> You may prefer help with that instead of
> inventing something that hasn't gone through the same level of review.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | IoT architect [
> ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
>
>
While there are efforts to standardize these kinds of payloads (see
cerberus and opentitan) the systems today will never be physically
capable of implementing whatever protocol gets standardized, so we
will need some solution regardless.
In this case, I see 3 options for how to proceed.
1. Create an OEM action within CertificateService, specific to Google,
and namespaced as such. I'm imagining something like "Google/SetKey".
Considering the TPM-like devices have a device-specific format, and
will only ever be seen on a Google system, this seems like an
appropriate and intended use of Redfish OEM schemas. If we went this
route, I would commit our team to at least make progress on solving
the existing OEM schema tech debt
(https://github.com/openbmc/bmcweb/issues?q=is%3Aissue+is%3Aopen+label%3A%22OEM+schema%22)
so as this would not make the situation worse.
2. Similar to 1, but the action would be namespaced within OpenBMC.
While this would also solve the problem, in-lies another problem with
how a client would know what the format of the file should be. Other
systems that implement ROT solutions will likely have their own
format, and clients won't be able to inspect the format.
3. Put it within a google/v1 namespace path similar to ibm/v1. This
would prevent using Redfish aggregators, which would be a problem for
the intended use case of deploying this to many bmcs.
next prev parent reply other threads:[~2021-04-19 7:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-17 0:23 bmcweb: Install encrypted certificate to BMC Zhenfei Tai
2021-04-17 18:50 ` Michael Richardson
2021-04-19 7:18 ` Ed Tanous [this message]
2021-04-23 13:26 ` Patrick Williams
2021-04-23 16:37 ` Ed Tanous
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACWQX8166T=3-ZKo+EtC-e67KzTgfgh0JxKA3G3ap1LVucbQYg@mail.gmail.com' \
--to=ed@tanous.net \
--cc=edtanous@google.com \
--cc=gmills@us.ibm.com \
--cc=juschen@google.com \
--cc=mcr@sandelman.ca \
--cc=openbmc@lists.ozlabs.org \
--cc=rhanley@google.com \
--cc=ztai@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).