openbmc.lists.ozlabs.org archive mirror
From: Zhenfei Tai <ztai@google.com>
To: OpenBMC Maillist <openbmc@lists.ozlabs.org>,
	Ed Tanous <edtanous@google.com>,
	gmills@us.ibm.com
Cc: Justin Chen <juschen@google.com>, Richard Hanley <rhanley@google.com>
Subject: bmcweb: Install encrypted certificate to BMC
Date: Fri, 16 Apr 2021 17:23:52 -0700	[thread overview]
Message-ID: <CAMXw96PmAoSb5LJj-CzYA-47D-nCy81gBa=T94N_u2fqWL54EQ@mail.gmail.com> (raw)


Hi,

Currently certificate installation is supported by bmcweb via
*redfish/v1/Managers/bmc/Truststore/Certificates*, where the certificate
content is part of the JSON request.

For our use case it's a more restricted environment in which we don't want
to have plaintext certificates in the request. Instead we want to send a
pair of encrypted key and certificate from the host to the BMC and there
will be another daemon to decrypt them using an internal library.

Since it's not supported by the Redfish schema, my plan is to use the
*redfish/v1/CertificateService/OemActions* URI and a request payload like
below:
{
  "key": "encrypted key in binary",
  "certificate": "encrypted certificate in binary"
}

The reasons to use the URI and payload are:
1. It's related to certificate service although in opaque blobs.
2. It's fairly company specific that probably isn't universally applicable.

My questions are:
1. Is this a reasonable approach?
2. Shall we define an OEM schema for our request?

Thanks,
Zhenfei
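As an added illustration of the payload proposed above (example code, not from the mail or from bmcweb): JSON cannot carry raw binary, so the two opaque blobs have to be base64-encoded, and the BMC-side handler should validate the request before handing anything to the decryption daemon. The URI and the field names `key` and `certificate` come from the proposal; the base64 encoding, the size limit, the PEM-marker check and the sample blobs are assumptions made for this example.

```python
import base64
import json
import re

# URI from the proposal (no action name is defined under it in the mail,
# so this example stops at the collection path).
OEM_ACTION_URI = "/redfish/v1/CertificateService/OemActions"

# Assumed upper bound on one encrypted blob; the proposal defines no limit.
MAX_BLOB_BYTES = 64 * 1024

# A PEM header inside a blob means plaintext key material reached a channel
# that is supposed to carry only ciphertext.
PEM_MARKER = re.compile(rb"-----BEGIN [A-Z ]+-----")


def build_payload(encrypted_key: bytes, encrypted_cert: bytes) -> str:
    """Host side: base64-encode each opaque ciphertext blob into the two
    fields named in the proposal and serialise them as JSON."""
    body = {
        "key": base64.b64encode(encrypted_key).decode("ascii"),
        "certificate": base64.b64encode(encrypted_cert).decode("ascii"),
    }
    return json.dumps(body)


def parse_payload(raw: str) -> dict:
    """BMC side: decode and validate the request before the blobs go to the
    decryption daemon. Raises ValueError for anything the handler should
    answer with a 400 instead of processing."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("malformed JSON") from exc
    if not isinstance(body, dict) or set(body) != {"key", "certificate"}:
        raise ValueError("payload must contain exactly 'key' and 'certificate'")

    blobs = {}
    for field in ("key", "certificate"):
        value = body[field]
        if not isinstance(value, str) or not value:
            raise ValueError(f"{field} must be a non-empty base64 string")
        # Cheap bound before decoding: base64 expands by about 4/3.
        if len(value) > MAX_BLOB_BYTES * 4 // 3 + 4:
            raise ValueError(f"{field} exceeds {MAX_BLOB_BYTES} bytes")
        try:
            blob = base64.b64decode(value, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{field} is not valid base64") from exc
        if not blob:
            raise ValueError(f"{field} decoded to an empty blob")
        if len(blob) > MAX_BLOB_BYTES:  # authoritative size check
            raise ValueError(f"{field} exceeds {MAX_BLOB_BYTES} bytes")
        if PEM_MARKER.search(blob):
            raise ValueError(f"{field} looks like plaintext PEM, not ciphertext")
        blobs[field] = blob
    return blobs


def is_rejected(raw: str) -> bool:
    """True if parse_payload refuses the request."""
    try:
        parse_payload(raw)
    except ValueError:
        return True
    return False


# Constructed sample blobs standing in for output of the internal encryption
# library; they are not real ciphertext.
SAMPLE_KEY_CIPHERTEXT = bytes(range(256))
SAMPLE_CERT_CIPHERTEXT = bytes(reversed(range(256)))

if __name__ == "__main__":
    request = build_payload(SAMPLE_KEY_CIPHERTEXT, SAMPLE_CERT_CIPHERTEXT)
    print("POST", OEM_ACTION_URI, f"({len(request)} bytes of JSON)")
    print("round trip ok:", parse_payload(request)["key"] == SAMPLE_KEY_CIPHERTEXT)
    # A plaintext PEM accidentally sent through the encrypted-only channel.
    leaked = build_payload(b"-----BEGIN PRIVATE KEY-----\nMIIB...", b"\x01")
    print("plaintext PEM rejected:", is_rejected(leaked))
```

The receiver treats the blobs as opaque, as the proposal intends, and only enforces shape, size and the absence of obvious plaintext; everything cryptographic stays with the separate decryption daemon.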


Thread overview: 5+ messages
2021-04-17  0:23 Zhenfei Tai [this message]
2021-04-17 18:50 ` bmcweb: Install encrypted certificate to BMC Michael Richardson
2021-04-19  7:18   ` Ed Tanous
2021-04-23 13:26     ` Patrick Williams
2021-04-23 16:37       ` Ed Tanous
