openbmc.lists.ozlabs.org archive mirror
* Re: [Potential Spoof] OpenBMC Learning Series
@ 2020-07-25  0:13 Sai Dasari
  2020-10-09 17:33 ` OpenBMC Learning Series - security Joseph Reynolds
  0 siblings, 1 reply; 7+ messages in thread
From: Sai Dasari @ 2020-07-25  0:13 UTC (permalink / raw)
  To: Openbmc


[-- Attachment #1.1: Type: text/plain, Size: 5187 bytes --]

Team,

Thanks to all volunteer speakers stepping up to share their expertise with community. For speaker convenience, the sessions will be held on two TimeZones (USA/PDT and INDIA/IST) on Thursdays@10AM starting from 8/20 onwards.

I encourage you to take a look at the shared doc @ https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing for more information regarding this series. If you would like to see more topics (either as speakers or new community members), please feel free to add them for extending the topics in future sessions.

Following table is for a quick reference (Apologies for those using text based email clients if the following table does not render properly). The same  information is available at the above shared doc.

And also please find the calendar appointment for the scheduled sessions as attachments to reserve/plan your time.

Thanks,
Sai


Session# | Title | Speaker | Meeting Info (password: openbmc)
1 | OpenBMC User Management | Richard Thomaiyar | https://us02web.zoom.us/j/81386216701?pwd=aU1Sd1lrclNqN05aREtzcmFMTG1Kdz09 , Date: 8/20@10AM PDT
2 | Adding new platform to OpenBMC | Vijay Khemka | https://us02web.zoom.us/j/84964981135?pwd=UFY3cVRCdHpHVmpUSXNtdjBjZ2pQUT09 , Date: 8/27@10AM PDT
3 | Redfish EventService | AppaRao | https://us02web.zoom.us/j/83980904008?pwd=eDRlMTZpUm56TkpNaWxac2h1czdhUT09 , Date: 8/27@10AM IST
4 | sdbusplus and phosphor-dbus-interfaces | Patrick Williams | https://us02web.zoom.us/j/86726018083?pwd=a1FqeUNEcHhud25WKzJORzdZQ0tsUT09 , Date: 9/3@10AM PDT
5 | Entity Manager on S2600WF | James Feist | https://us02web.zoom.us/j/82785505636?pwd=U3N3eWVOYkdhdVFod1FFeVRiQTA3UT09 , Date: 9/10@10AM PDT
6 | Remote BIOS configuration | Suryakanth Sekar | https://us02web.zoom.us/j/82943666703?pwd=UjRURnZJc01RSFJLa3RHb2ZycDR1QT09 , Date: 9/10@10AM IST
7 | PLDM Modelling for Add-on card | Richard Thomaiyar | https://us02web.zoom.us/j/87446140838?pwd=ZVdZOFlCdzU2RlpLaVFVUG1pUUFBZz09 , Date: 9/17@10AM PDT
8 | SPDM | Vikram Bodireddy | https://us02web.zoom.us/j/82356547887?pwd=NmpOUmNzKzJyTzFWck5yZTJySGs2dz09 , Date: 9/17@10AM IST
9 | PLDM Stack on OpenBMC | Deepak Kodihalli | https://us02web.zoom.us/j/81854376605?pwd=R25UMkd6VTNMU2dnOU1HS0Z4NUJ6dz09 , Date: 9/24@10AM PDT
10 | OpenBMC's Redfish implementation | Gunnar Mills | https://us02web.zoom.us/j/83152526283?pwd=c1g2d1BzbWgvVVVaRU53S2VzT2Vjdz09 , Date: 10/1@10AM PDT
11 | OpenBMC Vue GUI/ Vue development | Dixsie Wolmers | https://us02web.zoom.us/j/87423100421?pwd=YzNCaWlKd3lqN24zUmtsUXcvQmFHdz09 , Date: 10/8@10AM PDT
12 | Qemu for OpenBMC development and testing | Joel Stanley | To Be Scheduled
13 | IPMI subsystem | Saravanan Palanisamy | To Be Scheduled


From: openbmc <openbmc-bounces+sdasari=fb.com@lists.ozlabs.org> on behalf of Sai Dasari <sdasari@fb.com>
Date: Wednesday, June 3, 2020 at 11:11 AM
To: Openbmc <openbmc@lists.ozlabs.org>
Subject: [Potential Spoof] OpenBMC Learning Series

Team,

Our OpenBMC community continues to grow at a rapid pace as can be observed by various metrics like number of CCLAs, industry adoption rate, design/code contributions, numerous technical conversations over Mailing List/IRC/Gerrit, and more. Because of this rapid growth the project might appear to be a bit complex for a new contributor evaluating our stack. I believe there are multiple ongoing efforts of reducing this barrier for a potential contributor to ramp them up quickly on this stack that includes documentation, wiki pages, tutorials in our github repo.

In addition to these ongoing efforts, I propose to start a video based learning series that aims to introduce OpenBMC stack for a potential contributor. I hope such video series will help disseminate tribal knowledge that we built in this community over a period of time and ramp up the new contributors quickly. To make this series useful, I seek volunteer speakers who are interested in sharing their expertise and help plan this series to be more effective. For those of you who are interested, please add yourself as speaker with title/description before 6/17 @ https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing

Some topics for consideration include OpenBMC project overview, Software stack architecture, community developer guidelines, Repo structure and guidelines, Usage of Yocto in OpenBMC,  Usage of D-Bus in OpenBMC, C++ coding standards in OpenBMC,  IPMI sub-system, Redfish sub-system, Using QEMU effectively, Sensor sub-system, Best practices in debugging, Logging, metrics/telemetry etc. And this is not an exhaustive list and feel free to add any topic that you plan to share with community.

I will reach out to volunteer speakers and facilitate logistics and update the ML with next steps. Please let me know for any info regarding this effort.

Thanks,
Sai.





[-- Attachment #1.2: Type: text/html, Size: 30956 bytes --]

[-- Attachment #2: OpenBMC-GUI.ics --]
[-- Type: text/calendar; name="OpenBMC-GUI.ics", Size: 1778 bytes --]

[-- Attachment #3: OpenBMC-Redfish.ics --]
[-- Type: text/calendar; name="OpenBMC-Redfish.ics", Size: 1776 bytes --]

[-- Attachment #4: OpenBMC-PLDM.ics --]
[-- Type: text/calendar; name="OpenBMC-PLDM.ics", Size: 1775 bytes --]

[-- Attachment #5: OpenBMC-PLDM-Addon.ics --]
[-- Type: text/calendar; name="OpenBMC-PLDM-Addon.ics", Size: 1800 bytes --]

[-- Attachment #6: OpenBMC-SPDM.ics --]
[-- Type: text/calendar; name="OpenBMC-SPDM.ics", Size: 1549 bytes --]

[-- Attachment #7: OpenBMC-EntityMgr.ics --]
[-- Type: text/calendar; name="OpenBMC-EntityMgr.ics", Size: 1796 bytes --]

[-- Attachment #8: OpenBMC-remoteBIOS.ics --]
[-- Type: text/calendar; name="OpenBMC-remoteBIOS.ics", Size: 1569 bytes --]

[-- Attachment #9: OpenBMC-sdbus.ics --]
[-- Type: text/calendar; name="OpenBMC-sdbus.ics", Size: 1808 bytes --]

[-- Attachment #10: OpenBMC-NewPlatform.ics --]
[-- Type: text/calendar; name="OpenBMC-NewPlatform.ics", Size: 1789 bytes --]

[-- Attachment #11: OpenBMC-RedfishEvent.ics --]
[-- Type: text/calendar; name="OpenBMC-RedfishEvent.ics", Size: 1571 bytes --]

[-- Attachment #12: OpenBMC-UserMgmt.ics --]
[-- Type: text/calendar; name="OpenBMC-UserMgmt.ics", Size: 1785 bytes --]


* Re: OpenBMC Learning Series - security
  2020-07-25  0:13 [Potential Spoof] OpenBMC Learning Series Sai Dasari
@ 2020-10-09 17:33 ` Joseph Reynolds
  2020-10-09 19:51   ` Patrick Williams
  2020-10-15 18:55   ` OpenBMC Learning Series - list of security topics Joseph Reynolds
  0 siblings, 2 replies; 7+ messages in thread
From: Joseph Reynolds @ 2020-10-09 17:33 UTC (permalink / raw)
  To: Openbmc, Sai Dasari

On 7/24/20 7:13 PM, Sai Dasari wrote:
>
> Team,
>
> Thanks to all volunteer speakers stepping up to share their expertise 
> with community. For speaker convenience, the sessions will be held on 
> two *TimeZones* (USA/PDT and INDIA/IST) on *Thursdays@10AM* starting 
> from 8/20 onwards.
>
> I encourage you to take a look at the shared doc @ 
> https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing 
> for more information regarding this series. If you would like to see 
> more topics (either as speakers or new community members), please feel 
> free to add them for extending the topics in future sessions.
>
...snip...


Sai and the OpenBMC community,

Here is my big-picture idea to organize OpenBMC's security effort. I 
hope this material will guide the project's overall security effort, 
including the learning series.

I want to take this process one step at a time to help build consensus 
for my approach.

My big idea is to apply the world's best publicly available security 
schemes to the OpenBMC project.  Schemes like Microsoft Security 
Engineering, IBM Secure Engineering, and the Common Criteria evaluation 
have been developed over decades of experience and give us the most 
complete guidance for the OpenBMC project and its users.  We should use 
them.

Does this seem like the right approach?  See discussion in footnote 1.

These schemes have a lot in common.  For example, they all advocate for 
threat modeling, security testing, and development process steps like 
design and code reviews.  I am trying to get at that common portion and 
I would like to hear your ideas.

The elements of each scheme are listed in footnote 2 below.  Which of 
these seem most important?  It is so easy (and fun) to focus on security 
functions like authentication and transport layer security algorithms.  
But we might be served better by documenting BMC's architecture to 
understand where its weaknesses are, or making better security tests.  I 
would like to hear your ideas, and I can help sort them into the 
big-picture.


For the learning series presentation, I suggest picking up a dozen or so 
categories from below, including authentication and user management, 
testing and coding, documentation and threat models, incident response, 
etc.  Does that sound right?

- Joseph

## Footnote 1 - How we can use the world's best security schemes

I foresee several difficulties in trying to apply the schemes:
1. The project has not agreed to any particular security scheme and is 
unlikely to choose one, because...
2. Performing any security evaluation is expensive in terms of 
person-hours investment by subject matter experts and we have limited 
resources, and...
3. The big-picture security schemes apply to an entire IT project (like 
a server) while OpenBMC is only source code for one part of any such 
project, so we cannot apply the full methodology.

Why a big-picture scheme?  Security schemes that have a smaller scope 
will not take the project security to the highest levels.  The OpenBMC 
project itself should perform security work needed by various 
big-picture security schemes (such as listed above).  This includes not 
only features like transport security and authentication, but also 
documentation, evidence of design and code reviews, testing, and bug 
fixes, as required by big-picture secure engineering mandates.  Yes, the 
project does all that already, but that work does not have a security 
context.  I would like to help define that context.

Would it be helpful to show how more targeted guidelines from OWASP, 
OCP, and CSIS fit into the big-picture schemes?
[OWASP]: https://www.owasp.org/
[OCP]: https://www.opencompute.org/wiki/Security
[CSIS]: 
https://github.com/opencomputeproject/Security/blob/master/SecureFirmwareDevelopmentBestPractices.md

NOTE: This is a refresh of the effort started in the [security working 
group][] under the headings of "security assurance workflow" and 
"applicable standards".
[security working group]: 
https://github.com/openbmc/openbmc/wiki/Security-working-group

## Footnote 2 - Elements of high-level security schemes

Here are three high-level security schemes.  Is this the right set of 
schemes?
I've started to break these down.

==> Microsoft Security Engineering
https://www.microsoft.com/en-us/securityengineering
Security Development Lifecycle (SDL)
Operational Security Assurance (OSA)
Open Source Security
(Will someone help articulate which elements apply to OpenBMC?)

==> Common Criteria
https://www.commoncriteriaportal.org/cc/
Functional requirements:
- Security Audit (audit logs)
- Communication
- Cryptographic Support
- User data protection
- Authentication
- Security Management
- Privacy
- Protection of the BMC
- Resource Utilization
- BMC access, Trusted paths
Assurance requirements:
- Document BMC architecture and configuration
- Development (architecture, functions spec, implementation)
- Internal representation (source code)
- Guidance documentation
- Life-cycle support
- Tests
- Vulnerability Assessment.
Note: I've annotated and substituted some terminology to make this more 
readable (for example, TOE means BMC).  Also, I've skipped over some 
topics and grossly oversimplified others.  My goal is to make this list 
understandable to the BMC community and to organize OpenBMC work so it 
can be understood by security folks who do not have a BMC background.

==> IBM Secure Engineering
ibm.com/redbooks: Security in Development, The IBM Secure Engineering 
Framework
Development process: protect source code, planning, testing
Product lifecycle management: vulnerabilities, fixes
Secure Engineering Framework:
- Education and awareness
- Project Planning
- Risk assessment and threat modeling
- Security requirements
- Secure coding
- Test and vulnerability assessment
- Documentation
- Incident response
- Supply chain

Includes https://www.ibm.com/trust/security-spbd
- Assessment
- Threat Model
- Code Scan
- Security Tests
- Penetration Test
- Vulnerability Management



* Re: OpenBMC Learning Series - security
  2020-10-09 17:33 ` OpenBMC Learning Series - security Joseph Reynolds
@ 2020-10-09 19:51   ` Patrick Williams
  2020-10-14 15:00     ` Joseph Reynolds
  2020-10-15 18:55   ` OpenBMC Learning Series - list of security topics Joseph Reynolds
  1 sibling, 1 reply; 7+ messages in thread
From: Patrick Williams @ 2020-10-09 19:51 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: Openbmc


On Fri, Oct 09, 2020 at 12:33:17PM -0500, Joseph Reynolds wrote:
> On 7/24/20 7:13 PM, Sai Dasari wrote:
> >
> > Team,
> >
> > Thanks to all volunteer speakers stepping up to share their expertise 
> > with community. For speaker convenience, the sessions will be held on 
> > two *TimeZones* (USA/PDT and INDIA/IST) on *Thursdays@10AM* starting 
> > from 8/20 onwards.
> >
> > I encourage you to take a look at the shared doc @ 
> > https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing 
> > for more information regarding this series. If you would like to see 
> > more topics (either as speakers or new community members), please feel 
> > free to add them for extending the topics in future sessions.
> >
> ...snip...
> 
> 
> Sai and the OpenBMC community,
> 
> Here is my big-picture idea to organize OpenBMC's security effort. I 
> hope this material will guide the project's overall security effort, 
> including the learning series.
> 
> I want to take this process one step at a time to help build consensus 
> for my approach.
> 
> My big idea is to apply the world's best publicly available security 
> schemes to the OpenBMC project.  Schemes like Microsoft Security 
> Engineering, IBM Secure Engineering, and the Common Criteria evaluation 
> have been developed over decades of experience and give us the most 
> complete guidance for the OpenBMC project and its users.  We should use 
> them.
> 
> Does this seem like the right approach?  See discussion in footnote 1.

Hi Joseph,

What I can't tell is if you're describing the current state of affairs
or where you'd like to go.  My impression is that these education
sessions should be more current state of affairs with only a taste of
the future.  The education sessions are for people who have little-to-no
experience with OpenBMC already in order to make them more productive
quickly.

-- 
Patrick Williams


* Re: OpenBMC Learning Series - security
  2020-10-09 19:51   ` Patrick Williams
@ 2020-10-14 15:00     ` Joseph Reynolds
  0 siblings, 0 replies; 7+ messages in thread
From: Joseph Reynolds @ 2020-10-14 15:00 UTC (permalink / raw)
  To: Patrick Williams; +Cc: Openbmc



On 10/9/20 2:51 PM, Patrick Williams wrote:
> On Fri, Oct 09, 2020 at 12:33:17PM -0500, Joseph Reynolds wrote:
>> On 7/24/20 7:13 PM, Sai Dasari wrote:
...snip...
>>> Sai and the OpenBMC community,
>>>
>>> Here is my big-picture idea to organize OpenBMC's security effort. I
>>> hope this material will guide the project's overall security effort,
>>> including the learning series.
>>>
>>> I want to take this process one step at a time to help build consensus
>>> for my approach.
>>>
>>> My big idea is to apply the world's best publicly available security
>>> schemes to the OpenBMC project.  Schemes like Microsoft Security
>>> Engineering, IBM Secure Engineering, and the Common Criteria evaluation
>>> have been developed over decades of experience and give us the most
>>> complete guidance for the OpenBMC project and its users.  We should use
>>> them.
>>>
>>> Does this seem like the right approach?  See discussion in footnote 1.
> Hi Joseph,
>
> What I can't tell is if you're describing the current state of affairs
> or where you'd like to go.  My impression is that these education
> sessions should be more current state of affairs with only a taste of
> the future.  The education sessions are for people who have little-to-no
> experience with OpenBMC already in order to make them more productive
> quickly.

My email recommends a way to organize the security work.  Once we agree 
[1], I think we should organize project documentation, presentations, 
and working group activity in the same way.  The presentation would give 
a simplified overview of project security and link to the project's 
security documentation.  Does that make sense?

- Joseph

[1]: We are discussing this in today's security working group meeting:
https://github.com/openbmc/openbmc/wiki/Security-working-group



* Re: OpenBMC Learning Series - list of security topics
  2020-10-09 17:33 ` OpenBMC Learning Series - security Joseph Reynolds
  2020-10-09 19:51   ` Patrick Williams
@ 2020-10-15 18:55   ` Joseph Reynolds
  2020-10-15 19:33     ` Sai Dasari
       [not found]     ` <9bfccd5e-79ae-f1fb-6771-0514e3d1b2fd@preossec.com>
  1 sibling, 2 replies; 7+ messages in thread
From: Joseph Reynolds @ 2020-10-15 18:55 UTC (permalink / raw)
  To: openbmc, Sai Dasari

On 10/9/20 12:33 PM, Joseph Reynolds wrote:
> On 7/24/20 7:13 PM, Sai Dasari wrote:
>>
>> Team,
>>
>> Thanks to all volunteer speakers stepping up to share their expertise 
>> with community. For speaker convenience, the sessions will be held on 
>> two *TimeZones* (USA/PDT and INDIA/IST) on *Thursdays@10AM* starting 
>> from 8/20 onwards.
>>
>> I encourage you to take a look at the shared doc @ 
>> https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing 
>> for more information regarding this series. If you would like to see 
>> more topics (either as speakers or new community members), please 
>> feel free to add them for extending the topics in future sessions.
>>
> ...snip...
>
>
> Sai and the OpenBMC community,
>
> Here is my big-picture idea to organize OpenBMC's security effort. I 
> hope this material will guide the project's overall security effort, 
> including the learning series.
...snip...
> For the learning series presentation, I suggest picking up a dozen or 
> so categories from below, including authentication and user 
> management, testing and coding, documentation and threat models, 
> incident response, etc.  Does that sound right?

Sai, thanks for helping to push this forward.


OpenBMC community,

We agreed [1] to a list of "security topics" drawn from Microsoft Security 
Engineering, Common Criteria, and IBM Secure Engineering. The idea is 
that a project that uses OpenBMC and follows a similar security approach 
should be able to find what they need in the OpenBMC security topics, 
but the topics themselves are not tightly coupled to any specific 
approach.  Then each of the OpenBMC security topics will give whatever 
the project offers.

[1]: General agreement at the 2020-10-14 OpenBMC security working group 
meeting.  Notes here: 
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 


To clarify, I intend for these topics to be the organizing principle for 
the security working group and the learning series.  I am not announcing 
any intention to meet any guidelines, follow any specific practices, or 
perform any security assessments.  One step at a time.

Here is my initial proposal for topics.  This most certainly reflects my 
bias.  Feel free to suggest corrections, changes, and additions.
- Education and awareness
- Threat model
- Code scans
- Security tests (includes dynamic scans and penetration testing)
- Vulnerability management and incident response
- Development process (includes planning, designs, reviews, secure coding)
- Documentation (includes specs, architecture, designs, code, and 
configuration) - see breakout below
- Incident response
- Guidance documentation (for downstream projects and for BMC admins)
- Supply chain (includes source code from Yocto and projects built into 
the image)

BMC security function documentation:
- Audit logs
- Communication paths
- Cryptographic support
- User data protection
- Authentication
- Security Management
- Privacy
- Protection of the BMC
- Resource Utilization
- BMC access, Trusted paths

Excluded topics:
- Threat assessment - varies between use cases
- Supply chain (physical) - not applicable

For the learning series presentation I propose one slide to motivate why 
security focus is important, and another to explain how OpenBMC security 
topics relate to high-level security schemes and to more focused 
guidance from OWASP, OCP, and CSIS.  Then slides for each security 
topic.  My feeling is that even professional developers need help to 
understand how everything relates back to security. :-)

Let me know if you expect the learning series presentation to have any 
specific content.

- Joseph


* Re: OpenBMC Learning Series - list of security topics
  2020-10-15 18:55   ` OpenBMC Learning Series - list of security topics Joseph Reynolds
@ 2020-10-15 19:33     ` Sai Dasari
       [not found]     ` <9bfccd5e-79ae-f1fb-6771-0514e3d1b2fd@preossec.com>
  1 sibling, 0 replies; 7+ messages in thread
From: Sai Dasari @ 2020-10-15 19:33 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc



On 10/15/20, 11:55 AM, "Joseph Reynolds" <jrey@linux.ibm.com> wrote:

    On 10/9/20 12:33 PM, Joseph Reynolds wrote:
    > On 7/24/20 7:13 PM, Sai Dasari wrote:
    >>
    >> Team,
    >>
    >> Thanks to all volunteer speakers stepping up to share their expertise 
    >> with community. For speaker convenience, the sessions will be held on 
    >> two *TimeZones* (USA/PDT and INDIA/IST) on *Thursdays@10AM* starting 
    >> from 8/20 onwards.
    >>
    >> I encourage you to take a look at the shared doc @ 
    >> https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing  
    >> for more information regarding this series. If you would like to see 
    >> more topics (either as speakers or new community members), please 
    >> feel free to add them for extending the topics in future sessions.
    >>
    > ...snip...
    >
    >
    > Sai and the OpenBMC community,
    >
    > Here is my big-picture idea to organize OpenBMC's security effort. I 
    > hope this material will guide the project's overall security effort, 
    > including the learning series.
    ...snip...
    > For the learning series presentation, I suggest picking up a dozen or 
    > so categories from below, including authentication and user 
    > management, testing and coding, documentation and threat models, 
    > incident response, etc.  Does that sound right?

    Sai, thanks for helping to push this forward.


    OpenBMC community,

    We agreed [1] to a list of "security topics" drawn from Microsoft Security 
    Engineering, Common Criteria, and IBM Secure Engineering. The idea is 
    that a project that uses OpenBMC and follows a similar security approach 
    should be able to find what they need in the OpenBMC security topics, 
    but the topics themselves are not tightly coupled to any specific 
    approach.  Then each of the OpenBMC security topics will give whatever 
    the project offers.

    [1]: General agreement at the 2020-10-14 OpenBMC security working group 
    meeting.  Notes here: 
    https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI  

    To clarify, I intend for these topics to be the organizing principle for 
    the security working group and the learning series.  I am not announcing 
    any intention to meet any guidelines, follow any specific practices, or 
    perform any security assessments.  One step at a time.

    Here is my initial proposal for topics.  This most certainly reflects my 
    bias.  Feel free to suggest corrections, changes, and additions.
    - Education and awareness
    - Threat model
    - Code scans
    - Security tests (includes dynamic scans and penetration testing)
    - Vulnerability management and incident response
    - Development process (includes planning, designs, reviews, secure coding)
    - Documentation (includes specs, architecture, designs, code, and 
    configuration) - see breakout below
    - Incident response
    - Guidance documentation (for downstream projects and for BMC admins)
    - Supply chain (includes source code from Yocto and projects built into 
    the image)

    BMC security function documentation:
    - Audit logs
    - Communication paths
    - Cryptographic support
    - User data protection
    - Authentication
    - Security Management
    - Privacy
    - Protection of the BMC
    - Resource Utilization
    - BMC access, Trusted paths

    Excluded topics:
    - Threat assessment - varies between use cases
    - Supply chain (physical) - not applicable


    For the learning series presentation I propose one slide to motivate why 
    security focus is important, and another to explain how OpenBMC security 
    topics relate to high-level security schemes and to more focused 
    guidance from OWASP, OCP, and CSIS.  Then slides for each security 
    topic.  My feeling is that even professional developers need help to 
    understand how everything relates back to security. :-)


    Let me know if you expect the learning series presentation to have any 
    specific content.

Thanks Joseph for the alignment on this important security area and for
identifying detailed topics of interest. For the learning series, since the
intended audience is beginners to the project, I like your idea of
providing motivation for security focus followed by introducing various
topics at a high level for further exploration. In addition, if you believe
we have enough topics/speakers (4+), we can create a security-specific
learning (mini) series in 2021 (March timeframe) where you can build up the
material from basic->intermediate->advanced topics. I will be happy to work
with you to create such a series, if there is enough interest.

    - Joseph


* Re: OpenBMC Learning Series - list of security topics
       [not found]     ` <9bfccd5e-79ae-f1fb-6771-0514e3d1b2fd@preossec.com>
@ 2020-10-16 18:06       ` Joseph Reynolds
  0 siblings, 0 replies; 7+ messages in thread
From: Joseph Reynolds @ 2020-10-16 18:06 UTC (permalink / raw)
  To: Lee Fisher, openbmc

On 10/15/20 5:39 PM, Lee Fisher wrote:
> Looks pretty good.
>
> One thing I'm concerned with: dev -vs- sysadmin focus.
>
> You need to cover dev focus for OpenBMC dev. But you also need to cover
> run-time use, by sysadmins/users, including security automation.
>
> Don't have a single set of OpenBMC security guidance for both audiences,
> they are very different.

Lee,  +cc:openbmc email list

Point taken.  I agree.  I'll have separate topics for the system 
integrator and the BMC admin.  Along with the existing set of topics for 
the development community (coding standards, static scans, etc.).

I started a BMC configuration guide here: 
https://github.com/openbmc/openbmc/wiki/Configuration-guide
and have just now separated the build -vs- admin sections.  I'll use it 
to guide the presentation.

Thank you!

- Joseph

> For example, see how the NIST Secure Boot docs are for implementors
> *AND* users, but most users will navigate through all the
> implementor-centric docs for run-time guidance. Similar problem with
> DMTF Redfish docs, blurring implementors and users.
>
> Sysadmins/users will need a checklist of guidance and some
> security/update automation tools. At least one tool for security checks,
> and one tool for firmware updates. Vendors will work hard to screw up
> the tools, when trying to make their platform vendor-centric, so be
> careful of that.
>
> Thanks.
