From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday July 21 - results
Date: Wed, 21 Jul 2021 14:49:11 -0500
Message-ID: <b4456eee-79c2-6704-ae6f-63cd7485ae9d@linux.ibm.com>
In-Reply-To: <cd15ec44-5c29-096b-187d-f3c05680f8a2@linux.ibm.com>

On 7/20/21 5:45 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday July 21 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>

Attended: James Mihm, Surya (Intel), Dhananjay Phadke, Dick Wilkins, Jiang 
Zhang, Joseph Reynolds, mbhavsar, guptar (Ratan Gupta)

Bonus item 0: What support does OpenBMC have for mTLS clients?

DISCUSSION: See the Redfish APIs referenced below.  Redfish doesn’t 
support mTLS, but BMCWeb does support mTLS.  Is there a supported 
interface for the BMC admin to upload an mTLS client cert to the BMC?

References:

  * https://github.com/openbmc/openbmc/wiki/Configuration-guide#bmcweb (mTLS)
  * https://github.com/openbmc/openbmc/wiki/Configuration-guide#site-identity-certificate

> 1. See Google’s “unified vulnerability schema for open source”
> https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html?m=1

DISCUSSION:

This was included for awareness only, not to propose using this schema.

This seems similar to the forms needed to create CVEs such as here: 
https://cveform.mitre.org/

OpenBMC’s current guidelines for collecting this kind of information are 
here: 
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md

Related discussion: Should OpenBMC consider becoming a CNA?  See the previous 
effort here: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621 
(“Proposed answers to DWF CNA Registration Form”)



> 2. Email: Update phosphor-defaults with stronger root password hash
>   algorithm -
> https://lore.kernel.org/openbmc/34f5b89a-3919-e214-a744-4277fba0bbbb@linux.ibm.com/T/#u

2 Email: Update phosphor-defaults with stronger root password hash 
algorithm - 
https://lore.kernel.org/openbmc/34f5b89a-3919-e214-a744-4277fba0bbbb@linux.ibm.com/T/#u

DISCUSSION:

The group agreed to change the project’s default root password hash, 
while leaving the cleartext password the same.  TODO: Joseph will 
propose the change via a gerrit review.



Topics added after the meeting started:

3 What is the status of the OpenBMC BMC secure boot function?  Who is 
working on it?

DISCUSSION:

Aspeed AST2600 BMC secure boot using AST2600 hardware without a TPM and 
without any special hardware (other than pull-up resistors).  Interest in 
avoiding Cerberus.

See also the design: 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/26169


Two ways to validate U-Boot: via AST2600 hardware, or via Cerberus.

Once U-Boot is running, use U-Boot to validate the FIT image, kernel, etc.


4 What is happening with the Intel Hack-a-thon 2?

DISCUSSION: Creating CVEs.


5 What is happening with getting a private database to track 
vulnerability submissions?  This would be used by the OpenBMC security 
response team 
(https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md) 
to record security vulnerabilities which were reported to OpenBMC and not 
yet fixed or publicly disclosed.  Only members of the OpenBMC security 
response team would have access (read/write access).

DISCUSSION:

Surya plans to set up bugzilla.

Contact Andrew Geissler in his role as OpenBMC community infrastructure 
if you need a server.


6 What is happening with deploying AppArmor?

DISCUSSION:

Nobody was tracking it closely enough to answer.  Anton had been working 
on it.  See reviews under 
https://gerrit.openbmc-project.xyz/q/owner:rnouse%2540google.com



>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph

Thread overview (3+ messages):
2021-07-20 22:45 Security Working Group meeting - Wednesday July 21 - Joseph Reynolds
2021-07-21 19:49 ` Re: Security Working Group meeting - Wednesday July 21 - results - Joseph Reynolds [this message]
2021-07-21 21:00   ` Re: Security Working Group meeting - Wednesday July 21 - results - Patrick Williams