From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc@lists.ozlabs.org
Subject: Re: Security Working Group meeting - Wednesday February 17 - results
Date: Wed, 17 Feb 2021 17:19:18 -0600	[thread overview]
Message-ID: <ec572762-8edc-83dc-219a-6d9cdb5b13c5@linux.ibm.com> (raw)
In-Reply-To: <f6a11337-711a-81db-23a8-44bc24b0072f@linux.ibm.com>

On 2/16/21 5:53 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday February 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
> 1. Gerrit review FYI: log failed authentication attempts 
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39872
No discussion.

>
> 2. Gerrit review FYI: tie-in between Redfish sessions and IPMI 
> sessions.  Redfish will GET & DELETE IPMI sessions 
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/37785
Why is this function needed?
>
> 3. (Joseph) Discuss adding Web-based SSH to BMCWeb ~ 
> https://github.com/ibm-openbmc/dev/issues/2243

Sounds good. But don’t call this SSH because it is not.  Do the webui 
part the same as the host console.  Do the BMCWeb portion using a new 
D-Bus service (do not fork in bmcweb).


Bonus topics:
4. Interested in improving the documentation for the OpenBMC interface 
overview > Physical interfaces 
<https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md#physical-interfaces>? 
(See related review 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/40424.)

ANSWER: Yes, this is worthwhile.  Add to the agenda for next time.

Is the ASCII art helpful or distracting?

We discussed some ideas: diagram for BMC cards and PCIe cards.  
Alternate placement of TPMs, TOD battery.


5. Openssl released version 1.1.1j.

This led to a discussion of how much the OpenBMC project should be 
tracking and announcing CVEs -- Security Incident Response Team (SIRT) 
work.  Currently various members are tracking this privately.  Is it 
even worthwhile, for example, for the OpenBMC project to announce that 
CVE-whatever affects OpenBMC and the fix is going to the latest kernel 
version going into OpenBMC commit whatever?  (No clear consensus was 
reached.)

Inhibitors to open source SIRT work include: (A) some members are 
already doing this privately, and are not able to share due to 
confidentiality and repeating in open source is just extra work, (B) we 
are not all on the same release - that is: OpenBMC has not identified 
any Long Term Support (LTS) releases.

At present, there is no OpenBMC effort to show which CVEs are fixed.  
This is left as an exercise to interested downstream projects.

>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>

