From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc@lists.ozlabs.org
Subject: Re: Security Working Group meeting - Wednesday February 17 - results
Date: Wed, 17 Feb 2021 17:19:18 -0600
Message-ID: <ec572762-8edc-83dc-219a-6d9cdb5b13c5@linux.ibm.com>
In-Reply-To: <f6a11337-711a-81db-23a8-44bc24b0072f@linux.ibm.com>
On 2/16/21 5:53 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday February 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>
> 1. Gerrit review FYI: log failed authentication attempts
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39872
No discussion.
>
> 2. Gerrit review FYI: tie-in between Redfish sessions and IPMI
> sessions. Redfish will GET & DELETE IPMI sessions
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/37785
Why is this function needed?
>
> 3. (Joseph) Discuss adding Web-based SSH to BMCWeb ~
> https://github.com/ibm-openbmc/dev/issues/2243
Sounds good. But don’t call this SSH because it is not. Do the webui
part the same as the host console. Do the BMCWeb portion using a new
D-Bus service (do not fork in bmcweb).
Bonus topics:
4. Interested in improving the documentation for the OpenBMC interface
overview > Physical interfaces
<https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md#physical-interfaces>?
(See related review
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/40424.)
ANSWER: Yes, this is worthwhile. Add to the agenda for next time.
Is the ASCII art helpful or distracting?
We discussed some ideas: Diagram for BMC cards and PCIe cards.
Alternate Placement of TPMs, TOD battery.
5. Openssl released version 1.1.1j.
This led to a discussion of how much the OpenBMC project should be
tracking and announcing CVEs -- Security Incident Response Team (SIRT)
work. Currently various members are tracking this privately. Is it
even worthwhile, for example, for the OpenBMC project to announce that
CVE-whatever affects OpenBMC and the fix is going to the latest kernel
version going into OpenBMC commit whatever? (No clear consensus was
reached.)
Inhibitors to open source SIRT work include: (A) some members are
already doing this privately, and are not able to share due to
confidentiality and repeating in open source is just extra work, (B) we
are not all on the same release - that is: OpenBMC has not identified
any Long Term Support (LTS) releases.
At present, there is no OpenBMC effort to show which CVEs are fixed.
This is left as an exercise to interested downstream projects.
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>