From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday September 1 - results
Date: Wed, 1 Sep 2021 16:34:09 -0500 [thread overview]
Message-ID: <ed8cad7f-e275-1544-8183-e05b6f884f22@linux.ibm.com> (raw)
In-Reply-To: <f0cee41f-51d8-1ef5-18f7-4ea12b3c9212@linux.ibm.com>
On 9/1/21 9:22 AM, Joseph Reynolds wrote:
> On 8/31/21 10:19 PM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday September 1 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>> and anything else that comes up:
Attended: Joseph Reynolds, Milton Miller (attended first half: IPMI over
DTLS topic), James Mihm, Ratan Gupta, Andrei Kartashev, Daniil Engranov,
Dhananjay MSFT, Dick [Phoenix], Jiang Zhang
>>
>> 1.
>>
>> Ratan Gupta wants to join the Security Response Team for NVIDIA.
>> See
>> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md#team-composition-and-email-maintenance
>>
>> <https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md#team-composition-and-email-maintenance>
>>
>>
DISCUSSION:
We discussed some criteria for SRT membership:
*
Although individuals join the SRT, it is really organizations which
join as represented by their SRT members. The SRT member candidate
should be able to affirm that they participate in their company’s SRT.
*
The organization should have a “vested interest” in OpenBMC security
response. Here are some examples to consider:
o
Organizations which use OpenBMC to produce products or services
which are publicly available, and disclose security bugs to
their users. For example, any org which produces systems which
use OpenBMC and have a sufficiently mature SRT.
o
Downstream organizations, for example, who aggregate BMC-based
systems into larger systems.
o
Security research orgs, open source SRTs, etc. which have a
significant interest in BMCs.
*
The default stance should be to deny membership in the SRT. This is
to support the requirement to limit membership so as to not
prematurely disclose security vulnerabilities.
History: The initial SRT membership was the TSC members plus their
delegates.
In UEFI Forum, the founder companies formed the initial SRT, and then
explicitly invited select organizations to join, such as OS orgs like
RedHat and Debian. Call for more orgs who use OpenBMC who fit these
criteria to join the SRT.
> Additional agenda item:
> 2.(gerrit review)
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/31548
> <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/31548>IPMI over
> DTLS - questions about basic direction and sharing of private keys
>
2 (gerrit review)
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/31548
<https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/31548>IPMI over
DTLS - questions about use of OpenSSL and sharing of private keys
DISCUSSION:
Structure: The IPMI server and the BMCWeb server belong to the same
BMC. So should they share the same certificate? Or should they have
different certificates because they are different services?
Opinion: Have separate certificates for each service. The BMC admin can
install the same certificate for both, if they wish.
Items to add to the design:
*
Describe certificate management.
*
If DTLS and Redfish share a cert, what happens when the cert changes
because of a Redfish API operation?
*
Talk about how DTLS will configure or consume OpenSSL.
Call to action: please comment in the review.
Let’s invite Ed and Vernon next time if open questions remain from the
gerrit review.
>>
>> Access, agenda and notes are in the wiki:
>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>>
>> - Joseph
>
prev parent reply other threads:[~2021-09-01 21:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-01 3:19 Security Working Group meeting - Wednesday September 1 Joseph Reynolds
2021-09-01 14:22 ` Joseph Reynolds
2021-09-01 21:34 ` Joseph Reynolds [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ed8cad7f-e275-1544-8183-e05b6f884f22@linux.ibm.com \
--to=jrey@linux.ibm.com \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).