Security Working Group meeting - Wednesday February 17

Security Working Group meeting - Wednesday February 17

[Joseph Reynolds]

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday February 17 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
and anything else that comes up:

1. Gerrit review FYI: log failed authentication attempts 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39872

2. Gerrit review FTI: tie-in between Redfish sessions and IPMI 
sessions.  Redfish will GET & DELETE IMPI sessions 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/37785

3. (Joseph) Discuss adding Web-based SSH to BMCWeb ~ 
https://github.com/ibm-openbmc/dev/issues/2243

Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group 
<https://github.com/openbmc/openbmc/wiki/Security-working-group>

Re: Security Working Group meeting - Wednesday February 17 - results

[Joseph Reynolds]

On 2/16/21 5:53 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday February 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
> 1. Gerrit review FYI: log failed authentication attempts 
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39872
No discussion.

>
> 2. Gerrit review FTI: tie-in between Redfish sessions and IPMI 
> sessions.  Redfish will GET & DELETE IMPI sessions 
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/37785
Why is this function needed?
>
> 3. (Joseph) Discuss adding Web-based SSH to BMCWeb ~ 
> https://github.com/ibm-openbmc/dev/issues/2243

Sounds good. But don’t call this SSH because it is not.  Do the webui 
part the same as the host console.  Do the BMCWeb portion using a new 
D-Bus service (do not fork in bmcweb).


Bonus topics:
4. Interested in improving the documentation for the OpenBMC interface 
overview > Physical interfaces 
<https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md#physical-interfaces>? 
https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md#physical-interfaces 
(See related review 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/40424.)

ANSWER: Yes, this is worthwhile.  Add to the agenda for next time.

Is the ASCII art helpful or distracting?

We discusses some ideas: Diagram for BMC cards and PCIe cards.  
Alternate Placement of TPMs, TOD battery.


5. Openssl released version 1.1.1j.

This led to a discussion of how much the OpenBMC project should be 
tracking and announcing CVEs -- Security Incident Response Team (SIRT) 
work.  Currently various members are tracking this privately.  Is it 
even worthwhile, for example, for the OpenBMC project to announce that 
CVE-whatever affects OpenBMC and the fix is going to the latest kernel 
version going into OpenBMC commmit whatever?  (No clear consensus was 
reached.)

Inhibitors to open source SIRT work includes: (A) some members are 
already doing this privately, and are not able to share due to 
confidentiality and repeating in open source is just extra work, (B) we 
are not all on the same release - that is: OpenBMC has not identified 
any Long Term Support (LTS) releases.

At present, there is no OpenBMC effort to show which CVEs are fixed.  
This is left as an exercise to interested downstream projects.

>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>

Re: Security Working Group - threat model progress

[Joseph Reynolds]

On 2/17/21 5:19 PM, Joseph Reynolds wrote:
> On 2/16/21 5:53 PM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting 
>> scheduled for this Wednesday February 17 at 10:00am PDT.
[...snip...]
> 4. Interested in improving the documentation for the OpenBMC interface 
> overview   [...snip...]

I tried to capture the BMC threat model discussion from today's security 
working group meeting.  This gives the basic BMC architecture elements 
from the [interface-overview][], supplemented by [OpenBMC features][], 
and added some ideas from [network security considerations][].  I tried 
to organize them at the level of abstraction needed for threat modeling: 
physical elements first, a physical threat model boundary, and started 
on the conceptual elements needed to describe the BMC's interfaces and 
functions. Please consider this to be a simple incomplete draft 
proposal.  Help wanted.

The overall OpenBMC threat modeling effort is rooted in the [OpenBMC 
security working group wiki][].

[OpenBMC security working group wiki]: 
https://github.com/openbmc/openbmc/wiki/Security-working-group
[interface-overview]: 
https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md
[OpenBMC features]: https://github.com/openbmc/docs/blob/master/features.md
[network security considerations]: 
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md

OpenBMC threat model components:
- Physical elements:
     - BMC SoC on BMC card plugged into host system
     - Optional cabinet encloses system and prevents physical access to 
most controls
     - BMC's network connection
     - Optional BMC elements:
         - TPM
         - TOD clock with battery
         - security jumpers
         - serial port
         - USB port
     - Host elements:
         - Power on/off control (to the BMC, and to the chassis)
         - Control panel (power button, varies: LED or LCD displays, etc.)
         - CPU
         - Cooling fans and associated sensors: rotation speed and 
temperature
         - Serial UART for host console
         - Keyboard, video, mouse
         - Optional PCIe devices reachable by the BMC
- Candidates for the threat model boundary:
     - The physical pins on the BMC card
     - The BMC card plus elements under BMC's exclusing control:
         - power button and related displays
         - BMC's network interface, NC-SI or whatever
     - Items that transition between BMC and host control: fans, console?
     - Mention the enclosing cabinet (if present).
- Host elements the BMC interacts with:
     - Host firmware upload
     - Host booting status
     - Host error logging
     - Host requests to power off
     - FRUs
- BMC functions: TODO