From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday March 16 - results
Date: Wed, 16 Mar 2022 12:51:11 -0500 [thread overview]
Message-ID: <fcc5d68f-a8d7-e857-370d-d1bf9971d018@linux.ibm.com> (raw)
In-Reply-To: <bcdc1bcd-857c-9110-2ecc-aa3719ce1d10@linux.ibm.com>
On 3/15/22 9:45 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday March 16 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attended: Joseph, Ratan, James, Mark, Daniil, Dhananjay, Dick, Jiang
1 Please review the phosphor audit design
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/46023
<https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/46023>and related
code under https://github.com/openbmc/phosphor-logging
<https://github.com/openbmc/phosphor-logging>directory phosphor-audit.
IBM is interested in working on this.
We also discussed encrypting data like logs, and storing keys in a vault
/ trust zone / TPM.
See also encrypted volume https://github.com/openbmc/estoraged
<https://github.com/openbmc/estoraged>
2 CNA work update
James is working on the OpenBMC vulnerability backlog. First
transferring each one to our private github issues database together
with its reserved CVE. James will share JSON-formatted CVEs with the
security response team (SRT). Currently working to upload/submit CVEs
to mitre. (Note these are not yet public.)
Helpful tools: formatted vulnerabilities using vulnogram. Use
Redhat’s Cvelib Python-based tool
TODO: Joseph and Dhananjay (as the OpenBMC CNAs): get credentials from
mitre to allow you to create CVEs.
-Joseph
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph
>
>
next prev parent reply other threads:[~2022-03-16 17:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-16 2:45 Security Working Group meeting - Wednesday March 16 Joseph Reynolds
2022-03-16 17:51 ` Joseph Reynolds [this message]
2022-03-16 19:45 ` Security Working Group meeting - Wednesday March 16 - results Michael Richardson
2022-03-18 22:23 ` Security Working Group meeting - Wednesday March 16 - results - audit log handling Joseph Reynolds
2022-03-16 23:21 ` Security Working Group meeting - Wednesday March 16 - results Patrick Williams
2022-03-18 22:49 ` Joseph Reynolds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fcc5d68f-a8d7-e857-370d-d1bf9971d018@linux.ibm.com \
--to=jrey@linux.ibm.com \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).