<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Microsoft YaHei";
panose-1:2 11 5 3 2 2 4 2 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"\@Microsoft YaHei";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.DefaultFontHxMailStyle
{mso-style-name:"Default Font HxMail Style";
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">Thank you, Chunhui. But you mean to disable scp, right? Firmware upload through the scp function will be lost in this way. Maybe not a good choice for us.<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">BTW, is scp still a recommended way for OpenBMC firmware update?<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks.<o:p></o:p></p>
<p class="MsoNormal">Kun<o:p></o:p></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:chunhui.jia@linux.intel.com">chunhui.jia</a><br>
<b>Sent: </b>Friday, February 19, 2021 4:53 PM<br>
<b>To: </b><a href="mailto:zkxz@hotmail.com">Kun Zhao</a>; <a href="mailto:openbmc@lists.ozlabs.org">
openbmc@lists.ozlabs.org</a><br>
<b>Subject: </b>Re: overlayFS security concern</p>
</div>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">Maintaining 2 different build configurations would be a possible solution: dev build and release build.
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">1. Enable debugging tech in the dev build.
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">2. When using OpenBMC for a product, disable all potential ways that could harm security.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:silver">2021-02-20
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:silver">chunhui.jia
<o:p></o:p></span></p>
<blockquote style="margin-left:0in;margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><strong><span lang="ZH-CN" style="font-size:10.0pt;font-family:"Microsoft YaHei",sans-serif;color:black">From:</span></strong><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">Kun Zhao &lt;zkxz@hotmail.com&gt;<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span lang="ZH-CN" style="font-size:10.0pt;font-family:"Microsoft YaHei",sans-serif;color:black">Sent:</span></strong><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">2021-02-20 08:31<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span lang="ZH-CN" style="font-size:10.0pt;font-family:"Microsoft YaHei",sans-serif;color:black">Subject:</span></strong><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">overlayFS security concern<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span lang="ZH-CN" style="font-size:10.0pt;font-family:"Microsoft YaHei",sans-serif;color:black">To:</span></strong><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">"openbmc@lists.ozlabs.org" &lt;openbmc@lists.ozlabs.org&gt;<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span lang="ZH-CN" style="font-size:10.0pt;font-family:"Microsoft YaHei",sans-serif;color:black">Cc:</span></strong><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">Hi Team,<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">Has the following case ever been discussed before?<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">Anyone who knows the root password will be able to make the BMC run their own code by scp'ing the code into the BMC with the same file path as any service in the rootfs. It will make secure boot totally useless.<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">So besides,<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">1. disable scp (but scp is one of the firmware upload ways)<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">2. don’t use overlayFS (but it’s really useful for debugging during development, and for configuration management)<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle">Any other solutions?<o:p></o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Kun<o:p></o:p></span></p>
</div>
</blockquote>
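<p class="MsoNormal"><span class="DefaultFontHxMailStyle">Added example, not from any message in this thread: a defender-side check for the overlay shadowing described in Kun's original mail. It lists files in the overlayFS upper (read-write) layer that override a path that also exists in the read-only lower rootfs, which is where a file copied over scp to a service's path would land. The OpenBMC layer paths /run/initramfs/ro and /run/initramfs/rw/cow and the function names are assumptions; the demo runs on a constructed directory layout.</span></p>

```shell
#!/bin/sh
# Added example, not from the thread. Lists files in an overlayFS upper
# (read-write) layer that shadow a path in the read-only lower rootfs.
# OpenBMC layer locations are assumed, not confirmed here:
#   LOWER=/run/initramfs/ro   UPPER=/run/initramfs/rw/cow

# find_overlay_shadows UPPER LOWER
# Prints "SHADOW <path>" for each regular file in UPPER whose counterpart
# exists in LOWER (an overridden rootfs file), and "WHITEOUT <path>" for
# overlayfs whiteouts (character devices), which hide a lower file.
find_overlay_shadows() {
    upper=$1
    lower=$2
    ( cd "$upper" 2>/dev/null && find . \( -type f -o -type c \) ) |
    sed 's|^\./||' |
    while IFS= read -r rel; do
        if [ -e "$lower/$rel" ] || [ -L "$lower/$rel" ]; then
            if [ -c "$upper/$rel" ]; then
                printf 'WHITEOUT %s\n' "$rel"
            else
                printf 'SHADOW %s\n' "$rel"
            fi
        fi
    done
}

# count_shadows UPPER LOWER: number of findings; 0 means the overlay adds
# nothing on top of the signed rootfs, which is what a release BMC should show.
count_shadows() {
    find_overlay_shadows "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed layout: one rootfs binary replaced via the overlay,
# one new config file that does not shadow anything.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/ro/usr/bin" "$t/cow/usr/bin" "$t/cow/etc"
    printf 'orig\n' > "$t/ro/usr/bin/bmcweb"
    printf 'replaced\n' > "$t/cow/usr/bin/bmcweb"
    printf 'x\n' > "$t/cow/etc/new.conf"
    find_overlay_shadows "$t/cow" "$t/ro"
    rm -rf "$t"
}

demo
```

<p class="MsoNormal"><span class="DefaultFontHxMailStyle">Running the check from a service at boot, or comparing its output against the manifest of the signed image, turns an overlay override into something visible rather than something that silently wins over the verified rootfs.</span></p>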
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:45.0pt;margin-bottom:9.0pt;margin-left:9.0pt">
<span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
<p class="MsoNormal"><span class="DefaultFontHxMailStyle"><o:p> </o:p></span></p>
</div>
</body>
</html>