<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.10570.1001">
<STYLE><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.DefaultFontHxMailStyle
{mso-style-name:"Default Font HxMail Style";
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:890070051;
mso-list-type:hybrid;
mso-list-template-ids:-1237923318 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></STYLE>
<!-- flashmail style begin -->
<STYLE type=text/css>
body {border-width:0;margin:0}
img {border:0;margin:0;padding:0}
</STYLE>
<BASE target=_blank><!-- flashmail style end --></HEAD>
<BODY
style="BORDER-LEFT-WIDTH: 0px; FONT-SIZE: 10.5pt; FONT-FAMILY: arial; BORDER-RIGHT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; COLOR: #000000; MARGIN: 12px; LINE-HEIGHT: 1.5; BORDER-TOP-WIDTH: 0px"
marginheight="0" marginwidth="0">
<DIV>Maintaining 2 different build configurations would be a possible solution:
dev build and release build. </DIV>
<DIV>1. enable debugging tech in dev build. </DIV>
<DIV>2. when using OpenBMC for a product, disable all potential ways that
could harm security.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; COLOR: #c0c0c0"
align=left>2021-02-20
<HR id=SignNameHR
style="BORDER-TOP: #c0c0c0 1px solid; HEIGHT: 1px; BORDER-RIGHT: 0px; WIDTH: 122px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px"
align=left>
<SPAN id=_FlashSignName>chunhui.jia</SPAN> </DIV>
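<DIV>As an added example (not code from the OpenBMC project or from either message in this thread): a small POSIX shell report that lists every regular file the writable overlay "upper" layer contributes on top of the read-only rootfs "lower" layer, and whether each one replaces a rootfs path, duplicates it unchanged, or adds a new path. It makes the case Kun raises visible (a root user copying a replacement binary to the same path as a service) and is the kind of integrity check a release build could run or log. The upper and lower directories are parameters; where they live on a given BMC image is an assumption the reader has to fill in, and the demo below exercises the functions on a constructed temporary tree.</DIV>

```shell
#!/bin/sh
# Added example, not code from the OpenBMC project or from the thread above.
# Reports every regular file the writable overlayfs "upper" layer contributes
# on top of the read-only "lower" rootfs, so a reviewer can see which paths
# have been added or replaced. The upper/lower locations are parameters
# (assumption: on a real BMC you would point them at the overlay's upperdir
# and the mounted read-only rootfs); the demo uses a constructed tree.

# overlay_report UPPER LOWER
# Prints one line per regular file in UPPER, sorted by path:
#   modified <path>  file exists in LOWER with different content (a replaced binary/config)
#   same     <path>  file exists in LOWER with identical content (copied up, unchanged)
#   added    <path>  file has no counterpart in LOWER (e.g. a dropped-in unit file)
# Note: overlayfs whiteouts (deleted lower files) are character devices, not
# regular files, so they are deliberately outside this report.
overlay_report() {
  upper=${1%/}
  lower=${2%/}
  find "$upper" -type f | sort | while read -r f; do
    rel=${f#"$upper"}
    if [ ! -e "$lower$rel" ]; then
      echo "added    $rel"
    elif cmp -s "$f" "$lower$rel"; then
      echo "same     $rel"
    else
      echo "modified $rel"
    fi
  done
}

# count_modified UPPER LOWER: number of replaced rootfs files, the figure a
# release build's integrity check would alarm on. Prints 0 when none.
count_modified() {
  overlay_report "$1" "$2" | grep -c '^modified ' || true
}

# make_sample_tree DIR: builds a constructed lower/upper pair under DIR.
# File names and contents are invented for the demo.
make_sample_tree() {
  mkdir -p "$1/lower/usr/bin" "$1/lower/etc" \
           "$1/upper/usr/bin" "$1/upper/etc/systemd/system"
  printf 'original daemon\n' > "$1/lower/usr/bin/service-daemon"
  printf 'key=value\n'       > "$1/lower/etc/app.conf"
  # shadows the rootfs binary: this is the case the thread is about
  printf 'replaced daemon\n' > "$1/upper/usr/bin/service-daemon"
  # copied up but unchanged
  printf 'key=value\n'       > "$1/upper/etc/app.conf"
  # brand-new unit file that the rootfs never shipped
  printf '[Service]\n'       > "$1/upper/etc/systemd/system/extra.service"
}

# Demo run on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
overlay_report "$demo_dir/upper" "$demo_dir/lower"
echo "replaced rootfs files: $(count_modified "$demo_dir/upper" "$demo_dir/lower")"
rm -rf "$demo_dir"
```

<DIV>On the constructed tree the report flags /usr/bin/service-daemon as modified, /etc/app.conf as same and /etc/systemd/system/extra.service as added. The check is only as trustworthy as the code running it, which is the point of the release-build suggestion above: a report like this belongs in the signed, read-only image rather than in the writable layer it inspects.</DIV>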
<HR
style="BORDER-TOP: #c0c0c0 1px solid; HEIGHT: 1px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px">
<BLOCKQUOTE id=ntes-flashmail-quote
style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; PADDING-LEFT: 0px; MARGIN-LEFT: 0px">
<DIV><STRONG>From:</STRONG> Kun Zhao &lt;zkxz@hotmail.com&gt;</DIV>
<DIV><STRONG>Sent:</STRONG> 2021-02-20 08:31</DIV>
<DIV><STRONG>Subject:</STRONG> overlayFS security concern</DIV>
<DIV><STRONG>To:</STRONG> "openbmc@lists.ozlabs.org" &lt;openbmc@lists.ozlabs.org&gt;</DIV>
<DIV><STRONG>Cc:</STRONG></DIV>
<DIV> </DIV>
<DIV>
<DIV class=WordSection1>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Hi
Team,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Has the following case
ever been discussed before?<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Anyone who knows the root
password will be able to let the BMC run their own code by scp'ing the code into the BMC
at the same file path as any service in the rootfs. It will make secure
boot totally useless.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>So,
besides:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>1. disable scp (but scp
is one of the firmware upload ways)<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>2. don’t use overlayFS
(but it’s really useful for debugging during development, and for configuration
management)<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Any other
solutions?<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Thanks.<o:p></o:p></P>
<P class=MsoNormal>Kun<o:p></o:p></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P></DIV></DIV></BLOCKQUOTE></BODY></HTML>