<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.10570.1001">
<STYLE><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Microsoft YaHei";
panose-1:2 11 5 3 2 2 4 2 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"\@Microsoft YaHei";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.DefaultFontHxMailStyle
{mso-style-name:"Default Font HxMail Style";
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
--></STYLE>
<!-- flashmail style begin -->
<STYLE type=text/css>
body {border-width:0;margin:0}
img {border:0;margin:0;padding:0}
</STYLE>
<BASE target=_blank><!-- flashmail style end --></HEAD>
<BODY
style="BORDER-LEFT-WIDTH: 0px; FONT-SIZE: 10.5pt; FONT-FAMILY: arial; BORDER-RIGHT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; COLOR: #000000; MARGIN: 12px; LINE-HEIGHT: 1.5; BORDER-TOP-WIDTH: 0px"
marginheight="0" marginwidth="0">
<DIV>You could use Redfish firmware update instead.</DIV>
<DIV> </DIV>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; COLOR: #c0c0c0"
align=left>2021-02-20
<HR id=SignNameHR
style="BORDER-TOP: #c0c0c0 1px solid; HEIGHT: 1px; BORDER-RIGHT: 0px; WIDTH: 122px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px"
align=left>
<SPAN id=_FlashSignName>chunhui.jia</SPAN> </DIV>
<HR
style="BORDER-TOP: #c0c0c0 1px solid; HEIGHT: 1px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px">
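<DIV>The shadowing described further down this thread (a file copied into the writable overlay layer at the same path as a service in the verified rootfs) can be audited from the BMC itself by comparing the overlay's upper layer against the read-only lower image. The following is an added example, not code from this thread or from OpenBMC: the lower and upper directory paths and the sample file names are placeholders, since the real mount layout depends on the build.</DIV>

```python
import os
import stat
import tempfile
from pathlib import Path

# Prefixes where an override means something other than the verified image runs.
SENSITIVE = ("bin/", "sbin/", "lib/", "usr/bin/", "usr/sbin/", "usr/lib/",
             "etc/systemd/", "lib/systemd/")

def is_whiteout(st):
    """overlayfs hides a lower-layer file with a 0/0 character device in the upper layer."""
    return stat.S_ISCHR(st.st_mode) and os.major(st.st_rdev) == 0 and os.minor(st.st_rdev) == 0

def shadowed_entries(upper, lower):
    """Return sorted (path, kind, sensitive) for every upper entry that alters the merged view.
    upper/lower are the overlay's upperdir and the verified read-only rootfs (placeholders)."""
    findings, stack = [], [Path(upper)]
    while stack:
        for entry in os.scandir(stack.pop()):
            rel = Path(entry.path).relative_to(upper)
            if entry.is_dir(follow_symlinks=False):
                stack.append(Path(entry.path))   # plain directories only hold other entries
                continue
            low = Path(lower) / rel
            if is_whiteout(entry.stat(follow_symlinks=False)):
                kind = "whiteout"                # hides a file of the verified image
            elif low.exists() or low.is_symlink():
                kind = "replaced"                # overrides a verified file: the scp scenario
            else:
                kind = "added"                   # new file (e.g. a drop-in unit) in the tree
            findings.append((rel.as_posix(), kind, rel.as_posix().startswith(SENSITIVE)))
    return sorted(findings)

def write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Constructed sample layers (not a real BMC) that exercise the check."""
    base = Path(tempfile.mkdtemp(prefix="ovl-demo-"))
    lower, upper = base / "lower", base / "upper"
    write(lower / "usr/sbin/example-service", "original binary")
    write(lower / "etc/systemd/system/example.service", "[Unit]")
    write(upper / "usr/sbin/example-service", "replacement binary")  # shadows a verified binary
    write(upper / "etc/systemd/system/extra.service", "[Unit]")      # new unit in a verified dir
    write(upper / "home/root/notes.txt", "harmless")
    return shadowed_entries(upper, lower)

if __name__ == "__main__":  # on a real BMC, pass the actual upperdir and rootfs paths
    print(*demo(), sep="\n")
```

<DIV>Run as a periodic integrity check, any "replaced" or "whiteout" entry under a sensitive prefix means the running system no longer matches the image that secure boot verified.</DIV>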
<BLOCKQUOTE id=ntes-flashmail-quote
style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; PADDING-LEFT: 0px; MARGIN-LEFT: 0px">
<DIV><STRONG>From:</STRONG> Kun Zhao &lt;zkxz@hotmail.com&gt;</DIV>
<DIV><STRONG>Sent:</STRONG> 2021-02-20 09:13</DIV>
<DIV><STRONG>Subject:</STRONG> RE: overlayFS security concern</DIV>
<DIV><STRONG>To:</STRONG> "chunhui.jia" &lt;chunhui.jia@linux.intel.com&gt;, "openbmc@lists.ozlabs.org" &lt;openbmc@lists.ozlabs.org&gt;</DIV>
<DIV><STRONG>Cc:</STRONG></DIV>
<DIV> </DIV>
<DIV>
<DIV class=WordSection1>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Thank you, Chunhui. But
you mean to disable scp, right? Firmware upload through the scp function will be
lost this way. Maybe not a good choice for us.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>BTW, is scp still a
recommended way for OpenBMC firmware update?<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Thanks.<o:p></o:p></P>
<P class=MsoNormal>Kun<o:p></o:p></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<DIV
style="BORDER-TOP: #e1e1e1 1pt solid; BORDER-RIGHT: medium none; BORDER-BOTTOM: medium none; PADDING-BOTTOM: 0in; PADDING-TOP: 3pt; PADDING-LEFT: 0in; BORDER-LEFT: medium none; PADDING-RIGHT: 0in; mso-element: para-border-div">
<P class=MsoNormal
style="BORDER-TOP: medium none; BORDER-RIGHT: medium none; BORDER-BOTTOM: medium none; PADDING-BOTTOM: 0in; PADDING-TOP: 0in; PADDING-LEFT: 0in; BORDER-LEFT: medium none; PADDING-RIGHT: 0in"><B>From:
</B><A href="mailto:chunhui.jia@linux.intel.com">chunhui.jia</A><BR><B>Sent:
</B>Friday, February 19, 2021 4:53 PM<BR><B>To: </B><A
href="mailto:zkxz@hotmail.com">Kun Zhao</A>; <A
href="mailto:openbmc@lists.ozlabs.org">openbmc@lists.ozlabs.org</A><BR><B>Subject:
</B>Re: overlayFS security concern</P></DIV>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10.5pt; FONT-FAMILY: "Arial",sans-serif; COLOR: black'>Maintaining
2 different build configurations would be a possible solution: a dev build
and a release build. <o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10.5pt; FONT-FAMILY: "Arial",sans-serif; COLOR: black'>1.
Enable debugging tech in the dev build. <o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10.5pt; FONT-FAMILY: "Arial",sans-serif; COLOR: black'>2.
When using OpenBMC for a product, disable all potential ways that could
harm security.<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10.5pt; FONT-FAMILY: "Arial",sans-serif; COLOR: black'> <o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10.5pt; FONT-FAMILY: "Arial",sans-serif; COLOR: black'> <o:p></o:p></SPAN></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: silver'>2021-02-20
<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: silver'><IMG
id=Horizontal_x0020_Line_x0020_1 style="HEIGHT: 0.01in; WIDTH: 1.27in"
border=0 src="cid:flashmail$TyrWuRyq$1613783833__0@nmmp" width=122
height=1></SPAN><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: silver'><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: silver'>chunhui.jia
<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10.5pt; FONT-FAMILY: "Arial",sans-serif; COLOR: black'><IMG
id=Horizontal_x0020_Line_x0020_2 style="HEIGHT: 0.01in; WIDTH: 7.125in"
border=0 src="cid:flashmail$eRlsPAZD$1613783833__1@nmmp" width=684
height=1></SPAN><SPAN
style='FONT-SIZE: 10.5pt; FONT-FAMILY: "Arial",sans-serif; COLOR: black'><o:p></o:p></SPAN></P>
<BLOCKQUOTE style="MARGIN-BOTTOM: 5pt; MARGIN-TOP: 5pt; MARGIN-LEFT: 0in">
<DIV>
<P class=MsoNormal><STRONG><SPAN lang=ZH-CN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Microsoft YaHei",sans-serif; COLOR: black'>From:</SPAN></STRONG><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: black'> Kun
Zhao &lt;zkxz@hotmail.com&gt;<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><STRONG><SPAN lang=ZH-CN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Microsoft YaHei",sans-serif; COLOR: black'>Sent:</SPAN></STRONG><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: black'> 2021-02-20 08:31<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><STRONG><SPAN lang=ZH-CN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Microsoft YaHei",sans-serif; COLOR: black'>Subject:</SPAN></STRONG><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: black'> overlayFS
security concern<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><STRONG><SPAN lang=ZH-CN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Microsoft YaHei",sans-serif; COLOR: black'>To:</SPAN></STRONG><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: black'> "openbmc@lists.ozlabs.org" &lt;openbmc@lists.ozlabs.org&gt;<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><STRONG><SPAN lang=ZH-CN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Microsoft YaHei",sans-serif; COLOR: black'>Cc:</SPAN></STRONG><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: black'><o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Verdana",sans-serif; COLOR: black'> <o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Hi
Team,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Has the following
case ever been discussed before?<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Anyone who knows the root
password will be able to make the BMC run their own code by scp'ing the code into the BMC
with the same file path as any service in rootfs. It will make secure
boot totally useless.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>So
besides,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>1. Disable scp (but
scp is one of the firmware upload ways)<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>2. Don’t use overlayFS
(but it’s really useful for debugging during development, and for configuration
management)<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN class=DefaultFontHxMailStyle>Any other
solutions?<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: black"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: black"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: black">Thanks.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="COLOR: black">Kun<o:p></o:p></SPAN></P></DIV></BLOCKQUOTE>
<P class=MsoNormal
style="MARGIN-BOTTOM: 9pt; MARGIN-LEFT: 9pt; MARGIN-RIGHT: 45pt; mso-margin-top-alt: 0in"><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
class=DefaultFontHxMailStyle><o:p> </o:p></SPAN></P></DIV></DIV></BLOCKQUOTE></BODY></HTML>