OpenBMC Image Management
Patrick Williams
patrick at stwcx.xyz
Fri Jan 27 14:07:06 AEDT 2017
On Wed, Jan 25, 2017 at 05:50:46PM -0600, Chris Austen wrote:
> "openbmc" <openbmc-bounces+austenc=us.ibm.com at lists.ozlabs.org> wrote on
> 01/25/2017 04:15:27 PM:
>
> Are there any security goals that need to be considered?
>
There are a few different aspects to security that I can think of:
1. Is there a way to identify and reject an invalid image (Define
"invalid") before it is applied onto the system?
2. Is there a way to identify an applied image has been tampered with?
3. Is there a way for an image to expose a security flaw in the code
itself (such as by "fuzzing") to cause unintended effects?
A few statements to answer your question:
* If there is a fundamental flaw in any of these regards with our design,
we would like to know about it and will fix it.
* #1 is typically solved through image signing and a one-time
verification at the time an image is applied. Issue
openbmc/openbmc#356 is meant to implement this and would be a
later feature on top of Adriana's proposed work.
* #2 is typically solved through "Secureboot" or similar
functionality.
* The Power9 processor can implement Secureboot itself, so the IBM
team currently has no plans to implement additional per-use
verification of the Host firmware contents [in PNOR] by the BMC.
* IBM also does not currently plan to include BMC Secureboot for
the Witherspoon machine's initial delivery.
* Rick Altherr from Google has been contributing support for
U-Boot "FIT" images, which provide something like Secureboot
verification for the kernel and initramfs images.
* The project would certainly be interested in further
development here, but hopefully like most of our features, it
can be selectively enabled or disabled for different machines.
In particular, given that Power9 is itself performing
verification of images, verification of the PNOR by the BMC
should be a choice by the vendor weighing boot-speed and
security.
* Adriana is not intending on doing anything explicit to enable
or impede enablement of this. If there is something in the
design or implementation that would significantly impede
enablement, or if there is a relatively minor improvement that
can be done to aid future enablement, we are very interested
in this feedback.
* We don't intend to have purposeful flaws in the area of #3 (does
anyone?). No one has committed to doing explicit penetration
testing here, but we certainly will accept vulnerability reports
and, even better, fixes.
--
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20170126/91b7f1f5/attachment.sig>
More information about the openbmc
mailing list