How to handle security vulnerabilities (was: OpenBMC security workgroup status)

Joseph Reynolds joseph-reynolds at charter.net
Fri Jul 13 12:47:49 AEST 2018


On 7/11/2018 12:18 AM, openbmc-request at lists.ozlabs.org wrote:
> Message: 1
> Date: Wed, 11 Jul 2018 12:49:36 +0930
> From: Andrew Jeffery <andrew at aj.id.au>
> To: Joseph Reynolds <joseph-reynolds at charter.net>,
> 	openbmc at lists.ozlabs.org
> Cc: James Mihm <james.mihm at intel.com>, bradleyb at fuzziesquirrel.com
> Subject: Re: OpenBMC security workgroup status
> Message-ID:
> 	<1531279176.3103610.1436766272.6E940CAB at webmail.messagingengine.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Tue, 10 Jul 2018, at 11:50, Joseph Reynolds wrote:
>> Here is the OpenBMC security work group status.
>>
>> The OpenBMC security work has been partitioned into four areas:
>> hardware, firmware (Linux, phosphor, etc.), OpenBMC development
>> activity, and downstream development.  Reviews are out for three areas;
>> see https://gerrit.openbmc-project.xyz/#/c/11120/ and 11164.  Work to
>> sketch out firmware security topics is beginning.  We are also beginning
>> to look at topics such as release planning and how to handle security
>> flaws.  For more details, see the group's agenda and minutes at
>> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI.
> What's the short-term strategy for handling vulnerability reports received in the gap between now and getting some formal process in place?
We don't have a strategy.  Let's discuss it here.

Officially (https://github.com/openbmc/openbmc/ section "Bug Reporting") 
issues are managed on GitHub.

Unofficially, Brad volunteered to accept one batch of security 
vulnerability reports and distribute them, presumably to the OpenBMC TSC 
members (https://github.com/openbmc/docs section "Technical Steering 
Committee") or their delegates.  I assume they would privately contact a 
trusted OpenBMC contributor who could address the problem.

We could adapt the Linux model 
(https://www.kernel.org/doc/html/v4.16/admin-guide/security-bugs.html), 
although I am still looking for information on what the Linux security 
team does with the bug report.  For example, how security group members 
track and discuss problems among themselves, how they pull in additional 
resources to fix or mitigate the problem, and how they inform downstream 
distros before announcing the problem, etc.

I think the first step for the OpenBMC team should be to establish an 
email address (like security at openbmc.org), subscribe only trusted people 
to that email list, and update the docs to explain that you should email 
the security team for security questions, and use issues for everything 
else.  Presumably, the security team would communicate privately among 
themselves and the submitter to assess the situation, and contact 
OpenBMC community members privately to address the problem.

This would be an easy step to take, and would move the team in the right 
direction.  What do you think?
