6/11 Meeting Notes for OpenBMC Security Working Group

Nancy Yuen yuenn at google.com
Tue Jun 19 04:18:16 AEST 2018


Meeting notes and agendas are recorded in this document:
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit?usp=sharing>

*2018.06.11*
*Attendees: James Mihm, Joseph Reynolds, Brad Bishop, Ed Tanous, Sub,
Christopher Engel, Jayanth, Supreeth Venkatesh*

1. The group needs an online forum for agendas, meeting notes, and discussion.
- Use #openbmc_security IRC chat and git/gerrit for threaded topic conversations.
  Joseph: ...and use Google Docs (this document) to add agenda items and meeting minutes.

2. The "meeting in secret" topic came up several times.
- cve.mitre.org
- Some secrets: if there's a vulnerability that doesn't have a mitigation, keep it secret until there's a fix.
- Need to provide a process that allows external reporting of vulnerabilities.
- Difference between vulnerabilities in deployment and in development.
- AI: read up on cve.mitre.org processes.
  Joseph: Where in this website does it describe how a project like OpenBMC should set up a process for its users to report vulnerabilities? The closest thing I found was: https://cve.mitre.org/compatible/guidelines.html

3. I think OpenBMC may need multiple security frameworks to address different concerns.
- Need different frameworks for different things.
- Joseph: We need stories for functional security, product lifecycle, and functional security requirements implemented by the development team.
- Ben: agreed, but CC isn't the right approach.
- Joseph: Backing off CC.
  Joseph (6/14/2018): I've written the OpenBMC lifecycle security story and pushed it for review at https://gerrit.openbmc-project.xyz/#/c/11120/. Please add yourself as a reviewer if interested. I plan to abandon the previous security review (but refactor the material -- thanks for your comments!).

4. Protection Profiles.
- Joseph: Not the right person to work on protection profiles.
- Ensuring OpenBMC is following the requirements to enable certification is important; not everyone is getting certifications, though.
- An OpenBMC protection profile could be a piece of a larger certification.
- James: will upload the Intel security architecture document.
- Joseph: No need to publish the CC work since it's covered by James' effort, but will still pursue it.

5. Authentication, Authorization, and Auditing
- Joseph: Is there a way to put in an AAA server that could be used by an enterprise datacenter?
- It's being worked on...
- Who, and what's the solution like?
- There's a mailing list post on user management, Richard (from Intel?).
- Brad: There isn't any code in OpenBMC; we need something.
- Ed: D-Bus wrapper around PAM.
- Brad: D-Bus allows you to make a data model; proposal for a data model for AAA (user management).
- Look for things by Richard in gerrit.
- How do we get people to review things?
- Cc people on reviews directly; could use a mailing list.
- AndrewJ maintains the tools repo, but there's no group for general OpenBMC tools (gerrit for auto-adding reviewers).
- AndrewJ wrote a tool, a wrapper around doing git pushes, that will automatically cc people in the maintainers file.
- Ben: the tool promotes best practices.
- Gerrit supports running this automatically; it just needs to be scripted.
- Brad: ok, but no one is volunteering.
- AndrewG is the person to talk to about getting admin privileges for anyone who wants to tackle it.

Let's meet weekly, some day 10AM PT.

Sub: Trusted Computing Group (TCG) and OCP Security Group: what do we want to see being discussed? Maybe check out their minutes or get someone from these groups to come to our meeting.

----------
Nancy