Security Working Group - Wednesday August 21 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Aug 22 04:37:02 AEST 2019
On 8/19/19 1:58 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday August 21 at 10:00am PDT.
>
> Current topics:
> - Development work:
> + expired password design
> + phosphor-audit design
> - Recent discussion of CVEs that apply to OpenBMC
Meeting held 2019-08-21:
Note: The 2019-09-04 meeting is cancelled. Next meeting: 2019-09-18.
See notes for details.
1.
Current development items:
- Expired password design:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849 and email --
joseph discussed - no comments
- Auditing user actions:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23870 -- no comments
- Prevent overlay filesystem corruption:
https://lists.ozlabs.org/pipermail/openbmc/2019-August/017704.html --
general agreement that filesystem overlays are problematic, and we
should move to a model where we don’t need overlays, and just mount
read-write file systems as needed.
- Nancy mentioned they are reviewing security features related to the
Nuvaton BMC boot ROM and boot block.
2.
There was a question about flashing the firmware (host, and similarly BMC).
- The current OpenBMC firmware update is described here:
https://github.com/openbmc/docs/blob/master/code-update/code-update.md
- There is interest in using Redfish support for this.(Use the email
list to follow up.)
3.
We discussed “verified boot” and “One Time Programmable” (OTP) memory to
hold secret keys needed to establish a root of trust.We talked about
Aspeed’s AST2500 and AST2600 support for this. Designs are coming soon!
4.
Joseph: Review level of effort in handling CVEs
(https://lists.ozlabs.org/pipermail/openbmc/2019-August/017578.html).
- Dick mentioned how this works in the UEFI project...following
responsible disclosure guidelines:
+ We can freely discuss CVEs, issues, and fixes when fixes are available.
+ However, if someone asks about a CVE or an issue for which we don’t
have a fix, ideally we would not respond to the problem, not even to say
that we were invoking the OpenBMC security response team
(https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md).Then
followup with the response team.
- Dick mentioned that the information embargo period for security fixes
is 6 months.This gives time for the fixes to be built, tested, deployed,
and activated.
- TODO: Joseph will propose similar guidelines for the response team.
5.
Joseph: Added web security wish list items (under
https://github.com/openbmc/openbmc/wiki/Security-working-group#security-feature-wish-list).There
were no comments.
6.
We elected to cancel the Sep 4 meeting and meet again on Sep 18 because
of the Open Source Firmware Conference (OSFC ~ https://osfc.io/).
7.
Joseph gave highlights from attending the Blackhat conference
(https://www.blackhat.com/us-19/) related to firmware security.He plans
to send an email with details.
- Joseph
> Access, agenda, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
More information about the openbmc
mailing list