Security Working Group meeting - Wednesday July 10 - results

[Joseph Reynolds]

On 7/9/19 10:20 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday July 10 at 10:00am PDT.
>
> * * * The call-in access is new/changed for this meeting - details 
> below * * *
>
> Current topics:
> - Development work (including approved network security considerations)

We talked about the BMC initial setup, aka provisioning.
We also discussed ideas about how to secure the BMC against having a 
default password. The top two ideas were:
1. Have the password be expired, so the BMC admin has to change it to 
use the BMC.
2. Have the BMC start in a new "setup mode" which encourages its admin 
to change its password.

> - BMC use cases

We went around the room, and several folks mentioned interest in the 
DMTF's Security Protocol and Data Model (SPDM ~ 
https://www.dmtf.org/content/spdm-spec-feature).  I've added that topic 
to the agenda.

> - Release planning input

Only I stated an interest in providing security-related input to the 2.7 
release process.  So I will send that email with only my name on it..

>
>
> Access, agenda, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>
> The Security Working Group meeting access is changing.  The old access
> will not be used.  The new access is given in the wiki and in this
> email.  This is effective immediately, so please update your calendars.
> Here is the information for the web video conference and telephone 
> access:
> - Join via Web:https://ibm.webex.com/meet/joseph.reynolds1
> - Join via Phone: Use access code: 927 034 486 -- United States Toll
> Free: 1-844-531-0958. Click here for other phone numbers
> <https://ibm.webex.com/cmp3300/webcomponents/widget/globalcallin/globalcallin.do?siteurl=ibm&serviceType=MC&ED=756982637&tollFree=1> 
>
> - Visit the Webex web site for more ways to join or for an updated
> access code.
>
>