Security Working Group - Wednesday July 24 - results

[Joseph Reynolds]

> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday July 24 at 10:00am PDT.
>
> * * * The call-in access changed on July 10 (the previous meeting) - 
> details below * * *
>
> Current topics:
> - Development work (including approved network security considerations)
> - SPDM
> - Default user config: root, ipmi group, password limited to char[20]

We discussed using the emerging SPDM standard which negotiates security 
with other endpoints via MCTP/PLDM or similar (example: trusted platform 
module (TPM), or host firmware elements). As OpenBMC uses MCTP/PLDM we 
would naturally be interested in using the SPDM standard.

We discussed changing OpenBMC's default users, for example, root/0penBmc 
is in the IPMI group. Joseph will push a design for this. We discussed 
difficulties in how to identify and track security fixes (as CVEs) as 
they flow into OpenBMC from Yocto and other upstream projects. We 
touched on how Yocto long term support (LTS) might be desirable. Joseph 
advertised the BMC Threat Model review: 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/22404- Joseph
> Access, agenda, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>
> The Security Working Group meeting access changed on July 10.  The old 
> access
> will not be used.  The new access is given in the wiki and in this
> email.  This is effective now, so please update your calendars.
> Here is the information for the web video conference and telephone 
> access:
> - Join via Web:https://ibm.webex.com/meet/joseph.reynolds1
> - Join via Phone: Use access code: 927 034 486 -- United States Toll
> Free: 1-844-531-0958. Click here for other phone numbers
> <https://ibm.webex.com/cmp3300/webcomponents/widget/globalcallin/globalcallin.do?siteurl=ibm&serviceType=MC&ED=756982637&tollFree=1> 
>
> - Visit the Webex web site for more ways to join or for an updated
> access code.
>