Proposal to merge code into openbmc 2.7 warrior branch
Joseph Reynolds
jrey at linux.ibm.com
Tue Sep 24 01:29:07 AEST 2019
This proposal is to merge code into the [OpenBMC 2.7 warrior fix
branch][]. There are three sets of changes:
1. Refresh our warrior branch with fixes from the yocto warrior branch.
2. Customize SSH ciphers to harmonize with our HTTPS ciphers.
3. Pick up a fix to make it easier to downgrade to earlier releases.
Details for each of these are below. Can we get these merged?
References:
- [OpenBMC 2.7 warrior fix branch]:
https://github.com/openbmc/openbmc/tree/warrior
- [release notes]:
https://github.com/openbmc/docs/blob/master/release/release-notes.md
- Joseph
1. Pick up fixes from yocto branch=warrior. This has security fixes
that we should pick up.
2. Pick up the [SSH dropbear patch] to disable medium strength ciphers
which brings SSH close to parity with [BMCWeb HTTPS ciphers][].
Specifically, it removes medium strength ciphers, leaving only strong
ciphers. (Note that BMCWeb offers additional strong HTTPS ciphers which
our Dropbear SSH server does not yet support.) This change is in the
yocto master branch, so it is the new behavior going forward, but was
not accepted into yocto branch=warrior because it is a configuration
change and not a fix. We consider this to be a security fix. We should
pick it up to match the ciphers accepted by our HTTPS server.
References:
- [SSH dropbear patch]:
http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch?h=master
- [BMCWeb https config]:
https://github.com/openbmc/bmcweb/blob/27062605f8ddbafeec691ed9556fe90f2c1ab8d2/include/ssl_key_handler.hpp
3. Pick up the [nginx patch][] to mitigate a problem downgrading from
2.7 to earlier releases. The underlying [nginx downgrade issue][] is in
OpenBMC, so that's where the fix should go. This should be merged into
openbmc master branch first, then picked up by branch=warrior.
References:
- [nginx patch]:
https://gerrit.openbmc-project.xyz/c/openbmc/meta-ibm/+/23203
- [nginx downgrade issue]: https://github.com/openbmc/openbmc/issues/3564