Proposal to merge code into openbmc 2.7 warrior branch

Joseph Reynolds jrey at linux.ibm.com
Tue Sep 24 01:29:07 AEST 2019


This proposal is to merge code into the [OpenBMC 2.7 warrior fix 
branch][].  There are three sets of changes:
1. Refresh our warrior branch with fixes from the yocto warrior branch.
2. Customize SSH ciphers to harmonize with our HTTPS ciphers.
3. Pick up a fix to make it easier to downgrade to earlier releases.

Details for each of these are below.  Can we get these merged?

References:
- [OpenBMC 2.7 warrior fix branch]: 
https://github.com/openbmc/openbmc/tree/warrior
- [release notes]: 
https://github.com/openbmc/docs/blob/master/release/release-notes.md


- Joseph



1. Pick up fixes from yocto branch=warrior.  This has security fixes 
that we should pick up.


2. Pick up the [SSH dropbear patch][] to disable medium-strength ciphers, 
which brings SSH close to parity with the [BMCWeb HTTPS ciphers][].  
Specifically, it removes the medium-strength ciphers, leaving only strong 
ciphers.  (Note that BMCWeb offers additional strong HTTPS ciphers which 
our Dropbear SSH server does not yet support.)  This change is in the 
yocto master branch, so it is the new behavior going forward, but it was 
not accepted into yocto branch=warrior because it is a configuration 
change and not a fix.  We consider this to be a security fix.  We should 
pick it up to match the ciphers accepted by our HTTPS server.

References:
- [SSH dropbear patch]: 
http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch?h=master
- [BMCWeb HTTPS ciphers]: 
https://github.com/openbmc/bmcweb/blob/27062605f8ddbafeec691ed9556fe90f2c1ab8d2/include/ssl_key_handler.hpp
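One way to verify, after the dropbear change is built into an image, that the BMC's SSH server really offers only the intended algorithms is to read its SSH_MSG_KEXINIT, which every SSH-2 server sends in the clear before key exchange.  The script below is an added example for that check and is not part of this proposal, the dropbear patch, or OpenBMC.  It parses the KEXINIT name-lists per RFC 4253, and its notion of "strong" versus "medium" (AEAD and CTR ciphers and SHA-2/curve25519 key exchange count as strong; CBC, 3DES, RC4 and SHA-1 key exchange do not) is an assumed policy for illustration, not the policy the patch implements.  The sample offer embedded in the script is constructed, not captured from a real BMC.

```python
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# The ten name-lists that follow the 16-byte cookie in SSH_MSG_KEXINIT (RFC 4253, 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _name_list(buf, offset):
    """Read one SSH name-list (uint32 length + comma-separated ASCII names)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + length].decode("ascii")
    return (raw.split(",") if raw else []), offset + length


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into {field name: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, fields = 1 + 16, {}  # skip message id and cookie
    for name in KEXINIT_FIELDS:
        fields[name], offset = _name_list(payload, offset)
    return fields


def build_kexinit(fields):
    """Encode a KEXINIT payload; used here only to construct the sample input."""
    out = bytearray([SSH_MSG_KEXINIT]) + bytes(16)
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return bytes(out + b"\x00" + struct.pack(">I", 0))  # first_kex_packet_follows, reserved


def classify_cipher(name):
    """Assumed policy: AEAD and CTR modes are strong; CBC, 3DES, RC4, 'none' are medium."""
    n = name.lower()
    if "gcm" in n or "chacha20" in n or n.endswith("-ctr"):
        return "strong"
    if n.endswith("-cbc") or "3des" in n or "arcfour" in n or "rc4" in n or n == "none":
        return "medium"
    return "unknown"


def classify_kex(name):
    """Assumed policy: SHA-2 or curve25519 key exchange is strong; SHA-1 is medium."""
    n = name.lower()
    if n.startswith("curve25519") or n.endswith("sha256") or n.endswith("sha512"):
        return "strong"
    return "medium" if n.endswith("sha1") else "unknown"


def audit(fields):
    """Return, per list, the offered algorithms that are not 'strong' under the policy."""
    findings = {"kex_algorithms": [k for k in fields["kex_algorithms"] if classify_kex(k) != "strong"]}
    for direction in ("encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client"):
        findings[direction] = [c for c in fields[direction] if classify_cipher(c) != "strong"]
    return findings


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during SSH handshake")
        buf += chunk
    return buf


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange version strings, and return the server's parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        sock.sendall(b"SSH-2.0-kexinit_audit\r\n")
        packet_length, padding_length = struct.unpack(">IB", _recv_exact(sock, 5))
        body = _recv_exact(sock, packet_length - 1)  # payload + padding, no MAC yet
        return parse_kexinit(body[:len(body) - padding_length])


# Constructed sample offer (not captured from a real BMC) mixing strong and medium algorithms.
SAMPLE_OFFER = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-ed25519", "ssh-rsa"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes128-cbc", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes128-cbc", "3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}

if __name__ == "__main__":
    # With a host argument the live server is audited; otherwise the constructed sample is used.
    offer = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(build_kexinit(SAMPLE_OFFER))
    for field, names in audit(offer).items():
        print(f"{field}: {'ok' if not names else 'not strong: ' + ', '.join(names)}")
```

Run it with the BMC's address as the only argument; an empty "not strong" list for both encryption directions is what the dropbear change is meant to produce, and anything listed is an algorithm still offered that the policy would reject.  Because the check reads only the server's first unencrypted packet, it needs no credentials and leaves no authentication attempt in the BMC's logs.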


3. Pick up the [nginx patch][] to mitigate a problem downgrading from 
2.7 to earlier releases.  The underlying [nginx downgrade issue][] is in 
OpenBMC, so that's where the fix should go.  This should be merged into 
openbmc master branch first, then picked up by branch=warrior.

References:
- [nginx patch]: 
https://gerrit.openbmc-project.xyz/c/openbmc/meta-ibm/+/23203
- [nginx downgrade issue]: https://github.com/openbmc/openbmc/issues/3564


