Security Working Group - Wednesday April 1 - highlights

Joseph Reynolds jrey at linux.ibm.com
Fri Apr 3 05:44:45 AEDT 2020


On 3/31/20 11:21 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday April 1 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
>
> The current topics:
>
> 1. SELinux or AppArmor plans

Topic 1 has three points:
1a. We would also want to move away from all processes running as root. 
https://github.com/openbmc/openbmc/issues/3383  Next step is to create an 
issue for each repo.
1b. A next step is to determine criteria for selecting SELinux or 
AppArmor.  What direction should the project go?
1c. There is continued interest, but no active work on this.  Next step: 
Followup with email.


Topic 2 was added:  Admin-controlled security settings -- Discuss plans 
for BMC admin-controlled security settings.  Access per NIC. Disable 
ipmi cipher 3.
This topic was discussed recently by the Web design team, who have access to 
user feedback.

See IBM’s plans here: https://github.com/ibm-openbmc/dev/issues/612.
- Issue 612 does not quite cover all the items.  There are a few changes 
and clarifications from issue 612.

The group discussed how a BMC admin can control access to the BMC via 
its network in terms of the following areas.
More details are in the minutes (link below).

1. The admin can control each NIC individually.  Example: data-center 
wide network vs. private management network.  The admin can control 
which network interface the BMC brings up.

2. We would like to be able to control which services are available on a 
per-NIC basis.  For example, REST APIs to directly model if service X is 
accessible from network Y.  Then we can, for example, provide IPMI 
RMCP+ service to a private network but not to the data-center-wide network.
We don't have this mechanism, but individual services may be able to 
discriminate based on ingress network.
I think the direction toward a solution remains open.
For the near term (this year), we'll work on allowing the admin to 
disable and enable services.  For example, the admin can disable SSH and 
IPMI RMCP+, but will not have the capability to offer RMCP+ to network A 
but not network B.

3. We would like to allow the admin to enable or disable bridges like 
KCS or BT, and also protocols over those bridges such as IPMB.
(However, my understanding of this area is very limited.  Please 
contribute your understanding.)

4. We want to allow the admin to be able to disable RMCP+ cipher suite 
3, leaving only 17.  Is there an IPMI command to do that?  And is that 
command implemented in OpenBMC?

Note that after the meeting, a patch was created to remove suite 3: 
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-net-ipmid/+/30814

Note the BMC's IPMI function has two very different access vectors:
- via RMCP+ out-of-band or network
- via in-band IPMI via host connections

Enabling these should be separately controllable.


>
> Access, agenda, and notes are in the wiki:
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph

- Joseph
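As an added example (not part of Joseph's message or of any OpenBMC code), the audit check a BMC admin would want after topic 4 is applied: decode the record list returned by the IPMI 2.0 "Get Channel Cipher Suites" command and flag any suite the BMC still advertises other than 17. The response bytes, the ALLOWED_SUITES policy and the function names are constructed assumptions for illustration.

```python
"""Audit which RMCP+ cipher suites a BMC advertises (added example, not OpenBMC code).

Record format (IPMI 2.0 spec, Get Channel Cipher Suites): 0xC0 starts a standard
record, 0xC1 an OEM record (followed by a 3-byte IANA number); next byte is the
suite ID; the remaining bytes are algorithm numbers whose top two bits give the
class (00 = authentication, 01 = integrity, 10 = confidentiality).
"""
from dataclasses import dataclass

AUTH = {0: "RAKP-none", 1: "RAKP-HMAC-SHA1", 2: "RAKP-HMAC-MD5", 3: "RAKP-HMAC-SHA256"}
INTEGRITY = {0: "none", 1: "HMAC-SHA1-96", 2: "HMAC-MD5-128", 3: "MD5-128", 4: "HMAC-SHA256-128"}
CONF = {0: "none", 1: "AES-CBC-128", 2: "xRC4-128", 3: "xRC4-40"}

ALLOWED_SUITES = {17}   # policy assumed from the meeting: keep only suite 17 (SHA-256 based)

@dataclass
class CipherSuite:
    suite_id: int
    auth: str
    integrity: str
    confidentiality: str

def parse_cipher_suite_records(data: bytes) -> list[CipherSuite]:
    """Decode standard (0xC0) records; OEM (0xC1) records are consumed but not reported."""
    suites, i = [], 0
    while i < len(data):
        tag = data[i]
        if tag not in (0xC0, 0xC1):
            raise ValueError(f"unexpected record start byte 0x{tag:02x} at offset {i}")
        i += 1 + (3 if tag == 0xC1 else 0)   # skip the OEM IANA enterprise number
        suite_id, i = data[i], i + 1
        algs = {}
        while i < len(data) and data[i] not in (0xC0, 0xC1):
            algs[data[i] >> 6] = data[i] & 0x3F   # class tag -> algorithm number
            i += 1
        if tag == 0xC0:
            suites.append(CipherSuite(suite_id, AUTH.get(algs.get(0), "?"),
                                      INTEGRITY.get(algs.get(1), "?"), CONF.get(algs.get(2), "?")))
    return suites

def disallowed_suites(data: bytes) -> list[int]:
    """Suite IDs the BMC still advertises that fall outside ALLOWED_SUITES."""
    return [s.suite_id for s in parse_cipher_suite_records(data) if s.suite_id not in ALLOWED_SUITES]

# Constructed response: suite 3 (RAKP-HMAC-SHA1, HMAC-SHA1-96, AES-CBC-128) and
# suite 17 (RAKP-HMAC-SHA256, HMAC-SHA256-128, AES-CBC-128) both still offered.
SAMPLE_RESPONSE = bytes([0xC0, 0x03, 0x01, 0x41, 0x81,
                         0xC0, 0x11, 0x03, 0x44, 0x81])

if __name__ == "__main__":
    for suite in parse_cipher_suite_records(SAMPLE_RESPONSE):
        print(suite)
    print("advertised but not allowed:", disallowed_suites(SAMPLE_RESPONSE))   # [3]
```

Run against the real payload (e.g. the bytes behind `ipmitool lan print` cipher suite output) to confirm that, after the phosphor-net-ipmid change, the list reports no disallowed suites.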


