Security Working Group - Wednesday April 1 - highlights
Joseph Reynolds
jrey at linux.ibm.com
Fri Apr 3 05:44:45 AEDT 2020
On 3/31/20 11:21 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday April 1 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
>
> The current topics:
>
> 1. SELinux or AppArmor plans
Topic 1 has three points:
1a. We would also want to move away from all processes running as root.
https://github.com/openbmc/openbmc/issues/3383 Next step is to create an
issue for each repo.
1b. A next step is to determine criteria for selecting SELinux or
AppArmor. What direction should the project go?
1c. There is continued interest, but no active work on this. Next step:
Follow up with email.
Topic 2 was added: Admin-controlled security settings -- Discuss plans
for BMC admin-controlled security settings. Access per NIC. Disable
ipmi cipher 3.
This topic was discussed recently by the Web design who have access to
user feedback.
See IBM’s plans here: https://github.com/ibm-openbmc/dev/issues/612.
- Issue 612 does not quite cover all the items. There are a few changes
and clarifications from issue 612.
The group discussed how a BMC admin can control access to the BMC via
its network in terms of the following areas.
More details are in the minutes (link below).
1. The admin can control each NIC individually. Example: data-center
wide network vs. private management network. The admin can control
which network interface the BMC brings up.
2. We would like to be able to control which services are available on a
per-NIC basis. For example, REST APIs to directly model if service X is
accessible from network Y.
Then we can, for example, provide IPMI
RMCP+ service to a private network but not to the data-center-wide network.
We don't have this mechanism, but individual services may be able to
discriminate based on ingress network.
I think the direction toward a solution remains open.
For the near term (this year), we’ll work on allowing the admin to
disable and enable services. For example, the admin can disable SSH and
IPMI RMCP+, but will not have the capability to offer RMCP+ to a network A
but not network B.
3. We would like to allow the admin to enable or disable bridges like
KCS or BT, and also protocols over those bridges such as IPMB.
(However, my understanding of this area is very limited. Please
contribute your understanding.)
4. We want to allow the admin to be able to disable RMCP+ cipher suite
3, leaving only 17. Is there an IPMI command to do that? And is that
command implemented in OpenBMC?
Note that after the meeting, a patch was created to remove suite 3:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-net-ipmid/+/30814
Note the BMC's IPMI function has two very different access vectors:
- via RMCP+ out-of-band or network
- via in-band IPMI via host connections
Enabling these should be separately controllable.
>
> Access, agenda, and notes are in the wiki:
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
- Joseph