Security Working Group - Wednesday August 5 - results

Joseph Reynolds jrey at
Thu Aug 6 09:26:40 AEST 2020

On 8/3/20 4:09 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 5 at 10:00am PDT.
> We'll discuss current development items, and anything else that comes up.

Bonus topic discussed before the meeting:
We discussed the "security working group" email notices intended to get 
folks to attend this meeting.  Parth volunteered to send these emails 
beginning next meeting.
We discussed the "security working group - results" email (this email) 
that summarizes the discussion and may contain a call to action.
See example emails archived here:

> 1. Review/create OpenBMC security policy: 
Sounds good.  Joseph to follow up.

> 2. Make OpenBMC security advisories available under: 
Sounds good.  Joseph to follow up.

> 3. Do we need a followup discussion for the recent HTTPS certificate 
> email threads?
No. The consensus from the email thread sounds good.

> 4. Is there interest in enhancing OpenBMC firmware image update 
> uploads using the Redfish-specified multipart HTTP push updates (that 
> is, support the MultipartHttpPushUri property)?
Sounds good, but nobody is working on it.  We also discussed use cases 
for golden/primary/active/alternate images.

New topics after the invitation email was sent:

5. Call for BMC hardware vendors (like ASPEED and Nuvoton) to 
collaborate with OCP security - help 
define platform root of trust.

6. The Google GLOME project was introduced; this can be a way to 
authorize BMC users.
A GLOME talk is scheduled for the next meeting: Wednesday August 19.

7. Can we add new “security” label for GitHub issues and for Gerrit? 
ANSWER: Yes. Joseph to follow up.

8. The CSIS (Cloud Security Industry Summit) wants feedback on improving 
BMC security. ANSWER: Joseph volunteered to attend the meetings.

> Access, agenda, and notes are in the wiki:
> - Joseph
