Security Working Group - Wednesday August 5 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Aug 6 09:26:40 AEST 2020
On 8/3/20 4:09 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday August 5 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
Bonus topic discussed before the meeting:
We discussed the "security working group" email notices intended to get
folks to attend this meeting. Parth volunteered to send these emails
beginning next meeting.
We discussed the "security working group - results" email (this email)
that summarizes the discussion and may contain a call to action.
See example emails archived here:
invitation: https://lists.ozlabs.org/pipermail/openbmc/2020-July/022296.html
results: https://lists.ozlabs.org/pipermail/openbmc/2020-July/022330.html
>
> 1. Review/create OpenBMC security policy:
> https://github.com/openbmc/openbmc/security
Sounds good. Joseph to follow up.
>
> 2. Make OpenBMC security advisories available under:
> https://github.com/openbmc/openbmc/security
Sounds good. Joseph to follow up.
>
> 3. Do we need a followup discussion for the recent HTTPS certificate
> email threads?
No. The consensus from the email thread sounds good.
>
> 4. Is there interest in enhancing OpenBMC firmware image update
> uploads using the Redfish-specified multipart HTTP push updates (that
> is, support the MultipartHttpPushUri property)?
Sounds good, but nobody is working on it. We also discussed use cases
for golden/primary/active/alternate images.
New topics after the invitation email was sent:
5. Call for BMC hardware vendors (like ASPEED and Nuvoton) to
collaborate with OCP security -
https://lists.ozlabs.org/pipermail/openbmc/2020-July/022413.html to help
define platform root of trust.
6. The Google GLOME project was introduced; this can be a way to
authorize BMC users.
See https://github.com/google/glome/blob/master/docs/glome-login.md
A GLOME talk is scheduled for the next meeting: Wednesday August 19.
7. Can we add a new “security” label for GitHub issues and for Gerrit?
ANSWER: Yes. Joseph to follow up.
8. The CSIS (Cloud Security Industry Summit) wants feedback on improving
BMC security. ANSWER: Joseph volunteered to attend the meetings.
>
> Access, agenda, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph