Security Working Group meeting - Wednesday December 9 - results
jrey at linux.ibm.com
Fri Dec 11 02:10:39 AEDT 2020
On 12/8/20 10:01 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday December 9 at 10:00am PDT.
> We'll discuss the following items on the agenda
> and anything else that comes up:
> Discord discussion #webui: Dumps and logs may contain sensitive
> information as documented
> and https://github.com/openbmc/openbmc/wiki/Configuration-guide
It is worthwhile to document sensitive info stored in dump and log
items. Where are dumps stored? Encrypted? Who *should* have read
access to dumps and logs that may contain sensitive information? Note
different use cases with different details in terms of what information
is present, how sensitive it is, if it needs to be encrypted as it sits
in the BMC, and who should have read access.
The consensus was to keep these details in the wiki.
> Joseph: Proposed PerformService privilege enhancement to BMCWeb
The question is how to implement Redfish custom roles and Redfish OEM
privileges in BMCWeb.
Use the email thread for discussion. The direction is NOT to sprinkle
customizations throughout the code, instead to implement BMCWeb so we
can consume Redfish's published PrivilegeRegistry at BMCWeb compile
time. Then downstream users can supply customized PrivilegeRegistry
files that have OEM privileges. (Refer to the email thread for details,
corrections to the above, and evolving discussion.)
Bonus topic: The December 23 meeting is cancelled, Next meeting
scheduled for January 6.
> Access, agenda and notes are in the wiki:
More information about the openbmc