Security Working Group meeting - this Wednesday February 19

Joseph Reynolds jrey at linux.ibm.com
Tue Feb 18 09:29:23 AEDT 2020


This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday February 19 at 10:00am PDT.

We'll discuss current development items, and anything else that comes up.

Ratan intends to participate and has requested that we cover the 
following two items first:
(A) service discovery direction, (B) using pam_abl

The current topics:

1. (Joseph): Is OpenBMC affected by the Chrome browser's SameSite cookie 
changes 
(https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html)? 
Do we want to enhance BMCWeb 
(https://github.com/openbmc/bmcweb/blob/master/include/token_authorization_middleware.hpp#L430) 
to create cookies with SameSite=None; Secure when 
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION is also used, to allow the BMC to 
be used by the Chrome browser?  Perhaps by default BMCWeb should 
generate cookies with SameSite=Strict?  


2. (Joseph, follow-up to agenda item 3 from 2020-02-05): Redfish 
Privilege updates: 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881 and 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28878  Update Feb 
11: see 
https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 
which clarified the intention to NOT enumerate all accounts (unless you 
are the admin).


3. (email) FYA.  BMC aggregator - includes a security topic. 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020433.html 


4. (email) FYA - BMC Secure Boot / U-Boot - use dm-verity or alternate? 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020452.html 


5. Redfish forum question: Direction for channel based restrictions - 
https://redfishforum.com/thread/279/channel-privilege-support-direction-redfish 


6. (Bruce via email):  BMCWeb Cert valid for 10 years - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020488.html 


7. (Joseph / James / Richard email): Rate limiting, use pam_abl - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020430.html 


8. (Joseph via email): New Redfish roles ServiceRep & OemRep - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020540.html 


9. (Joseph email): Implement the Redfish PasswordChangeRequired property - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020554.html 


10. (Joseph email): delete BMCWeb sessions after some kinds of account 
changes - 
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020555.html 




Access, agenda, and notes are in the wiki:

https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph
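The following is an added worked example for agenda item 1 above; it is not part of Joseph's message and not BMCWeb code. It models the February 2020 Chrome 80 rules the item refers to (a cookie with no SameSite attribute is treated as SameSite=Lax; SameSite=None is only honoured together with Secure) and shows, for a few constructed Set-Cookie headers shaped like a BMC session cookie, whether a web UI served from a different origin would still get the cookie on a cross-site XHR. The cookie name and value, the sample headers and the function names are assumptions made for the example; the temporary "Lax+POST" two-minute exception Chrome shipped with the change is not modelled.

```python
"""Classify Set-Cookie headers the way Chrome 80 (February 2020) does.

Added example, not BMCWeb code. The cookie name, value and the sample
headers below are constructed to resemble a BMC login response.
"""
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    samesite: str        # effective SameSite policy after Chrome's default
    secure: bool
    accepted: bool       # False if Chrome 80 drops the cookie entirely
    note: str


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_verdict(header: str) -> CookieVerdict:
    """Apply the February 2020 Chrome rules to one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    declared = attrs.get("samesite", "").lower()
    if declared in ("lax", "strict", "none"):
        samesite = declared.capitalize()
        note = f"explicit SameSite={samesite}"
    else:
        # Missing (or unrecognised) SameSite: Chrome 80 treats it as Lax.
        samesite = "Lax"
        note = "no valid SameSite attribute; Chrome 80 defaults to Lax"
    accepted = True
    if samesite == "None" and not secure:
        # SameSite=None is only honoured together with Secure.
        accepted = False
        note = "SameSite=None without Secure: Chrome 80 rejects the cookie"
    return CookieVerdict(name, samesite, secure, accepted, note)


def sent_on_request(verdict: CookieVerdict, same_site: bool,
                    top_level_navigation: bool = False,
                    method: str = "GET") -> bool:
    """Would Chrome 80 attach this cookie to the described request?

    same_site: the request comes from the same site as the BMC.
    top_level_navigation: a link click or form post, not an XHR/fetch.
    (The temporary "Lax+POST" two-minute exception is not modelled.)
    """
    if not verdict.accepted:
        return False
    if same_site:
        return True
    if verdict.samesite == "None":
        return True
    if verdict.samesite == "Lax":
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return False  # Strict: never sent on a cross-site request


# Constructed sample headers (assumed cookie name/value, not BMCWeb's).
SAMPLES = {
    "no_samesite":   "SESSION=6f1c2a; Secure; HttpOnly",
    "none_secure":   "SESSION=6f1c2a; Secure; HttpOnly; SameSite=None",
    "none_insecure": "SESSION=6f1c2a; HttpOnly; SameSite=None",
    "strict":        "SESSION=6f1c2a; Secure; HttpOnly; SameSite=Strict",
}


def cross_site_xhr_works(header: str) -> bool:
    """Does a web UI served from another origin still get the session cookie?"""
    return sent_on_request(chrome80_verdict(header), same_site=False)


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        v = chrome80_verdict(header)
        print(f"{label:14} accepted={v.accepted!s:5} effective={v.samesite:6} "
              f"cross-site XHR={cross_site_xhr_works(header)!s:5} ({v.note})")
```

Run stand-alone it prints one line per sample. The "no_samesite" case is the pre-change BMCWeb behaviour the item asks about: the cookie is still accepted, but as Lax it is no longer sent on a cross-site XHR, so a UI served from another origin (the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION scenario) loses its session; only "SameSite=None; Secure" restores that, and "SameSite=None" without Secure is dropped outright.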