Security Working Group meeting - this Wednesday February 19

Joseph Reynolds jrey at
Tue Feb 18 09:29:23 AEDT 2020

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday February 19 at 10:00am PDT.

We'll discuss current development items, and anything else that comes up.

Ratan intends to participate and has requested that we cover the 
following two items first:
(A) service discovery direction, (B) using pam_abl

The current topics:

1. (Joseph): Is OpenBMC affected by the Chrome browser’s SameSite cookie 
Do we want to enhance BMCWeb 
to create cookies with SameSite=None; Secure when 
be used by the Chrome browser.  Perhaps by default BMCWeb should 
generate cookies with SameSite=Strict?  

2. (Joseph, follow up to agenda item 3 from 2020-02-05): Redfish 
Privilege updates: and  Update Feb 
11: See 
clarified the intention to NOT enumerate all accounts (unless you are 
the admin)

3. (email) FYA.  BMC aggregator - includes a security topic. 

4. (email) FYA - BMC Secure Boot / U-Boot - use dm-verity or alternate? 

5. Redfish forum question: Direction for channel based restrictions - 

6. (Bruce via email):  BMCWeb Cert valid for 10 years - 

7. (Joseph / James / Richard email): Rate limiting, use pam_abl - 

8. (Joseph via email): New Redfish roles ServiceRep & OemRep - 

9. (Joseph email): Implement the Redfish PasswordChangeRequired property 

10. (Joseph email): delete BMCWeb sessions after some kinds of account 

Access, agenda, and notes are in the wiki:

- Joseph
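Added illustration for agenda item 1 (not part of the original message and not BMCWeb code): a small C++ model of the two cookie-policy choices the item raises. `buildSetCookie` emits a session cookie with a conservative SameSite=Strict default and refuses the SameSite=None-without-Secure combination; `chrome80Outcome` models how Chrome 80 treats a Set-Cookie header (no SameSite attribute is treated as Lax; SameSite=None is dropped unless Secure is also present). The cookie name `SESSION`, the `CookiePolicy` struct and both function names are assumptions made for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <optional>
#include <sstream>
#include <string>

// Browser-enforced SameSite semantics:
//   Strict - never sent on cross-site requests
//   Lax    - sent on top-level cross-site navigations only
//   None   - sent cross-site, but Chrome 80+ requires Secure alongside it
enum class SameSite { Strict, Lax, None };

// Hypothetical policy object for this example; a conservative default.
struct CookiePolicy {
    SameSite sameSite = SameSite::Strict;
    bool secure = true;
    bool httpOnly = true;
};

inline std::string sameSiteToString(SameSite s) {
    switch (s) {
        case SameSite::Strict: return "Strict";
        case SameSite::Lax:    return "Lax";
        case SameSite::None:   return "None";
    }
    return "Strict";
}

// Build the value of a Set-Cookie header for a session cookie.
// Returns std::nullopt when asked for SameSite=None without Secure,
// because Chrome 80+ rejects such a cookie and the BMC session would
// silently stop working for that browser.
inline std::optional<std::string> buildSetCookie(const std::string& name,
                                                 const std::string& value,
                                                 const CookiePolicy& p) {
    if (p.sameSite == SameSite::None && !p.secure) {
        return std::nullopt;
    }
    std::string header = name + "=" + value + "; Path=/";
    header += "; SameSite=" + sameSiteToString(p.sameSite);
    if (p.secure)   header += "; Secure";
    if (p.httpOnly) header += "; HttpOnly";
    return header;
}

// How Chrome 80 treats a given Set-Cookie header (modelled here, not
// taken from any browser or BMCWeb source):
//   no SameSite attribute      -> treated as Lax ("Lax by default")
//   SameSite=None with Secure  -> cross-site use allowed
//   SameSite=None, no Secure   -> cookie rejected
enum class ChromeOutcome { Strict, Lax, None, Rejected };

inline std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

inline std::string trim(const std::string& s) {
    auto b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    auto e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

inline ChromeOutcome chrome80Outcome(const std::string& setCookie) {
    std::optional<std::string> sameSite;
    bool secure = false;
    std::istringstream in(setCookie);
    std::string part;
    bool first = true;
    while (std::getline(in, part, ';')) {
        if (first) { first = false; continue; }  // skip the name=value pair
        std::string attr = toLower(trim(part));
        if (attr == "secure") {
            secure = true;
        } else if (attr.rfind("samesite=", 0) == 0) {
            sameSite = attr.substr(9);
        }
    }
    if (!sameSite) return ChromeOutcome::Lax;  // Chrome 80 default
    if (*sameSite == "strict") return ChromeOutcome::Strict;
    if (*sameSite == "lax")    return ChromeOutcome::Lax;
    if (*sameSite == "none")   return secure ? ChromeOutcome::None
                                             : ChromeOutcome::Rejected;
    return ChromeOutcome::Lax;  // unrecognised value falls back to default
}
```

The point for the agenda discussion: a cookie issued with no SameSite attribute at all is what Chrome 80 re-interprets as Lax, so a BMC web UI that relied on the old "no attribute means unrestricted" behaviour is the case to check; explicitly emitting Strict (or Lax) makes the intent visible and removes the dependency on the browser default.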

