Security Working Group meeting - this Wednesday February 19
jrey at linux.ibm.com
Tue Feb 18 09:29:23 AEDT 2020
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday February 19 at 10:00am PDT.
We'll discuss current development items, and anything else that comes up.
Ratan intends to participate and has requested that we cover the
following two items first:
(A) service discovery direction, (B) using pam_abl
The current topics:
1. (Joseph): Is OpenBMC affected by the Chrome browser’s SameSite cookie
Do we want to enhance BMCWeb
to create cookies with SameSite=None; Secure when
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION is also used, to allow the BMC to
be used by the Chrome browser. Perhaps by default BMCWeb should
generate cookies with SameSite=Strict?
2. (Joseph, follow up to agenda item 3 from 2020-02-05): Redfish
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28878 Update Feb
clarified the intention to NOT enumerate all accounts (unless you are
3. (email) FYA. BMC aggregator - includes a security topic.
4. (email) FYA - BMC Secure Boot / U-Boot - use dm-verity or alternate?
5. Redfish forum question: Direction for channel based restrictions -
6. (Bruce via email): BMCWeb Cert valid for 10 years -
7. (Joseph / James / Richard email): Rate limiting, use pam_abl -
8. (Joseph via email): New Redfish roles ServiceRep & OemRep -
9. (Joseph email): Implement the Redfish PasswordChangeRequired property
10. (Joseph email): delete BMCWeb sessions after some kinds of account
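A worked illustration of the cookie question in item 1, added here as an example and not BMCWeb's own code: a builder that emits the session cookie under either policy (SameSite=Strict by default, or SameSite=None; Secure when cross-site use is enabled), and a checker that flags a Set-Cookie value breaking that rule. The function names, the SESSION cookie name and the allowCrossSite flag are assumptions standing in for the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION option.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Build the session Set-Cookie value. allowCrossSite is a hypothetical stand-in
// for the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION build option: when it is set
// the cookie must be sent in cross-site requests, which needs SameSite=None,
// and browsers (Chrome 80 onwards) reject SameSite=None unless Secure is also set.
std::string sessionCookie(const std::string& token, bool allowCrossSite) {
    std::string h = "SESSION=" + token + "; HttpOnly; Path=/";
    if (allowCrossSite)
        h += "; SameSite=None; Secure";   // cross-site use: None requires Secure
    else
        h += "; SameSite=Strict; Secure"; // default: never sent cross-site
    return h;
}

// Check one Set-Cookie value against the policy above; returns findings, empty = OK.
std::vector<std::string> checkCookie(const std::string& header) {
    std::vector<std::string> findings;
    std::string sameSite;
    bool secure = false, httpOnly = false, first = true;
    std::stringstream ss(header);
    std::string part;
    while (std::getline(ss, part, ';')) {
        part.erase(0, part.find_first_not_of(' '));     // trim leading spaces
        part.erase(part.find_last_not_of(' ') + 1);     // trim trailing spaces
        if (first) { first = false; continue; }          // skip name=value
        std::string lower = part;
        std::transform(lower.begin(), lower.end(), lower.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        if (lower == "secure") secure = true;
        else if (lower == "httponly") httpOnly = true;
        else if (lower.rfind("samesite=", 0) == 0) sameSite = lower.substr(9);
    }
    if (sameSite.empty())
        findings.push_back("no SameSite attribute; Chrome 80+ treats it as Lax");
    if (sameSite == "none" && !secure)
        findings.push_back("SameSite=None without Secure is rejected by the browser");
    if (!httpOnly)
        findings.push_back("missing HttpOnly; script can read the session token");
    return findings;
}
```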
Access, agenda, and notes are in the wiki: