Security Working Group meeting - Wednesday January 8

Joseph Reynolds jrey at linux.ibm.com
Wed Jan 8 06:54:22 AEDT 2020


This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday January 8 at 10:00am PDT.

We'll discuss current development items, and anything else that comes 
up.  The current topics:

1. Gerrit review: Overview of BMC interfaces which either (1) someone 
might want to dynamically enable or disable, or (2) form an interesting 
part of the BMC’s attack surface. 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/27969 


2. Gerrit review: Prompted by IRC #openbmc discussion: Idea: List 
applicable security standards and best practices which might apply to 
OpenBMC for folks who want to use OpenBMC in their higher-security 
project which needs to meet security standards.

3. Review composition of the openbmc-security email list per 
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md#team-composition-and-email-maintenance 


4. Code review to redirect HTTP to HTTPS (via nc netcat) - 
https://gerrit.openbmc-project.xyz/c/openbmc/meta-openpower/+/28099 This 
is currently scoped to OpenPOWER; can it be moved to meta-phosphor?  Are 
there security concerns with adding the “netcat” (nc) command?


5. Gerrit review: Denial of service (DoS) considerations - 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/28213  (Joseph:) 
Specifically, I want to know if this is mergeable, and I want to start 
with the BMCWeb rate-limiting defences. 



Access, agenda, and notes are in the wiki:

https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph

