Security Working Group meeting - Wednesday January 8
Joseph Reynolds
jrey at linux.ibm.com
Wed Jan 8 06:54:22 AEDT 2020
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday January 8 at 10:00am PDT.
We'll discuss current development items, and anything else that comes
up. The current topics:
1. Gerrit review: Overview of BMC interfaces which either (1) someone
might want to dynamically enable or disable, or (2) form an interesting
part of the BMC’s attack surface.
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/27969
2. Gerrit review: Prompted by IRC #openbmc discussion: Idea: List
applicable security standards and best practices which might apply to
OpenBMC for folks who want to use OpenBMC in their higher-security
project which needs to meet security standards.
3. Review composition of the openbmc-security email list per
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md#team-composition-and-email-maintenance
4. Code review to redirect HTTP to HTTPS (via nc netcat) -
https://gerrit.openbmc-project.xyz/c/openbmc/meta-openpower/+/28099 This
is currently scoped to OpenPOWER; can it be moved to meta-phosphor? Are
there security concerns with adding the “netcat” (nc) command?
5. Gerrit review: Denial of service (DoS) considerations -
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/28213 (Joseph:)
Specifically, I want to know if this is mergeable, and I want to start
with the BMCWeb rate-limiting defences.
Access, agenda, and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph