Security working group meeting 2020-01-22

Joseph Reynolds jrey at linux.ibm.com
Thu Jan 23 08:23:21 AEDT 2020


Notes from the security working group meeting 2020-01-22:
Highlights below; details in 
https://github.com/openbmc/openbmc/wiki/Security-working-group


1. Discuss BMCWeb’s site identity certificate handling, specifically 
intermediate certificates.  See 
https://github.com/openbmc/bmcweb/#configuration 


Other web servers have directives to concatenate the intermediate 
certificates (excluding the root CA certificates) and send that. What 
does BMCWeb do?

  - What is BMCWeb's default?
  - Need better docs, for example: How can a BMC admin replace the BMCWeb 
site cert?  Is it okay to concatenate intermediate certs? Can we 
document this for BMCWeb?


2. Design discussions about aggregation broached the security topic: 
https://lists.ozlabs.org/pipermail/openbmc/2020-January/020142.html 


We are not sure what security help is needed at this point.


3. Revisit "Daemons should not run as root" - 
https://github.com/openbmc/openbmc/issues/3383

There is definite interest.  Who can work on this?  Possible initial 
goal: convert bmcweb so it runs as a non-root user.  BMCWeb is selected 
because it is higher risk because it implements a network interface.



4. Merged BMCWeb commit to allow slower image uploads: 
https://github.com/openbmc/bmcweb/commit/2b5e08e2915d886655a78aaabff40745dca6b517 
   See also commit: 0e1cf26b1cd98e0ec069e6187434fcabf1e9c200 “Make the 
max http request body size configurable”.


Minimal discussion.



5. Merged BMCWeb commit that added new messages for security events: 
https://github.com/openbmc/bmcweb/commit/8988dda41319950476ebb146df06c2e7b3fbf44d


Minimal discussion.



6. How do we bring security assurance work into the OpenBMC project?  Is 
there interest in considering Protection Profiles that apply to 
OpenBMC?  We can use these as a systematic way to review security topics.  
For example, the Operating System Protection Profile (OSPP) talks about 
cryptographic functions, audit logging, network security, secure boot, 
etc.  The Virtualization Protection Profile (VPP) considers the BMC to 
be part of the platform management system.


There was agreement that these security schemes are good starting points 
to use as a guide.  DONE: Joseph added new “Security Assurance Workflow” 
section to guide future work in this area - 
https://github.com/openbmc/openbmc/wiki/Security-working-group#security-assurance-workflow 
.


- Joseph


