Security workgroup meeting times

Joseph Reynolds jrey at linux.ibm.com
Tue Jan 28 04:42:04 AEDT 2020


Team,

Let's try again to establish another OpenBMC Security Workgroup meeting 
time.  The current meeting time (every other week 10am Pacific Daylight 
Time) is working for some, but not for others.  To be clear, we would 
use the same workgroup, just have alternate meeting times.

First, let's find a time that works for Australia, Asia, and Europe.  
I've seen participation and continued interest from folks in those time 
zones. Because the current meeting time is bad for them, let's establish 
alternate times.

Second, I am thinking we could establish alternating meeting times. We 
will not find a time that works for everyone.  I try to accommodate 
folks who cannot attend by writing a summary of the topics and 
conclusions, and by pushing the work back out into this email list.  But 
that is not the same as attending a meeting.  I feel that the meetings 
foster better responses and more participation than using the email list 
alone.  For that reason, I want to continue to meet.  Hence, I am 
proposing alternating meeting times.

Third, I have been running the meetings.  I plan to continue to handle 
the Security workgroup meeting agenda, and can help set up the initial 
workgroup meetings at alternate times, I would not plan to run them.  I 
hope you will solve all the security problems while I am sleeping.  
Fortunately, running meetings is easy: just go through the agenda, 
introduce each item, wait for people to talk, and summarize the 
outcome.  We need a volunteer leader for that.

Send me your ideas,
- Joseph


On 1/22/20 3:23 PM, Joseph Reynolds wrote:
> Notes from the security working group meeting 2020-01-22:
> Highlights below; details in 
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
>
> 1. Discuss BMCWeb’s site identity certificate handling, specifically 
> intermediate certificates.  See 
> https://github.com/openbmc/bmcweb/#configuration 

>
> Other web servers have directives to concatenate the intermediate 
> certificates (excluding the root CA certificates) and send that. What 
> does BMCWeb do?

>  - What is BMCWeb's default default?
>  - Need better docs, for example: How can a BMC admin replace 
> theBMCWeb site cert?  Is it okay to concatenate intermediate certs? 
> Can we document this for BMCWeb?
>
>
> 2. Design discussions about aggregation broached the security topic : 
> https://lists.ozlabs.org/pipermail/openbmc/2020-January/020142.html 

>
> We are not sure what security help is needed. at this point.
>
>
> 3. Revisit "Daemons should not run as root" - 
> https://github.com/openbmc/openbmc/issues/3383
>
> There is definite interest.  Who can work on this?  Possible initial 
> goal: convert bmcweb so it runs as a non-root user. BMCWeb is selected 
> because it is higher risk because implements a network interface.

>
>
> 4. Merged BMCWeb commit to allow slower image uploads: 
> https://github.com/openbmc/bmcweb/commit/2b5e08e2915d886655a78aaabff40745dca6b517 
>   See also commit: 0e1cf26b1cd98e0ec069e6187434fcabf1e9c200 “Make the 
> max http request body size configurable”.

>
> Minimal discussion.

>
>
> 5. Merged BMCWeb commit that added new messages for security events: 
> https://github.com/openbmc/bmcweb/commit/8988dda41319950476ebb146df06c2e7b3fbf44d

>
> Minimal discussion.

>
>
> 6. How do we bring security assurance work into the OpenBMC project?  
> Is there interest in considering Protection Profiles that apply to 
> OpenBMC?  We can use these as a systematic way review security 
> topics.  For example, the Operating System Protection Profile (OSPP) 
> talks about cryptographic functions, audit logging, network security, 
> secure boot, etc.  The Virtualization Protection Profile (VPP) 
> considers the BMC to be part of the platform management system.

>
> There was agreement that these security schemes are good starting 
> points to use as a guide.  DONE: Joseph added new “Security Assurance 
> Workflow” section to guide future work in this area - 
> https://github.com/openbmc/openbmc/wiki/Security-working-group#security-assurance-workflow 
> .
>
>
> - Joseph
>



More information about the openbmc mailing list