Security Working Group - Wednesday July 22 - results

Joseph Reynolds jrey at linux.ibm.com
Fri Jul 24 00:11:29 AEST 2020



On 7/20/20 8:57 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday July 22 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
>
> 1. The OpenBMC interface overview is merged into the docs repository 
> here: 
> https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md. 
> Is there interest in building a threat model on top of this?
No discussion.

>
> 2. A gerrit review merged. It is a rework of BMCWeb authorization 
> flow: https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/30994
>
> and tweaks some security settings.  Is there interest in reviewing the 
> code or changed settings?  (Please note: This change was introduced 
> months ago and it went unnoticed in the security workgroup.  Better 
> late than never.)
No discussion.
>
> 3. Gerrit review: Firmware minimum ship level (can help with host 
> firmware anti-rollback protection) 
> https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-bmc-code-mgmt/+/29914
> Access, agenda, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
No discussion.

Topics added after the meeting notice was sent:

4. Question: If BMCWeb finds an unusable HTTPS site identity certificate, 
it DELETES it and self-generates one.  This has caused problems for 
certificates that are not valid until a future date. In general, what 
certificate management support should we have for BMCWeb?  What is needed?
ANSWER:
There were two discussion threads: The BMC’s notion of time of day 
(TOD), and how BMCWeb should handle certificates.

Does the BMC have a battery backed TOD clock?  Depends on BMC model.  
Can it validate if it has access to its NTP server (when configured)?  
Does the BMC know if its time was set correctly?

How does the BMC know if the BMC has the correct time?  Have a BMC flag 
that says, “Looks like the BMC TOD clock is not working.”  Does the BMC 
know if we got a good time from an NTP server?  Can we read the GPS 
signal?  What is the industry solution?
Should the BMC store its idea of what date it is?  So it can report if 
the time changes significantly.  Or will this lead to a bigger problem?  
Is it better/simpler to check for TOD = beginning-of-era-1/1/1970?  → 
start an email thread

BMCWeb configuration?  Configure option: delete cert and generate 
self-signed -vs- use defective certificate.  What is the purpose of 
deleting the unusable cert?  Should “out of date” not be part of the 
“unusable” definition? ⇒ Ideas: 1. If bmcweb finds a usable cert that is 
out of date, that cert can still be used.  2. Leave the defective 
certificate (do not delete it) and log an error.

The group consensus was that BMCWeb should treat its HTTPS site identity 
certificate like this:
1. Certificate is perfectly good: use the certificate.
2. Certificate is good but expired or not yet valid: use the certificate 
and log a warning.
3. Certificate is missing, bad format, or algorithm too old: use 
another certificate or self-generate a certificate (and log that action).
There are no cases where BMCWeb should delete any certificate.

Next steps: discuss on email list, write patch.

5. Fuzzing.  We briefly discussed the existing test infrastructure 
https://github.com/openbmc/openbmc-test-automation/ and previous calls 
for fuzzing.
If someone wanted to perform fuzzing, where would they start, what tools 
should they use, etc.

6. Can we fill out the information in 
https://github.com/openbmc/openbmc/security ?


- Joseph
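The certificate policy agreed under topic 4, as an added example (not bmcweb's own code): a decision function that maps the three cases to use / use-and-warn / replace-and-log, with no delete path, and applies the TOD-equals-1970 heuristic from the same discussion. The CertInfo struct, the "algorithm too old" threshold and the one-year clock heuristic are assumptions, not settings from the notes.

```cpp
#include <ctime>
#include <string>

// Hypothetical parsed view of the HTTPS site identity certificate; a real
// implementation would fill it from the X509 parser's output.
struct CertInfo {
    bool parsed = false;        // false: file missing or not a valid certificate
    std::string sigAlgorithm;   // e.g. "sha256WithRSAEncryption"
    unsigned keyBits = 0;       // public key size
    std::time_t notBefore = 0;  // validity window, seconds since the epoch
    std::time_t notAfter = 0;
};

enum class CertAction {
    Use,            // case 1: certificate is perfectly good
    UseAndWarn,     // case 2: good but expired / not yet valid (or unverifiable)
    ReplaceAndLog,  // case 3: missing, bad format or algorithm too old
};

struct Decision {
    CertAction action;
    std::string reason;  // text for the journal entry
};

// Assumed definition of "algorithm too old": MD5 or SHA-1 signatures, or an
// RSA key shorter than 2048 bits. Adjust to the platform's policy.
static bool algorithmTooOld(const CertInfo& c) {
    return c.sigAlgorithm.find("md5") != std::string::npos ||
           c.sigAlgorithm.find("sha1") != std::string::npos ||
           (c.sigAlgorithm.find("RSA") != std::string::npos && c.keyBits < 2048);
}

// TOD heuristic from the notes (assumed threshold): a clock still in the first
// year of the Unix era has not been set, so the validity window cannot be judged.
static bool clockLooksUnset(std::time_t now) { return now < 365 * 24 * 60 * 60; }

Decision decideSiteCertificate(const CertInfo& c, std::time_t now) {
    if (!c.parsed) return {CertAction::ReplaceAndLog, "certificate missing or unparsable"};
    if (algorithmTooOld(c)) return {CertAction::ReplaceAndLog, "certificate algorithm too old"};
    if (clockLooksUnset(now)) return {CertAction::UseAndWarn, "BMC clock unset; validity window not checked"};
    if (now < c.notBefore) return {CertAction::UseAndWarn, "certificate not yet valid"};
    if (now > c.notAfter) return {CertAction::UseAndWarn, "certificate expired"};
    return {CertAction::Use, "certificate valid"};  // no branch ever deletes a certificate
}

// Constructed sample certificate for trying the policy out (not a real cert).
CertInfo sampleCert(const std::string& alg = "sha256WithRSAEncryption") {
    CertInfo c; c.parsed = true; c.sigAlgorithm = alg; c.keyBits = 2048;
    c.notBefore = 1500000000; c.notAfter = 1700000000;  // mid-2017 to late-2023
    return c;
}
```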



