Security Working Group meeting - Wednesday June 24 - results

Joseph Reynolds jrey at linux.ibm.com
Fri Jun 26 00:32:56 AEST 2020


On 6/23/20 8:17 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday June 24 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
>
> 1. Is there interest in documenting privacy considerations (as 
> personal data stored on the BMC's flash drive)?
TODO: Joseph to push notes into openbmc/docs.

>
> 2. Planning for dropbear 2020.79 configuration.
TODO: When we pick up a Yocto that updates to dropbear 2020.79, we 
should revisit some patches:
Per https://matt.ucc.asn.au/dropbear/CHANGES -

- CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by default.
   They can be set in localoptions.h if required.
   Blowfish has been removed.

And a number of ciphers have been added.  Our patches are here:
https://github.com/openbmc/openbmc/blob/master/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/dropbear/dropbear/options.patch

>
> 3. Proposal: Create new email address for OpenBMC security announcements:
>  - openbmc at lists.ozlabs.org -- is for the community.
>  - openbmc-security at lists.ozlabs.org -- is to report security 
> vulnerabilities and the OpenBMC security response team's private
> discussions of non-public vulnerabilities.
>  - openbmc-public-security-announcements at lists.ozlabs.org -- could be 
> for public security discussions, including announcements of OpenBMC 
> security fixes
We agreed this is a good idea if Joseph does all the work for it.  To 
make it useful for subscribers, we need to moderate the list and have 
only actionable items (such as CVE fixes, significant security relevant 
configuration changes, and the like).

TODO: Joseph to move forward to the email list.

>
> 4. Discuss OpenBMC 2.8 security audit results and feedback for the 
> release notes.
The security audit exercise seemed beneficial, cost effective, and 
generated some discussion and release notes.  Next time can we use more 
open source scanners?  (Links are in the minutes.)

5. (Bonus item): The project is using PLDM over MCTP.  Is there interest 
in SPDM?
ANSWER: Yes, and SPDM is new.

- Joseph

>
>
> Access, agenda, and notes are in the wiki:
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>
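For item 2 (the dropbear 2020.79 defaults), the following is an added example to go with these minutes; it is not OpenBMC, dropbear or Joseph's code. It shows the check a maintainer can run once the Yocto bump lands: dropbear takes a build option from localoptions.h when that file defines it and otherwise falls back to the #ifndef-guarded value in default_options.h, so the script resolves the effective value the same way and flags any algorithm that 2020.79 turns off by default but a stale local override turns back on. The option names (DROPBEAR_ENABLE_CBC_MODE, DROPBEAR_3DES, DROPBEAR_SHA1_96_HMAC, DROPBEAR_X11FWD) are the ones used in dropbear's default_options.h as I know it; confirm them against the header of the version actually picked up. The two header fragments are constructed samples.

```shell
#!/bin/sh
# Added example; not OpenBMC or dropbear project code.
# Resolve dropbear build options the way the build does (localoptions.h wins,
# otherwise the #ifndef fallback in default_options.h) and flag weak algorithms
# that are still enabled. Option names are assumed to match dropbear's
# default_options.h; verify against the version you pick up.

# Constructed sample of the relevant default_options.h fragment (2020.79-style defaults).
DEFAULTS='#ifndef DROPBEAR_ENABLE_CBC_MODE
#define DROPBEAR_ENABLE_CBC_MODE 0
#endif
#ifndef DROPBEAR_3DES
#define DROPBEAR_3DES 0
#endif
#ifndef DROPBEAR_SHA1_96_HMAC
#define DROPBEAR_SHA1_96_HMAC 0
#endif
#ifndef DROPBEAR_X11FWD
#define DROPBEAR_X11FWD 0
#endif'

# Constructed sample localoptions.h that re-enables CBC mode: the case to catch.
LOCAL='#define DROPBEAR_ENABLE_CBC_MODE 1   /* stale override from an old patch */
#define DROPBEAR_X11FWD 0'

# define_value TEXT NAME: print the numeric value of the last "#define NAME n"
# line in TEXT, or nothing if TEXT does not define NAME.
define_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*#define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" |
        tail -n 1
}

# option_value LOCAL_TEXT DEFAULT_TEXT NAME: effective value, localoptions.h first,
# then default_options.h, then 0 if neither defines it.
option_value() {
    v=$(define_value "$1" "$3")
    [ -n "$v" ] || v=$(define_value "$2" "$3")
    printf '%s\n' "${v:-0}"
}

# weak_options_enabled LOCAL_TEXT DEFAULT_TEXT: print each weak option that is
# effectively on as NAME=value; exit 0 when none is on, 1 otherwise.
weak_options_enabled() {
    rc=0
    for opt in DROPBEAR_ENABLE_CBC_MODE DROPBEAR_3DES DROPBEAR_SHA1_96_HMAC DROPBEAR_X11FWD; do
        v=$(option_value "$1" "$2" "$opt")
        if [ "$v" != 0 ]; then
            printf '%s=%s\n' "$opt" "$v"
            rc=1
        fi
    done
    return $rc
}

# On a real tree, pass the contents of the two headers instead of the samples
# (paths are assumptions):
#   weak_options_enabled "$(cat localoptions.h)" "$(cat default_options.h)"
if weak_options_enabled "$LOCAL" "$DEFAULTS"; then
    echo "no weak algorithms enabled"
else
    echo "weak algorithms enabled; revisit the dropbear patches" >&2
fi
```

With the sample inputs the check reports DROPBEAR_ENABLE_CBC_MODE=1 and exits nonzero; with an empty localoptions.h it passes on the 2020.79 defaults alone, which is the state the two OpenBMC patches should be re-checked against.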
