Security Working Group - Wednesday March 4

Joseph Reynolds jrey at
Thu Mar 5 11:08:57 AEDT 2020

On 3/2/20 6:05 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday March 4 at 10:00am PDT.
> We'll discuss current development items, and anything else that comes up.
> The current topics:
> 1. Proposal to add new Redfish roles for ServiceRep & OemRep. 2. 
> Implement the Redfish PasswordChangeRequired property. 3. Proposal to 
> delete BMCWeb sessions after some kinds of account changes.
> 4. Intel hackathon (pen test, code reviews, etc) results. 5. Security 
> issue: BMCWEB_ENABLE_DBUS_REST=ON enables information leak
> 6. Discuss making contributions toward 
> for the May 2020 OpenBMC release based on Yocto 3.1.
> Access, agenda, and notes are in the wiki:

Here is a summary of the discussion.  More details are in the minutes 
linked below.

1. Weagreed that ServiceRep and ManufacturingRep Privileges are useful 
to articulate. We found two use cases: Admin same as service agent and 
manufacturer, and Admin/Service/manufacturer are different roles. Joseph 
will pursue getting these roles and privileges defined in Redfish. We 
also discussed the problem of how to prevent the admin from escalating 
to the Service role given they control User management. (With possible 
solutions discussed), and some alternate designs.
The next step is: Joseph will send an email to the openbmc list with 
updated details and proposal.

2. Joseph is working on a new D-Bus property for UserPasswordExpired 
that is needed for BMCWeb.

3. Terminating BMCWeb sessions when there are severe account changes 
sounds like a good idea.
Nobody signed up to work on it. :)

4. James asked about how to report security vulnerabilities.  The plan 
to is to follow
and make a judgment call, sending some to the email list (thus 
disclosing them) and some to the OpenBMC security response team.
The response team can then sort out which issues can be disclosed, and 
which we want to fix.
That will be a good stress test.

5. We want definite plans and a timeline for changing the default to 

6. Joseph will propose an OpenBMC-customized dynamic-security-scan tool 
via email.

- Joseph

> - Joseph

More information about the openbmc mailing list