openbmc-specific dynamic security scanner
Joseph Reynolds
jrey at linux.ibm.com
Wed Mar 18 06:57:06 AEDT 2020
On 3/17/20 1:20 PM, Lee Fisher wrote:
> On 3/17/20 8:01 AM, Joseph Reynolds wrote:
>> [...] And I am looking for your feedback.
> Perhaps, instead of creating a new OpenBMC-centric security tool, add
> OpenBMC-centric tests to an existing firmware security testing tool.
> IMO, there are basically two existing firmware security tools, FWTS and
> CHIPSEC.
>
> FirmWare Test Suite (FWTS) is from Canonical to run diagnostics (not
> necessarily security-centric) to see if a system (HW/FW) is capable of
> running an OS. Runs on multiple ISAs. Has security tests, but not
> security-centric. Probably has the best set of ACPI tests available,
> recommended by UEFI Forum for PC vendors doing ACPI testing. GPL C codebase.
>
> https://launchpad.net/fwts
Lee,
Thanks for responding.
The tests I am proposing are specifically for OpenBMC firmware features,
not for its hardware or platform features. So I don't think the fwts suite is
appropriate.
>
> CHIPSEC is a firmware security-centric tool from Intel. It has existing
> security checks that OpenBMC could use. Main downside -- IMO -- is that
> it only works on Intel hardware, no support for
> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
>
> https://github.com/chipsec/chipsec
I've been advised before to use CHIPSEC, but my use case is OpenPOWER,
and I want this work to be accessible to everyone.
I would be okay if someone else were to incorporate the checks I want
into CHIPSEC, but I don't think I could use the results.
- Joseph
>
> HTH,
> Lee
> blog: https://firmwaresecurity.com/
>