openbmc-specific dynamic security scanner
Alexander Tereschenko
aleksandr.v.tereschenko at linux.intel.com
Thu Mar 19 02:25:32 AEDT 2020
On 17-Mar-20 20:57, Joseph Reynolds wrote:
>> CHIPSEC is a firmware security-centric tool from Intel. It has existing
>> security checks that OpenBMC could use. Main downside -- IMO -- is that
>> it only works on Intel hardware, no support for
>> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
>>
>> https://github.com/chipsec/chipsec
>
> I've been advised before to use CHIPSEC, but my use case is OpenPOWER,
> and I want this work to be accessible to everyone.
> I would be okay if someone else were to incorporate the checks I want
> into CHIPSEC, but I don't think I could use the results.

But the BMC itself is ARM (I've just glanced at the IBM OpenBMC recipes,
looks like it's good ol' ASPEED), right? If so, looks like there's some
work being done in CHIPSEC for enabling that [1]. Also, AFAIU those
architecture-specific pieces are not necessarily required, they're just
there as helpers to read memory, ports, etc. If all you need is to run a
bunch of commands, I guess just writing a module in Python would do.

A simple script may be okay initially, but I guess over time it will
grow and people will want to have modularity, fancy logging, whatnot -
and there using an established framework like CHIPSEC could save time
and effort. And it being an open source project would only help
others reuse it, which is one of your goals here. I personally haven't
used CHIPSEC much so far, but I think the idea behind it was to make it a
generic framework for exactly this sort of check, so at first glance
it looks like a perfect location, albeit one that'd require some
initial assistance from the project maintainers to make sure you can run
it on ARM - but then again, you'll need to do some foundational
work in the "script" approach anyway.

regards,
Alexander

[1] https://github.com/chipsec/chipsec/issues/461