openbmc-specific dynamic security scanner
aleksandr.v.tereschenko at linux.intel.com
Thu Mar 19 02:25:32 AEDT 2020
On 17-Mar-20 20:57, Joseph Reynolds wrote:
>> CHIPSEC is a firmware security-centric tool from Intel. It has existing
>> security checks that OpenBMC could use. Main downside -- IMO -- is that
>> it only works on Intel hardware, no support for
>> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
> I've been advised before to use CHIPSEC, but my use case is OpenPOWER,
> and I want this work to be accessible to everyone.
> I would be okay if someone else to incorporate the checks I want check
> into CHIPSEC, but I don't think I could use the results.
But the BMC itself is ARM (I've just glanced at the IBM OpenBMC recipes,
looks like it's ol' good ASPEED), right? If so, looks like there's some
work being done in CHIPSEC for enabling that . Also, AFAIU those
architecture-specific pieces are not necessarily required, they're just
there as helpers to read memory, ports, etc. If all you need is to run a
bunch of commands, I guess just writing a module in Python would do.
A simple script may be okay initially, but I guess over time it will
grow and people will want to have modularity, fancy logging, whatnot -
and there using an established framework like CHIPSEC could be a save of
time and effort. And it being an open source project would only help
others reuse it, which is one of your goals here. I personally haven't
used CHIPSEC much so far, but I think the idea behind was to make it a
generic framework for namely this sort of checks, so at the first glance
it looks like a perfect location, if only the one that'd require some
initial assistance from the project maintainers to make sure you can run
it on ARM - but then again, you'll anyway need to do some foundational
work in the "script" approach anyway.
More information about the openbmc