Security Working Group Meeting - Wed 30 September - results

[Joseph Reynolds]

On 9/29/20 12:52 PM, Parth Shukla wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this...
> This Message Is From an External Sender
> This message came from outside your organization.
>
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday September 30 at 10:00am PDT.
>
> There are currently no items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>. 
> Assuming no items are added before the meeting then we have the option 
> of 1) cancelling or 2) joining to see if anyone wants to bring up any 
> topics for discussion. What are people's preferences?

Thanks Parth.  We added 4 agenda items and discussed them, as summarized 
below.

- Joseph


1 Call for “Additional Topics for Learning Series” includes a security 
topic: how project report/handle CVEs, designing for security, secure 
boot, privileges etc.  What topics should this cover?

ANSWER:

Joseph will email an outline for the talk.


2 Do we want to look at items from our “security assurance workflow” 
linked above?  For example, what items from the CSIS paper are high 
priority for OpenBMC?

DISCUSSION:

Which processes should the OpenBMC project prioritize? Example:

  *

    Follow the code review process to prevent malicious code being inserted.

  *

    Inadequate project docs.

  *

    Use interface docs to move toward threat modeling.

  *

    What will OpenBMC do if github fails and loses the source code?  How
    do we implement secure disaster recovery?  (Ideas discussed were to
    establish a secure server and then collaborate to merge our private
    copies into the “official” source.)

NEXT Step: Joseph to send email.


3 Getting mTLS-only option to be supported by Redfish standard: 
https://redfishforum.com/thread/375/mtls-enforcement-openbmcs-redfish-implementation

ANSWER:

There is interest in OpenBMC supporting mTLS-only use case.  This is a 
good example of disabling interfaces that are not needed (specifically, 
password authentication).

Please contribute to the Redfish thread.  Attend the private Redfish 
forum meeting to push this forward.


4 Short update on privilege separation progress

ANSWER:

Anton walked us through his progress, including:

  *

    D-bus broker has support for ACLs.

  *

    Enable systemd-nss - Use supplementary groups for dynamic users.

  *

    Working on net ipmid privileges, next is bmcweb.

Start a wiki to track daemons capabilities needed, sandboxing models, 
file access, etc.


>
> I'll assume option 2 as the default and dial in unless we get some 
> consensus on this thread to cancel the meeting instead.
>
> Access, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> Regards,
> Parth