OpenBMC Learning Series - security
Joseph Reynolds
jrey at linux.ibm.com
Thu Oct 15 02:00:05 AEDT 2020
On 10/9/20 2:51 PM, Patrick Williams wrote:
> On Fri, Oct 09, 2020 at 12:33:17PM -0500, Joseph Reynolds wrote:
>> On 7/24/20 7:13 PM, Sai Dasari wrote:
...snip...
>>> Sai and the OpenBMC community,
>>>
>>> Here is my big-picture idea to organize OpenBMC's security effort. I
>>> hope this material will guide the project's overall security effort,
>>> including the learning series.
>>>
>>> I want to take this process one step at a time to help build consensus
>>> for my approach.
>>>
>>> My big idea is to apply the world's best publicly available security
>>> schemes to the OpenBMC project. Schemes like Microsoft Security
>>> Engineering, IBM Secure Engineering, and the Common Criteria evaluation
>>> have been developed over decades of experience and give us the most
>>> complete guidance for the OpenBMC project and its users. We should use
>>> them.
>>>
>>> Does this seem like the right approach? See discussion in footnote 1.
> Hi Joseph,
>
> What I can't tell is if you're describing the current state of affairs
> or where you'd like to go. My impression is that these education
> sessions should be more current state of affairs with only a taste of
> the future. The education sessions are for people who have little-to-no
> experience with OpenBMC already in order to make them more productive
> quickly.
My email recommends a way to organize the security work. Once we agree
[1], I think we should organize project documentation, presentations,
and working group activity in the same way. The presentation would give
a simplified overview of project security and link to the project's
security documentation. Does that make sense?
- Joseph
[1]: We are discussing this in today's security working group meeting:
https://github.com/openbmc/openbmc/wiki/Security-working-group