OpenBMC Learning Series - list of security topics

Joseph Reynolds jrey at linux.ibm.com
Sat Oct 17 05:06:32 AEDT 2020


On 10/15/20 5:39 PM, Lee Fisher wrote:
> Looks pretty good.
>
> One thing I'm concerned with: dev -vs- sysadmin focus.
>
> You need to cover dev focus for OpenBMC dev. But you also need to cover
> run-time use, by sysadmins/users, including security automation.
>
> Don't have a single set of OpenBMC security guidance for both audiences,
> they are very different.

Lee,  +cc:openbmc email list

Point taken.  I agree.  I'll have separate topics for the system 
integrator and the BMC admin.  Along with the existing set of topics for 
the development community (coding standards, static scans, etc.).

I started a BMC configuration guide here: 
https://github.com/openbmc/openbmc/wiki/Configuration-guide
and have just now separated the build -vs- admin sections.  I'll use it 
to guide the presentation.

Thank you!

- Joseph

> For example, see how the NIST Secure Boot docs are for implementors
> *AND* users, but most users will navigate through all the
> implementor-centric docs for run-time guidance. Similar problem with
> DMTF Redfish docs, blurring implementors and users.
>
> Sysadmins/users will need a checklist of guidance and some
> security/update automation tools. At least one tool for security checks,
> and one tool for firmware updates. Vendors will work hard to screw up
> the tools, when trying to make their platform vendor-centric, so be
> careful of that.
>
> Thanks.
>
> On 10/15/20 11:55 AM, Joseph Reynolds wrote:
>> On 10/9/20 12:33 PM, Joseph Reynolds wrote:
>>> On 7/24/20 7:13 PM, Sai Dasari wrote:
>>>> Team,
>>>>
>>>> Thanks to all volunteer speakers stepping up to share their
>>>> expertise with community. For speaker convenience, the sessions will
>>>> be held on two *TimeZones* (USA/PDT and INDIA/IST) on
>>>> *Thursdays at 10AM* starting from 8/20 onwards.
>>>>
>>>> I encourage you to take a look at the shared doc @
>>>> https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing
>>>> for more information regarding this series. If you would like to see
>>>> more topics (either as speakers or new community members), please
>>>> feel free to add them for extending the topics in future sessions.
>>>>
>>> ...snip...
>>>
>>>
>>> Sai and the OpenBMC community,
>>>
>>> Here is my big-picture idea to organize OpenBMC's security effort. I
>>> hope this material will guide the project's overall security effort,
>>> including the learning series.
>> ...snip...
>>> For the learning series presentation, I suggest picking up a dozen or
>>> so categories from below, including authentication and user
>>> management, testing and coding, documentation and threat models,
>>> incident response, etc.  Does that sound right?
>> Sai, thanks for helping to push this forward.
>>
>>
>> OpenBMC community,
>>
>> We agreed [1] to a list "security topics" drawn from Microsoft
>> Security Engineering, Common Criteria, and IBM Secure Engineering. The
>> idea is that a project that uses OpenBMC and follows a similar
>> security approach should be able to find what they need in the OpenBMC
>> security topics, but the topics themselves are not tightly coupled to
>> any specific approach.  Then each of the OpenBMC security topics will
>> give whatever the project offers.
>>
>> [1]: General agreement at the 2020-10-14 OpenBMC security working
>> group meeting.  Notes here:
>> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
>>
>>
>> To clarify, I intend for these topics to be the organizing principle
>> for the security working group and the learning series.  I am not
>> announcing any intention to meet any guidelines, follow any specific
>> practices, or perform any security assessments.  One step at a time.
>>
>> Here is my initial proposal for topics.  This most certainly reflects
>> my bias.  Feel free to suggest corrections, changes, and additions.
>> - Education and awareness
>> - Threat model
>> - Code scans
>> - Security tests (includes dynamic scans and penetration testing)
>> - Vulnerability management and incident response
>> - Development process (includes planning, designs, reviews, secure coding)
>> - Documentation (includes specs, architecture, designs, code, and
>> configuration) - see breakout below
>> - Incident response
>> - Guidance documentation (for downstream projects and for BMC admins)
>> - Supply chain (includes source code from Yocto and projects built
>> into the image)
>>
>> BMC security function documentation:
>> - Audit logs
>> - Communication paths
>> - Cryptographic support
>> - User data protection
>> - Authentication
>> - Security Management
>> - Privacy
>> - Protection of the BMC
>> - Resource Utilization
>> - BMC access, Trusted paths
>>
>> Excluded topics:
>> - Threat assessment - varies between use cases
>> - Supply chain (physical) - not applicable
>>
>> For the learning series presentation I propose one slide to motivate
>> why security focus is important, and another to explain how OpenBMC
>> security topics relate to high-level security schemes and to more
>> focused guidance from OWASP, OCP, and CSIS.  Then slides for each
>> security topic.  My feeling is that even professional developers need
>> help to understand how everything relates back to security. :-)
>>
>> Let me know if you expect the learning series presentation to have any
>> specific content.
>>
>> - Joseph
>>
>>> - Joseph
>>>
>>> ## Footnote 1 - How we can use the world's best security schemes
>>>
>>> I foresee several difficulties in trying to apply the schemes:
>>> 1. The project has not agreed to any particular security scheme and
>>> is unlikely to choose one, because...
>>> 2. Performing any security evaluation is expensive in terms of
>>> person-hours investment by subject matter experts and we have limited
>>> resources, and...
>>> 3. The big-picture security schemes apply to an entire IT project
>>> (like a server) while OpenBMC is only source code for one part of any
>>> such project, so we cannot apply the full methodology.
>>>
>>> Why a big-picture scheme?  Security schemes that have a smaller scope
>>> will not take the project security to the highest levels. The OpenBMC
>>> project itself should perform security work needed by various
>>> big-picture security schemes (such as listed above).  This includes
>>> not only features like transport security and authentication, but
>>> also documentation, evidence of design and code reviews, testing, and
>>> bug fixes, as required by big-picture secure engineering mandates.
>>> Yes, the project does all that already, but that work does not have a
>>> security context.  I would like to help define that context.
>>>
>>> Would it be helpful to show how more targeted guidelines from OWASP,
>>> OCP, and CSIS fit into the big-picture schemes?
>>> [OWASP]: https://www.owasp.org/
>>> [OCP]: https://www.opencompute.org/wiki/Security
>>> [CSIS]:
>>> https://github.com/opencomputeproject/Security/blob/master/SecureFirmwareDevelopmentBestPractices.md
>>>
>>> NOTE: This is a refresh of the effort started in the [security
>>> working group][] under the headings of "security assurance workflow"
>>> and "applicable standards".
>>> [security working group]:
>>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>>
>>> ## Footnote 2 - Elements of high-level security schemes
>>>
>>> Here are three high-level security schemes.  Is this the right set of
>>> schemes?
>>> I've started to break these down.
>>>
>>> ==> Microsoft Security Engineering
>>> https://www.microsoft.com/en-us/securityengineering
>>> Security Development Lifecycle (SDL)
>>> Operational Security Assurance (OSA)
>>> Open Source Security
>>> (Will someone help articulate which elements apply to OpenBMC?)
>>>
>>> ==> Common Criteria
>>> https://www.commoncriteriaportal.org/cc/
>>> Functional requirements:
>>> - Security Audit (audit logs)
>>> - Communication
>>> - Cryptographic Support
>>> - User data protection
>>> - Authentication
>>> - Security Management
>>> - Privacy
>>> - Protection of the BMC
>>> - Resource Utilization
>>> - BMC access, Trusted paths
>>> Assurance requirements:
>>> - Document BMC architecture and configuration
>>> - Development (architecture, functions spec, implementation)
>>> - Internal representation (source code)
>>> - Guidance documentation
>>> - Life-cycle support
>>> - Tests
>>> - Vulnerability Assessment.
>>> Note: I've annotated and substituted some terminology to make this
>>> more readable (for example, TOE means BMC).  Also, I've skipped over
>>> some topics and grossly oversimplified others.  My goal is to make
>>> this list understandable to the BMC community and to organize
>>> OpenBMC work so it can be understood by security folks who do not
>>> have a BMC background.
>>>
>>> ==> IBM Secure Engineering
>>> ibm.com/redbooks: Security in Development, The IBM Secure Engineering
>>> Framework
>>> Development process: protect source code, planning, testing
>>> Product lifecycle management: vulnerabilities, fixes
>>> Secure Engineering Framework:
>>> - Education and awareness
>>> - Project Planning
>>> - Risk assessment and threat modeling
>>> - Security requirements
>>> - Secure coding
>>> - Test and vulnerability assessment
>>> - Documentation
>>> - Incident response
>>> - Supply chain
>>>
>>> Includes https://www.ibm.com/trust/security-spbd
>>> - Assessment
>>> - Threat Model
>>> - Code Scan
>>> - Security Tests
>>> - Penetration Test
>>> - Vulnerability Management
>>>
