Security Working Group Meeting - Wed 16 September - meeting highlights

Joseph Reynolds jrey at linux.ibm.com
Sat Sep 19 01:15:52 AEST 2020


On 9/15/20 2:08 PM, Parth Shukla wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday September 16 at 10:00am PDT.
>
Thanks for the reminder.  Here are highlights from the meeting.  See the 
minutes (linked below) for details.

> We'll discuss the following items on the agenda, and anything else 
> that comes up:
>
>  1. (Parth) Common Remote API for TLS certificate management?
>      1. Certificate management = installation, rotation, revocation
>

Meeting held 2020-09-16:

1. Common Remote API for TLS certificate management?
     1. Certificate management = installation, rotation, revocation

ANSWER: OpenBMC desires to manage certs via Redfish APIs.

Please create a design; start with email discussion.

Some difficulties were foreseen with cert rotation; need to work out issues.


>  1. FYI: BMCWeb Code review: Admin-configurable session timeouts
>     https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/36016
>
No discussion.
>
>  1. FYI: BMCWeb code review: moving to Meson build system (from
>     cmake): A security concern is ensuring project defaults are
>     preserved so that builders get the same options when they use the
>     new build system.
>     https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32816
>

No discussion.

>  1. BMCWeb code review: WIP toward HTTP-HTTPS redirect:
>     https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/36245
>

No discussion.


>  1. (Joseph): Interest in implementing Redfish ManagerNetworkProtocol
>     properties: HTTPS, IPMI, SSH, VirtualMedia, KVMIP, HTTP
>     (redirect), Oem.OpenBMC.TFTP, and Oem.OpenBMC.mDNS?  This allows
>     the BMC admin to enable and disable these services. Previous
>     discussion on 2019-11-13.
>
Joseph intends to add pieces we need to the existing implementation.

>  1. (Joseph): Interest in implementing Redfish
>     ManagerAccount.AccountTypes.  This allows the BMC admin to control
>     which users are allowed to access specific BMC interfaces (like
>     SSH or IPMI).  See
>     https://redfishforum.com/thread/219/account-groups-property
>

We are working out the issues; see links above.  Joseph wants to implement.


>  1. (email): Protect BMCWeb against password guessing attacks.  See
>     https://lists.ozlabs.org/pipermail/openbmc/2020-September/023054.html
>
There were several discussions about which defense is appropriate, how 
rate limiting interacts with account lockouts, and how to apply this to 
all interfaces not just Redfish.

Do we have different use cases within OpenBMC?  Different use cases:

  * Protected datacenter.
  * Connected to less-well protected network or to internet.


>  1. Gerrit code review for “EventService: https client support”
>     https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/31735/
>
No discussion.

>  1.  (Anton) PoC work for daemons’ privilege separation
>     <https://github.com/openbmc/openbmc/issues/3383>
>     Use systemd features for privilege drop & sandboxing.
>
Anton debriefed efforts to make this work using systemd users created 
on-demand and process groups.

Next steps: List the daemon processes and characterize the capabilities each 
of them needs.  Joseph is interested in helping and adding this to the 
nascent OpenBMC threat model.

BONUS TOPIC:

10 Heads up on alternatives to the filesystem overlay 
<https://lists.ozlabs.org/pipermail/openbmc/2019-August/017611.html>.

There is renewed desire to move away from the overlayfs and use a better 
feature to handle mutable files.

- Joseph

>
> Access, agenda, and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> Regards,
> Parth


