Security Working Group meeting - Wednesday August 4 - ibm-acf repo

Joseph Reynolds jrey at linux.ibm.com
Tue Aug 10 00:09:04 AEST 2021 

On 8/3/21 10:22 PM, Patrick Williams wrote:
> On Tue, Aug 03, 2021 at 05:57:52PM -0500, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday August 4 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>> and anything else that comes up:
>>
>>   1. (Joseph): IBM ACF design (2FA authentication for the special IBM
>>      service account) is in review -
>>      https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201
>>      <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201>
> I still feel like the "Alternatives considered" are pretty weak in this
> document.  Rather than paint broad brushes ("Other were considered.  They were
> not suitable.") I think you should enumerate _which_ alternatives were
> considered and _why_ they don't fit the problem at hand.

You're right, I rushed that section.  I will fill in some details. Thanks!

> ```
> - Takes four parameters: machine serial number, expiration date, password, and
>    private key.
> - Algorithm:
>     - Hashes the password.
>     - Creates the ACF from the hashed password, serial number, and expiration date.
>     - Digitally signs the ACF using the private key.
>     - Returns the ACF to the caller.
> ```
>
> This sounds a lot like U2F.  The "4 parameters" are the challenge, IBM's key
> signing server is the U2F device, and PAM is the "Relying Party".  There are
> already PAM modules for some aspects of U2F and the token you need to exchange
> is reasonably short (my Yubikey output is 33 characters).
>
> https://developers.yubico.com/U2F/Protocol_details/Overview.html
>
> The nice aspect if you can reuse portions of the U2F protocol is that you go a
> long way towards enabling others to add more typical 2FA like Yubikeys.

We discussed this an email exchange ending 2021 March 9 "Request new 
repo for IBM-specific code - pam_2fa discussion".  Although I could use 
the U2F module, it is not a good fit because the ACF credential flow 
does not fit well under the U2F protocol.  I'll excerpt that 
conversation and add details to the design.

Joseph

More information about the openbmc mailing list