Security Working Group meeting - Wednesday December 8 - results
jrey at linux.ibm.com
Thu Dec 9 06:14:01 AEDT 2021
On 12/7/21 3:55 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday December 8 at 10:00am PDT.
> We'll discuss the following items on the agenda
> and anything else that comes up:
Attendance: James, Joseph, Anton, Dhananjay, Ratan
1 OpenBMC CNA onboarding
James started the process to onboard the OpenBMC project as a CNA. (See
agenda item 2 from 2021-11-10.) Onboarding process is next week for
James, Joseph, and Dhananjay.
Onboarding time commitment: unknown - watch videos
Here are the training links:
please view the six on-boarding videos, available on the CNA On-Boarding
Channel on YouTube--> Click
1. CVE Program Overview
2. Becoming a CNA
3. CNA Processes
4. Assigning CVE IDs
5. CVE Record (previously “CVE Entry”) Creation
6. CVE Record Submission Process to the MITRE Top-Level Root Only
* CVE Record (previously “CVE Entry”) GitHub Submissions
Softcopies of the presentations are available here
2 Daemon privilege separation design doc for review
This is a multi-stage project, and having a design will make it easier
to move forward.
approve design doc (need reviewers),
then write acl rules
Then change process to an unique user
List all services which need to participate - all D-bus service
owners and clients
Move to a role-based approach?
Idea: Complete the privilege separation work for a service to use as a
model for other services. When this is done, repo maintainers will have
an easier time to understand what changes are needed.
We briefly talked through an example set of rules for bmcweb and ipmid
talking to phosphor-user-manager.
3 Move meeting earlier by 1 hour? Let’s renegotiate the meeting time.
4 Progress on BMC secure boot?
AST2600 hardware secure U-boot boot, then secure booting the Linux
kernel. No additional pieces.
See the AST security guide. How is signing-key management done?
Dhananjay to follow up.
> Access, agenda and notes are in the wiki:
> - Joseph
More information about the openbmc