Security Working Group meeting - Wednesday December 8 - results

Joseph Reynolds jrey at
Thu Dec 9 06:14:01 AEDT 2021

On 12/7/21 3:55 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday December 8 at 10:00am PDT.
> We'll discuss the following items on the agenda 
> <>, 
> and anything else that comes up:

Attendance: James, Joseph, Anton, Dhananjay, Ratan

1 OpenBMC CNA onboarding


James started the process to onboard the OpenBMC project as a CNA.  (See 
agenda item 2 from 2021-11-10.)   Onboarding process is next week for 
James, Joseph, and Dhananjay.

Onboarding time commitment: unknown  -  watch  videos

Here are the training links:

please view the six on-boarding videos, available on the CNA On-Boarding 
Channel on YouTube--> Click 

   1.  CVE Program Overview

   2.  Becoming a CNA

   3.  CNA Processes

   4.  Assigning CVE IDs

   5.  CVE Record (previously “CVE Entry”) Creation

   6.  CVE Record Submission Process to the MITRE Top-Level Root Only

      *   CVE Record (previously “CVE Entry”) GitHub Submissions

Softcopies of the presentations are available here  

2 Daemon privilege separation design doc for review 
<>change for 


This is a multi-stage project, and having a design will make it easier 
to move forward.

Next steps:


    approve design doc (need reviewers),


    then write acl rules


    Then change process to an unique user


    List all services which need to participate  - all D-bus service
    owners and clients


    Move to a role-based approach?

Idea: Complete the privilege separation work for a service to use as a 
model for other services.  When this is done, repo maintainers will have 
an easier time to understand what changes are needed.

We briefly talked through an example set of rules for bmcweb and  ipmid 
talking to phosphor-user-manager.

3 Move meeting earlier by 1 hour?  Let’s renegotiate the meeting time.

4 Progress on BMC secure boot?

AST2600 hardware secure U-boot  boot, then secure booting the Linux 
kernel. No additional pieces.

See the AST security guide.  How is signing-key management done?

Dhananjay to  follow up.


> Access, agenda and notes are in the wiki:
> <>
> - Joseph

More information about the openbmc mailing list