Security Working Group meeting - Wednesday December 8 - results

Joseph Reynolds jrey at linux.ibm.com
Thu Dec 9 06:14:01 AEDT 2021 

On 12/7/21 3:55 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday December 8 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:
>

Attendance: James, Joseph, Anton, Dhananjay, Ratan


1 OpenBMC CNA onboarding

DISCUSSION:

James started the process to onboard the OpenBMC project as a CNA.  (See 
agenda item 2 from 2021-11-10.)   Onboarding process is next week for 
James, Joseph, and Dhananjay.

Onboarding time commitment: unknown  -  watch  videos

Here are the training links:

please view the six on-boarding videos, available on the CNA On-Boarding 
Channel on YouTube--> Click 
here<https://www.youtube.com/playlist?list=PLWfD9RQVdJ6c4eMkdqbOKqF7zPCqXkgX3 
<https://www.youtube.com/playlist?list=PLWfD9RQVdJ6c4eMkdqbOKqF7zPCqXkgX3>>


   1.  CVE Program Overview

   2.  Becoming a CNA

   3.  CNA Processes

   4.  Assigning CVE IDs

   5.  CVE Record (previously “CVE Entry”) Creation

   6.  CVE Record Submission Process to the MITRE Top-Level Root Only

      *   CVE Record (previously “CVE Entry”) GitHub Submissions


Softcopies of the presentations are available here  
(https://www.cve.org/ResourcesSupport/Resources#CVENumberingAuthorities 
<https://www.cve.org/ResourcesSupport/Resources#CVENumberingAuthorities>)


2 Daemon privilege separation design doc for review 
<https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49100>(PoC 
<https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42748>change for 
ACLs)

DISCUSSION:

This is a multi-stage project, and having a design will make it easier 
to move forward.

Next steps:

  *

    approve design doc (need reviewers),

  *

    then write acl rules

  *

    Then change process to an unique user

  *

    List all services which need to participate  - all D-bus service
    owners and clients

  *

    Move to a role-based approach?

Idea: Complete the privilege separation work for a service to use as a 
model for other services.  When this is done, repo maintainers will have 
an easier time to understand what changes are needed.

We briefly talked through an example set of rules for bmcweb and  ipmid 
talking to phosphor-user-manager.


3 Move meeting earlier by 1 hour?  Let’s renegotiate the meeting time.


4 Progress on BMC secure boot?

AST2600 hardware secure U-boot  boot, then secure booting the Linux 
kernel. No additional pieces.

See the AST security guide.  How is signing-key management done?

Dhananjay to  follow up.



Joseph


>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph

More information about the openbmc mailing list