Security Working Group meeting - Wednesday February 17 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Feb 18 10:19:18 AEDT 2021
On 2/16/21 5:53 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday February 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>
> 1. Gerrit review FYI: log failed authentication attempts
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39872
No discussion.
>
> 2. Gerrit review FYI: tie-in between Redfish sessions and IPMI
> sessions. Redfish will GET & DELETE IPMI sessions
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/37785
Why is this function needed?
>
> 3. (Joseph) Discuss adding Web-based SSH to BMCWeb ~
> https://github.com/ibm-openbmc/dev/issues/2243
Sounds good. But don’t call this SSH because it is not. Do the webui
part the same as the host console. Do the BMCWeb portion using a new
D-Bus service (do not fork in bmcweb).
Bonus topics:
4. Interested in improving the documentation for the OpenBMC interface
overview > Physical interfaces
<https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md#physical-interfaces>?
(See related review
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/40424.)
ANSWER: Yes, this is worthwhile. Add to the agenda for next time.
Is the ASCII art helpful or distracting?
We discussed some ideas: Diagram for BMC cards and PCIe cards.
Alternate Placement of TPMs, TOD battery.
5. Openssl released version 1.1.1j.
This led to a discussion of how much the OpenBMC project should be
tracking and announcing CVEs -- Security Incident Response Team (SIRT)
work. Currently various members are tracking this privately. Is it
even worthwhile, for example, for the OpenBMC project to announce that
CVE-whatever affects OpenBMC and the fix is going to the latest kernel
version going into OpenBMC commit whatever? (No clear consensus was
reached.)
Inhibitors to open source SIRT work include: (A) some members are
already doing this privately, and are not able to share due to
confidentiality and repeating in open source is just extra work, (B) we
are not all on the same release - that is: OpenBMC has not identified
any Long Term Support (LTS) releases.
At present, there is no OpenBMC effort to show which CVEs are fixed.
This is left as an exercise to interested downstream projects.
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group