Security Working Group - threat model progress
Joseph Reynolds
jrey at linux.ibm.com
Thu Feb 18 10:55:16 AEDT 2021
On 2/17/21 5:19 PM, Joseph Reynolds wrote:
> On 2/16/21 5:53 PM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday February 17 at 10:00am PDT.
[...snip...]
> 4. Interested in improving the documentation for the OpenBMC interface
> overview [...snip...]

I tried to capture the BMC threat model discussion from today's security
working group meeting. This gives the basic BMC architecture elements
from the [interface-overview][], supplemented by [OpenBMC features][],
and added some ideas from [network security considerations][]. I tried
to organize them at the level of abstraction needed for threat modeling:
physical elements first, a physical threat model boundary, and started
on the conceptual elements needed to describe the BMC's interfaces and
functions. Please consider this to be a simple incomplete draft
proposal. Help wanted.

The overall OpenBMC threat modeling effort is rooted in the [OpenBMC
security working group wiki][].

[OpenBMC security working group wiki]: https://github.com/openbmc/openbmc/wiki/Security-working-group
[interface-overview]: https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md
[OpenBMC features]: https://github.com/openbmc/docs/blob/master/features.md
[network security considerations]: https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md

OpenBMC threat model components:

- Physical elements:
    - BMC SoC on BMC card plugged into host system
    - Optional cabinet encloses system and prevents physical access to most controls
    - BMC's network connection
    - Optional BMC elements:
        - TPM
        - TOD clock with battery
        - security jumpers
        - serial port
        - USB port
    - Host elements:
        - Power on/off control (to the BMC, and to the chassis)
        - Control panel (power button, varies: LED or LCD displays, etc.)
        - CPU
        - Cooling fans and associated sensors: rotation speed and temperature
        - Serial UART for host console
        - Keyboard, video, mouse
        - Optional PCIe devices reachable by the BMC
- Candidates for the threat model boundary:
    - The physical pins on the BMC card
    - The BMC card plus elements under BMC's exclusive control:
        - power button and related displays
        - BMC's network interface, NC-SI or whatever
    - Items that transition between BMC and host control: fans, console?
    - Mention the enclosing cabinet (if present).
- Host elements the BMC interacts with:
    - Host firmware upload
    - Host booting status
    - Host error logging
    - Host requests to power off
    - FRUs
- BMC functions: TODO