overlayFS security concern

chunhui.jia chunhui.jia at linux.intel.com
Sat Feb 20 11:52:58 AEDT 2021


Maintaining 2 different build configurations would be possible solution:  dev build and release build. 
1. enable debugging tech in dev build. 
2. when using openbmc for product, disable all potential ways that could harm security.


2021-02-20 

chunhui.jia 



发件人:Kun Zhao <zkxz at hotmail.com>
发送时间:2021-02-20 08:31
主题:overlayFS security concern
收件人:"openbmc at lists.ozlabs.org"<openbmc at lists.ozlabs.org>
抄送:

Hi Team,
 
Have the following case ever been discussed before?,
Anyone knows the root password will be able to let bmc run their own code by scp the code into bmc with the same file path as any services in rootfs. It will make the secure boot totally useless.
 
So besides,
1. disable scp (but scp is one of the firmware upload way)
2. don’t use overlayFS (but it’s really useful for debugging during develop, and configuration management)
Any other solutions?
 
 
 
Thanks.
Kun
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20210220/7eca290b/attachment-0001.htm>


More information about the openbmc mailing list