overlayFS security concern

Kun Zhao zkxz at hotmail.com
Sat Feb 20 12:13:40 AEDT 2021 

Thank you, Chunhui. But you mean to disable scp, right? Firmware upload through scp function will be lost in this way. Maybe not a good choice for us.
BTW, is scp still a recommended way for OpenBMC firmware update?



Thanks.
Kun

From: chunhui.jia<mailto:chunhui.jia at linux.intel.com>
Sent: Friday, February 19, 2021 4:53 PM
To: Kun Zhao<mailto:zkxz at hotmail.com>; openbmc at lists.ozlabs.org<mailto:openbmc at lists.ozlabs.org>
Subject: Re: overlayFS security concern

Maintaining 2 different build configurations would be possible solution:  dev build and release build.
1. enable debugging tech in dev build.
2. when using openbmc for product, disable all potential ways that could harm security.


2021-02-20

chunhui.jia

发件人:Kun Zhao <zkxz at hotmail.com>
发送时间:2021-02-20 08:31
主题:overlayFS security concern
收件人:"openbmc at lists.ozlabs.org"<openbmc at lists.ozlabs.org>
抄送:

Hi Team,

Have the following case ever been discussed before?,
Anyone knows the root password will be able to let bmc run their own code by scp the code into bmc with the same file path as any services in rootfs. It will make the secure boot totally useless.

So besides,
1. disable scp (but scp is one of the firmware upload way)
2. don’t use overlayFS (but it’s really useful for debugging during develop, and configuration management)
Any other solutions?



Thanks.
Kun


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20210220/288d220f/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: A24FB62FC7144662BA1C9A0C79685324.png
Type: image/png
Size: 122 bytes
Desc: A24FB62FC7144662BA1C9A0C79685324.png
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20210220/288d220f/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 82282195F0154A20AF6CCE387F3ED633.png
Type: image/png
Size: 133 bytes
Desc: 82282195F0154A20AF6CCE387F3ED633.png
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20210220/288d220f/attachment-0001.png>

More information about the openbmc mailing list