openbmc Digest, Vol 66, Issue 67

Li, Jie N. (NSB - CN/Shanghai) jie.n.li at nokia-sbell.com
Sun Feb 21 15:42:02 AEDT 2021





-----Original Message-----
From: openbmc <openbmc-bounces+jie.n.li=nokia-sbell.com at lists.ozlabs.org> On Behalf Of openbmc-request at lists.ozlabs.org
Sent: Saturday, February 20, 2021 9:18 AM
To: openbmc at lists.ozlabs.org
Subject: openbmc Digest, Vol 66, Issue 67



Today's Topics:

   1. RE:  overlayFS security concern (Kun Zhao)
   2. Re:  RE:  overlayFS security concern (chunhui.jia)


----------------------------------------------------------------------

Message: 1
Date: Sat, 20 Feb 2021 01:13:40 +0000
From: Kun Zhao <zkxz at hotmail.com>
To: chunhui.jia <chunhui.jia at linux.intel.com>,
	"openbmc at lists.ozlabs.org" <openbmc at lists.ozlabs.org>
Subject: RE:  overlayFS security concern
Message-ID:
	<BYAPR14MB2342F147732017184BC1C58ACF839 at BYAPR14MB2342.namprd14.prod.outlook.com>
	
Content-Type: text/plain; charset="gb2312"

Thank you, Chunhui. But you mean to disable scp, right? Firmware upload through scp function will be lost in this way. Maybe not a good choice for us.
BTW, is scp still a recommended way for OpenBMC firmware update?



Thanks.
Kun

From: chunhui.jia <chunhui.jia at linux.intel.com>
Sent: Friday, February 19, 2021 4:53 PM
To: Kun Zhao <zkxz at hotmail.com>; openbmc at lists.ozlabs.org
Subject: Re: overlayFS security concern

Maintaining 2 different build configurations would be a possible solution: a dev build and a release build.
1. Enable debugging tech in the dev build.
2. When using OpenBMC in a product, disable all potential ways that could harm security.


2021-02-20

chunhui.jia

From: Kun Zhao <zkxz at hotmail.com>
Sent: 2021-02-20 08:31
Subject: overlayFS security concern
To: "openbmc at lists.ozlabs.org" <openbmc at lists.ozlabs.org>

Hi Team,

Has the following case ever been discussed before? Anyone who knows the root password will be able to make the BMC run their own code by using scp to copy the code into the BMC at the same file path as any service in rootfs. It will make secure boot totally useless.

So besides,
1. disable scp (but scp is one of the firmware upload ways)
2. don't use overlayFS (but it's really useful for debugging during development, and for configuration management)

Any other solutions?



Thanks.
Kun



------------------------------

Message: 2
Date: Sat, 20 Feb 2021 09:17:16 +0800
From: "chunhui.jia" <chunhui.jia at linux.intel.com>
To: "Kun Zhao" <zkxz at hotmail.com>, "openbmc at lists.ozlabs.org"
	<openbmc at lists.ozlabs.org>
Subject: Re:  RE:  overlayFS security concern
Message-ID: 60306319.8090700 at linux.intel.com
Content-Type: text/plain; charset="utf-8"

You could use redfish firmware update instead.

2021-02-20 

chunhui.jia 




End of openbmc Digest, Vol 66, Issue 67
***************************************
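
An audit check for the concern raised in this thread, added here as an example and not code from OpenBMC or from the posters: it lists entries in an overlayfs upper (writable) layer that hide a file shipped in the read-only lower rootfs, and separates replaced executables from ordinary configuration changes. The function name and the directory arguments are assumptions; pass the upperdir and lowerdir your image actually mounts.

```shell
#!/bin/sh
# shadowed_files UPPER LOWER   (hypothetical helper, added example)
# Prints one line per upper-layer entry that hides a lower-layer file:
#   EXEC-REPLACED  content differs and either copy is executable
#   MODIFIED       content differs, not executable (config, unit files: still review)
#   SYMLINK        upper entry is a symlink that differs from the lower entry
#   WHITEOUT       character device in upper: overlayfs marker deleting the lower file
shadowed_files() {
    upper=$(cd "$1" && pwd) || return 1
    lower=$(cd "$2" && pwd) || return 1
    ( cd "$upper" && find . \( -type f -o -type l -o -type c \) -print | sort ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        u=$upper/$rel
        l=$lower/$rel
        # Entries with no counterpart in the lower layer shadow nothing.
        [ -e "$l" ] || [ -L "$l" ] || continue
        if [ -c "$u" ]; then
            echo "WHITEOUT /$rel"
        elif [ -L "$u" ]; then
            [ -L "$l" ] && [ "$(readlink "$u")" = "$(readlink "$l")" ] ||
                echo "SYMLINK /$rel"
        elif cmp -s "$u" "$l"; then
            :   # copied up (chmod, touch) but content unchanged
        elif [ -x "$u" ] || [ -x "$l" ]; then
            echo "EXEC-REPLACED /$rel"
        else
            echo "MODIFIED /$rel"
        fi
    done
}

# Stand-alone use: sh shadowed.sh <upperdir> <lowerdir>
if [ "$#" -eq 2 ]; then
    shadowed_files "$1" "$2"
fi
```

On a release build, any EXEC-REPLACED, SYMLINK or WHITEOUT line under a system binary or library path means the running code no longer matches the verified rootfs image.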

