Security Working Group meeting - Wednesday July 21 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Jul 22 05:49:11 AEST 2021
On 7/20/21 5:45 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday July 21 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>
Attended: James Mihm, Sorya Intel, Dhananjay Phadke, Dick Wilkins, Jiang
Zhang, Joseph Reynolds, mbhavsar, guptar (Ratan Gupta)
Bonus item 0: What support does OpenBMC have for mTLS clients?
DISCUSSION: See the Redfish APIs referenced below. Redfish doesn’t
support mTLS, but BMCWeb does support mTLS. Is there a supported
interface for the BMC admin to upload an mTLS client cert to the BMC?
References:
* https://github.com/openbmc/openbmc/wiki/Configuration-guide#bmcweb (mTLS)
* https://github.com/openbmc/openbmc/wiki/Configuration-guide#site-identity-certificate
> 1. See Google’s “unified vulnerability schema for open source”
> https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html?m=1
DISCUSSION:
This was included for awareness only, not to propose using this schema.
This seems similar to the forms needed to create CVEs, such as here:
https://cveform.mitre.org/
OpenBMC’s current guidelines for collecting this kind of information are
here:
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md
Related discussion: Should OpenBMC consider becoming a CNA? See the previous
effort here: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621
(“Proposed answers to DWF CNA Registration Form”)
> 2. Email: Update phosphor-defaults with stronger root password hash
> algorithm -
> https://lore.kernel.org/openbmc/34f5b89a-3919-e214-a744-4277fba0bbbb@linux.ibm.com/T/#u
DISCUSSION:
The group agreed to change the project’s default root password hash,
while leaving the cleartext password the same. TODO: Joseph will
propose the change via a gerrit review.
Topics added after the meeting started:
3 What is the status of the OpenBMC BMC secure boot function? Who is
working on it?
DISCUSSION:
ASPEED AST2600 BMC secure boot using AST2600 hardware, without a TPM and
without any special hardware (other than pullup resistors). Interest in
avoiding Cerberus.
See also the design:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/26169
Two ways to validate U-Boot: via AST2600 hardware, or via Cerberus.
Once U-Boot is running, use U-Boot to validate the FIT image, kernel, etc.
4 What is happening with the Intel Hack-a-thon 2?
DISCUSSION: Creating CVEs.
5 What is happening with getting a private database to track
vulnerability submissions? This would be used by the OpenBMC security
response team
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
to record security vulnerabilities which were reported to OpenBMC and not
yet fixed or publicly disclosed. Only members of the OpenBMC security
response team would have access (read/write access).
DISCUSSION:
Surya plans to set up Bugzilla.
Contact Andrew Geissler, in his OpenBMC community infrastructure role,
if you need a server.
6 What is happening with deploying AppArmor?
DISCUSSION:
Nobody was tracking it closely enough to answer. Anton had been working
on it. See reviews under
https://gerrit.openbmc-project.xyz/q/owner:rnouse%2540google.com
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
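Added example for agenda item 2 (changing the default root password hash while keeping the cleartext the same). This is not OpenBMC or phosphor-defaults code; it is a stand-alone check that reads a shadow(5)-style entry and reports which crypt(3) algorithm and round count the stored hash uses, so a reviewer can confirm that an image's default root hash really moved from a weak scheme (md5crypt, DES) to sha512crypt or yescrypt. The sample shadow lines, salts and hash bodies are constructed for illustration (they are not the project's real hashes and do not correspond to any real password), and the strong/weak labels are this example's own assessment, not a project policy.

```python
"""Classify the hash algorithm of an /etc/shadow-style password field.

Added example, not OpenBMC or phosphor-defaults code. It inspects the
'$id$...' prefix of a crypt(3) hash so you can verify which algorithm a
default root password hash uses before and after a change. The sample
hashes below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# crypt(3) hash identifiers and this example's own strong/weak assessment.
_ALGORITHMS = {
    "1": ("md5crypt", False),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
}

# glibc default round count for sha256crypt/sha512crypt when none is given.
_DEFAULT_SHA_ROUNDS = 5000


@dataclass
class HashInfo:
    algorithm: str
    strong: bool
    rounds: Optional[int]
    locked: bool
    note: str = ""


def classify_hash(field: str) -> HashInfo:
    """Return algorithm, strength, round count and lock state for one field."""
    if field in ("", "*", "!", "!!"):
        # '*' and '!' disable password login; '' means no password at all.
        return HashInfo("none", False, None, field != "",
                        "empty password" if field == "" else "login disabled")
    if field.startswith("!"):
        # A leading '!' locks the account but keeps the original hash.
        inner = classify_hash(field[1:])
        return HashInfo(inner.algorithm, inner.strong, inner.rounds, True, "locked")
    if not field.startswith("$"):
        # No '$id$' prefix: legacy 13-character DES crypt.
        return HashInfo("descrypt", False, None, False, "legacy DES")
    parts = field.split("$")
    # parts[0] is the empty text before the first '$'; parts[1] is the id.
    if len(parts) < 3 or parts[1] not in _ALGORITHMS:
        return HashInfo("unknown", False, None, False, f"unrecognized id {parts[1]!r}")
    name, strong = _ALGORITHMS[parts[1]]
    rounds = None
    if name in ("sha256crypt", "sha512crypt"):
        m = re.fullmatch(r"rounds=(\d+)", parts[2])
        rounds = int(m.group(1)) if m else _DEFAULT_SHA_ROUNDS
    elif name == "bcrypt":
        rounds = 2 ** int(parts[2])  # bcrypt stores a log2 cost factor
    return HashInfo(name, strong, rounds, False)


def shadow_entry_for(user: str, shadow_text: str) -> Optional[str]:
    """Pull the password field for `user` out of shadow(5) text."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == user:
            return fields[1] if len(fields) > 1 else ""
    return None


# Constructed sample shadow contents (hash bodies are placeholders, not real
# hashes): a weak md5crypt root entry beside a sha512crypt entry with an
# explicit round count, the kind of entry a stronger default would use.
WEAK_SHADOW = "root:$1$c0nstruc$PlaceholderMd5CryptBody.:18000:0:99999:7:::\n"
STRONG_SHADOW = ("root:$6$rounds=100000$c0nstructedSalt$"
                 "PlaceholderSha512CryptBodyNotARealHash0000000000000000000000"
                 "0000000000000000000000000:18000:0:99999:7:::\n")

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SHADOW), ("strong", STRONG_SHADOW)):
        print(label, classify_hash(shadow_entry_for("root", text)))
```

Run it against the shadow file extracted from a built image (or against the default entry in phosphor-defaults) and reject the build if the root entry is not `strong`; the round-count output is the quick way to catch a sha512crypt hash that silently fell back to glibc's 5000-round default.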