Security Working Group meeting - Wednesday July 21 - results
jrey at linux.ibm.com
Thu Jul 22 05:49:11 AEST 2021
On 7/20/21 5:45 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday July 21 at 10:00am PDT.
> We'll discuss the following items on the agenda
> and anything else that comes up:
Attended: James Mihm, Surya (Intel), Dhananjay Phadke, Dick Wilkins, Jiang
Zhang, Joseph Reynolds, mbhavsar, guptar (Ratan Gupta)
Bonus item 0: What support does OpenBMC have for mTLS client
DISCUSSION: See the Redfish APIs referenced below. Redfish doesn’t
support mTLS, but BMCWeb does support mTLS. Is there a supported
interface for the BMC admin to upload an mTLS client cert to the BMC?
> 1. See Google’s “unified vulnerability schema for open source”
This was included for awareness only, not to propose using this schema.
This seems similar to the forms needed to create CVEs such as here:
OpenBMC’s current guidelines for collecting this kind of information are
Related discussion: Should OpenBMC consider becoming a CNA? See previous
effort here: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621
answers to DWF CNA Registration Form”)
> 2. Email: Update phosphor-defaults with stronger root password hash
> algorithm -
2 Email: Update phosphor-defaults with stronger root password hash
The group agreed to change the project’s default root password hash,
while leaving the cleartext password the same. TODO: Joseph will
propose the change via a gerrit review.
Topics added after the meeting started:
3 What is the status of the OpenBMC BMC secure boot function? Who is
working on it?
ASpeed AST2600 BMC secure boot using AST2600 hardware without TPM and
without any special hardware (other than pullup resistors). Interest in
See also Design
Two ways to validate uboot: via AST2600 hardware, via Cerberus
Once uboot is running, use uboot to validate the FIT image, kernel, etc.
4 What is happening with the Intel Hack-a-thon 2?
DISCUSSION: Creating CVEs.
5 What is happening with getting a private database to track
vulnerability submissions? This would be used by the OpenBMC security
record security vulnerabilities which were reported to OpenBMC and not
yet fixed or publicly disclosed. Only members of the OpenBMC security
response team would have access (read/write access).
Surya plans to set up bugzilla.
Contact Andrew Geissler in his role as OpenBMC community infrastructure
if you need a server.
6 What is happening with deploying AppArmor?
Nobody was tracking it closely enough to answer. Anton had been working
on it. See reviews under
> Access, agenda and notes are in the wiki:
> - Joseph