[SecurityWorkGroup] Security Working Group meeting - Wednesday June 9 - results
jrey at linux.ibm.com
Thu Jun 10 09:44:48 AEST 2021
On 6/9/21 9:14 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday June 9 at 10:00am PDT.
> We'll discuss the following items on the agenda
> and anything else that comes up:
> 1. (Joseph) Updated the wiki “Purpose” section.
> 2. (Joseph) Will resume recording meeting attendance
> 3. (Joseph) Cancel the July 7 meeting (US Holiday)? Interest in
> someone else running? And possibly scheduling for daytime in
> 4. (Discord discussion June 3) Interest in BMC command line via BMC
> web interface. See
> https://github.com/openbmc/obmc-console/issues/17. IBM’s interest
> here: https://github.com/ibm-openbmc/dev/issues/2243.
> 5. (gerrit review) BMCWeb change affects login/authentication function
> “Move Sessions to non Node structure”
This email has a new tag in the subject line to better identify its
content. I intend to use [SecurityWorkGroup] consistently on future
emails. Let me know how you like it.
Here are the results of today's discussion.
Prof. Dick Wilkins
Daniil Egranov Arm
1 Updated the wiki “Purpose” section. Specifically
2 Will resume recording meeting attendance
Discussion: good idea
3 Cancel the July 7 meeting? Interest in someone else running? And
possibly scheduling for daytime in Australia/China/India?
Discussion: The US-based attendees agreed to cancel.
I (Joseph reynolds) would be happy to have someone else run the
meeting. There was interest in having the meeting sometime when people
from Australia/China/India time zones could attend.
4 Interest in BMC command line via BMC web interface. See
<https://github.com/openbmc/obmc-console/issues/17>. IBM’s interest
5 (gerrit review) BMCWeb change affects login/authentication function
“Move Sessions to non Node structure”
No discussion. Joseph plans to review.
6 (Discord discussion) Do we need a more general way to support Redfish
PrivilegeRegistry SubordinateOverrides. Per discord discussion June 3,
Sunitha EthernetInterface SubordinateOverride questions
Described in Redfish spec DSP0266 "Security details > Authorization
> Redfish service operation-to-privilege mapping > Subordinate
Apply to URI=/redfish/v1/Managers/bmc/EthernetInterfaces/ in
This was really two discussions (6a) Sunitha’s issue with
EthernetInterface privileges required, and (6b) a more general way to
represent the Redfish operation-to-privilege mapping within BMCWeb.
Joseph will write email describing how BMCWeb’s privileges required for
URIs like /redfish/v1/Managers/bmc/EthernetInterfaces/ should be
changed (from ConfigureComponents to ConfigureManager) because of the
EthernetInterface SubordinateOverride. This change means BMC
role=Operator users would no longer be able to configure the network.
We discussed the fact that BMCWeb hard codes the privilege registry.(For
example, the code here:
hard-codes the privileges required to work with a
ManagerAccountCollection under URI
/redfish/v1/AccountService/Accounts/. For example, to POST (create) a
new account requires the ConfigureUsers privilege. This corresponds to
the entry in the Redfish PrivilegeRegistry in the OperationMap for the
We had previously agreed on an approach to remove this hard-coded code
and directly consume the PrivilegeRegistry provided by Redfish. See
minutes below for 2020-12-09 and related community emails. However,
that work has not yet been started.
Topics added after the meeting started
7 We need a bug tracker for the OpenBMC security response team, where
only that team (and possibly the problem subimitter) can see work on the
bug. This would be used by the security response team to keep track of
bugs until they are resolved. (See item 11 below for continued
discussion). Can we ask Kurt Taylor or the Linux Foundation or a member
company for help here?
8 Can we populate the link https://github.com/openbmc/openbmc/security
See previous efforts here: agenda item 2 from the 2020-10-14 entry below
James will follow up
9 Surya was introduced.
10 Can we use a tag like [SecurityWorkGroup] in relevant email headers?
DISCUSSION: Yes, let’s try it
11 The security response team has difficulty tracking reported security
vulnerabilities to closure and writing CVEs in a timely manner. Can
OpenBMC become a CVE numbering authority (CNA)? [CNAs can directly
write CVEs without having to ask Mitre.]
Having a confidential bug tracker would help.
Per Dick, the UEFI team uses bugzilla and has a restructured corner for
the security response team: anyone can write a bug, but only they and
the security response team members can see it. Also, the UEFI is a CNA
with folks from more than one company contributing.
OpenBMC (Joseph) attempted to become a CNA; see agenda item 3 on
2019-2-6 and https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621
<https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621>. At the
time, OpenBMC had few CVEs and little interest in them. Now we have
more interest and can try again.
> Access, agenda and notes are in the wiki:
> - Joseph
More information about the openbmc