[SecurityWorkGroup] Security Working Group meeting - Wednesday June 9 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Jun 10 09:44:48 AEST 2021
On 6/9/21 9:14 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday June 9 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
> 1. (Joseph) Updated the wiki “Purpose” section.
> 2. (Joseph) Will resume recording meeting attendance
> 3. (Joseph) Cancel the July 7 meeting (US Holiday)? Interest in
> someone else running? And possibly scheduling for daytime in
> Australia/China/India?
> 4. (Discord discussion June 3) Interest in BMC command line via BMC
> web interface. See
> https://github.com/openbmc/obmc-console/issues/17. IBM’s interest
> here: https://github.com/ibm-openbmc/dev/issues/2243.
> 5. (gerrit review) BMCWeb change affects login/authentication function
> “Move Sessions to non Node structure”
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/43759
This email has a new tag in the subject line to better identify its
content. I intend to use [SecurityWorkGroup] consistently on future
emails. Let me know how you like it.
Here are the results of today's discussion.
Attendance:
1. Prof. Dick Wilkins
2. Jiang Zhang
3. Surya
4. Bruce Mitchell
5. Daniil Egranov Arm
6. Joseph Reynolds
7. Dhananjay MSFT
8. James Mihm
1 Updated the wiki “Purpose” section. Specifically
https://github.com/openbmc/openbmc/wiki/Security-working-group#purpose
No discussion.
2 Will resume recording meeting attendance
Discussion: good idea
3 Cancel the July 7 meeting? Interest in someone else running? And
possibly scheduling for daytime in Australia/China/India?
Discussion: The US-based attendees agreed to cancel.
I (Joseph Reynolds) would be happy to have someone else run the
meeting. There was interest in having the meeting sometime when people
from Australia/China/India time zones could attend.
4 Interest in BMC command line via BMC web interface. See
https://github.com/openbmc/obmc-console/issues/17. IBM’s interest
here: https://github.com/ibm-openbmc/dev/issues/2243.
No discussion.
5 (gerrit review) BMCWeb change affects login/authentication function
“Move Sessions to non Node structure”
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/43759
No discussion. Joseph plans to review.
6 (Discord discussion) Do we need a more general way to support Redfish
PrivilegeRegistry SubordinateOverrides. Per discord discussion June 3,
June 9:
1. Sunitha EthernetInterface SubordinateOverride questions
2. Described in Redfish spec DSP0266 "Security details > Authorization
> Redfish service operation-to-privilege mapping > Subordinate override"
3. Apply to URI=/redfish/v1/Managers/bmc/EthernetInterfaces/ in
https://github.com/ibm-openbmc/bmcweb/blob/master/redfish-core/lib/network_protocol.hpp
and in
https://github.com/ibm-openbmc/bmcweb/blob/master/redfish-core/lib/ethernet.hpp
DISCUSSION:
This was really two discussions (6a) Sunitha’s issue with
EthernetInterface privileges required, and (6b) a more general way to
represent the Redfish operation-to-privilege mapping within BMCWeb.
6a:
Joseph will write email describing how BMCWeb’s privileges required for
URIs like /redfish/v1/Managers/bmc/EthernetInterfaces/ should be
changed (from ConfigureComponents to ConfigureManager) because of the
EthernetInterface SubordinateOverride. This change means BMC
role=Operator users would no longer be able to configure the network.
6b:
We discussed the fact that BMCWeb hard codes the privilege registry. (For
example, the code here:
https://github.com/ibm-openbmc/bmcweb/blob/900f949773795141266271107219ea019f2839cd/redfish-core/lib/account_service.hpp#L1333
hard-codes the privileges required to work with a
ManagerAccountCollection under URI
/redfish/v1/AccountService/Accounts/. For example, to POST (create) a
new account requires the ConfigureUsers privilege. This corresponds to
the entry in the Redfish PrivilegeRegistry in the OperationMap for the
ManagerAccountCollection.)
We had previously agreed on an approach to remove this hard-coded code
and directly consume the PrivilegeRegistry provided by Redfish. See
minutes below for 2020-12-09 and related community emails. However,
that work has not yet been started.
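To make the 6a/6b discussion concrete, here is an added example (my own code, not bmcweb's, and not the real DSP8011 registry) that resolves the Redfish operation-to-privilege mapping from a PrivilegeRegistry-style JSON document instead of hard-coding it. The registry excerpt is constructed in the layout of DSP8011 (Mappings, OperationMap, SubordinateOverrides); the privilege sets for the three roles are the Redfish predefined roles. One assumption is labelled in the code: a SubordinateOverride is taken to apply when its Targets list names the nearest non-collection ancestors of the resource, top-down, which is my reading of DSP0266 and should be confirmed against the spec. The demo shows exactly the effect discussed in 6a: an Operator can PATCH a bare EthernetInterface, but not one subordinate to a Manager, because the override raises the requirement from ConfigureComponents to ConfigureManager.

```python
"""Resolve Redfish operation-to-privilege requirements from a PrivilegeRegistry-style
document, including SubordinateOverrides. Added example; not bmcweb code."""
import json
from typing import FrozenSet, List, Sequence

# Constructed excerpt in the layout of the Redfish PrivilegeRegistry (DSP8011).
# It is NOT the real registry; only the shape and the two entities matter here.
SAMPLE_REGISTRY = json.loads("""
{
  "Mappings": [
    {
      "Entity": "ManagerAccountCollection",
      "OperationMap": {
        "GET":    [{"Privilege": ["ConfigureUsers"]}, {"Privilege": ["ConfigureManager"]}],
        "HEAD":   [{"Privilege": ["Login"]}],
        "POST":   [{"Privilege": ["ConfigureUsers"]}],
        "PATCH":  [{"Privilege": ["ConfigureUsers"]}],
        "DELETE": [{"Privilege": ["ConfigureUsers"]}]
      }
    },
    {
      "Entity": "EthernetInterface",
      "OperationMap": {
        "GET":    [{"Privilege": ["Login"]}],
        "HEAD":   [{"Privilege": ["Login"]}],
        "POST":   [{"Privilege": ["ConfigureComponents"]}],
        "PATCH":  [{"Privilege": ["ConfigureComponents"]}],
        "DELETE": [{"Privilege": ["ConfigureComponents"]}]
      },
      "SubordinateOverrides": [
        {
          "Targets": ["Manager"],
          "OperationMap": {
            "GET":    [{"Privilege": ["Login"]}],
            "HEAD":   [{"Privilege": ["Login"]}],
            "POST":   [{"Privilege": ["ConfigureManager"]}],
            "PATCH":  [{"Privilege": ["ConfigureManager"]}],
            "DELETE": [{"Privilege": ["ConfigureManager"]}]
          }
        }
      ]
    }
  ]
}
""")

# Redfish predefined roles (DSP0266) and the privileges each carries.
ROLE_PRIVILEGES = {
    "Administrator": frozenset({"Login", "ConfigureManager", "ConfigureUsers",
                                "ConfigureSelf", "ConfigureComponents"}),
    "Operator": frozenset({"Login", "ConfigureComponents", "ConfigureSelf"}),
    "ReadOnly": frozenset({"Login", "ConfigureSelf"}),
}


def _alternatives(entries) -> List[FrozenSet[str]]:
    """Outer array = OR (any one entry suffices); inner Privilege list = AND."""
    return [frozenset(e["Privilege"]) for e in entries]


def required_privileges(registry, entity: str, operation: str,
                        ancestors: Sequence[str] = ()) -> List[FrozenSet[str]]:
    """Privilege alternatives for `operation` on `entity`.

    `ancestors` is the chain of non-collection resource types above the
    resource, top-down (e.g. ("Manager",) for /redfish/v1/Managers/bmc/EthernetInterfaces/x).
    ASSUMPTION: an override applies when its Targets list equals the tail of
    that chain. Confirm this matching rule against DSP0266 before relying on it."""
    for mapping in registry["Mappings"]:
        if mapping["Entity"] != entity:
            continue
        op_map = mapping["OperationMap"]
        for override in mapping.get("SubordinateOverrides", []):
            targets = tuple(override["Targets"])
            if targets and tuple(ancestors[-len(targets):]) == targets:
                op_map = override["OperationMap"]  # override wins for this context
                break
        if operation not in op_map:
            raise KeyError(f"no mapping for {operation} on {entity}")
        return _alternatives(op_map[operation])
    raise KeyError(f"unknown entity {entity}")


def is_authorized(held: FrozenSet[str], alternatives: List[FrozenSet[str]]) -> bool:
    """True if the caller holds every privilege of at least one alternative."""
    return any(alt <= held for alt in alternatives)


def authorize(registry, role: str, entity: str, operation: str,
              ancestors: Sequence[str] = ()) -> bool:
    return is_authorized(ROLE_PRIVILEGES[role],
                         required_privileges(registry, entity, operation, ancestors))


if __name__ == "__main__":
    for ctx in ((), ("Manager",)):
        need = required_privileges(SAMPLE_REGISTRY, "EthernetInterface", "PATCH", ctx)
        ok = authorize(SAMPLE_REGISTRY, "Operator", "EthernetInterface", "PATCH", ctx)
        print(f"PATCH EthernetInterface under {ctx or 'root'}: needs {need}, Operator allowed={ok}")
```

The point for reviewers of bmcweb changes such as the one in 6a is that the required privilege is a function of the resource's position in the tree, not just its type, so a per-handler constant cannot express it; consuming the registry (or a generated table derived from it) lets a privilege change in the registry flow through without touching each handler.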
Topics added after the meeting started
7 We need a bug tracker for the OpenBMC security response team, where
only that team (and possibly the problem submitter) can see work on the
bug. This would be used by the security response team to keep track of
bugs until they are resolved. (See item 11 below for continued
discussion). Can we ask Kurt Taylor or the Linux Foundation or a member
company for help here?
8 Can we populate the link https://github.com/openbmc/openbmc/security
DISCUSSION: Yes
See previous efforts here: agenda item 2 from the 2020-10-14 entry below
James will follow up
9 Surya was introduced.
10 Can we use a tag like [SecurityWorkGroup] in relevant email headers?
DISCUSSION: Yes, let’s try it
11 The security response team has difficulty tracking reported security
vulnerabilities to closure and writing CVEs in a timely manner. Can
OpenBMC become a CVE numbering authority (CNA)? [CNAs can directly
write CVEs without having to ask Mitre.]
DISCUSSION:
Having a confidential bug tracker would help.
Per Dick, the UEFI team uses bugzilla and has a restructured corner for
the security response team: anyone can write a bug, but only they and
the security response team members can see it. Also, the UEFI is a CNA
with folks from more than one company contributing.
OpenBMC (Joseph) attempted to become a CNA; see agenda item 3 on
2019-2-6 and https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621. At the
time, OpenBMC had few CVEs and little interest in them. Now we have
more interest and can try again.
______
Joseph
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>