Security Working Group meeting - Wednesday June 23 - results

Joseph Reynolds jrey at linux.ibm.com
Thu Jun 24 13:12:10 AEST 2021


On 6/23/21 8:45 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday June 23 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>

Attended:

Joseph Reynolds, Andrei Yadro, James Mihm, Bruce Mitchell, Chris Engel, 
Daniil Engranov, Dhananjay Phadke, Jiang Zhang.



We switched the order of topics from the original agenda.

Note the July 7 meeting is tentatively cancelled unless someone hosts 
and runs it.

BONUS ITEM:

1 How can the security response team track items reported to openbmc?

DISCUSSION:

Urgency?  The security response team is not losing track of issues, but 
is having difficulty keeping focus on issues.  Will create a spreadsheet 
of currently open issues and email it to the private email list.

We want a database to track issues (see ideas below).

The database needs to be secure.  Meaning (a) a secure database which 
has an active security community, (b) hosted on a secure system, (c) 
handled by a trusted admin.

Options for secure database:

 1. Redmine

 2. Github based?  Does github have a solution?  TODO: Joseph to look at
    a private issues database.

 3. Bugzilla?  Note UEFI uses bugzilla with a “security attribute”.


Idea: Set up a secure bug database on a server donated to OpenBMC.  
TODO: Joseph talk to AndrewG

TODO: Joseph to ask for help from the Linux Foundation.


> 1. Gerrit review BMCWeb “Automate PrivilegeRegistry to code” 
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/43939.
>
Gerrit review BMCWeb “Automate PrivilegeRegistry to code” 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/43939.

DISCUSSION:

Item 1:

Yes, the consensus is: please separate the tools to (A) download the new 
privilegeRegistry JSON file, and (B) transform a Redfish 
PrivilegeRegistry into the privilege_registry.hpp header file.  The tool 
(B) to transform a Redfish PrivilegeRegistry into the 
privilege_registry.hpp header file should run when the image is being 
built, that is, during bmcweb build-time.


Item 2: Joseph brought up the Redfish spec DSP0266 and described how the 
Redfish operation to privilege mapping worked, and described privilege 
overrides.  The consensus was: the way BMCWeb currently handles property 
overrides and subordinate overrides seems okay.  And: having separate 
follow-on commits to change which privileges are required seems like the 
right approach.


- Joseph

>
> The July 6 meeting is tentatively cancelled, unless someone wants to 
> run it.
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph
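The build-time transform step agreed under Item 1 (tool B: Redfish PrivilegeRegistry JSON in, privilege_registry.hpp out), shown as an added example. This is not bmcweb's own generator script and is not from the Gerrit change above; the registry fragment is constructed in the shape of the DMTF PrivilegeRegistry schema (Mappings, OperationMap, a list of {"Privilege": [...]} alternatives per method) rather than copied from the published file, and the emitted header layout (privilegeSet* arrays, get*/patch* aliases, a Privileges type supplied by the including project) is an assumption for illustration. Each alternative in an OperationMap entry is an OR; the privileges inside one alternative are an AND, which is how the generator names and deduplicates the sets.

```python
"""Generate a C++ privilege header from a Redfish PrivilegeRegistry JSON document.

Added example (not bmcweb's generator). Input shape follows the DMTF
PrivilegeRegistry schema; the constructed fragment below is not the real file.
Header layout (privilegeSet* arrays, <method><Entity> aliases) is an assumption.
"""
import json
from collections import OrderedDict

# Constructed sample registry fragment (not the published DMTF registry).
SAMPLE_REGISTRY = """
{
  "Id": "Constructed_Example_PrivilegeRegistry",
  "PrivilegesUsed": ["Login", "ConfigureManager", "ConfigureUsers", "ConfigureSelf"],
  "Mappings": [
    {"Entity": "AccountService",
     "OperationMap": {"GET":   [{"Privilege": ["Login"]}],
                      "PATCH": [{"Privilege": ["ConfigureUsers"]}]}},
    {"Entity": "ManagerAccount",
     "OperationMap": {"GET":    [{"Privilege": ["ConfigureUsers"]}, {"Privilege": ["ConfigureSelf"]}],
                      "PATCH":  [{"Privilege": ["ConfigureUsers"]}, {"Privilege": ["ConfigureSelf"]}],
                      "DELETE": [{"Privilege": ["ConfigureUsers"]}]}},
    {"Entity": "Manager",
     "OperationMap": {"GET":   [{"Privilege": ["Login"]}],
                      "PATCH": [{"Privilege": ["ConfigureManager"]}],
                      "POST":  [{"Privilege": ["ConfigureManager"]}]}}
  ]
}
"""


def load_sample():
    """Parse the constructed registry fragment."""
    return json.loads(SAMPLE_REGISTRY)


def operation_privileges(registry, entity, method):
    """Privilege alternatives for one entity/method as sorted tuples.
    Holding every privilege in any one tuple authorises the operation."""
    for mapping in registry["Mappings"]:
        if mapping["Entity"] == entity:
            alts = mapping["OperationMap"].get(method, [])
            return [tuple(sorted(a["Privilege"])) for a in alts]
    raise KeyError(f"no mapping for entity {entity}")


def set_name(alternatives):
    """Derive a set name from its alternatives, e.g. privilegeSetConfigureUsersOrConfigureSelf."""
    return "privilegeSet" + "Or".join("And".join(alt) for alt in alternatives)


def generate_header(registry):
    """Emit a header with one array per distinct privilege set and per-entity aliases.
    Rejects empty operation maps and privileges not declared in PrivilegesUsed, so a
    malformed registry fails the build instead of silently opening an endpoint."""
    declared = set(registry["PrivilegesUsed"])
    sets = OrderedDict()   # set name -> alternatives, deduplicated across entities
    aliases = []           # (alias, set name) in registry order
    for mapping in registry["Mappings"]:
        entity = mapping["Entity"]
        for method, alts in mapping["OperationMap"].items():
            alternatives = [tuple(sorted(a["Privilege"])) for a in alts]
            if not alternatives:
                raise ValueError(f"{entity}.{method} has no privilege alternatives")
            for alt in alternatives:
                for priv in alt:
                    if priv not in declared:
                        raise ValueError(f"{entity}.{method} uses undeclared privilege {priv}")
            name = set_name(alternatives)
            sets.setdefault(name, alternatives)
            aliases.append((method.lower() + entity, name))

    lines = ["#pragma once",
             f"// Generated from {registry['Id']} at build time - do not edit by hand",
             "// Privileges is assumed to be declared by the including project",
             "#include <array>", "", "namespace redfish::privileges", "{"]
    for name, alternatives in sets.items():
        inner = ", ".join("{" + ", ".join(f'"{p}"' for p in alt) + "}" for alt in alternatives)
        lines.append(f"const std::array<Privileges, {len(alternatives)}> {name} = {{{{{inner}}}}};")
    lines.append("")
    for alias, name in aliases:
        lines.append(f"const auto& {alias} = {name};")
    lines += ["} // namespace redfish::privileges", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(generate_header(load_sample()))
```

Run as a build step, the script would read the JSON downloaded by tool A and write the header into the build tree; keeping the download separate means the build never reaches out to the network and the exact registry revision is pinned in the source.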


