Request new repo for IBM-specific code
Joseph Reynolds
jrey at linux.ibm.com
Tue Mar 9 04:30:13 AEDT 2021
On 3/8/21 10:03 AM, Ed Tanous wrote:
> On Thu, Mar 4, 2021 at 7:15 PM Joseph Reynolds <jrey at linux.ibm.com> wrote:
>> What is the right repository for a new Linux-PAM module to implement an
>> IBM-specific ACF authentication?
>>
>> The access control file (ACF) design was introduced to the OpenBMC
>> security working group and is described in [IBM issue 1737][] and
>> further explained in [IBM issue 2562][].
> Could you describe it in a design doc?
It would be an IBM-specific design, specific to IBM Enterprise systems.
We're still working out the design. I think I can share big parts of it
with OpenBMC.
> Implementing ACL seems like
> something that's going to affect a lot of the system (at a minimum
> every outward facing client). Unless you really think that you can do
> this with no changes to the client repos or phosphor-user-manager, it
> seems like it's worth discussion.
I anticipate the implementation would affect OpenBMC in three places:
1. New REST APIs to upload the ACF certificate, under URI /ibm/v1.
2. New Linux-PAM modules to validate the service login, along with
enhanced /etc/pam.d/ config files for IBM Enterprise systems.
3. New Redfish role Oem.IBM.ServiceAgent (see comment below).
> For what it's worth, I really don't
> want to branch the authorization code in bmcweb depending on what
> company compiled the code. They were hard enough to get right in the
> general case, and matter a lot for security. The likelihood we get
> them right for every flavor of auth that a company might want to do
> seems unlikely. If we as a project need an "ultra user" that seems
> like it shouldn't be specific to IBM, or should be a generic
> configuration that IBM systems apply on top, using common routines.
The BMCWeb pieces are:
1. A new Redfish role: Oem.IBM.ServiceAgent.
2. A new Redfish privilege: Oem.IBM.ProvideService. For example, allows
you to PATCH EEPROM data.
3. Implement the Redfish (new in Redfish 2020.4) RestrictedRoles and
Restricted privileges.
> I've already detailed a path toward this in a previous email on this
> topic.
Thanks, I believe we have agreed on a path forward.
>
>> Note the [pam-ipmi modules][] are scoped to the OpenBMC project because
>> the IPMI implementation is shared by all of OpenBMC. By comparison, the
>> proposed ibm-pam-acf module is intended only for IBM Enterprise
>> systems. The intended implementation is based on standard cryptography
>> techniques and could be developed into a general authentication
>> solution, but the ACF is specific to IBM in terms of its exact format
>> and content, and I expect it will only be used by IBM and its partners.
> Have you released the specifications for this file format with an
> appropriate license? That seems like a good first step to figuring
> out if these could find a home in OpenBMC. If you've already done
> that, could you link them?
>
>> Can we create a new OpenBMC repo for this? Perhaps ibm-pam-acf? Or
>> should this go into some other repo?
> Could you please post the code you're planning on putting there
> somewhere that we can see it in gerrit? I suspect that would help
> review whether or not a new repo is warranted, and probably give hints
> as to what design you're planning on implementing.
[Addressing both comment blocks above:] I am investigating open sourcing
the entire set of tools: ACF create/display/validate.
I plan to push the Linux-PAM module for early review as soon as
possible, and it will reveal the content of the ACF.
Thanks!
> - Joseph
>
> [IBM issue 1737]: https://github.com/ibm-openbmc/dev/issues/1737
> [IBM issue 2562]: https://github.com/ibm-openbmc/dev/issues/2562
> [pam-ipmi modules]: https://github.com/openbmc/pam-ipmi