Security Working Group meeting - Wednesday April 13 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Apr 14 07:29:59 AEST 2022
On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday April 13 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix),
Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan
Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara,
Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined
as the meeting was ending).
> 1. Renewed interest in securing D-Bus interfaces and using SELinux.
Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research
presented a proposal.
A recording was made of the presentation and discussion. TODO: Post the
recording.
DISCUSSION:
The proposal PDF will be shared with the OpenBMC community. Here is my
summary of the main points: SELinux is preferred by IBM and some large
customers to solve several related access control problems: limiting
access of root processes, application trust, systemd, and D-Bus. See
previous discussion 2020-05-13 below: SELinux email use cases and email
https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html
<https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html>
Next steps: Follow
https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
<https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes>with
email discussion, Discord (per
https://github.com/openbmc/openbmc#contact
<https://github.com/openbmc/openbmc#contact>) and creating a design for
phase 1 (below).
TODO: Joseph to send email to begin the discussion about SELinux use
cases which might be shared by multiple OpenBMC users.
IBM plans to work in the OpenBMC community project: stage 1 is an opt-in
SELinux in permissive mode to collect data about which policies are
needed. Later stages are to create SELinux policies for access control,
and then to change configure SELinux to enforce them.
Does OpenBMC have existing SELinux policies? None are known, but see
the Yocto/OE meta-selinux layer and associated docs.
We discussed some difficulties in using SELinux: Configuring the
meta-selinux layer, configuring the Linux Kernel, and additional space
requirements (about 20MB)
We discussed SELinux vs AppArmor. IBM has chosen SELinux because it is
well known to IBM and customers, and has an active community. Note the
planned SELinux support is opt-in, so another contributor can add
AppArmor as needed.
The intended reference platform is an x86 system running with the
AST2600 and 256Mb (or more) flash storage..
We discussed SELinux & D-Bus tie-ins. (OpenBMC D-Bus runs in system
mode.) Note that D-Bus has built-in support for SELinux.
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph
>
More information about the openbmc
mailing list