Security Working Group meeting - Wednesday August 17

Joseph Reynolds jrey at linux.ibm.com
Thu Aug 18 06:11:46 AEST 2022


On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:

I added topic 0: Move the meeting access from ebex to discord voice.
I combined topic 4 (how to submit proof-of-concept exploits) into topic 2.

Attendees: Joseph Reynolds, Yutaka Sugawara, Ruud Haring, James Mihm, 
Dhananjay, Krishnan Sugavanam, Sandhya Koteshwara, Dick from Phoenix, 
Chris Engel, Paul Crumley, Mark McCawley, Angelo Ruocco, Daniil, Robert 
Senger.


0 Move the next meeting access to Discord?  Discord > OpenBMC > Voice 
channels > Security ~ 
https://discord.com/channels/775381525260664832/1002376534377635860

Yes, agreed.

The next meeting planned for 2022-08-31 will be on discord.


1 Measured Boot.

DISCUSSION:

Single design or separate designs?  Let’s have separate designs:


1a. Enable measured boot: Kernel Device driver is available. Collect 
measurements into TPM.  See 
https://review.trustedfirmware.org/q/measured-boot


1b. Enable attestation: use the Keylime-Agent REST server on default BMC 
port 8890.

Design Question: Keylime vs Redfish vs other (VMWare is not OSS, Intel’s 
design is proprietary).

Design Question: what gets measured by the TPM?  Follow the TCG 
standard. 
https://trustedcomputinggroup.org/resource/tcg-server-management-domain-firmware-profile-specification/

Design question: when and how to init the TPM?  This is partly in scope 
to community project, but some parts will depend on hardware outside the 
scope of OpenBMC.

Root-of-trust Issue: Does BMC hardware (for example, the next ASPEED 
AST2x00 BMC hw) init the TPM and measure the Uboot image?  ⇒  Or does 
Uboot init the TPM?  Can we use a FIP image?

Pre-req design: the measured boot design requires the signatures 
provided by secure boot.
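As an added illustration of how items 1a and 1b fit together (this is example code written for these notes, not OpenBMC, Keylime or TCG code): a verifier replays the SHA-256 PCR extend chain from the boot event log a BMC presents and checks it against the PCR value the TPM quotes and against a golden value. The boot stage names and image bytes are constructed.

```python
import hashlib
from typing import List, Tuple

# Added example, not OpenBMC/Keylime/TCG code: replay a SHA-256 PCR extend chain
# from a boot event log and compare it with the PCR value a BMC reports in its
# attestation quote. Boot stage names and image bytes below are constructed.

PCR_INIT = bytes(32)  # a resettable PCR holds 32 zero bytes after TPM startup


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for the SHA-256 bank: new = SHA256(old || digest)."""
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 PCR value and digest must both be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events: List[Tuple[str, bytes]]) -> bytes:
    """Recompute one PCR from an ordered (stage name, measured image) event log."""
    pcr = PCR_INIT
    for _stage, image in events:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


def verify_quote(events: List[Tuple[str, bytes]], quoted_pcr: bytes) -> bool:
    """Verifier side: accept the presented log only if it replays to the quoted PCR."""
    return replay_event_log(events) == quoted_pcr


# Constructed boot chain, in the order early firmware would measure it.
GOOD_BOOT = [
    ("u-boot SPL", b"constructed spl image v1"),
    ("u-boot proper", b"constructed u-boot image v1"),
    ("fitImage (kernel, dtb, initramfs)", b"constructed fitimage v1"),
]
GOLDEN_PCR = replay_event_log(GOOD_BOOT)  # value the verifier's policy expects


def attest(presented_log: List[Tuple[str, bytes]], quoted_pcr: bytes) -> Tuple[bool, bool]:
    """Return (log explains the quote, quote matches golden policy)."""
    return verify_quote(presented_log, quoted_pcr), quoted_pcr == GOLDEN_PCR


if __name__ == "__main__":
    modified = [GOOD_BOOT[0], ("u-boot proper", b"MODIFIED u-boot"), GOOD_BOOT[2]]
    print("good boot, honest log:   ", attest(GOOD_BOOT, GOLDEN_PCR))               # (True, True)
    print("modified boot, honest log:", attest(modified, replay_event_log(modified)))  # (True, False)
    print("modified boot, stale log: ", attest(GOOD_BOOT, replay_event_log(modified)))  # (False, False)
```

The third case is why the log alone is never trusted: only the TPM-signed PCR value decides, and a log that does not replay to it is rejected even before policy is consulted.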


2 CVE Response.

DISCUSSION:

Add guidance to 
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md 
for submitting proof-of-concept exploits. How to ensure the exploit is not 
harmful to the recipient, and is not tagged by the email sanitizers?   
Encrypt? Or quoted with: > text  Or add to the security advisory?

We are still working on:

  * Github repo maintainers need to create security tabs so they can
    handle security advisories.

  * Proposal to restructure repos

  * Which CNA to use?  The Openbmc CNA vs the github CNA?


3 FIPS compliance.

DISCUSSION:

Note that OpenBMC is not the kind of thing which can be FIPS compliant.  
The way it works is this: a system “built on OpenBMC” seeks FIPS 
compliance.  As part of the compliance process, they need to ask 
questions about the portions of the system which OpenBMC provides, 
therefore the OpenBMC project needs to answer those questions.

FIPS reference: https://en.wikipedia.org/wiki/FIPS_140

The way I (Joseph) see it, the next steps are:


3a. What FIPS requirements apply to the BMC?  Note that some FIPS 
requirements will not apply to the BMC and will apply only to the 
overall system.  (OpenBMC does not need to address those requirements.)  
The work is to go through the FIPS standards, and list which 
requirements apply to the BMC, and if needed, how they apply.  For 
example, the BMC is part of the management component of the system, and 
the FIPS requirements apply to the management subsystem.


3b. Given the requirements from the previous work item, what can the 
OpenBMC community say about them?  For example, if OpenBMC documentation 
shows how a default build of OpenBMC would pick up some code or 
configuration to satisfy the requirement, that would go a long way to 
help the FIPS evaluator.  More specifically for example, the BMC does 
provide role-based authentication to help satisfy the FIPS requirements.


3c. Create a new openbmc document to capture the answers above.  This 
document's use case is as a starting point for the information someone 
needs when they are working to FIPS-certify their system and try to roll 
down the FIPS requirements to their BMC.  A secondary use of this 
document is to identify any gaps in BMC security function.


BONUS TOPIC:

4 SELinux design.  Request for re-review. 
https://gerrit.openbmc.org/c/openbmc/docs/+/53205

Advice on how to create interest in re-reviewing a design.  Use Discord: 
Ping specific reviewers and ask specific questions about design issues 
and whether each is solved; ask if the design can be approved.



Joseph

>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
>
> - Joseph
