Security Working Group meeting - Wednesday February 2

Joseph Reynolds jrey at linux.ibm.com
Thu Feb 3 08:21:21 AEDT 2022



On 2/1/22 9:24 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday February 2 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:

Attended: Joseph, Jiang, Dick, Michael Richardson, Daniil, Surya, James, 
Dhananjay

Note that we started on topic 1 (RoT), and then covered topic 3 (CNA) 
before returning to topic 1.  Topic 2 (NoAccess users) was not covered.


>
> 1. followup from previous meeting: OpenBMC’s AST2600 RoT work
> 2. discuss the concept and need for NoAccess users and how they would be 
> different from disabled BMC user accounts

1 followup from previous meeting: OpenBMC’s AST2600 RoT work is here 
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/49789 with the 
underlying OE/bitbake recipe here: 
https://github.com/openbmc/openbmc/blob/master/meta-aspeed/classes/socsec-sign.bbclass.  
Note OTP refers to one-time programmable memory used to set the signing 
key, etc.  Also I (Joseph Reynolds) believe the AST2600 specs are not 
public domain.

… and general OpenBMC Root of Trust (RoT) discussion


DISCUSSION:

Secure boot trust chain: the BMC hardware performs secure boot of the 
bootloader (e.g., U-Boot), then U-Boot verifies 
{kernel, devicetree, rootfs}, etc., up to starting the application.


Secure boot has three layers: 1 hardware validates U-Boot, 2 U-Boot 
validates the read-only filesystem, 3 the operating system validates applications.

To validate before starting applications: dm-verity, IMA


The OpenBMC project is working to support the first layer, specifically 
AST2600 secure booting U-Boot.  The intention is then to support U-Boot 
securely booting the next layer (kernel, etc.).  Also there is interest 
in using dm-verity and IMA, but no agreements.


Who programs the BMC’s OTP memory?  Different use cases: one of: BMC 
vendor, board manufacturer, or customer/installation.


How to validate the BMC hardware?  Different use cases: RoT is the BMC 
-vs- an external component.


Does BMC download applications as part of its intended operation?  
Different use cases.

In the base use case, the BMC read only file system has all 
applications.  Only developers (and advanced diagnostics) download code, 
presumably to test fixes or collect more diagnostic data.

Use cases include both validating the filesystem which has the code, and 
validating the app itself as it is loaded (exec’d) into a Linux process.


Does OpenBMC support firmware encryption (symmetric/asymmetric)?  The 
AST2600 supports AES encrypted bootloaders, but this is not currently 
supported in OpenBMC.

Note that the latest U-Boot version supports encrypted firmware (for 
example, it decrypts the kernel).



2 Do we need to discuss the concept and need for NoAccess users and how 
they would be different from disabled BMC user accounts?  See discussion 
in https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49295

DISCUSSION - was not discussed because we were out of time.



3 CNA Organization Admin account and authorized users

DISCUSSION:

James is working with MITRE to get a “CNA organizational admin” account 
so OpenBMC can write CVEs in its role as a CNA.

Working the OpenBMC vulnerability backlog… intends to write CVEs.

We briefly discussed our direction to use the GitHub security workflow to 
publish OpenBMC security bulletins on GitHub.



Joseph

>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph


