Security Working Group meeting - Wednesday February 2
Joseph Reynolds
jrey at linux.ibm.com
Thu Feb 3 08:21:21 AEDT 2022
On 2/1/22 9:24 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday February 2 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
Attended: Joseph, Jiang, Dick, Michael Richardson, Daniil, Surya, James,
Dhananjay
Note that we started on topic 1 (RoT), and then covered topic 3 (CNA)
before returning to topic 1. Topic 2 (NoAccess users) was not covered.
>
> 1. followup from previous meeting: OpenBMC’s AST2600 RoT work 2.
> discuss the concept and need for NoAccess users and how they would be
> different from disabled BMC user accounts
1 followup from previous meeting: OpenBMC’s AST2600 RoT work is here
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/49789
<https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/49789>with the
underlying OE/bitbake recipe here:
https://github.com/openbmc/openbmc/blob/master/meta-aspeed/classes/socsec-sign.bbclass
<https://github.com/openbmc/openbmc/blob/master/meta-aspeed/classes/socsec-sign.bbclass>.
Note OTP refers to one-time programmable memory used to set the signing
key, etc. Also I (Joseph Reynolds) believe the AST2600 specs are not
public domain.
… and general OpenBMC Root of Trust (RoT) discussion
DISCUSSION:
Secure boot trust chain: the BMC hardware performs secure boot of the
bootloader (e.g., U-Boot, then U-Boot verifies
{kernel,devicetree,rootfs}, etc., up to starting the application.
Secure boot has three layers: 1 hardware validates uboot, 2 U-Boot
validates the Readonly fs, 3 the operation system validates applications.
To validate before starting applications: DMverity, IMA
The OpenBMC project is working to support the first layer, specifically
AST2600 secure booting U-Boot. The intention is then to support U-Boot
securely booting the next layer (kernel, etc.) Also there is interest
in using DMverity and IMA, but no agreements.
Who programs the BMC’s OTP memory? Different use cases: one of: BMC
vendor, board manufacturer, or customer/installation.
How to validate the BMC hardware? Different use cases: RoT is the BMC
-vs- an external component.
Does BMC download applications as part of its intended operation?
Different use cases.
In the base use case, the BMC read only file system has all
applications. Only developers (and advanced diagnostics) download code,
presumably to test fixes or collect more diagnostic data.
Use cases include both validating the filesystem which has the code, and
validating the app itself as it is loaded (exec’d) into a Linux process.
Does OpenBMC support Firmware encryption? symmetric/asymmetric.
AST2600 supports AES encrypted bootloaders. But there is not currently
support for this in OpenBMC.
Note that the latest U-Boot version supports encrypted firmware (for
example, it decrypts the kernel).
2 Do we need to discuss the concept and need for NoAccess users and how
they would be different from disabled BMC user accounts? See discussion
in https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49295
<https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49295>
DISCUSSION - was not discussed because we were out of time.
3 CNA Organization Admin account and authorized users
DISCUSSION:
James is working with Mitre to get a “CNA organizational admin” account
so OpenBMC can write CVEs in its role as a CNA.
Working the OpenBMC vulnerability backlog…intends to write CVEs.
We briefly discussed our direction to use Github security workflow to
publish OpenBMC security bulletins on github.
Joseph
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph
More information about the openbmc
mailing list