Security Working Group meeting - Wednesday July 20 - results

Joseph Reynolds jrey at
Thu Jul 21 09:05:20 AEST 2022

On 7/19/22 10:47 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday July 20 at 10:00am PDT.
> We'll discuss the following items on the agenda 
> <>, 
> and anything else that comes up:
> 1. Continue discussing CVE response, SELinux, and Measured Boot 2.

Meeting held 2022-07-20

Attendees: Daniil Engranov, Russel Wilson, Yutaka Sugawara, Ruud Haring, 
James Mihm, Joseph Reynolds, Dhananjay, Jiang Zhang, Krishnan Sugavanam, 
Sandhya Koteshwara

1 CVE Response guidelines

The OpenBMC Security Response Team is meeting regularly to determine 
next steps for how to improve the vulnerability handling process.  See 
background docs here: 

The direction is to move new problems into github advisories as quickly 
as possible.

For example, security vulnerabilities in OpenBMC documentation are 
reported in 
<>, BMCWeb defects 
reported in 
<>, etc.  Each repo 
has its own set of security advisories.

The team is working to understand how to give security responders access 
to private security advisories.  Obviously, then we would have to work 
with each repository maintainer to set up its security tab.

2 SELinux updates.

We discussed ideas for the right way to structure the code.  The 
consensus is there are three layers:

Layer 1. Use the existing meta-selinuxbitbake layer.  This layer has the 
poky/meta config changes to use selinux: adds the SELinux support, 
updates coreutils, and introduces policies.

Layer 2: Propose a new bitbake layer, meta-phosphor-selinux, to work on 
top of the meta-selinux layer, to adapt the OpenBMC phosphor 
applications to use SElinux.  This approach avoids changing the base 
repos, so they don’t need to know or care about SELinux.  This further 
customizes openbmc:


    Override various recipes via *.bbappend to add selinux to recipes
    like busybox, pam, more updates to coreutils, etc.


    Define minimal/trivial SELinux policies for OpenBMC applications

Layer 3: Add detailed SELinux policy files to the existing meta- layers 
for each target.  For example, add SELinux policies to the OpenPOWER 
platform (the OpenBMC reference platform)

This would do thing like:


    Increase size of the readonly file system (which is per TARGET).


    Introduce policy files for that target (test FEATURE to know if
    selinux is enabled).

This three layer approach puts the parts that can be shared into the new 
meta-phosphor-selinux layer, and leaves policy decisions to each TARGET 

To add SELinux to a machine or a build, the configuration work would be 


    Insert the meta-selinux layer


    Insert the meta-phosphor-selinux layer


    Enhance the layer for your target.

3 TPM/attestation updates.

Working on PoC for the following:


    Working to extend measurements to the TPM


    Working to integrate keylime for remote attestation.

Next steps are to create a design for the step above.  For remote 
attestation: An agent on the BMC collects data.  How can a network 
client get that data?  WIP: Redfish schema for network clients to get 
access to read attestation.  Is there a common solution? We want to 
avoid OEM APIs.

Redfish public discussion here: 

> Access, agenda and notes are in the wiki:
> <>
> - Joseph

More information about the openbmc mailing list