Security Working Group meeting - Wednesday June 8 - results

Joseph Reynolds jrey at linux.ibm.com
Thu Jun 9 05:06:37 AEST 2022


On 6/7/22 11:12 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday June 8 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:
>

Attended: Joseph Reynolds, Yutaka, Ruud Haring, Dick from Phoenix, 
Krishnan Sugavanam, Mark McCawley, Russel Wilson


The meeting went about 20 minutes over time (80 minutes total).


1 Progress on SELinux gerrit review 
https://gerrit.openbmc.org/c/openbmc/docs/+/53205 
<https://gerrit.openbmc.org/c/openbmc/docs/+/53205>

Note the design is intended for BMC which have a larger flash image 
size.  For example the OpenBMC witherspoon reference platform has a 64Mb 
flash divided into 2 sides, with space for a 20Mb readonly filesystem, 
so it is too small.  SELinux is intended for BMC with 256Mb SPI flash, 
where SELinux adds  about  20Mb (initial guess).


Ruud is continuing to work on the design.  Discovering what config 
changes are needed by enabling SElinux.  For example, SELinux adds a 
`-Z` flag to many commands to show SELinux attributes.  SELinux-enabled 
busybox (-Z flag) exists.  Attempting to build from Yocto recipe.

Attempting to follow meta-selinux docs.  Debugging.  Reach out with 
questions to the yocto community (perhaps via email list in 
https://wiki.yoctoproject.org/wiki/Security).


We did a deep dive on BMCWeb authority checking by following a Redfish 
API call:

  *

    After a Redfish session is created, that session has a role and a
    set of privileges.

  *

    When that session is used to invoke an HTTP operation, that
    operation’s  privileges are checked against the session’s privileges.

  *

    The Redfish spec described this in DSP0266 > Security details >
    Authorization.  We peeked at this spec.

  *

    We looked at the Redfish “delete user” API as implemented by BMCWeb.
    https://github.com/openbmc/bmcweb/blob/002d39b4a7a5ed7166e2acad84e0943c3def9492/redfish-core/lib/account_service.hpp#L1941
    <https://github.com/openbmc/bmcweb/blob/002d39b4a7a5ed7166e2acad84e0943c3def9492/redfish-core/lib/account_service.hpp#L1941> 
    This defines:

      o

        the HTTP operation (DELETE
        /redfish/v1/AccountService/Accounts/<str> where <str> is a
        username).

      o

        along with the privileges required to perform that operation:
        namely redfish::privileges::deleteManagerAccount, which only
        Administrator users have.

      o

        The C++ code to implement the operation (which basically invoke
        the phosphor-user-manager API via D-Bus system bus with parameters

          +

            Bus: xyz.openbmc_project.User.Manager

          +

            Object path: (as C++ variable userPath)

          +

            Interface: xyz.openbmc_project.Object.Delete

          +

            Method: Delete

  *

    We talked about, but did not look at BMCWeb’s router function, which
    routes operations to their implementation (such as “delete user”
    above), and we talked about but did not look at the authority check
    it performs.  That code is in the “handle” method, here:
    https://github.com/openbmc/bmcweb/blob/002d39b4a7a5ed7166e2acad84e0943c3def9492/http/routing.hpp#L1236
    <https://github.com/openbmc/bmcweb/blob/002d39b4a7a5ed7166e2acad84e0943c3def9492/http/routing.hpp#L1236>

  *

    We looked at BMCWeb’s implementation of the Redfish privilege
    registry.  Specifically, the generated header file here
    https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp
    <https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp>is
    a translation of the redfish spec’s privilege registry.  The BMCWeb
    contributors maintain this file (runs as needed and checked in to
    the repo), and the definitions are used within the operations
    handlers (such as “delete user”).


A basic understanding is that OpenBMC’s authority checking (which asks: 
“am I allowed to perform this operation?”) is handled by BMCWeb, and 
there is no authority checking at the D-Bus layer.  (Currently anyone 
who needs to use a D-Bus API must have root authority). This is a 
security problem we are trying to solve.  (TODO: articulate why this is 
a problem.)

Two approaches were briefly discussed (not necessarily as complete 
solutions):

  *

    BMCWeb drops to the logged-in user (switch user command (su) or the
    setuid kernel call).

  *

    SELinux labeling model.


For example, if desired, we can use SELinux to ensure the “delete user” 
dbus api can only be used by bmcweb and that it cannot be used by any 
other service (like IPMI or by SSH/bash).  Then we can ensure only the 
phosphor-user-manager service is allowed to modify the /etc/passwd & 
shadow files.  Doing so will lock down who is allowed to perform BMC 
user management.


Revisit some initial use cases for selinux (examples):

 1.

    Limit what files bmcweb process can reach.  In my opinion (Joseph)
    this would be an easy initial use case for SELinux because BMCWeb
    only touches a small set of files,and has no reason to touch other
    files.  Also phosphor-user-manager only touches a small set of files
    (including /etc/shadow), and has no reason to touch other files or
    to reach out to the network.

 2.

    Control which D-Bus apis bmcweb is allowed to use. (All of them?)


Here is an attempt to state a security problem more clearly: How do we 
limit specific dbus calls to specific users or to specific processes?  
Alternatively: How do we push down the BMCWeb’s authority model into the 
D-Bus APIs?  And what additional security would this give us?



Joseph

>
>
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph



More information about the openbmc mailing list