Security Working Group meeting - Wednesday March 16 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Mar 17 04:51:11 AEDT 2022
On 3/15/22 9:45 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday March 16 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attended: Joseph, Ratan, James, Mark, Daniil, Dhananjay, Dick, Jiang
1 Please review the phosphor audit design
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/46023 and related
code under https://github.com/openbmc/phosphor-logging directory
phosphor-audit.
IBM is interested in working on this.
We also discussed encrypting data like logs, and storing keys in a vault
/ trust zone / TPM.
See also encrypted volume https://github.com/openbmc/estoraged
2 CNA work update
James is working on the OpenBMC vulnerability backlog. First
transferring each one to our private GitHub issues database together
with its reserved CVE. James will share JSON-formatted CVEs with the
security response team (SRT). Currently working to upload/submit CVEs
to MITRE. (Note these are not yet public.)
Helpful tools: formatted vulnerabilities using Vulnogram. Use
Red Hat’s Cvelib Python-based tool.
TODO: Joseph and Dhananjay (as the OpenBMC CNAs): get credentials from
MITRE to allow you to create CVEs.
-Joseph
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>
>