Security Working Group meeting - Wednesday March 16 - results - audit log handling

[Joseph Reynolds]

On 3/16/22 2:45 PM, Michael Richardson wrote:
> Joseph Reynolds <jrey at linux.ibm.com> wrote:
>      > We also discussed encrypting data like logs, and storing keys in a
>      > vault / trust zone /  TPM.
>
> Wouldn't it make most sense to encrypt them *to* an asymmetric (public) key that is
> not on the BMC?   Or one can send them over encrypted syslog, or netconf to
> another server for safe keeping.
> Or are you thinking that you need to sign the logs?
>
> If the key is stored locally, even in a TPM, and the point is to be able to
> review logs locally, then the logs need to get decrypted, and that means that
> the key needs to be enabled/opened/activated locally, and which point,
> if there was a compromised system, the bad guy wins.
>
> I guess I wonder what the goals are here.

Goals?  We didn't mention any goals, and the discussion about encryption 
was lighthearted and introductory.
I had not thought past storing the audit log on the BMC, and realizing 
that it should be encrypted or streamed off the BMC.
I agree that using symmetric keys is not a good idea.

I'll ask my requirement providers what their needs are in this space.

- Joseph

>
>      > See also encrypted volume https://github.com/openbmc/estoraged
>      > <https://github.com/openbmc/estoraged>
>
> Same issue: where is the key stored?
same