Security Working Group meeting - Wednesday May 11 - results
Joseph Reynolds
jrey at linux.ibm.com
Fri May 13 01:54:51 AEST 2022
On 5/10/22 9:51 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday May 11 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
Attended: (did not record attendance)
1 Dhananjay - progress on writing CVEs?
DISCUSSION:
James has credentials (as a CNA) to write CVEs for the OpenBMC project.
TODO: Dhananjay and Joseph need to get credentials, then the response
team to start working vulnerabilities through the new workflow, and
approve the workflow.
2 Review D-Bus threat analysis is work in progress
DISCUSSION:
What bmc resources do we need to protect?
Idea: Push the authority model bmcweb has into the D-Bus layer. That
is, currently services like ipmi and bmcweb perform authority checks,
and then use their root authority to invoke the D-Bus APIs. The idea is
for BMCWeb to drop from root to the user who is requesting the
operation, and use that user’s authority to invoke the D-Bus API. The
D-Bus layer would have to be enhanced to support this. (It currently
requires root to perform most operations.)
Protect interfaces which implement sensitive functions, for example
mctp/pldm/spdm. Or explain existing protection mechanisms. For
example: a bmc non-root user should not have the ability to run
arbitrary spdm commands. (The BMC should only ever use a subset of the
commands.)
TODO Nirav Shah: Document BMC/host interfaces in a way similar to
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
as a way to get started with a model for what needs to be protected.
For example: Both bmcweb and the network IPMI service have user
management functions, that is, they can create new admin users. They
use the phosphor-user-manager D-Bus interface to do this, and user
manager uses Linux functions (useradd and usermod commands, etc.) This
model would help us systematically identify interfaces which need to be
protected.
3 What is the current status of bmc secure boot?
DISCUSSION:
Progress to date: Uboot merged, secure booting the Linux kernel
The design is under review here:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/26169
Some discussion here:
https://lore.kernel.org/openbmc/20220131034147.106415-1-andrew@aj.id.au/
Some of the discussion related to system lifecycle (like how to re-key the
BMC, or how to temporarily disable secure boot). TODO: describe use
cases for system lifecycle.
TODO: Follow up on design review.
Ref:
https://www.opencompute.org/blog/ocp-security-announces-version-10-specs-for-root-of-trust
Use case example: Always enable first stage secure booting with
no way to disable it: hardware checking uboot spl. How to use secure
boot jumpers?
-Joseph
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
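The per-user authority idea under item 2 above (services invoking D-Bus as the requesting user instead of with root authority) can be expressed at the D-Bus layer with a dbus-daemon busconfig policy. The file below is an added illustration, not a file from the OpenBMC project or from these meeting notes; the well-known name and interface xyz.openbmc_project.User.Manager and the group name priv-admin are assumed placeholders standing in for whatever the threat analysis identifies. It contrasts the weak pattern (a blanket allow for every local caller, which leaves all authority checks to the root service) with a default-deny policy that grants the user-management interface only to callers whose Unix group carries admin privilege.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Illustrative policy for a user-management service; not OpenBMC's own file.
     Bus name, interface name and group name are assumed placeholders.
     dbus-daemon evaluates context="default" rules first, then group rules,
     then user rules, and the last matching rule wins, so a default deny can
     be lifted selectively for one group below. -->
<busconfig>

  <!-- Only root (the uid the daemon runs as) may claim the service name.
       Root also keeps the right to call it, which is the point the notes make:
       a root daemon calling on a user's behalf is always matched here, so the
       policy only enforces anything once the caller runs as that user. -->
  <policy user="root">
    <allow own="xyz.openbmc_project.User.Manager"/>
    <allow send_destination="xyz.openbmc_project.User.Manager"/>
  </policy>

  <!-- Default for every other local caller. The stock system.conf already
       denies method calls unless a service file allows them; the explicit
       deny documents the intent. The weak pattern to avoid is the line
       commented out below, which would let any local uid call every method
       and push the whole authority decision back into the service. -->
  <policy context="default">
    <deny send_destination="xyz.openbmc_project.User.Manager"/>
    <!-- <allow send_destination="xyz.openbmc_project.User.Manager"/> -->

    <!-- Introspection and property reads stay open so tooling keeps working;
         writes (Set) are not granted here. -->
    <allow send_destination="xyz.openbmc_project.User.Manager"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="xyz.openbmc_project.User.Manager"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Get"/>
    <allow send_destination="xyz.openbmc_project.User.Manager"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="GetAll"/>
  </policy>

  <!-- Callers whose Unix group carries admin privilege may use the
       user-management interface (create/delete users, change privilege).
       Group membership is taken from the connecting uid's credentials, not
       from anything the caller sends in the message. -->
  <policy group="priv-admin">
    <allow send_destination="xyz.openbmc_project.User.Manager"
           send_interface="xyz.openbmc_project.User.Manager"/>
  </policy>

</busconfig>
```

Such a file would be installed under /etc/dbus-1/system.d/ and picked up after dbus-daemon reloads its configuration. A quick check of the intended effect is to issue a method call on the guarded interface from a shell running as a uid outside priv-admin; dbus-daemon should answer with org.freedesktop.DBus.Error.AccessDenied before the service sees the request, while the same call as a priv-admin member goes through. The caveat stated in the comments is the important one for the OpenBMC discussion: because dbus-daemon attributes a call to the socket peer's uid and groups, bmcweb and ipmid gain nothing from this until they actually make the call as the requesting user, which is the enhancement the notes say the D-Bus layer and the services would need.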