Security Working Group meeting - Wednesday August 31 - results

Patrick Williams patrick at
Thu Sep 1 21:25:24 AEST 2022

On Wed, Aug 31, 2022 at 01:09:10PM -0500, Joseph Reynolds wrote:

> DISCUSSION: Create two separate designs for:
>     Enable Keylime Agent.  Direction is for the keylime agent to open
>     the BMC network port (using systemd, sort of like how SSH works). 
>     The intention is to engage with Redfish for how to configure the
>     Keylime Agent: certificates, start/stop the application, etc.

I guess you said someone is working on a design for this.  The Keylime
website seems light on details to me, but I'm having trouble
conceptualizing how it is applicable to the BMC.  It seems more like it
is geared towards a self-selecting cluster of services (which reject
peers they don't trust).  Keylime does have the unfortunate aspect of being
written entirely in Python, which makes it very difficult for us to support
on any of the NOR-based systems (all of them except IBM's latest).

Are we also planning on providing attestation information over Redfish?

Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the openbmc mailing list