Security Working Group meeting - Wednesday September 28 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Sep 29 05:01:04 AEST 2022
There was no reminder for the Sep 28 meeting. Here are the results
as if that reminder was sent.
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday September 18 at 10:00am PDT.
>
>
> ATTENTION - Venue Change. The meeting recently moved to Discord
> voice. Please update your calendars.
>
> === MEETING ACCESS ON DISCORD VOICE ===
> First, join Discord via https://discord.gg/69Km47zH98 and confirm via email.
> Then, to join: navigate Discord > OpenBMC > Voice channels > Security
> ~ https://discord.com/channels/775381525260664832/1002376534377635860
>
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Meeting held 2022-09-28
Attendees: Joseph Reynolds, Dick Wilkins, krishnan, russWilson, ddaniil,
RuudHaring, dsp, YutakaSugawara, edtanous, skoteshwara, radsquirrel.
1 Question about user management over interfaces: Redfish, IPMI, SSH.
And related password management (change expired password with same
password).
DISCUSSION:
https://github.com/openbmc/docs/blob/master/architecture/user-management.md
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
Please follow up by re-asking in a public forum: email, discord…
Please push changes for better project docs.
2 Measured boot.
DISCUSSION:
Port Facebook Measured boot to openbmc
Also need work from uboot community, and revisit openbmc’s uboot fork
(and update to newer version) -or- use uefi boot
Follow Up in gerrit review.
3 General issue: firmware image size limits. New features require more
space. There is an ongoing need and effort to reduce image size by
removing unused pieces. New features which consume image size must be
configurable (out of image by default).
To help find how much space a change takes up, see
https://github.com/openbmc/openbmc-tools/tree/master/rootfs_size
4 (Joseph:) Can BMCWeb require additional authentication for sensitive
operations (like changing a password)?
DISCUSSION:
See Redfish public discussion:
https://redfishforum.com/thread/540/additional-auth-sensitive-operations
See previous discussions in discord, email list. Example:
https://lore.kernel.org/openbmc/959CAFA1E282D14FB901BE9A7BF4E7724E51562F@shsmsx102.ccr.corp.intel.com/
Joseph
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph