[OpenPower-Firmware] github security and opsec

[Stewart Smith]

Jeremy and I were brainstorming a bunch of security related things over
the past week, and I wanted to start a conversation about our opsec for
OpenPOWER github and code workflow.

Considering who the customers and users are for POWER and OpenPOWER,
we're an increasingly high value target (especially when we have
secure/trusted boot).

What about the following as a first step, that we can evolve over time?

- anyone with write access to any OpenPOWER repository *MUST* have
  GitHub two factor authentication enabled
- Anyone tagging releases in an OpenPOWER repository *MUST* GPG sign
  those releases and have their GPG key used for signing in their github
  account.
- Anyone with write access to any OpenPOWER repository *MUST* use full
  disk encryption for drives where applicable SSH and GPG keys are
  stored.

We should probably have something in open-power/docs - maybe an
open-power/docs/maintainers/opsec.txt ?

There's already some suggestions out in the wild for linux kernel
maintainers (although due to being on an aircraft at 35,000ft over the
pacific ocean as I type this, I don't have the URL handy), maybe we
should start with that?

-- 
Stewart Smith
OPAL Architect, IBM.