[OpenPower-Firmware] github security and opsec
Murilo Opsfelder Araújo
muriloo at linux.vnet.ibm.com
Tue Apr 12 05:40:39 AEST 2016
On 04/09/2016 07:01 PM, Stewart Smith wrote:
> Jeremy and I were brainstorming a bunch of security related things over
> the past week, and I wanted to start a conversation about our opsec for
> OpenPOWER github and code workflow.
>
> Considering who the customers and users are for POWER and OpenPOWER,
> we're an increasingly high value target (especially when we have
> secure/trusted boot).
>
> What about the following as a first step, that we can evolve over time?
>
> - anyone with write access to any OpenPOWER repository *MUST* have
> GitHub two factor authentication enabled
> - Anyone tagging releases in an OpenPOWER repository *MUST* GPG sign
> those releases and have their GPG key used for signing in their github
> account.
> - Anyone with write access to any OpenPOWER repository *MUST* use full
> disk encryption for drives where applicable SSH and GPG keys are
> stored.
>
> We should probably have something in open-power/docs - maybe an
> open-power/docs/maintainers/opsec.txt ?
>
> There's already some suggestions out in the wild for linux kernel
> maintainers (although due to being on an aircraft at 35,000ft over the
> pacific ocean as I type this, I don't have the URL handy), maybe we
> should start with that?
Hi, Stewart.
The Linux Foundation provides their staff with some guidance on how to
harden their workstations and how team members should communicate securely:
https://github.com/lfit/itpol/blob/master/linux-workstation-security.md
https://github.com/lfit/itpol/blob/master/trusted-team-communication.md
Perhaps the above is a good start.
Besides to what you pointed out, I'd add:
- Encrypt swap partition (along with full disk encryption).
- Do not suspend (only hibernate!) to avoid Cold Boot attack if laptop
is stolen.
--
Murilo
More information about the OpenPower-Firmware
mailing list