Security Working Group meeting - Wednesday January 19

Security Working Group meeting - Wednesday January 19

[Joseph Reynolds]

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday January 19 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
and anything else that comes up:

1.



Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group 
<https://github.com/openbmc/openbmc/wiki/Security-working-group>

- Joseph

Re: Security Working Group meeting - Wednesday January 19

[Michael Richardson]

[-- Attachment #1: Type: text/plain, Size: 787 bytes --]


Joseph Reynolds <jrey@linux.ibm.com> wrote:
    > We'll discuss the following items on the agenda
    > <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
    > and anything else that comes up:

I went through the effort to become a CNA for tcpdump.org.
Lots of stupid marketing overhead as mitre thinks they need to tell your
marketing people what it's about :-(

It took me many tries to generate a valid JSON file for my CVE reports, but I
did finally get it.  Unicast me when you get there if you need help.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 398 bytes --]

Re: Security Working Group meeting - Wednesday January 19 - results

[Joseph Reynolds]

On 1/18/22 10:03 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday January 19 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:
>
>

Attended: Joseph, Dhananjay, James Mihm, Aviram from Kameleon, Dick 
Wilkins, Daniil, Jiang Zhang.


1 James mentioned two topics from last time: (a) integrate OpenBMC 
Security Response Team (SRT) docs into github, and (2) enhance the SRT 
process (as the OpenBMC CNA) to follow the correct process to write CVEs.

James renewed the call to push to writeup security issues in (private 
repo) https://github.com/openbmc/security-response/issues 
<https://github.com/openbmc/security-response/issues>

We are still working on this, with the limited amount of time we have.


2 Aviram from Kameleon briefly outlined interest in an OpenBMC Root of 
Trust (RoT).

The RoT controls access to the flash for both the BMC and host, 
following WIP standards from OCP: 
https://www.opencompute.org/blog/ocp-security-announces-version-10-specs-for-root-of-trust 
<https://www.opencompute.org/blog/ocp-security-announces-version-10-specs-for-root-of-trust>


-Joseph

>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph