* Security Working Group meeting - Wednesday August 17
@ 2022-08-17  3:07 Joseph Reynolds
  2022-08-17  5:11 ` Andrew Jeffery
  2022-08-17 20:11 ` Joseph Reynolds
  0 siblings, 2 replies; 8+ messages in thread
From: Joseph Reynolds @ 2022-08-17  3:07 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday August 17 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
and anything else that comes up:
1. Continue discussing Measured Boot.

2. Continue discussing CVE response.

3. BMC FIPS compliance.

4. Add guidance to 
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md 
for submitting proof-of-concept exploits.



Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph


* Re: Security Working Group meeting - Wednesday August 17
  2022-08-17  3:07 Security Working Group meeting - Wednesday August 17 Joseph Reynolds
@ 2022-08-17  5:11 ` Andrew Jeffery
  2022-08-17 16:13   ` Joseph Reynolds
  2022-08-17 20:11 ` Joseph Reynolds
  1 sibling, 1 reply; 8+ messages in thread
From: Andrew Jeffery @ 2022-08-17  5:11 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc



On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 17 at 10:00am PDT.

Given the discussion from last meeting, is this on Discord?

Andrew


* Re: Security Working Group meeting - Wednesday August 17
  2022-08-17  5:11 ` Andrew Jeffery
@ 2022-08-17 16:13   ` Joseph Reynolds
  2022-08-17 16:57     ` Brad Bishop
  0 siblings, 1 reply; 8+ messages in thread
From: Joseph Reynolds @ 2022-08-17 16:13 UTC (permalink / raw)
  To: Andrew Jeffery, openbmc

On 8/17/22 12:11 AM, Andrew Jeffery wrote:
>
> On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday August 17 at 10:00am PDT.
> Given the discussion from last meeting, is this on Discord?

No.  The meeting access for Aug 17 is the same as before:
https://ibm.webex.com/meet/joseph.reynolds1

I wanted to give a couple of weeks notice (A) for attendees to firm up 
any objections to moving, and (B) to announce the change.

Joseph

>
> Andrew



* Re: Security Working Group meeting - Wednesday August 17
  2022-08-17 16:13   ` Joseph Reynolds
@ 2022-08-17 16:57     ` Brad Bishop
  0 siblings, 0 replies; 8+ messages in thread
From: Brad Bishop @ 2022-08-17 16:57 UTC (permalink / raw)
  To: Joseph Reynolds, Andrew Jeffery, openbmc

On Wed, 2022-08-17 at 11:13 -0500, Joseph Reynolds wrote:
> On 8/17/22 12:11 AM, Andrew Jeffery wrote:
> > 
> > On Wed, 17 Aug 2022, at 12:37, Joseph Reynolds wrote:
> > > This is a reminder of the OpenBMC Security Working Group meeting
> > > scheduled for this Wednesday August 17 at 10:00am PDT.
> > Given the discussion from last meeting, is this on Discord?
> 
> No.  The meeting access for Aug 17 is the same as before:
> https://ibm.webex.com/meet/joseph.reynolds1
> 
> I wanted to give a couple of weeks notice (A) for attendees to firm up
> any objections to moving

Injecting my opinions in case they are helpful...but probably not 🤣

I likely sound cliché but someone will always be unhappy with every
decision, including this one.  As the WG host, have -you- been convinced
that improved collaboration between the security working group and the
developer community is worthwhile, and that moving to Discord will
improve that?  If so - go for it!

People were (and still are) opposed to moving from IRC to Discord, but
we now have 500 people on our server and levels of collaboration in the
developer community never before seen in OpenBMC...

Thanks,
Brad


* Re: Security Working Group meeting - Wednesday August 17
  2022-08-17  3:07 Security Working Group meeting - Wednesday August 17 Joseph Reynolds
  2022-08-17  5:11 ` Andrew Jeffery
@ 2022-08-17 20:11 ` Joseph Reynolds
  2022-08-17 20:26   ` Security Working Group meeting - moved to Discord Voice channel Joseph Reynolds
  2022-08-17 20:29   ` Security Working Group meeting - Wednesday August 17 Patrick Williams
  1 sibling, 2 replies; 8+ messages in thread
From: Joseph Reynolds @ 2022-08-17 20:11 UTC (permalink / raw)
  To: openbmc

On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:

I added topic 0: Move the meeting access from Webex to Discord voice.
I combined topic 4 (how to submit proof-of-concept exploits) into topic 2.

Attendees: Joseph Reynolds, Yutaka Sugawara, Ruud Haring, James Mihm, 
Dhananjay, Krishnan Sugavanam, Sandhya Koteshwara, Dick from Phoenix, 
Chris Engel, Paul Crumley, Mark McCawley, Angelo Ruocco, Daniil, Robert 
Senger.


0 Move the next meeting access to Discord?  Discord > OpenBMC > Voice 
channels > Security ~ 
https://discord.com/channels/775381525260664832/1002376534377635860

Yes, agreed.

The next meeting planned for 2022-08-31 will be on discord.


1 Measured Boot.

DISCUSSION:

Single design or separate designs?  Let’s have separate designs:


1a. Enable measured boot: Kernel Device driver is available. Collect 
measurements into TPM.  See 
https://review.trustedfirmware.org/q/measured-boot


1b. Enable attestation: use the Keylime-Agent REST server on default BMC 
port 8890.

Design Question: Keylime vs Redfish vs other (VMWare is not OSS, Intel’s 
design is proprietary).

Design Question: what gets measured by the TPM?  Follow the TCG 
standard. 
https://trustedcomputinggroup.org/resource/tcg-server-management-domain-firmware-profile-specification/

Design question: when and how to init the TPM?  This is partly in scope 
to community project, but some parts will depend on hardware outside the 
scope of OpenBMC.

Root-of-trust Issue: Does BMC hardware (for example, the next ASPEED 
AST2x00 BMC hw) init the TPM and measure the Uboot image?  ⇒  Or does 
Uboot init the TPM?  Can we use a FIP image?

Pre-req design: the measured boot design requires the signatures 
provided by secure boot.


2 CVE Response.

DISCUSSION:

Add guidance to 
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md 
for submitting proof-of-concept exploits. How to ensure the exploit is not 
harmful to the recipient, and is not tagged by the email sanitizers?   
Encrypt? Or quoted with: > text  Or add to the security advisory?

We are still working on:

  * Github repo maintainers need to create security tabs so they can
    handle security advisories.

  * Proposal to restructure repos

  * Which CNA to use?  The Openbmc CNA vs the github CNA?


3 FIPS compliance.

DISCUSSION:

Note that OpenBMC is not the kind of thing which can be FIPS compliant.  
The way it works is this: a system “built on OpenBMC” seeks FIPS 
compliance.  As part of the compliance process, they need to ask 
questions about the portions of the system which OpenBMC provides, 
therefore the OpenBMC project needs to answer those questions.

FIPS reference: https://en.wikipedia.org/wiki/FIPS_140

The way I (Joseph) see the next steps are:


3a. What FIPS requirements apply to the BMC?  Note that some FIPS 
requirements will not apply to the BMC and will apply only to the 
overall system.  (OpenBMC does not need to address those requirements.)  
The work is to go through the FIPS standards, and list which 
requirements apply to the BMC, and if needed, how they apply.  For 
example, the BMC is part of the management component of the system, and 
the FIPS requirements apply to the management subsystem.


3b. Given the requirements from the previous work item, what can the 
OpenBMC community say about them?  For example, if OpenBMC documentation 
shows how a default build of OpenBMC would pick up some code or 
configuration to satisfy the requirement, that would go a long way to 
help the FIPS evaluator.  More specifically for example, the BMC does 
provide role-based authentication to help satisfy the FIPS requirements.


3c. Create a new openbmc document to capture the answers above.  This 
document use case is as a starting point for the information someone 
needs when they are working to FIPS-certify their system and try to roll 
down the FIPS requirements to their BMC.  A secondary use of this 
document is to identify any gaps in BMC security function.


BONUS TOPIC:

4 SELinux design.  Request for re-review. 
https://gerrit.openbmc.org/c/openbmc/docs/+/53205

Advice on how to create interest in re-reviewing a design.  Use Discord: 
Ping specific reviewers and ask specific questions about design issues, 
if it is solved; ask if the design can be approved.



Joseph

>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph



* Security Working Group meeting - moved to Discord Voice channel
  2022-08-17 20:11 ` Joseph Reynolds
@ 2022-08-17 20:26   ` Joseph Reynolds
  2023-08-28 19:56     ` Security Working Group meeting - regular meetings discontinued Joseph Reynolds
  2022-08-17 20:29   ` Security Working Group meeting - Wednesday August 17 Patrick Williams
  1 sibling, 1 reply; 8+ messages in thread
From: Joseph Reynolds @ 2022-08-17 20:26 UTC (permalink / raw)
  To: openbmc

OpenBMC community members,

Please update your calendar.

The OpenBMC Security Working Group meeting call is moving to the Discord 
OpenBMC Security voice channel.
- Effective for the next scheduled meeting on August 31, 2022 and all 
future meetings (every other week).
- New access is via Discord > OpenBMC > Voice channels > Security -- 
https://discord.com/channels/775381525260664832/1002376534377635860
- Permanent project link: 
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Attendees agreed to this change today: see the 2022-08-17 notes in 
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI

There are no other changes.  We'll continue to use Google Docs for the 
meeting modules.

I plan to start the old Webex meeting to help any stragglers get to the 
new venue.

-Joseph


-------- Forwarded Message --------
Subject: 	Re: Security Working Group meeting - Wednesday August 17
Date: 	Wed, 17 Aug 2022 15:11:46 -0500
From: 	Joseph Reynolds <jrey@linux.ibm.com>
To: 	openbmc <openbmc@lists.ozlabs.org>



On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 17 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
> and anything else that comes up:

...snip...

0 Move the next meeting access to Discord?  Discord > OpenBMC > Voice 
channels > Security ~ 
https://discord.com/channels/775381525260664832/1002376534377635860

Yes, agreed.

The next meeting planned for 2022-08-31 will be on discord.

...snip...


* Re: Security Working Group meeting - Wednesday August 17
  2022-08-17 20:11 ` Joseph Reynolds
  2022-08-17 20:26   ` Security Working Group meeting - moved to Discord Voice channel Joseph Reynolds
@ 2022-08-17 20:29   ` Patrick Williams
  1 sibling, 0 replies; 8+ messages in thread
From: Patrick Williams @ 2022-08-17 20:29 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: openbmc


On Wed, Aug 17, 2022 at 03:11:46PM -0500, Joseph Reynolds wrote:
> On 8/16/22 10:07 PM, Joseph Reynolds wrote:
> 4 SELinux design.  Request for re-review. 
> https://gerrit.openbmc.org/c/openbmc/docs/+/53205
> 
> Advice on how to create interest in re-reviewing a design.  Use Discord: 
> Ping specific reviewers and ask specific questions about design issues, 
> if it is solved; ask if the design can be approved.

Step 1.  Do not disappear for months at a time, without responding to
any feedback, and then expect reviewers to drop everything when you
decide it is time to show up again.

-- 
Patrick Williams



* Re: Security Working Group meeting - regular meetings discontinued
  2022-08-17 20:26   ` Security Working Group meeting - moved to Discord Voice channel Joseph Reynolds
@ 2023-08-28 19:56     ` Joseph Reynolds
  0 siblings, 0 replies; 8+ messages in thread
From: Joseph Reynolds @ 2023-08-28 19:56 UTC (permalink / raw)
  To: openbmc

OpenBMC community,

I am discontinuing the OpenBMC Security Working Group meetings. About a 
year ago, these meetings moved to Discord voice and the project's open 
security work moved to the Discord security channel. As intended, the 
content of the voice meeting has significantly reduced as the discussion 
increased in the Discord security channel.  Attendance and topics have 
fallen to zero.  So it is time to discontinue having regular meetings.  
Thanks to everyone who helped move the project forward during this time!

As a direct consequence, the meeting agenda and minutes will no longer 
be appended:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
Instead of this wiki, please use the Discord OpenBMC security channel 
for this discussion.

To discuss OpenBMC security topics on Discord:
- first join Discord via https://discord.gg/69Km47zH98
- then go to the Discord OpenBMC server: 
https://discord.com/channels/775381525260664832
- and browse to the #security channel - or any other appropriate channel.

Also feel free to email questions to the community.

If you need to talk to someone so you can move forward, please use the 
regular security channel to schedule a call on the Discord OpenBMC 
Security voice channel.  (NOTE: This is a voice channel, different from 
the regular security channel.) See Discord > OpenBMC > Voice channels > 
Security ~ 
https://discord.com/channels/775381525260664832/1002376534377635860
^^ Typically used only for discussion about the voice channel itself.

Note the OpenBMC project's security wiki is here:
https://github.com/openbmc/openbmc/wiki/Security-working-group
I don't have any plans to change this wiki, and I wish for the security 
assurance work it outlines to continue.


To *privately* report a security vulnerability to the project (or if you 
think you want to ask about reporting such a vulnerability), please do not 
use public channels.  Instead follow the process here:
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md

Yours truly,
Joseph Reynolds


On 8/17/22 3:26 PM, Joseph Reynolds wrote:
> OpenBMC community members,
>
> Please update your calendar.
>
> The OpenBMC Security Working Group meeting call is moving to the 
> Discord OpenBMC Security voice channel.
> - Effective for the next scheduled meeting on August 31, 2022 and all 
> future meetings (every other week).
> - New access is via Discord > OpenBMC > Voice channels > Security -- 
> https://discord.com/channels/775381525260664832/1002376534377635860
> - Permanent project link: 
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> - Attendees agreed to this change today: see the 2022-08-17 notes in 
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
>
> There are no other changes.  We'll continue to use Google Docs for 
> the meeting modules.
>
> I plan to start the old Webex meeting to help any stragglers get to 
> the new venue.
>
> -Joseph
>
>
> -------- Forwarded Message --------
> Subject:     Re: Security Working Group meeting - Wednesday August 17
> Date:     Wed, 17 Aug 2022 15:11:46 -0500
> From:     Joseph Reynolds <jrey@linux.ibm.com>
> To:     openbmc <openbmc@lists.ozlabs.org>
>
>
>
> On 8/16/22 10:07 PM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting 
>> scheduled for this Wednesday August 17 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda 
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
>> and anything else that comes up:
>
> ...snip...
>
> 0 Move the next meeting access to Discord?  Discord > OpenBMC > Voice 
> channels > Security ~ 
> https://discord.com/channels/775381525260664832/1002376534377635860
>
> Yes, agreed.
>
> The next meeting planned for 2022-08-31 will be on discord.
>
> ...snip...

