From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group - Wednesday March 31 - results
Date: Wed, 31 Mar 2021 13:57:48 -0500
Message-ID: <925affec-2bf6-e3a6-7388-36d3e80ee443@linux.ibm.com>
In-Reply-To: <a8366b66-4a8a-2492-7034-a35b06421961@linux.ibm.com>

On 3/30/21 7:56 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday March 31 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>
> 1.
>
> Joseph: https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/41560
> <https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/41560> Add
> PerformService privilege.

Dropping the OemOpenBMCPerformService privilege and custom
OemOpenBMCServiceAgent role in favor of a more general design.

>
> 2.
>
> Joseph: Design for User role configuration
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/41652
> <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/41652>

DISCUSSION:
The design above will intersect with its counterpart
operation-to-privilege design - in that they both specify privileges.
We should sketch out that design before proceeding with this one. Next
piece is operation-to-privilege customization design because it affects
this design.

>
> 3.
>
> Joseph: Interest in OpenBMC learning series talk “OpenBMC secure
> engineering”?

Nope. Joseph plans to give the talk.

>
> 4.
>
> Anton: Privilege separation
> <https://docs.google.com/document/d/1EI-HfPb_NMp9GD0fY6-XCpnKAX6-ZsdpDEsmiX5d6fc/edit#heading=h.b167mnkkse22>

Anton reviewed his doc. We discussed having the D-Bus broker use ACLs.
Key to get reviews: create something each maintainer can test.
Need to cover all D-Bus users with ACL before we can throw the secure
switch (rough number of services to be changed
<https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/37844> for
a base set of targets runnable under qemu).

>
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph
>
>