From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday September 29
Date: Mon, 4 Oct 2021 10:15:07 -0500
Message-ID: <e6dbbca0-e4f7-2e0f-146b-e57008a788e9@linux.ibm.com>
In-Reply-To: <bb3c031e-cbe3-36c5-0db6-d1ef454300fd@linux.ibm.com>

On 9/28/21 8:35 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday September 29 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
> 1. Continue discussion: Password based auth for IPMI over DTLS 
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/31548

DISCUSSION:

The planned IPMI over DTLS function will have certificate-based 
authentication.  For our use cases, we would like to add password-based 
authentication, and we want to do so as securely as possible, meaning 
what protocol we should use.  In particular, we want to know if we 
should avoid sending a “cleartext” password (tunneled over DTLS) to the 
server.

However note the Redfish password authentication passes in the cleartext 
password to the Redfish/HTTP server (tunneled over HTTPS). Does not need 
the existing ipmi_pass file, or will at least store the password 
securely in it.

Contrast with Redfish password change and with Basic Auth.

Consider RAKP which does not require the password to be transmitted in 
cleartext.

Can we consider SRP (dropped in OpenSSL 3.0 -- why?) or other 
implementations such as GnuTLS?

Want to know what protocol to use for password auth over DTLS.  And then 
implement it correctly.

TODO: Call for experts to weigh in.

> 2. (Joseph) Who wants a function to enable/disable BMC USB ports? 
> https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/47180
>

What does disable USB port mean?  USB for BMC use.  [Discussion excludes 
host USB ports, and any USB ports further from the BMC.]

DISCUSSION:

Threats: USB protocol attack, power-based attack, epoxy-based DoS 
attacks, use of functions built on top of USB function.

Can disable ports independently: Does Redfish want to model topology?  
Sets of USB ports, such as those with physical external connectors, and 
internal.  ANSWER: Yes, see below.

Need to model topology (machine architecture, USB hubs, etc.) as part of 
understanding the issues?  Or can we partition USB ports and call it 
either BMC or host?

Consider essential connections such as USB-based BMC keyboards, 
USB-based BMC/host connections, etc.

The design is interested specifically in used-by-BMC external-to-the-box 
USB ports.

Note that if USB ports are needed for BMC recovery (such as a USB key), 
then disabling the USB will remove that recovery option.

Note: The U-Boot is an independent OS which may have access to a 
“disabled” BMC.

Where to disable USB ports?  In OpenBMC kernel?  In U-Boot kernel (does 
not have support for USB?)?  Via pgood gpio?

What does the Redfish endpoint control?  TODO: Joseph to investigate.  
DONE:  After the meeting.  Notes:

Summary: Redfish models USB Controllers (as USBController),  USB Port 
Collections (as PortCollection), and USB Ports (as Port).  
Implementations who want to implement powering off ports can use the 
USBController Resource_PowerState schema.  Implementations who want to 
disable USB ports can use the USBController Resource_State schema or the 
Port Enabled property.


DETAILS: A Redfish USBController:

http://redfish.dmtf.org/schemas/v1/USBController.v1_0_0.yaml#/components/schemas/USBController_v1_0_0_USBController 
where properties include: Ports (PortCollection), Status (which can have a 
Resource_PowerState schema or a Resource_State schema (includes 
enabled/disabled))

Ref: https://redfish.dmtf.org/schemas/PortCollection.yaml has property 
Members which somehow presumably can get to a 
https://redfish.dmtf.org/schemas/Port.yaml where Port_v1_5_0_Port has 
an “Enabled” property.


Do we need a custom OEM solution?

How do testers check if a USB port is disabled?  Power?  Signals?



>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph

