/openbmc/docs/security/
  obmc-security-response-team-guidelines.md: 1 # Security response team guidelines 3 These are the guidelines for OpenBMC security responders, including the security 5 problems reported by the [security vulnerability reporting process][]. 7 Each project within OpenBMC works independently to resolve security 8 vulnerabilities. The security response team helps the maintainers, provides 9 consistency within the OpenBMC project, and helps to get CVEs assigned. 13 - Keep problems private until announce. 14 - Work with diligence. 15 - Keep stakeholders informed. 21 - Within a day, acknowledge you received the report. Note that reports are [all …]
  how-to-report-a-security-vulnerability.md: 1 # How to report a security vulnerability 3 This describes how you can report an OpenBMC security vulnerability privately to 8 - You have information about a security problem or vulnerability which is not 10 - You want the problem fixed before public disclosure and you are willing to 12 - You understand the problem will eventually be publicly disclosed. 14 To begin the process: Privately contact the OpenBMC security response team and 17 - Suggest sending an email. Use `openbmc-security at lists.ozlabs.org`. 18 - If you know which source code repository is affected, find the repository 20 not, the security response team will help route the problem. 21 - Include details about the security problem such as: [all …]
  obmc-security-response-team.md: 1 # The OpenBMC security vulnerability reporting process 3 This describes the OpenBMC security vulnerability reporting process which is 4 intended to give the project time to address security problems before public 9 - a procedure to privately report security vulnerabilities 10 - a security response team to address reported vulnerabilities 11 - the openbmc-security email address for the response team 12 - guidelines for security response team members 16 1. A community member reports a problem privately to the security response team 18 2. The responders (including the security response team, the repository 20 3. The repository maintainer creates an OpenBMC security advisory which [all …]
  network-security-considerations.md: 1 # Network Security Considerations 3 This describes network services provided by OpenBMC-based systems, some threats 4 the BMC faces from its network interfaces, and steps OpenBMC takes to address 7 This is only intended to be a guide; security is ultimately the responsibility 8 of projects which choose to incorporate OpenBMC into their project. If you find 9 a security vulnerability, please consider [how to report a security 12 [how to report a security vulnerability]: 13 https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md 18 - Confidentiality: If an attacker can get data from the BMC, they may be able to 21 - Integrity: If an attacker can modify BMC settings or data, they may be able to [all …]
  obmc-github-security-advisory-template.md: 1 # OpenBMC Security Advisory Template 3 This has guidelines for OpenBMC repository maintainers to follow when creating 4 new draft GitHub security advisories as part of the [Security response team 8 security advisory "Description" field 10 [security response team guidelines]: ./obmc-security-response-team-guidelines.md 14 Ecosystem: Other OpenBMC Package name: <TBD> Affected versions: 2.9 Patched 27 Please coordinate with the security response team 54 OpenBMC 2.9 58 Please include the commit-id in the affected repo, the commit id for the 70 - Email openbmc-security at lists.ozlabs.org

/openbmc/docs/
  SECURITY.md: 1 # Security Policy 3 ## How to report a security vulnerability 5 This describes how you can report an OpenBMC security vulnerability privately to 10 - You have information about a security problem which is not yet publicly 12 - You want the problem fixed before public disclosure and you are willing to 14 - You understand the problem will eventually be publicly disclosed. 18 - Send an email to `openbmc-security at lists.ozlabs.org` with details about the 19 security problem such as: 20 - the version and configuration of OpenBMC the problem appears in 21 - how to reproduce the problem [all …]
  discord-rules.md: 8 2. OpenBMC community members are volunteering their time to answer your 25 6. Do not discuss undisclosed bugs that may have a security impact in Discord. 26 Instead, email `openbmc-security@lists.ozlabs.org` and follow the [documented 30 https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md

/openbmc/bmcweb/.github/ISSUE_TEMPLATE/
  bug_report.yml: 4 - type: markdown 8 - type: checkboxes 9 id: security-check 12 description: |- 14 …To report a security vulnerability, please follow <https://github.com/openbmc/docs/blob/master/sec… 15 Any crashes are potentially security vulnerabilities and should be treated as such. 16 … To ask questions about how to use OpenBMC, please visit <https://discord.gg/69Km47zH98>. 18 - label: "This is not a security vulnerability or a crashing bug" 20 - label: "This is not a question about how to use OpenBMC" 22 - label: [all …]
  config.yml: 2 - name: "Feature" 3 url: https://github.com/openbmc/openbmc/issues 4 about: "Please file any feature requests to the main openbmc project." 5 - name: "Crash bug" 6 url: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md 9 openbmc-security@lists.ozlabs.org."

/openbmc/bmcweb/
  DEVELOPING.md: 1 # OpenBMC Webserver Development 7 As OpenBMC is intended to be deployed on an embedded system, care should be 11 - Binaries and static files should take up < 1MB of filesystem size 12 - Memory usage should remain below 10MB at all times 13 - Application startup time should be less than 1 second on target hardware 29 - All buffer boundaries must be checked before indexing or using values 30 - All pointers and iterators must be checked for null before dereferencing 31 - All input from outside the application is considered untrusted, and should be 34 - All error statuses are checked and accounted for in control flow. 35 - Where applicable, noexcept methods should be preferred to methods that use [all …]
  OWNERS: 2 # different contexts, and is one of the few nearly-universally used core 3 # components in OpenBMC. As such, given the severe consequences of mistakes 5 # - Have a solid understanding of the bmcweb core code, and how it's used. 7 # - Have access to at least one upstream platform to test relevant patchsets. 9 # - Help to manage the orderly merging of patchsets onto master through review. 12 # responsibilities into sub-parts the codebase, it is expected that maintainers 15 # - Provide help in testing and triage of cross-platform issues that arise as a 18 # - Have an in-depth understanding of the Redfish standard, its constraints in 19 # how it interacts with OpenBMC, and how the bmcweb implementation compares to 23 # - Be capable of, and have a track record of posing questions, clarifications, [all …]

/openbmc/docs/process/
  subproject-maintainership.md: 3 <!--toc:start--> 5 - [Subproject Maintainership and Forward Progress](#subproject-maintainership-and-forward-progress) 6 - [Process](#process) 7 - [Problem Description](#problem-description) 8 - [Scope](#scope) 9 - [Considerations](#considerations) 10 - [Social](#social) 11 - [Technical](#technical) 12 - [Security](#security) 13 - [Synthesis of Considerations](#synthesis-of-considerations) [all …]

/openbmc/docs/architecture/code-update/
  firmware-update-over-redfish.md: 5 Created: 2019-02-11 9 OpenBMC is moving to [Redfish][1] as its standard for out of band management. 15 OpenBMC's existing firmware update implementation over to Redfish. 19 The existing firmware update details for OpenBMC can be found [here][2]. It uses 27 Some differences between the Redfish API and OpenBMC's existing API: 29 - Redfish has a single upload and update API. OpenBMC has a concept of uploading 31 - Redfish does not support multiple firmware images being associated with the 32 same target. OpenBMC does have support for this concept (for example when a 35 - OpenBMC has the concept of a priority that allows a user to chose an image 39 - Redfish does not support deleting a firmware image (this happens by default [all …]

/openbmc/openbmc-test-automation/redfish/service_root/
  test_service_root_security.robot: 2 Documentation Test Redfish service root login security. 14 &{header_requirements} Strict-Transport-Security=max-age=31536000; includeSubdomains 15 ... X-Frame-Options=DENY 16 ... Pragma=no-cache 17 ... Cache-Control=no-store, max-age=0 18 ... Referrer-Policy=no-referrer 19 ... X-Content-Type-Options=nosniff 20 ... X-Permitted-Cross-Domain-Policies=none 21 ... Cross-Origin-Embedder-Policy=require-corp 22 ... Cross-Origin-Opener-Policy=same-origin [all …]

/openbmc/docs/designs/
  redfish-resource-supplement-for-pfr.md: 7 Created: 2019-09-12 13 NIST SP 800-193 provides technical guidelines and recommendations supporting 23 OpenBMC message registry metadata for logging events associated with PFR. 27 Platform Firmware Resilience technology in NIST SP 800-93 provide common 29 and component/device suppliers, to build stronger security mechanisms into 35 - [NIST.SP.180-193](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf) 36 - [Redfish schema supplement](https://www.dmtf.org/sites/default/files/standards/documents/DSP0268_… 37 - [Redfish Logging in bmcweb](https://github.com/openbmc/docs/blob/master/architecture/redfish-logg… 43 - BMC shall provide the way to represent Platform Firmware Resilience 46 - Event logs should be logged to redfish for Platform Firmware Resilience. [all …]
  firmware-update-via-usb.md: 1 # In-Band Update of BMC Firmware using USB 5 Created: 2021-10-12 14 The openbmc project currently has a [phosphor-software-manager][1] repository. 26 - Monitor whether the USB key is inserted. 27 - The first tar file found in the sorted list of files on the USB device is 29 - Manually trigger firmware upgrade. 30 - Disable automatic reboot the BMC firmware after upgrade is complete to prevent 32 - This mechanism attempts to maintain security, for example this feature is 37 The new code would be part of the phosphor-software-manager repository(eg: 38 phosphor-usb-code-update). The design process is as follows: [all …]
  redfish-spdm-attestation.md: 14 [TPM](https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/) 17 unified interface for device security attestation in data centers, and provide a 18 generic implementation for the SPDM D-Bus Daemon. 24 SPDM (Security Protocols and Data Models) is a spec published by 27 [libspdm](https://github.com/DMTF/libspdm) provides an open-source 30 adds support for doing SPDM-based device attestation over Redfish API. 40 - New D-Bus interfaces for Redfish resources `ComponentIntegrity` and 42 - BMCWeb changes for supporting the above Redfish resources. 43 - Design for SPDM Attestation D-Bus Daemon, demonstrating how to fetch the 44 attestation results over D-Bus. [all …]
  device-tree-gpio-naming.md: 1 # Device Tree GPIO Naming in OpenBMC 12 subsystem. The replacement is a "descriptor-based" character device interface. 25 specific field used to name the GPIOs in the DTS is `gpio-line-names`. This 29 scheme in the face of a universe of potential use-cases. 31 Scoping the problem down to just the vastness of OpenBMC narrows the 37 - Ensure common function GPIOs within OpenBMC use the same naming convention 43 (when available on an OpenBMC system). This naming convention must be followed 46 This list below includes all common GPIOs within OpenBMC. Any OpenBMC system 52 Pattern: `*-button` 55 BMC-less machines use a button to trigger system behavior and in a BMC-managed [all …]
  certificate-revocation-list.md: 10 OpenBMC. 21 Current OpenBMC certificate management architecture contains two main 24 1. [phosphor-certificate-manager](https://github.com/openbmc/phosphor-certificate-manager) 29 2. [BMCWeb](https://github.com/openbmc/bmcweb): the Redfish front-end which 34 [this discussion](https://redfishforum.com/thread/618/resource-certificate-revocation-list?page=1&s… 37 daemon interacts with the OpenBMC certificate management architecture via DBus 42 OpenBMC supports management interface for CRLs: 53 ### phosphor-dbus-interfaces 56 [Certs](https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/yaml/xyz/openbmc_project/Ce… 62 ### phosphor-certificate-manager [all …]

/openbmc/openbmc/meta-phosphor/scripts/
  run-repotest: 1 #!/bin/bash -e 9 # openbmc doesn't control what upstream poky, or any of the other layers do, 11 # meta-phosphor is also included such that patches that the community agrees to 18 git ls-files -- \ 21 ':!:meta-arm/**' \ 22 ':!:meta-security/**' \ 23 ':!:meta-raspberrypi/**' \ 24 ':!:meta-openembedded/**' \ 25 ':!:meta-phosphor/**' \ 35 # https://github.com/openbmc/docs/blob/master/meta-layer-guidelines.md [all …]

/openbmc/docs/architecture/
  optionality.md: 3 OpenBMC does its best to be widely applicable to all BMC deployments in the 10 Required for the deployment of _any_ OpenBMC build. Examples of this include the 19 image, or might be done to reduce the security attack surface. These kids of 27 one of these categories. For non-trivial feature additions, the commit message 36 include, Http keep alive, Security features like timeouts and payload size 38 user-facing impact to function, although might do things like improve 41 Requires: Standards conformance, applicability to all flash-size systems, as 44 ### User opt-in features 46 User opt-in features are features for which an external user must explicitly 52 Requires: Explicit, non-default user opt-in to execute the various features. [all …]

/openbmc/phosphor-rest-server/
  README.md: 1 # phosphor-rest-server 3 Phosphor REST server was the original OpenBMC webserver. All of it's features 5 [bmcweb](https://github.com/openbmc/bmcweb), and if you are looking for a 7 Phosphor REST server is not maintained and very likely has security bugs.

/openbmc/phosphor-webui/
  README.md: 1 # OpenBMC Web User Interface 3 phosphor-webui is a Web-based user interface for the OpenBMC firmware stack. 5 [webui-vue repository](https://github.com/openbmc/webui-vue) is a replacement 6 for phosphor-webui. 8 If you haven't switched to webui-vue, it is strongly recommended you do so now. 10 - phosphor-webui uses AngularJS which has gone [End of 12 - phosphor-webui uses the REST D-BUS API which has been [disabled by default in 13 bmcweb](https://github.com/openbmc/bmcweb/commit/47c9e106e0057dd70133d50e928e48cbc68e709a) 14 - webui-vue has many additional features not present in phosphor-webui 15 - Very little active development is happening in phosphor-webui and at a later [all …]

/openbmc/openbmc/meta-phosphor/recipes-extended/pam/
  pam-ipmi_git.bb: 3 HOMEPAGE = "http://github.com/openbmc/pam-ipmi" 4 LICENSE = "Apache-2.0" 11 SRC_URI = "git://github.com/openbmc/pam-ipmi;branch=master;protocol=https" 18 ${base_libdir}/security/ \

/openbmc/openpower-host-ipmi-oem/
  README.md: 3 https://github.com/open-power/op-build 19 - Partial Add 20 - Prepare for host update 21 - BMC Factory Reset 37 repopulated during a host power on. An enhancement to OpenBMC would be to 49 …https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/Common/Factory… 51 …https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/yaml/xyz/openbmc_project/Control/S…