Work in progress
This page tracks development work currently in progress, such as requirements, designs, code, documentation, and tests. Its primary uses are helping testers and developers quickly locate functions, supporting security working group reviews, and providing input to the changelog.
You can help by (a) adding items that matter to you, (b) adding or correcting information, and (c) moving completed items to the Changelog. Links are encouraged:
- To email list.
- To Gerrit code reviews.
- To test plans.
- To OpenBMC organization docs or issues.
Remove unused SetPassword D-Bus method [#security] https://lists.ozlabs.org/pipermail/openbmc/2019-March/015427.html
BMC Secure Boot [#security] https://lists.ozlabs.org/pipermail/openbmc/2019-February/014998.html
Certificate management [#security] https://lists.ozlabs.org/pipermail/openbmc/2019-January/014837.html https://github.com/openbmc/openbmc-test-automation/issues/1501
mTLS HTTP authentication [#security] https://lists.ozlabs.org/pipermail/openbmc/2019-January/014861.html Design: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/22410
CVE-2019-6260 [#security] Tests to validate the hardware configuration. https://lists.ozlabs.org/pipermail/openbmc/2019-January/014963.html
Redfish User Auth [#security] https://lists.ozlabs.org/pipermail/openbmc/2019-February/015237.html Are the authorities correct; is everyone admin? https://github.com/openbmc/bmcweb/issues/62
IPMI Redfish combinations for user management [#security] Test results - https://github.com/openbmc/openbmc-test-automation/issues/1717
IPMI User Management [#security] IPMI Test results - https://github.com/openbmc/openbmc-test-automation/issues/1523
IPMI redesign [#security] https://lists.ozlabs.org/pipermail/openbmc/2019-February/015255.html
Don't offer a default user account or password [#security] https://lists.ozlabs.org/pipermail/openbmc/2019-March/015488.html For IPMI: https://github.com/openbmc/docs/blob/master/user_management.md#deployment---out-of-factory
API authentication [#security] Additional layer of access control. Manufacturer, vendor, or system owner can authorize access to certain APIs which are needed only for extraordinary situations such as manufacturing test or BMC debugging service calls. https://lists.ozlabs.org/pipermail/openbmc/2019-March/015485.html
Backup & restore BMC settings [#security] https://gerrit.openbmc-project.xyz/#/c/openbmc/docs/+/18163
Firmware update over Redfish [#security] https://gerrit.openbmc-project.xyz/#/c/openbmc/docs/+/18186
LDAP config https://gerrit.openbmc-project.xyz/q/LDAP and https://github.com/openbmc/phosphor-user-manager#ldap-configuration Testing: https://github.com/openbmc/openbmc-test-automation/issues/1567
Redfish logging BMCWeb function: https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/19790 Docs in docs/redfish-logging-in-bmcweb.md: https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/20110 Testing: https://github.com/openbmc/openbmc-test-automation/issues/1559
Virtual media https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/16747
Return 404 when URLs are Not Found [#security] https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/21163
Firmware update over TFTP [#security] Allows firmware downloads via TFTP. https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/20700/2/designs/firmware-update-over-redfish.md NOTE: This is opt-in at compile time due to security considerations.
OpenBMC Community Test Specification https://github.com/openbmc/openbmc-test-automation/issues/1769