[yocto-security] Default dropbear ciphers should disallow SHA1
Joseph Reynolds
jrey at linux.ibm.com
Thu Jun 20 09:28:33 PDT 2019
On 2019-05-14 10:41, Joseph Reynolds wrote:
> On 2019-05-11 06:02, richard.purdie at linuxfoundation.org wrote:
>> On Wed, 2019-05-08 at 13:18 -0500, Joseph Reynolds wrote:
>>> Richard and Bernhard,
>>>
>>> Thanks for your response. I am glad we are having this discussion.
>>>
>>>
>>> To be clear about my purpose:
>>> The OpenBMC project has decided to remove all uses of DH group1 and
>>> SHA1
>>> in KEX and MAC and encryption ciphers because we have security
>>> conscious
>>> users. My question is if (a) OpenBMC carries that patch, or (b)
>>> Yocto/poky or dropbear carries the patch (which means OpenBMC gets
>>> that
>>> change from its upstream projects). I just want that answer so I
>>> know
>>> where to target this patch (and I understand it's a complicated
>>> question).
>>
>> I was asking some questions as we need data to make this decision. I
>> think right now the approach which would work best for everyone would
>> be to add the patch to OE-Core but making the configuration
>> conditional
>> on a PACKAGECONFIG to control it. We may or may not decide to do this
>> by default, that discussion needs to happen on the OE-Core mailing
>> list
>> through normal patch review.
>>
>> Does that give us a way forward?
>
> That works for me and sounds like the right approach. To clarify: The
> dropbear package would have a new PACKAGECONFIG feature like
> "disable-weak-ciphers" which, when enabled, would patch dropbear's
> config file.
>
> Who wants to make the patch? :-)
I made the patch and attempted to send it to
openembedded-core at lists.openembedded.org.
However, I am a Linux patch sendmail noob.
I guess the right place to discuss the patch is on the email list. Here
are some points:
- I've enabled disable-weak-ciphers by default.
- All CBC, SHA1, and DH group1 ciphers are disabled.
- I have weak Bitbake skills, and I am happy to tweak the recipe.
- I didn't give a way to version the dropbear patch file. If the
dropbear default_options.h file doesn't change, the patch file will
continue to work. When dropbear default_options.h changes, the patch
may fail. The idea is: if dropbear defaults change in a way that breaks
us, we'll want to investigate the new settings.
- Joseph
> FYA, my timeline for this is early July 2019 the OpenBMC project
> branches its 2.7 release. At that time, we would pick up either this
> config feature, or (if that feature is not ready) do our own patch.
>
> - Joseph
>
>
>> Cheers,
>>
>> Richard