Re: [isar-cip-core] README.security-testing.md: Add steps to verify CIP security image


Shreyas.Karmahe@...
 

Hi Jan-San,

I have shared the below MR patch request, which covers the documentation steps to verify the IEC Layer Test on the CIP security image, but I am unable to see this request on the mailing list.
Kindly let me know the status of this MR.

Regards,
Shreyas

-----Original Message-----
From: Shreyas.Karmahe@... <Shreyas.Karmahe@...>
Sent: Friday, July 8, 2022 1:21 PM
To: cip-dev@...; jan.kiszka@...
Cc: karmahe shreyas(TSIP TMIEC ODG Porting) <Shreyas.Karmahe@...>; dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: [isar-cip-core] README.security-testing.md: Add steps to verify CIP security image

From: Shreyas Karmahe <Shreyas.Karmahe@...>

This document helps to build cip security image and verify the IEC layer using cip-security-tests[1].

[1] https://gitlab.com/cip-project/cip-testing/cip-security-tests

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
doc/README.security-testing.md | 80 ++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
create mode 100644 doc/README.security-testing.md

diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md new file mode 100644 index 0000000..b29531c
--- /dev/null
+++ b/doc/README.security-testing.md
@@ -0,0 +1,80 @@
+# CIP security testing
+This document explains how to verify basic implementations of [CIP security requirements](https://gitlab.com/cip-project/cip-documents/-/blob/master/security/security_requirements.md) in the isar-cip-core security image using [cip-security-tests](https://gitlab.com/cip-project/cip-testing/cip-security-tests).
+
+# Pre-requisite
+- Necessary debian packages to implement CIP security requirements,
+include them in the recipe
+[cip-core-image-security.bb](recipes-core/images/cip-core-image-securit
+y.bb)
+
+- Pre configurations in the image, should be added in the `postinst`
+script of security-customizations
+[security-customizations/files/postinst](recipes-core/security-customiz
+ations/files/postinst)
+
+- To run `cip-security-tests` the image should need additional package `sshpass` and rootfs size should need atleast 5GB, add the below configuration in kas/opt/security.yml file
+ ```
+ local_conf_header:
+ security_testing: |
+ IMAGE_PREINSTALL_append=" sshpass"
+ ROOTFS_EXTRA="5120"
+ ```
+
+
+# Build CIP security Linux image
+Clone isar-cip-core repository
+```
+host$ git clone
+https://gitlab.com/cip-project/cip-core/isar-cip-core.git
+host$ cd isar-cip-core
+```
+Build Security Linux image by selecting necessary options ``` host$
+./kas-container menu
+ Select QEMU AMD64 (x86-64) as Target Board
+ Select Kernel 5.10.x-cip as Kernel Options
+ Select bullseye (11) as Debian Release
+ Select Flashable image as Image formats
+ Select Security extensions Options
+Save & Build
+```
+# Boot the Linux image
+```
+host$ ./start-qemu.sh x86
+```
+
+# Copy security tests in to the Linux image
+- Clone the cip-security-tests from following URL ``` host$ git clone
+https://gitlab.com/cip-project/cip-testing/cip-security-tests
+```
+- Add test user in Linux image to use while scp the
+`cip-security-tests` ``` image$ adduser test ```
+- Copy `cip-security-tests` to Linux image using scp command ``` host$
+scp -r -P 22222 TCs/ test@....0.1:/home/test/ ```
+
+# Run the test in Linux image
+- Go to following directory and execute IEC Layer test ``` image$ cd
+/home/test/TCs/cip-security-tests/iec-security-tests/singlenode-testcas
+es/
+image$ ./run_all.sh
+```
+`run_all.sh` generates the test result in file `result_file.txt`, and output look like below.
+```
+TC_CR1.1-RE1_1+pass+11
+TC_CR1.11_1+pass+22
+TC_CR1.11_2+pass+30
+TC_CR1.1_1+pass+5
+TC_CR1.1_2+pass+6
+TC_CR1.3_1+pass+7
+TC_CR1.3_2+pass+4
+TC_CR1.3_3+pass+5
+TC_CR1.4_1+pass+7
+TC_CR1.5_2+pass+13
+TC_CR1.5_3+pass+10
+TC_CR1.7-RE1_1+pass+5
+ :
+ .
+[Truncated]
+```
+Each line of the output will have this \<requirement
+number\>+<requirement pass/fail>+\<time took to execute this test
+case\>
+- pass - The security image is meeting this requirement.
+- fail - The security image is failed to met this requirement.
+- skip - The test case not supported by IEC layer.
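Review bot: In "Copy security tests in to the Linux image" the scp step copies `TCs/`, but the clone step just before it creates `cip-security-tests` in the current directory and nothing creates `TCs`, while the run step expects `/home/test/TCs/cip-security-tests/...`; please say explicitly that the clone must be done inside a `TCs/` directory, or change the scp source and the later `cd` path so the three steps agree. The pre-requisite section adds `sshpass` through `IMAGE_PREINSTALL_append` and the copy step creates a password-login `test` user, so the document should state that both exist only for running the tests and are not meant to remain in a deployed security image. In the result description, the format line names only `pass/fail` although `skip` is listed as a third outcome, and `<requirement pass/fail>` is the only placeholder without backslash escapes, so it may not render. The location of `result_file.txt` is not given. Finally, the hunk header declares 80 added lines but 83 `+` lines follow, and several opening fences sit inline with prose (for example `options ``` host$`) while link targets are split across lines (`cip-core-image-securit` / `y.bb`), which suggests the patch was re-wrapped in transit and will not apply; please resend it unwrapped, for example with git send-email.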
--
2.30.2
