Date   

Re: Backporting "net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup"

punit1.agrawal@...
 

Hi Pavel,

Not sure if the email was intended for any specific recipient so my
comments below may not make sense...

Pavel Machek <pavel@ucw.cz> writes:

Hi!

Here's backport of `subj` to 4.19. ip6_dst_lookup_flow() prototype
changed between 4.19 and mainline, files were moved around, and I
could not find some instances to update. Fun!
It would be helpful for readers / reviewers if this was sent following
the same format / guidelines as expected by the stable tree
(Documentation/process/stable-kernel-rules.rst). Especially including
the commit hash so it's easier to lookup the context.

Thanks,
Punit

I did minimal compile testing, I'll need to run it behind gitlab ci;
but... if you are using IPv6 and can test this, it would be nice.

Best regards,
Pavel



diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 46b855a42884..e3c948617c73 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -415,9 +415,9 @@ static int addr6_resolve(struct sockaddr_in6 *src_in,
fl6.saddr = src_in->sin6_addr;
fl6.flowi6_oif = addr->bound_dev_if;
- ret = ipv6_stub->ipv6_dst_lookup(addr->net, NULL, &dst, &fl6);
- if (ret < 0)
- return ret;
+ dst = ipv6_stub->ipv6_dst_lookup_flow(addr->net, NULL, &fl6, NULL);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);
rt = (struct rt6_info *)dst;
if (ipv6_addr_any(&src_in->sin6_addr)) {
diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
index 8094cbaa54a9..95cf4fd69c55 100644
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -154,10 +154,12 @@ static struct dst_entry *rxe_find_route6(struct net_device *ndev,
memcpy(&fl6.daddr, daddr, sizeof(*daddr));
fl6.flowi6_proto = IPPROTO_UDP;
- if (unlikely(ipv6_stub->ipv6_dst_lookup(sock_net(recv_sockets.sk6->sk),
- recv_sockets.sk6->sk, &ndst, &fl6))) {
+ ndst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(recv_sockets.sk6->sk),
+ recv_sockets.sk6->sk, &fl6,
+ NULL);
+ if (unlikely(IS_ERR(ndst))) {
pr_err_ratelimited("no route to %pI6\n", daddr);
- goto put;
+ return NULL;
}
if (unlikely(ndst->error)) {
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 493cd382b8aa..f22f187a91cd 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -796,7 +796,9 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
if (dst)
return dst;
}
- if (ipv6_stub->ipv6_dst_lookup(geneve->net, gs6->sock->sk, &dst, fl6)) {
+ dst = ipv6_stub->ipv6_dst_lookup_flow(geneve->net, gs6->sock->sk, fl6,
+ NULL);
+ if (IS_ERR(dst)) {
netdev_dbg(dev, "no route to %pI6\n", &fl6->daddr);
return ERR_PTR(-ENETUNREACH);
}
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 27bd586b94b0..0b6e899bd02e 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1952,7 +1952,6 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
struct dst_entry *ndst;
struct flowi6 fl6;
- int err;
if (!sock6)
return ERR_PTR(-EIO);
@@ -1975,10 +1974,9 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
fl6.fl6_dport = dport;
fl6.fl6_sport = sport;
- err = ipv6_stub->ipv6_dst_lookup(vxlan->net,
- sock6->sock->sk,
- &ndst, &fl6);
- if (unlikely(err < 0)) {
+ ndst = ipv6_stub->ipv6_dst_lookup_flow(vxlan->net, sock6->sock->sk,
+ &fl6, NULL);
+ if (unlikely(IS_ERR(ndst))) {
netdev_dbg(dev, "no route to %pI6\n", daddr);
return ERR_PTR(-ENETUNREACH);
}
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index 6def0351bcc3..ceb36cce91ee 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -235,9 +235,10 @@ struct ipv6_stub {
const struct in6_addr *addr);
int (*ipv6_sock_mc_drop)(struct sock *sk, int ifindex,
const struct in6_addr *addr);
- int (*ipv6_dst_lookup)(struct net *net, struct sock *sk,
- struct dst_entry **dst, struct flowi6 *fl6);
-
+ struct dst_entry *(*ipv6_dst_lookup_flow)(struct net *net,
+ const struct sock *sk,
+ struct flowi6 *fl6,
+ const struct in6_addr *final_dst);
struct fib6_table *(*fib6_get_table)(struct net *net, u32 id);
struct fib6_info *(*fib6_lookup)(struct net *net, int oif,
struct flowi6 *fl6, int flags);
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index ff33f498c137..035cd7dc3836 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -961,6 +961,13 @@ int ip6_dst_lookup(struct net *net, struct sock *sk, struct dst_entry **dst,
struct flowi6 *fl6);
struct dst_entry *ip6_dst_lookup_flow(const struct sock *sk, struct flowi6 *fl6,
const struct in6_addr *final_dst);
+
+static inline struct dst_entry *ip6_dst_lookup_flow_net(struct net *ign, const struct sock *sk, struct flowi6 *fl6,
+ const struct in6_addr *final_dst)
+{
+ return ip6_dst_lookup_flow(sk, fl6, final_dst);
+}
+
struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
const struct in6_addr *final_dst,
bool connected);
diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
index 5cd0029d930e..fe7f59193bb1 100644
--- a/net/ipv6/addrconf_core.c
+++ b/net/ipv6/addrconf_core.c
@@ -127,11 +127,12 @@ int inet6addr_validator_notifier_call_chain(unsigned long val, void *v)
}
EXPORT_SYMBOL(inet6addr_validator_notifier_call_chain);
-static int eafnosupport_ipv6_dst_lookup(struct net *net, struct sock *u1,
- struct dst_entry **u2,
- struct flowi6 *u3)
+static struct dst_entry *eafnosupport_ipv6_dst_lookup_flow(struct net *net,
+ const struct sock *sk,
+ struct flowi6 *fl6,
+ const struct in6_addr *final_dst)
{
- return -EAFNOSUPPORT;
+ return ERR_PTR(-EAFNOSUPPORT);
}
static struct fib6_table *eafnosupport_fib6_get_table(struct net *net, u32 id)
@@ -169,7 +170,7 @@ eafnosupport_ip6_mtu_from_fib6(struct fib6_info *f6i, struct in6_addr *daddr,
}
const struct ipv6_stub *ipv6_stub __read_mostly = &(struct ipv6_stub) {
- .ipv6_dst_lookup = eafnosupport_ipv6_dst_lookup,
+ .ipv6_dst_lookup_flow = eafnosupport_ipv6_dst_lookup_flow,
.fib6_get_table = eafnosupport_fib6_get_table,
.fib6_table_lookup = eafnosupport_fib6_table_lookup,
.fib6_lookup = eafnosupport_fib6_lookup,
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 9a4261e50272..e44534f22e00 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -889,7 +889,7 @@ static struct pernet_operations inet6_net_ops = {
static const struct ipv6_stub ipv6_stub_impl = {
.ipv6_sock_mc_join = ipv6_sock_mc_join,
.ipv6_sock_mc_drop = ipv6_sock_mc_drop,
- .ipv6_dst_lookup = ip6_dst_lookup,
+ .ipv6_dst_lookup_flow = ip6_dst_lookup_flow_net,
.fib6_get_table = fib6_get_table,
.fib6_table_lookup = fib6_table_lookup,
.fib6_lookup = fib6_lookup,
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 8fbe6cdbe255..e42ef8f835fa 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -618,16 +618,15 @@ static struct net_device *inet6_fib_lookup_dev(struct net *net,
struct net_device *dev;
struct dst_entry *dst;
struct flowi6 fl6;
- int err;
if (!ipv6_stub)
return ERR_PTR(-EAFNOSUPPORT);
memset(&fl6, 0, sizeof(fl6));
memcpy(&fl6.daddr, addr, sizeof(struct in6_addr));
- err = ipv6_stub->ipv6_dst_lookup(net, NULL, &dst, &fl6);
- if (err)
- return ERR_PTR(err);
+ dst = ipv6_stub->ipv6_dst_lookup_flow(net, NULL, &fl6, NULL);
+ if (IS_ERR(dst))
+ return ERR_CAST(dst);
dev = dst->dev;
dev_hold(dev);
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 9783101bc4a9..1ab684a4f565 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -190,6 +190,14 @@ static int tipc_udp_xmit(struct net *net, struct sk_buff *skb,
.saddr = src->ipv6,
.flowi6_proto = IPPROTO_UDP
};
+ ndst = ipv6_stub->ipv6_dst_lookup_flow(net,
+ ub->ubsock->sk,
+ &fl6, NULL);
+ if (IS_ERR(ndst)) {
+ err = PTR_ERR(ndst);
+ goto tx_error;
+ }
+
err = ipv6_stub->ipv6_dst_lookup(net, ub->ubsock->sk, &ndst,
&fl6);
if (err)


Re: I need de0-nano testing for -rt release was Re: 4.19.106-cip21-rt8 problems on de0-nano

Pavel Machek
 

Hi!

Both de0-nano and IPC227E targets are up and running. I have monitored for test jobs on it and those completed successfully.

Thank You!!
There's still something broken with the testing. renesas_shmobile
initially failed (okay after restart), rest failed:

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/126355890

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Backporting "net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup"

Pavel Machek
 

Hi!

Here's backport of `subj` to 4.19. ip6_dst_lookup_flow() prototype
changed between 4.19 and mainline, files were moved around, and I
could not find some instances to update. Fun!

I did minimal compile testing, I'll need to run it behind gitlab ci;
but... if you are using IPv6 and can test this, it would be nice.

Best regards,
Pavel



diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 46b855a42884..e3c948617c73 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -415,9 +415,9 @@ static int addr6_resolve(struct sockaddr_in6 *src_in,
fl6.saddr = src_in->sin6_addr;
fl6.flowi6_oif = addr->bound_dev_if;

- ret = ipv6_stub->ipv6_dst_lookup(addr->net, NULL, &dst, &fl6);
- if (ret < 0)
- return ret;
+ dst = ipv6_stub->ipv6_dst_lookup_flow(addr->net, NULL, &fl6, NULL);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);

rt = (struct rt6_info *)dst;
if (ipv6_addr_any(&src_in->sin6_addr)) {
diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
index 8094cbaa54a9..95cf4fd69c55 100644
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -154,10 +154,12 @@ static struct dst_entry *rxe_find_route6(struct net_device *ndev,
memcpy(&fl6.daddr, daddr, sizeof(*daddr));
fl6.flowi6_proto = IPPROTO_UDP;

- if (unlikely(ipv6_stub->ipv6_dst_lookup(sock_net(recv_sockets.sk6->sk),
- recv_sockets.sk6->sk, &ndst, &fl6))) {
+ ndst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(recv_sockets.sk6->sk),
+ recv_sockets.sk6->sk, &fl6,
+ NULL);
+ if (unlikely(IS_ERR(ndst))) {
pr_err_ratelimited("no route to %pI6\n", daddr);
- goto put;
+ return NULL;
}

if (unlikely(ndst->error)) {
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 493cd382b8aa..f22f187a91cd 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -796,7 +796,9 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
if (dst)
return dst;
}
- if (ipv6_stub->ipv6_dst_lookup(geneve->net, gs6->sock->sk, &dst, fl6)) {
+ dst = ipv6_stub->ipv6_dst_lookup_flow(geneve->net, gs6->sock->sk, fl6,
+ NULL);
+ if (IS_ERR(dst)) {
netdev_dbg(dev, "no route to %pI6\n", &fl6->daddr);
return ERR_PTR(-ENETUNREACH);
}
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 27bd586b94b0..0b6e899bd02e 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1952,7 +1952,6 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
struct dst_entry *ndst;
struct flowi6 fl6;
- int err;

if (!sock6)
return ERR_PTR(-EIO);
@@ -1975,10 +1974,9 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
fl6.fl6_dport = dport;
fl6.fl6_sport = sport;

- err = ipv6_stub->ipv6_dst_lookup(vxlan->net,
- sock6->sock->sk,
- &ndst, &fl6);
- if (unlikely(err < 0)) {
+ ndst = ipv6_stub->ipv6_dst_lookup_flow(vxlan->net, sock6->sock->sk,
+ &fl6, NULL);
+ if (unlikely(IS_ERR(ndst))) {
netdev_dbg(dev, "no route to %pI6\n", daddr);
return ERR_PTR(-ENETUNREACH);
}
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index 6def0351bcc3..ceb36cce91ee 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -235,9 +235,10 @@ struct ipv6_stub {
const struct in6_addr *addr);
int (*ipv6_sock_mc_drop)(struct sock *sk, int ifindex,
const struct in6_addr *addr);
- int (*ipv6_dst_lookup)(struct net *net, struct sock *sk,
- struct dst_entry **dst, struct flowi6 *fl6);
-
+ struct dst_entry *(*ipv6_dst_lookup_flow)(struct net *net,
+ const struct sock *sk,
+ struct flowi6 *fl6,
+ const struct in6_addr *final_dst);
struct fib6_table *(*fib6_get_table)(struct net *net, u32 id);
struct fib6_info *(*fib6_lookup)(struct net *net, int oif,
struct flowi6 *fl6, int flags);
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index ff33f498c137..035cd7dc3836 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -961,6 +961,13 @@ int ip6_dst_lookup(struct net *net, struct sock *sk, struct dst_entry **dst,
struct flowi6 *fl6);
struct dst_entry *ip6_dst_lookup_flow(const struct sock *sk, struct flowi6 *fl6,
const struct in6_addr *final_dst);
+
+static inline struct dst_entry *ip6_dst_lookup_flow_net(struct net *ign, const struct sock *sk, struct flowi6 *fl6,
+ const struct in6_addr *final_dst)
+{
+ return ip6_dst_lookup_flow(sk, fl6, final_dst);
+}
+
struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
const struct in6_addr *final_dst,
bool connected);
diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
index 5cd0029d930e..fe7f59193bb1 100644
--- a/net/ipv6/addrconf_core.c
+++ b/net/ipv6/addrconf_core.c
@@ -127,11 +127,12 @@ int inet6addr_validator_notifier_call_chain(unsigned long val, void *v)
}
EXPORT_SYMBOL(inet6addr_validator_notifier_call_chain);

-static int eafnosupport_ipv6_dst_lookup(struct net *net, struct sock *u1,
- struct dst_entry **u2,
- struct flowi6 *u3)
+static struct dst_entry *eafnosupport_ipv6_dst_lookup_flow(struct net *net,
+ const struct sock *sk,
+ struct flowi6 *fl6,
+ const struct in6_addr *final_dst)
{
- return -EAFNOSUPPORT;
+ return ERR_PTR(-EAFNOSUPPORT);
}

static struct fib6_table *eafnosupport_fib6_get_table(struct net *net, u32 id)
@@ -169,7 +170,7 @@ eafnosupport_ip6_mtu_from_fib6(struct fib6_info *f6i, struct in6_addr *daddr,
}

const struct ipv6_stub *ipv6_stub __read_mostly = &(struct ipv6_stub) {
- .ipv6_dst_lookup = eafnosupport_ipv6_dst_lookup,
+ .ipv6_dst_lookup_flow = eafnosupport_ipv6_dst_lookup_flow,
.fib6_get_table = eafnosupport_fib6_get_table,
.fib6_table_lookup = eafnosupport_fib6_table_lookup,
.fib6_lookup = eafnosupport_fib6_lookup,
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 9a4261e50272..e44534f22e00 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -889,7 +889,7 @@ static struct pernet_operations inet6_net_ops = {
static const struct ipv6_stub ipv6_stub_impl = {
.ipv6_sock_mc_join = ipv6_sock_mc_join,
.ipv6_sock_mc_drop = ipv6_sock_mc_drop,
- .ipv6_dst_lookup = ip6_dst_lookup,
+ .ipv6_dst_lookup_flow = ip6_dst_lookup_flow_net,
.fib6_get_table = fib6_get_table,
.fib6_table_lookup = fib6_table_lookup,
.fib6_lookup = fib6_lookup,
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 8fbe6cdbe255..e42ef8f835fa 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -618,16 +618,15 @@ static struct net_device *inet6_fib_lookup_dev(struct net *net,
struct net_device *dev;
struct dst_entry *dst;
struct flowi6 fl6;
- int err;

if (!ipv6_stub)
return ERR_PTR(-EAFNOSUPPORT);

memset(&fl6, 0, sizeof(fl6));
memcpy(&fl6.daddr, addr, sizeof(struct in6_addr));
- err = ipv6_stub->ipv6_dst_lookup(net, NULL, &dst, &fl6);
- if (err)
- return ERR_PTR(err);
+ dst = ipv6_stub->ipv6_dst_lookup_flow(net, NULL, &fl6, NULL);
+ if (IS_ERR(dst))
+ return ERR_CAST(dst);

dev = dst->dev;
dev_hold(dev);
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 9783101bc4a9..1ab684a4f565 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -190,6 +190,14 @@ static int tipc_udp_xmit(struct net *net, struct sk_buff *skb,
.saddr = src->ipv6,
.flowi6_proto = IPPROTO_UDP
};
+ ndst = ipv6_stub->ipv6_dst_lookup_flow(net,
+ ub->ubsock->sk,
+ &fl6, NULL);
+ if (IS_ERR(ndst)) {
+ err = PTR_ERR(ndst);
+ goto tx_error;
+ }
+
err = ipv6_stub->ipv6_dst_lookup(net, ub->ubsock->sk, &ndst,
&fl6);
if (err)

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


April 6 cutover from Mailman2 to Group.io

Neal Caidin
 

[x-posted]
Dear CIP community,

These Mailman2 email lists will be converted starting on Monday, April 6 and may take up to 24 hours to complete. 

There is no action required on your part. 

Any emails that are sent during the downtime will be queued up and come through when the system is up and running.

Please let me know if you have any questions.

Best regards,
Neal

Neal Caidin
Program Manager, Program Management & Operations
The Linux Foundation
+1 (919) 238-9104 (w/h)
+1 (919) 949-1861 (m)


Re: Package Proposal #1 (Security packages), rev03

punit1.agrawal@...
 

Hi Yoshida-san,

Thanks for the clarifications. Where applicable please include them in
the requirements text and / or comments for the relevant packages for
the next update.

One additional comment below -

Kento Yoshida <kento.yoshida.wz@renesas.com> writes:

[...]

* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
As is, identifier shall be unique, so we need universally unique identifier generator.
Sorry but I don't know what you don't know. This is very simple
requirement.
I understand the requirement for having ’unique account identifier’
(usernames) but using uuidgen to achieve this seems quite impractical.

For reference, I checked the output of uuidgen included in the package -

$ uuidgen
b865c278-4230-4d5a-b7de-0ee528910095

It generates a 37 character long string of what seems like random hex
values. Are you recommending that we have these kind of strings for
usernames?

Thanks,
Punit


-----Original Message-----
From: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Sent: Monday, March 9, 2020 7:31 PM
To: Kento Yoshida <kento.yoshida.wz@renesas.com>
Cc: cip-dev@lists.cip-project.org; cip-security@lists.cip-project.org
Subject: Re: [cip-dev] Package Proposal #1 (Security packages), rev03

Hi,

As mentioned earlier, I had some questions / queries regarding the requirements
for the proposed packages. Sending them here for discussion.

Kento Yoshida <kento.yoshida.wz@renesas.com> writes:

Requirements_for_proposal_SecurityWG_rev03.xlsx: the same file which
I've already sent before to explain the requirement in the standard
* sudo-ldap

Is there a specific requirement to include sudo-ldap in favour of plain sudo? IIUC,
sudo is a minimal dependency version while ldap requires additional packages to
be available.


* openssh

Based on the listed requierments, it is not clear why ftp and ssh clients are needed.
Can you please clarify the requirements' text to motivate inclusion of the client
binaries as well.


* pam-pkcs11
From my understanding, the package enables login using public / private keys.
But the requirements talk about enforcing the strength of passwords -

"A minimum strength of used passwords needs to be enforced."

Possibly a mixup of package and requirements?


* tpm2*

I think libtss2-esys0 is mistakenly included as explicit requirement. It seems to be a
dependency of tpm2-abrmd and will get pulled in automatically as per my
understanding.


* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
---


Thanks,
Punit


Re: Sample image including security packages

Kazuhiro Hayashi
 

Hello Venkata,


Hello Kazu-san,

Thank you for confirming.
Below is the merge request for the same.
https://gitlab.com/zuka0828/isar-cip-core/-/merge_requests/1
Merged. Thank you for quick response.

Best regards,
Kazu


Thanks
Venkata.

-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp]
Sent: 12 March 2020 12:42
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for checking the result.
I confirmed that this variable should not be overwritten in the image recipe.
Could you send MR including this update to https://gitlab.com/zuka0828/isar-cip-core ?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 12, 2020 12:56 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST) <kazuhiro3.hayashi@toshiba.co.jp>;
dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Kazu-san,

I observed 'init' system is not included in the image when append
operator is not used and so booting the image is not successful.

Here is the output of `bitbake -e cip-core-image-security | grep
'IMAGE_PREINSTALL'` when append is not used
----------------------------------------------------------------------
---------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" openssl libssl1.1 fail2ban openssh-server openssh-sftp-server openssh-client
syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables libpam-pkcs11
chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib acl
libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
----------------------------------------------------------------------
---------------------------

Output when append is used
----------------------------------------------------------------------
---------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" init openssl libssl1.1 fail2ban openssh-server openssh-sftp-server
openssh-client syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables
libpam-pkcs11 chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib
acl libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
----------------------------------------------------------------------
---------------------------


Thanks,
Venkata.
-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp
[mailto:kazuhiro3.hayashi@toshiba.co.jp]
Sent: 12 March 2020 05:16
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh
Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example:
https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a
-custom-image-recipe Could you dump the value of `IMAGE_PREINSTALL`
with/without `+` by `bitbake -e` command?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 5, 2020 6:06 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST)
<kazuhiro3.hayashi@toshiba.co.jp>;
dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org;
cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

I have created the image with all proposed security packages included.
applied the below change, and booted the image in QEMU correctly.
-----------------
diff --git a/recipes-core/images/cip-core-image-security.bb
b/recipes-core/images/cip-core-image-security.bb
index 70571f8..b883414 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"

# Debian packages that provide security features # TODO: Add sudo
or sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
+IMAGE_PREINSTALL += " \
openssl libssl1.1 \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
--
-----------------

Thanks
venkata
-----Original Message-----
From: Venkata Seshagiri Pyla
Sent: 02 March 2020 19:38
To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>;
kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org;
cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages
are included in the given source?
If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security
[mailto:cip-security-bounces@lists.cip-project.org]
On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org;
cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed
binaries are included when we create CIP isar based image.
1. Create CIP isar based image from
"https://gitlab.com/zuka0828/isar-cip-core/-/tree/master" for
QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3.
For each security package we compared the binaries
listed on Debian page e.g. for acl package at
(https://packages.debian.org/buster/amd64/acl/filelist)
According to the Debian page there are three binaries which
should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached
list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image,
we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On
Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction:
https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices.
You should not disclose, copy or otherwise use the information
contained in the message or any annexure. Any views expressed in
this e-mail are those of the individual sender except where the
sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the
responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded
Software India Pvt.
Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and
may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices.
You should not disclose, copy or otherwise use the information
contained in the message or any annexure. Any views expressed in
this e-mail are those of the individual sender except where the
sender specifically states them to be the views of Toshiba Software India Pvt. Ltd.
(TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the
responsibility of the recipient to ensure that it is virus free and
no responsibility is accepted by Toshiba Embedded Software India
Pvt. Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and
may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices. You
should not disclose, copy or otherwise use the information contained
in the message or any annexure. Any views expressed in this e-mail are
those of the individual sender except where the sender specifically
states them to be the views of Toshiba Software India Pvt. Ltd.
(TSIP),Bangalore.

Although this transmission and any attachments are believed to be free
of any virus or other defect that might affect any computer system
into which it is received and opened, it is the responsibility of the
recipient to ensure that it is virus free and no responsibility is
accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


Re: Sample image including security packages

Venkata Pyla
 

Hello Kazu-san,

Thank you for confirming.
Below is the merge request for the same.
https://gitlab.com/zuka0828/isar-cip-core/-/merge_requests/1

Thanks
Venkata.

-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp]
Sent: 12 March 2020 12:42
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for checking the result.
I confirmed that this variable should not be overwritten in the image recipe.
Could you send MR including this update to https://gitlab.com/zuka0828/isar-cip-core ?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 12, 2020 12:56 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST) <kazuhiro3.hayashi@toshiba.co.jp>;
dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Kazu-san,

I observed 'init' system is not included in the image when append
operator is not used and so booting the image is not successful.

Here is the output of `bitbake -e cip-core-image-security | grep
'IMAGE_PREINSTALL'` when append is not used
----------------------------------------------------------------------
---------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" openssl libssl1.1 fail2ban openssh-server openssh-sftp-server openssh-client
syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables libpam-pkcs11
chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib acl
libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
----------------------------------------------------------------------
---------------------------

Output when append is used
----------------------------------------------------------------------
---------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" init openssl libssl1.1 fail2ban openssh-server openssh-sftp-server
openssh-client syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables
libpam-pkcs11 chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib
acl libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
----------------------------------------------------------------------
---------------------------


Thanks,
Venkata.
-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp
[mailto:kazuhiro3.hayashi@toshiba.co.jp]
Sent: 12 March 2020 05:16
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh
Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example:
https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a
-custom-image-recipe Could you dump the value of `IMAGE_PREINSTALL`
with/without `+` by `bitbake -e` command?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 5, 2020 6:06 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST)
<kazuhiro3.hayashi@toshiba.co.jp>;
dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org;
cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

I have created the image with all proposed security packages included.
applied the below change, and booted the image in QEMU correctly.
-----------------
diff --git a/recipes-core/images/cip-core-image-security.bb
b/recipes-core/images/cip-core-image-security.bb
index 70571f8..b883414 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"

# Debian packages that provide security features # TODO: Add sudo
or sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
+IMAGE_PREINSTALL += " \
openssl libssl1.1 \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
--
-----------------

Thanks
venkata
-----Original Message-----
From: Venkata Seshagiri Pyla
Sent: 02 March 2020 19:38
To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>;
kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org;
cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages
are included in the given source?
If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security
[mailto:cip-security-bounces@lists.cip-project.org]
On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org;
cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed
binaries are included when we create CIP isar based image.
1. Create CIP isar based image from
"https://gitlab.com/zuka0828/isar-cip-core/-/tree/master" for
QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3.
For each security package we compared the binaries
listed on Debian page e.g. for acl package at
(https://packages.debian.org/buster/amd64/acl/filelist)
According to the Debian page there are three binaries which
should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached
list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image,
we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On
Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction:
https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices.
You should not disclose, copy or otherwise use the information
contained in the message or any annexure. Any views expressed in
this e-mail are those of the individual sender except where the
sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the
responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt.
Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and
may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices.
You should not disclose, copy or otherwise use the information
contained in the message or any annexure. Any views expressed in
this e-mail are those of the individual sender except where the
sender specifically states them to be the views of Toshiba Software India Pvt. Ltd.
(TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the
responsibility of the recipient to ensure that it is virus free and
no responsibility is accepted by Toshiba Embedded Software India
Pvt. Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and
may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices. You
should not disclose, copy or otherwise use the information contained
in the message or any annexure. Any views expressed in this e-mail are
those of the individual sender except where the sender specifically
states them to be the views of Toshiba Software India Pvt. Ltd.
(TSIP),Bangalore.

Although this transmission and any attachments are believed to be free
of any virus or other defect that might affect any computer system
into which it is received and opened, it is the responsibility of the
recipient to ensure that it is virus free and no responsibility is
accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


Re: Sample image including security packages

Kazuhiro Hayashi
 

Hello Venkata,

Thank you for checking the result.
I confirmed that this variable should not be overwritten in the image recipe.
Could you send MR including this update to https://gitlab.com/zuka0828/isar-cip-core ?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 12, 2020 12:56 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST) <kazuhiro3.hayashi@toshiba.co.jp>; dinesh kumar(TSIP DS Company)
<dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Kazu-san,

I observed 'init' system is not included in the image when append operator is not used and so booting the image is not
successful.

Here is the output of `bitbake -e cip-core-image-security | grep 'IMAGE_PREINSTALL'` when append is not used
-------------------------------------------------------------------------------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" openssl libssl1.1 fail2ban openssh-server openssh-sftp-server openssh-client
syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables libpam-pkcs11
chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib acl
libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
-------------------------------------------------------------------------------------------------

Output when append is used
-------------------------------------------------------------------------------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" init openssl libssl1.1 fail2ban openssh-server openssh-sftp-server
openssh-client syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables
libpam-pkcs11 chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib
acl libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
-------------------------------------------------------------------------------------------------


Thanks,
Venkata.
-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp]
Sent: 12 March 2020 05:16
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example: https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 5, 2020 6:06 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST) <kazuhiro3.hayashi@toshiba.co.jp>;
dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

I have created the image with all proposed security packages included.
applied the below change, and booted the image in QEMU correctly.
-----------------
diff --git a/recipes-core/images/cip-core-image-security.bb
b/recipes-core/images/cip-core-image-security.bb
index 70571f8..b883414 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"

# Debian packages that provide security features # TODO: Add sudo or
sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
+IMAGE_PREINSTALL += " \
openssl libssl1.1 \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
--
-----------------

Thanks
venkata
-----Original Message-----
From: Venkata Seshagiri Pyla
Sent: 02 March 2020 19:38
To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>;
kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages
are included in the given source?
If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org]
On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed
binaries are included when we create CIP isar based image.
1. Create CIP isar based image from
"https://gitlab.com/zuka0828/isar-cip-core/-/tree/master" for
QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries
listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
According to the Debian page there are three binaries which
should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached
list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image, we
will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On
Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction:
https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices. You
should not disclose, copy or otherwise use the information contained
in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the
sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be free
of any virus or other defect that might affect any computer system
into which it is received and opened, it is the responsibility of the
recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt.
Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and
may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices. You
should not disclose, copy or otherwise use the information contained
in the message or any annexure. Any views expressed in this e-mail are
those of the individual sender except where the sender specifically
states them to be the views of Toshiba Software India Pvt. Ltd.
(TSIP),Bangalore.

Although this transmission and any attachments are believed to be free
of any virus or other defect that might affect any computer system
into which it is received and opened, it is the responsibility of the
recipient to ensure that it is virus free and no responsibility is
accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


Re: Package Proposal #1 (Security packages), rev03

Kento Yoshida
 

Thank you for your comments, Punit.

I'll reply to your queries, see the followings.

* sudo-ldap

Is there a specific requirement to include sudo-ldap in favour of plain sudo? IIUC,
sudo is a minimal dependency version while ldap requires additional packages to
be available.
We considered and decided to adopt only sudo binary. As the result, sudo source code includes both sudo and sudo-ldap binaries, but we only need sudo.
LDAP is just example in the requirement and will be needed only specific case. At least, nobody in security working group members want that.

* openssh

Based on the listed requierments, it is not clear why ftp and ssh clients are needed.
Can you please clarify the requirements' text to motivate inclusion of the client
binaries as well.
SSH client is needed as just a run-time dependency for SSH server.

* pam-pkcs11

From my understanding, the package enables login using public / private keys.
But the requirements talk about enforcing the strength of passwords -

"A minimum strength of used passwords needs to be enforced."

Possibly a mixup of package and requirements?
Indeed, the package functionality and the requirement do not match.
In addition, pam-pkcs11 is only required for CR 1.7, it's mean "A minimum strength of used passwords needs to be enforced.", so we should consider again whether we need pam-pkcs11 or not.
Thank you for pointing out this.

* tpm2*

I think libtss2-esys0 is mistakenly included as explicit requirement. It seems to be a
dependency of tpm2-abrmd and will get pulled in automatically as per my
understanding.
Yes. libtss2-esys0 is a dependency tpm2-abrmd and tpm2-tools.
But, it is not just a mistake. The TSS and TCTI libraries located in libtss2-esys0 is important to meet the requirement shown in the description for tpm2*.
So, I expressly include libtss2-esys0 as a required binary not just a dependency.

* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
As is, identifier shall be unique, so we need universally unique identifier generator.
Sorry but I don't know what you don't know. This is very simple requirement.

-----Original Message-----
From: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Sent: Monday, March 9, 2020 7:31 PM
To: Kento Yoshida <kento.yoshida.wz@renesas.com>
Cc: cip-dev@lists.cip-project.org; cip-security@lists.cip-project.org
Subject: Re: [cip-dev] Package Proposal #1 (Security packages), rev03

Hi,

As mentioned earlier, I had some questions / queries regarding the requirements
for the proposed packages. Sending them here for discussion.

Kento Yoshida <kento.yoshida.wz@renesas.com> writes:

Requirements_for_proposal_SecurityWG_rev03.xlsx: the same file which
I've already sent before to explain the requirement in the standard
* sudo-ldap

Is there a specific requirement to include sudo-ldap in favour of plain sudo? IIUC,
sudo is a minimal dependency version while ldap requires additional packages to
be available.


* openssh

Based on the listed requierments, it is not clear why ftp and ssh clients are needed.
Can you please clarify the requirements' text to motivate inclusion of the client
binaries as well.


* pam-pkcs11

From my understanding, the package enables login using public / private keys.
But the requirements talk about enforcing the strength of passwords -

"A minimum strength of used passwords needs to be enforced."

Possibly a mixup of package and requirements?


* tpm2*

I think libtss2-esys0 is mistakenly included as explicit requirement. It seems to be a
dependency of tpm2-abrmd and will get pulled in automatically as per my
understanding.


* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
---


Thanks,
Punit


Re: Sample image including security packages

Venkata Pyla
 

Hello Kazu-san,

I observed 'init' system is not included in the image when append operator is not used and so booting the image is not successful.

Here is the output of `bitbake -e cip-core-image-security | grep 'IMAGE_PREINSTALL'` when append is not used
-------------------------------------------------------------------------------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" openssl libssl1.1 fail2ban openssh-server openssh-sftp-server openssh-client syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables libpam-pkcs11 chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib acl libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
-------------------------------------------------------------------------------------------------

Output when append is used
-------------------------------------------------------------------------------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" init openssl libssl1.1 fail2ban openssh-server openssh-sftp-server openssh-client syslog-ng-core syslog-ng-mod-journal aide aide-common libnftables0 nftables libpam-pkcs11 chrony tpm2-tools tpm2-abrmd libtss2-esys0 libtss2-udev libpam-cracklib acl libauparse0 audispd-plugins auditd uuid-runtime vim "
# "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
# " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
-------------------------------------------------------------------------------------------------


Thanks,
Venkata.

-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp]
Sent: 12 March 2020 05:16
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example: https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 5, 2020 6:06 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST) <kazuhiro3.hayashi@toshiba.co.jp>;
dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

I have created the image with all proposed security packages included.
applied the below change, and booted the image in QEMU correctly.
-----------------
diff --git a/recipes-core/images/cip-core-image-security.bb
b/recipes-core/images/cip-core-image-security.bb
index 70571f8..b883414 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"

# Debian packages that provide security features # TODO: Add sudo or
sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
+IMAGE_PREINSTALL += " \
openssl libssl1.1 \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
--
-----------------

Thanks
venkata
-----Original Message-----
From: Venkata Seshagiri Pyla
Sent: 02 March 2020 19:38
To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>;
kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages
are included in the given source?
If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org]
On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed
binaries are included when we create CIP isar based image.
1. Create CIP isar based image from
"https://gitlab.com/zuka0828/isar-cip-core/-/tree/master" for
QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
According to the Debian page there are three binaries which
should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached
list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image,
could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image, we
will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On
Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction:
https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices. You
should not disclose, copy or otherwise use the information contained
in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be free
of any virus or other defect that might affect any computer system
into which it is received and opened, it is the responsibility of the
recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the recipient and
may contain privileged information.
If you are not the intended recipient, please notify the sender and
delete the message along with any attachments/annexure/appendices. You
should not disclose, copy or otherwise use the information contained
in the message or any annexure. Any views expressed in this e-mail are
those of the individual sender except where the sender specifically
states them to be the views of Toshiba Software India Pvt. Ltd.
(TSIP),Bangalore.

Although this transmission and any attachments are believed to be free
of any virus or other defect that might affect any computer system
into which it is received and opened, it is the responsibility of the
recipient to ensure that it is virus free and no responsibility is
accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


Re: How to handle diffs created in -rebase branch

Nobuhiro Iwamatsu
 

# Add cip-dev@lists.cip-project.org to CC
Hi Pavel,

Thanks for your comment.

-----Original Message-----
From: Pavel Machek [mailto:pavel@denx.de]
Sent: Tuesday, March 3, 2020 9:00 PM
To: iwamatsu nobuhiro(岩松 信洋 ○SWC□OST)
<nobuhiro1.iwamatsu@toshiba.co.jp>
Subject: Re: How to handle diffs created in -rebase branch

Hi!

(I believe we should cc cip-dev for this discussion).
Yes, I added cip-dev to CC.


Commit 9c075d325ec23a9bd99b7097f0b82ec04b007093 [1] has this fix
in
v4.4.211, but commit edeed5f910db5962f4ecc097ad6d935a33041ee0 [2]
deletes the file once and commit
5a0d157b6153b462eabd8afcf827877e885336b9 [3] recreated the file.
If we rebase this, since the order of commits is 2, 3, 1 to 1,
2,
3, the above diffs was created.
I believe commit [1] is good, and we should not undo its effects
with other commits. Thus linux-4.4.y-cip is okay, and
linux-4.4.y-cip-rebase should be fixed. One way would be to
cherry-pick 1 into linux-4.4.y-cip-rebase.
I see, but commit [1] was already applied to v4.4.211 by upstream. So
the same commit is apply twice. Is this understanding same your suggest?

1. commit [1] / in v4.4.211
.....
x. commit / release v4.4.213
.....
x + 1. commit [2] / Delete fix by commit [1] / CIP's commit
x + 2. commit [3] / CIP's commit
x + 3. cherry-pick commit [1] <--- your suggest

-rebase branch is a branch that manages commits in the LTS tree and
CIP tree.
So a fix like this one always makes a difference.
I think there are two measures.

1. Ignore differences because it is a branch that manages commits.
2. If a difference occurs, commit to fix it. (Your suggestion)

I think that both are useful, but I want to get consensus with you as
kernel maintainers of CIP.
It is important for me for both branches to end up with same result.
OK.


"If a difference occurs, commit to fix it" is an acceptable solution to
it. But thinking about it some more, there may be even better one.

Central problem is that we delete fixed version of file, then re-create
the file without the fix. We should simply modify the re-creating patch
to create the fixed version.
I understood.


If you want, I can try to do just that; but at the moment, current versions
do not seem to be on kernel.org:

4.4.213-based:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/lo
g/?h=linux-4.4.y-cip
4.4.208-based:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/lo
g/?h=linux-4.4.y-cip-rebase
Yes, we haven't resolved this issue, so I haven't committed to the rebase branch yet.
And, I fixes suggested above.

Current tree:
https://gitlab.com/iwamatsu/linux-cip/-/tree/rebase-check/linux-4.4.y-cip-rebase-base
Cause commit:
https://gitlab.com/iwamatsu/linux-cip/-/commit/5b451956c2c67656f1c6dcb5caa9fd7b9ab75613
- 5b451956c2c6 firmware: Restore support for built-in firmware

Fixed tree:
https://gitlab.com/iwamatsu/linux-cip/-/tree/rebase-check/linux-4.4.y-cip-rebase-fix0
Fixed commit:
https://gitlab.com/iwamatsu/linux-cip/-/commit/d841fec71b9bf4117b9859d7ffba68210160c484
- d841fec71b9b firmware: Restore support for built-in firmware

---
$ git diff rebase-check/linux-4.4.y-cip-rebase-base rebase-check/linux-4.4.y-cip-rebase-fix0
diff --git a/firmware/Makefile b/firmware/Makefile
index fa0808853883..c944cf092926 100644
--- a/firmware/Makefile
+++ b/firmware/Makefile
@@ -18,7 +18,7 @@ quiet_cmd_fwbin = MK_FW $@
PROGBITS=$(if $(CONFIG_ARM),%,@)progbits; \
echo "/* Generated by firmware/Makefile */" > $@;\
echo " .section .rodata" >>$@;\
- echo " .p2align $${ASM_ALIGN}" >>$@;\
+ echo " .p2align 4" >>$@;\
echo "_fw_$${FWSTR}_bin:" >>$@;\
echo " .incbin \"$(2)\"" >>$@;\
echo "_fw_end:" >>$@;\
---

Could you please check and comment on fixed commit?

Best regards,
Nobuhiro


Re: Sample image including security packages

Kazuhiro Hayashi
 

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example: https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?

Best regards,
Kazu

-----Original Message-----
From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
Sent: Thursday, March 5, 2020 6:06 PM
To: hayashi kazuhiro(林 和宏 ○SWC□OST) <kazuhiro3.hayashi@toshiba.co.jp>; dinesh kumar(TSIP DS Company)
<dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

I have created the image with all proposed security packages included.
applied the below change, and booted the image in QEMU correctly.
-----------------
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 70571f8..b883414 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"

# Debian packages that provide security features
# TODO: Add sudo or sudo-ldap which conflict each other
-IMAGE_PREINSTALL = " \
+IMAGE_PREINSTALL += " \
openssl libssl1.1 \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
--
-----------------

Thanks
venkata
-----Original Message-----
From: Venkata Seshagiri Pyla
Sent: 02 March 2020 19:38
To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>; kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages
are included in the given source?
If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org] On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed binaries are included when we create CIP isar based
image.
1. Create CIP isar based image from "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master" for QEMU_x86-64 platform
2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page
e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
According to the Debian page there are three binaries which should be present in the image "/bin/chacl", "/bin/getfacl",
"/bin/setfacl".
Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached list of missing binary packages in current CIP isar
image.

We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages
are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image, we will proceed to next step of verifying applicable
IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient
and may contain privileged information.
If you are not the intended recipient, please notify the sender and delete the message along with any
attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message
or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically
states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be free of any virus or other defect that might affect
any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it
is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising
in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


CIP IRC weekly meeting today

masashi.kudo@...
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=3&day=12&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

US-West US-East UK DE TW JP
02:00 05:00 09:00 10:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/03/cip.2020-03-05-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - Iwamatsu-san
2. Assign the owner of "CIP kernel config" - masashi910
3. Refine statistics figures of Kernel Team contributions to upstream (LTS) - masashi910
4. Strengthen sustainable process to backport patches from Mainline/LTS - TBD
4-1. Workflow for identifying important fixes, backporting, and reviewing them
4-2. Prepare the tools to be used for this workflow
4-3. Get practice in backporting patches
5. Upload a guideline for reference hardware platform addition - masashi910

The following action item was defined at the team call on Feb 27th.
We will work on this when time comes.
x. Explore the possibilities to work on security fixes proactively

* Kernel maintenance updates
* Kernel testing
* CIP Core
* Software update
* AOB
1. Summer Time
US summer time started on March 8. CEST starts on March 29.
This IRC meeting starts at UTC (GMT) 09:00.

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Re: I need de0-nano testing for -rt release was Re: 4.19.106-cip21-rt8 problems on de0-nano

Bhola, Bikram <Bikram_Bhola@...>
 

Hi Jan and All,

Both de0-nano and IPC227E targets are up and running. I have monitored for test jobs on it and those completed successfully.

Thank You!!

Regards,
Bikram

-----Original Message-----
From: Bhola, Bikram
Sent: 10 March 2020 22:20
To: 'Jan Kiszka' <jan.kiszka@siemens.com>; Pavel Machek <pavel@denx.de>; Quirin Gylstorff <quirin.gylstorff@siemens.com>
Cc: cip-dev@lists.cip-project.org
Subject: RE: I need de0-nano testing for -rt release was Re: [cip-dev] 4.19.106-cip21-rt8 problems on de0-nano

Hi Jan and All,,

We are working on it.

Looks like we have a slow network in last few days in our lab that results in rootfs download timeout failure. Time being we need to increase the current timeout from 15 mins to 30 mins for safer side (its failing in between 90% completion). Meantime I am working with our network team to diagnose the slowness.

Thank You!!

Regards,
Bikram

-----Original Message-----
From: Jan Kiszka [mailto:jan.kiszka@siemens.com]
Sent: 10 March 2020 00:23
To: Pavel Machek <pavel@denx.de>; Bhola, Bikram <Bikram_Bhola@mentor.com>; Quirin Gylstorff <quirin.gylstorff@siemens.com>
Cc: cip-dev@lists.cip-project.org
Subject: Re: I need de0-nano testing for -rt release was Re: [cip-dev] 4.19.106-cip21-rt8 problems on de0-nano

On 09.03.20 11:21, Pavel Machek wrote:
Hi!

I pushed candidate for -cip-rt, but it seems to fail on de0-nano
board. Code under testing is at:

https://gitlab.com/cip-project/cip-kernel/linux-cip/tree/ci/pavel
/linux-cip
It is pipeline

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/1227
62401

I'll reuse the branch for more testing.
I managed to narrow the bad commit to the -rt tree, between:

OK 122904930 pick 69aa73357e6a rcu: Don't allow to change
rcu_normal_after_boot on RT pick 849ef8789077 pci/switchtec: fix
stream_open.cocci warnings pick ad8a5e8279c4 sched/core: Drop a
preempt_disable_rt() statement pick 966f066d96cb timers: Redo the
notification of canceling timers on -RT pick 0393fd5a4f9a Revert "futex: Ensure lock/unlock symetry versus pi_lock and hash bucket lock"
pick 84eb0b64a27a Revert "futex: Fix bug on when a requeued RT task times out"
pick fcc893280f4e Revert "rtmutex: Handle the various new futex race conditions"
pick 2eac93cf9d16 Revert "futex: workaround migrate_disable/enable in different context"
pick 9b8964629f4f futex: Make the futex_hash_bucket lock raw pick
cc1812bf198b futex: Delay deallocation of pi_state
pick f5e115c43100 mm/zswap: Do not disable preemption in
zswap_frontswap_store()
pick e0d0d09a08ad revert-aio
pick a0a40bfb4300 fs/aio: simple simple work pick 0fae581d8c5e
revert-thermal pick c0d95b4a8a1b thermal: Defer thermal wakups to
threads pick 700fbb4afb6e revert-block pick 4cda50ff12cf block:
blk-mq: move blk_queue_usage_counter_release() into process context
pick 9e982f55745b workqueue: rework pick c0db53dc3bf4 i2c: exynos5:
Remove IRQF_ONESHOT pick 1f160d170203 i2c: hix5hd2: Remove
IRQF_ONESHOT BAD 122882826 eae5a7cab722 sched/deadline: Ensure
inactive_timer runs in hardirq context
And something went seriously wrong after these tests. I submitted
same tree twice, and got different results.

First this -- de0-nano succeeds:

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122904
930

Now this -- de0-nano fails (and ipc227e is unfinished for long time):

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122959
477

I'll need some help here.
The logs read like the targets are not (always) coming up, e.g.
https://gitlab.com/cip-project/cip-kernel/linux-cip/-/jobs/457824214#
L377
Yes... I don't need that target, but I need de0-nano... and it did not
work last time I checked.
Bikram, could someone on your side check the board status in the Mentor lab? Thanks!


On a related note... it would be good to somehow show difference
between "kernel test failure" and "target failure".

If we see bootloader in the logs, and then test fails/timeouts =>
"kernel test failure", I need to solve it.

If we don't get messages from the bootloader => "target failure",
someone needs to check the power relays or something...
I'm not happy about the parsability of those LAVA logs either, but I have no idea if/how that can be improved best. Maybe Quirin has some idea based on his work with them.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux


Re: I need de0-nano testing for -rt release was Re: 4.19.106-cip21-rt8 problems on de0-nano

Bhola, Bikram <Bikram_Bhola@...>
 

Hi Jan and All,,

We are working on it.

Looks like we have a slow network in last few days in our lab that results in rootfs download timeout failure. Time being we need to increase the current timeout from 15 mins to 30 mins for safer side (its failing in between 90% completion). Meantime I am working with our network team to diagnose the slowness.

Thank You!!

Regards,
Bikram

-----Original Message-----
From: Jan Kiszka [mailto:jan.kiszka@siemens.com]
Sent: 10 March 2020 00:23
To: Pavel Machek <pavel@denx.de>; Bhola, Bikram <Bikram_Bhola@mentor.com>; Quirin Gylstorff <quirin.gylstorff@siemens.com>
Cc: cip-dev@lists.cip-project.org
Subject: Re: I need de0-nano testing for -rt release was Re: [cip-dev] 4.19.106-cip21-rt8 problems on de0-nano

On 09.03.20 11:21, Pavel Machek wrote:
Hi!

I pushed candidate for -cip-rt, but it seems to fail on de0-nano
board. Code under testing is at:

https://gitlab.com/cip-project/cip-kernel/linux-cip/tree/ci/pavel
/linux-cip
It is pipeline

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/1227
62401

I'll reuse the branch for more testing.
I managed to narrow the bad commit to the -rt tree, between:

OK 122904930 pick 69aa73357e6a rcu: Don't allow to change
rcu_normal_after_boot on RT pick 849ef8789077 pci/switchtec: fix
stream_open.cocci warnings pick ad8a5e8279c4 sched/core: Drop a
preempt_disable_rt() statement pick 966f066d96cb timers: Redo the
notification of canceling timers on -RT pick 0393fd5a4f9a Revert "futex: Ensure lock/unlock symetry versus pi_lock and hash bucket lock"
pick 84eb0b64a27a Revert "futex: Fix bug on when a requeued RT task times out"
pick fcc893280f4e Revert "rtmutex: Handle the various new futex race conditions"
pick 2eac93cf9d16 Revert "futex: workaround migrate_disable/enable in different context"
pick 9b8964629f4f futex: Make the futex_hash_bucket lock raw pick
cc1812bf198b futex: Delay deallocation of pi_state
pick f5e115c43100 mm/zswap: Do not disable preemption in
zswap_frontswap_store()
pick e0d0d09a08ad revert-aio
pick a0a40bfb4300 fs/aio: simple simple work pick 0fae581d8c5e
revert-thermal pick c0d95b4a8a1b thermal: Defer thermal wakups to
threads pick 700fbb4afb6e revert-block pick 4cda50ff12cf block:
blk-mq: move blk_queue_usage_counter_release() into process context
pick 9e982f55745b workqueue: rework pick c0db53dc3bf4 i2c: exynos5:
Remove IRQF_ONESHOT pick 1f160d170203 i2c: hix5hd2: Remove
IRQF_ONESHOT BAD 122882826 eae5a7cab722 sched/deadline: Ensure
inactive_timer runs in hardirq context
And something went seriously wrong after these tests. I submitted
same tree twice, and got different results.

First this -- de0-nano succeeds:

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122904
930

Now this -- de0-nano fails (and ipc227e is unfinished for long time):

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122959
477

I'll need some help here.
The logs read like the targets are not (always) coming up, e.g.
https://gitlab.com/cip-project/cip-kernel/linux-cip/-/jobs/457824214#
L377
Yes... I don't need that target, but I need de0-nano... and it did not
work last time I checked.
Bikram, could someone on your side check the board status in the Mentor lab? Thanks!


On a related note... it would be good to somehow show difference
between "kernel test failure" and "target failure".

If we see bootloader in the logs, and then test fails/timeouts =>
"kernel test failure", I need to solve it.

If we don't get messages from the bootloader => "target failure",
someone needs to check the power relays or something...
I'm not happy about the parsability of those LAVA logs either, but I have no idea if/how that can be improved best. Maybe Quirin has some idea based on his work with them.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux


Re: I need de0-nano testing for -rt release was Re: 4.19.106-cip21-rt8 problems on de0-nano

Jan Kiszka
 

On 09.03.20 11:21, Pavel Machek wrote:
Hi!

I pushed candidate for -cip-rt, but it seems to fail on de0-nano
board. Code under testing is at:

https://gitlab.com/cip-project/cip-kernel/linux-cip/tree/ci/pavel/linux-cip
It is pipeline

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122762401

I'll reuse the branch for more testing.
I managed to narrow the bad commit to the -rt tree, between:

OK 122904930 pick 69aa73357e6a rcu: Don't allow to change rcu_normal_after_boot on RT
pick 849ef8789077 pci/switchtec: fix stream_open.cocci warnings
pick ad8a5e8279c4 sched/core: Drop a preempt_disable_rt() statement
pick 966f066d96cb timers: Redo the notification of canceling timers on -RT
pick 0393fd5a4f9a Revert "futex: Ensure lock/unlock symetry versus pi_lock and hash bucket lock"
pick 84eb0b64a27a Revert "futex: Fix bug on when a requeued RT task times out"
pick fcc893280f4e Revert "rtmutex: Handle the various new futex race conditions"
pick 2eac93cf9d16 Revert "futex: workaround migrate_disable/enable in different context"
pick 9b8964629f4f futex: Make the futex_hash_bucket lock raw
pick cc1812bf198b futex: Delay deallocation of pi_state
pick f5e115c43100 mm/zswap: Do not disable preemption in zswap_frontswap_store()
pick e0d0d09a08ad revert-aio
pick a0a40bfb4300 fs/aio: simple simple work
pick 0fae581d8c5e revert-thermal
pick c0d95b4a8a1b thermal: Defer thermal wakups to threads
pick 700fbb4afb6e revert-block
pick 4cda50ff12cf block: blk-mq: move blk_queue_usage_counter_release() into process context
pick 9e982f55745b workqueue: rework
pick c0db53dc3bf4 i2c: exynos5: Remove IRQF_ONESHOT
pick 1f160d170203 i2c: hix5hd2: Remove IRQF_ONESHOT
BAD 122882826 eae5a7cab722 sched/deadline: Ensure inactive_timer runs in hardirq context
And something went seriously wrong after these tests. I submitted same
tree twice, and got different results.

First this -- de0-nano succeeds:

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122904930

Now this -- de0-nano fails (and ipc227e is unfinished for long time):

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122959477

I'll need some help here.
The logs read like the targets are not (always) coming up, e.g.
https://gitlab.com/cip-project/cip-kernel/linux-cip/-/jobs/457824214#L377
Yes... I don't need that target, but I need de0-nano... and it did not
work last time I checked.
Bikram, could someone on your side check the board status in the Mentor lab? Thanks!

On a related note... it would be good to somehow show difference
between "kernel test failure" and "target failure".
If we see bootloader in the logs, and then test fails/timeouts =>
"kernel test failure", I need to solve it.
If we don't get messages from the bootloader => "target failure",
someone needs to check the power relays or something...
I'm not happy about the parsability of those LAVA logs either, but I have no idea if/how that can be improved best. Maybe Quirin has some idea based on his work with them.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Re: Package Proposal #1 (Security packages), rev03

punit1.agrawal@...
 

Hi,

As mentioned earlier, I had some questions / queries regarding the
requirements for the proposed packages. Sending them here for
discussion.

Kento Yoshida <kento.yoshida.wz@renesas.com> writes:

Requirements_for_proposal_SecurityWG_rev03.xlsx: the same file which I've already sent before to explain the requirement in the standard
* sudo-ldap

Is there a specific requirement to include sudo-ldap in favour of plain
sudo? IIUC, sudo is a minimal dependency version while ldap requires
additional packages to be available.


* openssh

Based on the listed requierments, it is not clear why ftp and ssh
clients are needed. Can you please clarify the requirements' text to
motivate inclusion of the client binaries as well.


* pam-pkcs11

From my understanding, the package enables login using public / private
keys. But the requirements talk about enforcing the strength of
passwords -

"A minimum strength of used passwords needs to be enforced."

Possibly a mixup of package and requirements?


* tpm2*

I think libtss2-esys0 is mistakenly included as explicit requirement. It
seems to be a dependency of tpm2-abrmd and will get pulled in
automatically as per my understanding.


* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
---


Thanks,
Punit


I need de0-nano testing for -rt release was Re: 4.19.106-cip21-rt8 problems on de0-nano

Pavel Machek
 

Hi!

I pushed candidate for -cip-rt, but it seems to fail on de0-nano
board. Code under testing is at:

https://gitlab.com/cip-project/cip-kernel/linux-cip/tree/ci/pavel/linux-cip
It is pipeline

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122762401

I'll reuse the branch for more testing.
I managed to narrow the bad commit to the -rt tree, between:

OK 122904930 pick 69aa73357e6a rcu: Don't allow to change rcu_normal_after_boot on RT
pick 849ef8789077 pci/switchtec: fix stream_open.cocci warnings
pick ad8a5e8279c4 sched/core: Drop a preempt_disable_rt() statement
pick 966f066d96cb timers: Redo the notification of canceling timers on -RT
pick 0393fd5a4f9a Revert "futex: Ensure lock/unlock symetry versus pi_lock and hash bucket lock"
pick 84eb0b64a27a Revert "futex: Fix bug on when a requeued RT task times out"
pick fcc893280f4e Revert "rtmutex: Handle the various new futex race conditions"
pick 2eac93cf9d16 Revert "futex: workaround migrate_disable/enable in different context"
pick 9b8964629f4f futex: Make the futex_hash_bucket lock raw
pick cc1812bf198b futex: Delay deallocation of pi_state
pick f5e115c43100 mm/zswap: Do not disable preemption in zswap_frontswap_store()
pick e0d0d09a08ad revert-aio
pick a0a40bfb4300 fs/aio: simple simple work
pick 0fae581d8c5e revert-thermal
pick c0d95b4a8a1b thermal: Defer thermal wakups to threads
pick 700fbb4afb6e revert-block
pick 4cda50ff12cf block: blk-mq: move blk_queue_usage_counter_release() into process context
pick 9e982f55745b workqueue: rework
pick c0db53dc3bf4 i2c: exynos5: Remove IRQF_ONESHOT
pick 1f160d170203 i2c: hix5hd2: Remove IRQF_ONESHOT
BAD 122882826 eae5a7cab722 sched/deadline: Ensure inactive_timer runs in hardirq context
And something went seriously wrong after these tests. I submitted same
tree twice, and got different results.

First this -- de0-nano succeeds:

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122904930

Now this -- de0-nano fails (and ipc227e is unfinished for long time):

https://gitlab.com/cip-project/cip-kernel/linux-cip/pipelines/122959477

I'll need some help here.
The logs read like the targets are not (always) coming up, e.g.
https://gitlab.com/cip-project/cip-kernel/linux-cip/-/jobs/457824214#L377
Yes... I don't need that target, but I need de0-nano... and it did not
work last time I checked.

On a related note... it would be good to somehow show difference
between "kernel test failure" and "target failure".

If we see bootloader in the logs, and then test fails/timeouts =>
"kernel test failure", I need to solve it.

If we don't get messages from the bootloader => "target failure",
someone needs to check the power relays or something...

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Linux-cip: Kselftest plans

Vijai Kumar K
 

Hi All,

Is kselftest maintained in the cip-kernel tree? I do see some
branch[1] maintained by Nobuhiro-san for kselftest, but it's out of
5.6 linux tree.

The reason being to gather collective thoughts about the plan for
kselftest based tests for cip kernel. Are there any existing or future
plans for using kselftest for testing cip kernels? If so are we going
to use the latest tree from upstream or plan to fix/backport test
cases to current cip kernel versions?

[1] https://gitlab.com/cip-project/cip-kernel/linux-cip/-/tree/ci/iwamatsu/linux-cip-kselftest

Thanks,
Vijai Kumar K


Re: Sample image including security packages

Venkata Pyla
 

Hi Kazu-san and Dinesh,

I have created the image with all proposed security packages included.
applied the below change, and booted the image in QEMU correctly.
-----------------
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 70571f8..b883414 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"

# Debian packages that provide security features
# TODO: Add sudo or sudo-ldap which conflict each other
-IMAGE_PREINSTALL = " \
+IMAGE_PREINSTALL += " \
openssl libssl1.1 \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
--
-----------------

Thanks
venkata

-----Original Message-----
From: Venkata Seshagiri Pyla
Sent: 02 March 2020 19:38
To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>; kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org] On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed binaries are included when we create CIP isar based image.
1. Create CIP isar based image from "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master" for QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
According to the Debian page there are three binaries which should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image, we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

2521 - 2540 of 7020