Date   

CIP IRC weekly meeting today

masashi.kudo@cybertrust.co.jp
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=9&day=24&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt - masashi910

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Re: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

Venkata Pyla
 

On Fri, Sep 18, 2020 at 10:23 AM, Venkata Pyla wrote:
Hi Daniel-san,

I have created the merge request for all the security layer changes including your suggestions.
Kindly review and letme know if you have any more suggestions.

Thanks
venkata.


Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?

masashi.kudo@cybertrust.co.jp
 

Hi, Jan-san,

Thanks for your quick response!

Is that the only config in our repo carrying rbd/ceph? The we should likely drop
that, to be clear also in the future.
When we discussed at the IRC, the config carrying rbd/ceph is only 4.4-rt x86.

So, I understood that the backporting is not required.

Best regards,
--
M. Kudo

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: Saturday, September 19, 2020 2:36 AM
To: 工藤 雅司(CTJ OSS事業推進室) <masashi.kudo@cybertrust.co.jp>;
cip-dev@lists.cip-project.org
Subject: Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?

On 18.09.20 15:58, masashi.kudo@cybertrust.co.jp wrote:
Hi, Jan-san, Siemens team,

There was some query to Siemens about the need of CVE-2020-25284
backporting.

- CVE-2020-25284 is in rbd ( Ceph block device ).
- it is only fixed for v4.19 and later stable kernels
- Siemens has this built as a module in their 4.4-rt x86 config, but
not their 4.19 one

So the question from the Kernel Team is whether Siemens needs its backporting
to 4.4-rt or not.
Not to my best knowledge. This is very likely an accidental choice.

Is that the only config in our repo carrying rbd/ceph? The we should likely drop
that, to be clear also in the future.

Jan

Please take a look about the discussion at the IRC meeting yesterday.

https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00
.log.html

Best regards,
--
M. Kudo
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence
Center Embedded Linux


Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?

Jan Kiszka
 

On 18.09.20 15:58, masashi.kudo@cybertrust.co.jp wrote:
Hi, Jan-san, Siemens team,
There was some query to Siemens about the need of CVE-2020-25284 backporting.
- CVE-2020-25284 is in rbd ( Ceph block device ).
- it is only fixed for v4.19 and later stable kernels
- Siemens has this built as a module in their 4.4-rt x86 config, but not their 4.19 one
So the question from the Kernel Team is whether Siemens needs its backporting to 4.4-rt or not.
Not to my best knowledge. This is very likely an accidental choice.

Is that the only config in our repo carrying rbd/ceph? The we should likely drop that, to be clear also in the future.

Jan

Please take a look about the discussion at the IRC meeting yesterday.
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html
Best regards,
--
M. Kudo
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Is CVE-2020-25284 backporting needed for 4.4-rt x86?

masashi.kudo@cybertrust.co.jp
 

Hi, Jan-san, Siemens team,

There was some query to Siemens about the need of CVE-2020-25284 backporting.

- CVE-2020-25284 is in rbd ( Ceph block device ).
- it is only fixed for v4.19 and later stable kernels
- Siemens has this built as a module in their 4.4-rt x86 config, but not their 4.19 one

So the question from the Kernel Team is whether Siemens needs its backporting to 4.4-rt or not.

Please take a look about the discussion at the IRC meeting yesterday.

https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html

Best regards,
--
M. Kudo


Re: [isar-cip-core][PATCH] classes/image_uuid: Generate new uuid if a new package is added

Jan Kiszka
 

On 18.09.20 10:04, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
BB_BASEHASH only includes the task itself and its metadata.
Dependencies are not taken into account when this hash is
generated which means updating a package will not generate a new
UUID.
BB_TASKHASH takes the changes into account.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/image_uuid.bbclass | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
index d5337b8..873abc5 100644
--- a/classes/image_uuid.bbclass
+++ b/classes/image_uuid.bbclass
@@ -9,23 +9,23 @@
# SPDX-License-Identifier: MIT
#
-def generate_image_uuid(d):
- import uuid
+IMAGE_UUID ?= "random"
Why not using an undefined or empty IMAGE_UUID as "generate me one" indication?

- base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True)
- if base_hash is None:
- return None
- return str(uuid.UUID(base_hash[:32], version=4))
-
-IMAGE_UUID ?= "${@generate_image_uuid(d)}"
+IMAGE_UUID_NAMESPACE = "6090f47e-b068-475c-b125-7be7c24cdd4e"
Is that namespace random, or does that have specific meaning?

do_generate_image_uuid[vardeps] += "IMAGE_UUID"
do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+IMAGER_INSTALL += "uuid-runtime"
Please separate variable for job definitions be a blank line. Also the job specifications above should be visually separated from the code below that way. IOW:

IMAGER_INSTALL += "uuid-runtime"

do_generate_image_uuid[vardeps] += "IMAGE_UUID"
do_generate_image_uuid[depends] = "buildchroot-target:do_build"

do_generate_image_uuid() {

do_generate_image_uuid() {
+ image_do_mounts
+ if [ "${IMAGE_UUID}" != "random" ]; then
+ IMAGE_UUID_FINAL="${IMAGE_UUID}"
+ else
+ IMAGE_UUID_FINAL="$(sudo -E chroot ${BUILDCHROOT_DIR} uuidgen -s -n "${IMAGE_UUID_NAMESPACE}" -N "${BB_TASKHASH}")"
Why do we need to switch to uuidgen from the buildchroot, rather than using python's uuid?

And what ensures that uuidgen is available there?

+ fi
sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
- echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+ echo "IMAGE_UUID=\"${IMAGE_UUID_FINAL}\"" | \
sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
- image_do_mounts
# update initramfs to add uuid
sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


[isar-cip-core][PATCH] classes/image_uuid: Generate new uuid if a new package is added

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

BB_BASEHASH only includes the task itself and its metadata.
Dependencies are not taken into account when this hash is
generated which means updating a package will not generate a new
UUID.

BB_TASKHASH takes the changes into account.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/image_uuid.bbclass | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
index d5337b8..873abc5 100644
--- a/classes/image_uuid.bbclass
+++ b/classes/image_uuid.bbclass
@@ -9,23 +9,23 @@
# SPDX-License-Identifier: MIT
#

-def generate_image_uuid(d):
- import uuid
+IMAGE_UUID ?= "random"

- base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True)
- if base_hash is None:
- return None
- return str(uuid.UUID(base_hash[:32], version=4))
-
-IMAGE_UUID ?= "${@generate_image_uuid(d)}"
+IMAGE_UUID_NAMESPACE = "6090f47e-b068-475c-b125-7be7c24cdd4e"

do_generate_image_uuid[vardeps] += "IMAGE_UUID"
do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+IMAGER_INSTALL += "uuid-runtime"
do_generate_image_uuid() {
+ image_do_mounts
+ if [ "${IMAGE_UUID}" != "random" ]; then
+ IMAGE_UUID_FINAL="${IMAGE_UUID}"
+ else
+ IMAGE_UUID_FINAL="$(sudo -E chroot ${BUILDCHROOT_DIR} uuidgen -s -n "${IMAGE_UUID_NAMESPACE}" -N "${BB_TASKHASH}")"
+ fi
sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
- echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+ echo "IMAGE_UUID=\"${IMAGE_UUID_FINAL}\"" | \
sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
- image_do_mounts

# update initramfs to add uuid
sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
--
2.20.1


Re: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

Venkata Pyla
 

HI Daniel-san,

Thank you for your feedback.

sorry for spell checks issues in the commits, I will correct it and send another merge request.
Also I will apply other security configuration suggestions.

Thanks
Venkata.

-----Original Message-----
From: daniel.sangorrin@toshiba.co.jp <daniel.sangorrin@toshiba.co.jp>
Sent: 17 September 2020 08:32
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>
Cc: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: RE: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT)
<daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>;
cip-dev@lists.cip-project.org
Subject: [cip-core:deby 2/3] security-configuration: apply security
polcies using package bbappend

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

add package bbappaned files in the security layer that will apply
bbappend

the security configurations like
e.g: Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.
Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39
+++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644
meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644
meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644
meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644
meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
Ideally, you would separate the patches for each file unless they have something in common.

diff --git
a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
b/meta-cip-security/recipes- debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020 # #
+SPDX-License-Identifier: MIT #
+
+DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

+
+pkg_postinst_audit_append() {
+ # CR2.9: Audit storage capacity
+ # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+ AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+ sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+ sed -i 's/admin_space_left_action = .*/admin_space_left_action =
+SYSLOG/' $AUDIT_CONF_FILE
Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

+
+ # CR2.10: Response to audit processing failures
+ sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/'
+$AUDIT_CONF_FILE }
Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

diff --git
a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappe
nd b/meta-cip-security/recipes-debian/base-
files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bb
+++ append
@@ -0,0 +1,3 @@
+do_install_append() {
+ echo "${MACHINE}" > ${D}${sysconfdir}/hostname }
Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

diff --git
a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
b/meta-cip-security/recipes- debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020 # #
+SPDX-License-Identifier: MIT #
+
+DESCRIPTION = "CIP Security customizations"
Same as before, append "for openssh". The description for different things should be different.

+
+pkg_postinst_${PN}_append() {
+ # CR2.6: Remote session termination
+ # Terminate remote session after inactive time period
+ SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+ alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+ alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+ sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+ sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

+}
diff --git
a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
b/meta-cip-security/recipes- debian/pam/libpam_debian.bbappend new
file mode 100644 index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020 # #
+SPDX-License-Identifier: MIT #
+
+DESCRIPTION = "CIP Security customizations"
Same thing: "for libpam"

+
+pkg_postinst_pam-plugin-cracklib_append() {
+ # CR1.7: Strength of password-based authentication
+ # Pam configuration to enforce password strength
+ PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+ CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+ if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+ fi
+ sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
Perhaps set minlen configurable.

+
+pkg_postinst_pam-plugin-tally2_append() {
+ # CR1.11: Unsuccessful login attempts
+ # Lock user account after unsuccessful login attempts
+ PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+ pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+ if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+ fi
+ sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+ # CR2.7: Concurrent session control
+ # Limit the concurrent login sessions
+ LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+ echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} }
Thanks,
Daniel
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


Re: CIP IRC weekly meeting today

Akihiro Suzuki
 

Hi Kudo-san,

Sorry, I will be absent today's IRC meeting because I've got a plan already today.
SW Updates WG don't have any updates this week.

Thanks,
Suzuki

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On
Behalf Of masashi.kudo@cybertrust.co.jp
Sent: Thursday, September 17, 2020 10:21 AM
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] CIP IRC weekly meeting today

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00
starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&
month=9&day=17&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=
37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-10-09.00.log.
html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Post LTP results to KernelCI - patersonc

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

Since there will be another meeting at 9:30GMT, the meeting will take less than
30 min today.
If some topics may take long, they will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Re: [cip-core:deby 3/3] aide-static: enable aide to build statically

Daniel Sangorrin
 

Thanks, it looks good.
Perhaps you can write in the commit id what is the effect in size compared to not using static compilation.
Please send me a merge request

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: [cip-core:deby 3/3] aide-static: enable aide to build statically

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

To build aide statically, its dependencies also compile staticalliy, so all aide dependent library packages enabled static compiling in an
include file and added to the layer configuration.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++
meta-cip-security/conf/layer.conf | 2 ++
2 files changed, 12 insertions(+)
create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc

diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc
new file mode 100644
index 0000000..1dc4374
--- /dev/null
+++ b/meta-cip-security/conf/include/aide-static-libs.inc
@@ -0,0 +1,10 @@
+DISABLE_STATIC ?= " --disable-static"
+
+# aide dependencies to build statically DISABLE_STATIC_pn-aide = " "
+DISABLE_STATIC_pn-libgpg-error = " "
+DISABLE_STATIC_pn-libmhash = " "
+DISABLE_STATIC_pn-attr = " "
+DISABLE_STATIC_pn-acl = " "
+DISABLE_STATIC_pn-libpcre = " "
+EXTRA_OECONF_append_pn-aide = " --without-audit"
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
index b015436..158d75c 100644
--- a/meta-cip-security/conf/layer.conf
+++ b/meta-cip-security/conf/layer.conf
@@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1"
LAYERDEPENDS_cip-security = "debian"

LAYERSERIES_COMPAT_cip-security = "warrior"
+
+require conf/include/aide-static-libs.inc
--
2.27.0.windows.1

The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may
contain privileged information.
If you are not the intended recipient, please notify the sender and delete the message along with any
attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any
annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be
the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is
accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.


Re: [cip-core:deby 1/3] cip-security: Create new layer for cip security

Daniel Sangorrin
 

Thanks, it looks good
Please send me a merge request

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: [cip-core:deby 1/3] cip-security: Create new layer for cip security

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This layer enables security packages and default configurations
required to evaluate IEC62443-4-2 assessment

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
README.md | 5 +++++
kas/opt/security.yml | 32 +++++++++++++++++++++++++++++++
meta-cip-security/conf/layer.conf | 18 +++++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 kas/opt/security.yml
create mode 100644 meta-cip-security/conf/layer.conf

diff --git a/README.md b/README.md
index f90e040..f59dd0c 100644
--- a/README.md
+++ b/README.md
@@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m

$ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml

+Create Security image for QEMU x86-64
+-------------------------------------
+
+ $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml
+
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
new file mode 100644
index 0000000..e84290c
--- /dev/null
+++ b/kas/opt/security.yml
@@ -0,0 +1,32 @@
+#
+# CIP Core tiny profile with Security
+# packages and configuration
+#
+# Copyright (c) 2019 TOSHIBA Corp.
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+repos:
+ meta-cip-security:
+ layers:
+ meta-cip-security:
+
+local_conf_header:
+ security: |
+ DISTRO_FEATURES_append += " pam"
+ CORE_IMAGE_EXTRA_INSTALL += " \
+ aide aide-common \
+ openssl openssl-bin \
+ openssh openssh-misc \
+ chrony chronyc \
+ libpam pam-plugin-cracklib pam-plugin-tally2 \
+ syslog-ng \
+ acl \
+ sudo \
+ auditd \
+ util-linux \
+ "
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
new file mode 100644
index 0000000..b015436
--- /dev/null
+++ b/meta-cip-security/conf/layer.conf
@@ -0,0 +1,18 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "cip-security"
+BBFILE_PATTERN_cip-security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_cip-security = "11"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_cip-security = "1"
+
+LAYERDEPENDS_cip-security = "debian"
+
+LAYERSERIES_COMPAT_cip-security = "warrior"
--
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


Re: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

Daniel Sangorrin
 

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

add package bbappaned files in the security layer that will apply
bbappend

the security configurations like
e.g: Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.
Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
Ideally, you would separate the patches for each file unless they have something in common.

diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-
debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

+
+pkg_postinst_audit_append() {
+ # CR2.9: Audit storage capacity
+ # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+ AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+ sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

+
+ # CR2.10: Response to audit processing failures
+ sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+}
Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-
files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
@@ -0,0 +1,3 @@
+do_install_append() {
+ echo "${MACHINE}" > ${D}${sysconfdir}/hostname
+}
Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-
debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Same as before, append "for openssh". The description for different things should be different.

+
+pkg_postinst_${PN}_append() {
+ # CR2.6: Remote session termination
+ # Terminate remote session after inactive time period
+ SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+ alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+ alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+ sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+ sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

+}
diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-
debian/pam/libpam_debian.bbappend
new file mode 100644
index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Same thing: "for libpam"

+
+pkg_postinst_pam-plugin-cracklib_append() {
+ # CR1.7: Strength of password-based authentication
+ # Pam configuration to enforce password strength
+ PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+ CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+ if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+ fi
+ sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
Perhaps set minlen configurable.

+
+pkg_postinst_pam-plugin-tally2_append() {
+ # CR1.11: Unsuccessful login attempts
+ # Lock user account after unsuccessful login attempts
+ PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+ pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+ if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+ fi
+ sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+ # CR2.7: Concurrent session control
+ # Limit the concurrent login sessions
+ LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+ echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+}
Thanks,
Daniel


CIP IRC weekly meeting today

masashi.kudo@cybertrust.co.jp
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=9&day=17&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-10-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Post LTP results to KernelCI - patersonc

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

Since there will be another meeting at 9:30GMT, the meeting will take less than 30 min today.
If some topics may take long, they will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


[cip-core:deby 3/3] aide-static: enable aide to build statically

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

To build aide statically, its dependencies also compile staticalliy,
so all aide dependent library packages enabled static compiling in
an include file and added to the layer configuration.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++
meta-cip-security/conf/layer.conf | 2 ++
2 files changed, 12 insertions(+)
create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc

diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc
new file mode 100644
index 0000000..1dc4374
--- /dev/null
+++ b/meta-cip-security/conf/include/aide-static-libs.inc
@@ -0,0 +1,10 @@
+DISABLE_STATIC ?= " --disable-static"
+
+# aide dependencies to build statically
+DISABLE_STATIC_pn-aide = " "
+DISABLE_STATIC_pn-libgpg-error = " "
+DISABLE_STATIC_pn-libmhash = " "
+DISABLE_STATIC_pn-attr = " "
+DISABLE_STATIC_pn-acl = " "
+DISABLE_STATIC_pn-libpcre = " "
+EXTRA_OECONF_append_pn-aide = " --without-audit"
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
index b015436..158d75c 100644
--- a/meta-cip-security/conf/layer.conf
+++ b/meta-cip-security/conf/layer.conf
@@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1"
LAYERDEPENDS_cip-security = "debian"

LAYERSERIES_COMPAT_cip-security = "warrior"
+
+require conf/include/aide-static-libs.inc
--
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

add package bbappaned files in the security layer that will apply
the security configurations like
e.g: Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_audit_append() {
+ # CR2.9: Audit storage capacity
+ # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+ AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+ sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+
+ # CR2.10: Response to audit processing failures
+ sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+}
diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
@@ -0,0 +1,3 @@
+do_install_append() {
+ echo "${MACHINE}" > ${D}${sysconfdir}/hostname
+}
diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_${PN}_append() {
+ # CR2.6: Remote session termination
+ # Terminate remote session after inactive time period
+ SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+ alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+ alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+ sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+ sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
+}
diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
new file mode 100644
index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_pam-plugin-cracklib_append() {
+ # CR1.7: Strength of password-based authentication
+ # Pam configuration to enforce password strength
+ PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+ CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+ if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+ fi
+ sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
+
+pkg_postinst_pam-plugin-tally2_append() {
+ # CR1.11: Unsuccessful login attempts
+ # Lock user account after unsuccessful login attempts
+ PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+ pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+ if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+ fi
+ sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+ # CR2.7: Concurrent session control
+ # Limit the concurrent login sessions
+ LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+ echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+}
--
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[cip-core:deby 1/3] cip-security: Create new layer for cip security

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This layer enables security packages and default configurations
required to evaluate IEC62443-4-2 assessment

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
README.md | 5 +++++
kas/opt/security.yml | 32 +++++++++++++++++++++++++++++++
meta-cip-security/conf/layer.conf | 18 +++++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 kas/opt/security.yml
create mode 100644 meta-cip-security/conf/layer.conf

diff --git a/README.md b/README.md
index f90e040..f59dd0c 100644
--- a/README.md
+++ b/README.md
@@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m

$ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml

+Create Security image for QEMU x86-64
+-------------------------------------
+
+ $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml
+
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
new file mode 100644
index 0000000..e84290c
--- /dev/null
+++ b/kas/opt/security.yml
@@ -0,0 +1,32 @@
+#
+# CIP Core tiny profile with Security
+# packages and configuration
+#
+# Copyright (c) 2019 TOSHIBA Corp.
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+repos:
+ meta-cip-security:
+ layers:
+ meta-cip-security:
+
+local_conf_header:
+ security: |
+ DISTRO_FEATURES_append += " pam"
+ CORE_IMAGE_EXTRA_INSTALL += " \
+ aide aide-common \
+ openssl openssl-bin \
+ openssh openssh-misc \
+ chrony chronyc \
+ libpam pam-plugin-cracklib pam-plugin-tally2 \
+ syslog-ng \
+ acl \
+ sudo \
+ auditd \
+ util-linux \
+ "
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
new file mode 100644
index 0000000..b015436
--- /dev/null
+++ b/meta-cip-security/conf/layer.conf
@@ -0,0 +1,18 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "cip-security"
+BBFILE_PATTERN_cip-security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_cip-security = "11"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_cip-security = "1"
+
+LAYERDEPENDS_cip-security = "debian"
+
+LAYERSERIES_COMPAT_cip-security = "warrior"
--
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[cip-core:deby 0/3] deby security layer changes

Venkata Pyla
 

From: venkata-pyla <venkata.pyla@toshiba-tsip.com>

Added a security layer in deby that will be used for IEC 62443-4-2
certification

venkata pyla (3):
cip-security: Create new layer for cip security
security-configuration: apply security polcies using package bbappend
aide-static: enable aide to build statically

README.md | 5 +++
kas/opt/security.yml | 32 +++++++++++++++
.../conf/include/aide-static-libs.inc | 10 +++++
meta-cip-security/conf/layer.conf | 20 ++++++++++
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
8 files changed, 148 insertions(+)
create mode 100644 kas/opt/security.yml
create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc
create mode 100644 meta-cip-security/conf/layer.conf
create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

--
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


Re: [cip-kernel-config ][ RFC 1/1] 4.19.y-cip/cip_bbb_defconfig: Add config switches from isar-cip-core

Nobuhiro Iwamatsu
 

Hi,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Quirin Gylstorff
Sent: Friday, August 21, 2020 6:52 PM
To: cip-dev@lists.cip-project.org; sangorrin daniel(サンゴリン ダニエル □SWC◯ACT)
<daniel.sangorrin@toshiba.co.jp>; jan.kiszka@siemens.com
Subject: Re: [cip-dev] [cip-kernel-config ][ RFC 1/1] 4.19.y-cip/cip_bbb_defconfig: Add config switches from
isar-cip-core



On 8/21/20 1:34 AM, Nobuhiro Iwamatsu wrote:
Hi,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Quirin Gylstorff
Sent: Monday, August 17, 2020 6:29 PM
To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>;
cip-dev@lists.cip-project.org; jan.kiszka@siemens.com
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: [cip-dev] [cip-kernel-config ][ RFC 1/1] 4.19.y-cip/cip_bbb_defconfig: Add config switches from
isar-cip-core

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the config switches which exist only in isar-cip-core
to the defconfig in cip-kernel-config for the beagle bone black.
Thanks for your patch.
The cip_bbb_defconfig created by me had minimal functionality enabled. I didn't know that Siemens didn't include
the required features.
So I think this patch is necessary.
However, we think that it is difficult to do it with one defconfig when testing the necessary functions as CIP in
the future.
Therefore, it may be necessary to prepare defconfig for each required function in the future.

By the way, is this only 4.19? Do I need to change RT or 4.4.y?
This patch is only for 4.19. I can prepare a v2 which includes v4.4. As
posted it was intented to show the current difference between the bbb
config in isar-cip-core and cip-kernel-config.
I see.
Would you send a patch for v4.4 as well?

Best regards,
Nobuhiro

Best regards,
Quirin

Best regards,
Nobuhiro

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
4.19.y-cip/arm/cip_bbb_defconfig | 339 +++++++++++++++++++++++++++++++
1 file changed, 339 insertions(+)

diff --git a/4.19.y-cip/arm/cip_bbb_defconfig b/4.19.y-cip/arm/cip_bbb_defconfig
index 3e22365..445cdee 100644
--- a/4.19.y-cip/arm/cip_bbb_defconfig
+++ b/4.19.y-cip/arm/cip_bbb_defconfig
@@ -1,6 +1,9 @@
# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_KERNEL_LZMA=y
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
+CONFIG_FHANDLE=y
+CONFIG_AUDIT=y
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y
CONFIG_PREEMPT=y
@@ -8,6 +11,7 @@ CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=16
CONFIG_CGROUPS=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
@@ -17,24 +21,67 @@ CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
+CONFIG_CPUSETS=y
CONFIG_CGROUP_CPUACCT=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_KMEM=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_DEBUG=y
CONFIG_USER_NS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_RT_GROUP_SCHED=y
+CONFIG_BLK_CGROUP=y
+CONFIG_NAMESPACES=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_BPF_SYSCALL=y
+CONFIG_EXPERT=y
+CONFIG_SLAB=y
CONFIG_PROFILING=y
CONFIG_ARCH_VIRT=y
+CONFIG_OPROFILE=y
+CONFIG_KPROBES=y
+CONFIG_MODULES=y
+CONFIG_MODULE_FORCE_LOAD=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+CONFIG_MODVERSIONS=y
+CONFIG_MODULE_SRCVERSION_ALL=y
+# CONFIG_BLK_DEV_BSG is not set
+CONFIG_PARTITION_ADVANCED=y
+CONFIG_POWER_AVS_OMAP=y
+CONFIG_POWER_AVS_OMAP_CLASS3=y
CONFIG_OMAP_RESET_CLOCKS=y
CONFIG_ARCH_OMAP3=y
+CONFIG_OMAP_MUX_DEBUG=y
CONFIG_SOC_AM33XX=y
CONFIG_ARM_THUMBEE=y
CONFIG_OABI_COMPAT=y
+CONFIG_ARM_ERRATA_411920=y
+CONFIG_ARM_ERRATA_430973=y
+CONFIG_SMP=y
+CONFIG_NR_CPUS=2
+CONFIG_CMA=y
+CONFIG_SECCOMP=y
+CONFIG_ZBOOT_ROM_TEXT=0x0
+CONFIG_ZBOOT_ROM_BSS=0x0
CONFIG_ARM_APPENDED_DTB=y
CONFIG_ARM_ATAG_DTB_COMPAT=y
+CONFIG_CMDLINE=""
+CONFIG_KEXEC=y
+CONFIG_CPU_FREQ=y
+CONFIG_CPU_FREQ_STAT_DETAILS=y
+CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
+CONFIG_CPU_FREQ_GOV_POWERSAVE=y
+CONFIG_CPU_FREQ_GOV_USERSPACE=y
+CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y
+CONFIG_CPUFREQ_DT=y
+# CONFIG_ARM_OMAP2PLUS_CPUFREQ is not set
CONFIG_CPU_IDLE=y
CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_BINFMT_MISC=y
CONFIG_PM_DEBUG=y
CONFIG_OPROFILE=y
CONFIG_KPROBES=y
@@ -48,6 +95,8 @@ CONFIG_UNIX=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_SUB_POLICY=y
CONFIG_NET_KEY=m
+CONFIG_XFRM_USER=y
+CONFIG_NET_KEY=y
CONFIG_NET_KEY_MIGRATE=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
@@ -74,6 +123,7 @@ CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_TUNNEL=m
+# CONFIG_INET_LRO is not set
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_AMANDA=m
@@ -196,40 +246,108 @@ CONFIG_NET_PKTGEN=m
CONFIG_CFG80211=y
CONFIG_MAC80211=y
CONFIG_RFKILL=y
+CONFIG_PHONET=m
+CONFIG_CAN=m
+CONFIG_CAN_C_CAN=m
+CONFIG_CAN_C_CAN_PLATFORM=m
+CONFIG_BT=m
+CONFIG_BT_RFCOMM=m
+CONFIG_BT_RFCOMM_TTY=y
+CONFIG_BT_BNEP=m
+CONFIG_BT_BNEP_MC_FILTER=y
+CONFIG_BT_BNEP_PROTO_FILTER=y
+CONFIG_BT_HIDP=m
+CONFIG_BT_HCIBTUSB=m
+CONFIG_BT_HCIBTSDIO=m
+CONFIG_BT_HCIUART=m
+CONFIG_BT_HCIUART_H4=y
+CONFIG_BT_HCIUART_BCSP=y
+CONFIG_BT_HCIUART_LL=y
+CONFIG_BT_HCIUART_3WIRE=y
+CONFIG_BT_HCIBCM203X=m
+CONFIG_BT_HCIBPA10X=m
+CONFIG_CFG80211=m
+CONFIG_BT_HCIBFUSB=m
+CONFIG_BT_HCIVHCI=m
+CONFIG_BT_MRVL=m
+CONFIG_BT_MRVL_SDIO=m
+CONFIG_AF_RXRPC=m
+CONFIG_RXKAD=m
+CONFIG_MAC80211=m
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_DMA_CMA=y
CONFIG_OMAP_OCP2SCP=y
+CONFIG_CONNECTOR=m
CONFIG_MTD=y
CONFIG_MTD_CMDLINE_PARTS=y
CONFIG_MTD_BLOCK=y
CONFIG_MTD_OOPS=y
CONFIG_MTD_CFI=y
CONFIG_MTD_CFI_INTELEXT=y
+CONFIG_MTD_PHYSMAP=y
+CONFIG_MTD_PHYSMAP_OF=y
CONFIG_MTD_NAND=y
+CONFIG_MTD_NAND_ECC_BCH=y
CONFIG_MTD_NAND_OMAP2=y
CONFIG_MTD_NAND_OMAP_BCH=y
+CONFIG_MTD_ONENAND=y
+CONFIG_MTD_ONENAND_VERIFY_WRITE=y
+CONFIG_MTD_ONENAND_OMAP2=y
CONFIG_MTD_UBI=y
CONFIG_OF_OVERLAY=y
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_BLK_DEV_NBD=m
+CONFIG_MTD_SPI_NOR=m
+CONFIG_MTD_M25P80=m
+CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_RAM=y
CONFIG_VIRTIO_BLK=y
CONFIG_EEPROM_93CX6=y
CONFIG_SCSI=y
# CONFIG_SCSI_MQ_DEFAULT is not set
+CONFIG_BLK_DEV_RAM_SIZE=16384
+CONFIG_SENSORS_TSL2550=m
+CONFIG_BMP085_I2C=m
+CONFIG_SRAM=y
+CONFIG_SENSORS_LIS3_I2C=m
CONFIG_BLK_DEV_SD=y
CONFIG_SCSI_VIRTIO=y
+CONFIG_SCSI_SCAN_ASYNC=y
+CONFIG_ATA=y
+CONFIG_SATA_AHCI_PLATFORM=y
CONFIG_NETDEVICES=y
CONFIG_BONDING=m
CONFIG_DUMMY=m
CONFIG_NETCONSOLE=y
CONFIG_TUN=m
CONFIG_VIRTIO_NET=y
+# CONFIG_NET_VENDOR_ARC is not set
+# CONFIG_NET_CADENCE is not set
+# CONFIG_NET_VENDOR_BROADCOM is not set
+# CONFIG_NET_VENDOR_CIRRUS is not set
+CONFIG_DM9000=y
+# CONFIG_NET_VENDOR_FARADAY is not set
+# CONFIG_NET_VENDOR_HISILICON is not set
+# CONFIG_NET_VENDOR_INTEL is not set
+# CONFIG_NET_VENDOR_MARVELL is not set
+CONFIG_KS8851=y
+CONFIG_KS8851_MLL=y
+# CONFIG_NET_VENDOR_MICROCHIP is not set
+# CONFIG_NET_VENDOR_NATSEMI is not set
+# CONFIG_NET_VENDOR_QUALCOMM is not set
+# CONFIG_NET_VENDOR_SAMSUNG is not set
+# CONFIG_NET_VENDOR_SEEQ is not set
CONFIG_SMC91X=y
CONFIG_SMSC911X=y
+# CONFIG_NET_VENDOR_STMICRO is not set
+CONFIG_TI_DAVINCI_EMAC=y
CONFIG_TI_CPSW=y
+CONFIG_TI_CPTS=y
+# CONFIG_NET_VENDOR_VIA is not set
+# CONFIG_NET_VENDOR_WIZNET is not set
+CONFIG_AT803X_PHY=y
CONFIG_SMSC_PHY=y
CONFIG_PPP=m
CONFIG_PPP_BSDCOMP=m
@@ -257,16 +375,49 @@ CONFIG_USB_NET_MCS7830=m
CONFIG_USB_NET_RNDIS_HOST=m
CONFIG_USB_ALI_M5632=y
CONFIG_USB_AN2720=y
+CONFIG_USB_EPSON2888=y
+CONFIG_USB_EHCI_HCD=m
+CONFIG_USB_OHCI_HCD=m
CONFIG_USB_KC2190=y
CONFIG_INPUT_FF_MEMLESS=y
CONFIG_INPUT_EVDEV=y
CONFIG_KEYBOARD_GPIO=y
+CONFIG_USB_CDC_PHONET=m
+CONFIG_LIBERTAS=m
+CONFIG_LIBERTAS_USB=m
+CONFIG_LIBERTAS_SDIO=m
+CONFIG_LIBERTAS_DEBUG=y
+CONFIG_WL_TI=y
+CONFIG_WL12XX=m
+CONFIG_WL18XX=m
+CONFIG_WLCORE_SPI=m
+CONFIG_WLCORE_SDIO=m
+CONFIG_MWIFIEX=m
+CONFIG_MWIFIEX_SDIO=m
+CONFIG_MWIFIEX_USB=m
+CONFIG_INPUT_JOYDEV=m
+CONFIG_INPUT_EVDEV=m
+CONFIG_KEYBOARD_ATKBD=m
+CONFIG_KEYBOARD_GPIO=m
CONFIG_KEYBOARD_MATRIX=m
CONFIG_KEYBOARD_TWL4030=y
+CONFIG_KEYBOARD_OMAP4=m
+CONFIG_KEYBOARD_TWL4030=m
+# CONFIG_INPUT_MOUSE is not set
CONFIG_INPUT_TOUCHSCREEN=y
CONFIG_TOUCHSCREEN_ADS7846=y
+CONFIG_TOUCHSCREEN_ADS7846=m
+CONFIG_TOUCHSCREEN_EDT_FT5X06=m
+CONFIG_TOUCHSCREEN_PIXCIR=m
+CONFIG_TOUCHSCREEN_TSC2005=m
+CONFIG_TOUCHSCREEN_TSC2007=m
+CONFIG_TOUCHSCREEN_TI_AM335X_TSC=m
CONFIG_INPUT_MISC=y
CONFIG_INPUT_TWL4030_PWRBUTTON=y
+CONFIG_INPUT_TPS65218_PWRBUTTON=m
+CONFIG_INPUT_TWL4030_PWRBUTTON=m
+CONFIG_INPUT_PALMAS_PWRBUTTON=m
+CONFIG_SERIO=m
# CONFIG_LEGACY_PTYS is not set
CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_CONSOLE=y
@@ -276,30 +427,79 @@ CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
CONFIG_VIRTIO_CONSOLE=y
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_SERIAL_8250_NR_UARTS=32
+CONFIG_SERIAL_8250_RUNTIME_UARTS=6
+CONFIG_SERIAL_8250_EXTENDED=y
+CONFIG_SERIAL_8250_MANY_PORTS=y
+CONFIG_SERIAL_8250_SHARE_IRQ=y
+CONFIG_SERIAL_8250_DETECT_IRQ=y
+CONFIG_SERIAL_8250_RSA=y
+CONFIG_SERIAL_OF_PLATFORM=y
+CONFIG_SERIAL_OMAP=y
+CONFIG_SERIAL_OMAP_CONSOLE=y
CONFIG_I2C_CHARDEV=y
CONFIG_SPI=y
CONFIG_SPI_OMAP24XX=y
CONFIG_SPI_PL022=y
+CONFIG_SPI_TI_QSPI=m
+CONFIG_HSI=m
+CONFIG_OMAP_SSI=m
+CONFIG_NOKIA_MODEM=m
+CONFIG_SSI_PROTOCOL=m
CONFIG_PINCTRL_SINGLE=y
+CONFIG_DEBUG_GPIO=y
CONFIG_GPIO_SYSFS=y
+CONFIG_GPIO_PCA953X=m
CONFIG_GPIO_PCF857X=y
CONFIG_GPIO_TWL4030=y
CONFIG_POWER_SUPPLY=y
+CONFIG_GPIO_PALMAS=y
+CONFIG_W1=m
+CONFIG_HDQ_MASTER_OMAP=m
+CONFIG_BATTERY_BQ27XXX=m
+CONFIG_CHARGER_ISP1704=m
+CONFIG_CHARGER_TWL4030=m
+CONFIG_CHARGER_BQ2415X=m
+CONFIG_CHARGER_BQ24190=m
+CONFIG_CHARGER_BQ24735=m
+CONFIG_POWER_RESET=y
+CONFIG_POWER_AVS=y
+CONFIG_HWMON=m
+CONFIG_SENSORS_GPIO_FAN=m
+CONFIG_SENSORS_LM75=m
+CONFIG_SENSORS_TMP102=m
+CONFIG_THERMAL=m
+CONFIG_THERMAL_GOV_FAIR_SHARE=y
+CONFIG_THERMAL_GOV_USER_SPACE=y
+CONFIG_CPU_THERMAL=y
+CONFIG_TI_SOC_THERMAL=m
+CONFIG_TI_THERMAL=y
+CONFIG_OMAP4_THERMAL=y
+CONFIG_OMAP5_THERMAL=y
+CONFIG_DRA752_THERMAL=y
CONFIG_WATCHDOG=y
CONFIG_WATCHDOG_NOWAYOUT=y
CONFIG_SOFT_WATCHDOG=m
CONFIG_ARM_SP805_WATCHDOG=y
CONFIG_OMAP_WATCHDOG=y
CONFIG_TWL4030_WATCHDOG=y
+CONFIG_OMAP_WATCHDOG=m
+CONFIG_TWL4030_WATCHDOG=m
CONFIG_MFD_PALMAS=y
CONFIG_MFD_TPS65217=y
+CONFIG_MFD_TPS65218=y
CONFIG_MFD_TPS65910=y
CONFIG_MFD_TWL4030_AUDIO=y
+CONFIG_MFD_TI_AM335X_TSCADC=m
CONFIG_TWL6040_CORE=y
CONFIG_REGULATOR_PALMAS=y
+CONFIG_REGULATOR_PBIAS=y
+CONFIG_REGULATOR_TI_ABB=y
+CONFIG_REGULATOR_TPS62360=m
CONFIG_REGULATOR_TPS65023=y
CONFIG_REGULATOR_TPS6507X=y
CONFIG_REGULATOR_TPS65217=y
+CONFIG_REGULATOR_TPS65218=y
CONFIG_REGULATOR_TPS65910=y
CONFIG_REGULATOR_TWL4030=y
CONFIG_DRM=y
@@ -308,15 +508,55 @@ CONFIG_DRM_OMAP=y
CONFIG_OMAP2_DSS_DSI=y
CONFIG_DRM_TILCDC=y
CONFIG_DRM_VIRTIO_GPU=y
+CONFIG_FB=y
+CONFIG_FIRMWARE_EDID=y
CONFIG_FB_MODE_HELPERS=y
CONFIG_FB_TILEBLITTING=y
+CONFIG_OMAP2_DSS=m
+CONFIG_OMAP5_DSS_HDMI=y
+CONFIG_OMAP2_DSS_SDI=y
+CONFIG_OMAP2_DSS_DSI=y
+CONFIG_FB_OMAP2=m
+CONFIG_DISPLAY_ENCODER_TFP410=m
+CONFIG_DISPLAY_ENCODER_TPD12S015=m
+CONFIG_DISPLAY_CONNECTOR_DVI=m
+CONFIG_DISPLAY_CONNECTOR_HDMI=m
+CONFIG_DISPLAY_CONNECTOR_ANALOG_TV=m
+CONFIG_DISPLAY_PANEL_DPI=m
+CONFIG_DISPLAY_PANEL_DSI_CM=m
+CONFIG_DISPLAY_PANEL_SONY_ACX565AKM=m
+CONFIG_DISPLAY_PANEL_LGPHILIPS_LB035Q02=m
+CONFIG_DISPLAY_PANEL_SHARP_LS037V7DW01=m
+CONFIG_DISPLAY_PANEL_TPO_TD028TTEC1=m
+CONFIG_DISPLAY_PANEL_TPO_TD043MTEA1=m
+CONFIG_DISPLAY_PANEL_NEC_NL8048HL11=m
+CONFIG_BACKLIGHT_LCD_SUPPORT=y
CONFIG_LCD_CLASS_DEVICE=y
CONFIG_LCD_PLATFORM=y
+CONFIG_BACKLIGHT_CLASS_DEVICE=y
+CONFIG_BACKLIGHT_GENERIC=m
+CONFIG_BACKLIGHT_PWM=m
+CONFIG_BACKLIGHT_PANDORA=m
+CONFIG_BACKLIGHT_GPIO=m
+CONFIG_FRAMEBUFFER_CONSOLE=y
+CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
CONFIG_LOGO=y
CONFIG_SOUND=m
CONFIG_SND=m
+CONFIG_SND_MIXER_OSS=m
+CONFIG_SND_PCM_OSS=m
+CONFIG_SND_VERBOSE_PRINTK=y
+CONFIG_SND_DEBUG=y
+CONFIG_SND_USB_AUDIO=m
CONFIG_SND_SOC=m
+CONFIG_SND_EDMA_SOC=m
+CONFIG_SND_AM33XX_SOC_EVM=m
+CONFIG_SND_DAVINCI_SOC_MCASP=m
+CONFIG_SND_OMAP_SOC=m
+CONFIG_SND_OMAP_SOC_OMAP_TWL4030=m
+CONFIG_SND_OMAP_SOC_OMAP_ABE_TWL6040=m
+CONFIG_SND_OMAP_SOC_OMAP3_PANDORA=m
CONFIG_SND_SIMPLE_CARD=m
CONFIG_USB=y
CONFIG_USB_EHCI_HCD=y
@@ -324,22 +564,79 @@ CONFIG_USB_STORAGE=y
CONFIG_USB_MUSB_HDRC=y
CONFIG_USB_MUSB_OMAP2PLUS=y
CONFIG_USB_MUSB_DSPS=y
+CONFIG_SND_SOC_TLV320AIC3X=m
+CONFIG_HID_GENERIC=m
+CONFIG_USB_HIDDEV=y
+CONFIG_USB_KBD=m
+CONFIG_USB_MOUSE=m
+CONFIG_USB=m
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_MON=m
+CONFIG_USB_XHCI_HCD=m
+CONFIG_USB_WDM=m
+CONFIG_USB_STORAGE=m
+CONFIG_USB_MUSB_HDRC=m
+CONFIG_USB_MUSB_OMAP2PLUS=m
+CONFIG_USB_MUSB_AM35X=m
+CONFIG_USB_MUSB_DSPS=m
+CONFIG_USB_INVENTRA_DMA=y
CONFIG_USB_TI_CPPI41_DMA=y
CONFIG_NOP_USB_XCEIV=y
+CONFIG_USB_DWC3=m
+CONFIG_USB_TEST=m
CONFIG_AM335X_PHY_USB=y
CONFIG_USB_GADGET=y
CONFIG_USB_G_NCM=m
CONFIG_USB_MASS_STORAGE=m
+CONFIG_USB_GADGET=m
+CONFIG_USB_GADGET_DEBUG=y
+CONFIG_USB_GADGET_DEBUG_FILES=y
+CONFIG_USB_GADGET_DEBUG_FS=y
+CONFIG_USB_CONFIGFS=m
+CONFIG_USB_CONFIGFS_SERIAL=y
+CONFIG_USB_CONFIGFS_ACM=y
+CONFIG_USB_CONFIGFS_OBEX=y
+CONFIG_USB_CONFIGFS_NCM=y
+CONFIG_USB_CONFIGFS_ECM=y
+CONFIG_USB_CONFIGFS_ECM_SUBSET=y
+CONFIG_USB_CONFIGFS_RNDIS=y
+CONFIG_USB_CONFIGFS_EEM=y
+CONFIG_USB_CONFIGFS_PHONET=y
+CONFIG_USB_CONFIGFS_MASS_STORAGE=y
+CONFIG_USB_CONFIGFS_F_LB_SS=y
+CONFIG_USB_CONFIGFS_F_FS=y
+CONFIG_USB_CONFIGFS_F_UAC1=y
+CONFIG_USB_CONFIGFS_F_UAC2=y
+CONFIG_USB_CONFIGFS_F_MIDI=y
+CONFIG_USB_CONFIGFS_F_HID=y
+CONFIG_USB_ZERO=m
+CONFIG_USB_G_NOKIA=m
CONFIG_MMC=y
CONFIG_SDIO_UART=y
CONFIG_MMC_OMAP=y
CONFIG_MMC_OMAP_HS=y
CONFIG_NEW_LEDS=y
+CONFIG_LEDS_CLASS=m
+CONFIG_LEDS_GPIO=m
+CONFIG_LEDS_PWM=m
+CONFIG_LEDS_TRIGGERS=y
+CONFIG_LEDS_TRIGGER_TIMER=m
+CONFIG_LEDS_TRIGGER_ONESHOT=m
+CONFIG_LEDS_TRIGGER_HEARTBEAT=m
+CONFIG_LEDS_TRIGGER_BACKLIGHT=m
+CONFIG_LEDS_TRIGGER_CPU=y
+CONFIG_LEDS_TRIGGER_GPIO=m
+CONFIG_LEDS_TRIGGER_DEFAULT_ON=m
CONFIG_RTC_CLASS=y
CONFIG_RTC_DRV_TWL4030=y
CONFIG_RTC_DRV_PALMAS=y
CONFIG_RTC_DRV_OMAP=y
CONFIG_RTC_DRV_PL031=y
+CONFIG_RTC_DRV_DS1307=m
+CONFIG_RTC_DRV_PALMAS=m
+CONFIG_RTC_DRV_TWL92330=y
+CONFIG_RTC_DRV_TWL4030=m
+CONFIG_RTC_DRV_OMAP=m
CONFIG_DMADEVICES=y
CONFIG_PL330_DMA=y
CONFIG_VIRTIO_BALLOON=y
@@ -348,6 +645,27 @@ CONFIG_VIRTIO_MMIO=y
CONFIG_ARM_TIMER_SP804=y
CONFIG_EXTCON_PALMAS=y
CONFIG_OMAP_USB2=y
+CONFIG_TI_EDMA=y
+CONFIG_DMA_OMAP=y
+# CONFIG_IOMMU_SUPPORT is not set
+CONFIG_EXTCON=m
+CONFIG_EXTCON_USB_GPIO=m
+CONFIG_EXTCON_PALMAS=m
+CONFIG_TI_EMIF=m
+CONFIG_IIO=m
+CONFIG_TI_AM335X_ADC=m
+CONFIG_PWM=y
+CONFIG_PWM_TIECAP=m
+CONFIG_PWM_TIEHRPWM=m
+CONFIG_PWM_TWL=m
+CONFIG_PWM_TWL_LED=m
+CONFIG_PHY_DM816X_USB=m
+CONFIG_OMAP_USB2=m
+CONFIG_TI_PIPE3=y
+CONFIG_TWL4030_USB=m
+CONFIG_EXT2_FS=y
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_XATTR is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
@@ -355,12 +673,20 @@ CONFIG_EXT4_ENCRYPTION=y
CONFIG_AUTOFS4_FS=y
CONFIG_FUSE_FS=m
CONFIG_CUSE=m
+CONFIG_FANOTIFY=y
+CONFIG_QUOTA=y
+CONFIG_QFMT_V2=y
+CONFIG_AUTOFS4_FS=m
CONFIG_MSDOS_FS=y
CONFIG_VFAT_FS=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_ROMFS_FS=m
+CONFIG_CONFIGFS_FS=y
+CONFIG_UBIFS_FS=y
+CONFIG_CRAMFS=y
CONFIG_NFS_FS=y
+CONFIG_NFS_V3_ACL=y
CONFIG_NFS_V4=y
CONFIG_ROOT_NFS=y
CONFIG_CIFS=m
@@ -405,6 +731,13 @@ CONFIG_NLS_KOI8_R=m
CONFIG_NLS_KOI8_U=m
CONFIG_NLS_UTF8=m
CONFIG_ENCRYPTED_KEYS=y
+CONFIG_PRINTK_TIME=y
+CONFIG_DEBUG_INFO=y
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_SCHEDSTATS=y
+CONFIG_TIMER_STATS=y
+CONFIG_PROVE_LOCKING=y
+# CONFIG_DEBUG_BUGVERBOSE is not set
CONFIG_SECURITY=y
CONFIG_CRYPTO_TEST=m
CONFIG_CRYPTO_XCBC=m
@@ -419,6 +752,12 @@ CONFIG_CRYPTO_KHAZAD=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_TEA=m
CONFIG_CRYPTO_TWOFISH=m
+CONFIG_CRYPTO_MICHAEL_MIC=y
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRC_CCITT=y
+CONFIG_CRC_T10DIF=y
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC7=y
CONFIG_LIBCRC32C=y
CONFIG_FONTS=y
CONFIG_FONT_8x8=y
--
2.20.1


--
Quirin Gylstorff

Siemens AG
Corporate Technology
Research in Digitalization and Automation
Smart Embedded Systems
CT RDA IOT SES-DE
Otto-Hahn-Ring 6
81739 Muenchen, Germany
Mobile: +49 173 3746683
mailto:quirin.gylstorff@siemens.com
www.siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim
Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and
Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich,
Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin
and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB
12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

Important notice: This e-mail and any attachment thereof contain
corporate proprietary information. If you have received it by mistake,
please notify us immediately by reply e-mail and delete this e-mail and
its attachments from your system. Thank you.


[ANNOUNCE] Release v4.19.144-cip34 and v4.4.235-cip49

Nobuhiro Iwamatsu
 

Hi,

I was late for release due to a LAVA issue.
(Thanks to Chris for fixing this.)

CIP kernel team has released Linux kernel v4.19.144-cip34 and v4.4.235-cip49.
The linux-4.19.y-cip has been updated base version from v4.19.140 to v4.19.144,
and The linux-4.4.y-cip tree has been updated base version from
v4.4.231 to v4.4.235.

This release includes many backport patches for each version.
4.19.y-cip adds a new revision board for HiHope RZ/G2M and many IP support patches
for r8a774e1 and r8a7795. And 4.4.y-cip has added support for Renesas ARM SoC RZ/G1H
(r8a7742) and iWave G21D-Q7 board. Also, the cpufreq driver for TI
platforms (am33xx and etc) has been backported.

We can get this release via the git tree at:

v4.19.144-cip34:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git

branch:
linux-4.19.y-cip

commit hash:
1d9c4c7e291d5f49ab07402ef739f98fac6e7adb

added commits:
CIP: Bump version suffix to -cip34 after merge from stable
arm64: dts: renesas: Fix SD Card/eMMC interface device node names
arm64: dts: renesas: r8a774e1: Add RWDT node
dt-bindings: watchdog: renesas,wdt: Document r8a774e1 support
arm64: dts: renesas: r8a774e1: Add MSIOF nodes
spi: renesas,sh-msiof: Add r8a774e1 support
arm64: dts: renesas: r8a774e1: Add I2C and IIC-DVFS support
dt-bindings: i2c: renesas,iic: Document r8a774e1 support
dt-bindings: i2c: renesas,i2c: Document r8a774e1 support
arm64: dts: renesas: r8a774e1: Add SDHI nodes
mmc: renesas_sdhi_internal_dmac: Add r8a774e1 support
arm64: dts: renesas: r8a774e1: Add SCIF and HSCIF nodes
arm64: dts: renesas: r8a774e1: Add CAN[FD] support
can: rcar_can: Remove unused platform data support
arm64: dts: renesas: r8a774e1: Add TMU device nodes
arm64: dts: renesas: r8a774e1: Add CMT device nodes
arm64: dts: renesas: r8a774e1: Add RZ/G2H thermal support
thermal: rcar_gen3_thermal: Add r8a774e1 support
thermal/drivers/rcar_gen3: Fix undefined temperature if negative
thermal: rcar_gen3_thermal: Generate interrupt when temperature changes
thermal: rcar_gen3_thermal: Remove temperature bound
arm64: dts: renesas: r8a774e1: Add operating points
arm64: dts: renesas: r8a774e1: Add Ethernet AVB node
arm64: dts: renesas: r8a774e1: Add GPIO device nodes
arm64: dts: renesas: r8a774e1: Add SYS-DMAC device nodes
dt-bindings: dma: renesas,rcar-dmac: Document R8A774E1 bindings
arm64: dts: renesas: r8a774e1: Add IPMMU device nodes
iommu/ipmmu-vmsa: Hook up R8A774E1 DT matching code
dt-bindings: iommu: renesas,ipmmu-vmsa: Add r8a774e1 support
arm64: dts: renesas: Add HiHope RZ/G2H sub board support
arm64: dts: renesas: Add HiHope RZ/G2H main board support
dt-bindings: arm: renesas: Add HopeRun RZ/G2H boards
arm64: dts: renesas: Initial r8a774e1 SoC device tree
pinctrl: sh-pfc: pfc-r8a77951: Add R8A774E1 PFC support
dt-bindings: pinctrl: sh-pfc: Document r8a774e1 PFC support
pinctrl: sh-pfc: Split R-Car H3 support in two independent drivers
pinctrl: sh-pfc: pfc-r8a7795: Fix typo in pinmux macro for SCL3
pinctrl: sh-pfc: pfc-r8a7795-es1: Fix typo in pinmux macro for SCL3
pinctrl: sh-pfc: r8a7795: Use new macros for non-GPIO pins
pinctrl: sh-pfc: r8a7795-es1: Use new macros for non-GPIO pins
pinctrl: sh-pfc: r8a7795: Add TPU pins, groups and functions
pinctrl: sh-pfc: r8a7795-es1: Add TPU pins, groups and functions
pinctrl: sh-pfc: rcar-gen3: Rename RTS{0,1,3,4}# pin function definitions
pinctrl: sh-pfc: rcar-gen3: Retain TDSELCTRL register across suspend/resume
pinctrl: sh-pfc: r8a7795: Deduplicate VIN5 pin definitions
pinctrl: sh-pfc: r8a7795: Add I2C{0,3,5} pins, groups and functions
pinctrl: sh-pfc: r8a7795-es1: Add I2C{0,3,5} pins, groups and functions
pinctrl: sh-pfc: r8a7795: Fix VIN versioned groups
pinctrl: sh-pfc: r8a77965: Fix DU_DOTCLKIN3 drive/bias control
arm64: defconfig: Enable R8A774E1 SoC
clk: renesas: cpg-mssr: Add r8a774e1 support
dt-bindings: clock: renesas,cpg-mssr: Document r8a774e1
clk: renesas: rzg2: Mark RWDT clocks as critical
clk: renesas: cpg-mssr: Mark clocks as critical only if on at boot
clk: renesas: rcar-gen3: Allow changing the RPC[D2] clocks
clk: renesas: Add r8a774e1 CPG Core Clock Definitions
clk: renesas: rcar-gen3: Add RPC clocks
soc: renesas: rcar-rst: Add support for RZ/G2H
dt-bindings: reset: rcar-rst: Document r8a774e1 reset module
soc: renesas: Identify RZ/G2H
dt-bindings: arm: renesas: Document RZ/G2H SoC DT bindings
soc: renesas: Add Renesas R8A774E1 config option
soc: renesas: rcar-sysc: Add r8a774e1 support
dt-bindings: power: renesas,rcar-sysc: Document r8a774e1 SYSC binding
dt-bindings: power: Add r8a774e1 SYSC power domain definitions
arm64: dts: renesas: r8a774a1: Remove audio port node
arm64: dts: renesas: Add HiHope RZ/G2N Rev2.0/3.0/4.0 board with idk-1110wr display
arm64: dts: renesas: Add HiHope RZ/G2N Rev.3.0/4.0 sub board support
arm64: dts: renesas: Add HiHope RZ/G2N Rev.3.0/4.0 main board support
arm64: dts: renesas: Add HiHope RZ/G2M Rev.3.0/4.0 board with idk-1110wr display
arm64: dts: renesas: hihope-rzg2-ex: Separate out lvds specific nodes into common file
arm64: dts: renesas: Add HiHope RZ/G2M Rev.3.0/4.0 sub board support
arm64: dts: renesas: Add HiHope RZ/G2M Rev.3.0/4.0 main board support
arm64: dts: renesas: Add HiHope RZ/G2M[N] Rev.3.0/4.0 specific into common file
arm64: dts: renesas: hihope-common: Separate out Rev.2.0 specific into hihope-rev2.dtsi file
arm64: dts: renesas: r8a774b1-hihope-rzg2n[-ex]: Rename HiHope RZ/G2N boards
arm64: dts: renesas: r8a774a1-hihope-rzg2m[-ex/-ex-idk-1110wr]: Rename HiHope RZ/G2M boards

v4.4.235-cip49:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git

branch:
linux-4.4.y-cip

commit hash:
c9f71781108017f6e3fc8d3326cf24bb234b5399

added commits:
CIP: Bump version suffix to -cip49 after merge from stable
ARM: dts: am33xx: Add updated operating-points-v2 table for cpu
ARM: omap2plus_defconfig: Enable support for ti-cpufreq
cpufreq: dt: Don't use generic platdev driver for ti-cpufreq platforms
cpufreq: ti-cpufreq: Fix an incorrect error return value
cpufreq: ti-cpufreq: add missing of_node_put()
cpufreq: ti-cpufreq: kfree opp_data when failure
cpufreq: ti: Fix 'of_node_put' being called twice in error handling path
cpufreq: ti: Add cpufreq driver to determine available OPPs at runtime
Documentation: dt: add bindings for ti-cpufreq
PM / OPP: Expose _of_get_opp_desc_node as dev_pm_opp API
PM / OPP: Parse clock-latency and voltage-tolerance for v1 bindings
ARM: dts: r8a7742-iwg21d-q7-dbcm-ca: Add device tree for camera DB
ARM: dts: r8a7742: Add [H]SCIF{A|B} support
ARM: dts: r8a7742: Drop undocumented compatible string from scifa2 node
ARM: dts: r8a7742: Add Ether support
sh_eth: Add compatible string for R8A7742 SoC
dt-bindings: net: renesas,ether: Document R8A7742 SoC
gpio: rcar: Avoid NULL pointer access in gpio_rcar_set_multiple()
of: Add missing exports of node name compare functions
ARM: dts: r8a7742-iwg21d-q7: Enable cmt0
ARM: dts: r8a7742: Add MSIOF[0123] support
spi: renesas,sh-msiof: Add r8a7742 support
ARM: dts: r8a7742: Add CMT SoC specific support
ARM: dts: r8a7742: Add thermal device to DT
dt-bindings: thermal: rcar-thermal: Add device tree support for r8a7742
ARM: dts: r8a7742-iwg21d-q7: Add RWDT support
ARM: dts: r8a7742: Add RWDT node
dt-bindings: watchdog: renesas,wdt: Document r8a7742 support
ARM: dts: renesas: Fix SD Card/eMMC interface device node names
ARM: dts: r8a7742-iwg21d-q7: Enable SDHI2 controller
ARM: dts: r8a7742: Add MMC0 node
ARM: dts: r8a7742: Add SDHI nodes
dt-bindings: mmc: renesas,sdhi: Document r8a7742 support
ARM: dts: r8a7742: Add APMU nodes
dt-bindings: power: renesas,apmu: Document r8a7742 support
ARM: dts: r8a7742-iwg21d-q7: Enable Ethernet AVB
ARM: dts: r8a7742: Add Ethernet AVB support
dt-bindings: net: renesas, ravb: Add support for r8a7742 SoC
ARM: dts: r8a7742: Add I2C and IIC support
dt-bindings: i2c: renesas, iic: Document r8a7742 support
dt-bindings: i2c: renesas, i2c: Document r8a7742 support
ARM: dts: r8a7742: Add IRQC support
dt-bindings: irqchip: renesas-irqc: Document r8a7742 bindings
ARM: dts: r8a7742-iwg21d-q7: Add iWave G21D-Q7 board based on RZ/G1H
dt-bindings: arm: renesas: Document iW-RainboW-G21D-Qseven-RZG1H board
ARM: dts: r8a7742-iwg21m: Add iWave RZ/G1H Qseven SOM
dt-bindings: arm: renesas: Document iW-RainboW-G21M-Qseven-RZG1H SoM
ARM: dts: r8a7742: Add GPIO nodes
dt-bindings: gpio: renesas, rcar-gpio: Add r8a7742 (RZ/G1H) support
ARM: dts: r8a7742: Initial SoC device tree
pinctrl: sh-pfc: r8a7790: Add r8a7742 PFC support
pinctrl: sh-pfc: r8a7790: Add missing TX_ER pin to avb_mii group
pinctrl: sh-pfc: r8a7790: Add SCIF_CLK support
pinctrl: sh-pfc: r8a7790: Use PINMUX_SINGLE() instead of raw PINMUX_DATA()
dt-bindings: pinctrl: sh-pfc: Document r8a7742 PFC support
dt-bindings: mmc: renesas,mmcif: Document r8a7742 DT bindings
dt-bindings: serial: renesas,hscif: Document r8a7742 bindings
dt-bindings: serial: renesas,scifb: Document r8a7742 bindings
dt-bindings: serial: renesas,scif: Document r8a7742 bindings
dt-bindings: serial: renesas,scifa: Document r8a7742 bindings
ARM: multi_v7_defconfig: Enable r8a7742 SoC
ARM: shmobile: defconfig: Enable r8a7742 SoC
ARM: debug-ll: Add support for r8a7742
soc: renesas: Add Renesas R8A7742 config option
ARM: shmobile: r8a7742: Basic SoC support
clk: shmobile: Compile clk-rcar-gen2.c when using the r8a7742
clk: shmobile: Document r8a7742 CPG DIV6 clock support
clk: shmobile: Document r8a7742 MSTP clock support
clk: shmobile: Document r8a7742 CPG clock support
ARM: shmobile: r8a7742: Add clock index macros for DT sources
soc: renesas: rcar-rst: Add support for RZ/G1H
dt-bindings: reset: rcar-rst: Document r8a7742 reset module
ARM: shmobile: Document RZ/G1H SoC DT binding

Best regards,
Nobuhiro


Re: [PATCH 4.4.y-cip 0/4] Add RZ/G1H Audio support

Nobuhiro Iwamatsu
 

Hi,

-----Original Message-----
From: Pavel Machek [mailto:pavel@denx.de]
Sent: Monday, September 14, 2020 6:11 AM
To: iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT) <nobuhiro1.iwamatsu@toshiba.co.jp>
Cc: biju.das.jz@bp.renesas.com; cip-dev@lists.cip-project.org; pavel@denx.de; chris.paterson2@renesas.com;
prabhakar.mahadev-lad.rj@bp.renesas.com
Subject: Re: [PATCH 4.4.y-cip 0/4] Add RZ/G1H Audio support

Hi!

This patch series add audio support for iWave RZ/G1H board based on
r8a7742 SoC to 4.4.y-cip kernel. All patches in this series
are cherry-picked from mainline.

Lad Prabhakar (4):
dt-bindings: ASoC: renesas,rsnd: Add r8a7742 support
ARM: dts: r8a7742: Add audio support
ARM: dts: r8a7742-iwg21d-q7: Enable SGTL5000 audio codec
ARM: dts: r8a7742-iwg21d-q7: Sound DMA support via DVC on DTS

.../bindings/sound/renesas,rsnd.txt | 1 +
arch/arm/boot/dts/r8a7742-iwg21d-q7.dts | 100 +++++++
arch/arm/boot/dts/r8a7742.dtsi | 272 ++++++++++++++++++
3 files changed, 373 insertions(+)
I reviewd this patch series.
Looks good to me. If If no objection, I will apply and push this.
And I am testing on https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/188827239.
Looks good to me, too. I have no objections.
Thanks! I applied and pushed.

Best regards,
Nobuhiro

1161 - 1180 of 6628