Date   

Re: CIP IRC weekly meeting today

Nobuhiro Iwamatsu
 

Hi Kudo-san,

Sorry, I can not participate IRC meeting today.

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of
masashi.kudo@cybertrust.co.jp
Sent: Thursday, October 8, 2020 9:57 AM
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] CIP IRC weekly meeting today

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according
to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=10&day=8&hour=9&min=0&sec=0&p1=224&p2=
179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-01-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
No update.

2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt
-> Delete rbd ( Ceph block device ) from 4.4-rt x86 config - iwamatsu
-> Done, so will be closed today.

* Kernel maintenance updates
I reviewed 4.4.y-rc.

* Kernel testing
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics
can stay. Otherwise, the topic will be taken offline or in the next meeting.
Best regards,
Nobuhiro


Re: [ANNOUNCE] v4.19.148-cip35-rt15

Nobuhiro Iwamatsu
 

Hi,

-----Original Message-----
From: iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT)
Sent: Thursday, October 8, 2020 2:32 PM
To: Pavel Machek <pavel@denx.de>
Cc: cip-dev@lists.cip-project.org; jan.kiszka@siemens.com; SZ.Lin@moxa.com; ben.hutchings@codethink.co.uk;
Chris.Paterson2@renesas.com
Subject: RE: [cip-dev] [ANNOUNCE] v4.19.148-cip35-rt15

Hi Pavel,

-----Original Message-----
From: Pavel Machek [mailto:pavel@denx.de]
Sent: Thursday, October 8, 2020 5:11 AM
To: iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT) <nobuhiro1.iwamatsu@toshiba.co.jp>
Cc: cip-dev@lists.cip-project.org; pavel@denx.de; jan.kiszka@siemens.com; SZ.Lin@moxa.com;
ben.hutchings@codethink.co.uk; Chris.Paterson2@renesas.com
Subject: Re: [cip-dev] [ANNOUNCE] v4.19.148-cip35-rt15

Hi!

FYI:
https://patchwork.ozlabs.org/project/netdev/patch/20200922072931.2148-1-geert+renesas@glider.be/
Yes, and the revert is now queued to 4.19-stable, too.

So.. what do we want to do here?

We can merge 4.19.151 to -cip when it is released, and I can then
release new -cip-rt that works on renesas boards...
Yes, I think so.
Perhaps 4.19.151 will be released this weekend. And this week is the release week of the CIP kernel.
Sorry, this may be wrong.
If 151 isn't released this weekend, I'll cherry pick this commit, and release new CIP kernel.

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-4.19.y&id=1fa5848fae409511eda2c6ee4f8ad9e42a0cb3c1

And I think we can use it to release the cip-rt tree.
Best regards,
Nobuhiro


Re: [ANNOUNCE] v4.19.148-cip35-rt15

Nobuhiro Iwamatsu
 

Hi Pavel,

-----Original Message-----
From: Pavel Machek [mailto:pavel@denx.de]
Sent: Thursday, October 8, 2020 5:11 AM
To: iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT) <nobuhiro1.iwamatsu@toshiba.co.jp>
Cc: cip-dev@lists.cip-project.org; pavel@denx.de; jan.kiszka@siemens.com; SZ.Lin@moxa.com;
ben.hutchings@codethink.co.uk; Chris.Paterson2@renesas.com
Subject: Re: [cip-dev] [ANNOUNCE] v4.19.148-cip35-rt15

Hi!

FYI:
https://patchwork.ozlabs.org/project/netdev/patch/20200922072931.2148-1-geert+renesas@glider.be/
Yes, and the revert is now queued to 4.19-stable, too.

So.. what do we want to do here?

We can merge 4.19.151 to -cip when it is released, and I can then
release new -cip-rt that works on renesas boards...
Yes, I think so.
Perhaps 4.19.151 will be released this weekend. And this week is the release week of the CIP kernel.
And I think we can use it to release the cip-rt tree.


Best regards,
Pavel
Best regards,
Nobuhiro


Re: CIP IRC weekly meeting today

Kento Yoshida
 

Hi Kudo-san and all,

I'll be absent today.

And, I'll report here as an alternative to attendance.
Both minor updates were once reported, but since they are protracted, I will summarize again here.

Major updates:
There is no major update this week.

Minor updates:
1. Gap assessment for the development process (IEC 62443-4-1):
The report from the certification body, whether development process for OSS meets to the IEC 62443-4-1 standard, is delayed.
But, perhaps we can get it the end of this week.
And then, we'll plan to share the documents on the development process that reflects the feedback from the report.
2. Gap assessment for security features of security packages we suggested (IEC 62443-4-2):
We started review security features of security packages we suggested to add as CIP core packages.
The completion date is scheduled by the end of December.
After this, we'll continue to proceed our suggestion, now it's pended.

Regards,
Kent

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
masashi.kudo@cybertrust.co.jp via lists.cip-project.org
Sent: Thursday, October 8, 2020 9:57 AM
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] CIP IRC weekly meeting today

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical
topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting
from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&mont
h=10&day=8&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=24
1&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-01-09.00.log.htm
l

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt
-> Delete rbd ( Ceph block device ) from 4.4-rt x86 config - iwamatsu
-> Done, so will be closed today.

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes
sense and those involved in the topics can stay. Otherwise, the topic will be taken
offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


CIP IRC weekly meeting today

masashi.kudo@cybertrust.co.jp
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=10&day=8&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-01-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt
-> Delete rbd ( Ceph block device ) from 4.4-rt x86 config - iwamatsu
-> Done, so will be closed today.

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Re: [ANNOUNCE] v4.19.148-cip35-rt15

Pavel Machek
 

Hi!

FYI:
https://patchwork.ozlabs.org/project/netdev/patch/20200922072931.2148-1-geert+renesas@glider.be/
Yes, and the revert is now queued to 4.19-stable, too.

So.. what do we want to do here?

We can merge 4.19.151 to -cip when it is released, and I can then
release new -cip-rt that works on renesas boards...

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [cip-kernel-sec] reports: add script to convert reports to csv format

Daniel Sangorrin
 

Hello Ben,

Thanks a lot for your review and sorry for taking your time.
We will have an internal review and take your comments into account to prepare a new proposal.

Kind regards,
Daniel

-----Original Message-----
From: Ben Hutchings <ben.hutchings@codethink.co.uk>
Sent: Wednesday, October 7, 2020 6:28 AM
To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>; sz.lin@moxa.com; wens@csie.org
Cc: cip-dev@lists.cip-project.org
Subject: Re: [cip-kernel-sec] reports: add script to convert reports to csv format

On Fri, 2020-09-25 at 14:07 +0900, Daniel Sangorrin wrote:
The text version is probably enough for developers but customers
usually prefer to have a CSV that you can open with a spreadsheet
program and contains additional information. CVEs are sorted in rows
according to their criticality.
[...]

I think this script is trying to do too many different things:

1. Importing data from NVD
2. Importing data from Debian security tracker 3. Parsing an existing report (!) 4. Generating a new report

1. If there's useful information from NVD that belongs in reports, and the license allows us to redistribute it, we should add an import
script that adds that to the issue files (and extend the schema if necessary). We can then use that in any of the reporting scripts.

2. I'm not sure why the script is using Debian's general security tracker. Debian's kernel-sec normally has better information for kernel
issues, and the import_debian.py script already imports that.

3. The output of report_affected.py is intended to be human-readable, and just happens to be relatively easy to parse. If you want to
use its output as input, that should either be done by adding a structured format (e.g. JSON) for the intermediate file, or by sharing
code between the two reporting scripts so there's no need to use an intermediate file.

Other comments:

- The new script needs to be documented in README.md.

- Any files created in the process of importing data should go under the import/ subdirectory.

- Error handling needs improvement, e.g.:

+def download_file(src, file, bar=""):
+ """Re-download file when an error occurred due to network connection problem.
+ """
+ for i in range(3):
+ try:
+ wget.download(src, file, bar)
+ break
+ except:
+ pass
This doesn't check whether there was a network error; it retries in case of *any* error. The except block should specify which
exception types we want to handle.

+ if not os.path.exists(file):
+ print("ERROR: Can't download %s" % src)
Error messages should go to stderr.

+ exit(1)
This should call sys.exit.

Ben.

--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom


Re: [ANNOUNCE] v4.19.148-cip35-rt15

Nobuhiro Iwamatsu
 

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Nobuhiro Iwamatsu
Sent: Tuesday, October 6, 2020 3:49 PM
To: cip-dev@lists.cip-project.org; pavel@denx.de
Cc: jan.kiszka@siemens.com; SZ.Lin@moxa.com; ben.hutchings@codethink.co.uk; Chris.Paterson2@renesas.com
Subject: Re: [cip-dev] [ANNOUNCE] v4.19.148-cip35-rt15

Hi,

This issue seems to occur randomly.

# cip+rt kernel
NG: https://lava.ciplatform.org/scheduler/job/57129
https://lava.ciplatform.org/scheduler/job/57842
OK: https://lava.ciplatform.org/scheduler/job/57851
https://lava.ciplatform.org/scheduler/job/57841

# 4.19.148+cip kernel
NG: https://lava.ciplatform.org/scheduler/job/58836
OK: https://lava.ciplatform.org/scheduler/job/58837


We may need to confirm these relationships with CIP kernel patches.

Best regards,
Nobuhiro

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Pavel Machek
Sent: Monday, October 5, 2020 6:39 AM
To: Chris Paterson <Chris.Paterson2@renesas.com>
Cc: Pavel Machek <pavel@denx.de>; jan.kiszka@siemens.com; cip-dev@lists.cip-project.org; SZ.Lin@moxa.com;
ben.hutchings@codethink.co.uk
Subject: Re: [cip-dev] [ANNOUNCE] v4.19.148-cip35-rt15

Hi!

New realtime trees should be available at kernel.org.

Trees are available at

https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt-rebase

And their content should be identical.
Thank you for the release.


This patch merges 4.19.148-stable into -cip-rt (because that's what
recent -rt is based on, and older -rt tree is too old). Unfortunately,
that brings regression with ethernet on Renesas Arm64 targets, which
will prevent boot, and fail tests etc.

Kernel that should work ok on Renesas Arm64 machines can be obtained
by reverting fb3a780e7a76cf8efb055f8322ec039923cee41f "ravb: Fixed to
be able to unload modules" on top of -cip-rt release.
So we're releasing a Kernel that we know doesn't boot on one of CIP's reference platforms?
Or did you already revert the above patch as part of your release?
Yes, I did that, as the changelog explains. Sorry.

I had to select from few bad options: 4.19.147-rt release is not
available and previous release is too old. So -cip-rt is based on
4.19.148-rt, and it brings in the bad commit.

I thought about reverting it for release, but all I'd get would be
rejects, as it really needs to be solved in -cip, not -cip-rt.

Proper solution is likely updating 4.19-cip to 4.19.148, first. Then
figuring out what is the clean way to solve the problem, and then
creating new -rt release. But that will likely take more than few
days, and it will end up with different release number.

I can create new -cip-rt release when that is done.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [cip-kernel-sec] reports: add script to convert reports to csv format

Ben Hutchings <ben.hutchings@...>
 

On Fri, 2020-09-25 at 14:07 +0900, Daniel Sangorrin wrote:
The text version is probably enough for developers but
customers usually prefer to have a CSV that you can
open with a spreadsheet program and contains additional
information. CVEs are sorted in rows according to their
criticality.
[...]

I think this script is trying to do too many different things:

1. Importing data from NVD
2. Importing data from Debian security tracker
3. Parsing an existing report (!)
4. Generating a new report

1. If there's useful information from NVD that belongs in reports, and
the license allows us to redistribute it, we should add an import
script that adds that to the issue files (and extend the schema if
necessary). We can then use that in any of the reporting scripts.

2. I'm not sure why the script is using Debian's general security
tracker. Debian's kernel-sec normally has better information for
kernel issues, and the import_debian.py script already imports that.

3. The output of report_affected.py is intended to be human-readable,
and just happens to be relatively easy to parse. If you want to use
its output as input, that should either be done by adding a structured
format (e.g. JSON) for the intermediate file, or by sharing code
between the two reporting scripts so there's no need to use an
intermediate file.

Other comments:

- The new script needs to be documented in README.md.

- Any files created in the process of importing data should go under
the import/ subdirectory.

- Error handling needs improvement, e.g.:

+def download_file(src, file, bar=""):
+ """Re-download file when an error occurred due to network connection problem.
+ """
+ for i in range(3):
+ try:
+ wget.download(src, file, bar)
+ break
+ except:
+ pass
This doesn't check whether there was a network error; it retries in
case of *any* error. The except block should specify which exception
types we want to handle.

+ if not os.path.exists(file):
+ print("ERROR: Can't download %s" % src)
Error messages should go to stderr.

+ exit(1)
This should call sys.exit.

Ben.

--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom


Re: [ANNOUNCE] v4.19.148-cip35-rt15

Nobuhiro Iwamatsu
 

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Pavel Machek
Sent: Monday, October 5, 2020 6:39 AM
To: Chris Paterson <Chris.Paterson2@renesas.com>
Cc: Pavel Machek <pavel@denx.de>; jan.kiszka@siemens.com; cip-dev@lists.cip-project.org; SZ.Lin@moxa.com;
ben.hutchings@codethink.co.uk
Subject: Re: [cip-dev] [ANNOUNCE] v4.19.148-cip35-rt15

Hi!

New realtime trees should be available at kernel.org.

Trees are available at

https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt-rebase

And their content should be identical.
Thank you for the release.


This patch merges 4.19.148-stable into -cip-rt (because that's what
recent -rt is based on, and older -rt tree is too old). Unfortunately,
that brings regression with ethernet on Renesas Arm64 targets, which
will prevent boot, and fail tests etc.

Kernel that should work ok on Renesas Arm64 machines can be obtained
by reverting fb3a780e7a76cf8efb055f8322ec039923cee41f "ravb: Fixed to
be able to unload modules" on top of -cip-rt release.
So we're releasing a Kernel that we know doesn't boot on one of CIP's reference platforms?
Or did you already revert the above patch as part of your release?
Yes, I did that, as the changelog explains. Sorry.

I had to select from few bad options: 4.19.147-rt release is not
available and previous release is too old. So -cip-rt is based on
4.19.148-rt, and it brings in the bad commit.

I thought about reverting it for release, but all I'd get would be
rejects, as it really needs to be solved in -cip, not -cip-rt.

Proper solution is likely updating 4.19-cip to 4.19.148, first. Then
figuring out what is the clean way to solve the problem, and then
creating new -rt release. But that will likely take more than few
days, and it will end up with different release number.

I can create new -cip-rt release when that is done.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [ANNOUNCE] v4.19.148-cip35-rt15

Pavel Machek
 

Hi!

New realtime trees should be available at kernel.org.

Trees are available at

https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt-rebase

And their content should be identical.
Thank you for the release.


This patch merges 4.19.148-stable into -cip-rt (because that's what
recent -rt is based on, and older -rt tree is too old). Unfortunately,
that brings regression with ethernet on Renesas Arm64 targets, which
will prevent boot, and fail tests etc.

Kernel that should work ok on Renesas Arm64 machines can be obtained
by reverting fb3a780e7a76cf8efb055f8322ec039923cee41f "ravb: Fixed to
be able to unload modules" on top of -cip-rt release.
So we're releasing a Kernel that we know doesn't boot on one of CIP's reference platforms?
Or did you already revert the above patch as part of your release?
Yes, I did that, as the changelog explains. Sorry.

I had to select from few bad options: 4.19.147-rt release is not
available and previous release is too old. So -cip-rt is based on
4.19.148-rt, and it brings in the bad commit.

I thought about reverting it for release, but all I'd get would be
rejects, as it really needs to be solved in -cip, not -cip-rt.

Proper solution is likely updating 4.19-cip to 4.19.148, first. Then
figuring out what is the clean way to solve the problem, and then
creating new -rt release. But that will likely take more than few
days, and it will end up with different release number.

I can create new -cip-rt release when that is done.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [ANNOUNCE] v4.19.148-cip35-rt15

Chris Paterson
 

Hello Pavel,

From: Pavel Machek <pavel@denx.de>
Sent: 04 October 2020 10:07

*** gpg4o | The signature of this email could not be verified because the
following public key is missing. Click here to search and import the key
30E7F06A95DBFAF2 ***

Hi!

New realtime trees should be available at kernel.org.

Trees are available at

https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-
cip.git/log/?h=linux-4.19.y-cip-rt-rebase

And their content should be identical.
Thank you for the release.


This patch merges 4.19.148-stable into -cip-rt (because that's what
recent -rt is based on, and older -rt tree is too old). Unfortunately,
that brings regression with ethernet on Renesas Arm64 targets, which
will prevent boot, and fail tests etc.

Kernel that should work ok on Renesas Arm64 machines can be obtained
by reverting fb3a780e7a76cf8efb055f8322ec039923cee41f "ravb: Fixed to
be able to unload modules" on top of -cip-rt release.
So we're releasing a Kernel that we know doesn't boot on one of CIP's reference platforms?
Or did you already revert the above patch as part of your release?

Thanks, Chris


Best regards,
                                                                 Pavel

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures)
http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


Re: [isar-cip-core] image: export dpkg status file for debsecan

Jan Kiszka <jan.kiszka@...>
 

On 30.09.20 04:08, Daniel Sangorrin wrote:
Although the currently exported manifest probably has
enough information, the tool debsecan and our wrapper
cip-core-sec depend on the dpkg status format.

Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
---
recipes-core/images/cip-core-image-security.bb | 8 ++++++++
recipes-core/images/cip-core-image.bb | 8 ++++++++
2 files changed, 16 insertions(+)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..928774c 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \
uuid-runtime \
sudo \
"
+
+# for cip-core-sec/debsecan
+ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
+export_dpkg_status() {
+ sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
+ cat /var/lib/dpkg/status > \
+ ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
This is just a copy-out, I don't see the chroot need here.

+}
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 2cecde3..0139819 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations"
# for swupdate
SWU_DESCRIPTION ??= "swupdate"
include ${SWU_DESCRIPTION}.inc
+
+# for cip-core-sec/debsecan
+ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
+export_dpkg_status() {
+ sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
+ cat /var/lib/dpkg/status > \
+ ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
+}
Please avoid code duplication. We have means like "require some.inc" in
bitbake.

I'm also wondering if this should go to isar upstream directly. debsecan
is a generic Debian tool, nothing CIP-specific per se.

Jan


[ANNOUNCE] v4.19.148-cip35-rt15

Pavel Machek
 

Hi!

New realtime trees should be available at kernel.org.

Trees are available at

https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/log/?h=linux-4.19.y-cip-rt
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/log/?h=linux-4.19.y-cip-rt-rebase

And their content should be identical.

This patch merges 4.19.148-stable into -cip-rt (because that's what
recent -rt is based on, and older -rt tree is too old). Unfortunately,
that brings regression with ethernet on Renesas Arm64 targets, which
will prevent boot, and fail tests etc.

Kernel that should work ok on Renesas Arm64 machines can be obtained
by reverting fb3a780e7a76cf8efb055f8322ec039923cee41f "ravb: Fixed to
be able to unload modules" on top of -cip-rt release.

Best regards,
Pavel

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


Pending problem in v4.19.148 -- arm64/renesas test failing for v4.19.148-cip35-rt15 (-rt64)

Pavel Machek
 

Hi!

commit fb3a780e7a76cf8efb055f8322ec039923cee41f
Author: Yuusuke Ashizuka <ashiduka@fujitsu.com>
Date: Thu Aug 20 18:43:07 2020 +0900

ravb: Fixed to be able to unload modules

Let me investigate some more.
And this one seems to be responsible. I believe -cip will need to do
something with it when it tries to merge 4.19.148... I hit it early
because 4.19.147-rt is not available, so I merged 4.19.148-rt with
4.19.147-cip.

Fix can be as simple as reverting
fb3a780e7a76cf8efb055f8322ec039923cee41f... I'm pretty sure noone
unloads modules in production.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


Re: arm64/renesas test failing for v4.19.148-cip35-rt15 (-rt64)

Pavel Machek
 

Hi!

I got test failure when I submitted -rt branch for testing.

https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/197703780

This seems to be "real" failure:
I re-ran the test with same sources, and failure is still there.

I tried rt+v4.19.147-cip35 -- e8bcfc1349886ef3cf6625a0bc9cd25ddf80112c
-- fails, too.

Let me try commit 1d9c4c7e291d5f49ab07402ef739f98fac6e7adb (tag:
v4.19.144-cip34). ... that one works.

To be sure, let's try older rt commit:
f15040b9d853b9cfbcdd4707d9be2593b42b000b ( v4.19.142-cip33-rt14 /
-rt63). That one works ok.

-rt63-rebase and -rt64-rebase trees have same commits on top.. in
fact, they seem to have same commits. That probably means nothing
changed in -rt. But it looks like there's commit in -stable, touching
relevant area.

commit fb3a780e7a76cf8efb055f8322ec039923cee41f
Author: Yuusuke Ashizuka <ashiduka@fujitsu.com>
Date: Thu Aug 20 18:43:07 2020 +0900

ravb: Fixed to be able to unload modules

Let me investigate some more.

With no network, it is easy to understand that tests would fail.

x86_siemens, OTOH, seems to be infrastructure error
(bootloader-interrupt timed out after 599 seconds).
This one went away when I resubmitted same kernel... so lets ignore it.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


arm64/renesas test failing for v4.19.148-cip35-rt15 (-rt64)

Pavel Machek
 

Hi!

I got test failure when I submitted -rt branch for testing.

https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/197703780

This seems to be "real" failure:

[ 2.791351] asoc-audio-graph-card sound: ASoC: no DMI vendor name!
[ 2.798301] [drm] Cannot find any crtc or sizes
[ 2.805866] hctosys: unable to open rtc device (rtc0)
[ 2.811937] libphy: ravb_mii: probed
[ 2.821001] RTL8211E Gigabit Ethernet e6800000.ethernet-ffffffff:00: attached PHY driver [RTL8211E Gigabit Ethernet] (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=190)
[ 2.838052] RTL8211E Gigabit Ethernet e6800000.ethernet-ffffffff:00: Master/Slave resolution failed, maybe conflicting manual settings?
[ 12.841484] Waiting up to 110 more seconds for network.
[ 22.853482] Waiting up to 100 more seconds for network.
[ 32.865482] Waiting up to 90 more seconds for network.
[ 42.877482] Waiting up to 80 more seconds for network.
[ 52.889482] Waiting up to 70 more seconds for network.
[ 62.901482] Waiting up to 60 more seconds for network.
[ 72.913482] Waiting up to 50 more seconds for network.
[ 82.925482] Waiting up to 40 more seconds for network.
[ 92.937482] Waiting up to 30 more seconds for network.
[ 102.949482] Waiting up to 20 more seconds for network.
[ 112.961482] Waiting up to 10 more seconds for network.
[ 122.861490] Sending DHCP requests ...... timed out!
[ 209.890289] IP-Config: Retrying forever (NFS root)...
[ 209.895535] libphy: ravb_mii: probed
[ 209.899386] mdio_bus e6800000.ethernet-ffffffff: MDIO device at address 0 is missing.
[ 209.910604] ravb e6800000.ethernet eth0: failed to connect PHY
[ 209.916705] IP-Config: Failed to open eth0
[ 219.925483] Waiting up to 110 more seconds for network.
[ 229.937481] Waiting up to 100 more seconds for network.
[ 239.949481] Waiting up to 90 more seconds for network.
[ 249.961481] Waiting up to 80 more seconds for network.

With no network, it is easy to understand that tests would fail.

x86_siemens, OTOH, seems to be infrastructure error
(bootloader-interrupt timed out after 599 seconds).

Let me investigate it some more.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


[ANNOUNCE] v4.4.235-cip49-rt31

Pavel Machek
 

Hi!

v4.4.235-cip49-rt31 should be available at kernel.org.

Trees are available at

https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/log/?h=linux-4.4.y-cip-rt

https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/log/?h=linux-4.4.y-cip-rt-rebase

And their content should be identical.

Best regards,
Pavel


Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?

Nobuhiro Iwamatsu
 

Hi all,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of
masashi.kudo@cybertrust.co.jp
Sent: Saturday, September 19, 2020 7:44 AM
To: jan.kiszka@siemens.com; cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] Is CVE-2020-25284 backporting needed for 4.4-rt x86?

Hi, Jan-san,

Thanks for your quick response!

Is that the only config in our repo carrying rbd/ceph? The we should likely drop
that, to be clear also in the future.
When we discussed at the IRC, the config carrying rbd/ceph is only 4.4-rt x86.

So, I understood that the backporting is not required.
I removed CONFIG_BLK_DEV_RBD from 4.4.y-cip-rt/x86/siemens_i386-rt.config.

Best regards,
Nobuhiro


Re: CIP IRC weekly meeting today

Pavel Machek
 

Hi!

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=10&day=1&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00
I may be able to make it, but in case I will not:

I reviewed 4.19.148 and 4.19.149.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

1121 - 1140 of 6628