Re: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
Venkata Pyla
On Fri, Sep 18, 2020 at 10:23 AM, Venkata Pyla wrote:
Hi Daniel-san,

I have created the merge request for all the security layer changes, including your suggestions. Kindly review and let me know if you have any more suggestions.

Thanks,
Venkata
Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Jan-san,
Thanks for your quick response!

> Is that the only config in our repo carrying rbd/ceph? Then we should likely drop

When we discussed at the IRC, the config carrying rbd/ceph is only 4.4-rt x86. So, I understood that the backporting is not required.

Best regards,
-- M. Kudo

-----Original Message-----
Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?
Jan Kiszka
On 18.09.20 15:58, masashi.kudo@... wrote:
> Hi, Jan-san, Siemens team,

Not to my best knowledge. This is very likely an accidental choice. Is that the only config in our repo carrying rbd/ceph? Then we should likely drop that, to be clear also in the future.

Jan

> Please take a look about the discussion at the IRC meeting yesterday.

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
Is CVE-2020-25284 backporting needed for 4.4-rt x86?
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Jan-san, Siemens team,
There was some query to Siemens about the need of CVE-2020-25284 backporting.

- CVE-2020-25284 is in rbd (Ceph block device).
- It is only fixed for v4.19 and later stable kernels.
- Siemens has this built as a module in their 4.4-rt x86 config, but not their 4.19 one.

So the question from the Kernel Team is whether Siemens needs its backporting to 4.4-rt or not.

Please take a look at the discussion at the IRC meeting yesterday.
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html

Best regards,
-- M. Kudo
Re: [isar-cip-core][PATCH] classes/image_uuid: Generate new uuid if a new package is added
Jan Kiszka
On 18.09.20 10:04, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@...>

Why not using an undefined or empty IMAGE_UUID as "generate me one" indication?

> - base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True)

Is that namespace random, or does that have specific meaning?

> do_generate_image_uuid[vardeps] += "IMAGE_UUID"

Please separate variables from job definitions by a blank line. Also the job specifications above should be visually separated from the code below that way. IOW:

IMAGER_INSTALL += "uuid-runtime"

do_generate_image_uuid[vardeps] += "IMAGE_UUID"
do_generate_image_uuid[depends] = "buildchroot-target:do_build"

do_generate_image_uuid() {

> do_generate_image_uuid() {

Why do we need to switch to uuidgen from the buildchroot, rather than using python's uuid? And what ensures that uuidgen is available there?

> + fi

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
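Jan asks why the class shells out to uuidgen instead of using Python's uuid module. As an added example (not Jan's, Quirin's or the project's code), the following reproduces both image-UUID schemes from the patch in pure Python, spells out the SHA-1 construction that `uuidgen -s -n NAMESPACE -N NAME` performs so the equivalence with uuid.uuid5() is visible, and validates a non-default IMAGE_UUID before it is written into os-release. The namespace is the one from the patch; the task hashes are constructed.

```python
"""Added example, not code from the isar-cip-core patch or its author: the two
image-UUID schemes discussed in this thread done in pure Python. The new
scheme is what `uuidgen -s -n NAMESPACE -N BB_TASKHASH` computes in the build
chroot; uuid.uuid5() yields the identical value without a chroot."""
import hashlib
import uuid

# Namespace as introduced by the patch under review.
IMAGE_UUID_NAMESPACE = uuid.UUID("6090f47e-b068-475c-b125-7be7c24cdd4e")

# Constructed stand-ins for BB_BASEHASH_task-do_rootfs_install and for
# BB_TASKHASH before and after a dependency (package) change.
BASEHASH = "9f0c4a2e7b1d3c5e8a6f0b2d4c6e8a0f1b3d5c7e9a2c4e6f8a0b1c3d5e7f9a1b"
TASKHASH_BEFORE = "0a1b2c3d4e5f60718293a4b5c6d7e8f9fedcba9876543210aabbccddeeff0011"
TASKHASH_AFTER = "1122334455667788990aabbccddeeff00112233445566778899aabbccddeeff0"


def old_image_uuid(base_hash):
    """Replaced scheme: first 32 hex digits of BB_BASEHASH stamped as a v4
    UUID. BB_BASEHASH ignores dependencies, so a package update that leaves
    the task's own metadata unchanged leaves this UUID unchanged too."""
    if not base_hash:
        return None
    return str(uuid.UUID(base_hash[:32], version=4))


def new_image_uuid(task_hash, namespace=IMAGE_UUID_NAMESPACE):
    """New scheme: name-based (version 5, SHA-1) UUID over BB_TASKHASH,
    which does change when a dependency changes."""
    return str(uuid.uuid5(namespace, task_hash))


def uuidgen_sha1_equivalent(task_hash, namespace=IMAGE_UUID_NAMESPACE):
    """RFC 4122 version 5 spelled out: SHA-1(namespace bytes || name),
    truncated to 128 bits, version and variant bits forced. This is the
    computation uuidgen -s performs, shown to make the equivalence visible."""
    raw = bytearray(hashlib.sha1(namespace.bytes + task_hash.encode()).digest()[:16])
    raw[6] = (raw[6] & 0x0F) | 0x50   # version nibble = 5
    raw[8] = (raw[8] & 0x3F) | 0x80   # RFC 4122 variant bits = 10
    return str(uuid.UUID(bytes=bytes(raw)))


def is_well_formed_uuid(value):
    """True when `value` parses as a UUID; checked before anything
    user-supplied is echoed into /etc/os-release."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def resolve_image_uuid(image_uuid_setting, task_hash):
    """Mirror the class's IMAGE_UUID handling: the "random" default derives
    the UUID from the task hash; any other value must be a well-formed UUID."""
    if image_uuid_setting == "random":
        return new_image_uuid(task_hash)
    if not is_well_formed_uuid(image_uuid_setting):
        raise ValueError("IMAGE_UUID is not a UUID: %r" % image_uuid_setting)
    return str(uuid.UUID(image_uuid_setting))


def os_release_with_uuid(os_release_text, image_uuid):
    """What the class does with sed and tee: drop any IMAGE_UUID= line, then
    append the new one."""
    kept = [ln for ln in os_release_text.splitlines() if not ln.startswith("IMAGE_UUID=")]
    kept.append('IMAGE_UUID="%s"' % image_uuid)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("old scheme           :", old_image_uuid(BASEHASH))
    print("new scheme, before   :", new_image_uuid(TASKHASH_BEFORE))
    print("new scheme, after    :", new_image_uuid(TASKHASH_AFTER))
    print("uuidgen -s equivalent:", uuidgen_sha1_equivalent(TASKHASH_AFTER))
```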
[isar-cip-core][PATCH] classes/image_uuid: Generate new uuid if a new package is added
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
BB_BASEHASH only includes the task itself and its metadata. Dependencies are not taken into account when this hash is generated which means updating a package will not generate a new UUID. BB_TASKHASH takes the changes into account. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- classes/image_uuid.bbclass | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass index d5337b8..873abc5 100644 --- a/classes/image_uuid.bbclass +++ b/classes/image_uuid.bbclass @@ -9,23 +9,23 @@ # SPDX-License-Identifier: MIT # -def generate_image_uuid(d): - import uuid +IMAGE_UUID ?= "random" - base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True) - if base_hash is None: - return None - return str(uuid.UUID(base_hash[:32], version=4)) - -IMAGE_UUID ?= "${@generate_image_uuid(d)}" +IMAGE_UUID_NAMESPACE = "6090f47e-b068-475c-b125-7be7c24cdd4e" do_generate_image_uuid[vardeps] += "IMAGE_UUID" do_generate_image_uuid[depends] = "buildchroot-target:do_build" +IMAGER_INSTALL += "uuid-runtime" do_generate_image_uuid() { + image_do_mounts + if [ "${IMAGE_UUID}" != "random" ]; then + IMAGE_UUID_FINAL="${IMAGE_UUID}" + else + IMAGE_UUID_FINAL="$(sudo -E chroot ${BUILDCHROOT_DIR} uuidgen -s -n "${IMAGE_UUID_NAMESPACE}" -N "${BB_TASKHASH}")" + fi sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' - echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ + echo "IMAGE_UUID=\"${IMAGE_UUID_FINAL}\"" | \ sudo tee -a '${IMAGE_ROOTFS}/etc/os-release' - image_do_mounts # update initramfs to add uuid sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u -- 2.20.1
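Review bot: a non-default IMAGE_UUID reaches /etc/os-release unvalidated. In the `if [ "${IMAGE_UUID}" != "random" ]` branch IMAGE_UUID_FINAL takes whatever the user set, and `echo "IMAGE_UUID=\"${IMAGE_UUID_FINAL}\""` appends it verbatim, so a value containing quotes, whitespace or a newline corrupts os-release for every consumer of that file; check it against a UUID pattern and fail the task otherwise. The `"random"` sentinel also reads oddly now that the generated value is deterministic (a SHA-1 name-based UUID over BB_TASKHASH via `uuidgen -s`), so either rename it or, as Jan suggests, treat an empty IMAGE_UUID as the trigger. Finally, `do_generate_image_uuid[depends] = "buildchroot-target:do_build"` does not by itself guarantee that uuid-runtime, added through IMAGER_INSTALL, is present in ${BUILDCHROOT_DIR} when this task runs; either document which task installs IMAGER_INSTALL before this one, or compute the same value with Python's uuid.uuid5(IMAGE_UUID_NAMESPACE, BB_TASKHASH) and drop the chroot dependency.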
Re: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
Venkata Pyla
Hi Daniel-san,
Thank you for your feedback. Sorry for the spell-check issues in the commits; I will correct them and send another merge request. I will also apply the other security configuration suggestions.

Thanks,
Venkata
> -----Original Message-----
> From: daniel.sangorrin@... <daniel.sangorrin@...>
> Sent: 17 September 2020 08:32
> To: Venkata Seshagiri Pyla <Venkata.Pyla@...>
> Cc: Venkata Seshagiri Pyla <Venkata.Pyla@...>; cip-dev@...
> Subject: RE: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
>
> Hi Venkata-san
>
> Please check my inline comments and send me a merge request when you solve them.
>
> > -----Original Message-----
> > bbappend the security configurations like
>
> Ideally, you would separate the patches for each file unless they have something in common.
>
> > diff --git
>
> Append "for audit" to the description.
>
> > +
>
> Don't you need to specify the values for space_left and admin_space_left? Perhaps these variables should be configurable and have a default value. Example:
>
>     AUDIT_SPACE_LEFT ?= "100"
>
> Then you can change the value in local.conf (or using kas's local_conf_headers)
>
> > +
>
> Please check if you need other options as well here:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service
>
> > diff --git
>
> Is this related to the security layer? If not, please separate it into a different patch and explain why it is necessary.
>
> > diff --git
>
> Same as before, append "for openssh". The description for different things should be different.
>
> > +
>
> Perhaps make the value for ClientAliveInterval configurable and use 120 as default.
>
> > +}
>
> Same thing: "for libpam"
>
> > +
>
> Perhaps set minlen configurable.
>
> > +
>
> Thanks,
> Daniel

The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP), Bangalore. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
Re: CIP IRC weekly meeting today
Akihiro Suzuki
Hi Kudo-san,
Sorry, I will be absent from today's IRC meeting because I've already got a plan today. The SW Updates WG doesn't have any updates this week.

Thanks,
Suzuki
-----Original Message-----
Re: [cip-core:deby 3/3] aide-static: enable aide to build statically
Daniel Sangorrin <daniel.sangorrin@...>
Thanks, it looks good.
Perhaps you can write in the commit id what the effect in size is compared to not using static compilation.

Please send me a merge request.
-----Original Message-----
Re: [cip-core:deby 1/3] cip-security: Create new layer for cip security
Daniel Sangorrin <daniel.sangorrin@...>
Thanks, it looks good
Please send me a merge request
-----Original Message-----
Re: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
Daniel Sangorrin <daniel.sangorrin@...>
Hi Venkata-san
Please check my inline comments and send me a merge request when you solve them.
> -----Original Message-----
> bbappend the security configurations like

Ideally, you would separate the patches for each file unless they have something in common.

> diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-

Append "for audit" to the description.

> +

Don't you need to specify the values for space_left and admin_space_left? Perhaps these variables should be configurable and have a default value. Example:

    AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers).

> +

Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

> diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-

Is this related to the security layer? If not, please separate it into a different patch and explain why it is necessary.

> diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-

Same as before, append "for openssh". The description for different things should be different.

> +

Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

> +}

Same thing: "for libpam"

> +

Perhaps set minlen configurable.

> +

Thanks,
Daniel
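Daniel's comments concern which auditd, sshd and PAM values the bbappends set and how they are applied. As an added example (not Daniel's, Venkata's or the project's code), the following checker evaluates extracted /etc files against the CR mappings used in this series, honouring sshd's first-occurrence-wins rule and whole-key matching in auditd.conf, so a CI job can tell whether the postinst edits actually took effect; all configuration text below is constructed sample data.

```python
"""Added example, not code from the cip-core series or its reviewers: a checker
for the settings the security-configuration bbappends apply, meant to run in
CI against /etc files extracted from a built image. It encodes two parsing
rules a sed-based postinst easily violates: sshd takes the FIRST active
occurrence of a keyword, and auditd.conf keys must match whole
(space_left_action is a suffix of admin_space_left_action)."""
import re


def parse_sshd_config(text):
    """Effective sshd directives: first active occurrence wins, keywords are
    case-insensitive, blank and '#' lines are ignored."""
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key not in effective:
            effective[key] = parts[1].strip() if len(parts) > 1 else ""
    return effective


def parse_auditd_conf(text):
    """auditd.conf is 'key = value' per line; later lines override earlier."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key] = value
    return conf


def pam_module_args(text, module):
    """Arguments of the first active PAM line loading `module` as a dict
    (bare flags map to True); None when the module is not active."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or module not in tokens:
            continue
        args = {}
        for tok in tokens[tokens.index(module) + 1:]:
            key, _, value = tok.partition("=")
            args[key] = value if value else True
        return args
    return None


def check_profile(sshd, auditd, common_password, common_auth, limits):
    """Evaluate the CR mappings named in the bbappends; [] means compliant."""
    findings = []
    s = parse_sshd_config(sshd)
    if s.get("clientaliveinterval", "0") == "0":                 # CR2.6
        findings.append("sshd: effective ClientAliveInterval is 0 (unset)")
    a = parse_auditd_conf(auditd)
    for key in ("space_left_action", "admin_space_left_action",  # CR2.9
                "disk_error_action"):                            # CR2.10
        if a.get(key, "").upper() != "SYSLOG":
            findings.append("auditd: %s = %s, expected SYSLOG" % (key, a.get(key, "<missing>")))
    crack = pam_module_args(common_password, "pam_cracklib.so")  # CR1.7
    if crack is None or int(crack.get("minlen", 0)) < 8:
        findings.append("pam: pam_cracklib missing or minlen < 8")
    tally = pam_module_args(common_auth, "pam_tally2.so")        # CR1.11
    if tally is None or "deny" not in tally:
        findings.append("pam: pam_tally2 lockout not configured")
    if not re.search(r"^\*\s+hard\s+maxlogins\s+\d+\s*$", limits, re.M):  # CR2.7
        findings.append("limits: no '* hard maxlogins N' entry")
    return findings


# Constructed samples. The *_OK set is what the bbappends intend to produce;
# the *_TRAP set is what a blind "append at end" / unanchored sed can yield.
SSHD_OK = "Port 22\n#ClientAliveInterval 0\nClientAliveInterval 120\nClientAliveCountMax 0\n"
SSHD_TRAP = "ClientAliveInterval 0\nClientAliveInterval 120\n"   # first wins: 0
AUDITD_OK = ("space_left = 75\nspace_left_action = SYSLOG\n"
             "admin_space_left_action = SYSLOG\ndisk_error_action = SYSLOG\n")
AUDITD_TRAP = ("space_left_action = SUSPEND\nadmin_space_left_action = SYSLOG\n"
               "disk_error_action = SYSLOG\n")
PASSWORD_OK = ("password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 "
               "lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root\n"
               "password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512\n")
AUTH_OK = ("auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60\n"
           "auth [success=1 default=ignore] pam_unix.so nullok_secure\n")
LIMITS_OK = "# /etc/security/limits.conf\n* hard maxlogins 2\n"

if __name__ == "__main__":
    print("hardened image:", check_profile(SSHD_OK, AUDITD_OK, PASSWORD_OK, AUTH_OK, LIMITS_OK) or "compliant")
    for finding in check_profile(SSHD_TRAP, AUDITD_TRAP, PASSWORD_OK, AUTH_OK, LIMITS_OK):
        print("finding:", finding)
```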
CIP IRC weekly meeting today
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi all,
Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=9&day=17&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest  USEast  UK     DE     TW     JP
02:00   05:00   10:00  11:00  17:00  18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-10-09.00.log.html

Agenda:
* Action item
  1. Combine root filesystem with kselftest binary - iwamatsu
  2. Post LTP results to KernelCI - patersonc
* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

Since there will be another meeting at 9:30 GMT, the meeting will take less than 30 min today. If some topics may take long, they will be taken offline or in the next meeting.

Best regards,
-- M. Kudo
Cybertrust Japan Co., Ltd.
[cip-core:deby 3/3] aide-static: enable aide to build statically
Venkata Pyla
From: venkata pyla <venkata.pyla@...>
To build aide statically, its dependencies also compile staticalliy, so all aide dependent library packages enabled static compiling in an include file and added to the layer configuration. Signed-off-by: venkata pyla <venkata.pyla@...> --- meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++ meta-cip-security/conf/layer.conf | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc new file mode 100644 index 0000000..1dc4374 --- /dev/null +++ b/meta-cip-security/conf/include/aide-static-libs.inc @@ -0,0 +1,10 @@ +DISABLE_STATIC ?= " --disable-static" + +# aide dependencies to build statically +DISABLE_STATIC_pn-aide = " " +DISABLE_STATIC_pn-libgpg-error = " " +DISABLE_STATIC_pn-libmhash = " " +DISABLE_STATIC_pn-attr = " " +DISABLE_STATIC_pn-acl = " " +DISABLE_STATIC_pn-libpcre = " " +EXTRA_OECONF_append_pn-aide = " --without-audit" diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf index b015436..158d75c 100644 --- a/meta-cip-security/conf/layer.conf +++ b/meta-cip-security/conf/layer.conf 
@@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1" LAYERDEPENDS_cip-security = "debian" LAYERSERIES_COMPAT_cip-security = "warrior" + +require conf/include/aide-static-libs.inc -- 2.27.0.windows.1 The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
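Review bot: the commit message should state the trade-off of the aide-static-libs.inc hunk: with `DISABLE_STATIC_pn-libgpg-error`, `-libmhash`, `-attr`, `-acl` and `-libpcre` cleared, copies of those libraries are linked into the aide binary, so a security fix in any of them requires rebuilding and reinstalling aide rather than only the shared library; for an integrity-checking tool that is exactly what an assessor will ask about (Daniel also asked for the size impact). `EXTRA_OECONF_append_pn-aide = " --without-audit"` is unrelated to static linking and is not explained; say why aide's audit support is dropped in a layer that also installs auditd, or split it into its own patch. `DISABLE_STATIC ?= " --disable-static"` is a weak default, so an earlier `?=` or any hard assignment elsewhere wins silently; confirm that is intended.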
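Review bot: `require conf/include/aide-static-libs.inc` from layer.conf applies the per-recipe DISABLE_STATIC overrides to every build that lists meta-cip-security in bblayers, whether or not aide is in the image. Moving the require into the kas option file (kas/opt/security.yml) or an image-level include would scope the static builds to the security image only, which is what the commit message describes.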
[cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
Venkata Pyla
From: venkata pyla <venkata.pyla@...>
add package bbappaned files in the security layer that will apply the security configurations like e.g: Set password strength in pam configurations Set audit failure actions in audit package configurations etc. Signed-off-by: venkata pyla <venkata.pyla@...> --- .../audit/audit_debian.bbappend | 20 ++++++++++ .../base-files/base-files_debian.bbappend | 3 ++ .../openssh/openssh_debian.bbappend | 19 +++++++++ .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend new file mode 100644 index 0000000..c148f27 --- /dev/null +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend @@ -0,0 +1,20 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_audit_append() { + # CR2.9: Audit storage capacity + # CR2.9 RE-1: Warn when audit record storage capacity threshold reached + AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf" + sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE + sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE + + # CR2.10: Response to audit processing failures + sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE +} diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend new file mode 100644 index 0000000..895dc9f 
--- /dev/null +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend @@ -0,0 +1,3 @@ +do_install_append() { + echo "${MACHINE}" > ${D}${sysconfdir}/hostname +} diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend new file mode 100644 index 0000000..ddd2bfc --- /dev/null +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend @@ -0,0 +1,19 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_${PN}_append() { + # CR2.6: Remote session termination + # Terminate remote session after inactive time period + SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config" + alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") + alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") + sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" + sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" +} diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend new file mode 100644 index 0000000..c9c1605 --- /dev/null +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend 
@@ -0,0 +1,39 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_pam-plugin-cracklib_append() { + # CR1.7: Strength of password-based authentication + # Pam configuration to enforce password strength + PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password" + CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" + if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then + sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" + fi + sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}" +} + +pkg_postinst_pam-plugin-tally2_append() { + # CR1.11: Unsuccessful login attempts + # Lock user account after unsuccessful login attempts + PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth" + pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then + sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}" + fi + sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}" +} + + +pkg_postinst_libpam_append() { + # CR2.7: Concurrent session control + # Limit the concurrent login sessions + LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf" + echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} +} -- 2.27.0.windows.1 The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. 
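Review bot: the sed patterns in pkg_postinst_audit_append are unanchored, so `s/space_left_action = .*/space_left_action = SYSLOG/` also matches the `admin_space_left_action = ...` line (the key is a suffix of it); today both end up SYSLOG so nothing visibly breaks, but the moment the two actions are meant to differ the first substitution clobbers the second. Anchor with `^` (`s/^space_left_action = .*/.../`). The hunk sets the three *_action keys but neither the thresholds they trigger on (space_left, admin_space_left) nor disk_full_action, which CR2.10 also covers; as Daniel suggests, expose them as `?=` variables with defaults so an integrator can tune them from local.conf, and state in the commit message which action the profile expects once storage is actually exhausted, since SYSLOG only records the condition.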
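Review bot: `echo "${MACHINE}" > ${D}${sysconfdir}/hostname` in base-files_debian.bbappend is unrelated to the security profile and is not mentioned in the commit message; as Daniel notes, move it to its own patch with a rationale, since using the machine name as hostname is a distro decision rather than a CR requirement.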
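Review bot: the ClientAlive edits in openssh_debian.bbappend fail when the directive is absent or appears more than once. `alive_interval=$(sed -n '/ClientAliveInterval/p' ...)` captures whole lines and reuses them as a sed address in `sed -i "/${alive_interval}/c ClientAliveInterval 120"`; with no matching line the address is empty (sed aborts with "no previous regular expression" and the setting is never written), and with two matches the variable holds a newline and the script is invalid. Delete every `^#\?ClientAliveInterval` line and append the directive instead; that is also idempotent across re-runs of the postinst and respects sshd's first-occurrence-wins rule. Two caveats for the CR2.6 mapping belong in the commit message: ClientAlive probes detect an unresponsive client, not an idle user, so a live but idle session is not terminated by this setting alone; and OpenSSH 8.2 redefined `ClientAliveCountMax 0` to disable connection termination rather than to disconnect on the first missed probe, so the value must be checked against the OpenSSH version the profile ships.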
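Review bot: in pkg_postinst_libpam_append, `echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}` is appended unconditionally, so every re-run of the postinst (package upgrade) adds another copy; guard it with a grep. pam_limits does not apply `*` entries to root, so either state that root is intentionally outside the CR2.7 limit or add an explicit `root hard maxlogins 2`. In pkg_postinst_pam-plugin-tally2_append, only the `auth required pam_tally2.so deny=3 ...` line is inserted; the failure counter is reset through pam_setcred(3), so the usual Debian pattern also adds `account required pam_tally2.so` to common-account for services that do not call it, and the patch should say why that is omitted. Minor: `if grep -c ...;then` prints the match count into the build log, `grep -q` is the idiom. As Daniel says, minlen, deny and unlock_time are natural `?=` variables.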
Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
[cip-core:deby 1/3] cip-security: Create new layer for cip security
Venkata Pyla
From: venkata pyla <venkata.pyla@...>
This layer enables security packages and default configurations required to evaluate IEC62443-4-2 assessment Signed-off-by: venkata pyla <venkata.pyla@...> --- README.md | 5 +++++ kas/opt/security.yml | 32 +++++++++++++++++++++++++++++++ meta-cip-security/conf/layer.conf | 18 +++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 kas/opt/security.yml create mode 100644 meta-cip-security/conf/layer.conf diff --git a/README.md b/README.md index f90e040..f59dd0c 100644 --- a/README.md +++ b/README.md @@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m $ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml +Create Security image for QEMU x86-64 +------------------------------------- + + $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml + diff --git a/kas/opt/security.yml b/kas/opt/security.yml new file mode 100644 index 0000000..e84290c --- /dev/null +++ b/kas/opt/security.yml @@ -0,0 +1,32 @@ +# +# CIP Core tiny profile with Security +# packages and configuration +# +# Copyright (c) 2019 TOSHIBA Corp. +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +repos: + meta-cip-security: + layers: + meta-cip-security: + +local_conf_header: + security: | + DISTRO_FEATURES_append += " pam" + CORE_IMAGE_EXTRA_INSTALL += " \ + aide aide-common \ + openssl openssl-bin \ + openssh openssh-misc \ + chrony chronyc \ + libpam pam-plugin-cracklib pam-plugin-tally2 \ + syslog-ng \ + acl \ + sudo \ + auditd \ + util-linux \ + " diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf new file mode 100644 index 0000000..b015436 --- /dev/null +++ b/meta-cip-security/conf/layer.conf 
@@ -0,0 +1,18 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH =. "${LAYERDIR}:" + +# We have recipes-* directories, add to BBFILES +BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend" + +BBFILE_COLLECTIONS += "cip-security" +BBFILE_PATTERN_cip-security = "^${LAYERDIR}/" +BBFILE_PRIORITY_cip-security = "11" + +# This should only be incremented on significant changes that will +# cause compatibility issues with other layers +LAYERVERSION_cip-security = "1" + +LAYERDEPENDS_cip-security = "debian" + +LAYERSERIES_COMPAT_cip-security = "warrior" -- 2.27.0.windows.1 The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
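Review bot: `DISTRO_FEATURES_append += " pam"` in kas/opt/security.yml combines an override-style `_append` with `+=`; the BitBake manual warns against mixing the two, and the idiom is `DISTRO_FEATURES_append = " pam"` (leading space, plain `=`). The header reads `Copyright (c) 2019 TOSHIBA Corp.` in a file created in 2020, while the bbappends in 2/3 say 2020; align them. The CORE_IMAGE_EXTRA_INSTALL list pulls in `sudo`, `openssl-bin` and `util-linux` without saying which requirement each serves; a one-line CR mapping, as the bbappends already do with CR numbers, would make the IEC 62443-4-2 traceability the cover letter promises reviewable.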
[cip-core:deby 0/3] deby security layer changes
Venkata Pyla
From: venkata-pyla <venkata.pyla@...>
Added a security layer in deby that will be used for IEC 62443-4-2 certification

venkata pyla (3):
  cip-security: Create new layer for cip security
  security-configuration: apply security polcies using package bbappend
  aide-static: enable aide to build statically

 README.md                                     |  5 +++
 kas/opt/security.yml                          | 32 +++++++++++++++
 .../conf/include/aide-static-libs.inc         | 10 +++++
 meta-cip-security/conf/layer.conf             | 20 ++++++++++
 .../audit/audit_debian.bbappend               | 20 ++++++++++
 .../base-files/base-files_debian.bbappend     |  3 ++
 .../openssh/openssh_debian.bbappend           | 19 +++++++++
 .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
 8 files changed, 148 insertions(+)
 create mode 100644 kas/opt/security.yml
 create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc
 create mode 100644 meta-cip-security/conf/layer.conf
 create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

-- 
2.27.0.windows.1

The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP), Bangalore.
Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
Re: [cip-kernel-config ][ RFC 1/1] 4.19.y-cip/cip_bbb_defconfig: Add config switches from isar-cip-core
Nobuhiro Iwamatsu
Hi,
-----Original Message-----

I see. Would you send a patch for v4.4 as well?

Best regards,
  Nobuhiro
[ANNOUNCE] Release v4.19.144-cip34 and v4.4.235-cip49
Nobuhiro Iwamatsu
Hi,
I was late for release due to a LAVA issue. (Thanks to Chris for fixing this.)

CIP kernel team has released Linux kernel v4.19.144-cip34 and v4.4.235-cip49.

The linux-4.19.y-cip tree has been updated from base version v4.19.140 to v4.19.144, and the linux-4.4.y-cip tree has been updated from base version v4.4.231 to v4.4.235.

This release includes many backport patches for each version. 4.19.y-cip adds a new revision board for HiHope RZ/G2M and many IP support patches for r8a774e1 and r8a7795. And 4.4.y-cip has added support for Renesas ARM SoC RZ/G1H (r8a7742) and iWave G21D-Q7 board. Also, the cpufreq driver for TI platforms (am33xx and etc) has been backported.

We can get this release via the git tree at:

v4.19.144-cip34:
  repository: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
  branch: linux-4.19.y-cip
  commit hash: 1d9c4c7e291d5f49ab07402ef739f98fac6e7adb

  added commits:
    CIP: Bump version suffix to -cip34 after merge from stable
    arm64: dts: renesas: Fix SD Card/eMMC interface device node names
    arm64: dts: renesas: r8a774e1: Add RWDT node
    dt-bindings: watchdog: renesas,wdt: Document r8a774e1 support
    arm64: dts: renesas: r8a774e1: Add MSIOF nodes
    spi: renesas,sh-msiof: Add r8a774e1 support
    arm64: dts: renesas: r8a774e1: Add I2C and IIC-DVFS support
    dt-bindings: i2c: renesas,iic: Document r8a774e1 support
    dt-bindings: i2c: renesas,i2c: Document r8a774e1 support
    arm64: dts: renesas: r8a774e1: Add SDHI nodes
    mmc: renesas_sdhi_internal_dmac: Add r8a774e1 support
    arm64: dts: renesas: r8a774e1: Add SCIF and HSCIF nodes
    arm64: dts: renesas: r8a774e1: Add CAN[FD] support
    can: rcar_can: Remove unused platform data support
    arm64: dts: renesas: r8a774e1: Add TMU device nodes
    arm64: dts: renesas: r8a774e1: Add CMT device nodes
    arm64: dts: renesas: r8a774e1: Add RZ/G2H thermal support
    thermal: rcar_gen3_thermal: Add r8a774e1 support
    thermal/drivers/rcar_gen3: Fix undefined temperature if negative
    thermal: rcar_gen3_thermal: Generate interrupt when temperature changes
    thermal: rcar_gen3_thermal: Remove temperature bound
    arm64: dts: renesas: r8a774e1: Add operating points
    arm64: dts: renesas: r8a774e1: Add Ethernet AVB node
    arm64: dts: renesas: r8a774e1: Add GPIO device nodes
    arm64: dts: renesas: r8a774e1: Add SYS-DMAC device nodes
    dt-bindings: dma: renesas,rcar-dmac: Document R8A774E1 bindings
    arm64: dts: renesas: r8a774e1: Add IPMMU device nodes
    iommu/ipmmu-vmsa: Hook up R8A774E1 DT matching code
    dt-bindings: iommu: renesas,ipmmu-vmsa: Add r8a774e1 support
    arm64: dts: renesas: Add HiHope RZ/G2H sub board support
    arm64: dts: renesas: Add HiHope RZ/G2H main board support
    dt-bindings: arm: renesas: Add HopeRun RZ/G2H boards
    arm64: dts: renesas: Initial r8a774e1 SoC device tree
    pinctrl: sh-pfc: pfc-r8a77951: Add R8A774E1 PFC support
    dt-bindings: pinctrl: sh-pfc: Document r8a774e1 PFC support
    pinctrl: sh-pfc: Split R-Car H3 support in two independent drivers
    pinctrl: sh-pfc: pfc-r8a7795: Fix typo in pinmux macro for SCL3
    pinctrl: sh-pfc: pfc-r8a7795-es1: Fix typo in pinmux macro for SCL3
    pinctrl: sh-pfc: r8a7795: Use new macros for non-GPIO pins
    pinctrl: sh-pfc: r8a7795-es1: Use new macros for non-GPIO pins
    pinctrl: sh-pfc: r8a7795: Add TPU pins, groups and functions
    pinctrl: sh-pfc: r8a7795-es1: Add TPU pins, groups and functions
    pinctrl: sh-pfc: rcar-gen3: Rename RTS{0,1,3,4}# pin function definitions
    pinctrl: sh-pfc: rcar-gen3: Retain TDSELCTRL register across suspend/resume
    pinctrl: sh-pfc: r8a7795: Deduplicate VIN5 pin definitions
    pinctrl: sh-pfc: r8a7795: Add I2C{0,3,5} pins, groups and functions
    pinctrl: sh-pfc: r8a7795-es1: Add I2C{0,3,5} pins, groups and functions
    pinctrl: sh-pfc: r8a7795: Fix VIN versioned groups
    pinctrl: sh-pfc: r8a77965: Fix DU_DOTCLKIN3 drive/bias control
    arm64: defconfig: Enable R8A774E1 SoC
    clk: renesas: cpg-mssr: Add r8a774e1 support
    dt-bindings: clock: renesas,cpg-mssr: Document r8a774e1
    clk: renesas: rzg2: Mark RWDT clocks as critical
    clk: renesas: cpg-mssr: Mark clocks as critical only if on at boot
    clk: renesas: rcar-gen3: Allow changing the RPC[D2] clocks
    clk: renesas: Add r8a774e1 CPG Core Clock Definitions
    clk: renesas: rcar-gen3: Add RPC clocks
    soc: renesas: rcar-rst: Add support for RZ/G2H
    dt-bindings: reset: rcar-rst: Document r8a774e1 reset module
    soc: renesas: Identify RZ/G2H
    dt-bindings: arm: renesas: Document RZ/G2H SoC DT bindings
    soc: renesas: Add Renesas R8A774E1 config option
    soc: renesas: rcar-sysc: Add r8a774e1 support
    dt-bindings: power: renesas,rcar-sysc: Document r8a774e1 SYSC binding
    dt-bindings: power: Add r8a774e1 SYSC power domain definitions
    arm64: dts: renesas: r8a774a1: Remove audio port node
    arm64: dts: renesas: Add HiHope RZ/G2N Rev2.0/3.0/4.0 board with idk-1110wr display
    arm64: dts: renesas: Add HiHope RZ/G2N Rev.3.0/4.0 sub board support
    arm64: dts: renesas: Add HiHope RZ/G2N Rev.3.0/4.0 main board support
    arm64: dts: renesas: Add HiHope RZ/G2M Rev.3.0/4.0 board with idk-1110wr display
    arm64: dts: renesas: hihope-rzg2-ex: Separate out lvds specific nodes into common file
    arm64: dts: renesas: Add HiHope RZ/G2M Rev.3.0/4.0 sub board support
    arm64: dts: renesas: Add HiHope RZ/G2M Rev.3.0/4.0 main board support
    arm64: dts: renesas: Add HiHope RZ/G2M[N] Rev.3.0/4.0 specific into common file
    arm64: dts: renesas: hihope-common: Separate out Rev.2.0 specific into hihope-rev2.dtsi file
    arm64: dts: renesas: r8a774b1-hihope-rzg2n[-ex]: Rename HiHope RZ/G2N boards
    arm64: dts: renesas: r8a774a1-hihope-rzg2m[-ex/-ex-idk-1110wr]: Rename HiHope RZ/G2M boards

v4.4.235-cip49:
  repository: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
  branch: linux-4.4.y-cip
  commit hash: c9f71781108017f6e3fc8d3326cf24bb234b5399

  added commits:
    CIP: Bump version suffix to -cip49 after merge from stable
    ARM: dts: am33xx: Add updated operating-points-v2 table for cpu
    ARM: omap2plus_defconfig: Enable support for ti-cpufreq
    cpufreq: dt: Don't use generic platdev driver for ti-cpufreq platforms
    cpufreq: ti-cpufreq: Fix an incorrect error return value
    cpufreq: ti-cpufreq: add missing of_node_put()
    cpufreq: ti-cpufreq: kfree opp_data when failure
    cpufreq: ti: Fix 'of_node_put' being called twice in error handling path
    cpufreq: ti: Add cpufreq driver to determine available OPPs at runtime
    Documentation: dt: add bindings for ti-cpufreq
    PM / OPP: Expose _of_get_opp_desc_node as dev_pm_opp API
    PM / OPP: Parse clock-latency and voltage-tolerance for v1 bindings
    ARM: dts: r8a7742-iwg21d-q7-dbcm-ca: Add device tree for camera DB
    ARM: dts: r8a7742: Add [H]SCIF{A|B} support
    ARM: dts: r8a7742: Drop undocumented compatible string from scifa2 node
    ARM: dts: r8a7742: Add Ether support
    sh_eth: Add compatible string for R8A7742 SoC
    dt-bindings: net: renesas,ether: Document R8A7742 SoC
    gpio: rcar: Avoid NULL pointer access in gpio_rcar_set_multiple()
    of: Add missing exports of node name compare functions
    ARM: dts: r8a7742-iwg21d-q7: Enable cmt0
    ARM: dts: r8a7742: Add MSIOF[0123] support
    spi: renesas,sh-msiof: Add r8a7742 support
    ARM: dts: r8a7742: Add CMT SoC specific support
    ARM: dts: r8a7742: Add thermal device to DT
    dt-bindings: thermal: rcar-thermal: Add device tree support for r8a7742
    ARM: dts: r8a7742-iwg21d-q7: Add RWDT support
    ARM: dts: r8a7742: Add RWDT node
    dt-bindings: watchdog: renesas,wdt: Document r8a7742 support
    ARM: dts: renesas: Fix SD Card/eMMC interface device node names
    ARM: dts: r8a7742-iwg21d-q7: Enable SDHI2 controller
    ARM: dts: r8a7742: Add MMC0 node
    ARM: dts: r8a7742: Add SDHI nodes
    dt-bindings: mmc: renesas,sdhi: Document r8a7742 support
    ARM: dts: r8a7742: Add APMU nodes
    dt-bindings: power: renesas,apmu: Document r8a7742 support
    ARM: dts: r8a7742-iwg21d-q7: Enable Ethernet AVB
    ARM: dts: r8a7742: Add Ethernet AVB support
    dt-bindings: net: renesas, ravb: Add support for r8a7742 SoC
    ARM: dts: r8a7742: Add I2C and IIC support
    dt-bindings: i2c: renesas, iic: Document r8a7742 support
    dt-bindings: i2c: renesas, i2c: Document r8a7742 support
    ARM: dts: r8a7742: Add IRQC support
    dt-bindings: irqchip: renesas-irqc: Document r8a7742 bindings
    ARM: dts: r8a7742-iwg21d-q7: Add iWave G21D-Q7 board based on RZ/G1H
    dt-bindings: arm: renesas: Document iW-RainboW-G21D-Qseven-RZG1H board
    ARM: dts: r8a7742-iwg21m: Add iWave RZ/G1H Qseven SOM
    dt-bindings: arm: renesas: Document iW-RainboW-G21M-Qseven-RZG1H SoM
    ARM: dts: r8a7742: Add GPIO nodes
    dt-bindings: gpio: renesas, rcar-gpio: Add r8a7742 (RZ/G1H) support
    ARM: dts: r8a7742: Initial SoC device tree
    pinctrl: sh-pfc: r8a7790: Add r8a7742 PFC support
    pinctrl: sh-pfc: r8a7790: Add missing TX_ER pin to avb_mii group
    pinctrl: sh-pfc: r8a7790: Add SCIF_CLK support
    pinctrl: sh-pfc: r8a7790: Use PINMUX_SINGLE() instead of raw PINMUX_DATA()
    dt-bindings: pinctrl: sh-pfc: Document r8a7742 PFC support
    dt-bindings: mmc: renesas,mmcif: Document r8a7742 DT bindings
    dt-bindings: serial: renesas,hscif: Document r8a7742 bindings
    dt-bindings: serial: renesas,scifb: Document r8a7742 bindings
    dt-bindings: serial: renesas,scif: Document r8a7742 bindings
    dt-bindings: serial: renesas,scifa: Document r8a7742 bindings
    ARM: multi_v7_defconfig: Enable r8a7742 SoC
    ARM: shmobile: defconfig: Enable r8a7742 SoC
    ARM: debug-ll: Add support for r8a7742
    soc: renesas: Add Renesas R8A7742 config option
    ARM: shmobile: r8a7742: Basic SoC support
    clk: shmobile: Compile clk-rcar-gen2.c when using the r8a7742
    clk: shmobile: Document r8a7742 CPG DIV6 clock support
    clk: shmobile: Document r8a7742 MSTP clock support
    clk: shmobile: Document r8a7742 CPG clock support
    ARM: shmobile: r8a7742: Add clock index macros for DT sources
    soc: renesas: rcar-rst: Add support for RZ/G1H
    dt-bindings: reset: rcar-rst: Document r8a7742 reset module
    ARM: shmobile: Document RZ/G1H SoC DT binding

Best regards,
  Nobuhiro
|
|
Re: [PATCH 4.4.y-cip 0/4] Add RZ/G1H Audio support
Nobuhiro Iwamatsu
Hi,
Thanks! I applied and pushed.
Best regards,
Nobuhiro
|
|
Re: [PATCH 4.4.y-cip 0/4] Add RZ/G1H Audio support
Pavel Machek
Hi!
> This patch series adds audio support for iWave RZ/G1H board based on
> I reviewed this patch series.
Looks good to me, too. I have no objections.
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|