-----Original Message-----
From: Chris Paterson <Chris.Paterson2@...>
Sent: 16 March 2023 19:09
To: cip-dev@...; dinesh kumar(ＴＳＩＰ TMIEC ODG Porting) <dinesh.kumar@...>
Cc: stefan.ss.schroeder@...; GeorgeY.Hsiao@...; Kento Yoshida <kento.yoshida.wz@...>; Philipp.Ahmann@...; shivaraju sandeep(ＴＳＩＰ TEUR) <sandeep.shivaraju@...>
Subject: RE: About CIP Security image generation

Hello Dinesh,

From: cip-dev@... <cip-dev@...> On
Behalf Of Dinesh Kumar via lists.cip-project.org
Sent: 14 March 2023 12:43

Hello All,



We would like to know if anyone has any preference or specific
opinions about how CIP Security images should be generated from
isar-cip-core meta data [1].

In current configuration, by default no security packages are added
for IEC-
62443 compliance, user needs to explicitly select
cip-core-image-security or through KAS menu security image option to generate CIP IEC security image.



From IEC-62443 perspective it does not matter how security image is
created, it’s up to CIP members to decide.



If we want to use current approach then in my understanding we have to
test two images in future (one default image and another Security image).

The options which we have are. (Feel free to add)



Option-1: Continue to use existing recipes/meta data and generate
security image on need basis (Already supported)



Pros: 1. Only those users who need security enabled can generate
CIP security image

2. Default image remains minimal and smaller footprint

Cons: CIP Testing WG needs to separately test each image.

This may not be much of a con in reality. At least not unless we start running a lot more tests with these images.

If we have multiple versions of cip-core - which do we use for kernel testing?

Dinesh> As of now only two images of isar-cip-core (one without security packages and one with security packages).

Option-2: By default include all security packages & security
customizations (Currently not supported, needs recipe refactoring)

Cons: 1. Users who don’t need security packages have no choice to
exclude security packages

2. Larger image size

Do we have any figures?

Dinesh> Image sizes are as below (Not very big difference though), but some devices may have limited memory constraints.
388M Mar 17 11:51 cip-core-image-security-cip-core-bullseye-qemu-amd64.ext4 
317M Mar 17 11:47 cip-core-image-cip-core-bullseye-qemu-amd64.ext4

Kind regards, Chris

Pros: CIP Testing WG can test only one image



Option-3: Create a small debian package which will include all
security packages & security customizations (Currently not supported,
needs further investigation etc)

Pros: At run time security packages & customizations can be
enabled or disabled.

Cons: May need lots of extra effort for development and
maintenance



Any other options???



Please share your opinion or suggestions which option is preferable by
24th Mar.



Note: 1. As CIP Core WG is planning to make release of isar-cip-core
meta data very soon, we need to finalize the approach.

2. In case of no suggestions/inputs, current approach to
create security image will be followed in future and accordingly CIP
Core WG would proceed to make isar-cip-core meta-data releases.





@Chris, if you want to add any other perspective from testing point of
view, please feel free :)



[1]
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/master
<https://jpn01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit
la
b.com%2Fcip-project%2Fcip-core%2Fisar-cip-core%2F-
%2Ftree%2Fmaster&data=05%7C01%7Cchris.paterson2%40renesas.com%7C
a9e5fcf71dea4976398c08db2489bdd3%7C53d82571da1947e49cb4625a166a4a
2a%7C0%7C0%7C638143946235804034%7CUnknown%7CTWFpbGZsb3d8eyJ
WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
7C3000%7C%7C%7C&sdata=3IMNg%2BoxT0jqzH%2BbbEXqSdcZ%2BupqCu%
2BOpLB6HrS0XD0%3D&reserved=0>



Thanks & Regards,

Dinesh Kumar

-----Original Message-----
From: dinesh kumar(ＴＳＩＰ TMIEC ODG Porting)
Sent: 17 March 2023 12:07
To: 'Chris Paterson' <Chris.Paterson2@...>; cip-dev@...
project.org
Cc: stefan.ss.schroeder@...; GeorgeY.Hsiao@...; Kento
Yoshida <kento.yoshida.wz@...>;
Philipp.Ahmann@...; shivaraju sandeep(ＴＳＩＰ TEUR)
<sandeep.shivaraju@...>
Subject: RE: About CIP Security image generation

Hello Chris,

Please see my response.

From your response it seems then current configuration is fine even from
testing perspective.

Thank you.

Regards,
Dinesh kumar

-----Original Message-----
From: Chris Paterson <Chris.Paterson2@...>
Sent: 16 March 2023 19:09
To: cip-dev@...; dinesh kumar(ＴＳＩＰ TMIEC ODG
Porting) <dinesh.kumar@...>
Cc: stefan.ss.schroeder@...; GeorgeY.Hsiao@...; Kento
Yoshida <kento.yoshida.wz@...>;
Philipp.Ahmann@...; shivaraju sandeep(ＴＳＩＰ TEUR)
<sandeep.shivaraju@...>
Subject: RE: About CIP Security image generation

Hello Dinesh,

From: cip-dev@... <cip-dev@...> On
Behalf Of Dinesh Kumar via lists.cip-project.org
Sent: 14 March 2023 12:43

Hello All,



We would like to know if anyone has any preference or specific
opinions about how CIP Security images should be generated from
isar-cip-core meta data [1].

In current configuration, by default no security packages are added
for IEC-
62443 compliance, user needs to explicitly select
cip-core-image-security or through KAS menu security image option to

generate CIP IEC security image.

From IEC-62443 perspective it does not matter how security image is
created, it’s up to CIP members to decide.



If we want to use current approach then in my understanding we have to
test two images in future (one default image and another Security image).

The options which we have are. (Feel free to add)



Option-1: Continue to use existing recipes/meta data and generate
security image on need basis (Already supported)



Pros: 1. Only those users who need security enabled can generate
CIP security image

2. Default image remains minimal and smaller footprint

Cons: CIP Testing WG needs to separately test each image.

This may not be much of a con in reality. At least not unless we start running
a lot more tests with these images.

If we have multiple versions of cip-core - which do we use for kernel testing?

Dinesh> As of now only two images of isar-cip-core (one without security
packages and one with security packages).

Is this reponse sufficient for your query?
As you know we are planning to release isar-cip-core meta data, so we want latest kernel testing with latest Debian version.
Also we will require test reports for CIP IEC-62443 evaluation.

Option-2: By default include all security packages & security
customizations (Currently not supported, needs recipe refactoring)

Cons: 1. Users who don’t need security packages have no choice to
exclude security packages

2. Larger image size

Do we have any figures?

Dinesh> Image sizes are as below (Not very big difference though), but some
devices may have limited memory constraints.
388M Mar 17 11:51 cip-core-image-security-cip-core-bullseye-qemu-
amd64.ext4
317M Mar 17 11:47 cip-core-image-cip-core-bullseye-qemu-
amd64.ext4

Kind regards, Chris

Pros: CIP Testing WG can test only one image



Option-3: Create a small debian package which will include all
security packages & security customizations (Currently not supported,
needs further investigation etc)

Pros: At run time security packages & customizations can be
enabled or disabled.

Cons: May need lots of extra effort for development and
maintenance



Any other options???



Please share your opinion or suggestions which option is preferable by
24th Mar.



Note: 1. As CIP Core WG is planning to make release of isar-cip-core
meta data very soon, we need to finalize the approach.

2. In case of no suggestions/inputs, current approach to
create security image will be followed in future and accordingly CIP
Core WG would proceed to make isar-cip-core meta-data releases.





@Chris, if you want to add any other perspective from testing point of
view, please feel free :)



[1]
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/master
<https://jpn01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit
la
b.com%2Fcip-project%2Fcip-core%2Fisar-cip-core%2F-

%2Ftree%2Fmaster&data=05%7C01%7Cchris.paterson2%40renesas.com%7C

a9e5fcf71dea4976398c08db2489bdd3%7C53d82571da1947e49cb4625a166a4a

2a%7C0%7C0%7C638143946235804034%7CUnknown%7CTWFpbGZsb3d8eyJ

WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%

7C3000%7C%7C%7C&sdata=3IMNg%2BoxT0jqzH%2BbbEXqSdcZ%2BupqCu%

2BOpLB6HrS0XD0%3D&reserved=0>



Thanks & Regards,

Dinesh Kumar