Re: [isar-cip-core] security.yml: Add additional features to security image

From: Jan Kiszka <jan.kiszka@siemens.com>
To: Sai.Sathujoda@toshiba-tsip.com, cip-dev@lists.cip-project.org
Cc: dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: Re: [isar-cip-core] security.yml: Add additional features to security image
Date: Thu, 10 Aug 2023 12:31:53 +0200	[thread overview]
Message-ID: <7e6f35f5-d719-4fa8-9e8b-d549be9c6c87@siemens.com> (raw)
In-Reply-To: <OSAPR01MB494502FCB30FAE2544D7E5FBC208A@OSAPR01MB4945.jpnprd01.prod.outlook.com>

On 03.08.23 06:19, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
> 
> Since the artifact upload is failing in CI with initrd image name mismatch if we include the additional feature related .yml files in security.yml, can we consider switching back to this patch https://lists.cip-project.org/g/cip-dev/message/12304 or do you expect any other changes ?
> 

Just fix things and *also* adjust Kconfig as written below.

Jan

> Thanks and regards,
> Sai Ashrith
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> 
> Sent: Friday, July 14, 2023 11:40 AM
> To: ashrith sai(ＴＳＩＰ) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(ＴＳＩＰ TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 ＤＭＥ ○ＤＩＧ□ＭＰＳ○ＭＰ４) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] security.yml: Add additional features to security image
> 
> On 13.07.23 19:32, Jan Kiszka wrote:
>> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
>>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>>
>>> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
>>> 1. Data encryption (CR4.1)
>>> 2. Secure boot (EDR 3.14)
>>> 3. SWupdate (NDR 3.10)
>>>
>>> The config.yaml will not have the extra enabled features as true. 
>>> Hence they should be passed in the image run command.
>>>
>>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>> ---
>>>  doc/README.security-testing.md | 2 +-
>>>  kas/opt/security.yml           | 3 +++
>>>  2 files changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/doc/README.security-testing.md 
>>> b/doc/README.security-testing.md index c9540be..97000da 100644
>>> --- a/doc/README.security-testing.md
>>> +++ b/doc/README.security-testing.md
>>> @@ -33,7 +33,7 @@ Save & Build
>>>  ```
>>>  # Boot the Linux image
>>>  ```
>>> -host$ ./start-qemu.sh x86
>>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>>>  ```
>>>  
>>>  # Copy security tests in to the Linux image diff --git 
>>> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 
>>> 100644
>>> --- a/kas/opt/security.yml
>>> +++ b/kas/opt/security.yml
>>> @@ -10,6 +10,9 @@
>>>  #
>>>  header:
>>>    version: 12
>>> +  includes:
>>> +    - kas/opt/encrypt-partitions.yml
>>> +    - kas/opt/ebg-secure-boot-snakeoil.yml
>>>  
>>>  target: cip-core-image-security
>>>  
>>
>> Thanks, still applied for the release.
>>
> 
> Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.
> 
> I'm dropping this for now, it's more complicated, likely too much for this release.
> 
> Jan
> 
> --
> Siemens AG, Technology
> Competence Center Embedded Linux

-- 
Siemens AG, Technology
Linux Expert Center