[isar-cip-core v2 0/3] Security extensions for bullseye image

[isar-cip-core v2 0/3] Security extensions for bullseye image

[venkata.pyla]

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This patch series enable security extension for bullseye image.

It fixes the below two problems
- package not found due to dependency package names are changed in
  bullseye version, so remove the dependency packages and allowed
  package manager to install correct package names.
- package not found due to main package name is changed in bullseye
  version, so install the packages based on DISTRO version selected.

venkata pyla (3):
  cip-core-image-security: remove unnecessary dependency package names
  cip-core-image-security: Install packages based on DISTRO version
  Kconfig: Enable Security extensions for bullseye image

 Kconfig                                        |  1 -
 recipes-core/images/cip-core-image-security.bb | 15 ++++++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)

-- 
2.20.1

[isar-cip-core v2 1/3] cip-core-image-security: remove unnecessary dependency package names

[venkata.pyla]

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

It is not necessary to mention the dependency package names in the recipe
because their names are changed when different distribution version
is used, and anyway the package manager will install the correct version
of dependencies when installing the main package, so it is safer to remove
the dependency packages here.

e.g:
 For the Package: nftables
 Dependecy package name in buster:   libnftables0
 Dependecy package name in bullseye: libnftables1

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 recipes-core/images/cip-core-image-security.bb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..c613dc9 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,20 +17,20 @@ IMAGE_INSTALL += "security-customizations"
 
 # Debian packages that provide security features
 IMAGE_PREINSTALL += " \
-	openssl libssl1.1 \
+	openssl \
 	fail2ban \
 	openssh-server openssh-sftp-server openssh-client \
 	syslog-ng-core syslog-ng-mod-journal \
-	aide aide-common \
-	libnftables0 nftables \
+	aide \
+	nftables \
 	libpam-pkcs11 \
 	chrony \
 	tpm2-tools \
 	tpm2-abrmd \
-	libtss2-esys0 libtss2-udev \
+	libtss2-esys0 \
 	libpam-cracklib \
 	acl \
-	libauparse0 audispd-plugins auditd \
+	audispd-plugins auditd \
 	uuid-runtime \
 	sudo \
 "
-- 
2.20.1

[isar-cip-core v2 2/3] cip-core-image-security: Install packages based on DISTRO version

[venkata.pyla]

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

Package names like below have different names in different DISTRO versions
and those packages should be installed based on the Distro version is
selected.

Package name in Buster:   libtss2-esys0
Package name in Bullseye: libtss2-esys-3.0.2-0

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 recipes-core/images/cip-core-image-security.bb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index c613dc9..3ea544a 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -27,10 +27,15 @@ IMAGE_PREINSTALL += " \
 	chrony \
 	tpm2-tools \
 	tpm2-abrmd \
-	libtss2-esys0 \
 	libpam-cracklib \
 	acl \
 	audispd-plugins auditd \
 	uuid-runtime \
 	sudo \
 "
+
+OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
+
+# Package names based on the distro version
+IMAGE_PREINSTALL_append_buster = " libtss2-esys0"
+IMAGE_PREINSTALL_append_bullseye = " libtss2-esys-3.0.2-0"
-- 
2.20.1

[isar-cip-core v2 3/3] Kconfig: Enable Security extensions for bullseye image

[venkata.pyla]

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 Kconfig | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Kconfig b/Kconfig
index 8421f1b..3b882d6 100644
--- a/Kconfig
+++ b/Kconfig
@@ -115,7 +115,6 @@ config KAS_INCLUDE_IMAGE_FORMAT
 
 config IMAGE_SECURITY
 	bool "Security extensions"
-	depends on DEBIAN_BUSTER
 
 config KAS_INCLUDE_SECURITY
 	string
-- 
2.20.1

Re: [isar-cip-core v2 0/3] Security extensions for bullseye image

[Jan Kiszka]

On 17.11.21 11:54, venkata.pyla@toshiba-tsip.com wrote:
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> This patch series enable security extension for bullseye image.
> 
> It fixes the below two problems
> - package not found due to dependency package names are changed in
>   bullseye version, so remove the dependency packages and allowed
>   package manager to install correct package names.
> - package not found due to main package name is changed in bullseye
>   version, so install the packages based on DISTRO version selected.
> 
> venkata pyla (3):
>   cip-core-image-security: remove unnecessary dependency package names
>   cip-core-image-security: Install packages based on DISTRO version
>   Kconfig: Enable Security extensions for bullseye image
> 
>  Kconfig                                        |  1 -
>  recipes-core/images/cip-core-image-security.bb | 15 ++++++++++-----
>  2 files changed, 10 insertions(+), 6 deletions(-)
> 

thanks, applied

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux