* [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
@ 2020-07-21  8:16 Venkata Pyla
  2020-07-21  8:16 ` [cip-dev] [PATCH 2/3] start-qemu.sh: use TARGET_IMAGE to pick respective image file Venkata Pyla
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Venkata Pyla @ 2020-07-21  8:16 UTC (permalink / raw)
  To: cip-dev; +Cc: Kazuhiro Hayashi, pvenkata2

From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>

Identified security packages are added to the target image
and that will be used for IEC-62443-4-2 evaluation

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
---
 .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 recipes-core/images/cip-core-image-security.bb

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
new file mode 100644
index 0000000..8253952
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,37 @@
+#
+# A reference image which includes security packages
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image
+
+DESCRIPTION = "CIP Core image including security packages"
+
+# Use the same customizations as cip-core-image
+IMAGE_INSTALL += "customizations"
+
+# Debian packages that provide security features
+IMAGE_PREINSTALL += " \
+	openssl libssl1.1 \
+	fail2ban \
+	openssh-server openssh-sftp-server openssh-client \
+	syslog-ng-core syslog-ng-mod-journal \
+	aide aide-common \
+	libnftables0 nftables \
+	libpam-pkcs11 \
+	chrony \
+	tpm2-tools \
+	tpm2-abrmd \
+	libtss2-esys0 libtss2-udev \
+	libpam-cracklib \
+	acl \
+	libauparse0 audispd-plugins auditd \
+	uuid-runtime \
+	sudo \
+"
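Review bot: In the IMAGE_PREINSTALL list, libssl1.1, libnftables0, libtss2-esys0 and libauparse0 are soname-versioned library packages that apt normally pulls in as dependencies of the tools already named in the same list (openssl, nftables, tpm2-tools, auditd), so naming them explicitly ties the recipe to one Debian release and breaks the build once a soname changes. Consider listing only the tools and daemons and leaving the libraries to dependency resolution. A short comment per line stating which IEC-62443-4-2 requirement each package is meant to serve would also help reviewers, since the list gives no rationale beyond "Debian packages that provide security features", and the recipe itself only installs the packages without carrying any configuration for them.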
-- 
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4946): https://lists.cip-project.org/g/cip-dev/message/4946
Mute This Topic: https://lists.cip-project.org/mt/75699592/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

* [cip-dev] [PATCH 2/3] start-qemu.sh: use TARGET_IMAGE to pick respective image file
  2020-07-21  8:16 [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation Venkata Pyla
@ 2020-07-21  8:16 ` Venkata Pyla
  2020-07-21  8:16 ` [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image Venkata Pyla
  2020-07-23 10:37 ` [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation Jan Kiszka
  2 siblings, 0 replies; 12+ messages in thread
From: Venkata Pyla @ 2020-07-21  8:16 UTC (permalink / raw)
  To: cip-dev; +Cc: venkata

From: venkata <venkata.pyla@toshiba-tsip.com>

If the 'TARGET_IMAGE' variable is not set then it picks "cip-core-image";
to pick a different target image, set the 'TARGET_IMAGE' variable as below
e.g: $TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64

Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
---
 start-qemu.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..5c17d74 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -75,7 +75,11 @@ if [ -z "${DISTRO_RELEASE}" ]; then
 	DISTRO_RELEASE="buster"
 fi
 
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
+if [ -z "${TARGET_IMAGE}" ]; then
+	TARGET_IMAGE="cip-core-image"
+fi
+
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
 IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
 
 if [ -z "${DISPLAY}" ]; then
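Review bot: Nothing checks that the value of TARGET_IMAGE resolves to an existing image: the new IMAGE_PREFIX line expands it straight into the path, and when no matching .ext4.img exists the "ls" on the next line fails and IMAGE_FILE stays empty. Suggest testing IMAGE_FILE right after that line and exiting with a message that names ${TARGET_IMAGE}, so a mistyped image name fails clearly instead of the script continuing with an empty IMAGE_FILE. While touching the IMAGE_PREFIX line, quoting "$0" inside $(dirname ...) would keep checkout paths containing spaces working.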
-- 
2.27.0.windows.1

* [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image
  2020-07-21  8:16 [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation Venkata Pyla
  2020-07-21  8:16 ` [cip-dev] [PATCH 2/3] start-qemu.sh: use TARGET_IMAGE to pick respective image file Venkata Pyla
@ 2020-07-21  8:16 ` Venkata Pyla
  2020-07-23 10:40   ` Jan Kiszka
  2020-07-23 10:37 ` [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation Jan Kiszka
  2 siblings, 1 reply; 12+ messages in thread
From: Venkata Pyla @ 2020-07-21  8:16 UTC (permalink / raw)
  To: cip-dev; +Cc: venkata

From: venkata <venkata.pyla@toshiba-tsip.com>

Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index bbad1a0..b2c4166 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,16 @@ card, run
     dd if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img \
        of=/dev/<medium-device> bs=1M status=progress
 
+## Building Security target images
+Building images for QEMU x86-64bit machine
+
+    ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml
+
+Run the generated securiy images on QEMU (x86-64bit)
+
+    TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
+
+
 ## Community Resources
 
 TBD
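Review bot: Typo in the added line "Run the generated securiy images on QEMU (x86-64bit)": "securiy" should be "security". The new "## Building Security target images" heading is also followed directly by text, whereas the neighbouring "## Community Resources" heading has a blank line after it, and the section ends with two blank lines where one would do. Since the run command relies on start-qemu.sh honouring TARGET_IMAGE, a one-line remark that this variable selects the image would make the section self-explanatory.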
-- 
2.27.0.windows.1

* Re: [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
  2020-07-21  8:16 [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation Venkata Pyla
  2020-07-21  8:16 ` [cip-dev] [PATCH 2/3] start-qemu.sh: use TARGET_IMAGE to pick respective image file Venkata Pyla
  2020-07-21  8:16 ` [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image Venkata Pyla
@ 2020-07-23 10:37 ` Jan Kiszka
  2020-07-23 12:53   ` Venkata Pyla
  2020-07-23 13:13   ` Venkata Pyla
  2 siblings, 2 replies; 12+ messages in thread
From: Jan Kiszka @ 2020-07-23 10:37 UTC (permalink / raw)
  To: cip-dev, Venkata Pyla; +Cc: Kazuhiro Hayashi

On 21.07.20 10:16, Venkata Pyla wrote:
> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> 
> Identified security packages are added to the target image
> and that will be used for IEC-62443-4-2 evaluation
> 
> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
                  ^^^^^^^^^
Can you configure your git to add your written name here as well? It's in
the email, yes, but it would be nicer to have it displayed as well.

> ---
>   .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
>   1 file changed, 37 insertions(+)
>   create mode 100644 recipes-core/images/cip-core-image-security.bb
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> new file mode 100644
> index 0000000..8253952
> --- /dev/null
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -0,0 +1,37 @@
> +#
> +# A reference image which includes security packages
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# Authors:
> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit image
> +
> +DESCRIPTION = "CIP Core image including security packages"
> +
> +# Use the same customizations as cip-core-image

That comment is not needed. It just creates the risk of becoming 
outdated if cip-core-image decides to do something else.

> +IMAGE_INSTALL += "customizations"
> +
> +# Debian packages that provide security features
> +IMAGE_PREINSTALL += " \
> +	openssl libssl1.1 \
> +	fail2ban \
> +	openssh-server openssh-sftp-server openssh-client \
> +	syslog-ng-core syslog-ng-mod-journal \
> +	aide aide-common \
> +	libnftables0 nftables \
> +	libpam-pkcs11 \
> +	chrony \
> +	tpm2-tools \
> +	tpm2-abrmd \
> +	libtss2-esys0 libtss2-udev \
> +	libpam-cracklib \
> +	acl \
> +	libauparse0 audispd-plugins auditd \
> +	uuid-runtime \
> +	sudo \
> +"
> 

Can you close 
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 
if this series obsoletes it?

BTW, a cover letter would help structuring the patches together. And 
please add a tag like "[isar-cip-core]" in order to clarify the series 
target. That is all configurable in git format-patch/send-email.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

* Re: [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image
  2020-07-21  8:16 ` [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image Venkata Pyla
@ 2020-07-23 10:40   ` Jan Kiszka
  2020-07-24  6:58     ` Venkata Pyla
  0 siblings, 1 reply; 12+ messages in thread
From: Jan Kiszka @ 2020-07-23 10:40 UTC (permalink / raw)
  To: cip-dev, Venkata Pyla

On 21.07.20 10:16, Venkata Pyla wrote:
> From: venkata <venkata.pyla@toshiba-tsip.com>
> 
> Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
> ---
>   README.md | 10 ++++++++++
>   1 file changed, 10 insertions(+)
> 
> diff --git a/README.md b/README.md
> index bbad1a0..b2c4166 100644
> --- a/README.md
> +++ b/README.md
> @@ -36,6 +36,16 @@ card, run
>       dd if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img \
>          of=/dev/<medium-device> bs=1M status=progress
>   
> +## Building Security target images
> +Building images for QEMU x86-64bit machine
> +
> +    ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml
> +
> +Run the generated securiy images on QEMU (x86-64bit)
> +
> +    TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
> +
> +
>   ## Community Resources
>   
>   TBD
> 

This patch is fine, but I'm missing 4/4: Add this image to CI (same 
comment as I had on the MR on gitlab).

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

* Re: [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
  2020-07-23 10:37 ` [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation Jan Kiszka
@ 2020-07-23 12:53   ` Venkata Pyla
  2020-07-23 13:13   ` Venkata Pyla
  1 sibling, 0 replies; 12+ messages in thread
From: Venkata Pyla @ 2020-07-23 12:53 UTC (permalink / raw)
  To: cip-dev


Hi Jan,

On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:

>
> On 21.07.20 10:16, Venkata Pyla wrote:
> > From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > 
> > Identified security packages are added to the target image
> > and that will be used for IEC-62443-4-2 evaluation
> > 
> > Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
>                   ^^^^^^^^^
> Can you configure your git to add your written name here as well? It's in
> the email, yes, but it would be nicer to have it displayed as well.
> 
Sure, I didn't notice; it was missing from my git config

> > ---
> >   .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
> >   1 file changed, 37 insertions(+)
> >   create mode 100644 recipes-core/images/cip-core-image-security.bb
> > 
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> b/recipes-core/images/cip-core-image-security.bb
> > new file mode 100644
> > index 0000000..8253952
> > --- /dev/null
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -0,0 +1,37 @@
> > +#
> > +# A reference image which includes security packages
> > +#
> > +# Copyright (c) Toshiba Corporation, 2020
> > +#
> > +# Authors:
> > +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +inherit image
> > +
> > +DESCRIPTION = "CIP Core image including security packages"
> > +
> > +# Use the same customizations as cip-core-image
> 
> That comment is not needed. It just creates the risk of becoming 
> outdated if cip-core-image decides to do something else.
> 
Understood, I will modify and resend this patch series.

> > +IMAGE_INSTALL += "customizations"
> > +
> > +# Debian packages that provide security features
> > +IMAGE_PREINSTALL += " \
> > +	openssl libssl1.1 \
> > +	fail2ban \
> > +	openssh-server openssh-sftp-server openssh-client \
> > +	syslog-ng-core syslog-ng-mod-journal \
> > +	aide aide-common \
> > +	libnftables0 nftables \
> > +	libpam-pkcs11 \
> > +	chrony \
> > +	tpm2-tools \
> > +	tpm2-abrmd \
> > +	libtss2-esys0 libtss2-udev \
> > +	libpam-cracklib \
> > +	acl \
> > +	libauparse0 audispd-plugins auditd \
> > +	uuid-runtime \
> > +	sudo \
> > +"
> > 
> 
> Can you close 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 
> if this series obsoletes it?
I have rebased the branch and sent the patches over mail,
I think I should close this MR in gitlab, I will do that.

> BTW, a cover letter would help structuring the patches together. And 
> please add a tag like "[isar-cip-core]" in order to clarify the series 
> target. That is all configurable in git format-patch/send-email.
> 
> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
>

* Re: [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
  2020-07-23 10:37 ` [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation Jan Kiszka
  2020-07-23 12:53   ` Venkata Pyla
@ 2020-07-23 13:13   ` Venkata Pyla
  2020-07-23 13:52     ` Jan Kiszka
  1 sibling, 1 reply; 12+ messages in thread
From: Venkata Pyla @ 2020-07-23 13:13 UTC (permalink / raw)
  To: cip-dev

Hi Jan,

Sorry, I am resending this mail

On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:

>
> On 21.07.20 10:16, Venkata Pyla wrote:
> > From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > 
> > Identified security packages are added to the target image
> > and that will be used for IEC-62443-4-2 evaluation
> > 
> > Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
>                   ^^^^^^^^^
> Can you configure your git to add your written name here as well? It's in
> the email, yes, but it would be nicer to have it displayed as well.

Sure, I didn't notice; it was missing from my git config

> > ---
> >   .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
> >   1 file changed, 37 insertions(+)
> >   create mode 100644 recipes-core/images/cip-core-image-security.bb
> > 
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> b/recipes-core/images/cip-core-image-security.bb
> > new file mode 100644
> > index 0000000..8253952
> > --- /dev/null
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -0,0 +1,37 @@
> > +#
> > +# A reference image which includes security packages
> > +#
> > +# Copyright (c) Toshiba Corporation, 2020
> > +#
> > +# Authors:
> > +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +inherit image
> > +
> > +DESCRIPTION = "CIP Core image including security packages"
> > +
> > +# Use the same customizations as cip-core-image
> 
> That comment is not needed. It just creates the risk of becoming 
> outdated if cip-core-image decides to do something else.
> 

Understood, I will modify and resend this patch series

> > +IMAGE_INSTALL += "customizations"
> > +
> > +# Debian packages that provide security features
> > +IMAGE_PREINSTALL += " \
> > +	openssl libssl1.1 \
> > +	fail2ban \
> > +	openssh-server openssh-sftp-server openssh-client \
> > +	syslog-ng-core syslog-ng-mod-journal \
> > +	aide aide-common \
> > +	libnftables0 nftables \
> > +	libpam-pkcs11 \
> > +	chrony \
> > +	tpm2-tools \
> > +	tpm2-abrmd \
> > +	libtss2-esys0 libtss2-udev \
> > +	libpam-cracklib \
> > +	acl \
> > +	libauparse0 audispd-plugins auditd \
> > +	uuid-runtime \
> > +	sudo \
> > +"
> > 
> 
> Can you close 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 
> if this series obsoletes it?
> 

I have rebased the branch and sent the patches over mail,
I think I should close this MR in gitlab, I will do that.

> BTW, a cover letter would help structuring the patches together. And 
> please add a tag like "[isar-cip-core]" in order to clarify the series 
> target. That is all configurable in git format-patch/send-email.
> 

Got it,
I was sending the patches to the community for the first time, so I was missing some basic stuff.
Next time I will take care of it,
thanks for showing patience with me

> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
>

* Re: [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
  2020-07-23 13:13   ` Venkata Pyla
@ 2020-07-23 13:52     ` Jan Kiszka
  2020-07-27  2:47       ` Daniel Sangorrin
  0 siblings, 1 reply; 12+ messages in thread
From: Jan Kiszka @ 2020-07-23 13:52 UTC (permalink / raw)
  To: cip-dev, Venkata Pyla

On 23.07.20 15:13, Venkata Pyla wrote:
> Hi Jan,
> 
> Sorry, I am resending this mail
> 
> On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:
> 
>>
>> On 21.07.20 10:16, Venkata Pyla wrote:
>>> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>>
>>> Identified security packages are added to the target image
>>> and that will be used for IEC-62443-4-2 evaluation
>>>
>>> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
>>                    ^^^^^^^^^
>> Can you configure your git to add your written name here as well? It's in
>> the email, yes, but it would be nicer to have it displayed as well.
> 
> Sure, I didn't notice; it was missing from my git config
> 
>>> ---
>>>    .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
>>>    1 file changed, 37 insertions(+)
>>>    create mode 100644 recipes-core/images/cip-core-image-security.bb
>>>
>>> diff --git a/recipes-core/images/cip-core-image-security.bb
>> b/recipes-core/images/cip-core-image-security.bb
>>> new file mode 100644
>>> index 0000000..8253952
>>> --- /dev/null
>>> +++ b/recipes-core/images/cip-core-image-security.bb
>>> @@ -0,0 +1,37 @@
>>> +#
>>> +# A reference image which includes security packages
>>> +#
>>> +# Copyright (c) Toshiba Corporation, 2020
>>> +#
>>> +# Authors:
>>> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +inherit image
>>> +
>>> +DESCRIPTION = "CIP Core image including security packages"
>>> +
>>> +# Use the same customizations as cip-core-image
>>
>> That comment is not needed. It just creates the risk of becoming
>> outdated if cip-core-image decides to do something else.
>>
> 
> Understood, I will modify and resend this patch series
> 
>>> +IMAGE_INSTALL += "customizations"
>>> +
>>> +# Debian packages that provide security features
>>> +IMAGE_PREINSTALL += " \
>>> +	openssl libssl1.1 \
>>> +	fail2ban \
>>> +	openssh-server openssh-sftp-server openssh-client \
>>> +	syslog-ng-core syslog-ng-mod-journal \
>>> +	aide aide-common \
>>> +	libnftables0 nftables \
>>> +	libpam-pkcs11 \
>>> +	chrony \
>>> +	tpm2-tools \
>>> +	tpm2-abrmd \
>>> +	libtss2-esys0 libtss2-udev \
>>> +	libpam-cracklib \
>>> +	acl \
>>> +	libauparse0 audispd-plugins auditd \
>>> +	uuid-runtime \
>>> +	sudo \
>>> +"
>>>
>>
>> Can you close
>> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8
>> if this series obsoletes it?
>>
> 
> I have rebased the branch and sent the patches over mail,
> I think I should close this MR in gitlab, I will do that.
> 
>> BTW, a cover letter would help structuring the patches together. And
>> please add a tag like "[isar-cip-core]" in order to clarify the series
>> target. That is all configurable in git format-patch/send-email.
>>
> 
> Got it,
> I was sending the patches to the community for the first time, so I was missing some basic stuff.
> Next time I will take care of it,
> thanks for showing patience with me

Don't worry. The submission looked fairly good otherwise, not like 
first-time!

BTW, I'm still ambivalent whether to do UI (MRs) or cip-dev based patch 
reviews for isar-cip-core. As contributions increase, you contributors 
need to express your preference. I'm used to both by now, I have 
troubles with both by now. However, we just need to consolidate over one 
system because we can't couple them reasonably.

And then we should document the current state of affairs, I know. There 
is a CONTRIBUTING guide missing for this repo.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

* Re: [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image
  2020-07-23 10:40   ` Jan Kiszka
@ 2020-07-24  6:58     ` Venkata Pyla
  2020-07-30  0:07       ` Daniel Sangorrin
  0 siblings, 1 reply; 12+ messages in thread
From: Venkata Pyla @ 2020-07-24  6:58 UTC (permalink / raw)
  To: cip-dev

Hi Jan,

On Thu, Jul 23, 2020 at 04:10 PM, Jan Kiszka wrote:

>
> On 21.07.20 10:16, Venkata Pyla wrote:
> > From: venkata <venkata.pyla@toshiba-tsip.com>
> > 
> > Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
> > ---
> >   README.md | 10 ++++++++++
> >   1 file changed, 10 insertions(+)
> > 
> > diff --git a/README.md b/README.md
> > index bbad1a0..b2c4166 100644
> > --- a/README.md
> > +++ b/README.md
> > @@ -36,6 +36,16 @@ card, run
> >       dd
> if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img \
> >          of=/dev/<medium-device> bs=1M status=progress
> >   
> > +## Building Security target images
> > +Building images for QEMU x86-64bit machine
> > +
> > +    ./kas-docker --isar build --target cip-core-image-security
> kas.yml:board-qemu-amd64.yml
> > +
> > +Run the generated securiy images on QEMU (x86-64bit)
> > +
> > +    TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
> > +
> > +
> >   ## Community Resources
> >   
> >   TBD
> > 
> 
> This patch is fine, but I'm missing 4/4: Add this image to CI (same 
> comment as I had on the MR on gitlab).
> 

For adding the cip security image to CI,
I need some suggestions on using the current format present in .gitlab-ci.yml

Currently I have the below problems with using the script deploy-cip-core.sh:
1. The image name formation in the script should have another variable
         .../$IMG_PREFIX-cip-core-$RELEASE-$TARGET
         where $IMG_PREFIX defaults to "cip-core-image" if not specified;
         for the security image it will be passed as the 4th argument, "cip-core-image-security"
2. Currently the script is expecting the image format to be *.wic.img, so
       for qemu I think we should have a wks file to generate an image with format .wic.img

Or, for this security image, do we need to deploy it separately?
Please guide me.

Thanks

> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
>

* Re: [cip-dev] [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
  2020-07-23 13:52     ` Jan Kiszka
@ 2020-07-27  2:47       ` Daniel Sangorrin
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel Sangorrin @ 2020-07-27  2:47 UTC (permalink / raw)
  To: cip-dev, Venkata.Pyla, jan.kiszka

Hi Jan,

> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka
> Sent: Thursday, July 23, 2020 10:53 PM
> Don't worry. The submission looked fairly good otherwise, not like first-time!
> 
> BTW, I'm still ambivalent whether to do UI (MRs) or cip-dev based patch reviews for isar-cip-core. As contributions increase, you
> contributors need to express your preference. I'm used to both by now, I have troubles with both by now. However, we just need to
> consolidate over one system because we can't couple them reasonably.

Patches give you greater visibility (all cip-dev members), but I can see some benefits in using MRs as well:
* merge when the pipeline succeeds
* map issues with the patches that close them
* discussions are kept close to the code
* no need for guru e-mail clients that don't mesh with your TABs Lol.
* they are more user friendly (push the merge request button instead of having to configure git send-email which can be problematic in corporate environments)

I am open to use any of them.

Thanks,
Daniel



* Re: [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image
  2020-07-24  6:58     ` Venkata Pyla
@ 2020-07-30  0:07       ` Daniel Sangorrin
  2020-07-30  5:59         ` Jan Kiszka
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel Sangorrin @ 2020-07-30  0:07 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Venkata.Pyla

[-- Attachment #1: Type: text/plain, Size: 2461 bytes --]

Hi Venkata-san

Maybe Jan didn't see your e-mail because he wasn't in the CC.

> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Venkata Pyla
> Sent: Friday, July 24, 2020 3:58 PM
> To: cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image
> 
> Hi Jan,
> 
> On Thu, Jul 23, 2020 at 04:10 PM, Jan Kiszka wrote:
> 
> >
> > On 21.07.20 10:16, Venkata Pyla wrote:
> > > From: venkata <venkata.pyla@toshiba-tsip.com>
> > >
> > > Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
> > > ---
> > >   README.md | 10 ++++++++++
> > >   1 file changed, 10 insertions(+)
> > >
> > > diff --git a/README.md b/README.md
> > > index bbad1a0..b2c4166 100644
> > > --- a/README.md
> > > +++ b/README.md
> > > @@ -36,6 +36,16 @@ card, run
> > >       dd
> > if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.
> > img \
> > >          of=/dev/<medium-device> bs=1M status=progress
> > >
> > > +## Building Security target images
> > > +Building images for QEMU x86-64bit machine
> > > +
> > > +    ./kas-docker --isar build --target cip-core-image-security
> > kas.yml:board-qemu-amd64.yml
> > > +
> > > +Run the generated securiy images on QEMU (x86-64bit)
> > > +
> > > +    TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
> > > +
> > > +
> > >   ## Community Resources
> > >
> > >   TBD
> > >
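
Review bot: The added line "Run the generated securiy images on QEMU (x86-64bit)" misspells "security", and the new "## Building Security target images" heading runs straight into its first text line, while "## Community Resources" in the context is followed by a blank line. Fix the spelling and add a blank line after the new heading. The hunk also adds two empty lines before "## Community Resources" where one is enough. Since the run step relies on TARGET_IMAGE being read by start-qemu.sh (patch 2/3 of this series), a short sentence saying that the variable selects the image would help readers who only see the README.
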
> >
> > This patch is fine, but I'm missing 4/4: Add this image to CI (same
> > comment as I had on the MR on gitlab).
> >
> 
> Adding cip security image to CI,
> I need some suggestions to use the current format present in .gitlab-ci.yml
> 
> Currently I have the below problem for using script deploy-cip-core.sh:
> 1. image name formation in the script should have another variable
>          .../$IMG_PREFIX-cip-core-$RELEASE-$TARGET
>          where $IMG_PREFIX is default to "cip-core-image"  if not specified
>           for security image it will be passed as 4th argument "cip-core-image-security"
> 2. currently script is expecting the image format in *.wic.img so,
>        for qemu I think we should have wks file to generate image with format .wic.img
> 
> or for this security image do we need to deploy it separately?
> please guide me

Sometimes it is better to send a patch instead of trying to explain it with words.

Thanks,
Daniel





* Re: [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image
  2020-07-30  0:07       ` Daniel Sangorrin
@ 2020-07-30  5:59         ` Jan Kiszka
  0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2020-07-30  5:59 UTC (permalink / raw)
  To: daniel.sangorrin, cip-dev; +Cc: Venkata.Pyla

[-- Attachment #1: Type: text/plain, Size: 2809 bytes --]

On 30.07.20 02:07, daniel.sangorrin@toshiba.co.jp wrote:
> Hi Venkata-san
> 
> Maybe Jan didn't see your e-mail because he wasn't in the CC.
> 
>> -----Original Message-----
>> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Venkata Pyla
>> Sent: Friday, July 24, 2020 3:58 PM
>> To: cip-dev@lists.cip-project.org
>> Subject: Re: [cip-dev] [PATCH 3/3] README: Add steps to build cip-security image
>>
>> Hi Jan,
>>
>> On Thu, Jul 23, 2020 at 04:10 PM, Jan Kiszka wrote:
>>
>>>
>>> On 21.07.20 10:16, Venkata Pyla wrote:
>>>> From: venkata <venkata.pyla@toshiba-tsip.com>
>>>>
>>>> Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
>>>> ---
>>>>    README.md | 10 ++++++++++
>>>>    1 file changed, 10 insertions(+)
>>>>
>>>> diff --git a/README.md b/README.md
>>>> index bbad1a0..b2c4166 100644
>>>> --- a/README.md
>>>> +++ b/README.md
>>>> @@ -36,6 +36,16 @@ card, run
>>>>        dd
>>> if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.
>>> img \
>>>>           of=/dev/<medium-device> bs=1M status=progress
>>>>
>>>> +## Building Security target images
>>>> +Building images for QEMU x86-64bit machine
>>>> +
>>>> +    ./kas-docker --isar build --target cip-core-image-security
>>> kas.yml:board-qemu-amd64.yml
>>>> +
>>>> +Run the generated securiy images on QEMU (x86-64bit)
>>>> +
>>>> +    TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
>>>> +
>>>> +
>>>>    ## Community Resources
>>>>
>>>>    TBD
>>>>
>>>
>>> This patch is fine, but I'm missing 4/4: Add this image to CI (same
>>> comment as I had on the MR on gitlab).
>>>
>>
>> Adding cip security image to CI,
>> I need some suggestions to use the current format present in .gitlab-ci.yml
>>
>> Currently I have the below problem for using script deploy-cip-core.sh:
>> 1. image name formation in the script should have another variable
>>           .../$IMG_PREFIX-cip-core-$RELEASE-$TARGET
>>           where $IMG_PREFIX is default to "cip-core-image"  if not specified
>>            for security image it will be passed as 4th argument "cip-core-image-security"
>> 2. currently script is expecting the image format in *.wic.img so,
>>         for qemu I think we should have wks file to generate image with format .wic.img
>>
>> or for this security image do we need to deploy it separately?
>> please guide me
> 
> Sometimes it is better to send a patch instead of trying to explain it with words.
> 

I've replied on the deployment question already.

If there is a need for the security artifacts already, we need to
enhance the deployment for that particular use case - but I doubt there
is at this point, otherwise the series would have carried CI in the first place.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
