* security patches in the Linux kernel
@ 2014-07-02  6:34 Sona Sarmadi
  2014-07-02 14:17 ` Otavio Salvador
  0 siblings, 1 reply; 7+ messages in thread
From: Sona Sarmadi @ 2014-07-02  6:34 UTC (permalink / raw)
  To: meta-freescale; +Cc: meta-freescale

Hi,

My name is Sona Sarmadi and I am responsible for security in Enea Linux.

Our goal is to apply security patches to the Linux kernels in our distribution, in order to test and make the patches available for our customers as soon as possible. When we apply a patch, we always build an image (e.g. for P4080) and run ptest to verify the patch.

So far we have fixed security patches for chip-vendor-supplied kernels in our own layer meta-enea, but we would like to change this policy and apply the security patches directly in the hardware-specific layer, e.g. meta-fsl-ppc, and upstream them to the layer maintainers. In this way, others can also get the patch. There are more advantages with fixing the patches in the hardware-specific layer and upstreaming them compared to fixing them in our own meta-enea layer.

We are very interested in your maintenance policy and your opinion about receiving patches from Enea.

Best Regards
Sona


Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Enea
Jan Stenbecks torg 17,
Box 1033, SE-164 21 Kista, Sweden
Direct: +46 8 5071  4475
Mobile: +46 70 971 4475
sona.sarmadi@enea.com
www.enea.com 




* Re: security patches in the Linux kernel
  2014-07-02  6:34 security patches in the Linux kernel Sona Sarmadi
@ 2014-07-02 14:17 ` Otavio Salvador
  2014-07-03  6:44   ` zhenhua.luo
  0 siblings, 1 reply; 7+ messages in thread
From: Otavio Salvador @ 2014-07-02 14:17 UTC (permalink / raw)
  To: Sona Sarmadi; +Cc: meta-freescale, meta-freescale

Hello Sona,

On Wed, Jul 2, 2014 at 3:34 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
> My name is Sona Sarmadi and I am responsible for security in Enea Linux.

Nice to meet you.

> Our goal is to apply security patches to the Linux kernels in our distribution, in order to test and make the patches available for our customers as soon as possible. When we apply a patch, we always build an image (e.g. for P4080) and run ptest to verify the patch.

Great.

> So far we have fixed security patches for chip-vendor-supplied kernels in our own layer meta-enea, but we would like to change this policy and apply the security patches directly in the hardware-specific layer, e.g. meta-fsl-ppc, and upstream them to the layer maintainers. In this way, others can also get the patch. There are more advantages with fixing the patches in the hardware-specific layer and upstreaming them compared to fixing them in our own meta-enea layer.
>
> We are very interested in your maintenance policy and your opinion about receiving patches from Enea.

I am very happy to see this initiative from Enea and I look forward to
seeing more software vendors adopting the same strategy.

I think you can prepare a patch which includes the fixes (security
related or not) and send them. Those are going to be reviewed and
applied accordingly. Regarding the maintenance policy, we follow the same
guidelines as the Yocto Project, but this does not mean we cannot
include fixes for previous branches, if someone sends them.

Tomorrow we'll have our monthly meeting[1] and it'd be good if you
could join us.

1. https://lists.yoctoproject.org/pipermail/meta-freescale/2014-June/008987.html

Please note that the time has changed and it'll take place at 14:00 GMT.

Regards,

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750



* Re: security patches in the Linux kernel
  2014-07-02 14:17 ` Otavio Salvador
@ 2014-07-03  6:44   ` zhenhua.luo
  2014-07-03 12:08     ` Otavio Salvador
  0 siblings, 1 reply; 7+ messages in thread
From: zhenhua.luo @ 2014-07-03  6:44 UTC (permalink / raw)
  To: Otavio Salvador, Sona Sarmadi; +Cc: meta-freescale, meta-freescale

Hello Sona, 

Besides what Otavio mentioned (send the Yocto patches to the meta-freescale mailing list), it will be great if those patches can be sent to kernel upstream (http://patchwork.ozlabs.org/project/linuxppc-dev/list/) directly.


Best Regards,

Zhenhua


* Re: security patches in the Linux kernel
  2014-07-03  6:44   ` zhenhua.luo
@ 2014-07-03 12:08     ` Otavio Salvador
  2014-07-03 14:56       ` Sona Sarmadi
  0 siblings, 1 reply; 7+ messages in thread
From: Otavio Salvador @ 2014-07-03 12:08 UTC (permalink / raw)
  To: zhenhua.luo; +Cc: meta-freescale, meta-freescale

On Thu, Jul 3, 2014 at 3:44 AM, zhenhua.luo@freescale.com
<zhenhua.luo@freescale.com> wrote:
> Besides what Otavio mentioned (send the Yocto patches to the meta-freescale mailing list), it will be great if those patches can be sent to kernel upstream (http://patchwork.ozlabs.org/project/linuxppc-dev/list/) directly.

Sure, but these are two parallel actions: adding them to the Yocto Project
BSP and getting those merged upstream.


* Re: security patches in the Linux kernel
  2014-07-03 12:08     ` Otavio Salvador
@ 2014-07-03 14:56       ` Sona Sarmadi
  2014-07-07  3:56         ` zhenhua.luo
  0 siblings, 1 reply; 7+ messages in thread
From: Sona Sarmadi @ 2014-07-03 14:56 UTC (permalink / raw)
  To: Otavio Salvador, zhenhua.luo; +Cc: meta-freescale, meta-freescale


Zhenhua, Otavio,

Thanks guys for your feedback. I am very glad to hear that you accept security or other patches from Enea.

Some background:

We scan the oss-security public mailing list (oss-security@lists.openwall.com) and other reliable open source mailing lists. Whenever a vulnerability (e.g. CVE-2014-4667 Linux kernel: sctp: sk_ack_backlog wrap-around problem) gets published/announced on these lists, we try to apply the patch in all Linux kernels (or other open source packages) in our distribution and run some tests. We want to help the community and contribute back the results of our work; that is why we want to apply patches in the vendor layer (e.g. meta-fsl-ppc) so others can get the security fixes without extra work.


> Tomorrow we'll have our monthly meeting[1] and it'd be good if you 
> could join us.

Unfortunately I am on vacation and couldn't join this meeting, but hopefully I can attend your future meetings.

BR - Sona


* Re: security patches in the Linux kernel
  2014-07-03 14:56       ` Sona Sarmadi
@ 2014-07-07  3:56         ` zhenhua.luo
  2014-07-07 12:10           ` Sona Sarmadi
  0 siblings, 1 reply; 7+ messages in thread
From: zhenhua.luo @ 2014-07-07  3:56 UTC (permalink / raw)
  To: Sona Sarmadi, Otavio Salvador; +Cc: meta-freescale, meta-freescale

Hello Sona, 

> -----Original Message-----
> From: Sona Sarmadi [mailto:sona.sarmadi@enea.com]
> Sent: Thursday, July 03, 2014 10:56 PM
> 
> Some background:
> 
> We scan oss-security public mailing list (oss-security@lists.openwall.com)
> and other reliable open source mailing lists. Whenever a vulnerability
> (e.g. CVE-2014-4667 Linux kernel: sctp: sk_ack_backlog wrap-around
> problem) gets published/announced on these lists, we try to apply the
> patch in all Linux kernels (or other open source packages) in our
> distribution and run some tests. We want to help the community and
> contribute back the results of our work, that is why we want to apply
> patches in the vendor-layer (e.g. meta-fsl-ppc) so others can get the
> security fixes without extra work.
[Luo Zhenhua-B19537] It is great to apply such security patches in the ppc layer to ensure community users can use them.
	Will those patches go to the kernel open-source git repository or only be maintained separately by the community? If the latter, I think patch rework might be needed along with kernel (or other OS package) upgrades.
 

Best Regards,

Zhenhua



* Re: security patches in the Linux kernel
  2014-07-07  3:56         ` zhenhua.luo
@ 2014-07-07 12:10           ` Sona Sarmadi
  0 siblings, 0 replies; 7+ messages in thread
From: Sona Sarmadi @ 2014-07-07 12:10 UTC (permalink / raw)
  To: zhenhua.luo, Otavio Salvador; +Cc: meta-freescale, meta-freescale

Hi Zhenhua,

These patches are fixed by the community and published/discussed in the oss-security mailing list (http://www.openwall.com/lists/oss-security/2014/06/). These are normally fixed in a later "git.kernel.org" version and we try to backport them to the kernel versions we are using (e.g. the meta-fsl-ppc layer, which is using the 3.8.13 kernel).

If we find the bug at Enea and fix it, we will send the patch to the relevant kernel mailing list.

Best regards
Sona 

