[cip-dev] [isar-cip-core 0/3] Security Branch patches

[cip-dev] [isar-cip-core 0/3] Security Branch patches

[Venkata Pyla]

[-- Attachment #1: Type: text/plain, Size: 1637 bytes --]

From: Venkata Pyla <venkata.pyla@toshiba-tsip.com>

Patch series for Security changes for IEC-62443-4-2 evaluation

Kazuhiro Hayashi (1):
  cip-security: Add packages for IEC-62443-4-2 evaluation

Venkata Pyla (2):
  start-qemu.sh: Use 'TARGET_IMAGE' to pick respective image file
  README: Add steps to build cip-security image

 README.md                                     | 10 ++++++
 .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
 start-qemu.sh                                 |  6 +++-
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 recipes-core/images/cip-core-image-security.bb

-- 
2.20.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5020): https://lists.cip-project.org/g/cip-dev/message/5020
Mute This Topic: https://lists.cip-project.org/mt/75820360/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

[cip-dev] [isar-cip-core 1/3] cip-security: Add packages for IEC-62443-4-2 evaluation

[Venkata Pyla]

[-- Attachment #1: Type: text/plain, Size: 2478 bytes --]

From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>

Identified security packages are added to the target image
and that will be used for IEC-62443-4-2 evaluation

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
---
 .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 recipes-core/images/cip-core-image-security.bb

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
new file mode 100644
index 0000000..a17c522
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,36 @@
+#
+# A reference image which includes security packages
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image
+
+DESCRIPTION = "CIP Core image including security packages"
+
+IMAGE_INSTALL += "customizations"
+
+# Debian packages that provide security features
+IMAGE_PREINSTALL += " \
+	openssl libssl1.1 \
+	fail2ban \
+	openssh-server openssh-sftp-server openssh-client \
+	syslog-ng-core syslog-ng-mod-journal \
+	aide aide-common \
+	libnftables0 nftables \
+	libpam-pkcs11 \
+	chrony \
+	tpm2-tools \
+	tpm2-abrmd \
+	libtss2-esys0 libtss2-udev \
+	libpam-cracklib \
+	acl \
+	libauparse0 audispd-plugins auditd \
+	uuid-runtime \
+	sudo \
+"
-- 
2.20.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5021): https://lists.cip-project.org/g/cip-dev/message/5021
Mute This Topic: https://lists.cip-project.org/mt/75820361/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

[cip-dev] [isar-cip-core 2/3] start-qemu.sh: Use 'TARGET_IMAGE' to pick respective image file

[Venkata Pyla]

[-- Attachment #1: Type: text/plain, Size: 2069 bytes --]

From: Venkata Pyla <venkata.pyla@toshiba-tsip.com>

Use 'TARGET_IMAGE' to pick respective image file when starting qemu
by default 'TARGET_IMAGE' uses "cip-core-image".

to pick different target image set the 'TARGET_IMAGE' variable as below
e.g: $TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64

Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
---
 start-qemu.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..5c17d74 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -75,7 +75,11 @@ if [ -z "${DISTRO_RELEASE}" ]; then
 	DISTRO_RELEASE="buster"
 fi
 
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
+if [ -z "${TARGET_IMAGE}" ]; then
+	TARGET_IMAGE="cip-core-image"
+fi
+
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
 IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
 
 if [ -z "${DISPLAY}" ]; then
-- 
2.20.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5022): https://lists.cip-project.org/g/cip-dev/message/5022
Mute This Topic: https://lists.cip-project.org/mt/75820362/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

[cip-dev] [isar-cip-core 3/3] README: Add steps to build cip-security image

[Venkata Pyla]

[-- Attachment #1: Type: text/plain, Size: 1777 bytes --]

From: Venkata Pyla <venkata.pyla@toshiba-tsip.com>

Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 59a014b..26fbbef 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,16 @@ card, run
     dd if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img \
        of=/dev/<medium-device> bs=1M status=progress
 
+## Building Security target images
+Building images for QEMU x86-64bit machine
+
+    ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml
+
+Run the generated securiy images on QEMU (x86-64bit)
+
+    TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
+
+
 ## Community Resources
 
 TBD
-- 
2.20.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5023): https://lists.cip-project.org/g/cip-dev/message/5023
Mute This Topic: https://lists.cip-project.org/mt/75820363/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [isar-cip-core 1/3] cip-security: Add packages for IEC-62443-4-2 evaluation

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 1846 bytes --]

On 27.07.20 13:41, venkata.pyla@toshiba-tsip.com wrote:
> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> 
> Identified security packages are added to the target image
> and that will be used for IEC-62443-4-2 evaluation
> 
> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
> ---
>   .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
>   1 file changed, 36 insertions(+)
>   create mode 100644 recipes-core/images/cip-core-image-security.bb
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> new file mode 100644
> index 0000000..a17c522
> --- /dev/null
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -0,0 +1,36 @@
> +#
> +# A reference image which includes security packages
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# Authors:
> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit image
> +
> +DESCRIPTION = "CIP Core image including security packages"
> +
> +IMAGE_INSTALL += "customizations"
> +
> +# Debian packages that provide security features
> +IMAGE_PREINSTALL += " \
> +	openssl libssl1.1 \
> +	fail2ban \
> +	openssh-server openssh-sftp-server openssh-client \
> +	syslog-ng-core syslog-ng-mod-journal \
> +	aide aide-common \
> +	libnftables0 nftables \
> +	libpam-pkcs11 \
> +	chrony \
> +	tpm2-tools \
> +	tpm2-abrmd \
> +	libtss2-esys0 libtss2-udev \
> +	libpam-cracklib \
> +	acl \
> +	libauparse0 audispd-plugins auditd \
> +	uuid-runtime \
> +	sudo \
> +"
> 

Still no CI for this. You can send that separately on top, the series 
looks fine otherwise.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5030): https://lists.cip-project.org/g/cip-dev/message/5030
Mute This Topic: https://lists.cip-project.org/mt/75820361/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [isar-cip-core 1/3] cip-security: Add packages for IEC-62443-4-2 evaluation

[Venkata Pyla]

[-- Attachment #1: Type: text/plain, Size: 2444 bytes --]

On Mon, Jul 27, 2020 at 08:04 PM, Jan Kiszka wrote:

>
> On 27.07.20 13:41, venkata.pyla@toshiba-tsip.com wrote:
> > From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > 
> > Identified security packages are added to the target image
> > and that will be used for IEC-62443-4-2 evaluation
> > 
> > Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
> > ---
> >   .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
> >   1 file changed, 36 insertions(+)
> >   create mode 100644 recipes-core/images/cip-core-image-security.bb
> > 
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> b/recipes-core/images/cip-core-image-security.bb
> > new file mode 100644
> > index 0000000..a17c522
> > --- /dev/null
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -0,0 +1,36 @@
> > +#
> > +# A reference image which includes security packages
> > +#
> > +# Copyright (c) Toshiba Corporation, 2020
> > +#
> > +# Authors:
> > +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +inherit image
> > +
> > +DESCRIPTION = "CIP Core image including security packages"
> > +
> > +IMAGE_INSTALL += "customizations"
> > +
> > +# Debian packages that provide security features
> > +IMAGE_PREINSTALL += " \
> > +	openssl libssl1.1 \
> > +	fail2ban \
> > +	openssh-server openssh-sftp-server openssh-client \
> > +	syslog-ng-core syslog-ng-mod-journal \
> > +	aide aide-common \
> > +	libnftables0 nftables \
> > +	libpam-pkcs11 \
> > +	chrony \
> > +	tpm2-tools \
> > +	tpm2-abrmd \
> > +	libtss2-esys0 libtss2-udev \
> > +	libpam-cracklib \
> > +	acl \
> > +	libauparse0 audispd-plugins auditd \
> > +	uuid-runtime \
> > +	sudo \
> > +"
> > 
> 
> Still no CI for this. You can send that separately on top, the series 
> looks fine otherwise.
>

To add security image in gitlab-ci.yml i need some suggestions...
in deploy-cip-core script that is used in gitlab-ci is expecting *.wic image for copying the files, 
but because there is no wks file yet for QEMU it is not generating the image.

i think we should add wks file for the qemu target, can you guide me how to do that?

> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
>

[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5046): https://lists.cip-project.org/g/cip-dev/message/5046
Mute This Topic: https://lists.cip-project.org/mt/75820361/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [isar-cip-core 1/3] cip-security: Add packages for IEC-62443-4-2 evaluation

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 2898 bytes --]

On 29.07.20 14:39, Venkata Pyla wrote:
> On Mon, Jul 27, 2020 at 08:04 PM, Jan Kiszka wrote:
> 
>>
>> On 27.07.20 13:41, venkata.pyla@toshiba-tsip.com wrote:
>>> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>>
>>> Identified security packages are added to the target image
>>> and that will be used for IEC-62443-4-2 evaluation
>>>
>>> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
>>> ---
>>>    .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
>>>    1 file changed, 36 insertions(+)
>>>    create mode 100644 recipes-core/images/cip-core-image-security.bb
>>>
>>> diff --git a/recipes-core/images/cip-core-image-security.bb
>> b/recipes-core/images/cip-core-image-security.bb
>>> new file mode 100644
>>> index 0000000..a17c522
>>> --- /dev/null
>>> +++ b/recipes-core/images/cip-core-image-security.bb
>>> @@ -0,0 +1,36 @@
>>> +#
>>> +# A reference image which includes security packages
>>> +#
>>> +# Copyright (c) Toshiba Corporation, 2020
>>> +#
>>> +# Authors:
>>> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +inherit image
>>> +
>>> +DESCRIPTION = "CIP Core image including security packages"
>>> +
>>> +IMAGE_INSTALL += "customizations"
>>> +
>>> +# Debian packages that provide security features
>>> +IMAGE_PREINSTALL += " \
>>> +	openssl libssl1.1 \
>>> +	fail2ban \
>>> +	openssh-server openssh-sftp-server openssh-client \
>>> +	syslog-ng-core syslog-ng-mod-journal \
>>> +	aide aide-common \
>>> +	libnftables0 nftables \
>>> +	libpam-pkcs11 \
>>> +	chrony \
>>> +	tpm2-tools \
>>> +	tpm2-abrmd \
>>> +	libtss2-esys0 libtss2-udev \
>>> +	libpam-cracklib \
>>> +	acl \
>>> +	libauparse0 audispd-plugins auditd \
>>> +	uuid-runtime \
>>> +	sudo \
>>> +"
>>>
>>
>> Still no CI for this. You can send that separately on top, the series
>> looks fine otherwise.
>>
> 
> To add security image in gitlab-ci.yml i need some suggestions...
> in deploy-cip-core script that is used in gitlab-ci is expecting *.wic image for copying the files,
> but because there is no wks file yet for QEMU it is not generating the image.
> 
> i think we should add wks file for the qemu target, can you guide me how to do that?

Such a wks file only makes sense when we switch QEMU to image-based 
booting, like Quirin does in [1].

For adding CI coverage to the security image, it would already be enough 
to just build it, skipping the deployment. Of course, if you'd like to 
feed the build result into automated testing, that needs deployment 
again, but possibly also more. So, let's postpone it until that is on 
the agenda of the day, I would say.

Jan

[1] https://lists.cip-project.org/g/cip-dev/message/4997

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5047): https://lists.cip-project.org/g/cip-dev/message/5047
Mute This Topic: https://lists.cip-project.org/mt/75820361/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [isar-cip-core 0/3] Security Branch patches

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 894 bytes --]

On 27.07.20 13:41, Venkata Pyla wrote:
> From: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
> 
> Patch series for Security changes for IEC-62443-4-2 evaluation
> 
> Kazuhiro Hayashi (1):
>    cip-security: Add packages for IEC-62443-4-2 evaluation
> 
> Venkata Pyla (2):
>    start-qemu.sh: Use 'TARGET_IMAGE' to pick respective image file
>    README: Add steps to build cip-security image
> 
>   README.md                                     | 10 ++++++
>   .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
>   start-qemu.sh                                 |  6 +++-
>   3 files changed, 51 insertions(+), 1 deletion(-)
>   create mode 100644 recipes-core/images/cip-core-image-security.bb
> 

Applied to next - now awaiting the patch for .gitlab-ci.yml ;)

Thanks,
Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5049): https://lists.cip-project.org/g/cip-dev/message/5049
Mute This Topic: https://lists.cip-project.org/mt/75820360/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-