cip-dev.lists.cip-project.org archive mirror
* [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
@ 2023-10-31  8:37 Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Quirin Gylstorff
                   ` (10 more replies)
  0 siblings, 11 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Clean up the customization scripts by:
  - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
  - Move systemd service overrides to files instead of setting them in
    postinst
  - fix formatting
  - fix scripting error in security customizations

Changes v2:
  - Remove explicit installation of libtss2-esys* as it is required by
    tpm2-tools.
  - Add note about used style checker

Quirin Gylstorff (9):
  scripts/deploy-kernelci: Format python code and remove unused import
  customizations: Add variable to set the HOSTNAME
  customizations: Move ssh configuration from postinst to sshd_config.d
  security-customizations: Add dependency to customizations
  security-customizations: Fix shell error
  security-customizations: Extract sshd config from postinst to files
  cip-core-image-security: Move packages to security-customization
  customization-kernelci: Add dependency to customizations
  kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf

 conf/layer.conf                               |  2 ++
 kas/opt/reproducible.yml                      |  1 -
 kas/opt/security.yml                          |  2 ++
 recipes-core/customizations/common.inc        |  6 +++-
 recipes-core/customizations/customizations.bb | 10 ++++++
 .../files/{postinst => postinst.tmpl}         |  8 ++---
 .../customizations/files/ssh-permit-root.conf |  1 +
 .../images/cip-core-image-security.bb         | 12 +------
 .../kernelci-customizations/files/postinst    | 11 -------
 .../files/serial-getty-kernelci-override.conf |  3 ++
 .../files/ssh-permit-empty-passwords.conf     |  2 ++
 .../kernelci-customizations.bb                | 18 ++++++++---
 .../security-customizations/files/postinst    | 24 ++------------
 .../files/ssh-pam-remote.conf                 |  4 +++
 .../files/ssh-remote-session-term.conf        |  5 +++
 .../security-customizations.bb                | 22 ++++++++++---
 scripts/deploy-kernelci.py                    | 31 ++++++++++---------
 17 files changed, 86 insertions(+), 76 deletions(-)
 rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
 create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
 create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
 create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
 create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
 create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf

-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME Quirin Gylstorff
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Use flake8 to check for issues.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 scripts/deploy-kernelci.py | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/scripts/deploy-kernelci.py b/scripts/deploy-kernelci.py
index 5a8adca..62f3f01 100755
--- a/scripts/deploy-kernelci.py
+++ b/scripts/deploy-kernelci.py
@@ -1,30 +1,30 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
-import subprocess
 import requests
 import os
 import sys
 import time
 from urllib.parse import urljoin
 
-cdate=time.strftime("%Y%m%d")
-api="https://api.kernelci.org/upload"
-token=os.getenv("KERNELCI_TOKEN")
+cdate = time.strftime("%Y%m%d")
+api = "https://api.kernelci.org/upload"
+token = os.getenv("KERNELCI_TOKEN")
 
-release=sys.argv[1]
-target=sys.argv[2]
-extension=sys.argv[3]
+release = sys.argv[1]
+target = sys.argv[2]
+extension = sys.argv[3]
 
-rootfs_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz"
-initrd_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img"
-initrd_gz_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz"
+rootfs_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz"
+initrd_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img"
+initrd_gz_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz"
+
+input_dir = "build/tmp/deploy/images/"+target
+upload_path = "/images/rootfs/cip/"+cdate+"/"+target+"/"
+upload_path_latest = "/images/rootfs/cip/latest/"+target+"/"
+rootfs = input_dir+"/"+rootfs_filename
+initrd = input_dir+"/"+initrd_filename
 
-input_dir="build/tmp/deploy/images/"+target
-upload_path="/images/rootfs/cip/"+cdate+"/"+target+"/"
-upload_path_latest="/images/rootfs/cip/latest/"+target+"/"
-rootfs=input_dir+"/"+rootfs_filename
-initrd=input_dir+"/"+initrd_filename
 
 def upload_file(api, token, path, input_file, input_filename):
     headers = {
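Review bot: release, target and extension are read from sys.argv[1..3] and the token from KERNELCI_TOKEN without any check, so a missing argument dies with an IndexError and an unset token is sent as a None header value; since this patch already tidies the script, a usage message on `len(sys.argv) != 4` and an explicit exit when `token` is None would be cheap and make failures readable in CI logs. The formatting changes and the dropped unused `subprocess` import look fine.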
@@ -40,6 +40,7 @@ def upload_file(api, token, path, input_file, input_filename):
     resp = requests.post(url, headers=headers, data=data, files=files)
     resp.raise_for_status()
 
+
 if os.path.exists(rootfs) and os.path.exists(initrd):
     print("uploading rootfs to KernelCI")
     upload_file(api, token, upload_path, rootfs, rootfs_filename)
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d Quirin Gylstorff
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the variable CUSTOM_HOSTNAME to modify the hostname of
the image.

The default value of CUSTOM_HOSTNAME is "demo".

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/customizations/common.inc                      | 6 +++++-
 .../customizations/files/{postinst => postinst.tmpl}        | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
 rename recipes-core/customizations/files/{postinst => postinst.tmpl} (85%)

diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc
index 680a4d6..79bf80d 100644
--- a/recipes-core/customizations/common.inc
+++ b/recipes-core/customizations/common.inc
@@ -14,16 +14,20 @@ inherit dpkg-raw
 FILESPATH:append := ":${FILE_DIRNAME}/files"
 
 SRC_URI = " \
-    file://postinst \
+    file://postinst.tmpl \
     file://ethernet \
     file://99-silent-printk.conf \
     file://99-watchdog.conf"
 
 SRC_URI:append:swupdate = " file://swupdate.cfg"
 
+CUSTOM_HOSTNAME ??= "demo"
 WIRELESS_FIRMWARE_PACKAGE ?= ""
 INSTALL_WIRELESS_TOOLS ??= "0"
 
+TEMPLATE_FILES += "postinst.tmpl"
+TEMPLATE_VARS += "CUSTOM_HOSTNAME"
+
 DEPENDS += "sshd-regen-keys change-root-homedir"
 
 DEBIAN_DEPENDS = " \
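Review bot: CUSTOM_HOSTNAME is substituted verbatim into a shell script through TEMPLATE_VARS, so a value containing quotes, `$` or whitespace breaks the generated postinst, and a value that is not a valid hostname only shows up at first boot. Consider documenting the allowed character set next to `CUSTOM_HOSTNAME ??= "demo"` or adding a parse-time check so a bad value fails the build rather than the image.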
diff --git a/recipes-core/customizations/files/postinst b/recipes-core/customizations/files/postinst.tmpl
similarity index 85%
rename from recipes-core/customizations/files/postinst
rename to recipes-core/customizations/files/postinst.tmpl
index 7e7ea36..2668a93 100644
--- a/recipes-core/customizations/files/postinst
+++ b/recipes-core/customizations/files/postinst.tmpl
@@ -2,7 +2,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2019-2023
 #
 # Authors:
 #  Jan Kiszka <jan.kiszka@siemens.com>
@@ -18,6 +18,6 @@ if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then
 	echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
 fi
 
-HOSTNAME=demo
+HOSTNAME="${CUSTOM_HOSTNAME}"
 echo "$HOSTNAME" > /etc/hostname
 echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
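Review bot: `echo "127.0.0.1 $HOSTNAME" >> /etc/hosts` is an unconditional append, so every reconfigure of the package adds another identical line to /etc/hosts; a grep guard like the one this file already uses for sshd_config would keep the script idempotent. The template substitution itself is fine.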
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations Quirin Gylstorff
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Make the ssh configuration in line with Debian guidelines by adding
an additional file to /etc/ssh/sshd_config.d/.

This also allows disabling these changes with a customization.bbappend
instead of overwriting the postinst script.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/customizations/customizations.bb          | 8 ++++++++
 recipes-core/customizations/files/postinst.tmpl        | 4 ----
 recipes-core/customizations/files/ssh-permit-root.conf | 1 +
 3 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf

diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index ad16a90..3dbeb3f 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -11,6 +11,7 @@
 
 require common.inc
 
+SRC_URI += "file://ssh-permit-root.conf"
 DESCRIPTION = "CIP Core image demo & customizations"
 
 do_prepare_build:prepend:qemu-riscv64() {
@@ -20,3 +21,10 @@ do_prepare_build:prepend:qemu-riscv64() {
 		echo "systemctl mask serial-getty@hvc0.service" >> ${WORKDIR}/postinst
 	fi
 }
+
+do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/"
+do_install:append () {
+	if [ -f "${WORKDIR}/ssh-permit-root.conf" ]; then
+		install -v -m 644 ${WORKDIR}/ssh-permit-root.conf ${D}/etc/ssh/sshd_config.d/
+	fi
+}
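Review bot: the `[ -f "${WORKDIR}/ssh-permit-root.conf" ]` guard in do_install:append silently skips the install when the file is missing, which would also mask a typo in SRC_URI; if the purpose is to let a bbappend or override drop the file, a one-line comment above the guard saying so would help the next reader. Mode 644 is fine for sshd_config.d (sshd only requires the files to be root-owned and not group/world-writable), and the cleandirs entry makes sure stale drop-ins do not leak into the package.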
diff --git a/recipes-core/customizations/files/postinst.tmpl b/recipes-core/customizations/files/postinst.tmpl
index 2668a93..62e9a1a 100644
--- a/recipes-core/customizations/files/postinst.tmpl
+++ b/recipes-core/customizations/files/postinst.tmpl
@@ -14,10 +14,6 @@ set -e
 
 echo "CIP Core Demo & Test Image (login: root/root)" > /etc/issue
 
-if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then
-	echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
-fi
-
 HOSTNAME="${CUSTOM_HOSTNAME}"
 echo "$HOSTNAME" > /etc/hostname
 echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
diff --git a/recipes-core/customizations/files/ssh-permit-root.conf b/recipes-core/customizations/files/ssh-permit-root.conf
new file mode 100644
index 0000000..1073982
--- /dev/null
+++ b/recipes-core/customizations/files/ssh-permit-root.conf
@@ -0,0 +1 @@
+PermitRootLogin yes
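Review bot: this drop-in only takes effect if the distro's /etc/ssh/sshd_config carries `Include /etc/ssh/sshd_config.d/*.conf`, which Debian ships from bullseye (OpenSSH 8.4) onwards; OpenSSH 7.9 in buster has no Include directive at all, so on a buster build this file is ignored and root password login stays at the default prohibit-password, silently changing the demo image's behaviour there. Since the layer still carries buster-specific overrides elsewhere in this series, either keep the old sshd_config edit for buster or state that buster is no longer supported. Note also that sshd uses the first value of a keyword it sees, so the drop-in wins only because Debian's Include precedes the rest of sshd_config.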
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (2 preceding siblings ...)
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error Quirin Gylstorff
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

To simplify the package structure, security customizations no
longer set the hostname and use a dependency instead of an include.

Add the OVERRIDE `security` to enable or disable security related
configuration settings.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/security.yml                                      | 2 ++
 recipes-core/customizations/customizations.bb             | 2 ++
 recipes-core/security-customizations/files/postinst       | 4 ----
 .../security-customizations/security-customizations.bb    | 8 ++++----
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/kas/opt/security.yml b/kas/opt/security.yml
index d87235a..000c522 100644
--- a/kas/opt/security.yml
+++ b/kas/opt/security.yml
@@ -24,3 +24,5 @@ local_conf_header:
   adjust-swupdate: |
     ABROOTFS_IMAGE_RECIPE = "cip-core-image-security"
     VERITY_IMAGE_RECIPE = "cip-core-image-security"
+  security-override: |
+    OVERRIDES .= ":security"
diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 3dbeb3f..3f6b5de 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -12,6 +12,8 @@
 require common.inc
 
 SRC_URI += "file://ssh-permit-root.conf"
+SRC_URI:remove:security = "file://ssh-permit-root.conf"
+
 DESCRIPTION = "CIP Core image demo & customizations"
 
 do_prepare_build:prepend:qemu-riscv64() {
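Review bot: `SRC_URI:remove:security` only drops the PermitRootLogin drop-in when `security` is in OVERRIDES, and that override is added by kas/opt/security.yml rather than by the security image or recipe itself; a build that pulls in cip-core-image-security and security-customizations without the kas fragment therefore still ships `PermitRootLogin yes`. Consider setting the override from the image recipe or a distro include so the hardening does not depend on which build front-end is used.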
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 620c863..bbd21bd 100755
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -8,10 +8,6 @@ set -e
 
 echo "CIP Core Security Image (login: root/CIPsecurity@123)" > /etc/issue
 
-HOSTNAME=demo
-echo "$HOSTNAME" > /etc/hostname
-echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
-
 # CR1.7: Strength of password-based authentication
 # Pam configuration to  enforce password strength
 PAM_PWD_FILE="/etc/pam.d/common-password"
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
index 240a577..d5249a2 100644
--- a/recipes-core/security-customizations/security-customizations.bb
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -9,12 +9,12 @@
 # SPDX-License-Identifier: MIT
 #
 
-require recipes-core/customizations/common.inc
+inherit dpkg-raw
 
 DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
 
-SRC_URI += "file://postinst"
+SRC_URI = "file://postinst"
 
-DEPENDS += "sshd-regen-keys"
-DEBIAN_DEPENDS += ", sshd-regen-keys, libpam-google-authenticator"
+DEPENDS = "customizations, sshd-regen-keys"
+DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"
 
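Review bot: `DEPENDS = "customizations, sshd-regen-keys"` is wrong for bitbake, which splits DEPENDS on whitespace, so this declares a build dependency on a recipe literally named `customizations,`; the space-separated form is needed, and `DEBIAN_DEPENDS = "customizations , sshd-regen-keys, ..."` has a stray space before the comma. Patch 7/9 of this series corrects DEPENDS; squash that fix into this patch so every commit in the series parses on its own.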
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (3 preceding siblings ...)
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files Quirin Gylstorff
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

if [ -f ... ] does not work with globbing.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/security-customizations/files/postinst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index bbd21bd..717b7ac 100755
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -32,11 +32,11 @@ fi
 # Lock user account after unsuccessful login attempts
 PAM_AUTH_FILE="/etc/pam.d/common-auth"
 # pam_tally2 is deprecated from pam version 1.4.0-7
-if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then
+if readlink -f /lib/*-linux-gnu*/security/pam_tally2.so; then
        PAM_MODULE="pam_tally2.so"
        PAM_CONFIG="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60
                  \naccount required pam_tally2.so"
-elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then
+elif readlink -f /lib/*-linux-gnu*/security/pam_faillock.so; then
        PAM_MODULE="pam_faillock.so"
        PAM_CONFIG="auth   required  pam_faillock.so preauth silent  deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \
                \nauth   required  pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \
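Review bot: `if readlink -f /lib/*-linux-gnu*/security/pam_tally2.so; then` fixes the glob problem but prints the resolved path to stdout on every package install; redirecting to /dev/null, or a small loop such as `for f in /lib/*-linux-gnu*/security/pam_tally2.so; do [ -f "$f" ] && ...`, keeps the postinst quiet. Unrelated but in the touched context: the `pam_faillock.so .so authfail` line carries a stray `.so` token that is handed to the module as an option; worth fixing while here.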
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (4 preceding siblings ...)
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization Quirin Gylstorff
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

For easier maintenance extract the ssh configuration to
/etc/sshd_config.d/.

Configuration entries in sshd_config.d will overwrite elements in
sshd_config.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../security-customizations/files/postinst       | 16 ----------------
 .../files/ssh-pam-remote.conf                    |  4 ++++
 .../files/ssh-remote-session-term.conf           |  5 +++++
 .../security-customizations.bb                   |  9 ++++++++-
 4 files changed, 17 insertions(+), 17 deletions(-)
 create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
 create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 717b7ac..daade83 100755
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -51,14 +51,6 @@ if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then
 fi
 sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}"
 
-# CR2.6: Remote session termination
-# Terminate remote session after inactive time period
-SSHD_CONFIG="/etc/ssh/sshd_config"
-alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
-alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
-sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
-sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
-
 # CR2.7: Concurrent session control
 # Limit the concurrent login sessions
 LIMITS_CONFIG="/etc/security/limits.conf"
@@ -80,12 +72,4 @@ if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
         sed -i '/pam_google_authenticator.so/ s/^#*/#/'  "${SSHD_AUTH_CONFIG}"
 fi
 echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
-# Enable PAM configuration for Remote Session
-if grep -s -q "ChallengeResponseAuthentication" "${SSHD_CONFIG}";then
-       sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
-fi
 
-if grep -s -q "KbdInteractiveAuthentication" "${SSHD_CONFIG}";then
-       sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/g' "${SSHD_CONFIG}"
-fi
-echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
diff --git a/recipes-core/security-customizations/files/ssh-pam-remote.conf b/recipes-core/security-customizations/files/ssh-pam-remote.conf
new file mode 100644
index 0000000..d460b0c
--- /dev/null
+++ b/recipes-core/security-customizations/files/ssh-pam-remote.conf
@@ -0,0 +1,4 @@
+# Enable PAM configuration for Remote Session
+ChallengeResponseAuthentication yes
+KbdInteractiveAuthentication yes
+AuthenticationMethods keyboard-interactive
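Review bot: `AuthenticationMethods keyboard-interactive` makes PAM keyboard-interactive the only accepted method, so public-key logins are refused on this image; if the intent is pam_google_authenticator as a second factor in addition to a key, `publickey,keyboard-interactive` is the usual form, and if password-plus-TOTP only is intended, a comment stating that key authentication is deliberately disabled would avoid surprises. Keeping both `ChallengeResponseAuthentication` and `KbdInteractiveAuthentication` is harmless, the former being the pre-8.7 alias of the latter.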
diff --git a/recipes-core/security-customizations/files/ssh-remote-session-term.conf b/recipes-core/security-customizations/files/ssh-remote-session-term.conf
new file mode 100644
index 0000000..d11b92e
--- /dev/null
+++ b/recipes-core/security-customizations/files/ssh-remote-session-term.conf
@@ -0,0 +1,5 @@
+# CR2.6: Remote session termination
+# Terminate remote session after inactive time period
+
+ClientAliveInterval 120
+ClientAliveCountMax 0
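Review bot: `ClientAliveCountMax 0` does not do what the CR2.6 comment says on current OpenSSH: since OpenSSH 8.2 a value of 0 disables connection termination entirely instead of dropping the client after the first unanswered probe, so on bullseye (8.4) and bookworm (9.2) unresponsive sessions are never terminated. `ClientAliveCountMax 1` together with `ClientAliveInterval 120` terminates an unresponsive session after roughly two minutes on all supported releases. Note also that ClientAlive probes detect a dead or unresponsive client, not an idle user; if the requirement is inactivity, a shell-level idle timeout is the matching control.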
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
index d5249a2..d3cede8 100644
--- a/recipes-core/security-customizations/security-customizations.bb
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -13,8 +13,15 @@ inherit dpkg-raw
 
 DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
 
-SRC_URI = "file://postinst"
+SRC_URI = "file://postinst \
+           file://ssh-remote-session-term.conf \
+           file://ssh-pam-remote.conf"
 
 DEPENDS = "customizations, sshd-regen-keys"
 DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"
 
+do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/"
+do_install () {
+    install -m 600 ${WORKDIR}/ssh-remote-session-term.conf ${D}/etc/ssh/sshd_config.d/
+    install -m 600 ${WORKDIR}/ssh-pam-remote.conf ${D}/etc/ssh/sshd_config.d/
+}
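Review bot: the two drop-ins are installed with mode 600 here while customizations.bb installs ssh-permit-root.conf with 644; sshd accepts either, but one convention across the layer makes the files easier to audit. Defining `do_install ()` outright rather than `:append` is correct now that the recipe inherits dpkg-raw directly.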
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (5 preceding siblings ...)
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations Quirin Gylstorff
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

To ensure that the package security-customizations is installable,
move packages from cip-core-image-security as dependencies to
security-packages.

Remove libtss2-esys* as it is already installed together with
tpm2-tools.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/images/cip-core-image-security.bb       | 12 +-----------
 .../security-customizations.bb                       | 11 ++++++++---
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 3421ce5..525a346 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -28,24 +28,14 @@ IMAGE_PREINSTALL += " \
 	tpm2-tools \
 	tpm2-abrmd \
 	acl \
-	audispd-plugins auditd \
+	audispd-plugins \
 	uuid-runtime \
 	sudo \
 	aide-common \
-	libpam-google-authenticator \
 	passwd \
 	login \
-	libpam-runtime \
 	util-linux \
 "
 
-# Package names based on the distro version
-IMAGE_PREINSTALL:append:buster = " libtss2-esys0 \
-                                   libpam-cracklib"
-IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0 \
-                                     libpam-cracklib"
-IMAGE_PREINSTALL:append:bookworm = " libtss2-esys-3.0.2-0 \
-                                     libpam-passwdqc"
-
 CIP_IMAGE_OPTIONS ?= ""
 require ${CIP_IMAGE_OPTIONS}
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
index d3cede8..75a6a99 100644
--- a/recipes-core/security-customizations/security-customizations.bb
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -11,14 +11,19 @@
 
 inherit dpkg-raw
 
-DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
+DESCRIPTION = "CIP Security configuration for IEC62443-4-2 evaluation"
 
 SRC_URI = "file://postinst \
            file://ssh-remote-session-term.conf \
            file://ssh-pam-remote.conf"
 
-DEPENDS = "customizations, sshd-regen-keys"
-DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"
+DEPENDS = "customizations sshd-regen-keys"
+DEBIAN_DEPENDS = "customizations, sshd-regen-keys, libpam-google-authenticator, libpam-modules, libpam-runtime, auditd"
+
+# Package names based on the distro version
+DEBIAN_DEPENDS:append:buster = ", libpam-cracklib"
+DEBIAN_DEPENDS:append:bullseye = ", libpam-cracklib"
+DEBIAN_DEPENDS:append:bookworm = ", libpam-passwdqc"
 
 do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/"
 do_install () {
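Review bot: `DEPENDS = "customizations sshd-regen-keys"` silently fixes the comma-separated DEPENDS introduced in 4/9; that fix belongs in 4/9 so the series bisects cleanly, leaving this patch with only the package move. The move itself looks right: libpam-runtime, libpam-google-authenticator, auditd and the per-release cracklib/passwdqc packages are all consumed by this recipe's postinst, so DEBIAN_DEPENDS rather than IMAGE_PREINSTALL is the correct place for them.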
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (6 preceding siblings ...)
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf Quirin Gylstorff
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This is to simplify maintenance.

Also extract the serial getty override and sshd_config
changes from postinstall to separate files.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../kernelci-customizations/files/postinst     | 11 -----------
 .../files/serial-getty-kernelci-override.conf  |  3 +++
 .../files/ssh-permit-empty-passwords.conf      |  2 ++
 .../kernelci-customizations.bb                 | 18 ++++++++++++++----
 4 files changed, 19 insertions(+), 15 deletions(-)
 create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
 create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf

diff --git a/recipes-core/kernelci-customizations/files/postinst b/recipes-core/kernelci-customizations/files/postinst
index 7ae30e8..08544a4 100644
--- a/recipes-core/kernelci-customizations/files/postinst
+++ b/recipes-core/kernelci-customizations/files/postinst
@@ -15,20 +15,9 @@
 echo "CIP Core Demo & Test Image" > /etc/issue
 
 # permit root login without password
-echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
-echo "PermitEmptyPasswords yes" >> /etc/ssh/sshd_config
 passwd root -d
 
-# serial getty service for autologin
-mkdir -p /etc/systemd/system/serial-getty@.service.d/
-echo "[Service]" > /etc/systemd/system/serial-getty@.service.d/override.conf
-echo "ExecStart=" >> /etc/systemd/system/serial-getty@.service.d/override.conf
-echo "ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM" >> /etc/systemd/system/serial-getty@.service.d/override.conf
-
 # set the profile for KernelCI
 echo "PS1='\$(pwd) # '" > /root/.profile
 echo "cd /" >> /root/.profile
 
-HOSTNAME=demo
-echo "$HOSTNAME" > /etc/hostname
-echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
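Review bot: the comment `# permit root login without password` now only describes `passwd root -d`, since the sshd part moved to ssh-permit-empty-passwords.conf; update the comment, ideally pointing at the drop-in, so the two halves of the change stay discoverable.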
diff --git a/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
new file mode 100644
index 0000000..a1472c5
--- /dev/null
+++ b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM
diff --git a/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
new file mode 100644
index 0000000..b958fec
--- /dev/null
+++ b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
@@ -0,0 +1,2 @@
+PermitEmptyPasswords yes
+
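Review bot: the new file ends with an extra empty line (`+` with no content); trivial, but worth dropping. More importantly, `PermitEmptyPasswords yes` only reaches root if `PermitRootLogin yes` is also in effect, which this recipe gets from the customizations package's ssh-permit-root.conf, and that file is removed under the `security` override; the kernelci image therefore depends on being built without it. A comment here stating that dependency would make the coupling explicit.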
diff --git a/recipes-core/kernelci-customizations/kernelci-customizations.bb b/recipes-core/kernelci-customizations/kernelci-customizations.bb
index f972be5..3a99884 100644
--- a/recipes-core/kernelci-customizations/kernelci-customizations.bb
+++ b/recipes-core/kernelci-customizations/kernelci-customizations.bb
@@ -11,13 +11,23 @@
 # SPDX-License-Identifier: MIT
 #
 
-require recipes-core/customizations/common.inc
+inherit dpkg-raw
 
 DESCRIPTION = "CIP Core KernelCI image customizations"
 
-SRC_URI += "file://dmesg.sh"
+DEPENDS += "customizations"
+DEBIAN_DEPENDS += "customizations"
 
-do_install:append() {
-  install -v -d ${D}/opt/kernelci
+SRC_URI = "file://postinst \
+           file://dmesg.sh \
+           file://serial-getty-kernelci-override.conf \
+           file://ssh-permit-empty-passwords.conf"
+
+do_install[cleandirs] = "${D}/opt/kernelci/ \
+                         ${D}/etc/systemd/system/serial-getty@.service.d/ \
+                         ${D}/etc/ssh/sshd_config.d/"
+do_install() {
   install -v -m 744 ${WORKDIR}/dmesg.sh ${D}/opt/kernelci/
+  install -v -m 644 ${WORKDIR}/serial-getty-kernelci-override.conf ${D}/etc/systemd/system/serial-getty@.service.d/serial-getty-kernelci-override.conf
+  install -v -m 600 ${WORKDIR}/ssh-permit-empty-passwords.conf ${D}/etc/ssh/sshd_config.d/ssh-permit-empty-passwords.conf
 }
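Review bot: with `DEBIAN_DEPENDS += "customizations"` and the two drop-ins installed in `do_install`, this package now weakens both console and ssh authentication, yet `DESCRIPTION` still reads only "CIP Core KernelCI image customizations"; spell out the test-only purpose there, and consider declaring a conflict with `security-customizations` (Isar's `DEBIAN_CONFLICTS`, if the Isar version in use supports it) so the two packages cannot land in the same image. Separately, `SRC_URI = "file://postinst ..."` is a plain assignment replacing whatever the dropped `require recipes-core/customizations/common.inc` used to contribute, so double-check that nothing else from `common.inc` was relied upon. Minor: `-m 600` for the sshd drop-in versus `-m 644` for the systemd one is harmless (sshd reads its config as root) but inconsistent; pick one.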
-- 
2.42.0




* [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (7 preceding siblings ...)
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations Quirin Gylstorff
@ 2023-10-31  8:37 ` Quirin Gylstorff
  2024-04-04 11:08   ` MOESSBAUER, Felix
  2023-11-03  9:11 ` [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Venkata.Pyla
  2023-11-03  9:38 ` Jan Kiszka
  10 siblings, 1 reply; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31  8:37 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This ensures that all images are built reproducibly.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 conf/layer.conf          | 2 ++
 kas/opt/reproducible.yml | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 2c888b2..82b4084 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -24,3 +24,5 @@ LAYERDIR_cip-core = "${LAYERDIR}"
 LAYERDIR_cip-core[vardepvalue] = "isar-cip-core"
 
 IMAGE_CLASSES += "squashfs verity swupdate"
+
+SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
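Review bot: `:=` in `conf/layer.conf` makes this value unconditional and non-overridable: layer.conf is parsed after local.conf, so a downstream `SOURCE_DATE_EPOCH` set in local.conf or a kas file is silently replaced by the commit date of isar-cip-core, and the immediate expansion runs `git` on every parse and aborts parsing (`bb.process.run` raises on a non-zero exit) whenever the layer is not a git checkout, such as a release tarball. Use a weak default (`SOURCE_DATE_EPOCH ?= ...`) or keep the assignment in the opt file, and guard the git call so a non-git checkout fails with a clear message instead of a parse error.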
diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml
index 5d6a896..bc71f28 100644
--- a/kas/opt/reproducible.yml
+++ b/kas/opt/reproducible.yml
@@ -13,5 +13,4 @@ header:
 
 local_conf_header:
   reproducible-builds: |
-    SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
     WIC_DEPLOY_PARTITIONS = "1"
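Review bot: after this removal `kas/opt/reproducible.yml` only sets `WIC_DEPLOY_PARTITIONS = "1"`, so the opt file no longer controls the timestamp at all while every build, with or without the option, inherits the layer-derived value from `conf/layer.conf`; either document what the option still does or keep the `SOURCE_DATE_EPOCH` line here as the user-facing knob, so reproducible builds stay an explicit opt-in that downstream projects can point at their own commit date.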
-- 
2.42.0




* RE: [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (8 preceding siblings ...)
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf Quirin Gylstorff
@ 2023-11-03  9:11 ` Venkata.Pyla
  2023-11-03  9:38 ` Jan Kiszka
  10 siblings, 0 replies; 13+ messages in thread
From: Venkata.Pyla @ 2023-11-03  9:11 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, dinesh.kumar, kazuhiro3.hayashi



> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf
> Of Quirin Gylstorff via lists.cip-project.org
> Sent: Tuesday, October 31, 2023 2:08 PM
> To: jan.kiszka@siemens.com; cip-dev@lists.cip-project.org; pyla
> venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>;
> dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-
> tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4)
> <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
> 
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> cleanup the customizations scripts by:
>   - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
>   - Move systemd service overrides to files instead of setting it in
>     postinst
>   - fix formatting
>   - fix scripting error in security customizations
> 
> Changes v2:
>   - Remove explicit installation of libtss2-esys* as it is required by
>     tpm2-tools.
LGTM, I don't have any other comments, thanks.

>   - Add note about used style checker
> 
> Quirin Gylstorff (9):
>   scripts/deploy-kernelci: Format python code and remove unused import
>   customizations: Add variable to set the HOSTNAME
>   customizations: Move ssh configuration from postinst to sshd_config.d
>   security-customizations: Add dependency to customizations
>   security-customizations: Fix shell error
>   security-customizations: Extract sshd config from postinst to files
>   cip-core-image-security: Move packages to security-customization
>   customization-kernelci: Add dependency to customizations
>   kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
> 
>  conf/layer.conf                               |  2 ++
>  kas/opt/reproducible.yml                      |  1 -
>  kas/opt/security.yml                          |  2 ++
>  recipes-core/customizations/common.inc        |  6 +++-
>  recipes-core/customizations/customizations.bb | 10 ++++++
>  .../files/{postinst => postinst.tmpl}         |  8 ++---
>  .../customizations/files/ssh-permit-root.conf |  1 +
>  .../images/cip-core-image-security.bb         | 12 +------
>  .../kernelci-customizations/files/postinst    | 11 -------
>  .../files/serial-getty-kernelci-override.conf |  3 ++
>  .../files/ssh-permit-empty-passwords.conf     |  2 ++
>  .../kernelci-customizations.bb                | 18 ++++++++---
>  .../security-customizations/files/postinst    | 24 ++------------
>  .../files/ssh-pam-remote.conf                 |  4 +++
>  .../files/ssh-remote-session-term.conf        |  5 +++
>  .../security-customizations.bb                | 22 ++++++++++---
>  scripts/deploy-kernelci.py                    | 31 ++++++++++---------
>  17 files changed, 86 insertions(+), 76 deletions(-)
>  rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
>  create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
>  create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
>  create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
>  create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
>  create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
> 
> --
> 2.42.0





* Re: [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
  2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
                   ` (9 preceding siblings ...)
  2023-11-03  9:11 ` [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Venkata.Pyla
@ 2023-11-03  9:38 ` Jan Kiszka
  10 siblings, 0 replies; 13+ messages in thread
From: Jan Kiszka @ 2023-11-03  9:38 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi

On 31.10.23 09:37, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> cleanup the customizations scripts by:
>   - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
>   - Move systemd service overrides to files instead of setting it in
>     postinst
>   - fix formatting
>   - fix scripting error in security customizations
> 
> Changes v2:
>   - Remove explicit installation of libtss2-esys* as it is required by
>     tpm2-tools.
>   - Add note about used style checker
> 
> Quirin Gylstorff (9):
>   scripts/deploy-kernelci: Format python code and remove unused import
>   customizations: Add variable to set the HOSTNAME
>   customizations: Move ssh configuration from postinst to sshd_config.d
>   security-customizations: Add dependency to customizations
>   security-customizations: Fix shell error
>   security-customizations: Extract sshd config from postinst to files
>   cip-core-image-security: Move packages to security-customization
>   customization-kernelci: Add dependency to customizations
>   kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
> 
>  conf/layer.conf                               |  2 ++
>  kas/opt/reproducible.yml                      |  1 -
>  kas/opt/security.yml                          |  2 ++
>  recipes-core/customizations/common.inc        |  6 +++-
>  recipes-core/customizations/customizations.bb | 10 ++++++
>  .../files/{postinst => postinst.tmpl}         |  8 ++---
>  .../customizations/files/ssh-permit-root.conf |  1 +
>  .../images/cip-core-image-security.bb         | 12 +------
>  .../kernelci-customizations/files/postinst    | 11 -------
>  .../files/serial-getty-kernelci-override.conf |  3 ++
>  .../files/ssh-permit-empty-passwords.conf     |  2 ++
>  .../kernelci-customizations.bb                | 18 ++++++++---
>  .../security-customizations/files/postinst    | 24 ++------------
>  .../files/ssh-pam-remote.conf                 |  4 +++
>  .../files/ssh-remote-session-term.conf        |  5 +++
>  .../security-customizations.bb                | 22 ++++++++++---
>  scripts/deploy-kernelci.py                    | 31 ++++++++++---------
>  17 files changed, 86 insertions(+), 76 deletions(-)
>  rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
>  create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
>  create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
>  create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
>  create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
>  create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
> 

Thanks, applied.

Jan

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
  2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf Quirin Gylstorff
@ 2024-04-04 11:08   ` MOESSBAUER, Felix
  0 siblings, 0 replies; 13+ messages in thread
From: MOESSBAUER, Felix @ 2024-04-04 11:08 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan, dinesh.kumar,
	venkata.pyla, kazuhiro3.hayashi

On Tue, 2023-10-31 at 09:37 +0100, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This ensures that all images are build reproducible.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  conf/layer.conf          | 2 ++
>  kas/opt/reproducible.yml | 1 -
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/conf/layer.conf b/conf/layer.conf
> index 2c888b2..82b4084 100644
> --- a/conf/layer.conf
> +++ b/conf/layer.conf
> @@ -24,3 +24,5 @@ LAYERDIR_cip-core = "${LAYERDIR}"
>  LAYERDIR_cip-core[vardepvalue] = "isar-cip-core"
>  
>  IMAGE_CLASSES += "squashfs verity swupdate"
> +
> +SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core}

This change needs to be reverted, as it is too invasive.
The layer.conf is read after the local conf. By that, there is no way
for a downstream user to set it to a different value.

In fact, all downstream images now have a SDE based on the commit date
of CIP.

@Jan: please revert.

Felix

> log -1 --pretty=%ct | tr -d '\n'")[0]}"
> diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml
> index 5d6a896..bc71f28 100644
> --- a/kas/opt/reproducible.yml
> +++ b/kas/opt/reproducible.yml
> @@ -13,5 +13,4 @@ header:
>  
>  local_conf_header:
>    reproducible-builds: |
> -    SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-
> core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
>      WIC_DEPLOY_PARTITIONS = "1"

-- 
Siemens AG, Technology
Linux Expert Center



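Added example, not code from the series or from isar-cip-core: a POSIX shell function that derives SOURCE_DATE_EPOCH with the precedence the review above asks for. An explicitly configured value (what a downstream local.conf or kas file would provide) wins; otherwise the committer date of the layer's HEAD commit is used, with the same `git log -1 --pretty=%ct` the patch runs; otherwise the build is refused instead of silently producing a non-reproducible image. In BitBake terms the first rule corresponds to a weak assignment (`?=`) instead of `:=`; this script is for CI glue or wrapper scripts outside BitBake. `sde_resolve` and its argument names are this example's own.

```shell
#!/bin/sh
# Added example (not part of isar-cip-core): resolve SOURCE_DATE_EPOCH with
# explicit-value > layer commit date > hard failure precedence.
#
# Usage: sde_resolve <layer_dir> [explicit_value]
# The explicit value may also come from $SOURCE_DATE_EPOCH in the environment,
# which is what a downstream build would export.

sde_resolve() {
    layer_dir=$1
    explicit=${2:-${SOURCE_DATE_EPOCH:-}}

    # 1. An explicitly configured value takes precedence. Reject anything that
    #    is not a plain Unix timestamp so a typo cannot become a bogus epoch.
    if [ -n "$explicit" ]; then
        case $explicit in
            *[!0-9]*)
                echo "sde_resolve: SOURCE_DATE_EPOCH must be a Unix timestamp, got '$explicit'" >&2
                return 2 ;;
        esac
        printf '%s\n' "$explicit"
        return 0
    fi

    # 2. Otherwise derive it from the layer's last commit, as the patch does,
    #    but only when the directory exists and git is available. The '|| ts=""'
    #    keeps a failing git from aborting a caller that runs under 'set -e'.
    if [ -d "$layer_dir" ] && command -v git >/dev/null 2>&1; then
        ts=$(git -C "$layer_dir" log -1 --pretty=%ct 2>/dev/null) || ts=""
        if [ -n "$ts" ]; then
            printf '%s\n' "$ts"
            return 0
        fi
    fi

    # 3. No source of truth (release tarball, no git): fail loudly rather than
    #    letting the build proceed with an undefined timestamp.
    echo "sde_resolve: cannot determine SOURCE_DATE_EPOCH for '$layer_dir' (not a git checkout?)" >&2
    return 1
}
```

Calling `sde_resolve "$LAYERDIR_cip-core"` from a build wrapper and exporting the result reproduces the patch's behaviour for a git checkout, while a downstream project that exports its own SOURCE_DATE_EPOCH keeps its value, which is exactly the override the `:=` in layer.conf takes away.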

Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
2023-10-31  8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations Quirin Gylstorff
2023-10-31  8:37 ` [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf Quirin Gylstorff
2024-04-04 11:08   ` MOESSBAUER, Felix
2023-11-03  9:11 ` [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Venkata.Pyla
2023-11-03  9:38 ` Jan Kiszka
