cip-dev.lists.cip-project.org archive mirror
* [cip-dev] Needs of security patches on reference platforms
@ 2020-05-21  0:51 masashi.kudo
       [not found] ` <TY2PR01MB497220F7BDB51660FF9B221FA0B10@TY2PR01MB4972.jpnprd01.prod.outlook.com>
  0 siblings, 1 reply; 6+ messages in thread
From: masashi.kudo @ 2020-05-21  0:51 UTC (permalink / raw)
  To: cip-dev

Hi, board owners,
 
At the IRC meeting (May 14th), the following two security patches were discussed. 

 a. CVE related to KVM SVM on x86,
 b. XDP sockets enabled for Cyclone V

They were recently ported to upstream, and we would like to decide whether they should be backported to CIP or not.

Regarding a., SVM is for AMD CPUs only, so it might not actually be used.
If it is the case, we would like to ignore this patch.

Regarding b., XDP (express data path) is used for network-intensive workloads to bypass certain parts of the network stack.
So, it may be used by big tech / web stuff, not embedded.
If it is the case, we would like to ignore this patch as well.

Please let us know your comments.

Best regards,
--
M. Kudo


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4636): https://lists.cip-project.org/g/cip-dev/message/4636
Mute This Topic: https://lists.cip-project.org/mt/74364844/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


* Re: [cip-dev] FW: Needs of security patches on reference platforms
       [not found] ` <TY2PR01MB497220F7BDB51660FF9B221FA0B10@TY2PR01MB4972.jpnprd01.prod.outlook.com>
@ 2020-05-27  8:55   ` Jan Kiszka
  2020-05-27  9:15     ` masashi.kudo
  2020-06-03 15:21     ` Pavel Machek
  0 siblings, 2 replies; 6+ messages in thread
From: Jan Kiszka @ 2020-05-27  8:55 UTC (permalink / raw)
  To: masashi.kudo, cip-dev

Hi Kudo-san,

On 27.05.20 10:34, masashi.kudo@cybertrust.co.jp wrote:
> Hello, Jan-san,
> 
> I wonder whether you can respond to the following query.
> If you know an appropriate person to answer the below, I would appreciate it if you could point me to him/her.

Just CC me on the list. I'm not receiving all emails of the list directly.

> 
> Best regards,
> --
> M. Kudo
> 
> -----Original Message-----
> From: 工藤 雅司(CTJ OSS事業推進室) 
> Sent: Thursday, May 21, 2020 9:52 AM
> To: cip-dev@lists.cip-project.org
> Subject: Needs of security patches on reference platforms
> 
> Hi, board owners,
>  
> At the IRC meeting (May 14th), the following two security patches were discussed. 
> 
>  a. CVE related to KVM SVM on x86,
>  b. XDP sockets enabled for Cyclone V
> 
> They were recently ported to upstream, and we would like to decide whether they should be backported to CIP or not.

Why did stable not pick them up? Because they require active backporting
work to make them apply?

> 
> Regarding a., SVM is for AMD CPUs only, so it might not actually be used.
> If it is the case, we would like to ignore this patch.

In general, KVM on AMD was surely a niche over the past years. Since
Ryzen, this changed again, also for embedded.

That said, I'm not aware of active use on our side at this point, but I
may not have the full overview, and I can't speak for other members.

> 
> Regarding b., XDP (express data path) is used for network-intensive workloads to bypass certain parts of the network stack. So, it may be used by big tech / web stuff, not embedded.

XDP plays an essential role in deterministic networking, thus is
absolutely an embedded thing as well. But that usually goes along with
TSN, though it may not be limited to it.

For the Cyclone V, you likely need to ask the config contributor for the
concrete background.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


* Re: [cip-dev] FW: Needs of security patches on reference platforms
  2020-05-27  8:55   ` [cip-dev] FW: " Jan Kiszka
@ 2020-05-27  9:15     ` masashi.kudo
  2020-05-27  9:41       ` Chen-Yu Tsai
  2020-06-03 15:21     ` Pavel Machek
  1 sibling, 1 reply; 6+ messages in thread
From: masashi.kudo @ 2020-05-27  9:15 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, hiroshi.mine.vd

Hi, Jan-san,

Thanks very much for your comments and pointers.

> Why did stable not pick them up? Because they require active backporting work to make them apply?

Can anybody from the Kernel Team respond to this?

> >  a. CVE related to KVM SVM on x86,
(snip)
> That said, I'm not aware of active use on our side at this point, but I may not have the full overview, and I can't speak for other members.

Thanks for your comment.

CIP-Members,
Please speak up if you need this patch. Otherwise, we will *NOT* backport the patch.

> >  b. XDP sockets enabled for Cyclone V
(snip)
> XDP plays an essential role in deterministic networking, thus is absolutely an embedded thing as well. But that usually goes along with TSN, though it may not be limited to it.
> For the Cyclone V, you likely need to ask the config contributor for the concrete background.

Thanks for your comment and the pointer.

CIP-Members, (or maybe Mine-san?)
Please speak up if you use XDP on Cyclone V. Otherwise, we will *NOT* backport the patch.

Best regards,
--
M. Kudo


* Re: [cip-dev] FW: Needs of security patches on reference platforms
  2020-05-27  9:15     ` masashi.kudo
@ 2020-05-27  9:41       ` Chen-Yu Tsai
  0 siblings, 0 replies; 6+ messages in thread
From: Chen-Yu Tsai @ 2020-05-27  9:41 UTC (permalink / raw)
  To: cip-dev, Jan Kiszka; +Cc: hiroshi.mine.vd

Hi Jan,

On Wed, May 27, 2020 at 5:15 PM masashi.kudo@cybertrust.co.jp
<masashi.kudo@cybertrust.co.jp> wrote:
>
> Hi, Jan-san,
>
> Thanks very much for your comments and pointers.
>
> > Why did stable not pick them up? Because they require active backporting work to make them apply?
>
> Can anybody from Kernel Team respond to this?
>
> > >  a. CVE related to KVM SVM on x86,
> (snip)
> > That said, I'm not aware of active use on our side at this point, but I may not have the full overview, and I can't speak for other members.

This was not CC-ed to stable, and neither did Sasha's bot pick it up.

Ben has requested its inclusion in 4.19 and 5.4, and it is in this
week's stable review bunch from Greg.

> Thanks for your comment.
>
> CIP-Members,
> Please speak up if you need this patch. Otherwise, we will *NOT* backport the patch.
>
> > >  b. XDP sockets enabled for Cyclone V
> (snip)
> > XDP plays an essential role in deterministic networking, thus is absolutely an embedded thing as well. But that usually goes along with TSN, though it may not be limited to it.
> > For the Cyclone V, you likely need to ask the config contributor for the concrete background.
>
> Thanks for your comment and a pointer.

The fix for this is already in stable kernels. This feature is relatively new
and so I was wondering what the use-cases were in CIP, given that the feature
was touted mainly by web technology companies, such as Facebook and Cloudflare.
(Or maybe that's due to my sysadmin background.)


Regards
ChenYu


* Re: [cip-dev] FW: Needs of security patches on reference platforms
  2020-05-27  8:55   ` [cip-dev] FW: " Jan Kiszka
  2020-05-27  9:15     ` masashi.kudo
@ 2020-06-03 15:21     ` Pavel Machek
  2020-06-03 15:29       ` Jan Kiszka
  1 sibling, 1 reply; 6+ messages in thread
From: Pavel Machek @ 2020-06-03 15:21 UTC (permalink / raw)
  To: cip-dev; +Cc: masashi.kudo

Hi!

> > At the IRC meeting (May 14th), the following two security patches were discussed. 
> > 
> >  a. CVE related to KVM SVM on x86,
> >  b. XDP sockets enabled for Cyclone V
> > 
> > They were recently ported to upstream, and we would like to decide whether they should be backported to CIP or not.
> 
> Why did stable not pick them up? Because they require active backporting
> work to make them apply?

Yes, IIRC.

> > Regarding a., SVM is for AMD CPUs only, so it might not actually be used.
> > If it is the case, we would like to ignore this patch.
> 
> In general, KVM on AMD was surely a niche over the past years. Since
> Ryzen, this changed again, also for embedded.
> 
> That said, I'm not aware of active use on our side at this point, but I
> may not have the full overview, and I can't speak for other members.
> 
> > 
> > Regarding b., XDP (express data path) is used for network-intensive workloads to bypass certain parts of the network stack. So, it may be used by big tech / web stuff, not embedded.
> 
> XDP plays an essential role in deterministic networking, thus is
> absolutely an embedded thing as well. But that usually goes along with
> TSN, though it may not be limited to it.

Ok, good to know.

So... there are a few reasons why it is important to know what is in use
or not:

1) If we see a patch in stable, how much effort should be spent
reviewing it?

2) If we see a bad bug (probably CVE) that needs a backport, should we
backport this one? (or wait for someone else to do the work?)

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


* Re: [cip-dev] FW: Needs of security patches on reference platforms
  2020-06-03 15:21     ` Pavel Machek
@ 2020-06-03 15:29       ` Jan Kiszka
  0 siblings, 0 replies; 6+ messages in thread
From: Jan Kiszka @ 2020-06-03 15:29 UTC (permalink / raw)
  To: cip-dev, Pavel Machek; +Cc: masashi.kudo

On 03.06.20 17:21, Pavel Machek wrote:
> Hi!
> 
>>> At the IRC meeting (May 14th), the following two security patches were discussed. 
>>>
>>>  a. CVE related to KVM SVM on x86,
>>>  b. XDP sockets enabled for Cyclone V
>>>
>>> They were recently ported to upstream, and we would like to decide whether they should be backported to CIP or not.
>>
>> Why did stable not pick them up? Because they require active backporting
>> work to make them apply?
> 
> Yes, IIRC.
> 
>>> Regarding a., SVM is for AMD CPUs only, so it might not actually be used.
>>> If it is the case, we would like to ignore this patch.
>>
>> In general, KVM on AMD was surely a niche over the past years. Since
>> Ryzen, this changed again, also for embedded.
>>
>> That said, I'm not aware of active use on our side at this point, but I
>> may not have the full overview, and I can't speak for other members.
>>
>>>
>>> Regarding b., XDP (express data path) is used for network-intensive workloads to bypass certain parts of the network stack. So, it may be used by big tech / web stuff, not embedded.
>>
>> XDP plays an essential role in deterministic networking, thus is
>> absolutely an embedded thing as well. But that usually goes along with
>> TSN, though it may not be limited to it.
> 
> Ok, good to know.
> 
> So... there are a few reasons why it is important to know what is in use
> or not:
> 
> 1) If we see a patch in stable, how much effort should be spent
> reviewing it?
> 
> 2) If we see a bad bug (probably CVE) that needs a backport, should we
> backport this one? (or wait for someone else to do the work?)
> 

For the TSN case I would say it is rather unlikely that this is already
in use with any of our current CIP kernels. But I may miss earlier use
cases besides TSN. For now, I would not invest specifically until we
have a clearer indication of its relevance in our current kernels.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
