From: Jan Kiszka <jan.kiszka@siemens.com>
To: Sai.Sathujoda@toshiba-tsip.com, cip-dev@lists.cip-project.org
Cc: dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: Re: [isar-cip-core] security.yml: Add additional features to security image
Date: Fri, 14 Jul 2023 08:10:12 +0200 [thread overview]
Message-ID: <fd3970a0-2375-6838-2d7d-182c6d392826@siemens.com> (raw)
In-Reply-To: <5b400f7b-4039-2fc8-5f84-2fe647ff8a3d@siemens.com>
On 13.07.23 19:32, Jan Kiszka wrote:
> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>
>> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
>> 1. Data encryption (CR4.1)
>> 2. Secure boot (EDR 3.14)
>> 3. SWupdate (NDR 3.10)
>>
>> The config.yaml will not have the extra enabled features as true. Hence they
>> should be passed in the image run command.
>>
>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>> ---
>> doc/README.security-testing.md | 2 +-
>> kas/opt/security.yml | 3 +++
>> 2 files changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md
>> index c9540be..97000da 100644
>> --- a/doc/README.security-testing.md
>> +++ b/doc/README.security-testing.md
>> @@ -33,7 +33,7 @@ Save & Build
>> ```
>> # Boot the Linux image
>> ```
>> -host$ ./start-qemu.sh x86
>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>> ```
>>
>> # Copy security tests in to the Linux image
>> diff --git a/kas/opt/security.yml b/kas/opt/security.yml
>> index 1f3745b..b21f330 100644
>> --- a/kas/opt/security.yml
>> +++ b/kas/opt/security.yml
>> @@ -10,6 +10,9 @@
>> #
>> header:
>> version: 12
>> + includes:
>> + - kas/opt/encrypt-partitions.yml
>> + - kas/opt/ebg-secure-boot-snakeoil.yml
>>
>> target: cip-core-image-security
>>
>
> Thanks, still applied for the release.
>
Artifact upload was broken by this. And the should still adjust Kconfig
to reflect the implicit selection of security.yml.
I'm dropping this for now, it's more complicated, likely too much for
this release.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
next prev parent reply other threads:[~2023-07-14 6:10 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-12 11:31 [isar-cip-core] security.yml: Add additional features to security image Sai.Sathujoda
2023-07-13 17:32 ` Jan Kiszka
2023-07-14 6:10 ` Jan Kiszka [this message]
2023-07-17 7:37 ` Sai.Sathujoda
2023-07-17 7:52 ` Jan Kiszka
2023-08-03 4:19 ` Sai.Sathujoda
2023-08-10 10:31 ` Jan Kiszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fd3970a0-2375-6838-2d7d-182c6d392826@siemens.com \
--to=jan.kiszka@siemens.com \
--cc=Sai.Sathujoda@toshiba-tsip.com \
--cc=cip-dev@lists.cip-project.org \
--cc=dinesh.kumar@toshiba-tsip.com \
--cc=kazuhiro3.hayashi@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.