docs.lists.yoctoproject.org archive mirror
* Re: Document Yocto config items (was: Configure command shell idle timeout default?)
       [not found]         ` <0acd3699-0c59-79ec-a690-957e6db94ee6@linux.ibm.com>
@ 2021-08-05 16:14           ` Michael Opdenacker
       [not found]           ` <1698752D53722E14.11152@lists.yoctoproject.org>
  1 sibling, 0 replies; 3+ messages in thread
From: Michael Opdenacker @ 2021-08-05 16:14 UTC (permalink / raw)
  To: Joseph Reynolds, yocto-security, Richard Purdie; +Cc: YP docs mailing list

Hi Joseph,

On 8/4/21 10:35 PM, Joseph Reynolds wrote:
> On 8/4/21 11:00 AM, Richard Purdie wrote:
>
> ...snip...
>>> I've tried to push
>>> https://github.com/openbmc/openbmc/wiki/Configuration-guide into
>>> https://github.com/openbmc/docs, but there was not enough interest. And
>>> yet questions come up regularly in the project's email list which
>>> can be
>>> answered by providing a link to the configuration guide.  So I know a
>>> configuration guide is useful.
>> Yocto Project has extensive docs:
>>
>> http://docs.yoctoproject.org/
>
>
> Please note the security configuration guides are generally applicable
> to everyone, but are focused on the needs of higher-security
> applications such as those involving human safety, or processing
> personal or financial information.
>
> I suggest two new sections: one for the system integrator who builds
> the image, and one for the system admin (or initial user) who uses the
> system which contains the image.
>
>
> 1. Bitbake configuration.
>
> WHERE TO PUT THE INFO: New section under
> Yocto Project Development Tasks Manual > 3. Common Tasks > 3.2.
> Customizing Images or 3.18 Making Images More Secure
> called: "Security Configuration Items"
>
> DRAFT TEXT: Yocto comes pre-configured with security in mind.  For
> higher security applications, you should review the following security
> configuration items, adapt them to meet your needs, and test if they
> are effective.
>
> TODO: insert items here...adapt from downstream project
> https://github.com/openbmc/openbmc/wiki/Configuration-guide#build-configuration
>
>
>
> 2. Admin user configuration.
>
> WHERE TO PUT THE INFO: Does Yocto have a configuration guide for the
> initial user or system admin?  These are often not needed in consumer
> electronics, but are expected in high-end computers.  I understand
> this topic is very broad and varies by use case, and I only propose
> one specific use case: A list of security items the admin can configure.
>
> I believe this task is for the development team, so it could be added
> to the
> Yocto Project Development Tasks Manual > 3. Common Tasks >
>
> This is akin to the following in that it is something you do with the
> installed image:
> - Yocto Project Profiling and Tracing Manual
> - Common Tasks > 3.29 Performing Automated Runtime Testing
>
> New section called "Security Configuration Guide".
>
> DRAFT TEXT: Consider producing a configuration guide for your users
> who need to operate the system in a secure manner.  This guide should
> describe all the controls they can operate which affect the security
> of the system.  Common items from the default Yocto configuration are
> given below.  You should customize these according to how you
> customized your image (see Common Tasks > Customizing Images), make
> the advice relevant to your users, and ensure your users have access
> to your guide.
>
> TODO: insert items here...adapt from downstream project
> https://github.com/openbmc/openbmc/wiki/Configuration-guide#admin-configuration
>
>> from
>>
>> http://git.yoctoproject.org/cgit.cgi/yocto-docs
>>
>> and I'd love to see a security section added to these where we could
>> start to collect
>> best practises. Would you be interested in sending something for our
>> docs on that
>> subject?
>
> Yes, I can work with the Yocto writers to get this started.  (Hi
> Michael!)
>
> I've proposed two new sections above.  If it seems okay-ish, I can
> start the list of items.  But please note my previous focus was on the
> items which the OpenBMC project adds to Yocto, and I don't have a lot
> of items here.  I plan to contribute items I know about, but need help
> here.
>
> Thank you!
>
> - Joseph
>
>>
>> Yocto Project does have people helping collate and edit the
>> information if someone
>> is able to write out the "bare bones" information for them (cc'd
>> Michael).
>>
>> Cheers,
>>
>> Richard


Many thanks for your suggestions!
I'm copying our docs mailing list so that this topic gets tracked
properly and other people can contribute.

I should be able to get back to you next week.

Thanks again,
Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* Re: [docs] Document Yocto config items (was: Configure command shell idle timeout default?)
       [not found]           ` <1698752D53722E14.11152@lists.yoctoproject.org>
@ 2021-08-13 10:30             ` Michael Opdenacker
  2021-08-13 20:57               ` Joseph Reynolds
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Opdenacker @ 2021-08-13 10:30 UTC (permalink / raw)
  To: Joseph Reynolds, yocto-security, Richard Purdie; +Cc: YP docs mailing list

Hi Joseph,

On 8/5/21 6:14 PM, Michael Opdenacker wrote:
>
>
> Many thanks for your suggestions!
> I'm copying our docs mailing list so that this topic gets tracked
> properly and other people can contribute.
>
> I should be able to get back to you next week.


Unfortunately, the week was busier than expected and I won't be able to
work on this before September.
I filed a new bug so that we track this task properly:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509

Don't hesitate to subscribe to the bug.
I'll post updates through this thread anyway.

Cheers,
Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* Re: [docs] Document Yocto config items (was: Configure command shell idle timeout default?)
  2021-08-13 10:30             ` [docs] " Michael Opdenacker
@ 2021-08-13 20:57               ` Joseph Reynolds
  0 siblings, 0 replies; 3+ messages in thread
From: Joseph Reynolds @ 2021-08-13 20:57 UTC (permalink / raw)
  To: Michael Opdenacker, yocto-security, Richard Purdie; +Cc: YP docs mailing list

On 8/13/21 5:30 AM, Michael Opdenacker wrote:
> Hi Joseph,
>
> On 8/5/21 6:14 PM, Michael Opdenacker wrote:
>>
>> Many thanks for your suggestions!
>> I'm copying our docs mailing list so that this topic gets tracked
>> properly and other people can contribute.
>>
>> I should be able to get back to you next week.
>
> Unfortunately, the week was busier than expected and I won't be able to
> work on this before September.
> I filed a new bug so that we track this task properly:
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509

Thank you.  Getting this started sometime this year would be fantastic!  
Please ping me directly.

I've added a link from the OpenBMC project configuration guide to your 
Yocto work item, so we can track progress.

Joseph

>
> Don't hesitate to subscribe to the bug.
> I'll post updates through this thread anyway.
>
> Cheers,
> Michael.
>

