Message ID | 20230712113153.1194397-1-Sai.Sathujoda@toshiba-tsip.com (mailing list archive) |
---|---|
State | Changes Requested |
Series | [isar-cip-core] security.yml: Add additional features to security image |
On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai <Sai.Sathujoda@toshiba-tsip.com> > > From IEC certification perspective, a security image is needed which has the below features along with security customizations. > 1. Data encryption (CR4.1) > 2. Secure boot (EDR 3.14) > 3. SWupdate (NDR 3.10) > > The config.yaml will not have the extra enabled features as true. Hence they > should be passed in the image run command. > > Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com> > --- > doc/README.security-testing.md | 2 +- > kas/opt/security.yml | 3 +++ > 2 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md > index c9540be..97000da 100644 > --- a/doc/README.security-testing.md > +++ b/doc/README.security-testing.md > @@ -33,7 +33,7 @@ Save & Build > ``` > # Boot the Linux image > ``` > -host$ ./start-qemu.sh x86 > +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86 > ``` > > # Copy security tests in to the Linux image > diff --git a/kas/opt/security.yml b/kas/opt/security.yml > index 1f3745b..b21f330 100644 > --- a/kas/opt/security.yml > +++ b/kas/opt/security.yml > @@ -10,6 +10,9 @@ > # > header: > version: 12 > + includes: > + - kas/opt/encrypt-partitions.yml > + - kas/opt/ebg-secure-boot-snakeoil.yml > > target: cip-core-image-security >

Thanks, still applied for the release.

Jan
On 13.07.23 19:32, Jan Kiszka wrote:
> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote: >> From: Sai <Sai.Sathujoda@toshiba-tsip.com> >> >> From IEC certification perspective, a security image is needed which has the below features along with security customizations. >> 1. Data encryption (CR4.1) >> 2. Secure boot (EDR 3.14) >> 3. SWupdate (NDR 3.10) >> >> The config.yaml will not have the extra enabled features as true. Hence they >> should be passed in the image run command. >> >> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com> >> --- >> doc/README.security-testing.md | 2 +- >> kas/opt/security.yml | 3 +++ >> 2 files changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md >> index c9540be..97000da 100644 >> --- a/doc/README.security-testing.md >> +++ b/doc/README.security-testing.md >> @@ -33,7 +33,7 @@ Save & Build >> ``` >> # Boot the Linux image >> ``` >> -host$ ./start-qemu.sh x86 >> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86 >> ``` >> >> # Copy security tests in to the Linux image >> diff --git a/kas/opt/security.yml b/kas/opt/security.yml >> index 1f3745b..b21f330 100644 >> --- a/kas/opt/security.yml >> +++ b/kas/opt/security.yml >> @@ -10,6 +10,9 @@ >> # >> header: >> version: 12 >> + includes: >> + - kas/opt/encrypt-partitions.yml >> + - kas/opt/ebg-secure-boot-snakeoil.yml >> >> target: cip-core-image-security >>
>
> Thanks, still applied for the release.
>

Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.

I'm dropping this for now, it's more complicated, likely too much for this release.

Jan
Hi Jan,

So you mean to say that, Kconfig file needs to be modified so that the extra features are selected when Security extensions is selected?

Regards,
Sai Ashrith (T S I P)

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: Friday, July 14, 2023 11:40 AM
To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] security.yml: Add additional features to security image

On 13.07.23 19:32, Jan Kiszka wrote:
> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote: >> From: Sai <Sai.Sathujoda@toshiba-tsip.com> >> >> From IEC certification perspective, a security image is needed which has the below features along with security customizations. >> 1. Data encryption (CR4.1) >> 2. Secure boot (EDR 3.14) >> 3. SWupdate (NDR 3.10) >> >> The config.yaml will not have the extra enabled features as true. >> Hence they should be passed in the image run command. >> >> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com> >> --- >> doc/README.security-testing.md | 2 +- >> kas/opt/security.yml | 3 +++ >> 2 files changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/doc/README.security-testing.md >> b/doc/README.security-testing.md index c9540be..97000da 100644 >> --- a/doc/README.security-testing.md >> +++ b/doc/README.security-testing.md >> @@ -33,7 +33,7 @@ Save & Build >> ``` >> # Boot the Linux image >> ``` >> -host$ ./start-qemu.sh x86 >> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86 >> ``` >> >> # Copy security tests in to the Linux image diff --git >> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 >> 100644 >> --- a/kas/opt/security.yml >> +++ b/kas/opt/security.yml 
>> @@ -10,6 +10,9 @@ >> # >> header: >> version: 12 >> + includes: >> + - kas/opt/encrypt-partitions.yml >> + - kas/opt/ebg-secure-boot-snakeoil.yml >> >> target: cip-core-image-security >>
>
> Thanks, still applied for the release.
>

Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.

I'm dropping this for now, it's more complicated, likely too much for this release.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux
On 17.07.23 09:37, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
>
> So you mean to say that, Kconfig file needs to be modified so that the extra features are selected when Security extensions is selected?
>

For example. Or make them invisible.

Jan

> Regards,
> Sai Ashrith (T S I P)
>
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com>
> Sent: Friday, July 14, 2023 11:40 AM
> To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] security.yml: Add additional features to security image
>
> On 13.07.23 19:32, Jan Kiszka wrote:
>> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote: >>> From: Sai <Sai.Sathujoda@toshiba-tsip.com> >>> >>> From IEC certification perspective, a security image is needed which has the below features along with security customizations. >>> 1. Data encryption (CR4.1) >>> 2. Secure boot (EDR 3.14) >>> 3. SWupdate (NDR 3.10) >>> >>> The config.yaml will not have the extra enabled features as true. >>> Hence they should be passed in the image run command. >>> >>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com> >>> --- >>> doc/README.security-testing.md | 2 +- >>> kas/opt/security.yml | 3 +++ >>> 2 files changed, 4 insertions(+), 1 deletion(-) >>> >>> diff --git a/doc/README.security-testing.md >>> b/doc/README.security-testing.md index c9540be..97000da 100644 >>> --- a/doc/README.security-testing.md >>> +++ b/doc/README.security-testing.md >>> @@ -33,7 +33,7 @@ Save & Build >>> ``` >>> # Boot the Linux image >>> ``` >>> -host$ ./start-qemu.sh x86 >>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86 >>> ``` >>> >>> # Copy security tests in to the Linux image diff --git >>> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 >>> 100644 >>> --- a/kas/opt/security.yml 
>>> +++ b/kas/opt/security.yml >>> @@ -10,6 +10,9 @@ >>> # >>> header: >>> version: 12 >>> + includes: >>> + - kas/opt/encrypt-partitions.yml >>> + - kas/opt/ebg-secure-boot-snakeoil.yml >>> >>> target: cip-core-image-security >>>
>>
>> Thanks, still applied for the release.
>>
>
> Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.
>
> I'm dropping this for now, it's more complicated, likely too much for this release.
>
> Jan
>
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
Hi Jan,

Since the artifact upload is failing in CI with initrd image name mismatch if we include the additional feature related .yml files in security.yml, can we consider switching back to this patch https://lists.cip-project.org/g/cip-dev/message/12304 or do you expect any other changes?

Thanks and regards,
Sai Ashrith

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: Friday, July 14, 2023 11:40 AM
To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] security.yml: Add additional features to security image

On 13.07.23 19:32, Jan Kiszka wrote:
> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote: >> From: Sai <Sai.Sathujoda@toshiba-tsip.com> >> >> From IEC certification perspective, a security image is needed which has the below features along with security customizations. >> 1. Data encryption (CR4.1) >> 2. Secure boot (EDR 3.14) >> 3. SWupdate (NDR 3.10) >> >> The config.yaml will not have the extra enabled features as true. >> Hence they should be passed in the image run command. >> >> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com> >> --- >> doc/README.security-testing.md | 2 +- >> kas/opt/security.yml | 3 +++ >> 2 files changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/doc/README.security-testing.md >> b/doc/README.security-testing.md index c9540be..97000da 100644 >> --- a/doc/README.security-testing.md >> +++ b/doc/README.security-testing.md >> @@ -33,7 +33,7 @@ Save & Build >> ``` >> # Boot the Linux image >> ``` >> -host$ ./start-qemu.sh x86 >> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86 >> ``` >> >> # Copy security tests in to the Linux image diff --git >> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 >> 100644 >> --- a/kas/opt/security.yml 
>> +++ b/kas/opt/security.yml >> @@ -10,6 +10,9 @@ >> # >> header: >> version: 12 >> + includes: >> + - kas/opt/encrypt-partitions.yml >> + - kas/opt/ebg-secure-boot-snakeoil.yml >> >> target: cip-core-image-security >>
>
> Thanks, still applied for the release.
>

Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.

I'm dropping this for now, it's more complicated, likely too much for this release.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux
On 03.08.23 06:19, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
>
> Since the artifact upload is failing in CI with initrd image name mismatch if we include the additional feature related .yml files in security.yml, can we consider switching back to this patch https://lists.cip-project.org/g/cip-dev/message/12304 or do you expect any other changes?
>

Just fix things and *also* adjust Kconfig as written below.

Jan

> Thanks and regards,
> Sai Ashrith
>
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com>
> Sent: Friday, July 14, 2023 11:40 AM
> To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] security.yml: Add additional features to security image
>
> On 13.07.23 19:32, Jan Kiszka wrote:
>> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote: >>> From: Sai <Sai.Sathujoda@toshiba-tsip.com> >>> >>> From IEC certification perspective, a security image is needed which has the below features along with security customizations. >>> 1. Data encryption (CR4.1) >>> 2. Secure boot (EDR 3.14) >>> 3. SWupdate (NDR 3.10) >>> >>> The config.yaml will not have the extra enabled features as true. >>> Hence they should be passed in the image run command. >>> >>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com> >>> --- >>> doc/README.security-testing.md | 2 +- >>> kas/opt/security.yml | 3 +++ >>> 2 files changed, 4 insertions(+), 1 deletion(-) >>> >>> diff --git a/doc/README.security-testing.md >>> b/doc/README.security-testing.md index c9540be..97000da 100644 >>> --- a/doc/README.security-testing.md >>> +++ b/doc/README.security-testing.md 
>>> @@ -33,7 +33,7 @@ Save & Build >>> ``` >>> # Boot the Linux image >>> ``` >>> -host$ ./start-qemu.sh x86 >>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86 >>> ``` >>> >>> # Copy security tests in to the Linux image diff --git >>> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 >>> 100644 >>> --- a/kas/opt/security.yml >>> +++ b/kas/opt/security.yml >>> @@ -10,6 +10,9 @@ >>> # >>> header: >>> version: 12 >>> + includes: >>> + - kas/opt/encrypt-partitions.yml >>> + - kas/opt/ebg-secure-boot-snakeoil.yml >>> >>> target: cip-core-image-security >>>
>>
>> Thanks, still applied for the release.
>>
>
> Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.
>
> I'm dropping this for now, it's more complicated, likely too much for this release.
>
> Jan
>
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md index c9540be..97000da 100644 --- a/doc/README.security-testing.md +++ b/doc/README.security-testing.md @@ -33,7 +33,7 @@ Save & Build ``` # Boot the Linux image ``` -host$ ./start-qemu.sh x86 +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86 ``` # Copy security tests in to the Linux image diff --git a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml @@ -10,6 +10,9 @@ # header: version: 12 + includes: + - kas/opt/encrypt-partitions.yml + - kas/opt/ebg-secure-boot-snakeoil.yml target: cip-core-image-security
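
Review bot: In the doc/README.security-testing.md hunk, the new run line sets `SECURE_BOOT="true" TPM2_ENCRYPTION="true"` without any sentence in the README saying why; the reason (config.yaml will not carry these features as enabled, so they have to be passed on the run command) exists only in the commit message. Add one line above the command stating that the security image is now built with secure boot and partition encryption and must be started with both variables. The commit message also lists SWupdate (NDR 3.10), so say whether the run command needs anything for it.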
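
Review bot: The kas/opt/security.yml hunk makes `kas/opt/ebg-secure-boot-snakeoil.yml` an unconditional include, so every security image build, including the one used as IEC evidence for Secure boot (EDR 3.14), is tied to what the file name marks as snakeoil keys; state that next to the include or in the README so the result is not taken for an image signed with production keys. Two smaller gaps: the commit message lists SWupdate (NDR 3.10) but neither added include names it, so say where it comes from, and the diffstat shows only two files changed, so Kconfig is not updated to reflect that security.yml now selects these options implicitly, as raised in the thread.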