| Message ID | 20240704091803.3250609-1-Shivanand.Kunijadar@toshiba-tsip.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [isar-cip-core] Kconfig: Refactor Kconfig options | expand |
On 04.07.24 11:18, Shivanand wrote: > The security target should include both SWUpdate and Secure boot options > by default, so add the missing secure boot dependency in the security > option. Also enable kas-container menu in such way that user can select > individual features without security option. This is too unspecific. > > Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com> > --- > Kconfig | 23 ++++++++++++++--------- > 1 file changed, 14 insertions(+), 9 deletions(-) > > diff --git a/Kconfig b/Kconfig > index 96f590a..f73c8f2 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -163,11 +163,25 @@ if !KERNEL_4_4 && !KERNEL_4_19 > config IMAGE_SECURITY > bool "Security extensions" > select IMAGE_SWUPDATE > + select IMAGE_SECURE_BOOT Why is this change along not enough? > select IMAGE_DATA_ENCRYPTION > depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > help > This enables security, encryption, secureboot and swupdate for IEC 62443-4-2. > > +config KAS_INCLUDE_SWUPDATE > + string > + default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE > + > +config KAS_INCLUDE_SECURE_BOOT > + string0 > + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT > + > +config IMAGE_SECURE_BOOT > + bool "Secure boot support" > + select IMAGE_SWUPDATE > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > + Inconsistent indention. > config KAS_INCLUDE_SECURITY > string > default "kas/opt/security.yml" if IMAGE_SECURITY > @@ -189,15 +203,6 @@ config IMAGE_DELTA_SWUPDATE > > endchoice > > -config IMAGE_SECURE_BOOT > - bool "Secure boot support" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > - > -config KAS_INCLUDE_SWUPDATE_SECBOOT > - string > - default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT > - default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT > - These structures and dependencies exist for reasons. My feeling is that you are breaking things, but maybe you just need to explain better what you want to achieve (besides enforcing secure boot for the security image). > config KAS_INCLUDE_DELTA_UPDATE > string > default "kas/opt/delta-update.yml" if IMAGE_DELTA_SWUPDATE Jan
Hi Jan, Let me explain the reason behind this patch. My understanding is that the security image should include SWUpdate and Secure boot features by default. Re. https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commit/b95e256a5b05f87aab48b7bf3e7e4d8d45566ad3 I found there are some minor issues as below, 1. In the current menu when security extensions is selected, SWUpdate is enabled by default and secure boot is disabled. If I build with security extensions option, the build system is creating the image with secure boot enabled along with SWUpdate. The reason is security.yml internally includes "kas/opt/ebg-secure-boot-snakeoil.yml" kas option file. It is creating the wrong impression that the secure boot is disabled in the menu but in the final image it is enabled. So that is the reason, the secure boot is also enabled by default for security image now. > IMAGE_SECURITY > bool "Security extensions" > select IMAGE_SWUPDATE > + select IMAGE_SECURE_BOOT 2. In the current menu, there is no provision to select secure boot option without security extensions. It will show only when security extensions is selected. The patch changes will help to fix these issues. On top of my changes I confirmed things like, - SWUpdate and Secure boot options are visible along with security extensions option in the menu. - User can select SWUpdate alone and SWUpdate + secure boot features - SWUpdate and Secure boot features are enabled by default for security image > -config KAS_INCLUDE_SWUPDATE_SECBOOT > - string > - default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT > - default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT While testing locally it was adding same .yml file multiple times to the final .config file which is not necessary, so I removed this structure to fix it. Kindly check and let me know your view on this. Thanks & Regards Shivanand K -----Original Message----- From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka via lists.cip-project.org Sent: Thursday, July 4, 2024 3:38 PM To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp> Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options On 04.07.24 11:18, Shivanand wrote: > The security target should include both SWUpdate and Secure boot > options by default, so add the missing secure boot dependency in the > security option. Also enable kas-container menu in such way that user > can select individual features without security option. This is too unspecific. > > Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com> > --- > Kconfig | 23 ++++++++++++++--------- > 1 file changed, 14 insertions(+), 9 deletions(-) > > diff --git a/Kconfig b/Kconfig > index 96f590a..f73c8f2 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -163,11 +163,25 @@ if !KERNEL_4_4 && !KERNEL_4_19 config > IMAGE_SECURITY > bool "Security extensions" > select IMAGE_SWUPDATE > + select IMAGE_SECURE_BOOT Why is this change along not enough? > select IMAGE_DATA_ENCRYPTION > depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > help > This enables security, encryption, secureboot and swupdate for IEC 62443-4-2. > > +config KAS_INCLUDE_SWUPDATE > + string > + default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE > + > +config KAS_INCLUDE_SECURE_BOOT > + string0 > + default "kas/opt/ebg-secure-boot-snakeoil.yml" if > +IMAGE_SECURE_BOOT > + > +config IMAGE_SECURE_BOOT > + bool "Secure boot support" > + select IMAGE_SWUPDATE > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || > +TARGET_QEMU_ARM || TARGET_X86_UEFI > + Inconsistent indention. > config KAS_INCLUDE_SECURITY > string > default "kas/opt/security.yml" if IMAGE_SECURITY @@ -189,15 +203,6 > @@ config IMAGE_DELTA_SWUPDATE > > endchoice > > -config IMAGE_SECURE_BOOT > - bool "Secure boot support" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > - > -config KAS_INCLUDE_SWUPDATE_SECBOOT > - string > - default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT > - default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT > - These structures and dependencies exist for reasons. My feeling is that you are breaking things, but maybe you just need to explain better what you want to achieve (besides enforcing secure boot for the security image). > config KAS_INCLUDE_DELTA_UPDATE > string > default "kas/opt/delta-update.yml" if IMAGE_DELTA_SWUPDATE Jan -- Siemens AG, Technology Linux Expert Center
On 04.07.24 13:37, Shivanand.Kunijadar@toshiba-tsip.com wrote: > Hi Jan, > > Let me explain the reason behind this patch. > > My understanding is that the security image should include SWUpdate and Secure boot features by default. > Re. https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commit/b95e256a5b05f87aab48b7bf3e7e4d8d45566ad3 > > I found there are some minor issues as below, > > 1. In the current menu when security extensions is selected, SWUpdate is enabled by default and secure boot is disabled. > If I build with security extensions option, the build system is creating the image with secure boot enabled along with SWUpdate. The reason is security.yml internally includes "kas/opt/ebg-secure-boot-snakeoil.yml" kas option file. It is creating the wrong impression that the secure boot is disabled in the menu but in the final image it is enabled. > So that is the reason, the secure boot is also enabled by default for security image now. I still don't get what we need more than the select below to enforce secure boot for the security image. When adding that change, it is clearly visible what the security extensions imply. >> IMAGE_SECURITY >> bool "Security extensions" >> select IMAGE_SWUPDATE >> + select IMAGE_SECURE_BOOT > > 2. In the current menu, there is no provision to select secure boot option without security extensions. It will show only when security extensions is selected. This is not correct, check again. > > The patch changes will help to fix these issues. > > On top of my changes I confirmed things like, > - SWUpdate and Secure boot options are visible along with security extensions option in the menu. > - User can select SWUpdate alone and SWUpdate + secure boot features > - SWUpdate and Secure boot features are enabled by default for security image > >> -config KAS_INCLUDE_SWUPDATE_SECBOOT >> - string >> - default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT >> - default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT > > While testing locally it was adding same .yml file multiple times to the final .config file which is not necessary, so I removed this structure to fix it. > I can't follow. Please share the .config.yaml that was wrongly created for you using current 'next'. It will both document which options you selected and show the duplicate includes (if any). Jan
Hi Jan, Let me explain it through the pictures. These pictures taken on the next branch (commit: 507a6a70a7244a646165c1051668b855aeee9b5f) In pic-1.png, I don't see Secure boot option under Image features until I click on Security extensions. In pic-2.png, Security extensions is checked so SWUpdate is enabled by default but not Secure boot. A user may think here only SWUpdate is enabled in security image. I understand that internally it is including "ebg-secure-boot-snakeoil.yml" to enable secure boot for security image. There is no issue in build part(I mean proper .yml's are getting included for security image). I hope this will clear the doubts. > -config KAS_INCLUDE_SWUPDATE_SECBOOT > - string > - default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT > - default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT When I made some changes locally to fix the above issues and later while testing I found this code snippet was adding duplicate .yml files. On top of my changes, I confirmed these yml files are getting included in the final .config.yml [*] SWUpdate: - kas/opt/ebg-swu.yml [*] Secure boot: - kas/opt/ebg-swu.yml, kas/opt/ebg-secure-boot-snakeoil.yml [*] Security image: kas/opt/ebg-swu.yml, kas/opt/ebg-secure-boot-snakeoil.yml, kas/opt/security.yml, kas/opt/encrypt-data.yml Thanks & Regards Shivanand K -----Original Message----- From: Jan Kiszka <jan.kiszka@siemens.com> Sent: Friday, July 5, 2024 3:14 AM To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp> Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options On 04.07.24 13:37, Shivanand.Kunijadar@toshiba-tsip.com wrote: > Hi Jan, > > Let me explain the reason behind this patch. > > My understanding is that the security image should include SWUpdate and Secure boot features by default. > Re. > https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commit/b95e256 > a5b05f87aab48b7bf3e7e4d8d45566ad3 > > I found there are some minor issues as below, > > 1. In the current menu when security extensions is selected, SWUpdate is enabled by default and secure boot is disabled. > If I build with security extensions option, the build system is creating the image with secure boot enabled along with SWUpdate. The reason is security.yml internally includes "kas/opt/ebg-secure-boot-snakeoil.yml" kas option file. It is creating the wrong impression that the secure boot is disabled in the menu but in the final image it is enabled. > So that is the reason, the secure boot is also enabled by default for security image now. I still don't get what we need more than the select below to enforce secure boot for the security image. When adding that change, it is clearly visible what the security extensions imply. >> IMAGE_SECURITY >> bool "Security extensions" >> select IMAGE_SWUPDATE >> + select IMAGE_SECURE_BOOT > > 2. In the current menu, there is no provision to select secure boot option without security extensions. It will show only when security extensions is selected. This is not correct, check again. > > The patch changes will help to fix these issues. > > On top of my changes I confirmed things like, > - SWUpdate and Secure boot options are visible along with security extensions option in the menu. > - User can select SWUpdate alone and SWUpdate + secure boot features > - SWUpdate and Secure boot features are enabled by default for security image > >> -config KAS_INCLUDE_SWUPDATE_SECBOOT >> - string >> - default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT >> - default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT > > While testing locally it was adding same .yml file multiple times to the final .config file which is not necessary, so I removed this structure to fix it. > I can't follow. Please share the .config.yaml that was wrongly created for you using current 'next'. It will both document which options you selected and show the duplicate includes (if any). Jan -- Siemens AG, Technology Linux Expert Center
On 05.07.24 08:06, Shivanand.Kunijadar@toshiba-tsip.com wrote: > Hi Jan, > > Let me explain it through the pictures. These pictures taken on the next branch (commit: 507a6a70a7244a646165c1051668b855aeee9b5f) > > In pic-1.png, I don't see Secure boot option under Image features until I click on Security extensions. > This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. > In pic-2.png, Security extensions is checked so SWUpdate is enabled by default but not Secure boot. A user may think here only SWUpdate is enabled in security image. I understand that internally it is including "ebg-secure-boot-snakeoil.yml" to enable secure boot for security image. There is no issue in build part(I mean proper .yml's are getting included for security image). > Ok, it's getting clearer: kas/opt/security.yml includes kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig. Now, if you enable (or select) secure boot for the security image, you include kas/opt/ebg-secure-boot-snakeoil.yml (and kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf. Jan
Hi Jan, > This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default. > Ok, it's getting clearer: kas/opt/security.yml includes kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while > the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig. > Now, if you enable (or select) secure boot for the security image, you include kas/opt/ebg-secure-boot-snakeoil.yml (and > kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the > statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf. Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. You can ignore the patch, sorry for the inconvenience. Thanks & Regards Shivanand K -----Original Message----- From: Jan Kiszka <jan.kiszka@siemens.com> Sent: Friday, July 5, 2024 11:49 AM To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp> Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options On 05.07.24 08:06, Shivanand.Kunijadar@toshiba-tsip.com wrote: > Hi Jan, > > Let me explain it through the pictures. These pictures taken on the > next branch (commit: 507a6a70a7244a646165c1051668b855aeee9b5f) > > In pic-1.png, I don't see Secure boot option under Image features until I click on Security extensions. > This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. > In pic-2.png, Security extensions is checked so SWUpdate is enabled by default but not Secure boot. A user may think here only SWUpdate is enabled in security image. I understand that internally it is including "ebg-secure-boot-snakeoil.yml" to enable secure boot for security image. There is no issue in build part(I mean proper .yml's are getting included for security image). > Ok, it's getting clearer: kas/opt/security.yml includes kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig. Now, if you enable (or select) secure boot for the security image, you include kas/opt/ebg-secure-boot-snakeoil.yml (and kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf. Jan -- Siemens AG, Technology Linux Expert Center
On 05.07.24 08:57, Shivanand.Kunijadar@toshiba-tsip.com wrote: > Hi Jan, > >> This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. > > Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default. > >> Ok, it's getting clearer: kas/opt/security.yml includes kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while >> the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig. > >> Now, if you enable (or select) secure boot for the security image, you include kas/opt/ebg-secure-boot-snakeoil.yml (and >> kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the >> statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf. > > Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. > > You can ignore the patch, sorry for the inconvenience. > Not really: we should still select secure boot from the security image. Jan
Hi Jan, > Not really: we should still select secure boot from the security image. You mean the below change is still valid? if so, I will send the v2 patch for this change only. config IMAGE_SECURITY bool "Security extensions" select IMAGE_SWUPDATE + select IMAGE_SECURE_BOOT select IMAGE_DATA_ENCRYPTION depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI Thanks & Regards Shivanand K -----Original Message----- From: Jan Kiszka <jan.kiszka@siemens.com> Sent: Friday, July 5, 2024 12:47 PM To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp> Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options On 05.07.24 08:57, Shivanand.Kunijadar@toshiba-tsip.com wrote: > Hi Jan, > >> This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. > > Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default. > >> Ok, it's getting clearer: kas/opt/security.yml includes >> kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig. > >> Now, if you enable (or select) secure boot for the security image, >> you include kas/opt/ebg-secure-boot-snakeoil.yml (and >> kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf. > > Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. > > You can ignore the patch, sorry for the inconvenience. > Not really: we should still select secure boot from the security image. Jan -- Siemens AG, Technology Linux Expert Center
On 05.07.24 09:23, Shivanand.Kunijadar@toshiba-tsip.com wrote: > Hi Jan, > >> Not really: we should still select secure boot from the security image. > > You mean the below change is still valid? if so, I will send the v2 patch for this change only. > > config IMAGE_SECURITY > bool "Security extensions" > select IMAGE_SWUPDATE > + select IMAGE_SECURE_BOOT > select IMAGE_DATA_ENCRYPTION > depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > Sure! Jan > Thanks & Regards > Shivanand K > > -----Original Message----- > From: Jan Kiszka <jan.kiszka@siemens.com> > Sent: Friday, July 5, 2024 12:47 PM > To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org > Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp> > Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options > > On 05.07.24 08:57, Shivanand.Kunijadar@toshiba-tsip.com wrote: >> Hi Jan, >> >>> This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. >> >> Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default. >> >>> Ok, it's getting clearer: kas/opt/security.yml includes >>> kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig. >> >>> Now, if you enable (or select) secure boot for the security image, >>> you include kas/opt/ebg-secure-boot-snakeoil.yml (and >>> kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf. >> >> Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. >> >> You can ignore the patch, sorry for the inconvenience. >> > > Not really: we should still select secure boot from the security image. > > Jan > > -- > Siemens AG, Technology > Linux Expert Center
diff --git a/Kconfig b/Kconfig index 96f590a..f73c8f2 100644 --- a/Kconfig +++ b/Kconfig @@ -163,11 +163,25 @@ if !KERNEL_4_4 && !KERNEL_4_19 config IMAGE_SECURITY bool "Security extensions" select IMAGE_SWUPDATE + select IMAGE_SECURE_BOOT select IMAGE_DATA_ENCRYPTION depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI help This enables security, encryption, secureboot and swupdate for IEC 62443-4-2. +config KAS_INCLUDE_SWUPDATE + string + default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE + +config KAS_INCLUDE_SECURE_BOOT + string + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT + +config IMAGE_SECURE_BOOT + bool "Secure boot support" + select IMAGE_SWUPDATE + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI + config KAS_INCLUDE_SECURITY string default "kas/opt/security.yml" if IMAGE_SECURITY @@ -189,15 +203,6 @@ config IMAGE_DELTA_SWUPDATE endchoice -config IMAGE_SECURE_BOOT - bool "Secure boot support" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI - -config KAS_INCLUDE_SWUPDATE_SECBOOT - string - default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT - default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT - config KAS_INCLUDE_DELTA_UPDATE string default "kas/opt/delta-update.yml" if IMAGE_DELTA_SWUPDATE
The security target should include both SWUpdate and Secure boot options by default, so add the missing secure boot dependency in the security option. Also enable kas-container menu in such way that user can select individual features without security option. Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com> --- Kconfig | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-)