From patchwork Fri Jun 26 06:44:38 2020
X-Patchwork-Submitter: Venkata Pyla
X-Patchwork-Id: 11626607
From: "venkata"
To: "cip-dev@lists.cip-project.org"
CC: "cip-security@lists.cip-project.org"
Subject: [cip-dev][isar-cip-core PATCH 4/6] Use an image recipe to define installed packages instead of kas option
Date: Fri, 26 Jun 2020 06:44:38 +0000
From: Kazuhiro Hayashi kazuhiro3.hayashi@toshiba.co.jp
Signed-off-by: Kazuhiro Hayashi --- SECURITY.md | 23 ++++-------- opt-security.yml | 34 ----------------- .../images/cip-core-image-security.bb | 37 +++++++++++++++++++ 3 files changed, 45 insertions(+), 49 deletions(-) delete mode 100644 opt-security.yml create mode 100644 recipes-core/images/cip-core-image-security.bb +# +# A reference image which includes security packages +# +# Copyright (c) Toshiba Corporation, 2020 +# +# Authors: +# Kazuhiro Hayashi +# +# SPDX-License-Identifier: MIT +# + +inherit image + +DESCRIPTION = "CIP Core image including security packages" + +# Use the same customizations as cip-core-image +IMAGE_INSTALL += "customizations" + +# Debian packages that provide security features +# TODO: Add sudo or sudo-ldap which conflict each other +IMAGE_PREINSTALL = " \ + openssl libssl1.1 \ + fail2ban \ + openssh-server openssh-sftp-server openssh-client \ + syslog-ng-core syslog-ng-mod-journal \ + aide aide-common \ + libnftables0 nftables \ + libpam-pkcs11 \ + chrony \ + tpm2-tools \ + tpm2-abrmd \ + libtss2-esys0 libtss2-udev \ + libpam-cracklib \ + acl \ + libauparse0 audispd-plugins auditd \ + uuid-runtime \ +" -- 2.20.1
diff --git a/SECURITY.md b/SECURITY.md index a8bccc7..ddceee5 100644 --- a/SECURITY.md +++ b/SECURITY.md
@@ -18,31 +18,24 @@ Assumed environment * Installed packages: `docker-ce`, `qemu-system` * Users who does the following actions must be in the groups `docker` and `kvm` -Create kas file ---------------- - -Create a kas file named `opt-security.yml` to add security settings. - -Add security packages to rootfs -------------------------------- +Create image recipe +------------------- -Set `IMAGE_PREINSTALL` to the list of packages required to enable -the security features. This variable can be set through the kas file. +Create the recipe `recipes-core/images/cip-core-image-security.bb` +to generate a image including required packages. +We can install existing Debian packages by setting +`IMAGE_PREINSTALL` in the image recipe. Example: -``` -local_conf_header: - security: | IMAGE_PREINSTALL = "openssl" -``` Build images ------------ -Build images for QEMU x86 64bit machine: +Build images for QEMU x86 64bit machine. - $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml + $ ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml Run on QEMU ----------- diff --git a/opt-security.yml b/opt-security.yml deleted file mode 100644 index 7c6b39c..0000000 --- a/opt-security.yml +++ /dev/null @@ -1,34 +0,0 @@ -# -# KAS configuration for CIP Core generic profile to enable security features -# -# Copyright (c) Toshiba Corporation, 2020 -# -# Authors: -# Kazuhiro Hayashi -# -# SPDX-License-Identifier: MIT -# - -header: - version: 8 - -local_conf_header: - security: | - # TODO: Add sudo or sudo-ldap - IMAGE_PREINSTALL = "\ - openssl libssl1.1 \ - fail2ban \ - openssh-server openssh-sftp-server openssh-client \ - syslog-ng-core syslog-ng-mod-journal \ - aide aide-common \ - libnftables0 nftables \ - libpam-pkcs11 \ - chrony \ - tpm2-tools \ - tpm2-abrmd \ - libtss2-esys0 libtss2-udev \ - libpam-cracklib \ - acl \ - libauparse0 audispd-plugins auditd \ - uuid-runtime \ - " \ No newline at end of file 
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb new file mode 100644 index 0000000..70571f8 --- /dev/null +++ b/recipes-core/images/cip-core-image-security.bb @@ -0,0 +1,37 @@
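Review bot: In the SECURITY.md hunk, the new "Create image recipe" paragraph reads "to generate a image including required packages"; that should be "an image". In the same hunk the two fence lines that wrapped the old kas snippet are removed together with the `local_conf_header:` / `security: |` lines, but the `IMAGE_PREINSTALL = "openssl"` example line is kept, so it now sits as bare text after "Example:" instead of rendering as a code block; keep a fence pair around the remaining line. The command-line change to `./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml` matches the new recipe name, which is good.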
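Review bot: The opt-security.yml deletion hunk removes the only file a user would previously have appended to the kas-docker command line (the `kas.yml:board-qemu-amd64.yml:opt-security.yml` form that the SECURITY.md hunk drops), yet the patch carries no commit-message body beyond the subject. Anyone still passing `opt-security.yml` will get a missing-file error with no hint of the replacement, so the message should state that the kas option is gone and that the equivalent is `--target cip-core-image-security`. The package list in the deleted file is identical to the one in the new recipe, so nothing is lost in the move itself.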
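Review bot: In the new recipes-core/images/cip-core-image-security.bb, `IMAGE_PREINSTALL` lists library packages (`libssl1.1`, `libnftables0`, `libtss2-esys0`, `libauparse0`) next to the tools they serve (`openssl`, `nftables`, `tpm2-tools`/`tpm2-abrmd`, `auditd`). If those libraries are runtime dependencies of the listed tools, apt pulls them in anyway, and their soname-versioned names change between Debian releases, so pinning them here means the recipe (and the kas file it was copied from) stops building on the next release bump with no security benefit; suggest keeping only the leaf packages, and `libtss2-udev` only if its udev rules are actually wanted. Minor: the comment "Add sudo or sudo-ldap which conflict each other" should read "which conflict with each other".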