From patchwork Wed Sep 6 04:56:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13375266 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63102EB8FA5 for ; Wed, 6 Sep 2023 04:56:59 +0000 (UTC) Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.131]) by mx.groups.io with SMTP id smtpd.web11.1742.1693976210211629495 for ; Tue, 05 Sep 2023 21:56:51 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.131, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1120) id 3864ums52554729; Wed, 6 Sep 2023 13:56:48 +0900 X-Iguazu-Qid: 2rWgyA9oohD7aouMyB X-Iguazu-QSIG: v=2; s=0; t=1693976207; q=2rWgyA9oohD7aouMyB; m=rV4cMRcqFDG5v1ST1iT6Ibc4IzPJhbRrxZjw43Uc1jM= Received: from imx12-a.toshiba.co.jp ([38.106.60.135]) by relay.securemx.jp (mx-mr1120) id 3864ukEh181482 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 6 Sep 2023 13:56:47 +0900 
From: Sai.Sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 1/3] Kconfig: Opt additional IEC 62443-4-2 features when security option is selected Date: Wed, 6 Sep 2023 10:26:41 +0530 X-TSB-HOP2: ON Message-Id: <20230906045643.2640096-2-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230906045643.2640096-1-Sai.Sathujoda@toshiba-tsip.com> References: <20230906045643.2640096-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 06 Sep 2023 04:56:43.0171 (UTC) FILETIME=[87B94F30:01D9E07E] List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 06 Sep 2023 04:56:59 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12971 From: Sai Data encryption, Secureboot and Swupdate options will be automatically selected when security extensions is selected. Signed-off-by: Sai --- Kconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Kconfig b/Kconfig index ec49631..75d6ba4 100644 --- a/Kconfig +++ b/Kconfig 
@@ -170,6 +170,9 @@ config KAS_INCLUDE_IMAGE_FORMAT config IMAGE_SECURITY bool "Security extensions" + select IMAGE_DATA_ENCRYPTION + help + This enables security, encrpytion, secureboot and swupdate for IEC 62443-4-2. config KAS_INCLUDE_SECURITY string From patchwork Wed Sep 6 04:56:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13375268 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 549C4EB8FAD for ; Wed, 6 Sep 2023 04:56:59 +0000 (UTC) Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.131]) by mx.groups.io with SMTP id smtpd.web11.1743.1693976211404141481 for ; Tue, 05 Sep 2023 21:56:51 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.131, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1120) id 3864unBQ2554810; Wed, 6 Sep 2023 13:56:49 +0900 X-Iguazu-Qid: 2rWgJRkMVz8CLeFe42 X-Iguazu-QSIG: v=2; s=0; t=1693976208; q=2rWgJRkMVz8CLeFe42; m=MOGfv3ksqrBQPu3CI7hB6vljOjGHLN+NRdBf9SnrmBA= Received: from imx12-a.toshiba.co.jp ([38.106.60.135]) by relay.securemx.jp (mx-mr1120) id 3864ulI6181514 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 6 Sep 2023 13:56:48 +0900 
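Review bot: the new help text for IMAGE_SECURITY promises encryption, secure boot and swupdate, but the hunk only adds `select IMAGE_DATA_ENCRYPTION`; nothing in this Kconfig change selects a secure-boot or swupdate symbol, so either add the corresponding `select` lines or narrow the help text (and the commit message, which says all three "will be automatically selected") to what the option actually pulls in. Also fix the typo in `This enables security, encrpytion, secureboot and swupdate` ("encryption"), and keep in mind that `select` forces IMAGE_DATA_ENCRYPTION on regardless of that symbol's own `depends on`, so check it has no dependency that IMAGE_SECURITY does not already satisfy, or use `imply` instead.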
From: Sai.Sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 2/3] .gitlab-ci.yml: Added a new variable to control deployment Date: Wed, 6 Sep 2023 10:26:42 +0530 X-TSB-HOP2: ON Message-Id: <20230906045643.2640096-3-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230906045643.2640096-1-Sai.Sathujoda@toshiba-tsip.com> References: <20230906045643.2640096-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 06 Sep 2023 04:56:43.0187 (UTC) FILETIME=[87BBC030:01D9E07E] List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 06 Sep 2023 04:56:59 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12973 From: Sai This "EXTRA_ARTIFACT" variable is enabled by default so that it can be disabled for targets where the uploading of only disk image is necessary. As per the requirement, only disk image upload is sufficient for security image. So the EXTRA_ARTIFACT is disabled for the targets involving security extension. Signed-off-by: Sai --- .gitlab-ci.yml | 6 +++++- scripts/deploy-cip-core.sh | 31 +++++++++++++++++-------------- 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8ccd617..f1308ee 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -25,6 +25,7 @@ variables: dtb: none deploy: enable deploy_kernelci: disable + extra_artifact: enable stages: - build 
@@ -60,7 +61,7 @@ default: - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"; fi - echo "Building ${base_yaml}" - kas build ${base_yaml} - - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi + - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG} ${extra_artifact}; fi - if [ "${deploy_kernelci}" = "enable" ]; then scripts/deploy-kernelci.py ${release} ${target} ${extension} ${dtb}; fi # base image @@ -100,6 +101,7 @@ build:qemu-amd64-base: use_rt: disable wic_targz: disable targz: enable + extra_artifact: disable build:qemu-amd64-base-kernelci: extends: @@ -122,6 +124,7 @@ build:qemu-arm64-base: use_rt: disable wic_targz: disable targz: enable + extra_artifact: disable build:qemu-arm64-base-kernelci: extends: @@ -144,6 +147,7 @@ build:qemu-arm-base: use_rt: disable wic_targz: disable targz: enable + extra_artifact: disable build:qemu-arm-base-kernelci: extends: diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh index eaa8974..76e80ce 100755 --- a/scripts/deploy-cip-core.sh +++ b/scripts/deploy-cip-core.sh @@ -15,6 +15,7 @@ TARGET=$2 EXTENSION=$3 DTB=$4 REF=$5 +EXTRA_ARTIFACT=$6 BASE_FILENAME=cip-core-image-cip-core-$RELEASE-$TARGET if [ "${EXTENSION}" != "none" ]; then 
@@ -36,20 +37,22 @@ if [ -f "${BASE_PATH}.wic" ]; then aws s3 cp --no-progress --acl public-read "${BASE_PATH}.wic.xz" "${S3_TARGET}" fi -if [ -f "${BASE_PATH}.tar.gz" ]; then - echo "Uploading artifacts..." - aws s3 cp --no-progress --acl public-read "${BASE_PATH}.tar.gz" "${S3_TARGET}" -fi +if [ ${EXTRA_ARTIFACT} == "enable" ]; then + if [ -f "${BASE_PATH}.tar.gz" ]; then + echo "Uploading artifacts..." + aws s3 cp --no-progress --acl public-read "${BASE_PATH}.tar.gz" "${S3_TARGET}" + fi -KERNEL_IMAGE="$BASE_PATH-vmlinu[xz]" -# iwg20m workaround -if [ -f "build/tmp/deploy/images/$TARGET/zImage" ]; then - KERNEL_IMAGE=build/tmp/deploy/images/$TARGET/zImage -fi -# shellcheck disable=SC2086 -aws s3 cp --no-progress --acl public-read $KERNEL_IMAGE "${S3_TARGET}" -aws s3 cp --no-progress --acl public-read "${BASE_PATH}-initrd.img" "${S3_TARGET}" + KERNEL_IMAGE="$BASE_PATH-vmlinu[xz]" + # iwg20m workaround + if [ -f "build/tmp/deploy/images/$TARGET/zImage" ]; then + KERNEL_IMAGE=build/tmp/deploy/images/$TARGET/zImage + fi + # shellcheck disable=SC2086 + aws s3 cp --no-progress --acl public-read $KERNEL_IMAGE "${S3_TARGET}" + aws s3 cp --no-progress --acl public-read "${BASE_PATH}-initrd.img" "${S3_TARGET}" -if [ "$DTB" != "none" ]; then - aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/"$DTB" "${S3_TARGET}" + if [ "$DTB" != "none" ]; then + aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/"$DTB" "${S3_TARGET}" + fi fi From patchwork Wed Sep 6 04:56:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13375267 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B696EB8FB5 for ; Wed, 6 Sep 2023 04:56:59 +0000 
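Review bot: the three `extra_artifact: disable` lines land in the jobs that sit directly before `build:qemu-amd64-base-kernelci:`, `build:qemu-arm64-base-kernelci:` and `build:qemu-arm-base-kernelci:`, with hunk headers naming `build:qemu-amd64-base` and friends, i.e. from the visible context these look like the base image jobs, whereas the commit message says the variable is disabled "for the targets involving security extension". If these really are the base jobs, the change stops uploading the tar.gz that the same jobs explicitly request with `targz: enable`; please confirm the job names and move the variable to the security jobs if that was the intent.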
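Review bot: in deploy-cip-core.sh, `if [ ${EXTRA_ARTIFACT} == "enable" ]; then` is unquoted and uses the non-POSIX `==`; when the script is called with the old five arguments, `$6` is empty and `[` sees `[ == "enable" ]`, which errors out ("unary operator expected") and skips the whole block, or aborts the script if it runs under `set -e`. Quote it in the form the rest of the script already uses, `if [ "${EXTRA_ARTIFACT}" = "enable" ]; then`, and give the new positional a default such as `EXTRA_ARTIFACT=${6:-enable}` so existing callers keep their current behaviour. Note too that the kernel, initrd and DTB uploads are moved inside the same condition, while the commit message only talks about the tar.gz; say so explicitly, since "disk image only" now also drops the kernel/initrd/DTB from S3.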
From: Sai.Sathujoda@toshiba-tsip.com
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [isar-cip-core 3/3] security.yml: Add additional features to security image
Date: Wed, 6 Sep 2023 10:26:43 +0530
Message-Id: <20230906045643.2640096-4-Sai.Sathujoda@toshiba-tsip.com>
In-Reply-To: <20230906045643.2640096-1-Sai.Sathujoda@toshiba-tsip.com>
References: <20230906045643.2640096-1-Sai.Sathujoda@toshiba-tsip.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12972

From: Sai

From an IEC certification perspective, a security image is needed which has the below features along with security customizations.

1. Data encryption (CR 4.1)
2. Secure boot (EDR 3.14)
3. SWUpdate (NDR 3.10)
Signed-off-by: Sai --- kas/opt/security.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..67bf4ff 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml @@ -10,6 +10,9 @@ # header: version: 12 + includes: + - kas/opt/encrypt-partitions.yml + - kas/opt/ebg-secure-boot-snakeoil.yml target: cip-core-image-security
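Review bot: the commit message lists SWUpdate (NDR 3.10) as the third feature of the security image, but the hunk only adds `kas/opt/encrypt-partitions.yml` and `kas/opt/ebg-secure-boot-snakeoil.yml` to `includes:`; either add the swupdate include here or state where the security image already gets it. The secure-boot include is the snakeoil variant, i.e. the test-key configuration, so an image meant as IEC 62443-4-2 evidence should say in the commit message that these keys are for development only and that a production build must swap in project-owned keys. Finally, encrypt-partitions.yml is now pulled in both by this include and by the `encrypt=enable` path in .gitlab-ci.yml (`base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"`); document which of the two is authoritative so the CI variable and the kas file do not drift apart.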