From patchwork Tue Oct 31 08:37:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441266 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0F3AC001B0 for ; Tue, 31 Oct 2023 08:49:49 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.182063.1698742187492191971 for ; Tue, 31 Oct 2023 01:49:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=LUX8Fu8s; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-20231031084944119d385af1786ade5e-qd9oqu@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20231031084944119d385af1786ade5e for ; Tue, 31 Oct 2023 09:49:44 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=Ci4RvofAW6V9OV3FbM9k9//VUWNSYaXYeVKO0AdBJ78=; b=LUX8Fu8sIOJYmhlaFGeUQRHFLr7WbTrsGxgdkLhBn1hV9bt4wqIzmHF4bn//FwQeC3cTE8 3VQrNm6QnsUhbn0BsovOgPJLtWwLftVlKdv0vqo/uLd8TqrtNrEqGESc0Qe6NCLs0LtGraAE 1miZ0H1Qmqr55rn/pI75zyjm41AjE=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Date: Tue, 31 Oct 2023 09:37:35 +0100 Message-ID: <20231031084943.3105056-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 31 Oct 2023 08:49:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13500 From: Quirin Gylstorff Use flake8 to check for issues. Signed-off-by: Quirin Gylstorff --- scripts/deploy-kernelci.py | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/scripts/deploy-kernelci.py b/scripts/deploy-kernelci.py index 5a8adca..62f3f01 100755 --- a/scripts/deploy-kernelci.py +++ b/scripts/deploy-kernelci.py
@@ -1,30 +1,30 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -import subprocess import requests import os import sys import time from urllib.parse import urljoin -cdate=time.strftime("%Y%m%d") -api="https://api.kernelci.org/upload" -token=os.getenv("KERNELCI_TOKEN") +cdate = time.strftime("%Y%m%d") +api = "https://api.kernelci.org/upload" +token = os.getenv("KERNELCI_TOKEN") -release=sys.argv[1] -target=sys.argv[2] -extension=sys.argv[3] +release = sys.argv[1] +target = sys.argv[2] +extension = sys.argv[3] -rootfs_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz" -initrd_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img" -initrd_gz_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz" +rootfs_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz" +initrd_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img" +initrd_gz_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz" + +input_dir = "build/tmp/deploy/images/"+target +upload_path = "/images/rootfs/cip/"+cdate+"/"+target+"/" +upload_path_latest = "/images/rootfs/cip/latest/"+target+"/" +rootfs = input_dir+"/"+rootfs_filename +initrd = input_dir+"/"+initrd_filename -input_dir="build/tmp/deploy/images/"+target -upload_path="/images/rootfs/cip/"+cdate+"/"+target+"/" -upload_path_latest="/images/rootfs/cip/latest/"+target+"/" -rootfs=input_dir+"/"+rootfs_filename -initrd=input_dir+"/"+initrd_filename def upload_file(api, token, path, input_file, input_filename): headers = { 
@@ -40,6 +40,7 @@ def upload_file(api, token, path, input_file, input_filename): resp = requests.post(url, headers=headers, data=data, files=files) resp.raise_for_status() + if os.path.exists(rootfs) and os.path.exists(initrd): print("uploading rootfs to KernelCI") upload_file(api, token, upload_path, rootfs, rootfs_filename) From patchwork Tue Oct 31 08:37:36 2023 X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441267
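Review bot: the filename assignments in the first hunk (`rootfs_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz"` and the two `initrd_*` lines under it) are longer than 79 columns, so a default flake8 run still reports E501 on exactly the lines this patch reformats; either wrap them or state the `max-line-length` the project uses in the commit message. While these lines are touched anyway, `release = sys.argv[1]` through `extension = sys.argv[3]` still die with a bare IndexError when the script is called with fewer arguments; a `len(sys.argv)` check with a one-line usage message fails more readably.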
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME Date: Tue, 31 Oct 2023 09:37:36 +0100 Message-ID: <20231031084943.3105056-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13499 From: Quirin Gylstorff Add the variable CUSTOM_HOSTNAME to modify the hostname of the image. The default value of CUSTOM_HOSTNAME is "demo". Signed-off-by: Quirin Gylstorff --- recipes-core/customizations/common.inc | 6 +++++- .../customizations/files/{postinst => postinst.tmpl} | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) rename recipes-core/customizations/files/{postinst => postinst.tmpl} (85%) diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc index 680a4d6..79bf80d 100644 --- a/recipes-core/customizations/common.inc +++ b/recipes-core/customizations/common.inc @@ -14,16 +14,20 @@ inherit dpkg-raw FILESPATH:append := ":${FILE_DIRNAME}/files" SRC_URI = " \ - file://postinst \ + file://postinst.tmpl \ file://ethernet \ file://99-silent-printk.conf \ file://99-watchdog.conf" SRC_URI:append:swupdate = " file://swupdate.cfg" +CUSTOM_HOSTNAME ??= "demo" WIRELESS_FIRMWARE_PACKAGE ?= "" INSTALL_WIRELESS_TOOLS ??= "0" +TEMPLATE_FILES += "postinst.tmpl" +TEMPLATE_VARS += "CUSTOM_HOSTNAME" + DEPENDS += "sshd-regen-keys change-root-homedir" DEBIAN_DEPENDS = " \
diff --git a/recipes-core/customizations/files/postinst b/recipes-core/customizations/files/postinst.tmpl similarity index 85% rename from recipes-core/customizations/files/postinst rename to recipes-core/customizations/files/postinst.tmpl index 7e7ea36..2668a93 100644 --- a/recipes-core/customizations/files/postinst +++ b/recipes-core/customizations/files/postinst.tmpl @@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2019 +# Copyright (c) Siemens AG, 2019-2023 # # Authors: # Jan Kiszka 
@@ -18,6 +18,6 @@ if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then echo "PermitRootLogin yes" >> /etc/ssh/sshd_config fi -HOSTNAME=demo +HOSTNAME="${CUSTOM_HOSTNAME}" echo "$HOSTNAME" > /etc/hostname echo "127.0.0.1 $HOSTNAME" >> /etc/hosts From patchwork Tue Oct 31 08:37:37 2023 X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441265
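Review bot: `HOSTNAME="${CUSTOM_HOSTNAME}"` is substituted at build time (`TEMPLATE_VARS += "CUSTOM_HOSTNAME"` in common.inc), so whatever a layer or local.conf sets lands in the generated postinst verbatim, and nothing checks that it is a valid hostname (letters, digits and hyphens, at most 63 characters) or that it is free of `"` and `$`, which would alter the script instead of the hostname. A check in the recipe, for instance an anonymous python function in common.inc that rejects a value not matching `^[A-Za-z0-9-]{1,63}$`, fails the build early with a clear message. Also visible in this hunk's context: `echo "127.0.0.1 $HOSTNAME" >> /etc/hosts` appends another line every time the package is reconfigured; writing the entry only when it is absent keeps /etc/hosts clean.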
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d Date: Tue, 31 Oct 2023 09:37:37 +0100 Message-ID: <20231031084943.3105056-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13498 From: Quirin Gylstorff Make the ssh configuration in line with Debian guidelines by adding an additional file to /etc/ssh/sshd_config.d/. This also allows disabling these changes with a customization.bbappend instead of overwriting the postinst script. Signed-off-by: Quirin Gylstorff --- recipes-core/customizations/customizations.bb | 8 ++++++++ recipes-core/customizations/files/postinst.tmpl | 4 ---- recipes-core/customizations/files/ssh-permit-root.conf | 1 + 3 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb index ad16a90..3dbeb3f 100644 --- a/recipes-core/customizations/customizations.bb +++ b/recipes-core/customizations/customizations.bb @@ -11,6 +11,7 @@ require common.inc +SRC_URI += "file://ssh-permit-root.conf" DESCRIPTION = "CIP Core image demo & customizations" do_prepare_build:prepend:qemu-riscv64() {
@@ -20,3 +21,10 @@ do_prepare_build:prepend:qemu-riscv64() { echo "systemctl mask serial-getty@hvc0.service" >> ${WORKDIR}/postinst fi } + +do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/" +do_install:append () { + if [ -f "${WORKDIR}/ssh-permit-root.conf" ]; then + install -v -m 644 ${WORKDIR}/ssh-permit-root.conf ${D}/etc/ssh/sshd_config.d/ + fi +} diff --git a/recipes-core/customizations/files/postinst.tmpl b/recipes-core/customizations/files/postinst.tmpl index 2668a93..62e9a1a 100644 --- a/recipes-core/customizations/files/postinst.tmpl +++ b/recipes-core/customizations/files/postinst.tmpl @@ -14,10 +14,6 @@ set -e echo "CIP Core Demo & Test Image (login: root/root)" > /etc/issue -if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then - echo "PermitRootLogin yes" >> /etc/ssh/sshd_config -fi - HOSTNAME="${CUSTOM_HOSTNAME}" echo "$HOSTNAME" > /etc/hostname echo "127.0.0.1 $HOSTNAME" >> /etc/hosts diff --git a/recipes-core/customizations/files/ssh-permit-root.conf b/recipes-core/customizations/files/ssh-permit-root.conf new file mode 100644 index 0000000..1073982 --- /dev/null +++ b/recipes-core/customizations/files/ssh-permit-root.conf 
@@ -0,0 +1 @@ +PermitRootLogin yes From patchwork Tue Oct 31 08:37:38 2023 X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441262
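Review bot: the `do_install:append` in customizations.bb guards the copy with `if [ -f "${WORKDIR}/ssh-permit-root.conf" ]`, which only makes sense once 4/9 of this series removes the file from SRC_URI under the `security` override; a one-line comment above the `if` saying why the file may be absent spares the next reader a search through the history. `install -v -m 644` matches the 0644 mode Debian gives sshd_config itself, which is appropriate here since the drop-in holds no secret.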
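Review bot: the new drop-in (`+PermitRootLogin yes`) is only read by an sshd that supports the `Include` keyword, which arrived in OpenSSH 8.2; bullseye (8.4) and bookworm (9.2) ship an sshd_config that starts with `Include /etc/ssh/sshd_config.d/*.conf`, but buster's OpenSSH 7.9 does not know the keyword, and 7/9 of this series still carries buster-specific settings (`DEBIAN_DEPENDS:append:buster`). If buster is still a target, the `grep`/`echo` fallback removed from postinst.tmpl in this patch has to stay for that release, or the commit message should state that buster is no longer supported. On the newer releases the drop-in does take effect as intended, because sshd uses the first value it reads for a keyword and the `Include` sits at the top of the file; a comment in ssh-permit-root.conf stating that it exists for the demo image only would help whoever audits a built rootfs.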
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations Date: Tue, 31 Oct 2023 09:37:38 +0100 Message-ID: <20231031084943.3105056-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13502 From: Quirin Gylstorff To simplify the package structure, security customizations no longer set the hostname and use a dependency instead of an include. Add the OVERRIDE `security` to enable or disable security related configuration settings. Signed-off-by: Quirin Gylstorff --- kas/opt/security.yml | 2 ++ recipes-core/customizations/customizations.bb | 2 ++ recipes-core/security-customizations/files/postinst | 4 ---- .../security-customizations/security-customizations.bb | 8 ++++---- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/kas/opt/security.yml b/kas/opt/security.yml index d87235a..000c522 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml @@ -24,3 +24,5 @@ local_conf_header: adjust-swupdate: | ABROOTFS_IMAGE_RECIPE = "cip-core-image-security" VERITY_IMAGE_RECIPE = "cip-core-image-security" + security-override: | + OVERRIDES .= ":security" diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb index 3dbeb3f..3f6b5de 100644 --- a/recipes-core/customizations/customizations.bb +++ b/recipes-core/customizations/customizations.bb
@@ -12,6 +12,8 @@ require common.inc SRC_URI += "file://ssh-permit-root.conf" +SRC_URI:remove:security = "file://ssh-permit-root.conf" + DESCRIPTION = "CIP Core image demo & customizations" do_prepare_build:prepend:qemu-riscv64() { diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 620c863..bbd21bd 100755 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -8,10 +8,6 @@ set -e echo "CIP Core Security Image (login: root/CIPsecurity@123)" > /etc/issue -HOSTNAME=demo -echo "$HOSTNAME" > /etc/hostname -echo "127.0.0.1 $HOSTNAME" >> /etc/hosts - # CR1.7: Strength of password-based authentication # Pam configuration to enforce password strength PAM_PWD_FILE="/etc/pam.d/common-password" diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb index 240a577..d5249a2 100644 --- a/recipes-core/security-customizations/security-customizations.bb +++ b/recipes-core/security-customizations/security-customizations.bb 
@@ -9,12 +9,12 @@ # SPDX-License-Identifier: MIT # -require recipes-core/customizations/common.inc +inherit dpkg-raw DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" -SRC_URI += "file://postinst" +SRC_URI = "file://postinst" -DEPENDS += "sshd-regen-keys" -DEBIAN_DEPENDS += ", sshd-regen-keys, libpam-google-authenticator" +DEPENDS = "customizations, sshd-regen-keys" +DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator" From patchwork Tue Oct 31 08:37:39 2023 X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441260
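Review bot: `+DEPENDS = "customizations, sshd-regen-keys"` separates the two recipes with a comma, but bitbake's DEPENDS is whitespace-separated, so `customizations,` is resolved as a recipe name and the build breaks at this point in the series; 7/9 rewrites the line as `DEPENDS = "customizations sshd-regen-keys"`, and that fix belongs in this patch so every commit builds. The same hunk has a stray space in `DEBIAN_DEPENDS = "customizations , sshd-regen-keys, ..."`, likewise corrected in 7/9.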
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error Date: Tue, 31 Oct 2023 09:37:39 +0100 Message-ID: <20231031084943.3105056-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13497 From: Quirin Gylstorff if [ -f ... ] does not work with globbing. Signed-off-by: Quirin Gylstorff --- recipes-core/security-customizations/files/postinst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index bbd21bd..717b7ac 100755 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst
@@ -32,11 +32,11 @@ fi # Lock user account after unsuccessful login attempts PAM_AUTH_FILE="/etc/pam.d/common-auth" # pam_tally2 is deprecated from pam version 1.4.0-7 -if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then +if readlink -f /lib/*-linux-gnu*/security/pam_tally2.so; then PAM_MODULE="pam_tally2.so" PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \naccount required pam_tally2.so" -elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then +elif readlink -f /lib/*-linux-gnu*/security/pam_faillock.so; then PAM_MODULE="pam_faillock.so" PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ From patchwork Tue Oct 31 08:37:40 2023 X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441263
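Review bot: `if readlink -f /lib/*-linux-gnu*/security/pam_tally2.so; then` gives the right answer for the wrong reason: GNU `readlink -f` only requires the parent components to exist, so it exits 0 for any path whose directory exists, and the check fails for a missing module only because an unmatched glob is passed through literally and the literal `*-linux-gnu*` directory does not exist. It also prints the resolved path into the postinst output. `readlink -e` (every component must exist) with `>/dev/null`, or an explicit `for f in /lib/*-linux-gnu*/security/pam_tally2.so; do [ -f "$f" ] && ...` loop, states the intent and survives a future change in glob behaviour. Separately, the unchanged context line `\nauth required pam_faillock.so .so authfail ...` carries a stray `.so` token that pam_faillock receives as an unknown option; worth fixing while this block is being edited.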
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files Date: Tue, 31 Oct 2023 09:37:40 +0100 Message-ID: <20231031084943.3105056-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13503 From: Quirin Gylstorff For easier maintenance extract the ssh configuration to /etc/sshd_config.d/. Configuration entries in sshd_config.d will overwrite elements in sshd_config. Signed-off-by: Quirin Gylstorff --- .../security-customizations/files/postinst | 16 ---------------- .../files/ssh-pam-remote.conf | 4 ++++ .../files/ssh-remote-session-term.conf | 5 +++++ .../security-customizations.bb | 9 ++++++++- 4 files changed, 17 insertions(+), 17 deletions(-) create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 717b7ac..daade83 100755 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -51,14 +51,6 @@ if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then fi sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}" -# CR2.6: Remote session termination -# Terminate remote session after inactive time period -SSHD_CONFIG="/etc/ssh/sshd_config" -alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") -alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") -sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" -sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" - # CR2.7: Concurrent session control # Limit the concurrent login sessions LIMITS_CONFIG="/etc/security/limits.conf" @@ -80,12 +72,4 @@ if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" fi echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" -# Enable PAM configuration for Remote Session -if grep -s -q "ChallengeResponseAuthentication" "${SSHD_CONFIG}";then - sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" -fi -if grep -s -q "KbdInteractiveAuthentication" "${SSHD_CONFIG}";then - sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/g' "${SSHD_CONFIG}" -fi -echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" diff --git a/recipes-core/security-customizations/files/ssh-pam-remote.conf b/recipes-core/security-customizations/files/ssh-pam-remote.conf new file mode 100644 index 0000000..d460b0c --- /dev/null +++ b/recipes-core/security-customizations/files/ssh-pam-remote.conf 
@@ -0,0 +1,4 @@ +# Enable PAM configuration for Remote Session +ChallengeResponseAuthentication yes +KbdInteractiveAuthentication yes +AuthenticationMethods keyboard-interactive diff --git a/recipes-core/security-customizations/files/ssh-remote-session-term.conf b/recipes-core/security-customizations/files/ssh-remote-session-term.conf new file mode 100644 index 0000000..d11b92e --- /dev/null +++ b/recipes-core/security-customizations/files/ssh-remote-session-term.conf @@ -0,0 +1,5 @@ +# CR2.6: Remote session termination +# Terminate remote session after inactive time period + +ClientAliveInterval 120 +ClientAliveCountMax 0 diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb index d5249a2..d3cede8 100644 --- a/recipes-core/security-customizations/security-customizations.bb +++ b/recipes-core/security-customizations/security-customizations.bb 
@@ -13,8 +13,15 @@ inherit dpkg-raw DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" -SRC_URI = "file://postinst" +SRC_URI = "file://postinst \ + file://ssh-remote-session-term.conf \ + file://ssh-pam-remote.conf" DEPENDS = "customizations, sshd-regen-keys" DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator" +do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/" +do_install () { + install -m 600 ${WORKDIR}/ssh-remote-session-term.conf ${D}/etc/ssh/sshd_config.d/ + install -m 600 ${WORKDIR}/ssh-pam-remote.conf ${D}/etc/ssh/sshd_config.d/ +} From patchwork Tue Oct 31 08:37:41 2023 X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441264
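Review bot: `ClientAliveCountMax 0` in ssh-remote-session-term.conf does the opposite of the CR2.6 comment above it. Since OpenSSH 8.2 a zero count disables connection termination altogether (before 8.2 it dropped the client after the first unanswered probe), so on bullseye (8.4) and bookworm (9.2) this file switches the timeout off rather than on; `ClientAliveCountMax 1` together with `ClientAliveInterval 120` disconnects after roughly two minutes without a response. Note also that ClientAlive probes detect an unresponsive client, not an idle user: a client that is still connected answers them indefinitely, so the inactivity requirement needs a shell-level timeout (for example a read-only `TMOUT` set from /etc/profile.d) in addition to, or instead of, these two lines.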
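Review bot: `AuthenticationMethods keyboard-interactive` in ssh-pam-remote.conf restricts sshd to that single method, so public-key logins stop working for every account on the security image; if the goal is a second factor on top of a key, `AuthenticationMethods publickey,keyboard-interactive` requires both. The PAM line this pairs with, `auth required pam_google_authenticator.so nullok` in the postinst context of this patch, makes the OTP step optional for accounts without an enrolled token, so the drop-in alone does not enforce two-factor login; the commit message should say which behaviour is intended. Setting both `ChallengeResponseAuthentication yes` and `KbdInteractiveAuthentication yes` is the portable choice, since Debian's stock sshd_config disables the former on bullseye and the latter on bookworm.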
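Review bot: `install -m 600` in the new `do_install ()` disagrees with `install -v -m 644` used for the same directory by customizations.bb in 3/9; the two recipes should use one mode, and 0644 matches what Debian gives sshd_config itself (sshd reads the drop-ins as root either way, and they contain no secrets). As with the customizations drop-in, these files are only honoured by an sshd that supports `Include` (OpenSSH 8.2 and later), so on buster the CR2.6 and PAM settings removed from postinst in this patch would vanish without any error.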
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization Date: Tue, 31 Oct 2023 09:37:41 +0100 Message-ID: <20231031084943.3105056-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13505 From: Quirin Gylstorff To ensure that the package security-customizations is installable, move packages from cip-core-image-security as dependencies to security-packages. Remove libtss2-esys* as it is already installed together with tpm2-tools. Signed-off-by: Quirin Gylstorff --- recipes-core/images/cip-core-image-security.bb | 12 +----------- .../security-customizations.bb | 11 ++++++++--- 2 files changed, 9 insertions(+), 14 deletions(-) diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb index 3421ce5..525a346 100644 --- a/recipes-core/images/cip-core-image-security.bb +++ b/recipes-core/images/cip-core-image-security.bb
@@ -28,24 +28,14 @@ IMAGE_PREINSTALL += " \ tpm2-tools \ tpm2-abrmd \ acl \ - audispd-plugins auditd \ + audispd-plugins \ uuid-runtime \ sudo \ aide-common \ - libpam-google-authenticator \ passwd \ login \ - libpam-runtime \ util-linux \ " -# Package names based on the distro version -IMAGE_PREINSTALL:append:buster = " libtss2-esys0 \ - libpam-cracklib" -IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0 \ - libpam-cracklib" -IMAGE_PREINSTALL:append:bookworm = " libtss2-esys-3.0.2-0 \ - libpam-passwdqc" - CIP_IMAGE_OPTIONS ?= "" require ${CIP_IMAGE_OPTIONS} diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb index d3cede8..75a6a99 100644 --- a/recipes-core/security-customizations/security-customizations.bb +++ b/recipes-core/security-customizations/security-customizations.bb 
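Review bot: the removed lines take `auditd`, `libpam-google-authenticator` and `libpam-runtime` out of IMAGE_PREINSTALL, but nothing in this hunk shows the image still pulling in `security-customizations`, which after this change is the only path by which those packages reach the image; please confirm `security-customizations` remains in the image's install list, otherwise the audit daemon that the kept `audispd-plugins \` line depends on is silently dropped. The commit message should also mention that the PAM password-quality packages (`libpam-cracklib` / `libpam-passwdqc`) are being moved, not only that `libtss2-esys*` is removed.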
@@ -11,14 +11,19 @@ inherit dpkg-raw -DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" +DESCRIPTION = "CIP Security configuration for IEC62443-4-2 evaluation" SRC_URI = "file://postinst \ file://ssh-remote-session-term.conf \ file://ssh-pam-remote.conf" -DEPENDS = "customizations, sshd-regen-keys" -DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator" +DEPENDS = "customizations sshd-regen-keys" +DEBIAN_DEPENDS = "customizations, sshd-regen-keys, libpam-google-authenticator, libpam-modules, libpam-runtime, auditd" + +# Package names based on the distro version +DEBIAN_DEPENDS:append:buster = ", libpam-cracklib" +DEBIAN_DEPENDS:append:bullseye = ", libpam-cracklib" +DEBIAN_DEPENDS:append:bookworm = ", libpam-passwdqc" do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/" do_install () { From patchwork Tue Oct 31 08:37:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441259 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F704C4167B for ; Tue, 31 Oct 2023 08:49:49 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.181753.1698742188353021032 for ; Tue, 31 Oct 2023 01:49:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=l9Y6/D2j; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-51332-202310310849461b6d53d0769d8704b4-yemcva@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 202310310849461b6d53d0769d8704b4 for ; Tue, 31 Oct 2023 09:49:46 +0100 DKIM-Signature: v=1; a=rsa-sha256; 
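Review bot: `DEBIAN_DEPENDS:append:buster = ", libpam-cracklib"` shows this recipe still targets buster, yet the do_install kept below this hunk installs the two drop-ins into /etc/ssh/sshd_config.d/, which sshd only reads through an `Include` directive; buster's openssh-server predates `Include`, so on that release `ssh-remote-session-term.conf` and `ssh-pam-remote.conf` would be installed but never applied. Either document the drop-ins as bullseye/bookworm only or provide a buster fallback in postinst. Changing `DEPENDS` to the space-separated form is correct; consider squashing it into the patch that introduced the comma.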
q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=4yMJjJ/SF4ixxHUG4EcI/irLionAYK3VquIQ/8Nx4yk=; b=l9Y6/D2jOUIHs6DVTmqWGaleMrXZ/Fo+vxyewYyWlaFARoVZubb4b+CKqwGkmb0IiJlun8 oGWKMMt8lXAnhCphs3/rr0MAyCrp6NhEFPEymgZbCR/NxKHdNC4bDQXbKgRsn8L9MDMShvZB u28rc6YNTm+GHcl+7OI5+oEEbA5Bc=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations Date: Tue, 31 Oct 2023 09:37:42 +0100 Message-ID: <20231031084943.3105056-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 31 Oct 2023 08:49:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13506 From: Quirin Gylstorff This is to simplify maintenance. Also extract serial getty override and sshd_config changes from postinstall to separate files. Signed-off-by: Quirin Gylstorff --- .../kernelci-customizations/files/postinst | 11 ----------- .../files/serial-getty-kernelci-override.conf | 3 +++ .../files/ssh-permit-empty-passwords.conf | 2 ++ .../kernelci-customizations.bb | 18 ++++++++++++++---- 4 files changed, 19 insertions(+), 15 deletions(-) create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
diff --git a/recipes-core/kernelci-customizations/files/postinst b/recipes-core/kernelci-customizations/files/postinst index 7ae30e8..08544a4 100644 --- a/recipes-core/kernelci-customizations/files/postinst +++ b/recipes-core/kernelci-customizations/files/postinst @@ -15,20 +15,9 @@ echo "CIP Core Demo & Test Image" > /etc/issue # permit root login without password -echo "PermitRootLogin yes" >> /etc/ssh/sshd_config -echo "PermitEmptyPasswords yes" >> /etc/ssh/sshd_config passwd root -d -# serial getty service for autologin -mkdir -p /etc/systemd/system/serial-getty@.service.d/ -echo "[Service]" > /etc/systemd/system/serial-getty@.service.d/override.conf -echo "ExecStart=" >> /etc/systemd/system/serial-getty@.service.d/override.conf -echo "ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM" >> /etc/systemd/system/serial-getty@.service.d/override.conf - # set the profile for KernelCI echo "PS1='\$(pwd) # '" > /root/.profile echo "cd /" >> /root/.profile -HOSTNAME=demo -echo "$HOSTNAME" > /etc/hostname -echo "127.0.0.1 $HOSTNAME" >> /etc/hosts diff --git a/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf new file mode 100644 index 0000000..a1472c5 --- /dev/null +++ b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf @@ -0,0 +1,3 @@ +[Service] +ExecStart= +ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM diff --git a/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf new file mode 100644 index 0000000..b958fec --- /dev/null +++ b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf @@ -0,0 +1,2 @@ +PermitEmptyPasswords yes + 
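Review bot: the postinst hunk removes both `echo "PermitRootLogin yes"` and `echo "PermitEmptyPasswords yes"`, but the new drop-in added below it only carries `PermitEmptyPasswords yes`, so root login over SSH is no longer explicitly permitted while the kept `passwd root -d` still blanks the root password; if dropping PermitRootLogin is intended, state it in the commit message, otherwise the drop-in is missing a line. The hostname lines (`HOSTNAME=demo`, the writes to `/etc/hostname` and `/etc/hosts`) are also removed without a replacement and without mention in the commit message; confirm the new `customizations` dependency now sets the hostname.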
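Review bot: `ssh-permit-empty-passwords.conf` ends with an empty `+` line (`@@ -0,0 +1,2 @@` for a single directive); drop the trailing blank line. Since this drop-in deliberately relaxes sshd for a CI-only image, add a comment line in the file stating that it belongs to the KernelCI customizations package and must never be shipped in the security image, so the intent stays auditable on the target filesystem.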
diff --git a/recipes-core/kernelci-customizations/kernelci-customizations.bb b/recipes-core/kernelci-customizations/kernelci-customizations.bb index f972be5..3a99884 100644 --- a/recipes-core/kernelci-customizations/kernelci-customizations.bb +++ b/recipes-core/kernelci-customizations/kernelci-customizations.bb 
@@ -11,13 +11,23 @@ # SPDX-License-Identifier: MIT # -require recipes-core/customizations/common.inc +inherit dpkg-raw DESCRIPTION = "CIP Core KernelCI image customizations" -SRC_URI += "file://dmesg.sh" +DEPENDS += "customizations" +DEBIAN_DEPENDS += "customizations" -do_install:append() { - install -v -d ${D}/opt/kernelci +SRC_URI = "file://postinst \ + file://dmesg.sh \ + file://serial-getty-kernelci-override.conf \ + file://ssh-permit-empty-passwords.conf" + +do_install[cleandirs] = "${D}/opt/kernelci/ \ + ${D}/etc/systemd/system/serial-getty@.service.d/ \ + ${D}/etc/ssh/sshd_config.d/" +do_install() { install -v -m 744 ${WORKDIR}/dmesg.sh ${D}/opt/kernelci/ + install -v -m 644 ${WORKDIR}/serial-getty-kernelci-override.conf ${D}/etc/systemd/system/serial-getty@.service.d/serial-getty-kernelci-override.conf + install -v -m 600 ${WORKDIR}/ssh-permit-empty-passwords.conf ${D}/etc/ssh/sshd_config.d/ssh-permit-empty-passwords.conf } From patchwork Tue Oct 31 08:37:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13441261 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 908E6C4167D for ; Tue, 31 Oct 2023 08:49:49 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.182065.1698742188416570026 for ; Tue, 31 Oct 2023 01:49:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=cdmm9DLG; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20231031084946ed8281284b9489ef69-srpcry@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA 
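Review bot: `do_install[cleandirs] = "..."` uses plain assignment, while the sibling recipe in this series (security-customizations.bb) uses `do_install[cleandirs] += ...`; with `=` any cleandirs set by the inherited dpkg-raw class or a bbappend are overwritten, so use `+=` here as well. Replacing `require recipes-core/customizations/common.inc` with `inherit dpkg-raw` plus `DEPENDS += "customizations"` also changes how `postinst` (now listed in SRC_URI) is picked up; confirm it is still installed as the package's maintainer script, because the autologin and empty-password setup depends on it running. `-m 600` for the sshd drop-in and `-m 644` for the systemd override are the appropriate modes.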
id 20231031084946ed8281284b9489ef69 for ; Tue, 31 Oct 2023 09:49:46 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=nMbM3+ayTDWkq3ePJRp1e1khVw270YqiABTsAvFuPM0=; b=cdmm9DLG2RIMSm2gD29dlcd5OgT9cXU0baVOviGxApVO7XOPqosj9bUFh6ujSD0YJYMBLF WQh/9Sn2x/wWDAhsk8pAEG2JggTngUsAIRCNjGVVBogl1I61JR+MCPJhH7/znUPCyY0lwtmL LUzc6jeZjvaxfX+uZqrSzq8Wzi/xc=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf Date: Tue, 31 Oct 2023 09:37:43 +0100 Message-ID: <20231031084943.3105056-10-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> References: <20231031084943.3105056-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 31 Oct 2023 08:49:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13504 From: Quirin Gylstorff This ensures that all images are build reproducible. Signed-off-by: Quirin Gylstorff --- conf/layer.conf | 2 ++ kas/opt/reproducible.yml | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/conf/layer.conf b/conf/layer.conf index 2c888b2..82b4084 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -24,3 +24,5 @@ LAYERDIR_cip-core = "${LAYERDIR}" LAYERDIR_cip-core[vardepvalue] = "isar-cip-core" IMAGE_CLASSES += "squashfs verity swupdate" + +SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}" 
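Review bot: the added `SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"` now runs `git log` unconditionally at layer parse time, whereas in kas/opt/reproducible.yml it was opt-in; if the layer is consumed from a tarball or an exported checkout without `.git`, `bb.process.run` raises and every parse fails, not only reproducible builds. Guard the call (fall back to a fixed value when git fails) and allow an override so local.conf can pin an explicit epoch for release builds. Note also that the value tracks only the last commit of isar-cip-core, so uncommitted local changes or updates in other layers do not move it; a comment next to the assignment would make that limitation explicit.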
diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml index 5d6a896..bc71f28 100644 --- a/kas/opt/reproducible.yml +++ b/kas/opt/reproducible.yml @@ -13,5 +13,4 @@ header: local_conf_header: reproducible-builds: | - SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}" WIC_DEPLOY_PARTITIONS = "1"
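Review bot: after removing the `SOURCE_DATE_EPOCH` line, the `reproducible-builds` local_conf_header carries only `WIC_DEPLOY_PARTITIONS = "1"`, whose connection to reproducibility is not obvious; add a comment explaining why it stays under that header, or move it to the option that needs it and drop the header.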