diff mbox series

[isar-cip-core,1/3] cip-security: Add packages for IEC-62443-4-2 evaluation

Message ID 20200727114135.368-2-venkata.pyla@toshiba-tsip.com (mailing list archive)
State Accepted
Headers show
Series [isar-cip-core,1/3] cip-security: Add packages for IEC-62443-4-2 evaluation | expand

Commit Message

Venkata Pyla July 27, 2020, 11:41 a.m. UTC
From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>

Identified security packages are added to the target image
and that will be used for IEC-62443-4-2 evaluation

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
---
 .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 recipes-core/images/cip-core-image-security.bb

Comments

Jan Kiszka July 27, 2020, 2:34 p.m. UTC | #1
On 27.07.20 13:41, venkata.pyla@toshiba-tsip.com wrote:
> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> 
> Identified security packages are added to the target image
> and that will be used for IEC-62443-4-2 evaluation
> 
> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
> ---
>   .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
>   1 file changed, 36 insertions(+)
>   create mode 100644 recipes-core/images/cip-core-image-security.bb
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> new file mode 100644
> index 0000000..a17c522
> --- /dev/null
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -0,0 +1,36 @@
> +#
> +# A reference image which includes security packages
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# Authors:
> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit image
> +
> +DESCRIPTION = "CIP Core image including security packages"
> +
> +IMAGE_INSTALL += "customizations"
> +
> +# Debian packages that provide security features
> +IMAGE_PREINSTALL += " \
> +	openssl libssl1.1 \
> +	fail2ban \
> +	openssh-server openssh-sftp-server openssh-client \
> +	syslog-ng-core syslog-ng-mod-journal \
> +	aide aide-common \
> +	libnftables0 nftables \
> +	libpam-pkcs11 \
> +	chrony \
> +	tpm2-tools \
> +	tpm2-abrmd \
> +	libtss2-esys0 libtss2-udev \
> +	libpam-cracklib \
> +	acl \
> +	libauparse0 audispd-plugins auditd \
> +	uuid-runtime \
> +	sudo \
> +"
> 

Still no CI for this. You can send that separately on top, the series 
looks fine otherwise.

Jan
Venkata Pyla July 29, 2020, 12:39 p.m. UTC | #2
On Mon, Jul 27, 2020 at 08:04 PM, Jan Kiszka wrote:

>
> On 27.07.20 13:41, venkata.pyla@toshiba-tsip.com wrote:
> > From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > 
> > Identified security packages are added to the target image
> > and that will be used for IEC-62443-4-2 evaluation
> > 
> > Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
> > ---
> >   .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
> >   1 file changed, 36 insertions(+)
> >   create mode 100644 recipes-core/images/cip-core-image-security.bb
> > 
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> b/recipes-core/images/cip-core-image-security.bb
> > new file mode 100644
> > index 0000000..a17c522
> > --- /dev/null
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -0,0 +1,36 @@
> > +#
> > +# A reference image which includes security packages
> > +#
> > +# Copyright (c) Toshiba Corporation, 2020
> > +#
> > +# Authors:
> > +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +inherit image
> > +
> > +DESCRIPTION = "CIP Core image including security packages"
> > +
> > +IMAGE_INSTALL += "customizations"
> > +
> > +# Debian packages that provide security features
> > +IMAGE_PREINSTALL += " \
> > +	openssl libssl1.1 \
> > +	fail2ban \
> > +	openssh-server openssh-sftp-server openssh-client \
> > +	syslog-ng-core syslog-ng-mod-journal \
> > +	aide aide-common \
> > +	libnftables0 nftables \
> > +	libpam-pkcs11 \
> > +	chrony \
> > +	tpm2-tools \
> > +	tpm2-abrmd \
> > +	libtss2-esys0 libtss2-udev \
> > +	libpam-cracklib \
> > +	acl \
> > +	libauparse0 audispd-plugins auditd \
> > +	uuid-runtime \
> > +	sudo \
> > +"
> > 
> 
> Still no CI for this. You can send that separately on top, the series 
> looks fine otherwise.
>

To add security image in gitlab-ci.yml i need some suggestions...
in deploy-cip-core script that is used in gitlab-ci is expecting *.wic image for copying the files, 
but because there is no wks file yet for QEMU it is not generating the image.

i think we should add wks file for the qemu target, can you guide me how to do that?

> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5046): https://lists.cip-project.org/g/cip-dev/message/5046
Mute This Topic: https://lists.cip-project.org/mt/75820361/4520428
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129116/1171672734/xyzzy  [patchwork-cip-dev@patchwork.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
Jan Kiszka July 29, 2020, 4:42 p.m. UTC | #3
On 29.07.20 14:39, Venkata Pyla wrote:
> On Mon, Jul 27, 2020 at 08:04 PM, Jan Kiszka wrote:
> 
>>
>> On 27.07.20 13:41, venkata.pyla@toshiba-tsip.com wrote:
>>> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>>
>>> Identified security packages are added to the target image
>>> and that will be used for IEC-62443-4-2 evaluation
>>>
>>> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> Signed-off-by: Venkata Pyla <venkata.pyla@toshiba-tsip.com>
>>> ---
>>>    .../images/cip-core-image-security.bb         | 36 +++++++++++++++++++
>>>    1 file changed, 36 insertions(+)
>>>    create mode 100644 recipes-core/images/cip-core-image-security.bb
>>>
>>> diff --git a/recipes-core/images/cip-core-image-security.bb
>> b/recipes-core/images/cip-core-image-security.bb
>>> new file mode 100644
>>> index 0000000..a17c522
>>> --- /dev/null
>>> +++ b/recipes-core/images/cip-core-image-security.bb
>>> @@ -0,0 +1,36 @@
>>> +#
>>> +# A reference image which includes security packages
>>> +#
>>> +# Copyright (c) Toshiba Corporation, 2020
>>> +#
>>> +# Authors:
>>> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +inherit image
>>> +
>>> +DESCRIPTION = "CIP Core image including security packages"
>>> +
>>> +IMAGE_INSTALL += "customizations"
>>> +
>>> +# Debian packages that provide security features
>>> +IMAGE_PREINSTALL += " \
>>> +	openssl libssl1.1 \
>>> +	fail2ban \
>>> +	openssh-server openssh-sftp-server openssh-client \
>>> +	syslog-ng-core syslog-ng-mod-journal \
>>> +	aide aide-common \
>>> +	libnftables0 nftables \
>>> +	libpam-pkcs11 \
>>> +	chrony \
>>> +	tpm2-tools \
>>> +	tpm2-abrmd \
>>> +	libtss2-esys0 libtss2-udev \
>>> +	libpam-cracklib \
>>> +	acl \
>>> +	libauparse0 audispd-plugins auditd \
>>> +	uuid-runtime \
>>> +	sudo \
>>> +"
>>>
>>
>> Still no CI for this. You can send that separately on top, the series
>> looks fine otherwise.
>>
> 
> To add security image in gitlab-ci.yml i need some suggestions...
> in deploy-cip-core script that is used in gitlab-ci is expecting *.wic image for copying the files,
> but because there is no wks file yet for QEMU it is not generating the image.
> 
> i think we should add wks file for the qemu target, can you guide me how to do that?

Such a wks file only makes sense when we switch QEMU to image-based 
booting, like Quirin does in [1].

For adding CI coverage to the security image, it would already be enough 
to just build it, skipping the deployment. Of course, if you'd like to 
feed the build result into automated testing, that needs deployment 
again, but possibly also more. So, let's postpone it until that is on 
the agenda of the day, I would say.

Jan

[1] https://lists.cip-project.org/g/cip-dev/message/4997
diff mbox series

Patch

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
new file mode 100644
index 0000000..a17c522
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,36 @@ 
+#
+# A reference image which includes security packages
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image
+
+DESCRIPTION = "CIP Core image including security packages"
+
+IMAGE_INSTALL += "customizations"
+
+# Debian packages that provide security features
+IMAGE_PREINSTALL += " \
+	openssl libssl1.1 \
+	fail2ban \
+	openssh-server openssh-sftp-server openssh-client \
+	syslog-ng-core syslog-ng-mod-journal \
+	aide aide-common \
+	libnftables0 nftables \
+	libpam-pkcs11 \
+	chrony \
+	tpm2-tools \
+	tpm2-abrmd \
+	libtss2-esys0 libtss2-udev \
+	libpam-cracklib \
+	acl \
+	libauparse0 audispd-plugins auditd \
+	uuid-runtime \
+	sudo \
+"