[isar-cip-core] security.yml: Add additional features to security image

Message ID 20230712113153.1194397-1-Sai.Sathujoda@toshiba-tsip.com (mailing list archive)
State Changes Requested

Commit Message

Sai.Sathujoda@toshiba-tsip.com July 12, 2023, 11:31 a.m. UTC
From: Sai <Sai.Sathujoda@toshiba-tsip.com>

From an IEC certification perspective, a security image is needed which has the below features along with security customizations.
1. Data encryption (CR4.1)
2. Secure boot (EDR 3.14)
3. SWupdate (NDR 3.10)

The config.yaml will not have the extra enabled features as true. Hence they
should be passed in the image run command.

Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
---
 doc/README.security-testing.md | 2 +-
 kas/opt/security.yml           | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

Comments

Jan Kiszka July 13, 2023, 5:32 p.m. UTC | #1
On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
> 
> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
> 1. Data encryption (CR4.1)
> 2. Secure boot (EDR 3.14)
> 3. SWupdate (NDR 3.10)
> 
> The config.yaml will not have the extra enabled features as true. Hence they
> should be passed in the image run command.
> 
> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
> ---
>  doc/README.security-testing.md | 2 +-
>  kas/opt/security.yml           | 3 +++
>  2 files changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md
> index c9540be..97000da 100644
> --- a/doc/README.security-testing.md
> +++ b/doc/README.security-testing.md
> @@ -33,7 +33,7 @@ Save & Build
>  ```
>  # Boot the Linux image
>  ```
> -host$ ./start-qemu.sh x86
> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>  ```
>  
>  # Copy security tests in to the Linux image
> diff --git a/kas/opt/security.yml b/kas/opt/security.yml
> index 1f3745b..b21f330 100644
> --- a/kas/opt/security.yml
> +++ b/kas/opt/security.yml
> @@ -10,6 +10,9 @@
>  #
>  header:
>    version: 12
> +  includes:
> +    - kas/opt/encrypt-partitions.yml
> +    - kas/opt/ebg-secure-boot-snakeoil.yml
>  
>  target: cip-core-image-security
>  

Thanks, still applied for the release.

Jan
Jan Kiszka July 14, 2023, 6:10 a.m. UTC | #2
On 13.07.23 19:32, Jan Kiszka wrote:
> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>
>> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
>> 1. Data encryption (CR4.1)
>> 2. Secure boot (EDR 3.14)
>> 3. SWupdate (NDR 3.10)
>>
>> The config.yaml will not have the extra enabled features as true. Hence they
>> should be passed in the image run command.
>>
>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>> ---
>>  doc/README.security-testing.md | 2 +-
>>  kas/opt/security.yml           | 3 +++
>>  2 files changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md
>> index c9540be..97000da 100644
>> --- a/doc/README.security-testing.md
>> +++ b/doc/README.security-testing.md
>> @@ -33,7 +33,7 @@ Save & Build
>>  ```
>>  # Boot the Linux image
>>  ```
>> -host$ ./start-qemu.sh x86
>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>>  ```
>>  
>>  # Copy security tests in to the Linux image
>> diff --git a/kas/opt/security.yml b/kas/opt/security.yml
>> index 1f3745b..b21f330 100644
>> --- a/kas/opt/security.yml
>> +++ b/kas/opt/security.yml
>> @@ -10,6 +10,9 @@
>>  #
>>  header:
>>    version: 12
>> +  includes:
>> +    - kas/opt/encrypt-partitions.yml
>> +    - kas/opt/ebg-secure-boot-snakeoil.yml
>>  
>>  target: cip-core-image-security
>>  
> 
> Thanks, still applied for the release.
> 

Artifact upload was broken by this. And the should still adjust Kconfig
to reflect the implicit selection of security.yml.

I'm dropping this for now, it's more complicated, likely too much for
this release.

Jan
Sai.Sathujoda@toshiba-tsip.com July 17, 2023, 7:37 a.m. UTC | #3
Hi Jan,

So you mean to say that the Kconfig file needs to be modified so that the extra features are selected when Security extensions is selected?

Regards,
Sai Ashrith (T S I P)

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Friday, July 14, 2023 11:40 AM
To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] security.yml: Add additional features to security image

On 13.07.23 19:32, Jan Kiszka wrote:
> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>
>> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
>> 1. Data encryption (CR4.1)
>> 2. Secure boot (EDR 3.14)
>> 3. SWupdate (NDR 3.10)
>>
>> The config.yaml will not have the extra enabled features as true. 
>> Hence they should be passed in the image run command.
>>
>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>> ---
>>  doc/README.security-testing.md | 2 +-
>>  kas/opt/security.yml           | 3 +++
>>  2 files changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.security-testing.md 
>> b/doc/README.security-testing.md index c9540be..97000da 100644
>> --- a/doc/README.security-testing.md
>> +++ b/doc/README.security-testing.md
>> @@ -33,7 +33,7 @@ Save & Build
>>  ```
>>  # Boot the Linux image
>>  ```
>> -host$ ./start-qemu.sh x86
>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>>  ```
>>  
>>  # Copy security tests in to the Linux image diff --git 
>> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 
>> 100644
>> --- a/kas/opt/security.yml
>> +++ b/kas/opt/security.yml
>> @@ -10,6 +10,9 @@
>>  #
>>  header:
>>    version: 12
>> +  includes:
>> +    - kas/opt/encrypt-partitions.yml
>> +    - kas/opt/ebg-secure-boot-snakeoil.yml
>>  
>>  target: cip-core-image-security
>>  
> 
> Thanks, still applied for the release.
> 

Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.

I'm dropping this for now, it's more complicated, likely too much for this release.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux
Jan Kiszka July 17, 2023, 7:52 a.m. UTC | #4
On 17.07.23 09:37, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
> 
> So you mean to say that, Kconfig file needs to modified so that the extra features are selected when Security extensions is selected ?
> 

For example. Or make them invisible.

Jan

> Regards,
> Sai Ashrith (T S I P)
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> 
> Sent: Friday, July 14, 2023 11:40 AM
> To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] security.yml: Add additional features to security image
> 
> On 13.07.23 19:32, Jan Kiszka wrote:
>> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
>>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>>
>>> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
>>> 1. Data encryption (CR4.1)
>>> 2. Secure boot (EDR 3.14)
>>> 3. SWupdate (NDR 3.10)
>>>
>>> The config.yaml will not have the extra enabled features as true. 
>>> Hence they should be passed in the image run command.
>>>
>>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>> ---
>>>  doc/README.security-testing.md | 2 +-
>>>  kas/opt/security.yml           | 3 +++
>>>  2 files changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/doc/README.security-testing.md 
>>> b/doc/README.security-testing.md index c9540be..97000da 100644
>>> --- a/doc/README.security-testing.md
>>> +++ b/doc/README.security-testing.md
>>> @@ -33,7 +33,7 @@ Save & Build
>>>  ```
>>>  # Boot the Linux image
>>>  ```
>>> -host$ ./start-qemu.sh x86
>>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>>>  ```
>>>  
>>>  # Copy security tests in to the Linux image diff --git 
>>> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 
>>> 100644
>>> --- a/kas/opt/security.yml
>>> +++ b/kas/opt/security.yml
>>> @@ -10,6 +10,9 @@
>>>  #
>>>  header:
>>>    version: 12
>>> +  includes:
>>> +    - kas/opt/encrypt-partitions.yml
>>> +    - kas/opt/ebg-secure-boot-snakeoil.yml
>>>  
>>>  target: cip-core-image-security
>>>  
>>
>> Thanks, still applied for the release.
>>
> 
> Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.
> 
> I'm dropping this for now, it's more complicated, likely too much for this release.
> 
> Jan
> 
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
Sai.Sathujoda@toshiba-tsip.com Aug. 3, 2023, 4:19 a.m. UTC | #5
Hi Jan,

Since the artifact upload is failing in CI with an initrd image name mismatch if we include the additional feature related .yml files in security.yml, can we consider switching back to this patch https://lists.cip-project.org/g/cip-dev/message/12304 or do you expect any other changes?

Thanks and regards,
Sai Ashrith

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Friday, July 14, 2023 11:40 AM
To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] security.yml: Add additional features to security image

On 13.07.23 19:32, Jan Kiszka wrote:
> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>
>> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
>> 1. Data encryption (CR4.1)
>> 2. Secure boot (EDR 3.14)
>> 3. SWupdate (NDR 3.10)
>>
>> The config.yaml will not have the extra enabled features as true. 
>> Hence they should be passed in the image run command.
>>
>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>> ---
>>  doc/README.security-testing.md | 2 +-
>>  kas/opt/security.yml           | 3 +++
>>  2 files changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.security-testing.md 
>> b/doc/README.security-testing.md index c9540be..97000da 100644
>> --- a/doc/README.security-testing.md
>> +++ b/doc/README.security-testing.md
>> @@ -33,7 +33,7 @@ Save & Build
>>  ```
>>  # Boot the Linux image
>>  ```
>> -host$ ./start-qemu.sh x86
>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>>  ```
>>  
>>  # Copy security tests in to the Linux image diff --git 
>> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 
>> 100644
>> --- a/kas/opt/security.yml
>> +++ b/kas/opt/security.yml
>> @@ -10,6 +10,9 @@
>>  #
>>  header:
>>    version: 12
>> +  includes:
>> +    - kas/opt/encrypt-partitions.yml
>> +    - kas/opt/ebg-secure-boot-snakeoil.yml
>>  
>>  target: cip-core-image-security
>>  
> 
> Thanks, still applied for the release.
> 

Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.

I'm dropping this for now, it's more complicated, likely too much for this release.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux
Jan Kiszka Aug. 10, 2023, 10:31 a.m. UTC | #6
On 03.08.23 06:19, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
> 
> Since the artifact upload is failing in CI with initrd image name mismatch if we include the additional feature related .yml files in security.yml, can we consider switching back to this patch https://lists.cip-project.org/g/cip-dev/message/12304 or do you expect any other changes ?
> 

Just fix things and *also* adjust Kconfig as written below.

Jan

> Thanks and regards,
> Sai Ashrith
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> 
> Sent: Friday, July 14, 2023 11:40 AM
> To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] security.yml: Add additional features to security image
> 
> On 13.07.23 19:32, Jan Kiszka wrote:
>> On 12.07.23 13:31, Sai.Sathujoda@toshiba-tsip.com wrote:
>>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>>
>>> From IEC certification perspective, a security image is needed which has the below features along with security customizations.
>>> 1. Data encryption (CR4.1)
>>> 2. Secure boot (EDR 3.14)
>>> 3. SWupdate (NDR 3.10)
>>>
>>> The config.yaml will not have the extra enabled features as true. 
>>> Hence they should be passed in the image run command.
>>>
>>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>> ---
>>>  doc/README.security-testing.md | 2 +-
>>>  kas/opt/security.yml           | 3 +++
>>>  2 files changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/doc/README.security-testing.md 
>>> b/doc/README.security-testing.md index c9540be..97000da 100644
>>> --- a/doc/README.security-testing.md
>>> +++ b/doc/README.security-testing.md
>>> @@ -33,7 +33,7 @@ Save & Build
>>>  ```
>>>  # Boot the Linux image
>>>  ```
>>> -host$ ./start-qemu.sh x86
>>> +host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
>>>  ```
>>>  
>>>  # Copy security tests in to the Linux image diff --git 
>>> a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..b21f330 
>>> 100644
>>> --- a/kas/opt/security.yml
>>> +++ b/kas/opt/security.yml
>>> @@ -10,6 +10,9 @@
>>>  #
>>>  header:
>>>    version: 12
>>> +  includes:
>>> +    - kas/opt/encrypt-partitions.yml
>>> +    - kas/opt/ebg-secure-boot-snakeoil.yml
>>>  
>>>  target: cip-core-image-security
>>>  
>>
>> Thanks, still applied for the release.
>>
> 
> Artifact upload was broken by this. And the should still adjust Kconfig to reflect the implicit selection of security.yml.
> 
> I'm dropping this for now, it's more complicated, likely too much for this release.
> 
> Jan
> 
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
Patch

diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md
index c9540be..97000da 100644
--- a/doc/README.security-testing.md
+++ b/doc/README.security-testing.md
@@ -33,7 +33,7 @@  Save & Build
 ```
 # Boot the Linux image
 ```
-host$ ./start-qemu.sh x86
+host$ SECURE_BOOT="true" TPM2_ENCRYPTION="true" ./start-qemu.sh x86
 ```
 
 # Copy security tests in to the Linux image
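
Review bot: The new `host$` line sets SECURE_BOOT and TPM2_ENCRYPTION without any explanation, so a reader of the README cannot tell that both are now required to boot this image rather than optional extras. Add a sentence above the command saying that the security image now includes partition encryption and secure boot and that start-qemu.sh must be given both variables; the rationale in the commit message ("The config.yaml will not have the extra enabled features as true") belongs in the README as well, since that is where someone running the tests will look.
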
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
index 1f3745b..b21f330 100644
--- a/kas/opt/security.yml
+++ b/kas/opt/security.yml
@@ -10,6 +10,9 @@ 
 #
 header:
   version: 12
+  includes:
+    - kas/opt/encrypt-partitions.yml
+    - kas/opt/ebg-secure-boot-snakeoil.yml
 
 target: cip-core-image-security
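
Review bot: The added `includes:` list covers only two of the three features named in the commit message: encrypt-partitions.yml for data encryption and ebg-secure-boot-snakeoil.yml for secure boot, with nothing for SWupdate (NDR 3.10). Either add the corresponding include or state in the commit message why none is needed. The secure boot include is the snakeoil variant by its name, which indicates test keys, so a comment next to it saying so would help anyone treating this image as certification evidence. As raised in the thread, Kconfig should be adjusted in the same patch so that the menu reflects the options security.yml now selects implicitly.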