diff mbox series

[isar-cip-core] Kconfig: Refactor Kconfig options

Message ID 20240704091803.3250609-1-Shivanand.Kunijadar@toshiba-tsip.com (mailing list archive)
State Superseded
Headers show
Series [isar-cip-core] Kconfig: Refactor Kconfig options | expand

Commit Message

Shivanand Kunijadar July 4, 2024, 9:18 a.m. UTC
The security target should include both SWUpdate and Secure boot options
by default, so add the missing secure boot dependency in the security
option. Also enable kas-container menu in such way that user can select
individual features without security option.

Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
---
 Kconfig | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

Comments

Jan Kiszka July 4, 2024, 10:07 a.m. UTC | #1
On 04.07.24 11:18, Shivanand wrote:
> The security target should include both SWUpdate and Secure boot options
> by default, so add the missing secure boot dependency in the security
> option. Also enable kas-container menu in such way that user can select
> individual features without security option.

This is too unspecific.

> 
> Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
> ---
>  Kconfig | 23 ++++++++++++++---------
>  1 file changed, 14 insertions(+), 9 deletions(-)
> 
> diff --git a/Kconfig b/Kconfig
> index 96f590a..f73c8f2 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -163,11 +163,25 @@ if !KERNEL_4_4 && !KERNEL_4_19
>  config IMAGE_SECURITY
>  	bool "Security extensions"
>  	select IMAGE_SWUPDATE
> +	select IMAGE_SECURE_BOOT

Why is this change along not enough?

>  	select IMAGE_DATA_ENCRYPTION
>  	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
>  	help
>  	  This enables security, encryption, secureboot and swupdate for IEC 62443-4-2.
>  
> +config KAS_INCLUDE_SWUPDATE
> +	string
> +	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE
> +
> +config KAS_INCLUDE_SECURE_BOOT
> +        string0
> +        default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
> +
> +config IMAGE_SECURE_BOOT
> +        bool "Secure boot support"
> +	select IMAGE_SWUPDATE
> +        depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
> +

Inconsistent indention.

>  config KAS_INCLUDE_SECURITY
>  	string
>  	default "kas/opt/security.yml" if IMAGE_SECURITY
> @@ -189,15 +203,6 @@ config IMAGE_DELTA_SWUPDATE
>  
>  endchoice
>  
> -config IMAGE_SECURE_BOOT
> -	bool "Secure boot support"
> -	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
> -
> -config KAS_INCLUDE_SWUPDATE_SECBOOT
> -	string
> -	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> -	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
> -

These structures and dependencies exist for reasons. My feeling is that
you are breaking things, but maybe you just need to explain better what
you want to achieve (besides enforcing secure boot for the security image).

>  config KAS_INCLUDE_DELTA_UPDATE
>  	string
>  	default "kas/opt/delta-update.yml" if IMAGE_DELTA_SWUPDATE

Jan
Shivanand Kunijadar July 4, 2024, 11:37 a.m. UTC | #2
Hi Jan, 

Let me explain the reason behind this patch. 

My understanding is that the security image should include SWUpdate and Secure boot features by default. 
Re. https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commit/b95e256a5b05f87aab48b7bf3e7e4d8d45566ad3 

I found there are some minor issues as below, 

1. In the current menu when security extensions is selected, SWUpdate is enabled by default and secure boot is disabled. 
If I build with security extensions option, the build system is creating the image with secure boot enabled along with SWUpdate. The reason is security.yml internally includes "kas/opt/ebg-secure-boot-snakeoil.yml" kas option file. It is creating the wrong impression that the secure boot is disabled in the menu but in the final image it is enabled. 
So that is the reason, the secure boot is also enabled by default for security image now. 
> IMAGE_SECURITY
>  	bool "Security extensions"
>  	select IMAGE_SWUPDATE
> +	select IMAGE_SECURE_BOOT

2. In the current menu, there is no provision to select secure boot option without security extensions. It will show only when security extensions is selected.   

The patch changes will help to fix these issues. 

On top of my changes I confirmed things like,
- SWUpdate and Secure boot options are visible along with security extensions option in the menu. 
- User can select SWUpdate alone and  SWUpdate + secure boot features 
- SWUpdate and Secure boot features are enabled by default for security image    

> -config KAS_INCLUDE_SWUPDATE_SECBOOT
> -	string
> -	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> -	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT

While testing locally it was adding same .yml file multiple times to the final .config file which is not necessary, so I removed this structure to fix it.    

Kindly check and let me know your view on this. 

Thanks & Regards
Shivanand K

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka via lists.cip-project.org
Sent: Thursday, July 4, 2024 3:38 PM
To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options

On 04.07.24 11:18, Shivanand wrote:
> The security target should include both SWUpdate and Secure boot 
> options by default, so add the missing secure boot dependency in the 
> security option. Also enable kas-container menu in such way that user 
> can select individual features without security option.

This is too unspecific.

> 
> Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
> ---
>  Kconfig | 23 ++++++++++++++---------
>  1 file changed, 14 insertions(+), 9 deletions(-)
> 
> diff --git a/Kconfig b/Kconfig
> index 96f590a..f73c8f2 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -163,11 +163,25 @@ if !KERNEL_4_4 && !KERNEL_4_19  config 
> IMAGE_SECURITY
>  	bool "Security extensions"
>  	select IMAGE_SWUPDATE
> +	select IMAGE_SECURE_BOOT

Why is this change along not enough?

>  	select IMAGE_DATA_ENCRYPTION
>  	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
>  	help
>  	  This enables security, encryption, secureboot and swupdate for IEC 62443-4-2.
>  
> +config KAS_INCLUDE_SWUPDATE
> +	string
> +	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE
> +
> +config KAS_INCLUDE_SECURE_BOOT
> +        string0
> +        default "kas/opt/ebg-secure-boot-snakeoil.yml" if 
> +IMAGE_SECURE_BOOT
> +
> +config IMAGE_SECURE_BOOT
> +        bool "Secure boot support"
> +	select IMAGE_SWUPDATE
> +        depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || 
> +TARGET_QEMU_ARM || TARGET_X86_UEFI
> +

Inconsistent indention.

>  config KAS_INCLUDE_SECURITY
>  	string
>  	default "kas/opt/security.yml" if IMAGE_SECURITY @@ -189,15 +203,6 
> @@ config IMAGE_DELTA_SWUPDATE
>  
>  endchoice
>  
> -config IMAGE_SECURE_BOOT
> -	bool "Secure boot support"
> -	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
> -
> -config KAS_INCLUDE_SWUPDATE_SECBOOT
> -	string
> -	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> -	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
> -

These structures and dependencies exist for reasons. My feeling is that you are breaking things, but maybe you just need to explain better what you want to achieve (besides enforcing secure boot for the security image).

>  config KAS_INCLUDE_DELTA_UPDATE
>  	string
>  	default "kas/opt/delta-update.yml" if IMAGE_DELTA_SWUPDATE

Jan

--
Siemens AG, Technology
Linux Expert Center
Jan Kiszka July 4, 2024, 9:44 p.m. UTC | #3
On 04.07.24 13:37, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan, 
> 
> Let me explain the reason behind this patch. 
> 
> My understanding is that the security image should include SWUpdate and Secure boot features by default. 
> Re. https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commit/b95e256a5b05f87aab48b7bf3e7e4d8d45566ad3 
> 
> I found there are some minor issues as below, 
> 
> 1. In the current menu when security extensions is selected, SWUpdate is enabled by default and secure boot is disabled. 
> If I build with security extensions option, the build system is creating the image with secure boot enabled along with SWUpdate. The reason is security.yml internally includes "kas/opt/ebg-secure-boot-snakeoil.yml" kas option file. It is creating the wrong impression that the secure boot is disabled in the menu but in the final image it is enabled. 
> So that is the reason, the secure boot is also enabled by default for security image now. 

I still don't get what we need more than the select below to enforce
secure boot for the security image. When adding that change, it is
clearly visible what the security extensions imply.

>> IMAGE_SECURITY
>>  	bool "Security extensions"
>>  	select IMAGE_SWUPDATE
>> +	select IMAGE_SECURE_BOOT
> 
> 2. In the current menu, there is no provision to select secure boot option without security extensions. It will show only when security extensions is selected.   

This is not correct, check again.

> 
> The patch changes will help to fix these issues. 
> 
> On top of my changes I confirmed things like,
> - SWUpdate and Secure boot options are visible along with security extensions option in the menu. 
> - User can select SWUpdate alone and  SWUpdate + secure boot features 
> - SWUpdate and Secure boot features are enabled by default for security image    
> 
>> -config KAS_INCLUDE_SWUPDATE_SECBOOT
>> -	string
>> -	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
>> -	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
> 
> While testing locally it was adding same .yml file multiple times to the final .config file which is not necessary, so I removed this structure to fix it.    
> 

I can't follow. Please share the .config.yaml that was wrongly created
for you using current 'next'. It will both document which options you
selected and show the duplicate includes (if any).

Jan
Shivanand Kunijadar July 5, 2024, 6:06 a.m. UTC | #4
Hi Jan, 

Let me explain it through the pictures. These pictures taken on the next branch (commit: 507a6a70a7244a646165c1051668b855aeee9b5f) 

In pic-1.png, I don't see Secure boot option under Image features until I click on Security extensions. 

In pic-2.png, Security extensions is checked so SWUpdate is enabled by default but not Secure boot. A user may think here only SWUpdate is enabled in security image. I understand that internally it is including "ebg-secure-boot-snakeoil.yml" to enable secure boot for security image. There is no issue in build part(I mean proper .yml's are getting included for security image).  
 
I hope this will clear the doubts.   

> -config KAS_INCLUDE_SWUPDATE_SECBOOT
> -	string
> -	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> -	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT

When I made some changes locally to fix the above issues and later while testing I found this code snippet was adding duplicate .yml files.  

On top of my changes, I confirmed these yml files are getting included in the final .config.yml

[*] SWUpdate:   - kas/opt/ebg-swu.yml
[*] Secure boot: - kas/opt/ebg-swu.yml, kas/opt/ebg-secure-boot-snakeoil.yml 
[*] Security image: kas/opt/ebg-swu.yml, kas/opt/ebg-secure-boot-snakeoil.yml, kas/opt/security.yml, kas/opt/encrypt-data.yml

Thanks & Regards
Shivanand K

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Friday, July 5, 2024 3:14 AM
To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options

On 04.07.24 13:37, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan,
> 
> Let me explain the reason behind this patch. 
> 
> My understanding is that the security image should include SWUpdate and Secure boot features by default. 
> Re. 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commit/b95e256
> a5b05f87aab48b7bf3e7e4d8d45566ad3
> 
> I found there are some minor issues as below,
> 
> 1. In the current menu when security extensions is selected, SWUpdate is enabled by default and secure boot is disabled. 
> If I build with security extensions option, the build system is creating the image with secure boot enabled along with SWUpdate. The reason is security.yml internally includes "kas/opt/ebg-secure-boot-snakeoil.yml" kas option file. It is creating the wrong impression that the secure boot is disabled in the menu but in the final image it is enabled. 
> So that is the reason, the secure boot is also enabled by default for security image now. 

I still don't get what we need more than the select below to enforce secure boot for the security image. When adding that change, it is clearly visible what the security extensions imply.

>> IMAGE_SECURITY
>>  	bool "Security extensions"
>>  	select IMAGE_SWUPDATE
>> +	select IMAGE_SECURE_BOOT
> 
> 2. In the current menu, there is no provision to select secure boot option without security extensions. It will show only when security extensions is selected.   

This is not correct, check again.

> 
> The patch changes will help to fix these issues. 
> 
> On top of my changes I confirmed things like,
> - SWUpdate and Secure boot options are visible along with security extensions option in the menu. 
> - User can select SWUpdate alone and  SWUpdate + secure boot features 
> - SWUpdate and Secure boot features are enabled by default for security image    
> 
>> -config KAS_INCLUDE_SWUPDATE_SECBOOT
>> -	string
>> -	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
>> -	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
> 
> While testing locally it was adding same .yml file multiple times to the final .config file which is not necessary, so I removed this structure to fix it.    
> 

I can't follow. Please share the .config.yaml that was wrongly created for you using current 'next'. It will both document which options you selected and show the duplicate includes (if any).

Jan

--
Siemens AG, Technology
Linux Expert Center
Jan Kiszka July 5, 2024, 6:19 a.m. UTC | #5
On 05.07.24 08:06, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan, 
> 
> Let me explain it through the pictures. These pictures taken on the next branch (commit: 507a6a70a7244a646165c1051668b855aeee9b5f) 
> 
> In pic-1.png, I don't see Secure boot option under Image features until I click on Security extensions. 
> 

This is by design: We do not support secure boot without SWUpdate. While
is technically possible, our recipes and conf files are not preparted
for that. Therefore, you have to select SWUpdate first before being able
to choose also Secure Boot.

> In pic-2.png, Security extensions is checked so SWUpdate is enabled by default but not Secure boot. A user may think here only SWUpdate is enabled in security image. I understand that internally it is including "ebg-secure-boot-snakeoil.yml" to enable secure boot for security image. There is no issue in build part(I mean proper .yml's are getting included for security image).  
>  

Ok, it's getting clearer: kas/opt/security.yml includes
kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot
while the kconfig menu suggests that it can be disabled as well. That
should be fixed visually by selecting secure boot in Kconfig.

Now, if you enable (or select) secure boot for the security image, you
include kas/opt/ebg-secure-boot-snakeoil.yml (and kas/opt/swupdate.yml
as well as kas/opt/swupdate.yml) once again. This looks redundant but is
actually harmless because the statements in those kas files are
automatically de-duplicated by kas. Just check the effective
build/conf/local.conf.

Jan
Shivanand Kunijadar July 5, 2024, 6:57 a.m. UTC | #6
Hi Jan, 

> This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. 

Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default.    

> Ok, it's getting clearer: kas/opt/security.yml includes kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while 
> the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig.

> Now, if you enable (or select) secure boot for the security image, you include kas/opt/ebg-secure-boot-snakeoil.yml (and 
> kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the 
> statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf.

Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. 

You can ignore the patch, sorry for the inconvenience.    

Thanks & Regards
Shivanand K

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Friday, July 5, 2024 11:49 AM
To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options

On 05.07.24 08:06, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan,
> 
> Let me explain it through the pictures. These pictures taken on the 
> next branch (commit: 507a6a70a7244a646165c1051668b855aeee9b5f)
> 
> In pic-1.png, I don't see Secure boot option under Image features until I click on Security extensions. 
> 

This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot.

> In pic-2.png, Security extensions is checked so SWUpdate is enabled by default but not Secure boot. A user may think here only SWUpdate is enabled in security image. I understand that internally it is including "ebg-secure-boot-snakeoil.yml" to enable secure boot for security image. There is no issue in build part(I mean proper .yml's are getting included for security image).  
>  

Ok, it's getting clearer: kas/opt/security.yml includes kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig.

Now, if you enable (or select) secure boot for the security image, you include kas/opt/ebg-secure-boot-snakeoil.yml (and kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf.

Jan

--
Siemens AG, Technology
Linux Expert Center
Jan Kiszka July 5, 2024, 7:17 a.m. UTC | #7
On 05.07.24 08:57, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan, 
> 
>> This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. 
> 
> Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default.    
> 
>> Ok, it's getting clearer: kas/opt/security.yml includes kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while 
>> the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig.
> 
>> Now, if you enable (or select) secure boot for the security image, you include kas/opt/ebg-secure-boot-snakeoil.yml (and 
>> kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the 
>> statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf.
> 
> Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. 
> 
> You can ignore the patch, sorry for the inconvenience.    
> 

Not really: we should still select secure boot from the security image.

Jan
Shivanand Kunijadar July 5, 2024, 7:23 a.m. UTC | #8
Hi Jan, 

> Not really: we should still select secure boot from the security image. 

You mean the below change is still valid? if so, I will send the v2 patch for this change only. 

config IMAGE_SECURITY
        bool "Security extensions"
        select IMAGE_SWUPDATE
+       select IMAGE_SECURE_BOOT
        select IMAGE_DATA_ENCRYPTION
        depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI

Thanks & Regards
Shivanand K 

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Friday, July 5, 2024 12:47 PM
To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options

On 05.07.24 08:57, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan,
> 
>> This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. 
> 
> Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default.    
> 
>> Ok, it's getting clearer: kas/opt/security.yml includes 
>> kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig.
> 
>> Now, if you enable (or select) secure boot for the security image, 
>> you include kas/opt/ebg-secure-boot-snakeoil.yml (and 
>> kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf.
> 
> Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. 
> 
> You can ignore the patch, sorry for the inconvenience.    
> 

Not really: we should still select secure boot from the security image.

Jan

--
Siemens AG, Technology
Linux Expert Center
Jan Kiszka July 5, 2024, 7:33 a.m. UTC | #9
On 05.07.24 09:23, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan, 
> 
>> Not really: we should still select secure boot from the security image. 
> 
> You mean the below change is still valid? if so, I will send the v2 patch for this change only. 
> 
> config IMAGE_SECURITY
>         bool "Security extensions"
>         select IMAGE_SWUPDATE
> +       select IMAGE_SECURE_BOOT
>         select IMAGE_DATA_ENCRYPTION
>         depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
> 

Sure!

Jan

> Thanks & Regards
> Shivanand K 
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> 
> Sent: Friday, July 5, 2024 12:47 PM
> To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [cip-dev] [isar-cip-core] Kconfig: Refactor Kconfig options
> 
> On 05.07.24 08:57, Shivanand.Kunijadar@toshiba-tsip.com wrote:
>> Hi Jan,
>>
>>> This is by design: We do not support secure boot without SWUpdate. While is technically possible, our recipes and conf files are not preparted for that. Therefore, you have to select SWUpdate first before being able to choose also Secure Boot. 
>>
>> Ok, thanks. It is clear now why secure boot option is not showing in Kconfig menu by default.    
>>
>>> Ok, it's getting clearer: kas/opt/security.yml includes 
>>> kas/opt/ebg-secure-boot-snakeoil.yml, thus already enforces secure boot while the kconfig menu suggests that it can be disabled as well. That should be fixed visually by selecting secure boot in Kconfig.
>>
>>> Now, if you enable (or select) secure boot for the security image, 
>>> you include kas/opt/ebg-secure-boot-snakeoil.yml (and 
>>> kas/opt/swupdate.yml as well as kas/opt/swupdate.yml) once again. This looks redundant but is actually harmless because the statements in those kas files are automatically de-duplicated by kas. Just check the effective build/conf/local.conf.
>>
>> Understood, then there is no issue if it includes redundant yml files as it will be handled by kas. 
>>
>> You can ignore the patch, sorry for the inconvenience.    
>>
> 
> Not really: we should still select secure boot from the security image.
> 
> Jan
> 
> --
> Siemens AG, Technology
> Linux Expert Center
diff mbox series

Patch

diff --git a/Kconfig b/Kconfig
index 96f590a..f73c8f2 100644
--- a/Kconfig
+++ b/Kconfig
@@ -163,11 +163,25 @@  if !KERNEL_4_4 && !KERNEL_4_19
 config IMAGE_SECURITY
 	bool "Security extensions"
 	select IMAGE_SWUPDATE
+	select IMAGE_SECURE_BOOT
 	select IMAGE_DATA_ENCRYPTION
 	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
 	help
 	  This enables security, encryption, secureboot and swupdate for IEC 62443-4-2.
 
+config KAS_INCLUDE_SWUPDATE
+	string
+	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE
+
+config KAS_INCLUDE_SECURE_BOOT
+        string
+        default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+
+config IMAGE_SECURE_BOOT
+        bool "Secure boot support"
+	select IMAGE_SWUPDATE
+        depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
+
 config KAS_INCLUDE_SECURITY
 	string
 	default "kas/opt/security.yml" if IMAGE_SECURITY
@@ -189,15 +203,6 @@  config IMAGE_DELTA_SWUPDATE
 
 endchoice
 
-config IMAGE_SECURE_BOOT
-	bool "Secure boot support"
-	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI
-
-config KAS_INCLUDE_SWUPDATE_SECBOOT
-	string
-	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
-	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
-
 config KAS_INCLUDE_DELTA_UPDATE
 	string
 	default "kas/opt/delta-update.yml" if IMAGE_DELTA_SWUPDATE