From patchwork Fri Jun 26 06:44:16 2020
X-Patchwork-Submitter: Venkata Pyla
X-Patchwork-Id: 11626601
From: "venkata"
To: "cip-dev@lists.cip-project.org"
CC: "cip-security@lists.cip-project.org"
Subject: [cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security
Date: Fri, 26 Jun 2020 06:44:16 +0000
Message-ID: <3ec242c02a3948fe9194df2517cbe0ad@toshiba-tsip.com>

From: Kazuhiro Hayashi kazuhiro3.hayashi@toshiba.co.jp

opt-security.yml: Sample settings to install security packages
Signed-off-by: Kazuhiro Hayashi
---
 SECURITY.md      | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
 opt-security.yml | 34 +++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 SECURITY.md
 create mode 100644 opt-security.yml
--
2.20.1

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..a8bccc7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,52 @@ +How to customize images for security features +============================================= + +This is the "temporal" document about how to create and use +the CIP Core generic profile images for security feature evaluation. + +Official manuals +---------------- + +* isar-cip-core: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md +* ISAR User Manual: https://github.com/ilbers/isar/blob/master/doc/user_manual.md + +Assumed environment +------------------- + +* isar-cip-core: master branch +* Host: Debian 10 buster amd64 + * Installed packages: `docker-ce`, `qemu-system` + * Users who does the following actions must be in the groups `docker` and `kvm` + +Create kas file +--------------- + +Create a kas file named `opt-security.yml` to add security settings. + +Add security packages to rootfs +------------------------------- + +Set `IMAGE_PREINSTALL` to the list of packages required to enable +the security features. This variable can be set through the kas file. + +Example: + +``` +local_conf_header: + security: | + IMAGE_PREINSTALL = "openssl" +``` + +Build images +------------ + +Build images for QEMU x86 64bit machine: + + $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml + +Run on QEMU +----------- + +Run the generated images on QEMU (x86 64bit). + + $ ./start-qemu.sh amd64 diff --git a/opt-security.yml b/opt-security.yml new file mode 100644 index 0000000..7c6b39c --- /dev/null +++ b/opt-security.yml 
@@ -0,0 +1,34 @@ +# +# KAS configuration for CIP Core generic profile to enable security features +# +# Copyright (c) Toshiba Corporation, 2020 +# +# Authors: +# Kazuhiro Hayashi +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +local_conf_header: + security: | + # TODO: Add sudo or sudo-ldap + IMAGE_PREINSTALL = "\ + openssl libssl1.1 \ + fail2ban \ + openssh-server openssh-sftp-server openssh-client \ + syslog-ng-core syslog-ng-mod-journal \ + aide aide-common \ + libnftables0 nftables \ + libpam-pkcs11 \ + chrony \ + tpm2-tools \ + tpm2-abrmd \ + libtss2-esys0 libtss2-udev \ + libpam-cracklib \ + acl \ + libauparse0 audispd-plugins auditd \ + uuid-runtime \ + " \ No newline at end of file
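Review bot: In the SECURITY.md hunk, the "Create kas file" section tells the reader to create `opt-security.yml`, but this same patch adds that file to the tree, so the step should say the file is provided and only needs to be appended to the kas include list (`kas.yml:board-qemu-amd64.yml:opt-security.yml`). The isar-cip-core link under "Official manuals" points at a personal fork (`gitlab.com/zuka0828/isar-cip-core`) rather than the project's upstream repository and should be corrected before merge. Spelling: "temporal" should be "temporary", and "Users who does" should be "Users who do". The document also only shows how to get packages onto the rootfs; one sentence stating that fail2ban, aide (database initialisation), auditd (rules) and nftables (ruleset) do nothing until configured would stop a reader from treating the resulting image as hardened.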
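Review bot: In the opt-security.yml hunk, `IMAGE_PREINSTALL = "\ ... "` inside `local_conf_header` replaces any value set by kas.yml, the board file or the image recipe instead of adding to it, so including this file silently drops whatever those already install; `IMAGE_PREINSTALL += "..."` is the safer form, or SECURITY.md should state that this file is meant to be the only setter of the variable. The list also names SONAME-versioned libraries explicitly (`libssl1.1`, `libnftables0`, `libtss2-esys0`, `libauparse0`); apt pulls these in as dependencies of `openssl`, `nftables`, `tpm2-tools` and `auditd`, and naming them pins the file to one Debian release. `tpm2-abrmd` has nothing to talk to without a TPM on the target, and the QEMU amd64 image that SECURITY.md builds and runs does not attach one, so either document that limitation or describe how to provide an emulated TPM to QEMU. Finally, the `# TODO: Add sudo or sudo-ldap` comment should be resolved or moved to the cover letter, and the file is missing its trailing newline.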