From patchwork Mon Jul 27 11:41:33 2020
X-Patchwork-Submitter: Venkata Pyla
X-Patchwork-Id: 11686769
From: "Venkata Pyla"
To:
CC: Kazuhiro Hayashi, Venkata Pyla
Subject: [cip-dev] [isar-cip-core 1/3] cip-security: Add packages for IEC-62443-4-2 evaluation
Date: Mon, 27 Jul 2020 17:11:33 +0530
Message-ID: <20200727114135.368-2-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200727114135.368-1-venkata.pyla@toshiba-tsip.com>
References: <20200727114135.368-1-venkata.pyla@toshiba-tsip.com>
Sender: cip-dev@lists.cip-project.org
Reply-To: cip-dev@lists.cip-project.org

From: Kazuhiro Hayashi

Identified security packages are added to the target image, which will be used for IEC-62443-4-2 evaluation.

Signed-off-by: Kazuhiro Hayashi
Signed-off-by: Venkata Pyla
---
 .../images/cip-core-image-security.bb | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 recipes-core/images/cip-core-image-security.bb

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
new file mode 100644
index 0000000..a17c522
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,36 @@ +# +# A reference image which includes security packages +# +# Copyright (c) Toshiba Corporation, 2020 +# +# Authors: +# Kazuhiro Hayashi +# +# SPDX-License-Identifier: MIT +# + +inherit image + +DESCRIPTION = "CIP Core image including security packages" + +IMAGE_INSTALL += "customizations" + +# Debian packages that provide security features +IMAGE_PREINSTALL += " \ + openssl libssl1.1 \ + fail2ban \ + openssh-server openssh-sftp-server openssh-client \ + syslog-ng-core syslog-ng-mod-journal \ + aide aide-common \ + libnftables0 nftables \ + libpam-pkcs11 \ + chrony \ + tpm2-tools \ + tpm2-abrmd \ + libtss2-esys0 libtss2-udev \ + libpam-cracklib \ + acl \ + libauparse0 audispd-plugins auditd \ + uuid-runtime \ + sudo \ +"

From patchwork Mon Jul 27 11:41:34 2020
X-Patchwork-Submitter: Venkata Pyla
X-Patchwork-Id: 11686773
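Review bot: the IMAGE_PREINSTALL list in this hunk names ABI-versioned library packages (libssl1.1, libnftables0, libtss2-esys0, libauparse0) that apt pulls in anyway as dependencies of openssl, nftables, tpm2-tools and auditd; listing them explicitly ties the recipe to buster's sonames and the build will fail on a later Debian release where those package names no longer exist, so drop them and keep only the leaf packages. A second point: the recipe installs packages but configures nothing, so openssh-server, fail2ban, nftables, auditd and aide will come up with Debian's stock (or empty) configuration and an IEC-62443-4-2 evaluation of this image measures the defaults rather than a hardened profile; either say so in DESCRIPTION or pair the recipe with configuration (sshd_config, an nftables ruleset, audit rules) in a follow-up.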
From: "Venkata Pyla"
To:
CC: Venkata Pyla
Subject: [cip-dev] [isar-cip-core 2/3] start-qemu.sh: Use 'TARGET_IMAGE' to pick respective image file
Date: Mon, 27 Jul 2020 17:11:34 +0530
Message-ID: <20200727114135.368-3-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200727114135.368-1-venkata.pyla@toshiba-tsip.com>
References: <20200727114135.368-1-venkata.pyla@toshiba-tsip.com>
Sender: cip-dev@lists.cip-project.org
Reply-To: cip-dev@lists.cip-project.org

From: Venkata Pyla

Use 'TARGET_IMAGE' to pick the respective image file when starting qemu.
By default 'TARGET_IMAGE' uses "cip-core-image".
To pick a different target image, set the 'TARGET_IMAGE' variable as below, e.g.:

  $TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64

Signed-off-by: Venkata Pyla
---
 start-qemu.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..5c17d74 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -75,7 +75,11 @@ if [ -z "${DISTRO_RELEASE}" ]; then DISTRO_RELEASE="buster" fi -IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}" +if [ -z "${TARGET_IMAGE}" ]; then + TARGET_IMAGE="cip-core-image" +fi + +IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}" IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) if [ -z "${DISPLAY}" ]; then

From patchwork Mon Jul 27 11:41:35 2020
X-Patchwork-Submitter: Venkata Pyla
X-Patchwork-Id: 11686775
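Review bot: the new TARGET_IMAGE value is interpolated into IMAGE_PREFIX without any check, and the unchanged `IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)` that follows only emits ls's error and leaves IMAGE_FILE empty, so a mistyped TARGET_IMAGE (or an image that was never built) surfaces as a confusing qemu failure further down. Suggest validating right after the assignment, e.g. `if [ ! -f "${IMAGE_PREFIX}.ext4.img" ]; then echo "no image for TARGET_IMAGE=${TARGET_IMAGE}: ${IMAGE_PREFIX}.ext4.img" >&2; exit 1; fi`. The if/-z block mirrors the DISTRO_RELEASE default above it, which is consistent, but since TARGET_IMAGE is now a user-facing knob its default should be documented next to the other variables the script reads (3/3 touches the README, so that is the place).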
From: "Venkata Pyla"
To:
CC: Venkata Pyla
Subject: [cip-dev] [isar-cip-core 3/3] README: Add steps to build cip-security image
Date: Mon, 27 Jul 2020 17:11:35 +0530
Message-ID: <20200727114135.368-4-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200727114135.368-1-venkata.pyla@toshiba-tsip.com>
References: <20200727114135.368-1-venkata.pyla@toshiba-tsip.com>
Sender: cip-dev@lists.cip-project.org
Reply-To: cip-dev@lists.cip-project.org

From: Venkata Pyla

Signed-off-by: Venkata Pyla
---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 59a014b..26fbbef 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,16 @@ card, run dd if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img \ of=/dev/ bs=1M status=progress +## Building Security target images +Building images for QEMU x86-64bit machine + + ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml + +Run the generated securiy images on QEMU (x86-64bit) + + TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64 + + ## Community Resources TBD
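Review bot: typo in the added README text, "securiy images" should read "security images", and "QEMU x86-64bit machine" reads better as "QEMU x86-64 machine". The new section also ends with two blank lines before "## Community Resources" where one is enough, and it would help the reader to state that TARGET_IMAGE defaults to cip-core-image when unset, since that is the behaviour 2/3 introduces. Separately, the commit message is empty apart from the Signed-off-by; a one-line description of what the README gains would be good.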