From patchwork Wed Aug 30 04:41:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13369955 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 70F0FC6FA8F for ; Wed, 30 Aug 2023 04:41:30 +0000 (UTC) Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.132]) by mx.groups.io with SMTP id smtpd.web10.7098.1693370481547353415 for ; Tue, 29 Aug 2023 21:41:22 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.132, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1121) id 37U4fJkQ3253075; Wed, 30 Aug 2023 13:41:20 +0900 X-Iguazu-Qid: 2rWgoVec2D0oz0eZ7e X-Iguazu-QSIG: v=2; s=0; t=1693370479; q=2rWgoVec2D0oz0eZ7e; m=Es92qf8ik2lQ7B5wkieKsgUp91auIj2IbXB3HsTUoCc= Received: from imx12-a.toshiba.co.jp ([38.106.60.135]) by relay.securemx.jp (mx-mr1120) id 37U4fIUV1003217 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 30 Aug 2023 13:41:18 +0900 
From: Sai.Sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 1/3] Kconfig: Opt additional IEC 62443-4-2 features when security option is selected Date: Wed, 30 Aug 2023 10:11:13 +0530 X-TSB-HOP2: ON Message-Id: <20230830044115.1112349-2-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230830044115.1112349-1-Sai.Sathujoda@toshiba-tsip.com> References: <20230830044115.1112349-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 30 Aug 2023 04:41:16.0087 (UTC) FILETIME=[363F4470:01D9DAFC] List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Aug 2023 04:41:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12903 From: Sai Data encryption, Secureboot and Swupdate options will be automatically selected when security extensions is selected. Signed-off-by: Sai --- Kconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Kconfig b/Kconfig index ec49631..75d6ba4 100644 --- a/Kconfig +++ b/Kconfig 
@@ -170,6 +170,9 @@ config KAS_INCLUDE_IMAGE_FORMAT config IMAGE_SECURITY bool "Security extensions" + select IMAGE_DATA_ENCRYPTION + help + This enables security, encrpytion, secureboot and swupdate for IEC 62443-4-2. config KAS_INCLUDE_SECURITY string From patchwork Wed Aug 30 04:41:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13369957 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77924C83F18 for ; Wed, 30 Aug 2023 04:41:30 +0000 (UTC) Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.131]) by mx.groups.io with SMTP id smtpd.web11.7006.1693370482003039612 for ; Tue, 29 Aug 2023 21:41:22 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.131, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1120) id 37U4fK803197270; Wed, 30 Aug 2023 13:41:20 +0900 X-Iguazu-Qid: 2rWgJRkMVnDRxnCCsl X-Iguazu-QSIG: v=2; s=0; t=1693370479; q=2rWgJRkMVnDRxnCCsl; m=k/J2nY7ce+ustnGnItc/xHIEi79PvdDS9ZkaRYPuJaY= Received: from imx12-a.toshiba.co.jp ([38.106.60.135]) by relay.securemx.jp (mx-mr1123) id 37U4fIuM505392 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 30 Aug 2023 13:41:19 +0900 
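Review bot: the new help text under `config IMAGE_SECURITY` misspells "encryption" as "encrpytion", and it promises more than the hunk delivers: the only new line is `select IMAGE_DATA_ENCRYPTION`, while secure boot and SWUpdate get no `select` here. Either add the corresponding `select` lines or reword the help to match, e.g. "Enable data encryption for the IEC 62443-4-2 security image." Note also that `select` forces the target symbol on regardless of its own `depends on` constraints, so any dependencies of IMAGE_DATA_ENCRYPTION need to be mirrored on IMAGE_SECURITY to avoid a configuration that Kconfig accepts but the build cannot honour.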
From: Sai.Sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 2/3] deploy-cip-core.sh: Workaround to search for swupdate initrd image name Date: Wed, 30 Aug 2023 10:11:14 +0530 X-TSB-HOP2: ON Message-Id: <20230830044115.1112349-3-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230830044115.1112349-1-Sai.Sathujoda@toshiba-tsip.com> References: <20230830044115.1112349-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 30 Aug 2023 04:41:16.0103 (UTC) FILETIME=[3641B570:01D9DAFC] List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Aug 2023 04:41:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12905 From: Sai Since the security image is now included with swupdate feature, deployment of initrd image will fail in CI due to name mismatch. So this workaround will search for initrd image name as defined in read-only-rootfs.bbclass Signed-off-by: Sai --- scripts/deploy-cip-core.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh index eaa8974..868e28e 100755 --- a/scripts/deploy-cip-core.sh +++ b/scripts/deploy-cip-core.sh 
@@ -46,9 +46,16 @@ KERNEL_IMAGE="$BASE_PATH-vmlinu[xz]" if [ -f "build/tmp/deploy/images/$TARGET/zImage" ]; then KERNEL_IMAGE=build/tmp/deploy/images/$TARGET/zImage fi + +INITRD_IMAGE="${BASE_PATH}-initrd.img" +# swupdate image initrd search workaround +if [ -f "build/tmp/deployimages/$TARGET/cip-core-initramfs-cip-core-$RELEASE-$TARGET.initrd.img" ]; then + INITRD_IMAGE=build/tmp/deploy/images/$TARGET/cip-core-initramfs-cip-core-$RELEASE-$TARGET.initrd.img +fi + # shellcheck disable=SC2086 aws s3 cp --no-progress --acl public-read $KERNEL_IMAGE "${S3_TARGET}" -aws s3 cp --no-progress --acl public-read "${BASE_PATH}-initrd.img" "${S3_TARGET}" +aws s3 cp --no-progress --acl public-read "${INITRD_IMAGE}" "${S3_TARGET}" if [ "$DTB" != "none" ]; then aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/"$DTB" "${S3_TARGET}" From patchwork Wed Aug 30 04:41:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13369954 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 73D70C83F15 for ; Wed, 30 Aug 2023 04:41:30 +0000 (UTC) Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.158]) by mx.groups.io with SMTP id smtpd.web10.7101.1693370482926065121 for ; Tue, 29 Aug 2023 21:41:23 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.158, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1122) id 37U4fLBx3232686; Wed, 30 Aug 2023 13:41:21 +0900 X-Iguazu-Qid: 2rWgbWvRznAFJUfdUh X-Iguazu-QSIG: v=2; s=0; t=1693370481; q=2rWgbWvRznAFJUfdUh; m=pJ+agS6wQAqRE8RmTP/8RX6Q2LJ8H4Y3WSQWGBQuSLw= Received: from imx12-a.toshiba.co.jp 
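Review bot: the fallback in the new `if [ -f ... ]` test can never fire because its path reads `build/tmp/deployimages/$TARGET/...` (no slash between `deploy` and `images`), while the assignment on the following line uses `build/tmp/deploy/images/$TARGET/...`; as written, `INITRD_IMAGE` always stays at `${BASE_PATH}-initrd.img` and the name-mismatch failure the commit message describes is not fixed. Correct the test path, and consider deriving the directory once (e.g. `DEPLOY_DIR=build/tmp/deploy/images/$TARGET`, which the existing `zImage` check already spells out) so the test and the assignment cannot drift apart. The hard-coded `cip-core-initramfs-cip-core-$RELEASE-$TARGET.initrd.img` also duplicates the naming from read-only-rootfs.bbclass cited in the commit message; a comment pointing at that class would make this workaround easier to retire when the naming is unified.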
([38.106.60.135]) by relay.securemx.jp (mx-mr1120) id 37U4fJe41003263 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 30 Aug 2023 13:41:20 +0900 From: Sai.Sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 3/3] security.yml: Add additional features to security image Date: Wed, 30 Aug 2023 10:11:15 +0530 X-TSB-HOP2: ON Message-Id: <20230830044115.1112349-4-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230830044115.1112349-1-Sai.Sathujoda@toshiba-tsip.com> References: <20230830044115.1112349-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 30 Aug 2023 04:41:16.0182 (UTC) FILETIME=[364DC360:01D9DAFC] List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Aug 2023 04:41:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12906 From: Sai From IEC certification perspective, a security image is needed which has the below features along with security customizations. 1. Data encryption (CR4.1) 2. Secure boot (EDR 3.14) 3. SWupdate (NDR 3.10) Signed-off-by: Sai --- kas/opt/security.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kas/opt/security.yml b/kas/opt/security.yml index 1f3745b..67bf4ff 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml @@ -10,6 +10,9 @@ # header: version: 12 + includes: + - kas/opt/encrypt-partitions.yml + - kas/opt/ebg-secure-boot-snakeoil.yml target: cip-core-image-security
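Review bot: the commit message lists three features (data encryption, secure boot, SWUpdate) but the hunk adds only two includes, `kas/opt/encrypt-partitions.yml` and `kas/opt/ebg-secure-boot-snakeoil.yml`; either add the SWUpdate include or state in the message where SWUpdate support for cip-core-image-security comes from. The `snakeoil` in the secure-boot include name indicates demo signing keys; since this image is described as the basis for IEC 62443-4-2 certification, the message (or a comment in security.yml) should make clear that these keys are placeholders and how a production key set is substituted before the image is shipped.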