09:00:01 <masashi910> #startmeeting CIP IRC weekly meeting
09:00:01 <brlogger> Meeting started Thu Oct 15 09:00:01 2020 UTC and is due to finish in 60 minutes.  The chair is masashi910. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:01 <brlogger> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:00:01 <brlogger> The meeting name has been set to 'cip_irc_weekly_meeting'
09:00:05 <masashi910> #topic rollcall
09:00:09 <wens> hi
09:00:10 <pave1> hi
09:00:12 <masashi910> please say hi if you're around
09:00:14 <iwamatsu> hi
09:00:33 <fujita> hi
09:00:34 <patersonc> hi
09:00:40 <masashi910> #topic AI review
09:00:48 <masashi910> 1. Combine root filesystem with kselftest binary - iwamatsu
09:00:59 <iwamatsu> sorry, no update on this
09:01:11 <masashi910> iwamatsu: Sure, Thanks!
09:01:14 <masashi910> 2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 need to be backported to 4.4 - masashi910
09:01:21 <masashi910> Jan-san@Siemens would like us to backport them to 4.4.
09:01:26 <masashi910> https://lore.kernel.org/cip-dev/d5baee23-9a71-6994-146d-1b54d42d1ef9@siemens.com/
09:01:54 <masashi910> pave1, iwamatsu: Do you think we can proceed with the backporting?
09:02:18 <pave1> masashi: I'm looking into that, yes.
09:02:29 <masashi910> pave1: Thanks!
09:02:30 <iwamatsu> yes,
09:02:37 <masashi910> iwamatsu: Thanks!
09:02:48 <masashi910> So, shall we move on?
09:02:58 <masashi910> #topic Kernel maintenance updates
09:03:06 <pave1> masashi: CVE-- There's some confusion as 145 and 147 point to the same fix in our database. Plus some of the issues may not be serious enough to be worth fixing.
09:04:02 <pave1> I have reviewed 4.19.151... and PCIe EP series.
09:04:17 <masashi910> pave1: Oh, I see. Need to sort out the necessity again?
09:04:40 <iwamatsu> I reviewed 4.4.239
09:04:51 <wens> there's not much to go on from Intel's security notice
09:05:12 <pave1> masashi: Well, either that or we identified wrong commits.
09:05:39 <wens> the latter is possible
09:06:23 <pave1> wens: I'm looking at Bluetooth CVEs (CVE-2020-12351,12352,24490).
09:06:30 <wens> was about to report on those
09:06:33 <wens> - CVE-2020-12351, CVE-2020-12352, CVE-2020-24490 [bluetooth] (also known as BleedingTooth)
09:06:36 <wens> These are grouped together because Intel's security notice does not clearly state which patches fix which issues. Fixes posted.
09:06:39 <wens> - CVE-2020-16119 [net: dccp] - fix posted
09:06:43 <wens> - CVE-2020-16120 [overlayfs] - fixed
09:06:44 <wens> - CVE-2020-25645 [net: geneve] - fixed and backported to 4.14+ - Fix should be backported to 4.4 and 4.9. The driver was added in 4.2.
09:07:22 <wens> regarding the Bluetooth CVEs, Google has produced much better reports than Intel's security notices: https://lwn.net/Articles/834297/rss
09:07:57 <pave1> wens: Yes, Google is doing pretty well there. They even have proof of concepts.
09:08:32 <wens> I haven't fixed the entries in cip-kernel-sec yet.
09:08:35 <pave1> wens: AFAICT, CVE-2020-24490.yml is fixed at least in 4.19.y.
09:09:06 <pave1> wens: I started taking notes in form of yml files. Will post the diff if it is useful as a starting point.
09:09:27 <wens> I plan to ask if bwh wanted to push them upstream (to Debian) before we update it on our end, otherwise we end up pulling the garbled stuff in again.
09:11:05 <pave1> wens: If the entries are later replaced with cleaner entries from Debian... that should not be a huge problem.
09:11:36 <wens> sure. the changes here https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/78
09:11:51 <pave1> wens: Thanks!
09:11:58 <masashi910> pave1, iwamatsu, wens: Thanks for your work!
09:12:02 <wens> are just the initial import. I can split them up based on Google's information.
09:12:34 <wens> that's all.
09:12:45 <masashi910> Any suggestions on how to proceed for CVE-2019-0145/0147/0148?
09:13:21 <wens> ideally, ask Intel for more information about which commits are the correct fixes.
09:14:24 <masashi910> wens: I see. Thanks for your comment. Well, let's discuss offline, then.
09:14:35 <masashi910> Any other topics?
09:14:50 <masashi910> 3
09:14:53 <masashi910> 2
09:14:56 <masashi910> 1
09:14:58 <masashi910> #topic Kernel testing
09:15:10 <patersonc> Hello
09:15:15 <patersonc> The LAVA master and workers have been updated to the latest version of lava-docker, based on LAVA 2020.07.
09:15:21 <patersonc> Let me know if you see any issues.
09:15:26 <patersonc> Thanks to the lab owners for their support.
09:15:37 <patersonc> Also, the x86 devices have been split into separate device-types (x86-openblocks-iot-vx2, x86-simatic-ipc227e) so we can choose specific platforms to run tests.
09:15:59 <patersonc> That's it from me
09:16:17 <masashi910> patersonc: Thanks for your work!
09:16:36 <masashi910> any queries or comments?
09:16:48 <masashi910> 3
09:16:51 <masashi910> 2
09:16:54 <masashi910> 1
09:16:58 <masashi910> #topic CIP Security
09:17:10 <yoshidak[m]> Hello
09:17:39 <yoshidak[m]> We got the gap assessment report about the CIP development process to meet IEC 62443-4-1.
09:18:24 <yoshidak[m]> You can see it in our security repo:
09:18:25 <yoshidak[m]> https://gitlab.com/cip-project/cip-security/iec_62443-4-x/-/blob/master/gap_assessment/TLF_Gap_Analysis_IEC_62443_4-1_Public.pdf
09:18:40 <yoshidak[m]> The report shows what we have to define, and then we try to define the process compliant with IEC 62443-4-1.
09:19:01 <yoshidak[m]> We continue to work on this.
09:19:18 <yoshidak[m]> That's the end from me this week, thanks!
09:19:27 <masashi910> yoshidak[m]: Thanks for your updates.
09:19:40 <masashi910> any queries or comments?
09:19:53 <masashi910> 3
09:19:57 <masashi910> 2
09:20:00 <masashi910> 1
09:20:03 <masashi910> #topic AOB
09:20:13 <masashi910> Is there any business to discuss?
09:20:30 <masashi910> 3
09:20:33 <masashi910> 2
09:20:36 <masashi910> 1
09:20:39 <masashi910> #endmeeting