09:00:00 <masashi910> #startmeeting CIP IRC weekly meeting
09:00:00 <brlogger`> Meeting started Thu Oct 8 09:00:00 2020 UTC and is due to finish in 60 minutes. The chair is masashi910. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:00 <brlogger`> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:00:00 <brlogger`> The meeting name has been set to 'cip_irc_weekly_meeting'
09:00:28 <masashi910> #topic rollcall
09:00:34 <masashi910> please say hi if you're around
09:00:53 <pavelm1> hi
09:00:58 <wens> hi
09:01:22 <masashi910> Today yoshidak[m] and iwamatsu are not here, so I will share their status.
09:01:29 <masashi910> #topic AI review
09:01:34 <masashi910> 1. Combine root filesystem with kselftest binary - iwamatsu
09:01:39 <masashi910> Quote from Iwamatsu-san "No update."
09:01:44 <masashi910> 2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt
09:01:50 <masashi910> -> Delete rbd ( Ceph block device ) from 4.4-rt x86 config - iwamatsu
09:01:54 <masashi910> -> Done, so I close it.
09:01:59 <masashi910> https://lore.kernel.org/cip-dev/OSBPR01MB29833C0DA59C4F77B159DE2492300@OSBPR01MB2983.jpnprd01.prod.outlook.com/
09:02:07 <masashi910> any other topics?
09:02:18 <masashi910> 3
09:02:21 <masashi910> 2
09:02:25 <masashi910> 1
09:02:28 <masashi910> #topic Kernel maintenance updates
09:02:36 <masashi910> == Quote from iwamatsu ==
09:02:43 <masashi910> I reviewed 4.4.y-rc.
09:02:51 <masashi910> ====
09:02:58 <pavelm1> I have released v4.19.148-cip35-rt15, and reviewed 4.19.150.
09:03:05 <wens> Five new CVEs:
09:03:05 <wens> - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for
09:03:05 <wens> mainline and 4.19+
09:03:05 <wens> - This is enabled in Siemens x86 configs for both 4.4 and 4.19
09:03:05 <wens> and we should probably backport them.
09:03:07 <wens> - CVE-2020-25643 [hdlc_ppp] - Fixed in all current stable kernels
09:03:10 <wens> - CVE-2020-26541 [UEFI secure boot] - Fix posted but hasn't landed
09:03:19 <wens> I also reviewed some patches from Daniel for cip-kernel-sec on the mailing list
09:03:39 <masashi910> pavelm1, wens: Thanks for your reports!
09:04:06 <pavelm1> v4.19.148-cip35-rt15 has problems on arm64_renesas.
09:04:37 <pavelm1> Question is if we should release -rt16 cca next week to fix them.
09:05:20 <masashi910> pavelm1: Thanks for raising this. Does anyone have any opinion?
09:05:55 <patersonc> If it's not too much hassle it may be worth doing.
09:06:10 <patersonc> We should try and keep things working on our reference platforms if possible imho
09:06:37 <pavelm1> I was wondering if someone is using realtime branch on renesas.
09:07:03 <patersonc> Renesas is. We have a RT version of our BSP based on cip-rt.
09:07:08 <pavelm1> Ok.
09:07:20 <patersonc> That said, we don't follow every release, so it's not a showstopper for us
09:07:33 <pavelm1> So I'll do -rt16 when new -cip is available.
09:07:56 <masashi910> pavelm1, patersonc: Thanks for your discussion.
09:07:57 <patersonc> Thank you for your efforts pavelm1
09:09:28 <masashi910> Any other topics?
09:10:01 <masashi910> wens: BTW, you mention that - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for
09:10:01 <masashi910> <wens> mainline and 4.19+
09:10:15 <wens> yes.
09:10:26 <pavelm1> i40e stuff. I'll take a look.
09:10:29 <wens> i40e is a high-end 10/40G ethernet adapter
09:10:37 <masashi910> wens: Does it mean LTS4.4 backporting might be needed?
09:10:42 <wens> makes sense Siemens might use it on their servers
09:10:57 <pavelm1> If someone has git hashes, that is more useful than CVE numbers.
09:11:14 <wens> the hashes are in cip-kernel-sec
09:11:17 <wens> just a min.
09:11:26 <pavelm1> Ok, let's talk after the meeting.
09:11:35 <pavelm1> I'll need to learn to pull them myself.
09:11:42 <wens> https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/75/diffs
09:12:01 <wens> so the annoying thing about this group of CVEs is that Intel failed to tag the mainline patches
09:12:08 <pavelm1> Thank you.
09:12:16 <wens> they later requested backports of four patches # https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
09:12:34 <masashi910> wens, pavelm1: thanks. If needed, let's discuss offline.
09:12:35 <pavelm1> wens: Well, that used to be common policy. Don't talk about CVEs in commit logs.
09:12:36 <wens> but it is unclear which patch fixes what issue, or whether they are sufficient
09:13:02 <wens> pavelm1: I meant they didn't add Fixes tags
09:13:13 <wens> masashi910: ok
09:13:30 <masashi910> Thanks for your works!
09:13:32 <wens> pavelm1: I won't be around after the meeting, so please send me an email.
09:13:35 <pavelm1> wens: aha. That's unfortunate :-(.
09:13:45 <masashi910> so, shall we move on?
09:13:48 <wens> sure.
09:13:56 <masashi910> Thanks.
09:14:07 <masashi910> #topic Kernel testing
09:14:17 <patersonc> Hi, sorry
09:14:18 <masashi910> Chris-san, please.
09:14:25 <patersonc> I've started work on upgrading our LAVA master + workers to the latest version of lava-docker/lava
09:14:32 <patersonc> https://gitlab.com/cip-project/cip-testing/lava-docker/-/merge_requests/28
09:14:36 <patersonc> Now just waiting on feedback before merging. Then we'll need to schedule a time to do the upgrade on production
09:14:47 <patersonc> That's about it from me I think...
09:15:08 <masashi910> patersonc: Thanks for your works!
09:15:19 <masashi910> any other topics?
09:15:32 <masashi910> 3
09:15:35 <masashi910> 2
09:15:37 <masashi910> 1
09:15:41 <masashi910> #topic CIP Security
09:15:53 <masashi910> == Quote from yoshidak[m] ==
09:15:54 <masashi910> Both minor updates were once reported, but since they are protracted, I will summarize again here.
09:15:54 <masashi910> Major updates:
09:15:54 <masashi910> There is no major update this week.
09:15:54 <masashi910> Minor updates:
09:15:54 <masashi910> 1. Gap assessment for the development process (IEC 62443-4-1):
09:15:54 <masashi910> The report from the certification body, whether development process for OSS meets to the IEC 62443-4-1 standard, is delayed.
09:15:55 <masashi910> But, perhaps we can get it the end of this week.
09:15:55 <masashi910> And then, we'll plan to share the documents on the development process that reflects the feedback from the report.
09:15:56 <masashi910> 2. Gap assessment for security features of security packages we suggested (IEC 62443-4-2):
09:15:56 <masashi910> We started review security features of security packages we suggested to add as CIP core packages.
09:15:57 <masashi910> The completion date is scheduled by the end of December.
09:16:10 <masashi910> any other topics?
09:16:17 <masashi910> 3
09:16:20 <masashi910> 2
09:16:23 <masashi910> 1
09:16:26 <masashi910> #topic AOB
09:16:35 <masashi910> Are there any business to discuss?
09:16:48 <pavelm1> I guess we should talk to Siemens.
09:16:55 <pavelm1> Their kernel config contains... everything.
09:17:10 <wens> the x86 ones?
09:17:15 <pavelm1> It would be good to strip it down, so we can focus on things they actually use.
09:17:30 <pavelm1> Yes, x86: siemens_server_defconfig.
09:17:40 <masashi910> pavelm1: OK, then, shall I ask them?
09:17:48 <wens> they probably used some generic one as the template :(
09:17:55 <pavelm1> masashi910: Yes please, that would be nice.
09:18:04 <pavelm1> CONFIG_NE2K_PCI=m is example of driver they probably don't use.
09:18:19 <wens> rofl
09:18:31 <masashi910> pavelm1: Sure!
09:18:38 <pavelm1> Thank you!
09:18:47 <masashi910> Welcome!
09:19:11 <masashi910> So, if there are no other topics, let's close the meeting today.
09:19:24 <masashi910> 3
09:19:28 <masashi910> 2
09:19:32 <masashi910> 1
09:19:34 <masashi910> #endmeeting