09:00:01 #startmeeting CIP IRC weekly meeting
09:00:01 Meeting started Thu Oct 15 09:00:01 2020 UTC and is due to finish in 60 minutes. The chair is masashi910. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:01 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:00:01 The meeting name has been set to 'cip_irc_weekly_meeting'
09:00:05 #topic rollcall
09:00:09 hi
09:00:10 hi
09:00:12 please say hi if you're around
09:00:14 hi
09:00:33 hi
09:00:34 hi
09:00:40 #topic AI review
09:00:48 1. Combine root filesystem with kselftest binary - iwamatsu
09:00:59 sorry, no update this
09:01:11 iwamatsu: Sure, Thanks!
09:01:14 2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 need to be backported to 4.4 - masashi910
09:01:21 Jan-san@Siemens would like us to backport them to 4.4.
09:01:26 https://lore.kernel.org/cip-dev/d5baee23-9a71-6994-146d-1b54d42d1ef9@siemens.com/
09:01:54 pave1, iwamatsu: Do you think we can proceed with the backporting?
09:02:18 masashi: I'm looking into that, yes.
09:02:29 pave1: Thanks!
09:02:30 yes,
09:02:37 iwamatsu: Thanks!
09:02:48 So, shall we move on?
09:02:58 #topic Kernel maintenance updates
09:03:06 masashi: CVE-- There's some confusion as 145 and 147 point to same fix in our database. Plus some of the issues may not be serious enough to be worth fixing.
09:04:02 I have reviewed 4.19.151... and PCIe EP series.
09:04:17 pave1: Oh, I see. Need to sort out the necessity again?
09:04:40 I reviewed 4.4.239
09:04:51 there's not much to go on from Intel's security notice
09:05:12 masashi: Well, either that or we identified wrong commits.
09:05:39 the latter is possible
09:06:23 wens: I'm looking at Bluetooth CVEs (CVE-2020-12351,12352,24490).
09:06:30 was about to report on those
09:06:33 - CVE-2020-12351, CVE-2020-12352, CVE-2020-24490 [bluetooth] (also known as BleedingTooth)
09:06:36 These are grouped together because Intel's security notice does not clearly state which patches fix which issues. Fixes posted.
09:06:39 - CVE-2020-16119 [net: dccp] - fix posted
09:06:43 - CVE-2020-16120 [overlayfs] - fixed
09:06:44 - CVE-2020-25645 [net: geneve] - fixed and backported to 4.14+ - Fix should be backported to 4.4 and 4.9. The driver was added in 4.2.
09:07:22 regarding the Bluetooth CVEs, Google has produced much better reports than Intel's security notices: https://lwn.net/Articles/834297/rss
09:07:57 wens: Yes, Google is doing pretty well there. They even have proof of concepts.
09:08:32 I haven't fixed the entries in cip-kernel-sec yet.
09:08:35 wens: AFAICT, CVE-2020-24490.yml is fixed at least in 4.19.y.
09:09:06 wens: I started taking notes in form of yml files. Will post the diff if it is useful as a starting point.
09:09:27 I plan to ask if bwh wanted to push them upstream (to Debian) before we update it on our end, otherwise we end up pulling in the garbled stuff in again.
09:11:05 wens: If the entries are later replaced with cleaner entries from Debian... that should not be a huge problem.
09:11:36 sure. the changes here https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/78
09:11:51 wens: Thanks!
09:11:58 pave1, iwamatsu, wens: Thanks for your work!
09:12:02 are just the initial import. I can split them up based on Google's information.
09:12:34 that's all.
09:12:45 Any suggestions for CVE-2019-0145/0147/0148 how to proceed?
09:13:21 ideally, ask Intel for more information about which commits are the correct fixes.
09:14:24 wens: I see. Thanks for your comment. Well, let's discuss offline, then.
09:14:35 Any other topics?
09:14:50 3
09:14:53 2
09:14:56 1
09:14:58 #topic Kernel testing
09:15:10 Hello
09:15:15 The LAVA master and workers have been updated to the latest version of lava-docker, based on LAVA 2020.07.
09:15:21 Let me know if you see any issues.
09:15:26 Thanks to the lab owners for their support.
09:15:37 Also, the x86 devices have been split into separate device-types (x86-openblocks-iot-vx2, x86-simatic-ipc227e) so we can choose specific platforms to run tests.
09:15:59 That's it from me
09:16:17 patersonc: Thanks for your work!
09:16:36 any queries or comments?
09:16:48 3
09:16:51 2
09:16:54 1
09:16:58 #topic CIP Security
09:17:10 Hello
09:17:39 We got the gap assessment report about the CIP development process to meet IEC 62443-4-1.
09:18:24 You can see it in our security repo:
09:18:25 https://gitlab.com/cip-project/cip-security/iec_62443-4-x/-/blob/master/gap_assessment/TLF_Gap_Analysis_IEC_62443_4-1_Public.pdf
09:18:40 The report shows what we have to define, and then we try to define the compliant process to IEC 62443-4-1.
09:19:01 We continue to work on this.
09:19:18 That's the end from me this week, thanks!
09:19:27 yoshidak[m]: Thanks for your updates.
09:19:40 any queries or comments?
09:19:53 3
09:19:57 2
09:20:00 1
09:20:03 #topic AOB
09:20:13 Is there any business to discuss?
09:20:30 3
09:20:33 2
09:20:36 1
09:20:39 #endmeeting