

# **CIP Technical Steering Committee Meeting**

Date: 11th of October 2022.

## **Roll Call**

TSC members (Alphabetical order by company name)

Attendees (Please change to **Bold**, if you attend this meeting) (Key shortcut: Ctrl+b)

| Company          | Members                                                                                                                                                              |
|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Bosch            | Philipp Ahmann<br>Steffen Evers                                                                                                                                      |
| Cybertrust       | Hirotaka Motai (Representative)<br>Hiraku Toyooka                                                                                                                    |
| Hitachi          | <b>Hidehiro Kawai (Representative)</b><br>Takuo Koguchi                                                                                                              |
| Linutronix       |                                                                                                                                                                      |
| Moxa             | Jimmy Chen (Representative)                                                                                                                                          |
| Plat'Home        | Masato Minda (Representative)                                                                                                                                        |
| Renesas          | Chris Paterson (CIP Testing WG Chair)<br>Kento Yoshida<br>Kazuhiro Fujita<br>Takehisa Katayama (Representative) (Voting)                                             |
| Siemens          | Jan Kiszka (Representative) (Kernel Team Chair)<br>Wolfgang Mauerer (Representative) (Voting)<br>Urs Gleim<br>Stefan Schroeder                                       |
| Toshiba          | Dinesh Kumar<br>Kazuhiro Hayashi (Voting Representative) (CIP Core / Software Update Chair)<br>Venkata Pyla<br>Nobuhiro Iwamatsu (Kernel Maintainer)<br>Shivanand Kunijadar |
|                  | Yoshi Kobayashi (TSC Chair)                                                                                                                                          |
| Denx             | Pavel Machek (Kernel Maintainer)                                                                                                                                     |
|                  | Ulrich Hecht (Kernel Developer)                                                                                                                                      |
| Linux Foundation | Neal Caidin                                                                                                                                                          |

## **Discussions**

### **Security Working Group**

#### Items need to be approved by TSC voting members

None

#### **Status updates**

- No updates on the IEC-62443 AIs (action items)
- This week's SWG meeting on 10th Oct was canceled as members were not available
- Other updates
  - Exida can share a Cybersecurity Management Plan template for meeting the SM-1 requirement of IEC-62443-4-1 (exida response to CIP queries)
  - Exida and SWG members to have a follow-up discussion on 14th Oct to clarify exida's queries, specifically about the CIP kernel
    - How the threat modeling and static code analysis requirements can be achieved for the CIP kernel
  - Exida to confirm specifically how the security testing requirements are to be met in CIP
  - Exida to also share a cost quotation, tentatively by end of October 2022
- Is there any preference for a specific architecture to support for the final IEC-62443 certification? (The majority of CIP reference hardware is ARM64-based)
  - https://wiki.linuxfoundation.org/civilinfrastructureplatform/ciptesting/cipreferencehardware
  - (Action: SW) Clarify why this architecture requirement needs to be included in the assessment

### **Kernel Team Working Group**

#### Items need to be approved by TSC voting members

None

#### **Status updates**

- CIP IRC weekly meeting
  - logs
    - Sep 29th
    - Oct 6th
- CIP kernel release
  - 4.4
    - none
  - 4.19
    - none
  - 5.10
    - v5.10.145-cip17-rt7 on October 1st by Pavel
- New Spectre issues vs. 4.x-cip
  - Mitigations for https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29900 (Intel x86) are not backported to 4.x kernels, and this may not happen at all
    - Consequently, 4.4-cip and 4.19-cip would have no baseline fixes
  - The kernel team considers its own backporting attempts too much effort and too risky
  - The threat vector for these CVEs is unlikely to be present on industrial devices running these kernels
  - Any concerns by members if CIP skips them for 4.4 and 4.19?
- RISC-V architecture
  - A qemu-riscv64 Debian image can now be generated from isar-cip-core
  - Currently using the kernel's riscv defconfig; cip-kernel-config will pick that up
  - Work on the RZ/Five board is ongoing, but there are still open items (kernel upstreaming, ldconfig crashes)
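The decision above leaves device owners on 4.4-cip and 4.19-cip to judge the Spectre/Retbleed exposure of their own platforms. The kernel reports its own view of that exposure through the real interface `/sys/devices/system/cpu/vulnerabilities/<name>`, but a tree that predates a given mitigation simply has no file for it, so a missing entry must be read as "this kernel cannot tell you", not as "not affected". The script below is an added illustration written for these minutes, not CIP project code; it takes the sysfs directory as a parameter so it can be run against a constructed fixture (the entry names and the verdict labels are assumptions made here, the status-line prefixes are the ones the kernel actually emits).

```python
"""Classify the Linux sysfs CPU-vulnerability entries into coarse verdicts.

Added example for the 4.x-cip Spectre discussion (not CIP project code).
It reads /sys/devices/system/cpu/vulnerabilities/<name>, which the kernel
creates only once the corresponding mitigation code exists in that tree.
"""
import sys
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Entries of interest for this discussion (selection is an assumption here).
DEFAULT_ENTRIES = ("meltdown", "spectre_v1", "spectre_v2",
                   "spec_store_bypass", "retbleed")


def classify(status_text):
    """Map one raw sysfs status line to a verdict label (labels are ours)."""
    text = status_text.strip()
    if text.startswith("Not affected"):
        return "not-affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    # e.g. "Unknown: Dependent on hypervisor status" inside a guest
    return "unknown"


def mitigation_status(vuln_dir=SYSFS_VULN_DIR, entries=DEFAULT_ENTRIES):
    """Return {entry: verdict}; a missing file means the kernel cannot report it."""
    vuln_dir = Path(vuln_dir)
    report = {}
    for name in entries:
        path = vuln_dir / name
        if not path.is_file():
            # Silence is not safety: a kernel without the mitigation has no entry.
            report[name] = "not-reported"
            continue
        report[name] = classify(path.read_text())
    return report


def needs_attention(report):
    """Entries an operator should review: vulnerable, unknown, or unreportable."""
    return sorted(name for name, verdict in report.items()
                  if verdict in ("vulnerable", "unknown", "not-reported"))


def main(argv):
    vuln_dir = Path(argv[1]) if len(argv) > 1 else SYSFS_VULN_DIR
    report = mitigation_status(vuln_dir)
    for name, verdict in report.items():
        print(f"{name:20s} {verdict}")
    flagged = needs_attention(report)
    print("attention:", ", ".join(flagged) if flagged else "none")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments on a device to read the live sysfs directory; the non-zero exit status makes it usable as a fleet inventory check. On a 4.4 or 4.19 kernel without the Retbleed patches the `retbleed` row comes back as `not-reported`, which is exactly the case the minutes are asking members to weigh.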

### **CIP Core Working Group**

#### Items need to be approved by TSC voting members

None

#### Past minutes

past meetings

#### **Status updates**

- (WIP) Release process of CIP Core
  - Motivation
    - IEC 62443-4-1 requirements (release process, versioning, testing)
    - Kernel testing
  - How to release
    - Release with a version number (e.g. cip-core-x.y)
    - When: after each Debian point release (e.g. 11.1, 11.2, ...)
    - What:
      - Recipes
      - Generated images (kernel + rootfs)
      - Security report by cip-core-sec (still draft)
      - Test results (TBD)
- isar-cip-core:
  - Update kernel versions, isar
  - Support the distro "cip-core-sid-ports" and the machine "qemu-riscv64"
  - And a lot of fixes and improvements in recipes
- deby
  - cip-core-buster
    - Use Debian's lavacli package to fix a CI problem
    - Update the upstream (meta-debian) revision to the latest to fetch package security updates from Debian LTS (2022-09-26)
- cip-core-sec (a tool to generate a CVE report for a specific Debian package set)
  - Improved the script that generates the CVE report, fixed known issues
  - Confirmed that the script works for both Debian 10 and 11
  - (WIP) Add more minor fixes, then move the project from cip-playground to cip-project

### **CIP Testing Working Group**

#### Items need to be approved by TSC voting members

None

#### **Status updates**

- GitLab runner issues
  - Runner "not being found" anymore: rolling back to an older gitlab-runner version seems to have resolved this issue
  - Not being able to use Kaniko to build Docker containers: still an issue with the CIP runners, so we've switched the linux-cip-ci project to use gitlab.org shared runners instead. We get 50,000 CI minutes a month, so we should be okay.
- Adding RISC-V support
  - RISC-V build support added to linux-cip-ci: https://gitlab.com/cip-project/cip-testing/linux-cip-ci/-/merge_requests/58
  - Merge request open to add RISC-V defconfig builds to linux-5.10.y{-cip}: https://gitlab.com/cip-project/cip-testing/linux-cip-pipelines/-/merge_requests/32
  - Next step is to add support for qemu-riscv
- Added proposed RISC-V support to the CIP reference hardware wiki page
- LAVA infrastructure maintenance

#### **Discussions**

None

### **Software Update Working Group**

#### Items need to be approved by TSC voting members

None

#### **Status updates**

- Related updates in isar-cip-core
  - (None)
- (WIP) Secure boot + SWUpdate verification on QEMU amd64
  - Patches for the README shared for review
- (WIP) Secure storage (with SWUpdate)
  - e.g. encrypted data partition
  - Starting by considering the system architecture
  - Discussions will be required in the SWG

## **Upcoming TSC meetings**

- Regular TSC meeting
  - Date: 25th of October 2022 (Tuesday)
  - Start time: Local time in your timezone
  - NOTE: DST information
    - US DST start: The second Sunday of March
    - US DST end: The first Sunday of November
    - EU DST start: The last Sunday of March
    - EU DST end: The last Sunday of October