From patchwork Tue Oct 31 09:37:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Opdenacker X-Patchwork-Id: 33154 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1EB88C4332F for ; Tue, 31 Oct 2023 09:37:40 +0000 (UTC) Received: from relay9-d.mail.gandi.net (relay9-d.mail.gandi.net [217.70.183.199]) by mx.groups.io with SMTP id smtpd.web11.182561.1698745049649425187 for ; Tue, 31 Oct 2023 02:37:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=gm1 header.b=c6lldC2B; spf=pass (domain: bootlin.com, ip: 217.70.183.199, mailfrom: michael.opdenacker@bootlin.com) Received: by mail.gandi.net (Postfix) with ESMTPSA id D2475FF816; Tue, 31 Oct 2023 09:37:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1; t=1698745047; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=L8oCyUTYpLqZhEummUcvBUZy/fv6gD9I8wUjE9LS2Ls=; b=c6lldC2B4U4aUcwTgRRRaRQMWCEw49sK0hZtimBdiDzxscoR+wkpyXUeFiK7lwpql+z+C5 7ezbW8zao1CwMmMbyiaBaeU0IuHgH9UG9WSzCc95d/lmMWD8rYVdEZNGNE2+FaTNxHFy1V Iepp4GF+Z9ELHN0jzxQfn5AbbgLSV1rNR3yFupGftlXwRFxxP8wPrxhOsjmfmylMjHAbv4 h6Tpew47DjSsJDvpdZfmIatsw/TgyNmbUViCRZ6cyYqFZal6wxFonLldXr3m1GXQ8s2zqK 85jTb4SaTCrxo5GMFkj6gfbK6hijGsJ2PgOR1l7eMfnJlDYNERrQzTU2ZeCIuw== 
From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: Michael Opdenacker Subject: [kirkstone][PATCH 1/3] manuals: correct "yocto-linux" by "linux-yocto" Date: Tue, 31 Oct 2023 10:37:14 +0100 Message-Id: <20231031093716.1792379-2-michael.opdenacker@bootlin.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231031093716.1792379-1-michael.opdenacker@bootlin.com> References: <20231031093716.1792379-1-michael.opdenacker@bootlin.com> MIME-Version: 1.0 X-GND-Sasl: michael.opdenacker@bootlin.com List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 31 Oct 2023 09:37:40 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4531 From: Michael Opdenacker Signed-off-by: Michael Opdenacker --- documentation/bsp-guide/bsp.rst | 2 +- documentation/kernel-dev/common.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/bsp-guide/bsp.rst b/documentation/bsp-guide/bsp.rst index 94ed1641b5..6cb35ba6cc 100644 --- a/documentation/bsp-guide/bsp.rst +++ b/documentation/bsp-guide/bsp.rst @@ -1180,7 +1180,7 @@ Use these steps to create a BSP layer: - *Create a Kernel Recipe:* Create a kernel recipe in ``recipes-kernel/linux`` by either using a kernel append file or a - new custom kernel recipe file (e.g. ``yocto-linux_4.12.bb``). The BSP + new custom kernel recipe file (e.g. ``linux-yocto_4.12.bb``). The BSP layers mentioned in the previous step also contain different kernel examples. See the ":ref:`kernel-dev/common:modifying an existing recipe`" section in the Yocto Project Linux Kernel Development Manual for diff --git a/documentation/kernel-dev/common.rst b/documentation/kernel-dev/common.rst index 3406fcfe75..3e1ef389b8 100644 --- a/documentation/kernel-dev/common.rst +++ b/documentation/kernel-dev/common.rst 
@@ -1081,7 +1081,7 @@ Section. the following sequence of commands:: $ cd poky/build - $ bitbake -c cleanall yocto-linux + $ bitbake -c cleanall linux-yocto $ bitbake core-image-minimal -c cleanall $ bitbake core-image-minimal $ runqemu qemux86 From patchwork Tue Oct 31 09:37:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Opdenacker X-Patchwork-Id: 33155 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2BBC2C4167B for ; Tue, 31 Oct 2023 09:37:40 +0000 (UTC) Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) by mx.groups.io with SMTP id smtpd.web11.182563.1698745055995431287 for ; Tue, 31 Oct 2023 02:37:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=gm1 header.b=lxSBg++d; spf=pass (domain: bootlin.com, ip: 217.70.183.196, mailfrom: michael.opdenacker@bootlin.com) Received: by mail.gandi.net (Postfix) with ESMTPSA id 03580E0005; Tue, 31 Oct 2023 09:37:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1; t=1698745054; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9Na16Ls5NHz/cjXankiPYdkZxFKgL7D+f6qR4xR7/5A=; b=lxSBg++duJS62MqaY4uRjoSLREj61EkHoCJ+g2JeIIJeaPS79BB/k71iD9PYvpelmW44zt zmYNtDC4wPeTrpgP655albOqMVMdJarIvUPyGV5ZYiEFNF+UbuUm/0Q4q+e6+x75ID7MIG IXuMLQ7Z+Ucwcr7mq3DATr3dIXDt4yjWeDp1YuFvcd2xs1wHnY5fQWCY+FPCrj8t4X5FXI zfd4lRWBnvBFdGlvYkQEvVO7Hvnf43jg5/bguDQfqTEMWfq4hvROcNY/5Aq3KcFw+GVr5C hP1cSQzUs2tFStvX665YuhvBPUzRqUculelU7KsdFBGNA0l+Mk/fmLw8fIFw7g== 
From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: Michael Opdenacker , Marta Rybczynska Subject: [kirkstone][PATCH 2/3] dev-manual: add security team processes Date: Tue, 31 Oct 2023 10:37:15 +0100 Message-Id: <20231031093716.1792379-3-michael.opdenacker@bootlin.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231031093716.1792379-1-michael.opdenacker@bootlin.com> References: <20231031093716.1792379-1-michael.opdenacker@bootlin.com> MIME-Version: 1.0 X-GND-Sasl: michael.opdenacker@bootlin.com List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 31 Oct 2023 09:37:40 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4532 From: Michael Opdenacker From: Marta Rybczynska Add the initial version of the section on vulnerability reports, operations of the Security Team with a transcription of https://wiki.yoctoproject.org/wiki/Security_private_reporting Signed-off-by: Marta Rybczynska Reviewed-by: Michael Opdenacker --- documentation/dev-manual/index.rst | 1 + .../dev-manual/security-subjects.rst | 189 ++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 documentation/dev-manual/security-subjects.rst diff --git a/documentation/dev-manual/index.rst b/documentation/dev-manual/index.rst index 3106b90a45..9ccf60f701 100644 --- a/documentation/dev-manual/index.rst +++ b/documentation/dev-manual/index.rst @@ -42,6 +42,7 @@ Yocto Project Development Tasks Manual runtime-testing debugging licenses + security-subjects vulnerabilities sbom error-reporting-tool diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst new file mode 100644 index 0000000000..1b02b6a9e9 --- /dev/null +++ b/documentation/dev-manual/security-subjects.rst 
@@ -0,0 +1,189 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Dealing with Vulnerability Reports +********************************** + +The Yocto Project and OpenEmbedded are open-source, community-based projects +used in numerous products. They assemble multiple other open-source projects, +and need to handle security issues and practices both internal (in the code +maintained by both projects), and external (maintained by other projects and +organizations). + +This manual assembles security-related information concerning the whole +ecosystem. It includes information on reporting a potential security issue, +the operation of the YP Security team and how to contribute in the +related code. It is written to be useful for both security researchers and +YP developers. + +How to report a potential security vulnerability? +================================================= + +If you would like to report a public issue (for example, one with a released +CVE number), please report it using the +:yocto_bugs:`Security Bugzilla `. + +If you are dealing with a not-yet-released issue, or an urgent one, please send +a message to security AT yoctoproject DOT org, including as many details as +possible: the layer or software module affected, the recipe and its version, +and any example code, if available. This mailing list is monitored by the +Yocto Project Security team. + +For each layer, you might also look for specific instructions (if any) for +reporting potential security issues in the specific ``SECURITY.md`` file at the +root of the repository. Instructions on how and where submit a patch are +usually available in ``README.md``. If this is your first patch to the +Yocto Project/OpenEmbedded, you might want to have a look into the +Contributor's Manual section +":ref:`contributor-guide/submit-changes:preparing changes for submission`". 
+ +Branches maintained with security fixes +--------------------------------------- + +See the +:ref:`Release process ` +documentation for details regarding the policies and maintenance of stable +branches. + +The :yocto_wiki:`Releases page ` contains a list +of all releases of the Yocto Project. Versions in gray are no longer actively +maintained with security patches, but well-tested patches may still be accepted +for them for significant issues. + +Security-related discussions at the Yocto Project +------------------------------------------------- + +We have set up two security-related mailing lists: + + - Public List: yocto [dash] security [at] yoctoproject[dot] org + + This is a public mailing list for anyone to subscribe to. This list is an + open list to discuss public security issues/patches and security-related + initiatives. For more information, including subscription information, + please see the :yocto_lists:`yocto-security mailing list info page `. + + - Private List: security [at] yoctoproject [dot] org + + This is a private mailing list for reporting non-published potential + vulnerabilities. The list is monitored by the Yocto Project Security team. + + +What you should do if you find a security vulnerability +------------------------------------------------------- + +If you find a security flaw: a crash, an information leakage, or anything that +can have a security impact if exploited in any Open Source software built or +used by the Yocto Project, please report this to the Yocto Project Security +Team. If you prefer to contact the upstream project directly, please send a +copy to the security team at the Yocto Project as well. If you believe this is +highly sensitive information, please report the vulnerability in a secure way, +i.e. encrypt the email and send it to the private list. This ensures that +the exploit is not leaked and exploited before a response/fix has been generated. 
+ +Security team +============= + +The Yocto Project/OpenEmbedded security team coordinates the work on security +subjects in the project. All general discussion takes place publicly. The +Security Team only uses confidential communication tools to deal with private +vulnerability reports before they are released. + +Security team appointment +------------------------- + +The Yocto Project Security Team consists of at least three members. When new +members are needed, the Yocto Project Technical Steering Committee (YP TSC) +asks for nominations by public channels including a nomination deadline. +Self-nominations are possible. When the limit time is +reached, the YP TSC posts the list of candidates for the comments of project +participants and developers. Comments may be sent publicly or privately to the +YP and OE TSCs. The candidates are approved by both YP TSC and OpenEmbedded +Technical Steering Committee (OE TSC) and the final list of the team members +is announced publicly. The aim is to have people representing technical +leadership, security knowledge and infrastructure present with enough people +to provide backup/coverage but keep the notification list small enough to +minimize information risk and maintain trust. + +YP Security Team members may resign at any time. + +Security Team Operations +------------------------ + +The work of the Security Team might require high confidentiality. Team members +are individuals selected by merit and do not represent the companies they work +for. They do not share information about confidential issues outside of the team +and do not hint about ongoing embargoes. + +Team members can bring in domain experts as needed. Those people should be +added to individual issues only and adhere to the same standards as the YP +Security Team. + +The YP security team organizes its meetings and communication as needed. 
+ +When the YP Security team receives a report about a potential security +vulnerability, they quickly analyze and notify the reporter of the result. +They might also request more information. + +If the issue is confirmed and affects the code maintained by the YP, they +confidentially notify maintainers of that code and work with them to prepare +a fix. + +If the issue is confirmed and affects an upstream project, the YP security team +notifies the project. Usually, the upstream project analyzes the problem again. +If they deem it a real security problem in their software, they develop and +release a fix following their security policy. They may want to include the +original reporter in the loop. There is also sometimes some coordination for +handling patches, backporting patches etc, or just understanding the problem +or what caused it. + +When the fix is publicly available, the YP security team member or the +package maintainer sends patches against the YP code base, following usual +procedures, including public code review. + +What Yocto Security Team does when it receives a security vulnerability +----------------------------------------------------------------------- + +The YP Security Team team performs a quick analysis and would usually report +the flaw to the upstream project. Normally the upstream project analyzes the +problem. If they deem it a real security problem in their software, they +develop and release a fix following their own security policy. They may want +to include the original reporter in the loop. There is also sometimes some +coordination for handling patches, backporting patches etc, or just +understanding the problem or what caused it. + +The security policy of the upstream project might include a notification to +Linux distributions or other important downstream projects in advance to +discuss coordinated disclosure. These mailing lists are normally non-public. 
+ +When the upstream project releases a version with the fix, they are responsible +for contacting `Mitre `__ to get a CVE number assigned and +the CVE record published. + +If an upstream project does not respond quickly +----------------------------------------------- + +If an upstream project does not fix the problem in a reasonable time, +the Yocto's Security Team will contact other interested parties (usually +other distributions) in the community and together try to solve the +vulnerability as quickly as possible. + +The Yocto Project Security team adheres to the 90 days disclosure policy +by default. An increase of the embargo time is possible when necessary. + +Current Security Team members +----------------------------- + +For secure communications, please send your messages encrypted using the GPG +keys. Remember, message headers are not encrypted so do not include sensitive +information in the subject line. + + - Ross Burton: `Public key `__ + + - Michael Halstead: + `Public key `__ + or `Public key `__ + + - Richard Purdie: `Public key `__ + + - Marta Rybczynska: `Public key `__ + + - Steve Sakoman: `Public key `__ From patchwork Tue Oct 31 09:37:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Opdenacker X-Patchwork-Id: 33156 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1FD8EC4332F for ; Tue, 31 Oct 2023 09:37:50 +0000 (UTC) Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) by mx.groups.io with SMTP id smtpd.web10.182204.1698745061662440362 for ; Tue, 31 Oct 2023 02:37:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=gm1 header.b=Ie2T7lWD; spf=pass (domain: bootlin.com, ip: 217.70.183.200, 
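Review bot: the "Current Security Team members" section tells reporters to encrypt with the linked GPG keys but gives no fingerprints, so a reporter has no way to check that a key fetched from one of those links is the key the team member actually holds; list each key's fingerprint next to its link so the key can be verified before a sensitive report is encrypted to it. In the same hunk, the section "What Yocto Security Team does when it receives a security vulnerability" repeats almost word for word the upstream-notification paragraph just above it ("If the issue is confirmed and affects an upstream project, the YP security team notifies the project. Usually, the upstream project analyzes the problem again."); keep one copy. Small wording fixes while here: "When the limit time is reached" should read "When the deadline is reached", "The YP Security Team team performs" has a doubled "team", and "Mitre" is normally written MITRE.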
mailfrom: michael.opdenacker@bootlin.com) Received: by mail.gandi.net (Postfix) with ESMTPSA id BE4E72000A; Tue, 31 Oct 2023 09:37:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1; t=1698745059; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=r6eT10Hh5Sbq/JO/AV+jjcJiIS2RbGIqJ2rnktXR1SY=; b=Ie2T7lWDN53k4sLsqH+2K1Hkp32HLn7Ee31oQaB2q1tOWx9HLo+oEE5Z3QQcUtbxKNtRJP CwInFBs0O5+T1swfulT8JUyDrXuQ23ZeFbqcakXMbz6WhcUrt0UQar9VWUaOZISgiCct8n QtepdrRhCs61ioYMBFm7hRzspRd7wOc2Jrnr7ZgBQzPDX0VkZ03iRALNbtCO0b6FEZntaf iihk6s5lfrjBhC6HBMkFm3Z5qTUBt7CVmJCMkBXCOjlKEe4RFo8v8y0ajsZP9gpk9HndU3 ryswabncvUaaztKWp+XzGRhQJFNKTyvAowynHr7Y6qOorrIKJMpt4ItXowB2XA== From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: Michael Opdenacker Subject: [kirkstone][PATCH 3/3] test-manual: reproducible-builds: stop mentioning LTO bug Date: Tue, 31 Oct 2023 10:37:16 +0100 Message-Id: <20231031093716.1792379-4-michael.opdenacker@bootlin.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231031093716.1792379-1-michael.opdenacker@bootlin.com> References: <20231031093716.1792379-1-michael.opdenacker@bootlin.com> MIME-Version: 1.0 X-GND-Sasl: michael.opdenacker@bootlin.com List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 31 Oct 2023 09:37:50 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4533 From: Michael Opdenacker Now that https://bugzilla.yoctoproject.org/show_bug.cgi?id=14481 is closed. Signed-off-by: Michael Opdenacker --- documentation/test-manual/reproducible-builds.rst | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/documentation/test-manual/reproducible-builds.rst b/documentation/test-manual/reproducible-builds.rst index 5977366c9e..6994989f7c 100644 
--- a/documentation/test-manual/reproducible-builds.rst +++ b/documentation/test-manual/reproducible-builds.rst @@ -68,17 +68,6 @@ things we do within the build system to ensure reproducibility include: - Filtering the tools available from the host's ``PATH`` to only a specific set of tools, set using the :term:`HOSTTOOLS` variable. -.. note:: - - Because of an open bug in GCC, using ``DISTRO_FEATURES:append = " lto"`` or - adding ``-flto`` (Link Time Optimization) to ``CFLAGS`` makes the resulting - binary non-reproducible, in that it depends on the full absolute build path - to ``recipe-sysroot-native``, so installing the Yocto Project in a different - directory results in a different binary. - - This issue is addressed by - :yocto_bugs:`bug 14481 - Programs built with -flto are not reproducible`. - ========================================= Can we prove the project is reproducible? =========================================
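Review bot: dropping the LTO caveat on the kirkstone branch is only correct if the toolchain fix that closed bug 14481 is actually present in kirkstone's GCC; the commit message says only that the bug is closed, not that the fix was backported to this release. Please confirm the kirkstone toolchain carries the fix (or cite the kirkstone commit that does) before removing the note, otherwise kirkstone users building with ``DISTRO_FEATURES:append = " lto"`` or ``-flto`` in ``CFLAGS`` keep hitting the path-dependent, non-reproducible output the removed note warned about, with no documentation left to explain it.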