
Linux CI/CD Integration

This document explains the general steps required to integrate EIV into a CI/CD system that builds Linux-based firmware.

Make sure to verify the Linux system requirements before attempting to install EIV.

EIV Artifacts

The Linux EIV software package contains the EIV binary, libraries and configuration files required to install EIV in a Linux-based firmware. The key files are:

  • EIV Communication service: Responsible for communication with the Sternum Platform via a TLS encrypted communication channel.

    • Requires root permissions.
  • EIV Security service: Responsible for deploying the cyber security runtime protection into the entire user-space.

    • Requires unrestricted root permissions.
  • Configuration file.


List of files:

File                Type                UID/GID   Permissions   Description
libsternum.so       Shared object       root      -r--r--r--    EIV protection and monitoring
sternum_sec         Executable          root      -r-xr--r--    EIV protection service
sternum_com         Executable          root      -r-xr--r--    EIV communication service
configuration.json  Configuration file  root      -r--r--r--    EIV configuration file

Integration Prerequisites

A one-time configuration is needed when integrating with the build system:

  1. Update the firmware configuration to allow outgoing TLS network connections to remote port TCP:5001.

  2. Configure the Device Profile Identifier: Each firmware release is identified by a Device Profile Identifier. New Device Profile Identifiers are obtained from your Sternum Platform account. Set the device_definition_id JSON property in the configuration.json file to your Device Profile Identifier value.

    • Open the /opt/sternum/configuration.json file with a text editor and replace the device_definition_id property value 1234 with your Device Profile Identifier value:
      {
        "communication": {
          "dashboard_domain": "127.0.0.1",
          "dashboard_port": 5001,
          "transmission_delay_seconds": 60,
          "device_definition_id": 1234,
          "cool_down_in_miscroseconds": 300000,
          ...
  3. Create the appropriate startup commands/files (e.g. init.d or systemd service files) to start the Sternum components upon boot.
    The general way to start EIV services is:

    • To start the sternum_com service:
      cd /opt/sternum ; /opt/sternum/sternum_com /opt/sternum/configuration.json
    • To start the sternum_sec service:
      /opt/sternum/sternum_sec /opt/sternum/libsternum.so

    Examples of service files are provided in the package and below.
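The following script is an added example of how steps 2 and 3 above can be automated in a CI job; it is not part of the Sternum package. It assumes the firmware root filesystem is being assembled in a staging directory (passed as the first argument) that already contains the EIV artifacts under /opt/sternum, and that the Device Profile Identifier arrives from the CI system as the second argument. The identifier is validated as a plain integer before it is written, the edit is only kept if exactly one device_definition_id property was replaced, and the file's mode from the artifacts table is preserved. The systemd unit it writes is an assumption based on the init script on this page (which backgrounds sternum_com, so the binary is taken to run in the foreground); the script name eiv_ci_config.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not the Sternum package's own tooling): one-time CI
# configuration of an EIV-enabled rootfs. Assumptions: $1 is the rootfs staging
# tree with EIV artifacts already under /opt/sternum, $2 is the Device Profile
# Identifier obtained from the Sternum Platform account.
set -eu

STERNUM_DIR=/opt/sternum   # install directory used throughout this page

# Set device_definition_id in a configuration.json. Arguments: config path,
# identifier. The identifier must be a plain integer so a malformed CI variable
# cannot inject extra JSON, and exactly one replacement must have happened.
set_device_definition_id() {
    cfg="$1"; profile_id="$2"
    case "$profile_id" in
        ''|*[!0-9]*) echo "invalid Device Profile Identifier: '$profile_id'" >&2; return 1 ;;
    esac
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    mode=$(stat -c %a "$cfg")   # keep the table's -r--r--r-- after rewriting
    # Write to a temporary file: 'sed -i' differs between GNU and BusyBox sed.
    sed 's/"device_definition_id"[[:space:]]*:[[:space:]]*[0-9][0-9]*/"device_definition_id": '"$profile_id"'/' \
        "$cfg" > "$cfg.tmp" || return 1
    n=$(grep -Ec '"device_definition_id": '"$profile_id"'([^0-9]|$)' "$cfg.tmp" || true)
    if [ "$n" -ne 1 ]; then
        rm -f "$cfg.tmp"
        echo "expected exactly one device_definition_id in $cfg, found $n" >&2
        return 1
    fi
    mv "$cfg.tmp" "$cfg" && chmod "$mode" "$cfg"
}

# Write a systemd unit for the communication service into the tree and enable
# it offline (the symlink is what 'systemctl enable' would create on the
# device). Type=simple is an assumption: the init script on this page
# backgrounds sternum_com, so it is taken to stay in the foreground. Prefer the
# service files shipped in the package where they differ from this one.
write_sternum_com_unit() {
    rootfs="$1"
    unit_dir="$rootfs/etc/systemd/system"
    mkdir -p "$unit_dir/multi-user.target.wants"
    cat > "$unit_dir/sternum_com.service" <<EOF
[Unit]
Description=Sternum communication service
# Needs an outgoing TLS connection to TCP port 5001, so wait for the network.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
WorkingDirectory=$STERNUM_DIR
ExecStart=$STERNUM_DIR/sternum_com $STERNUM_DIR/configuration.json
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
    ln -sf ../sternum_com.service "$unit_dir/multi-user.target.wants/sternum_com.service"
}

main() {
    rootfs="$1"; profile_id="$2"
    set_device_definition_id "$rootfs$STERNUM_DIR/configuration.json" "$profile_id"
    write_sternum_com_unit "$rootfs"
}

# Usage: sh eiv_ci_config.sh ./rootfs 98765   (without arguments only the functions are defined)
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run this step with the same privileges as the artifact staging step: if configuration.json has already been installed as root with mode 0444, a non-root CI user cannot restore the mode afterwards and the step fails, which is the intended signal.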

EIV Monitoring and Protection Modes

EIV provides both protection and monitoring by default. It can also be configured to run in a monitoring-only mode, which provides reporting of detected attacks without prevention. Contact Sternum if you need to run EIV in that mode.

Installation Steps

An automatic installation process shall include the following steps:

  1. Create the /data/sternum directory on a persistent RW filesystem in the firmware.
  2. Create the /opt/sternum directory on a persistent RO filesystem (if possible) in the firmware.
  3. Copy the EIV artifacts with the appropriate permissions to /opt/sternum/ (see the EIV Artifacts table above).
  4. Install/configure the startup files/commands (see the Integration Prerequisites section above) in the Linux image.
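As an added example of steps 1 to 3 (not the Sternum package's own installer), the script below stages the four artifacts into a rootfs tree with the owner and modes from the EIV Artifacts table, then re-reads the modes so the CI job fails if a umask or a later build step changed them. It assumes the unpacked EIV package directory and the rootfs staging directory are passed as arguments; root:root ownership is applied only when the job runs as root (for example under fakeroot), otherwise the image packaging step is expected to assign it.

```shell
#!/bin/sh
# Added example (not the Sternum package's own installer): stage EIV artifacts
# into a rootfs with the owner/modes from the EIV Artifacts table.
# Assumptions: $1 = directory holding the unpacked EIV package,
#              $2 = rootfs staging directory.
set -eu

STERNUM_DIR=/opt/sternum     # artifacts; on a read-only filesystem if possible
STERNUM_DATA=/data/sternum   # persistent read-write data
ARTIFACTS="libsternum.so sternum_sec sternum_com configuration.json"

# Mode per artifact from the table: -r--r--r-- = 0444, -r-xr--r-- = 0544.
mode_for() {
    case "$1" in
        sternum_sec|sternum_com)          echo 0544 ;;
        libsternum.so|configuration.json) echo 0444 ;;
        *) echo "unknown EIV artifact: $1" >&2; return 1 ;;
    esac
}

# Copy one artifact. root:root is only requested when running as root (e.g.
# inside fakeroot); otherwise ownership is left to the image packaging step.
stage_artifact() {
    pkg_dir="$1"; rootfs="$2"; name="$3"
    mode=$(mode_for "$name") || return 1
    [ -f "$pkg_dir/$name" ] || { echo "missing artifact $pkg_dir/$name" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m "$mode" "$pkg_dir/$name" "$rootfs$STERNUM_DIR/$name"
    else
        install -m "$mode" "$pkg_dir/$name" "$rootfs$STERNUM_DIR/$name"
    fi
}

# Report every artifact whose mode differs from the table; return 1 if any does.
verify_modes() {
    rootfs="$1"; bad=0
    for name in $ARTIFACTS; do
        want=$(mode_for "$name")
        have=$(stat -c %a "$rootfs$STERNUM_DIR/$name")
        if [ "$have" -ne "$want" ]; then
            echo "mode mismatch: $name is $have, table says $want" >&2; bad=1
        fi
    done
    return $bad
}

# Steps 1-3 of the installation: create both directories, stage the artifacts,
# then check the result.
install_eiv() {
    pkg_dir="$1"; rootfs="$2"
    mkdir -p "$rootfs$STERNUM_DIR" "$rootfs$STERNUM_DATA"
    for name in $ARTIFACTS; do
        stage_artifact "$pkg_dir" "$rootfs" "$name" || return 1
    done
    verify_modes "$rootfs"
}

# Usage: sh eiv_install.sh ./eiv-package ./rootfs   (hypothetical script name)
if [ "$#" -eq 2 ]; then install_eiv "$@"; fi
```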

Verifying EIV installation

  1. (Re)Boot the device/firmware.
  2. Verify that the sternum_com service is running, using one of:
    • pidof sternum_com or ps | grep sternum_com
    • If using systemd, the systemctl status command:
      systemctl status sternum_com.service
      > sternum_com.service loaded active running Sternum communication service
  3. Verify that sternum_sec is running: run
      cat /proc/*/maps | grep sternum
     and check for record(s) of libsternum.
  4. Connect to your Sternum Platform account and navigate to your device profile from the Sternum Platform Device Profile View. See also Device Profile. On the Device Profile screen, click the Show Data button on the right-middle of the screen (shown in the red box below):

Then verify that some data is received from your device (you should see your device identifier in the Device Id column of the table), for example Process Exit, Execute or Fork events:
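The on-device checks in steps 2 and 3 above, as an added example script that is not part of the Sternum package. It goes slightly beyond the raw grep by listing which PIDs have libsternum mapped, which is what you want when only some processes turn out to be protected. The /proc root is a parameter so the same function can be pointed at a copied /proc tree from a support bundle; reading other processes' maps files normally requires root, so run it as root on the device.

```shell
#!/bin/sh
# Added example (not part of the Sternum package): post-boot verification of an
# EIV installation. Assumption: the optional first argument "run" executes the
# checks, the optional second argument is the /proc root (default /proc).
set -u

# Print the PID(s) of sternum_com and return 0, or return 1 if none is running.
com_running() {
    if command -v pidof >/dev/null 2>&1; then
        pidof sternum_com
    else
        # BusyBox 'ps' may not support options; match the command name in the
        # default listing and keep the PID column.
        ps | grep -v grep | grep sternum_com | awk '{print $1}' | grep .
    fi
}

# Print the PID of every process whose memory map contains libsternum (the
# protection deployed by sternum_sec) and return 0; return 1 if there is none.
lib_loaded() {
    proc_root="${1:-/proc}"; found=0
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # no match, or not readable (not root)
        if grep -q 'libsternum' "$maps" 2>/dev/null; then
            pid=${maps#"$proc_root"/}; pid=${pid%/maps}
            echo "$pid"; found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Run both checks, print a one-line verdict each, return non-zero on any failure.
verify_eiv() {
    proc_root="${1:-/proc}"; rc=0
    if pids=$(com_running); then
        echo "OK   sternum_com running (pid $(echo "$pids" | tr '\n' ' '))"
    else
        echo "FAIL sternum_com is not running"; rc=1
    fi
    if pids=$(lib_loaded "$proc_root"); then
        echo "OK   libsternum mapped in $(echo "$pids" | wc -l | tr -d ' ') process(es)"
    else
        echo "FAIL libsternum is not mapped in any process"; rc=1
    fi
    return $rc
}

# Usage on the device: sh verify_eiv.sh run   (hypothetical script name)
case "${1:-}" in run) verify_eiv "${2:-/proc}" ;; esac
```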

Examples of service files

sternumcom.init

#!/bin/sh /etc/rc.common
# OpenWrt-style init script: rc.common dispatches start/stop to the functions below.

START=80

STERNUM_DIR=/opt/sternum
STERNUM_APP_NAME=sternum_com
STERNUM_APP=$STERNUM_DIR/$STERNUM_APP_NAME

start() {
    echo "Starting $STERNUM_APP"
    # sternum_com is started from its install directory and backgrounded.
    cd "$STERNUM_DIR" ; "$STERNUM_APP" "$STERNUM_DIR/configuration.json" &
}

stop() {
    echo "Stopping $STERNUM_APP"
    killall "$STERNUM_APP_NAME"
}

sternumsec.init

#!/bin/sh /etc/rc.common
# OpenWrt-style init script: rc.common dispatches start/stop to the functions below.

START=80

STERNUM_DIR=/opt/sternum
STERNUM_APP_NAME=sternum_sec
STERNUM_APP=$STERNUM_DIR/$STERNUM_APP_NAME

start() {
    echo "Starting $STERNUM_APP"
    # The argument is the path of libsternum.so as installed in the image; the
    # startup command under Integration Prerequisites uses $STERNUM_DIR/libsternum.so.
    cd "$STERNUM_DIR" ; "$STERNUM_APP" /lib/libsternum.so
}

stop() {
    echo "Stopping $STERNUM_APP"
    killall "$STERNUM_APP_NAME"
}