
PROCESSOR-SDK-AM335X: Security Audit: Kernel Vulnerabilities in TISDK 9.1 (Linux 6.1) – Guidance Needed

Part Number: PROCESSOR-SDK-AM335X

Hello TI Support,

We are using TISDK 09_01_00_001 in our project, which includes Linux kernel version 6.1.46. During a recent security audit, we received an extensive report highlighting many vulnerabilities in the kernel version used in the SDK. Unfortunately, we cannot upgrade the kernel easily, as doing so may introduce compatibility issues with other components provided in TISDK 09_01_00_001 (userspace libraries, drivers, etc.).

We have the following questions and would appreciate your guidance:

  1. How does TI handle known CVEs in the kernel version bundled with TISDK 09_01_00_001?

  2. Are security patches backported into the 6.1.46 kernel branch within the SDK, even if the version string doesn't change?

  3. Is there an official security update policy for TISDK releases?

  4. If we do attempt a kernel upgrade (e.g., to a newer LTS 6.1.x or 6.6), what should we watch out for regarding compatibility with TISDK 9.1 userland libraries and tools?

We want to ensure our system is secure while staying within the supported boundaries of the TISDK.

Thank you,
Neha Gupta

  • Linux CVEs flow through the stable update process.

    The latest AM335 release is 9.3 Ref: https://software-dl.ti.com/processor-sdk-linux/esd/AM335X/09_03_05_02/exports/docs/devices/AM335X/linux/Release_Specific_Release_Notes.html 

    As you can see here, this contains:

    Linux Stable Upgrade to 6.1.119

    The equivalent SDK Yocto LTS is Kirkstone; those Yocto branches were also updated to the latest.

    --

    Further reading on CVE process of

    Kernel : https://docs.kernel.org/process/cve.html 

    Yocto Distro: https://docs.yoctoproject.org/dev/dev-manual/vulnerabilities.html 

    --

    Further reading on Long Stable versions of

    Kernel: https://www.kernel.org/category/releases.html 

    Yocto Distro: https://wiki.yoctoproject.org/wiki/Releases 

  • Just to add to Praneeth's comments:

    For older products such as AM335x we have about a yearly cadence for SDK releases. So if you can't wait you can at least watch what is happening on TI side using our CI/CD links:

    https://software-dl.ti.com/cicd-report/linux/index.html?section=platform&platform=am335x

    If you miss any important issue you can fall back to the normal upstream kernel trees from the community. Ultimately this will always be the fastest and most reliable way to get to a state-of-the-art code base.

  • Attachment: kernel_vulnerabilities.xlsx

    Hi [TI Support/Team],

    Thank you for your earlier responses and the helpful links.

    Just to give you more context — as part of our project security audit, we received a report listing over 4000 vulnerabilities (we had also attached an Excel sheet earlier). Since we are using TISDK 9.1, we wanted to understand how many of these CVEs are already addressed through the kernel (6.1.x) or other components in this SDK.

    From your reply, we understand that CVE fixes are handled through the stable kernel update process, and newer versions like TISDK 9.3 (with kernel 6.1.119) include many of these patches. However, we’re currently close to a product release and have limited flexibility to upgrade the entire SDK right now, having already spent months migrating to 9.1.

    We wanted to confirm the following:

    1. Is it acceptable to continue with TISDK 9.1, while we track and patch only critical CVEs ourselves as needed?

    2. Is there a recommended way to cross-check our list of CVEs (from the audit) against what has already been patched in the kernel used in TISDK 9.1?

    3. Are there any known major security gaps in 9.1 that would make releasing with it strongly discouraged?

    We greatly appreciate your clarification, as this will help us decide how to move forward while balancing release timelines and security concerns.

  • Hi Neha,

    I don't think TI is able to answer your questions. This is a specific use case and we don't know your product. You may consult an external security company to work on that topic, but ultimately it is your decision what SW to use.

    I am wondering a bit about the provided vulnerabilities report. For some reason it seems your security audit covered the full kernel sources. But your device definitely has a kernel config that is targeting the TI processor and related interfaces only. So many of the CVEs probably do not even affect your device, as the related code might not be in use at all since it is specific to different HW. To my mind a "project security audit" should cover the configured kernel and not just list EVERY known CVE for a certain kernel release. Linux kernel source is really too big... Stripping down to relevant CVEs will help to cross-check for available patches. Then you have the option to migrate to a later kernel in the same LTS chain or backport any patches. I assume in any case you will need to re-test your system.

    Concerning criticality, I would suggest sorting relevant CVEs by score (available in your sheet). That should give a first indication of criticality to work with. Combining that with your own product risk assessment should be a good start.
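The cross-check asked about in question 2 of the previous post (which audit CVEs are already fixed in the shipped 6.1.x kernel) and the filtering and sorting this reply recommends (drop CVEs whose code is not built into the device's kernel config, then rank the rest by score) can be done mechanically. The following is an added Python example, not code from TI or from anyone in this thread. It assumes hypothetical input shapes the thread only describes: the audit sheet exported as records carrying the CVE id, CVSS score, the CONFIG_* symbol guarding the affected code, and the first fixed release per stable branch (the kernel.org CVE process publishes fix commits, from which those versions are derived); the running kernel version string; and the device's kernel `.config`. Every sample value below is constructed.

```python
"""Triage a kernel CVE audit list against the kernel actually shipped on the device.

Added example for this thread, not TI's or the poster's code. Inputs are in
hypothetical shapes: audit records (CVE id, CVSS score, guarding CONFIG_* symbol,
first fixed release per stable branch), the running kernel version, and the
device's kernel .config text. Every sample value below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CveRecord:
    cve_id: str
    score: float                    # CVSS base score as given in the audit sheet
    config_symbol: Optional[str]    # CONFIG_* guarding the affected code; None = always built
    fixed_in: Dict[str, str]        # stable branch ("6.1") -> first release carrying the fix


def parse_version(version: str) -> Tuple[int, int, int]:
    """'6.1.46' -> (6, 1, 46); '6.6' -> (6, 6, 0). Tuples compare in release order."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups(default="0"))
    return (major, minor, patch)


def branch_of(version: str) -> str:
    """Stable branch a release belongs to: '6.1.46' -> '6.1'."""
    major, minor, _ = parse_version(version)
    return f"{major}.{minor}"


def enabled_symbols(config_text: str) -> set:
    """CONFIG_* symbols built in (=y) or as modules (=m); '# ... is not set' lines are ignored."""
    enabled = set()
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_[A-Za-z0-9_]+)=(y|m)$", line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled


def triage(records: List[CveRecord], running_version: str, config_text: str) -> dict:
    """Split the audit list into three buckets for the running kernel.

    fixed:     the fix is already in the running stable release
    not_built: the guarding CONFIG symbol is off, so that code is not in this image
               (a heuristic: the symbol mapping in the audit still needs review)
    open:      still relevant; sorted by score, with the cheapest remedy named
    """
    running = parse_version(running_version)
    branch = branch_of(running_version)
    enabled = enabled_symbols(config_text)
    result: dict = {"fixed": [], "not_built": [], "open": []}
    for rec in records:
        fix = rec.fixed_in.get(branch)
        if fix is not None and parse_version(fix) <= running:
            result["fixed"].append(rec.cve_id)
        elif rec.config_symbol is not None and rec.config_symbol not in enabled:
            result["not_built"].append(rec.cve_id)
        else:
            action = f"upgrade to {fix}" if fix else f"backport needed (no {branch} fix listed)"
            result["open"].append((rec.cve_id, rec.score, action))
    result["open"].sort(key=lambda item: item[1], reverse=True)
    return result


# Constructed sample .config fragment (not a real AM335x defconfig).
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_NET=y
CONFIG_USB=y
CONFIG_TI_CPSW=y
# CONFIG_XFS_FS is not set
# CONFIG_NFC is not set
CONFIG_BLUETOOTH=m
"""

# Constructed sample audit rows; the CVE ids are placeholders, not real entries.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", 7.8, None, {"6.1": "6.1.40", "6.4": "6.4.5"}),
    CveRecord("CVE-0000-0002", 9.8, "CONFIG_XFS_FS", {"6.1": "6.1.50"}),
    CveRecord("CVE-0000-0003", 5.5, "CONFIG_NFC", {}),
    CveRecord("CVE-0000-0004", 8.8, "CONFIG_USB", {"6.1": "6.1.60"}),
    CveRecord("CVE-0000-0005", 7.1, "CONFIG_BLUETOOTH", {"6.6": "6.6.2"}),
    CveRecord("CVE-0000-0006", 4.3, None, {"6.1": "6.1.46"}),
]

if __name__ == "__main__":
    report = triage(SAMPLE_RECORDS, "6.1.46", SAMPLE_CONFIG)
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

On the constructed data, two CVEs are already fixed in 6.1.46, two touch code that this config does not build, and two remain open: one is closed by moving forward in the same 6.1 LTS chain, the other has no 6.1 fix listed and would need a backport. The "not built" bucket is only as good as the audit's CONFIG mapping, so it is a candidate list for review rather than a final verdict.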

  • Thank you for your response and the detailed explanation.

    I understand your points now and will connect with our code audit team to look into the kernel configuration scenario you mentioned. This will help us better filter and assess the reported vulnerabilities.

    Appreciate your support.

    Best regards,
    Neha