SEAPATH-Debian or SEAPATH-Yocto

Version

• Debian 12 (current)

• Debian 11 (legacy)

• Yocto scarthgap (current LTS)

• Yocto Kirkstone (previous LTS)

Features

• Host

  • Virtualization (KVM)

  • Containers (Optional with Docker)

• Linux-RT

• Ceph

• Pacemaker/Corosync

• Host

  • Virtualization (KVM)

  • Containers (Optional with Docker)

• Linux-RT

• Ceph

• Pacemaker/Corosync

Build

• Use FAI to create a disk installation with default configuration

• No build of packages: use pre-build package from Debian

• Build every software from the source code

Customization

• Ability to customize libraries and binaries by using and compiling the debian source packages

• Ability to customize libraries and binaries
  
  

  • Customization could be done by Yocto community

  • Customization could be done by SEAPATH community

  • Customization could be done by third-party community

Configuration

• Done by Ansible on run-time

• Done on build-time

• Done by Ansible on run-time

Updates

• Uses apt to update packages

• update custom application with ansible

• Use LVM snapshots (including /boot, grub, etc.) for rollback in case of fault

• Update the entire operating system

  • A/B update mechanism using SwUpdate

  • Atomic update

  • Automatic rollback mechanism in case of fault

Package management

• Uses APT

• Every package is built and installed by Yocto

• Each package can be modified to remove useless features

Reproductibility

• Available on most packages individually, but not for Debian as a whole (Debian reproducible builds)

• Fully reproducible builds

Cybersecurity

• Hardening ansible playbooks for compliance with ANSSI NT-28, compliance matrix provided in the CI reporting

• Compilation flags
  
  

  • Debian stock configuration flags

• Linux Kernel hardening

  • Debian stock kernel config

  • Designed to work with many kinds of machines and use cases

  • hardening can be done by kernel boot params (done with the debian hardening playbook)

• Minimization of services

  • only essential packages are installed with their mandarory requirements (no "recommended packages" are installed)

  • hardening playbooks restrict listening services to minimum

• Compilation flags
  
  

  • Done (TO DETAIL)

• Linux Kernel hardening

  • SEAPATH specific kernel configuration with hardening

  • Done (TO DETAIL)

• Minimization of services

  • Done

SBOM

• Analyzed / 3rd party SBOM

  • Created on the target without knowing build process

  • Done with heuristics and Debian database

  • Contains less information

• Require external tools

• Build and Source SBOM

• Generation integrated in the Yocto Project

CVE management

• CVE uploaded on the Debian security tracker

• End user cannot patch the CVE itself

• Issue is fixed by the Debian community

  • Strong community, but various response time

  • Patch may be applied to the next Debian version and not the current one.

• CVE of each package uploaded to the NIST database

• Patch can be provided

  • By package community

  • By Yocto community

  • By SEAPATH user itself

• Patch can be applied

  • manually by SEAPATH user

  • by updating the package to the next version

Maintenance

• Ease of use, maintenance is mostly outsourced to the debian community

• Require package mirror to create the disk offline

• steeper learning curve

• Require time and strong machine to build

  • (ex: 4h on 32 cores 64G RAM machine)

• require mirroring all sources to build offline