diff options
author | Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2020-10-14 13:26:09 +0200 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-10-14 11:28:17 +0000 |
commit | 93c1058794d8bdab19c49df6d402a40963be65ec (patch) | |
tree | ab893f78a3b9928cf409cd3b63f6129381e4f5aa /docs/2_Architecture_Guides/2.2_Security_Blueprint/2_Secure_Boot/1.2.2.2_Communication-modes.md | |
parent | 11d46ac01cf2b4bbc2e8ffe9b70ca27783af0137 (diff) |
Added Documentation for Jellyfish
(rewrote majority of them and updated with minor changes)
(removed whitespaces, added contribution guide, corrected rcar-gen3 section 7, added aglsetup.h flags to hardware support, some minor changes)
Bug-AGL: [SPEC-3633]
Signed-off-by: Shankho Boron Ghosh <shankhoghosh123@gmail.com>
Change-Id: Ifd6b3c1cdaa41f05a74c1affe6db9e24763921b9
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/documentation/+/25411
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'docs/2_Architecture_Guides/2.2_Security_Blueprint/2_Secure_Boot/1.2.2.2_Communication-modes.md')
-rw-r--r-- | docs/2_Architecture_Guides/2.2_Security_Blueprint/2_Secure_Boot/1.2.2.2_Communication-modes.md | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/2_Secure_Boot/1.2.2.2_Communication-modes.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/2_Secure_Boot/1.2.2.2_Communication-modes.md new file mode 100644 index 0000000..3381324 --- /dev/null +++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/2_Secure_Boot/1.2.2.2_Communication-modes.md @@ -0,0 +1,98 @@ +--- +edit_link: '' +title: Communication modes +origin_url: >- + https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-2/2-Communication-modes.md +--- + +<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml --> + +# Communication modes + +## Disable USB, Serial and DOCSIS Support + +To disable USB support in U-Boot, following config's shall not be defined: + +``` +CONFIG_CMD_USB: Enables basic USB support and the usb command. +CONFIG_USB_UHCI: Defines the lowlevel part. +CONFIG_USB_KEYBOARD: Enables the USB Keyboard. +CONFIG_USB_STORAGE: Enables the USB storage devices. +CONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support. +``` + +In addition, disable unnecessary communication modes like Ethernet, Serial +ports, DOCSIS in U-Boot and sboot that are not necessary. + +Linux Kernel support for USB should be compiled-out if not required. If it is +needed, the Linux Kernel should be configured to only enable the minimum +required USB devices. User-initiated USB-filesystems should be treated with +special care. Whether or not the filesystems are mounted in userspace +(**FUSE**), restricted mount options should be observed. + +<!-- section-config --> + +Domain | Communication modes | _State_ +-------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- +Boot-Communication-1 | `USB` | _Disabled_ and _Compiled-out_ if not required. +Boot-Communication-2 | `USB` | Else, Kernel should be configured to only enable the minimum required USB devices and filesystems should be treated with special care. +Boot-Communication-3 | `Ethernet` | _Disabled_ +Boot-Communication-4 | U-boot and sboot `DOCSIS` | _Disabled_ +Boot-Communication-5 | `Serial ports` | _Disabled_ + +<!-- end-section-config --> <!-- section-config --> + +Domain | `Config` name | _State_ +------------------------ | ----------------------- | ------------- +Boot-Communication-USB-1 | `CONFIG_CMD_USB` | _Not defined_ +Boot-Communication-USB-2 | `CONFIG_USB_UHCI` | _Not defined_ +Boot-Communication-USB-3 | `CONFIG_USB_KEYBOARD` | _Not defined_ +Boot-Communication-USB-4 | `CONFIG_USB_STORAGE` | _Not defined_ +Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_ + +<!-- end-section-config --> + +-------------------------------------------------------------------------------- + +## Disable all unused Network Interfaces + +Only used network interfaces should be enabled. +Where possible, services should also be limited to those necessary. + +<!-- section-config --> + +Domain | Communication modes | _State_ +-------------------- | -------------------- | --------------------------------------------------------------------------------------------- +Boot-Communication-1 | `Network interfaces` | Preferably _no network interface is allowed_, otherwise, restrict the services to those used. + +<!-- end-section-config --> + +## Remove or Disable Unnecessary Services, Ports, and Devices + +Restrict the `services`, `ports` and `devices` to those used. + +<!-- section-config --> + +Domain | Object | Recommendations +-------------------- | --------------------------------- | ------------------------------------------------------------- +Boot-Communication-1 | `Services`, `ports` and `devices` | Restrict the `services`, `ports` and `devices` to those used. + +<!-- end-section-config --> + +## Disable flash access + +**Recommendation**: + +In U-Boot following flash memory commands shall be disabled: + +**NAND**: Support for nand flash access available through `do_nand` has to be disabled. + +<!-- section-config --> + +Domain | `Command` name | _State_ +-------------------------- | -------------- | --------- +Boot-Communication-Flash-1 | `do_nand` | _Disable_ + +<!-- end-section-config --> + +Similarly sboot should disable flash access support through command line if any. |