diff options
| author |   mudcam <v.nieutin@live.fr> | 2017-12-08 23:03:53 +0100 |
|---|---|---|
| committer | mudcam <v.nieutin@live.fr> | 2017-12-08 23:03:53 +0100 |
| commit | e83b83378265d76df0113705e2be867814f2774e (patch) | |
| tree | 0073ad3145aa19384ad6544317e6b657a8c4fd44 | |
| parent | 2b6888d31c836c084f9650563bf6af44b0a6120d (diff) | |
Jan-Simon's feedback
| -rw-r--r-- | security-blueprint/annexes/todoNotes.md | 12 | ||||
| -rw-r--r-- | security-blueprint/part-2/2-Communication-modes.md | 6 | ||||
| -rw-r--r-- | security-blueprint/part-4/1-General.md | 16 |
3 files changed, 31 insertions, 3 deletions
diff --git a/security-blueprint/annexes/todoNotes.md b/security-blueprint/annexes/todoNotes.md index e5f6377..adf9773 100644 --- a/security-blueprint/annexes/todoNotes.md +++ b/security-blueprint/annexes/todoNotes.md @@ -17,6 +17,18 @@ Domain | Improvement --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Hypervisor-Abstract-1 | Complete Hypervisor part ([jailhouse](https://github.com/siemens/jailhouse) / [KVM](https://www.linux-kvm.org/page/Main_Page) / [Xen](https://www.xenproject.org/developers/teams/embedded-and-automotive.html)). +Domain | Improvement +------------ | ---------------- +Kernel-MAC-1 | Add MAC config note. + +Domain | Improvement +-------------------------------- | ----------------------------- +Kernel-General-IndependentExec-1 | Kernel or/and platform part ? + +Domain | Improvement +------------------------------- | --------------- +Kernel-General-LibraryLinking-1 | Keep this part? + Domain | Improvement ------------------- | ----------- Platform-Services-1 | SystemD ? diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md index 165f8fd..6513475 100644 --- a/security-blueprint/part-2/2-Communication-modes.md +++ b/security-blueprint/part-2/2-Communication-modes.md @@ -45,10 +45,10 @@ Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_ -------------------------------------------------------------------------------- -## Disable all Network Interfaces +## Disable all unused Network Interfaces -Preferably no network interface is allowed, but if required, then the enabled -services should be restricted to only those used. +Only used network interfaces should be enabled. +Where possible, services should also be limited to those necessary. <!-- config --> diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index 6f951db..2811514 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md @@ -187,6 +187,14 @@ Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_ ## Position Independent Executables +<!-- todo --> + +Domain | Improvement +-------------------------------- | ----------------------------- +Kernel-General-IndependentExec-1 | Kernel or/and platform part ? + +<!-- endtodo --> + <!-- config --> Domain | `compiler` and `linker` options | _State_ @@ -220,6 +228,14 @@ During program load, all dynamic symbols are resolved, allowing for the complete ## Library linking +<!-- todo --> + +Domain | Improvement +------------------------------- | --------------- +Kernel-General-LibraryLinking-1 | Keep this part? + +<!-- endtodo --> + It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement. <!-- config --> |