summaryrefslogtreecommitdiffstats
path: root/security-blueprint
diff options
context:
space:
mode:
authormudcam <v.nieutin@live.fr>2017-12-08 23:03:53 +0100
committermudcam <v.nieutin@live.fr>2017-12-08 23:03:53 +0100
commite83b83378265d76df0113705e2be867814f2774e (patch)
tree0073ad3145aa19384ad6544317e6b657a8c4fd44 /security-blueprint
parent2b6888d31c836c084f9650563bf6af44b0a6120d (diff)
Jan-Simon's feedback
Diffstat (limited to 'security-blueprint')
-rw-r--r--security-blueprint/annexes/todoNotes.md12
-rw-r--r--security-blueprint/part-2/2-Communication-modes.md6
-rw-r--r--security-blueprint/part-4/1-General.md16
3 files changed, 31 insertions, 3 deletions
diff --git a/security-blueprint/annexes/todoNotes.md b/security-blueprint/annexes/todoNotes.md
index e5f6377..adf9773 100644
--- a/security-blueprint/annexes/todoNotes.md
+++ b/security-blueprint/annexes/todoNotes.md
@@ -17,6 +17,18 @@ Domain | Improvement
--------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hypervisor-Abstract-1 | Complete Hypervisor part ([jailhouse](https://github.com/siemens/jailhouse) / [KVM](https://www.linux-kvm.org/page/Main_Page) / [Xen](https://www.xenproject.org/developers/teams/embedded-and-automotive.html)).
+Domain | Improvement
+------------ | ----------------
+Kernel-MAC-1 | Add MAC config note.
+
+Domain | Improvement
+-------------------------------- | -----------------------------
+Kernel-General-IndependentExec-1 | Kernel or/and platform part ?
+
+Domain | Improvement
+------------------------------- | ---------------
+Kernel-General-LibraryLinking-1 | Keep this part?
+
Domain | Improvement
------------------- | -----------
Platform-Services-1 | SystemD ?
diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md
index 165f8fd..6513475 100644
--- a/security-blueprint/part-2/2-Communication-modes.md
+++ b/security-blueprint/part-2/2-Communication-modes.md
@@ -45,10 +45,10 @@ Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_
--------------------------------------------------------------------------------
-## Disable all Network Interfaces
+## Disable all unused Network Interfaces
-Preferably no network interface is allowed, but if required, then the enabled
-services should be restricted to only those used.
+Only used network interfaces should be enabled.
+Where possible, services should also be limited to those necessary.
<!-- config -->
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md
index 6f951db..2811514 100644
--- a/security-blueprint/part-4/1-General.md
+++ b/security-blueprint/part-4/1-General.md
@@ -187,6 +187,14 @@ Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_
## Position Independent Executables
+<!-- todo -->
+
+Domain | Improvement
+-------------------------------- | -----------------------------
+Kernel-General-IndependentExec-1 | Kernel or/and platform part ?
+
+<!-- endtodo -->
+
<!-- config -->
Domain | `compiler` and `linker` options | _State_
@@ -220,6 +228,14 @@ During program load, all dynamic symbols are resolved, allowing for the complete
## Library linking
+<!-- todo -->
+
+Domain | Improvement
+------------------------------- | ---------------
+Kernel-General-LibraryLinking-1 | Keep this part?
+
+<!-- endtodo -->
+
It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement.
<!-- config -->