-rw-r--r--  security-blueprint/annexes/ConfigNotes.md        | 16
-rw-r--r--  security-blueprint/part-2/0_Abstract.md          |  3
-rw-r--r--  security-blueprint/part-2/2-Communication-modes.md |  2
-rw-r--r--  security-blueprint/part-2/3-Consoles.md          |  4
-rw-r--r--  security-blueprint/part-3/0_Abstract.md          |  2
-rw-r--r--  security-blueprint/part-4/1-General.md           | 28
6 files changed, 37 insertions, 18 deletions
diff --git a/security-blueprint/annexes/ConfigNotes.md b/security-blueprint/annexes/ConfigNotes.md
index 3e1f295..f79f4fa 100644
--- a/security-blueprint/annexes/ConfigNotes.md
+++ b/security-blueprint/annexes/ConfigNotes.md
@@ -99,8 +99,8 @@ Boot-Consoles-MemDump-8 | `mtest` | _Disabled_
Boot-Consoles-MemDump-9 | `loopw` | _Disabled_
Domain | Object | Recommendations
--------------------- | ------ | --------------------
-Kernel-General-MAC-1 | SMACK | Must implement a MAC
+-------------------- | ------ | ------------------------------------------
+Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.
Domain | `Config` name | `Value`
---------------------- | -------------- | -------
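Review bot: the Object column still names SMACK while the rewritten recommendation is generic (`Must implement a Mandatory Access Control.`); say whether SMACK is the required implementation or only the reference one, e.g. `Must implement a Mandatory Access Control (SMACK is the reference implementation).` The same row is changed identically in part-4/1-General.md in this commit, so the annex copy stays in sync.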
@@ -131,9 +131,9 @@ Domain | `Config` name | `Value`
Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n`
Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n`
-Domain | `Config` name | `Value`
------------------------- | ------------- | -------
-Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n`
+Domain | `Config` name | `Value`
+------------------------ | ---------------- | -------
+Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`
Domain | `Config` name | `Value`
------------------------------ | ------------------------- | -------
@@ -453,10 +453,10 @@ Domain | Tech name | Recommendations
Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.
-Domain | Object | Recommendations
----------------------------- | ---------------- | ----------------------------------------
+Domain | Object | Recommendations
+---------------------------- | -------------- | --------------------------------------
Application-Cloud-Download-1 | authentication | Must implement authentication process.
-Application-Cloud-Download-2 | Authorization | Must implement Authorization process.
+Application-Cloud-Download-2 | Authorization | Must implement Authorization process.
Domain | Object | Recommendations
---------------------------------- | ------------- | ----------------------------------------------------------
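Review bot: the Object column is inconsistently cased in the two rows being touched (`authentication` vs `Authorization`) and both recommendations are missing an article; since the rows are rewritten anyway, suggest `Application-Cloud-Download-1 | Authentication | Must implement an authentication process.` and `Application-Cloud-Download-2 | Authorization | Must implement an authorization process.` The second row's only change in this hunk is whitespace alignment, which is fine.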
diff --git a/security-blueprint/part-2/0_Abstract.md b/security-blueprint/part-2/0_Abstract.md
index 5ebb750..6d10490 100644
--- a/security-blueprint/part-2/0_Abstract.md
+++ b/security-blueprint/part-2/0_Abstract.md
@@ -53,6 +53,7 @@ loads the Kernel/system image before passing control to it.
The following table lists the terms utilized within this part of the document.
Acronyms or Abbreviations | Description
-------------------------- | ---------------------------------
+------------------------- | -----------------------------------------------------------------------
_FUSE_ | **F**ilesystem in **U**ser**S**pac**E**
_OTP_ | **O**ne-**T**ime-**P**rogrammable
+_DOCSIS_ | **D**ata **O**ver **C**able **S**ervice **I**nterface **S**pecification
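Review bot: the new `_DOCSIS_` row is appended after `_OTP_`, which breaks the alphabetical order of the visible rows (`_FUSE_`, `_OTP_`); place it before `_FUSE_`. The widened separator row is needed for the long expansion and is fine.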
diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md
index d3a823c..165f8fd 100644
--- a/security-blueprint/part-2/2-Communication-modes.md
+++ b/security-blueprint/part-2/2-Communication-modes.md
@@ -1,6 +1,6 @@
# Communication modes
-## Disable USB, Serial and Docsis Support
+## Disable USB, Serial and DOCSIS Support
To disable USB support in U-Boot, following config's shall not be defined:
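Review bot: the heading fix to `DOCSIS` is right, but the unchanged line just below it reads `following config's shall not be defined`; while this section is being edited, change it to `the following configs shall not be defined`.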
diff --git a/security-blueprint/part-2/3-Consoles.md b/security-blueprint/part-2/3-Consoles.md
index 5adad3f..a2d1209 100644
--- a/security-blueprint/part-2/3-Consoles.md
+++ b/security-blueprint/part-2/3-Consoles.md
@@ -21,8 +21,8 @@ Boot-Consoles-1 | Secure loader: No reference earlier?
<!-- endtodo -->
-And set "**silent**" environment variable. For the Secure loader, disable the
-traces by undefined the below macro:
+And set "**silent**" environment variable. For the Secure loader,
+disable the traces by not defining the below macro:
<!-- config -->
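Review bot: the rewrap correctly replaces `undefined the below macro` with `not defining the below macro`, but the sentence still opens with `And set "**silent**" environment variable`; suggest `Also set the "**silent**" environment variable. For the Secure loader, disable the traces by not defining the macro below:`.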
diff --git a/security-blueprint/part-3/0_Abstract.md b/security-blueprint/part-3/0_Abstract.md
index 3fb8831..4fe7fb6 100644
--- a/security-blueprint/part-3/0_Abstract.md
+++ b/security-blueprint/part-3/0_Abstract.md
@@ -3,6 +3,8 @@
Definition: "A hypervisor or virtual machine monitor (VMM) is computer software,
firmware or hardware that creates and runs virtual machines".
+It must include a signature verification (possibly delegated).
+
<!-- todo -->
Domain | Improvement
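Review bot: the added sentence `It must include a signature verification (possibly delegated).` does not say what is to be verified or to whom verification may be delegated, and `It` is ambiguous directly after a quoted generic definition of a hypervisor. State the object and the actor explicitly (what the hypervisor must signature-check, and which component it may delegate that to) rather than leaving it as a bare requirement.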
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md
index 013762f..6f951db 100644
--- a/security-blueprint/part-4/1-General.md
+++ b/security-blueprint/part-4/1-General.md
@@ -1,17 +1,25 @@
# General configuration
-## MAC
+## Mandatory Access Control
Kernel should controls access with labels and policy.
<!-- config -->
Domain | Object | Recommendations
--------------------- | ------ | --------------------
-Kernel-General-MAC-1 | SMACK | Must implement a MAC
+-------------------- | ------ | ------------------------------------------
+Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.
<!-- endconfig -->
+<!-- todo -->
+
+Domain | Improvement
+------------ | ----------------
+Kernel-MAC-1 | Add MAC config note.
+
+<!-- endtodo -->
+
--------------------------------------------------------------------------------
## Disable kexec
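Review bot: the heading rename to `## Mandatory Access Control` drops the acronym that the Domain identifiers in this very hunk still use (`Kernel-General-MAC-1`, `Kernel-MAC-1`); suggest `## Mandatory Access Control (MAC)`. The unchanged line below it, `Kernel should controls access with labels and policy.`, has a verb-agreement error and should read `The kernel should control access with labels and policy.` Also, the new todo Domain `Kernel-MAC-1` does not follow the `Kernel-General-` prefix used by the config row just above it.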
@@ -129,9 +137,9 @@ This configuration for is supported in **Linux 3.16 and greater** and thus shoul
<!-- config -->
-Domain | `Config` name | `Value`
------------------------- | ------------- | -------
-Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n`
+Domain | `Config` name | `Value`
+------------------------ | ---------------- | -------
+Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`
<!-- endconfig -->
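Review bot: the context line at the top of this hunk reads `This configuration for is supported in **Linux 3.16 and greater**`; drop the stray `for` while this block is being edited. The `BPF_JIT` to `CONFIG_BPF_JIT` rename matches the annex change above and the `CONFIG_` naming of the other rows.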
@@ -139,6 +147,14 @@ Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n`
## Enable Enforced Module Signing
+The kernel should never allow an unprivileged user the ability to load specific kernel modules,
+since that would provide a facility to unexpectedly extend the available attack surface.
+
+To protect against even privileged users, systems may need to either disable
+module loading entirely, or provide signed modules
+(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having
+root load arbitrary kernel code via the module loader interface.
+
This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions.
<!-- config -->
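Review bot: the two added paragraphs read as copied verbatim from the kernel's Documentation/security/self-protection.rst (Kernel Self Protection Project); add a citation rather than presenting the text as the blueprint's own. Also, `provide signed modules (e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin)` lumps two different mechanisms together: `CONFIG_MODULE_SIG_FORCE` enforces module signatures, whereas LoadPin signs nothing and instead restricts module loading to a single trusted filesystem, which needs integrity protection (dm-crypt alone provides confidentiality, not integrity). Consider `or otherwise restrict which kernel code can be loaded (e.g. signature enforcement via CONFIG_MODULE_SIG_FORCE, or LoadPin pinning the module loader to an integrity-protected filesystem)`.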