Diffstat (limited to 'security-blueprint')
-rw-r--r--  security-blueprint/README.md                       2
-rw-r--r--  security-blueprint/annexes/ConfigNotes.md         16
-rw-r--r--  security-blueprint/annexes/todoNotes.md           12
-rw-r--r--  security-blueprint/index.md                        4
-rw-r--r--  security-blueprint/part-2/0_Abstract.md            3
-rw-r--r--  security-blueprint/part-2/2-Communication-modes.md 8
-rw-r--r--  security-blueprint/part-2/3-Consoles.md            4
-rw-r--r--  security-blueprint/part-3/0_Abstract.md            2
-rw-r--r--  security-blueprint/part-4/1-General.md            40
-rw-r--r--  security-blueprint/part-7/3-Cloud.md               6
10 files changed, 73 insertions, 24 deletions
diff --git a/security-blueprint/README.md b/security-blueprint/README.md
index d15e44f..5513dcc 100644
--- a/security-blueprint/README.md
+++ b/security-blueprint/README.md
@@ -57,6 +57,8 @@ _ECU_ | **E**lectronic **C**ontrol **U**nit
- [security-blueprint](http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html).
- _http:// docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html_
+- **[2017]** - [kernel security](https://www.kernel.org/doc/Documentation/security/).
+ - _https:// www.kernel.org/doc/Documentation/security/_
- **[2017]** - [Systemd integration and user management](http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf).
- _http:// iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf_
- **[2017]** - [AGL - Application Framework Documentation](http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf).
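Review bot: the `[2017]` tag on the new reference is misleading, because `https://www.kernel.org/doc/Documentation/security/` is the live kernel documentation directory rather than a dated publication; either drop the year or link the specific file intended. The module-signing paragraphs this same patch adds to part-4/1-General.md quote the kernel's self-protection document from that directory, so linking that file directly would also give them a citation. The spaced `https:// www.kernel.org/...` mirror line follows the convention of the surrounding entries and is fine.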
diff --git a/security-blueprint/annexes/ConfigNotes.md b/security-blueprint/annexes/ConfigNotes.md
index 05b7228..da0812c 100644
--- a/security-blueprint/annexes/ConfigNotes.md
+++ b/security-blueprint/annexes/ConfigNotes.md
@@ -99,8 +99,8 @@ Boot-Consoles-MemDump-8 | `mtest` | _Disabled_
Boot-Consoles-MemDump-9 | `loopw` | _Disabled_
Domain | Object | Recommendations
--------------------- | ------ | --------------------
-Kernel-General-MAC-1 | SMACK | Must implement a MAC
+-------------------- | ------ | ------------------------------------------
+Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.
Domain | `Config` name | `Value`
---------------------- | -------------- | -------
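Review bot: "Must implement a Mandatory Access Control." needs either no article or a noun after it ("Must enforce a Mandatory Access Control policy"); since the Object column already names SMACK, the recommendation could state what is actually checked (SMACK enabled and a policy loaded) instead of repeating the section title. This row mirrors the one in part-4/1-General.md, so whichever wording is chosen should be applied in both places.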
@@ -131,9 +131,9 @@ Domain | `Config` name | `Value`
Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n`
Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n`
-Domain | `Config` name | `Value`
------------------------- | ------------- | -------
-Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n`
+Domain | `Config` name | `Value`
+------------------------ | ---------------- | -------
+Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`
Domain | `Config` name | `Value`
------------------------------ | ------------------------- | -------
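Review bot: `CONFIG_BPF_JIT` is the correct Kconfig symbol and the separator row here was widened to match it; the same row in part-4/1-General.md in this patch keeps the old 13-character separator, so the annex and the main table now differ in source formatting. Align them so later diffs of the two copies stay clean.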
@@ -453,10 +453,10 @@ Domain | Tech name | Recommendations
Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.
-Domain | Object | Recommendations
----------------------------- | ---------------- | ----------------------------------------
+Domain | Object | Recommendations
+---------------------------- | -------------- | --------------------------------------
Application-Cloud-Download-1 | authentication | Must implement authentication process.
-Application-Cloud-Download-2 | Authorization | Must implement Authorization process.
+Application-Cloud-Download-2 | Authorization | Must implement Authorization process.
Domain | Object | Recommendations
---------------------------------- | ------------- | ----------------------------------------------------------
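Review bot: the Object column still mixes `authentication` (lower case) and `Authorization` (capitalised), and "Must implement Authorization process." capitalises a common noun mid-sentence and lacks an article; pick one style for both rows here and in part-7/3-Cloud.md, which this hunk mirrors, e.g. `authorization | Must implement an authorization process.`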
diff --git a/security-blueprint/annexes/todoNotes.md b/security-blueprint/annexes/todoNotes.md
index 077fd57..01e05d8 100644
--- a/security-blueprint/annexes/todoNotes.md
+++ b/security-blueprint/annexes/todoNotes.md
@@ -17,6 +17,18 @@ Domain | Improvement
--------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hypervisor-Abstract-1 | Complete Hypervisor part ([jailhouse](https://github.com/siemens/jailhouse) / [KVM](https://www.linux-kvm.org/page/Main_Page) / [Xen](https://www.xenproject.org/developers/teams/embedded-and-automotive.html)).
+Domain | Improvement
+------------ | ----------------
+Kernel-MAC-1 | Add MAC config note.
+
+Domain | Improvement
+-------------------------------- | -----------------------------
+Kernel-General-IndependentExec-1 | Kernel or/and platform part ?
+
+Domain | Improvement
+------------------------------- | ---------------
+Kernel-General-LibraryLinking-1 | Keep this part?
+
Domain | Improvement
------------------- | -----------
Platform-Services-1 | SystemD ?
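Review bot: `Kernel-MAC-1` breaks the naming scheme the other two new rows follow (`Kernel-General-IndependentExec-1`, `Kernel-General-LibraryLinking-1`), and the config row it annotates is `Kernel-General-MAC-1`; rename it `Kernel-General-MAC-1` here and in part-4/1-General.md so the todo can be traced to its requirement. "Kernel or/and platform part ?" should read "Kernel and/or platform part?" without the space before the question mark.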
diff --git a/security-blueprint/index.md b/security-blueprint/index.md
index 533aee7..1ca88b3 100644
--- a/security-blueprint/index.md
+++ b/security-blueprint/index.md
@@ -1,8 +1,8 @@
---
title : security-blueprint
-date : 2017-07-12
-version : 4.99.3
+date : 2017-12-07
+version : 4.99.4
category: security
tags: security, architecture, automotive, linux
layout: techdoc
diff --git a/security-blueprint/part-2/0_Abstract.md b/security-blueprint/part-2/0_Abstract.md
index 4574ecf..da9daee 100644
--- a/security-blueprint/part-2/0_Abstract.md
+++ b/security-blueprint/part-2/0_Abstract.md
@@ -53,6 +53,7 @@ loads the Kernel/system image before passing control to it.
The following table lists the terms utilized within this part of the document.
Acronyms or Abbreviations | Description
-------------------------- | ---------------------------------
+------------------------- | -----------------------------------------------------------------------
_FUSE_ | **F**ilesystem in **U**ser**S**pac**E**
_OTP_ | **O**ne-**T**ime-**P**rogrammable
+_DOCSIS_ | **D**ata **O**ver **C**able **S**ervice **I**nterface **S**pecification
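Review bot: the new `_DOCSIS_` row is appended after `_OTP_`, which leaves the visible part of the table unsorted (FUSE, OTP, DOCSIS); if the acronym list is meant to be alphabetical, insert the row before `_FUSE_`. The expansion itself is correct.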
diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md
index d3539f8..268da5d 100644
--- a/security-blueprint/part-2/2-Communication-modes.md
+++ b/security-blueprint/part-2/2-Communication-modes.md
@@ -1,6 +1,6 @@
# Communication modes
-## Disable USB, Serial and Docsis Support
+## Disable USB, Serial and DOCSIS Support
To disable USB support in U-Boot, following config's shall not be defined:
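Review bot: the heading fix to DOCSIS is right; the unchanged context line just below, "following config's shall not be defined", has a misplaced apostrophe and should read "the following configs shall not be defined", worth fixing while this section is being touched.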
@@ -45,10 +45,10 @@ Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_
--------------------------------------------------------------------------------
-## Disable all Network Interfaces
+## Disable all unused Network Interfaces
-Preferably no network interface is allowed, but if required, then the enabled
-services should be restricted to only those used.
+Only used network interfaces should be enabled.
+Where possible, services should also be limited to those necessary.
<!-- section-config -->
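Review bot: the rewording weakens the recommendation. The old text made "no network interface" the default and allowed exceptions; the new text only asks that unused interfaces be disabled, which reads as accepting whatever is currently enabled. Suggest keeping the default-deny stance, e.g. "Preferably no network interface is enabled in the bootloader; where one is required, enable only that interface and only the services it needs." The new heading also mixes capitalisation ("unused Network Interfaces").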
diff --git a/security-blueprint/part-2/3-Consoles.md b/security-blueprint/part-2/3-Consoles.md
index 366573b..0a8faed 100644
--- a/security-blueprint/part-2/3-Consoles.md
+++ b/security-blueprint/part-2/3-Consoles.md
@@ -21,8 +21,8 @@ Boot-Consoles-1 | Secure loader: No reference earlier?
<!-- end-section-todo -->
-And set "**silent**" environment variable. For the Secure loader, disable the
-traces by undefined the below macro:
+And set "**silent**" environment variable. For the Secure loader,
+disable the traces by not defining the below macro:
<!-- section-config -->
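Review bot: "And set "**silent**" environment variable" is missing its article and should read "and set the **silent** environment variable"; the new wording "by not defining the below macro" is a correct fix of the earlier "undefined".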
diff --git a/security-blueprint/part-3/0_Abstract.md b/security-blueprint/part-3/0_Abstract.md
index bdec985..c6e3942 100644
--- a/security-blueprint/part-3/0_Abstract.md
+++ b/security-blueprint/part-3/0_Abstract.md
@@ -3,6 +3,8 @@
Definition: "A hypervisor or virtual machine monitor (VMM) is computer software,
firmware or hardware that creates and runs virtual machines".
+It must include a signature verification (possibly delegated).
+
<!-- section-todo -->
Domain | Improvement
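Review bot: "It must include a signature verification (possibly delegated)." has an unclear subject and object, coming right after a quoted generic definition. State whether the hypervisor image itself must be signature-verified by the boot chain, whether the hypervisor must verify the guest images it launches, or both, and say what "delegated" refers to (e.g. verification performed by the secure boot chain on the hypervisor's behalf).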
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md
index 3653904..10c665e 100644
--- a/security-blueprint/part-4/1-General.md
+++ b/security-blueprint/part-4/1-General.md
@@ -1,17 +1,25 @@
# General configuration
-## MAC
+## Mandatory Access Control
Kernel should controls access with labels and policy.
<!-- section-config -->
Domain | Object | Recommendations
--------------------- | ------ | --------------------
-Kernel-General-MAC-1 | SMACK | Must implement a MAC
+-------------------- | ------ | ------------------------------------------
+Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.
<!-- end-section-config -->
+<!-- section-todo -->
+
+Domain | Improvement
+------------ | ----------------
+Kernel-MAC-1 | Add MAC config note.
+
+<!-- end-section-todo -->
+
--------------------------------------------------------------------------------
## Disable kexec
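Review bot: the todo row uses `Kernel-MAC-1` while the config row directly above it is `Kernel-General-MAC-1`; use the same identifier so the todo can be matched to the requirement it annotates (the copy in annexes/todoNotes.md has the same problem). The unchanged line "Kernel should controls access with labels and policy." should read "The kernel should control access with labels and policy."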
@@ -131,7 +139,7 @@ This configuration for is supported in **Linux 3.16 and greater** and thus shoul
Domain | `Config` name | `Value`
------------------------ | ------------- | -------
-Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n`
+Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`
<!-- end-section-config -->
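Review bot: the separator row `------------------------ | ------------- | -------` was left at its old width while the cell grew to `CONFIG_BPF_JIT`; it renders fine, but the annex copy of this table in ConfigNotes.md was widened in the same patch, so align the two. The context line above, "This configuration for is supported in **Linux 3.16 and greater**", has a stray "for".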
@@ -139,6 +147,14 @@ Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n`
## Enable Enforced Module Signing
+The kernel should never allow an unprivileged user the ability to load specific kernel modules,
+since that would provide a facility to unexpectedly extend the available attack surface.
+
+To protect against even privileged users, systems may need to either disable
+module loading entirely, or provide signed modules
+(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having
+root load arbitrary kernel code via the module loader interface.
+
This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions.
<!-- section-config -->
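Review bot: these two paragraphs are a verbatim quotation from the kernel's self-protection document under Documentation/security (the directory the README hunk in this patch adds as a reference) and should be marked as a quote with that file cited. On content, the parenthetical "dm-crypt with LoadPin" deserves a caveat in the blueprint: LoadPin pins module loading to the filesystem the first module was loaded from, so its guarantee rests on that filesystem's integrity being verified (a read-only, dm-verity style volume), whereas dm-crypt alone provides confidentiality rather than integrity. Spell out that pairing, or present `CONFIG_MODULE_SIG_FORCE`, which the section's own config table covers, as the primary control.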
@@ -171,6 +187,14 @@ Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_
## Position Independent Executables
+<!-- section-todo -->
+
+Domain | Improvement
+-------------------------------- | -----------------------------
+Kernel-General-IndependentExec-1 | Kernel or/and platform part ?
+
+<!-- end-section-todo -->
+
<!-- section-config -->
Domain | `compiler` and `linker` options | _State_
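Review bot: "Kernel or/and platform part ?" should read "Kernel and/or platform part?" (no space before the question mark), matching the copy in annexes/todoNotes.md. Since the table that follows lists `compiler` and `linker` options rather than kernel configuration, the section appears to belong to the platform part; recording that conclusion would resolve the todo.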
@@ -204,6 +228,14 @@ During program load, all dynamic symbols are resolved, allowing for the complete
## Library linking
+<!-- section-todo -->
+
+Domain | Improvement
+------------------------------- | ---------------
+Kernel-General-LibraryLinking-1 | Keep this part?
+
+<!-- end-section-todo -->
+
It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement.
<!-- section-config -->
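Review bot: the todo "Keep this part?" would be easier to settle if the paragraph below it stated the tradeoff: the threat it names (a user replacing a library with a malicious one) is also addressed by a read-only, integrity-verified root filesystem and by the MAC policy required in the first hunk, while linking everything statically means every library fix requires rebuilding every binary. In the unchanged paragraph, "avoid the user from replacing a library with malicious library" should read "prevent the user from replacing a library with a malicious one".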
diff --git a/security-blueprint/part-7/3-Cloud.md b/security-blueprint/part-7/3-Cloud.md
index 67c9c76..ec7edea 100644
--- a/security-blueprint/part-7/3-Cloud.md
+++ b/security-blueprint/part-7/3-Cloud.md
@@ -12,10 +12,10 @@ on a subscriber's profile and services purchased.
<!-- section-config -->
-Domain | Object | Recommendations
----------------------------- | ---------------- | ----------------------------------------
+Domain | Object | Recommendations
+---------------------------- | -------------- | --------------------------------------
Application-Cloud-Download-1 | authentication | Must implement authentication process.
-Application-Cloud-Download-2 | Authorization | Must implement Authorization process.
+Application-Cloud-Download-2 | Authorization | Must implement Authorization process.
<!-- end-section-config -->
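Review bot: `authentication` and `Authorization` in the Object column differ in case, and "Must implement Authorization process." capitalises a common noun mid-sentence and lacks an article ("Must implement an authorization process."); the same fix applies to the annex copy of this table in annexes/ConfigNotes.md.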