From 981e9b9c4a40e248733d45cfedc6a512bdf95f5e Mon Sep 17 00:00:00 2001
From: mudcam
Date: Thu, 7 Dec 2017 10:31:22 +0100
Subject: Add proposal for new security blueprint
---
 security-blueprint/part-2/2-Communication-modes.md | 89 ++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 security-blueprint/part-2/2-Communication-modes.md
(limited to 'security-blueprint/part-2/2-Communication-modes.md')
diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md
new file mode 100644
index 0000000..d3a823c
--- /dev/null
+++ b/security-blueprint/part-2/2-Communication-modes.md
@@ -0,0 +1,89 @@
+# Communication modes
+
+## Disable USB, Serial and Docsis Support
+
+To disable USB support in U-Boot, following config's shall not be defined:
+
+```
+CONFIG_CMD_USB: Enables basic USB support and the usb command.
+CONFIG_USB_UHCI: Defines the lowlevel part.
+CONFIG_USB_KEYBOARD: Enables the USB Keyboard.
+CONFIG_USB_STORAGE: Enables the USB storage devices.
+CONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support.
+```
+
+In addition, disable unnecessary communication modes like Ethernet, Serial
+ports, DOCSIS in U-Boot and sboot that are not necessary.
+
+Linux Kernel support for USB should be compiled-out if not required. If it is
+needed, the Linux Kernel should be configured to only enable the minimum
+required USB devices. User-initiated USB-filesystems should be treated with
+special care. Whether or not the filesystems are mounted in userspace
+(**FUSE**), restricted mount options should be observed.
+
+
+
+Domain | Communication modes | _State_
+-------------------- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------
+Boot-Communication-1 | `USB` | _Disabled_ and _Compiled-out_ if not required.
+Boot-Communication-2 | `USB` | Else, Kernel should be configured to only enable the minimum required USB devices and filesystems should be treated with special care.
+Boot-Communication-3 | `Ethernet` | _Disabled_
+Boot-Communication-4 | U-boot and sboot `DOCSIS` | _Disabled_
+Boot-Communication-5 | `Serial ports` | _Disabled_
+
+
+
+Domain | `Config` name | _State_
+------------------------ | ----------------------- | -------------
+Boot-Communication-USB-1 | `CONFIG_CMD_USB` | _Not defined_
+Boot-Communication-USB-2 | `CONFIG_USB_UHCI` | _Not defined_
+Boot-Communication-USB-3 | `CONFIG_USB_KEYBOARD` | _Not defined_
+Boot-Communication-USB-4 | `CONFIG_USB_STORAGE` | _Not defined_
+Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_
+
+
+
+--------------------------------------------------------------------------------
+
+## Disable all Network Interfaces
+
+Preferably no network interface is allowed, but if required, then the enabled
+services should be restricted to only those used.
+
+
+
+Domain | Communication modes | _State_
+-------------------- | -------------------- | ---------------------------------------------------------------------------------------------
+Boot-Communication-1 | `Network interfaces` | Preferably _no network interface is allowed_, otherwise, restrict the services to those used.
+
+
+
+## Remove or Disable Unnecessary Services, Ports, and Devices
+
+Restrict the `services`, `ports` and `devices` to those used.
+
+
+
+Domain | Object | Recommendations
+-------------------- | --------------------------------- | -------------------------------------------------------------
+Boot-Communication-1 | `Services`, `ports` and `devices` | Restrict the `services`, `ports` and `devices` to those used.
+
+
+
+## Disable flash access
+
+**Recommendation**:
+
+In U-Boot following flash memory commands shall be disabled:
+
+**NAND**: Support for nand flash access available through `do_nand` has to be disabled.
+
+
+
+Domain | `Command` name | _State_
+-------------------------- | -------------- | ---------
+Boot-Communication-Flash-1 | `do_nand` | _Disable_
+
+
+
+Similarly sboot should disable flash access support through command line if any.
-- cgit
From df4bdd6e9e5669451e7f60ecdc5c9e0d25e3f726 Mon Sep 17 00:00:00 2001
From: Sebastien Douheret
Date: Fri, 8 Dec 2017 17:40:04 +0100
Subject: Added templating for section-xxx tags. Security Blueprint doc uses specific tags to display arrays (see docs/security-blueprint/README.md)
Signed-off-by: Sebastien Douheret
---
 security-blueprint/part-2/2-Communication-modes.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'security-blueprint/part-2/2-Communication-modes.md')
diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md
index d3a823c..d3539f8 100644
--- a/security-blueprint/part-2/2-Communication-modes.md
+++ b/security-blueprint/part-2/2-Communication-modes.md
@@ -21,7 +21,7 @@ required USB devices. User-initiated USB-filesystems should be treated with
 special care. Whether or not the filesystems are mounted in userspace
 (**FUSE**), restricted mount options should be observed.
 
-
+
 
 Domain | Communication modes | _State_
 -------------------- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------
@@ -31,7 +31,7 @@ Boot-Communication-3 | `Ethernet` | _Disabled_
 Boot-Communication-4 | U-boot and sboot `DOCSIS` | _Disabled_
 Boot-Communication-5 | `Serial ports` | _Disabled_
 
-
+
 
 Domain | `Config` name | _State_
 ------------------------ | ----------------------- | -------------
@@ -41,7 +41,7 @@ Boot-Communication-USB-3 | `CONFIG_USB_KEYBOARD` | _Not defined_
 Boot-Communication-USB-4 | `CONFIG_USB_STORAGE` | _Not defined_
 Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_
 
-
+
 
 --------------------------------------------------------------------------------
 
@@ -50,25 +50,25 @@ Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_
 Preferably no network interface is allowed, but if required, then the enabled
 services should be restricted to only those used.
 
-
+
 
 Domain | Communication modes | _State_
 -------------------- | -------------------- | ---------------------------------------------------------------------------------------------
 Boot-Communication-1 | `Network interfaces` | Preferably _no network interface is allowed_, otherwise, restrict the services to those used.
 
-
+
 
 ## Remove or Disable Unnecessary Services, Ports, and Devices
 
 Restrict the `services`, `ports` and `devices` to those used.
 
-
+
 
 Domain | Object | Recommendations
 -------------------- | --------------------------------- | -------------------------------------------------------------
 Boot-Communication-1 | `Services`, `ports` and `devices` | Restrict the `services`, `ports` and `devices` to those used.
 
-
+
 
 ## Disable flash access
 
@@ -78,12 +78,12 @@ In U-Boot following flash memory commands shall be disabled:
 
 **NAND**: Support for nand flash access available through `do_nand` has to be disabled.
 
-
+
 
 Domain | `Command` name | _State_
 -------------------------- | -------------- | ---------
 Boot-Communication-Flash-1 | `do_nand` | _Disable_
 
-
+
 
 Similarly sboot should disable flash access support through command line if any.
-- cgit