Commit 1e282fe3 authored by Valerie Aurora

Rewrite secure updates requirements

parent e54a99b5
+20 −59
@@ -1034,63 +1034,33 @@ The product shall be securely updateable by the user.

> FIXME add versions for device driver and virtual network interface.

#### 5.2.X.x **MI-SCFM**: Secure update of firmware
#### 5.2.X.x **MI-SUDC**: Documentation of secure update

The product shall provide a method of updating its firmware from the host system.

  * Applicability: Product is a physical network interface
  * Reference: TR-SCUD
  * Objective: Secure updates
  * Preparation: Prepare a new firmware image with a different version number from the currently installed firmware
  * Activities: Check the firmware version, install the new firmware, and check the firmware version
  * Verdict: The second version number is that of the new firmware => PASS, otherwise FAIL
  * Evidence: Log of querying the firmware version, installing the new firmware, and querying the firmware version again

#### 5.2.X.x **MI-SCDC**: Documentation of secure update of firmware

The product shall be accompanied by documentation of the secure update methods for the physical network interface.
The product shall be accompanied by documentation of the secure update methods for any firmware or software in the product.

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Objective: Secure updates
  * Activities: Assess the documentation for completeness
  * Verdict: Documentation describes secure update methods sufficiently for a third party to implement them => PASS, otherwise FAIL
  * Evidence: Documentation and analysis of completeness

#### 5.2.X.x **MI-SCDD**: Secure update of firmware via device driver
#### 5.2.X.x **MI-SUVP**: Secure update via product

The device driver shall provide a method of updating the firmware on the device.
The product shall provide a method of securely updating any firmware or software in the product via the product itself.

  * Applicability: Device driver supplied with physical network interface
  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Preparation: Prepare a new firmware image with a different version number from the currently installed firmware
  * Activities: Check the firmware version, install the new firmware, and check the firmware version
  * Verdict: The second version number is that of the new firmware => PASS, otherwise FAIL
  * Evidence: Log of querying the firmware version, installing the new firmware, and querying the firmware version again
  * Preparation: Prepare an update for each part of the product that can be updated with a different version number from the currently installed product version
  * Activities: Check the versions of all parts of the product that can be updated, install the new update, and check the versions again
  * Verdict: The second versions read are that of the new product update => PASS, otherwise FAIL
  * Evidence: New update version numbers, and log of querying the product parts' versions, installing the update, and querying the versions again

#### 5.2.X.x **MI-SCHL**: Low security updates provided by operational environment
#### 5.2.X.x **MI-SUOE**: Secure update provided by operational environment

The technical documentation provided with the product shall document that the operational environment shall provide a method of receiving notifications of secure updates from the manufacturer, retrieving the updates, verifying the updates, and applying them to the product. The secure update method shall satisfy the "Low" security level for the product supplying it.

  * Reference: TR-SCUD
  * Objective: Secure updates
  * Activities: Assess the documentation provided with the product
  * Verdict: Documentation describes requirements for the secure updates provided by the operational environment => PASS, otherwise FAIL
  * Evidence: Documentation and analysis of completeness

#### 5.2.X.x **MI-SCHM**: Medium secure updates provided by operational environment

The technical documentation provided with the product shall document that the operational environment shall provide a method of receiving notifications of secure updates from the manufacturer, retrieving the updates, verifying the updates, and applying them to the product. The secure update method shall satisfy the "Medium" security level for the product supplying it.

  * Reference: TR-SCUD
  * Objective: Secure updates
  * Activities: Assess the documentation provided with the product
  * Verdict: Documentation describes requirements for the secure updates provided by the operational environment => PASS, otherwise FAIL
  * Evidence: Documentation and analysis of completeness

#### 5.2.X.x **MI-SCHH**: High secure updates provided by operational environment

The technical documentation provided with the product shall document that the operational environment shall provide a method of receiving notifications of secure updates from the manufacturer, retrieving the updates, verifying the updates, and applying them to the product. The secure update method shall satisfy the "High" security level for the product supplying it.
The technical documentation provided with the product shall document that the operational environment shall provide a method of securely updating the product.

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Objective: Secure updates
  * Activities: Assess the documentation provided with the product
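Review bot: The MI-SUVP activity list (Preparation, Activities, Verdict) only checks that a valid update installs and the version numbers change; it never exercises the "securely" in the requirement sentence, so a product that accepts any altered or unauthenticated image would still PASS. Suggest adding a negative step, e.g. an Activities item "attempt to install an update whose verification data has been invalidated and confirm the product rejects it and the versions are unchanged", with a matching Verdict clause. Two smaller points in the same hunk: MI-SUVP has no "Objective: Secure updates" line while MI-SUDC and MI-SUOE keep theirs, and the rewritten MI-SUOE sentence drops the four phases that the replaced SCHL/SCHM/SCHH text enumerated (receiving notifications, retrieving, verifying, applying), which leaves "securely updating the product" with nothing concrete for the Activities step to assess; consider keeping that enumeration in the new wording. The FIXME about device driver and virtual network interface versions is still open now that the driver-specific MI-SCDD has been folded into MI-SUVP.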
@@ -1100,22 +1070,13 @@ The technical documentation provided with the product shall document that the op
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Risk factors                     | Requires mitigations |
|---------------------|----------------------|
| any                 | SCFM, SCDD, SCDC     |
| RSKL                | SCDL                 |
| RSKM                | SCDM                 |
| RSKH                | SCDH                 |

FIXME define RSKL/M/H as a function of other risk factors
|----------------------------------|----------------------|
| max(PHY, SFT, NET, INT, DOS) < 1 | SUDC                 |
| max(PHY, SFT, NET, INT, DOS) > 0 | SUDC, (SUVP or SUOE) |

| Security Profile    | Requires mitigations |
|---------------------|----------------------|
| VI-1                | SCDL                   |
| VI-2                | SCDM                   |
| WD-1                | SCFM, SCDD, SCDC, SCDL |
| WD-2                | SCFM, SCDD, SCDC, SCDM |
| WL-1                | SCFM, SCDD, SCDC, SCDL |
| WL-1                | SCFM, SCDD, SCDC, SCDM |
| WD-\*, WL-\*, VI-\* | SUDC, (SUVP or SUOE) |

### 5.2.X **TR-AUTH**: Authentication and access control
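Review bot: The two rewritten mapping tables say the same thing, so one of them is redundant: the risk-factor row `max(PHY, SFT, NET, INT, DOS) > 0` maps to `SUDC, (SUVP or SUOE)` and the single profile row `WD-\*, WL-\*, VI-\*` maps to the identical set, while the `< 1` row (SUDC alone) is reachable from no profile. Either name the profiles, if any, for which all five factors are 0, or drop the `< 1` row or the profile table. PHY, SFT, NET, INT and DOS are also not defined in this hunk; a pointer to where those factors and their scale are defined would make the condition checkable and would make explicit that `< 1` and `> 0` are meant to be mutually exclusive (integer levels only). Worth noting in the commit message that the replaced profile table listed `WL-1` twice where the second row presumably meant `WL-2`, since the rewrite silently removes that duplication.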