@@ -898,19 +898,27 @@ FIXME define a security profile for interfaces that are the primary interface
### 5.2.X **TR-SDEF**: Secure by default configuration
#### 5.2.X.x Requirement
The product shall operate in a secure configuration by default.
What are things that can be configured to be insecure? - hardware, software?
#### 5.2.X.x **MI-ADEF**: Authorization required by default to access security-relevant assets
The product shall require appropriate authorization by default to access security-relevant assets, such as product firmware, security-relevant configuration, sensitive data, and sensitive functions.
* Reference: TR-SDEF
* Objective: Find any unauthorized access to security relevant assets in default configuration
Debug interfaces
* Preparation: List all interfaces allowing access to security-relevant assets
*usable from the host (over the system bus) - not important, the host must protect this - but we do need to specify that this is transferred to the host
*Activities: For each interface, attempt to access security-relevant assets without appropriate authorization and record whether access was allowed or not
*usable from the attached network - these do need to be specified as disabled or protected for end users
*Verdict: If every interface does not allow access without appropriate authorization => PASS, otherwise => FAIL
*debug interface requires external device (JTAG)
*Evidence: List of interfaces allowing access to security-relevant assets, record of activities used to attempt unauthorized access to security-relevant assets, log of results of attempts
Remember the integrator - debug enabled is okay there as long as documented
> FIXME: Definition of appropriate authorization is in progress by another group.
#### 5.2.X.x **MI-DPAH**: Documentation of product assets accessible from host
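Review bot: The verdict for MI-ADEF, "If every interface does not allow access without appropriate authorization => PASS", is ambiguous (it can be read as "not every interface allows access"); suggest "If no interface allows access to a security-relevant asset without appropriate authorization => PASS, otherwise => FAIL". The working notes interleaved in the Preparation/Activities/Verdict/Evidence list ("usable from the host (over the system bus)...", "usable from the attached network...", "debug interface requires external device (JTAG)", "Remember the integrator - debug enabled is okay there as long as documented") break the list and should be moved into the FIXME block or resolved before merge; in particular the integrator note contradicts the verdict as written unless the test states that it is run against the post-integration configuration, and the host-side note implies a transfer of responsibility to the host that only MI-DPAH documents. Also "*Activities:", "*Verdict:" and "*Evidence:" lack the space after the asterisk and will not render as list items, and the stray "Debug interfaces" line between Objective and Preparation should either become part of the Preparation text or be dropped.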
@@ -970,42 +978,19 @@ All debug/remote management interfaces accessible via the network shall be prote
* Verdict: No interface can be used => PASS, otherwise => FAIL
* Evidence: List of interfaces, log of attempts to access
#### 5.2.X.x **MI-SDEE**: Generic version
Manufacturer documents all interfaces with sensitivity of function/data
If pre-integration, then documented how to protect and disable
If post-integration, then protected or disabled based on ??? sensitivity/use
Necessary for functions?
Interface to host is always necessary
Interface to do normal network stuff over the network is always necessary
Debug is temporarily disabled for post-integration
FIXME: define disabled in definitions as temporarily/reversibly disabled - leave some room for manufacturer to permanently disable if necessary for security
How to say disable interfaces accessible from the network that provide access to something more than tx/rx stuff?
Remote management?
Depending on the risk factor of who has access to the network => require authorization by default for remote management or debug over the network or disabled
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
| Risk factors | Requires mitigations |
|-------------------|----------------------|
| any | DPAH |
| FIXME risk factor | SDEE-1 |
| FIXME risk factor | SDEE-2 |
|--------------|----------------------|
| FIXME| ADEF, DPAH |
| FIXME | SDEE-1, ADEF, DPAH |
| FIXME | SDEE-2, ADEF, DPAH |
| Security Profile | Requires mitigations |
|------------------|----------------------|
| FIXME integrator | DPAH, SDEE-1 |
| all others | DPAH, SDEE-2 |
| FIXME | ADEF, DPAH |
| FIXME integrator | ADEF, DPAH, SDEE-1 |
| all others | ADEF, DPAH, SDEE-2 |
### 5.2.X **TR-CONF**: Confidentiality of assets
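Review bot: The mapping tables at the end of this hunk are internally inconsistent: the Risk factors table has a second separator row ("|--------------|----------------------|") in the middle, which will render as a row of dashes, and its first three rows (DPAH only, SDEE-1, SDEE-2) are contradicted by the next three (ADEF, DPAH plus SDEE-n); the Security Profile table likewise gives "FIXME integrator" and "all others" twice with different mitigation sets (with and without ADEF). Suggest collapsing each table to one row per risk factor or profile and deciding whether ADEF is required unconditionally, since the earlier MI-ADEF text says authorization is required "by default" for all security-relevant assets. The tables also reference SDEE-1 and SDEE-2, but this hunk only defines "MI-SDEE: Generic version" with no numbered variants; the identifiers need to match the subsection headings. Finally, the MI-SDEE body is still outline notes ("Necessary for functions?", "Remote management?", "How to say disable interfaces...") rather than the Reference/Objective/Preparation/Activities/Verdict/Evidence structure every other mitigation in this file uses; the open question of what "disabled" means (temporarily/reversibly vs. permanently) should be moved to the definitions section as the FIXME suggests, because the verdict "No interface can be used => PASS" depends on it.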
@@ -1462,7 +1447,7 @@ Suggested type of tests include, but are not limited to: