Commit f4c41920 authored by Valerie Aurora

Add secure by default requirement

parent 5ba3e599
+26 −11
@@ -975,20 +975,35 @@ FIXME define a security profile for interfaces that are the primary interface
|---------------------|----------------------|
| FIXME               | FIXME                |

### 5.2.X **TR-XXXX**: Encryption related stuff
### 5.2.X **TR-SDEF**: Secure by default configuration

#### 5.2.X.x **MI-XXXX**:
The product shall operate in a secure configuration by default.

Need to specify encryption related stuff that is not covered by ACM.
#### 5.2.X.x **MI-ADEF**: Authorization required by default to access security-relevant assets

_Description of mitigation in "shall" format._
The product shall require authorization by default to access security-relevant assets, such as product firmware, security-relevant configuration, sensitive data, and sensitive functions.

* Test:
* Result:
* Output:
* False positive test:
* Requirements:
* Documentation:
  * Reference: TR-SDEF
  * Objective: Find any unauthorized access to security relevant assets in default configuration
  * Preparation: List all interfaces allowing access to security-relevant assets
  * Activities: For each interface, attempt to access security-relevant assets without authorization and record whether access was allowed or not
  * Verdict: If every interface does not allow access without authorization => PASS, otherwise => FAIL
  * Evidence: List of interfaces allowing access to security-relevant assets, record of activities used to attempt unauthorized access to security-relevant assets, log of results of attempts

| Risk factors        | Requires mitigations |
|---------------------|----------------------|
| any                 | ADEF                 |

| Security Profile    | Requires mitigations |
|---------------------|----------------------|
| all                 | ADEF                 |

#### 5.2.X.x Mapping of mitigations to security profiles


### 5.2.X **TR-XXXX**: Encryption related stuff

Need to specify encryption related stuff that is not covered by ACM.

> Copy-n-paste mitigation format

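Review bot: The Verdict line of the MI-ADEF test spec, "If every interface does not allow access without authorization => PASS", can be read as either "no interface allows" or "not every interface allows"; suggest "If no interface allows access without authorization => PASS, otherwise => FAIL". The Objective line writes "security relevant assets" without the hyphen used in the rest of the section. TR-SDEF requires a secure configuration by default in general, while MI-ADEF is the only mitigation and covers authorization alone, so a FIXME for the remaining mitigations would keep that gap visible, as the document does elsewhere. The "Mapping of mitigations to security profiles" heading after the two tables is left with no content. Preparation relies on the tester's own list of interfaces, and "security-relevant assets" is defined only by examples ("such as ..."), so the Evidence item could also record how that list was derived.
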
@@ -1049,7 +1064,7 @@ Suggested type of tests include, but are not limited to:
|-------------------------------------------------|------------------------------------|
| No known exploitable vulnerabilities            |                                    |
| Secure design, development, production          | IMEM                               |
| Secure by default configuration                 |                                    |
| Secure by default configuration                 | ADEF                               |
| Secure updates                                  |                                    |
| Authentication and access control mechanisms    |                                    |
| Confidentiality protection                      |                                    |
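
Review bot: In the "Secure by default configuration" row, ADEF is now the only mitigation listed, yet it covers authorization by default only; if further secure-by-default mitigations are planned, mark the cell as incomplete (for example "ADEF, FIXME") so the table does not read as full coverage. The "Authentication and access control mechanisms" row stays empty even though ADEF is an access-control mitigation; consider whether it should be listed there as well.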