Commit 1be9bed1 authored by Valerie Aurora (Bow Shock)

Update OS standard with edits from 2025-07-29 meeting

parent d45bdb24
+61 −1
@@ -2,7 +2,7 @@

# HARMONISED EUROPEAN STANDARD

**Draft ETSI EN 3DD DDD Vm.t.e (yyyy-mm)**
**Draft ETSI EN 304 626 V0.0.1 (2025-07)**

<div align="center">

@@ -126,6 +126,36 @@ This category includes but is not limited to:
- embedded operating systems
- special purpose operating systems

EDITS

**Everything will be generic in final draft**

should include:
- systemd (and all dependencies)
- udev
- loading firmware
- windowing system
- anything necessary to use the hardware
- Authentication
- libc etc
- system libraries by path?
- privileged processes?
- kernel :)
- device drivers
- basic command utils?
- language interpreters
- bash :)
- software update
- logging (in init stuff usually)
- package manager (part of updates)
- remember xz

exclude

- not all privileged processes (depends)
- device drivers supplied by external vendors?? beyond API


# 1.3 Products not in scope

_Detailed list of things whose scope might be confusing, including parts of a system which are often included when the terms in the "in scope" section are used in general conversation. Reference the "Product Context" section again to remind the reader what operational environments are in scope._
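Review bot: The "exclude" list at the end of the added EDITS block sits directly above "# 1.3 Products not in scope", so its two items would be better placed under 1.3, leaving this section with only the in-scope candidates. "privileged processes" appears on both the include list (as a question) and the exclude list ("not all privileged processes (depends)") without a criterion for telling the two apart. Several entries are still open questions ("system libraries by path?", "basic command utils?"); marking them with the FIXME convention used elsewhere in the document would keep them from being read as decided scope. "remember xz" follows the package manager entry but does not say what it implies for scope, so it needs a sentence stating the intended point.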
@@ -260,6 +290,26 @@ FIXME split into specific use cases
	* Runs servers open to the world (ssh, web, etc.)
1. Phone

Use cases don't include industrial operations, marine, airplane, medical, military, national security, etc.

* personal laptop
* personal desktop/stationary
* personal server
* corporate versions of above (different levels?)
* sun ray situation stateless multi-user terminal
* embedded device with low risk
* embedded devices with higher risk that are still in scope???
* phone
* ???

suggestion: look for most extremely vulnerable use cases and then remove exposure for less vulnerable use cases

this is highly dependent on environment

figure out terminology for user vs. user

where is data/state? 0 or 1 user or multiple user state

FIXME more use cases?

## 4.4 Essential functions
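Review bot: The added bullet list repeats "phone", which is already item "1. Phone" in the numbered list just above it, so the section now carries two parallel use case lists; merge the new entries into the numbered list or replace it. "figure out terminology for user vs. user" reads as if one of the two terms is missing. The "???" entries and the "sun ray situation" shorthand should carry the FIXME marker this section already uses so they can be found later. The exclusion sentence ends in "etc.", which leaves the out-of-scope set open-ended for what is meant to be a scope statement.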
@@ -278,6 +328,8 @@ _List the essential functions of the product, including:_
- Network management/network stack [not mandatory, but very common]
- File system management [also not mandatory?]
- System call interface [if user-space/kernel architecture]
- decide whether to load new kernel code
- updates/package management

FIXME more use-based functions

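Review bot: The two added items, "decide whether to load new kernel code" and "updates/package management", do not say whether they are mandatory, while the neighbouring entries carry a bracketed qualifier ("[not mandatory, but very common]", "[if user-space/kernel architecture]"). Add the same kind of qualifier to both, match the capitalisation of the existing entries, and for the first item state the condition under which it applies, as the system call interface entry does.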
@@ -301,6 +353,8 @@ _Harmonised Standards not specifying a normative environmental profile should us

_The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use._

DEscribe by use case

## 4.6 Users

_Describe the classes of users for this product, as differentiated by sophistication in understanding and taking responsibility for security risks. More sophisticated users can be expected to follow more instructions and cope with higher levels of unmitigated risks._
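Review bot: "DEscribe by use case" has a capitalisation typo and is inserted as plain body text between the italic template paragraph and "## 4.6 Users", so it reads as section content instead of an editing note. Writing it as "FIXME describe by use case" would match the FIXME notes used in the other sections.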
@@ -324,6 +378,10 @@ _Describe the expected support period and its impact on security risks. Generall

## 5.1 Security levels

_Examples only, will be generic_

Use cases should all be mapped to a security level

1. Embedded
2. Home computer phone
3. Phone
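Review bot: "Use cases should all be mapped to a security level" is stated, but the example list below it still has three entries, with "2. Home computer phone" and "3. Phone" overlapping, while the use case list added earlier in this commit names more cases (personal server, corporate versions, stateless multi-user terminal). Mark the sentence as FIXME until the mapping exists, or say explicitly that the numbered list is a placeholder, which "_Examples only, will be generic_" only hints at.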
@@ -331,6 +389,8 @@ _Describe the expected support period and its impact on security risks. Generall

## 5.2 Use cases by security level

One use case per threat profile

# 6 Requirements specifications

## 6.2 Product's technical requirements specifications
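Review bot: "One use case per threat profile" introduces the term "threat profile" under a heading that reads "Use cases by security level", and the line added to 5.1 maps use cases to security levels. Use one term throughout, or state how a threat profile relates to a security level, before this line becomes a structural rule for the section.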