Commit 1c4d03f8 authored by Valerie Aurora (Bow Shock)

Replace <mark> notes with > for better rendering to docx

parent bf15ad64
+24 −24
@@ -199,9 +199,9 @@ Boot managers have the primary purpose of initializing the hardware after power

While hypervisors and containers abstract the underlying hardware and may provide services similar to operating systems such as resource management and scheduling, the set of services they supply to clients are far more limited than those of an operating system.

<mark> FIXME who gets BMCs, baseband controllers, etc.? How special-purpose does an OS have to be to have more in common with a boot manager in terms of threat model? </mark>
> FIXME who gets BMCs, baseband controllers, etc.? How special-purpose does an OS have to be to have more in common with a boot manager in terms of threat model?

<mark> FIXME diagram(s) showing relationship to hypervisors, containers, boot managers, IAM, network interfaces, antivirus, hardware, and software. </mark>
> FIXME diagram(s) showing relationship to hypervisors, containers, boot managers, IAM, network interfaces, antivirus, hardware, and software.

# 2 References

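Review bot: the two notes in this hunk are converted cleanly (both `<mark>` tags here had a matching `</mark>`), but the `>` form makes them syntactically identical to the guidance blockquote the document already uses in the section 4 hunk (`> A useful free diagram tool is ...`). Keeping the `FIXME` prefix on every editorial note, as is done here, is what keeps them distinguishable and greppable once the highlight is gone; that convention should be applied consistently in the later hunks.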
@@ -237,9 +237,9 @@ The following referenced documents may be useful in implementing an ETSI deliver
* <a name="_ref_i.1">[i.1]</a>    BSI CC-PP-0067 v2.0: Operating System Protection Profile
* <a name="_ref_i.number">[i.number]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".

<mark> FIXME some of these could be normative references </mark>
> FIXME some of these could be normative references

<mark> FIXME more informative references </mark>
> FIXME more informative references


# 3 Definition of terms, symbols and abbreviations
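Review bot: the `<a name="_ref_i.1">` and `<a name="_ref_i.number">` anchors in the context lines of this hunk are raw HTML too, so the docx rendering problem that motivated dropping `<mark>` will also hit them; if the `[i.1]` reference needs to be linkable in the docx output, these anchors need the same review rather than being left as-is.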
@@ -275,7 +275,7 @@ ISO/IEC 15408).
1.


<mark> FIXME add any other terms we need to define </mark>
> FIXME add any other terms we need to define


## 3.2 Abbreviations
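Review bot: the note conversion is fine, but the stray empty `1.` list item two lines above it is a dangling numbered list with no content; either remove it or fold it into the FIXME note so the placeholder is visible in the rendered output.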
@@ -287,7 +287,7 @@ For the purposes of the present document, the following abbreviations apply:
* MMU Memory Management unit
* IO Input/Output

<mark> FIXME add more abbreviations </mark>
> FIXME add more abbreviations

# 4 Product context

@@ -324,28 +324,28 @@ Out of scope use cases and environments include those explicitly carved out by t

> A useful free diagram tool is [https://app.diagrams.net/](https://app.diagrams.net/), which allows you to save a PNG with the diagram source as SVG inside it.

<mark> FIXME write an operating systems overview and make some diagrams </mark>
> FIXME write an operating systems overview and make some diagrams

<mark> FIXME include the current vertical definition supplied by the EC, use that as a starting point.
> FIXME include the current vertical definition supplied by the EC, use that as a starting point.

<mark> FIXME include the relation graphic between verticals here to explain the outside relationship.
> FIXME include the relation graphic between verticals here to explain the outside relationship.

The internal structure/architecture/security design of an operating system depends a lot on the type of kernel and operating system as well as the security and separation mechanisms available on the taret hardware. 

<mark> FIXME: Use generic architectural descriptions (monolithic, microkernel, ...) or create a list of orthogonal properties (hardware access control for drivers, address space separation, ...) and differentiate based on that? 
> FIXME: Use generic architectural descriptions (monolithic, microkernel, ...) or create a list of orthogonal properties (hardware access control for drivers, address space separation, ...) and differentiate based on that? 


### 4.3.0 Hybrid monolithic/micro kernel operating systems

<mark> FIXME: Use the definition from section 4.5 as a starting point?
> FIXME: Use the definition from section 4.5 as a starting point?

<mark> FIXME: Extend our definition of operating systems with the sentences below?
> FIXME: Extend our definition of operating systems with the sentences below?
A generic operating system encompasses both a kernel implementing resource access control and resource allocation as well as hardware abstraction (drivers) for internal components and I/O interfaces. Commonly used libraries are also considered to be part of the operating system (part of the API/ABI).
Any not commonly used (or internal) library/interface which is directly or indirectly used by (or can in some way influence the security of) security or execution control mechanisms of the operating system, including but not limited to the init system, is also considered to be part of the operating system.
Mechanisms for run-time fixups of hardware (e.g. CPU microcode upload/update) as well as workarounds for run-time attack surface of hardware (microarchitectural and other side effects) are also considered to be part of the operating system.
In contrast to the run-time fixup mechanisms, the CPU microcode update itself is considered to be part of the scope of the microprocessor vertical because it modifies functionality of the microprocessor.

<mark> FIXME: Ensure the following cases present in most x86 computers are not lost, assign them to the scope of a vertical (may be ours, may be another vertical).
> FIXME: Ensure the following cases present in most x86 computers are not lost, assign them to the scope of a vertical (may be ours, may be another vertical).
Special case UEFI updates triggered by the operating system: The update mechanism as provided by the firmware (UEFI capsule) is considered to be in the scope of the boot manager vertical, as is the cryptographic verification of such updates.
Special case Windows drivers delivered as part of UEFI and retrieved by Windows from UEFI during Windows installation (usually hardware enabledment like storage and network drivers). FIXME: Look up the name of that mechanism.  
Special case of Windows using calls into UEFI runtime services if no native Windows driver for a given peripheral (may even be the graphics card) exists. Does that make this specific UEFI driver part of the operating system?
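Review bot: the `<mark>` tags before `FIXME: Extend our definition of operating systems with the sentences below?` and `FIXME: Ensure the following cases present in most x86 computers are not lost` were never closed, so they highlighted the paragraphs that follow; after this change only the first line carries `>`, and the continuation lines (`A generic operating system encompasses ...`, `Special case UEFI updates ...`) are pulled into the blockquote only by lazy continuation, which also collapses their line breaks into one paragraph. Prefix each continuation line with `>`, or, if the definition text is meant as proposed body text rather than note content, separate it from the note with a blank line. The inline `FIXME: Look up the name of that mechanism.` in the Windows-drivers line gets no marker at all and will disappear into the prose. Minor: the context lines still contain `taret` and `enabledment`.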
@@ -357,7 +357,7 @@ Special case configuration files? Not code in most cases, but substantial impact

### 4.3.1 Monolithic kernel based operating systems

<mark> FIXME write an operating systems overview and make some diagrams </mark>
> FIXME write an operating systems overview and make some diagrams

Comments:
General comment on the Windows vs. Linux vs. macOS situation: Neither is a pure monolithic kernel nor a completely microkernel. Each of them can be described as hybrid of various flavours. 
@@ -366,13 +366,13 @@ Yes, the statements above somewhat contradict what Wikipedia is saying.

### 4.3.2 Microkernel based operating systems

<mark>
>

### 4.3.3 Exokernel based operating systems
<mark> FIXME should this just be a special case of microkernel for most architectural purposes? If not, do we differentiate based on kernel design of based on hardware access privileges for applications?
> FIXME should this just be a special case of microkernel for most architectural purposes? If not, do we differentiate based on kernel design of based on hardware access privileges for applications?

### 4.3.4 Unikernel based operating systems
<mark> FIXME differentiate between single-address-space/single-privilege-level combined binaries and binaries with some separation mechanisms baked in?
> FIXME differentiate between single-address-space/single-privilege-level combined binaries and binaries with some separation mechanisms baked in?



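Review bot: under 4.3.2 the empty `<mark>` becomes a bare `>`, which renders as an empty blockquote and hides the fact that the section has no content; give it a `FIXME` text or drop it. In the 4.3.3 note, `kernel design of based on hardware access privileges` should read `or based on`.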
@@ -550,7 +550,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
|UC-PC-3| 2 | 2 | 2 | 0 | 0 | 1 | 1 | 1 | 2 | 0 | 1 | 12 |


<mark> FIXME are these the right division of use cases into security levels? </mark>
> FIXME are these the right division of use cases into security levels?

Low security level

@@ -666,7 +666,7 @@ Very high security level:
   * Travels basically everywhere (risk of loss, exposed to more threats)
   * Multiple interfaces (Bluetooth, Wifi, NFC, USB-C ..)

<mark> FIXME more use cases? </mark>
> FIXME more use cases?

**Discussion**

@@ -792,13 +792,13 @@ An operating system may provide, depending on the hardware available and its con
* Logging
* Monitoring/notifications

<mark> Put this in a diagram with dependencies and interface/attack surface </mark>
> Put this in a diagram with dependencies and interface/attack surface

## 4.8 Operational Environment

The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.

<mark> FIXME not sure how to describe an operational environment for all operating systems! </mark>
> FIXME not sure how to describe an operational environment for all operating systems!

The manufacturer shall document and communicate the expected environmental profile for the product to the cosumer.

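Review bot: the note `Put this in a diagram with dependencies and interface/attack surface` is the only one in the series without a `FIXME` prefix; as a plain `>` blockquote it is now indistinguishable from a guidance quote, so add the prefix. Minor: `cosumer` in the trailing context line.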
@@ -1143,7 +1143,7 @@ Application Level
* [TID-313](https://emb3d.mitre.org/threats/TID-313.html): Unauthenticated Session Changes Credential
* ...

<mark> FIXME list more threats </mark>
> FIXME list more threats

## C.3 Assumptions

@@ -1165,7 +1165,7 @@ Application Level

* Proper user

<mark> FIXME where does trusted/untrusted hardware devices go? External/internal interfaces, what can the operating system protect against, what can be accessed with a limited time access by attacker? </mark>
> FIXME where does trusted/untrusted hardware devices go? External/internal interfaces, what can the operating system protect against, what can be accessed with a limited time access by attacker?

- Not being attacked by a state actor
- Not using sophisticated or expensive hardware snooping techniques
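Review bot: the FIXME blockquote sits between `* Proper user` and `- Not being attacked by a state actor`, splitting the assumptions list, and the two halves use different bullet characters (`*` above, `-` below), so they render as two separate lists. Move the note before or after the list and use one bullet style.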
@@ -1179,7 +1179,7 @@ A.PROPER USER: The user of the OS is not willfully negligent or hostile, and use

A.PROPER ADMIN: The administrator of the OS is not careless, willfully negligent or hostile, and administers the OS within compliance of the applied enterprise security policy.

<mark> FIXME list more assumptions </mark>
> FIXME list more assumptions

## C.4 Risk assessments of threats