@@ -965,7 +965,7 @@ All warnings, annotations, or other method of suppressing warnings from the anal
#### 5.2.X.x **MI-KSEP**: Separation of operating systems memory from user account memory
The manufacturer shall implement all preceding mitigations for this requirement.
The manufacturer shall implement MI-SSCA.
The manufacturer shall implement mechanisms to prevent unauthorized access to security-relevant parts of the operating system memory by unauthorized users or subsystems of the operating systems.
@@ -977,7 +977,7 @@ FIXME should have separate requirement for privileged user still not being able
#### 5.2.X.x **MI-USEP**: Separation of memory by user account
The manufacturer shall implement all preceding mitigations for this requirement.
The manufacturer shall implement MI-KSEP.
The manufacturer shall use user identifiers, discretionary access control, or mandatory access control to prevent access of the private in-memory data owned by one user account by different user account.
@@ -987,7 +987,7 @@ The manufacturer shall use user identifiers, discretionary access control, or ma
The manufacturer shall implement all preceding mitigations for this requirement.
The manufacturer shall implement MI-SCCA and MI-KSEP.
The manufacturer shall implement mechanisms to reject a user account from logging in if a different user account is already logged in.
@@ -997,7 +997,7 @@ The manufacturer shall implement mechanisms to reject a user account from loggin
#### 5.2.X.x **MI-SPEX** Prevent memory leaks through microarchitectural side channels
The manufacturer shall implement all preceding mitigations for this requirement.
The manufacturer shall implement MI-USEP.
The manufacturer shall implement mechanisms to prevent leaking of memory data to unauthorized user through microarchitectural side channels via the observing the time of cache access for the operations:
