@@ -156,9 +156,10 @@ The present document describes how to demonstrate compliance with requirements i
## 1.2 Products in scope
Operating systems include software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals.
Products in scope are products whose core function and intended or reasonabily foreseeable use or misuse is as an operating system. Operating systems include software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals.
This category includes but is not limited to:
* general purpose operating systems
* personal computing operating systems
* mobile phone operating systemsg
@@ -167,7 +168,13 @@ This category includes but is not limited to:
* embedded operating systems
* special purpose operating systems
The scope is limited to the security-relevant parts of the operating system. This includes any element capable of modifying elements that control the security of the system, as well as elements that provide security functionality. Security-relevant parts of the operating system include but are not limited to:
Many products contain multiple operating systems which can affect the security functions of other operating systems in the product. For example, Baseboard Management Controllers
### 1.2.1 Elements of operating systems that are in scope
The scope is limited to the security-relevant parts of the operating system. This includes any element capable of modifying elements that control the security of the system, as well as elements that provide security functionality.
Security-relevant parts of the operating system include but are not limited to:
* the kernel
* device drivers if supplied with the operating system
@@ -549,6 +556,8 @@ Note: "account" refers to a user in the operating systems sense: a unique system
* DATA-1: the operating system is designed only to store limited data types
* DATA-2: the operating system is designed to store arbitrary data
FIXME needs to reflect sensitivity of data
#### 4.5.1.4 Physical Access by Threat Actors to the Device
**[PHYS]:** Manufacturers of operating systems may implement protective measures, such as preventing peripheral device driver loading or relying on hardware capabilities such as tamper-evident mechanisms, to mitigate physical access based threats to the device.
@@ -683,14 +692,16 @@ An operating system may provide, depending on the hardware available and its con
* Memory protection
* Storage protection
* Other permissions
* Hardware communication
* Device drivers
* Abstract I/O
* Network stack
* File systems
* Video
* Sound
* Input devices (mouse, keyboard)
* Hardware communication
* Device drivers
* Power management
* Hardware management
* Configuration
* Software to run
* Hardware configuration
@@ -903,6 +914,7 @@ Potential additional sources of security requirements
* Read exploit reports and CVEs
*[ETSI EN 303 645](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/03.01.03_60/en_303645v030103p.pdf)
*[CHERI BSD](https://www.cheribsd.org/)
*[ETSI EN 103 732](https://portal.etsi.org/webapp/workprogram/Report_WorkItem.asp?WKI_ID=69549)
# Annex A (informative): Relationship between the present document and any related ETSI standards (if any)
