@@ -168,7 +168,7 @@ This category includes but is not limited to:
* embedded operating systems
* special purpose operating systems
Many products contain multiple operating systems which can affect the security functions of other operating systems in the product. For example, Baseboard Management Controllers
Many products contain multiple operating systems which can affect the security functions of other operating system(s) in the product. For example, a Baseboard Management Controllers (BMC) contains an operating system that can manage most or all of the hardware managed by the main system operating system. Radiofrequency transmission devices often have an embedded real-time operating system and the ability to read or write to system memory or trigger interrupts.
### 1.2.1 Elements of operating systems that are in scope
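Review bot: In the reworded BMC sentence, "a Baseboard Management Controllers (BMC) contains" mixes singular and plural; it should read "a Baseboard Management Controller (BMC) contains". The radiofrequency example that follows lists capabilities ("read or write to system memory or trigger interrupts") without connecting them to the claim it supports. A closing clause saying that this lets the embedded real-time operating system affect the security functions of the main operating system would make it parallel to the BMC example.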
@@ -198,15 +198,18 @@ This standard does not cover:
* hypervisors or containers
* boot managers or boot loaders
* hardware, microcode, or device firmware
* device drivers not shipped with the operating system
* devices drivers that ship with and are loaded from hardware devices
* hardware, microcode, or special purpose device firmware
* device drivers not shipped with the operating system, including those stored on devices
While hypervisors abstract the underlying hardware and may provide services similar to operating systems such as resource management and scheduling, the set of services they supply to clients are far more limited than those of an operating system. Hypervisors provide clients an emulated hardware platform rather than a set of abstract operating system services.
Containers are a set of process isolation features provided by operating systems. They are an operating system feature, not an operating system.
Boot managers have the primary purpose of initializing the hardware after power on or reset with the goal of choosing, loading, and/or transferring execution to an operating system or other program. While many boot managers provide some or all of the services of an operating system (or are literally operating systems adapted for use as a boot manager), they are designed and intended primarily to transfer control to an operating system or other program, rather than continuously operate and provide services.
While hypervisors and containers abstract the underlying hardware and may provide services similar to operating systems such as resource management and scheduling, the set of services they supply to clients are far more limited than those of an operating system.
Firmware running on a device is an operating system if its core function is to abstract the hardware platform and control the execution of software that uses services it provides. Otherwise it is special purpose device-specific firmware.
> FIXME who gets BMCs, baseband controllers, etc.? How special-purpose does an OS have to be to have more in common with a boot manager in terms of threat model?
Device drivers are generally included in the security-relevant parts of an operating system. However, the manufacturer of the operating system is only responsible for device drivers included in the operating system.
> FIXME diagram(s) showing relationship to hypervisors, containers, boot managers, IAM, network interfaces, antivirus, hardware, and software.
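Review bot: The sentence beginning "While hypervisors and containers abstract the underlying hardware" conflicts with the paragraph that says containers "are an operating system feature, not an operating system". Containers as described here are process isolation, not hardware abstraction, so the hardware-abstraction sentence should name hypervisors only. The firmware definition ("core function is to abstract the hardware platform and control the execution of software that uses services it provides") is followed by a FIXME asking who gets BMCs and baseband controllers, while the in-scope text earlier in the patch already cites a BMC as containing an operating system. State which side of the definition those fall on, so the exclusion of "special purpose device firmware" cannot be read either way. The two device-driver bullets overlap ("that ship with and are loaded from hardware devices" versus "including those stored on devices"), and the first has the typo "devices drivers"; keep one bullet.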