V3: Software Platform Requirements
Control Objective
The bootloader is the first piece of code to run during the device's boot process. The firmware vendor is responsible for configuring it correctly; otherwise, its vulnerabilities can undermine the security of the entire device, leading to compromise and device hijacking. Controls in this chapter ensure boot trustworthiness by verifying cryptographic signatures on the loaded code, not allowing images to be loaded from external locations, and disallowing memory, shell, and other debug access during boot.
The operating system and, in particular, its kernel are central to device security, as they run in privileged mode and implement critical device functionality, including many security primitives. This necessitates best security practices for operating system and kernel configuration and hardening.
The Linux operating system is one of the most popular in IoT. It has many features from first-line security to defense-in-depth, including the isolation mechanisms supported by namespaces and cgroups, and additional kernel security modules for access controls. Leverage these isolation mechanisms when configuring and deploying third-party applications to run within a container.
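One way to check the namespace isolation described above, as an added example that is not part of the ISVS text: the functions below list which namespaces a process still shares with init (PID 1). The function names, the PROC_ROOT argument and the sample tree are assumptions of this example; on a device the check reads /proc and needs root to read PID 1's links.

```shell
#!/bin/sh
# Added example: report which Linux namespaces a process shares with PID 1.
# A containerised third-party application that shares a namespace with init
# is not isolated from the host in that dimension.

NS_TYPES="mnt pid net ipc uts user cgroup"

# shared_namespaces PID [PROC_ROOT]
# Prints the namespace types PID shares with PID 1, space separated.
# Returns 0 when none are shared, 1 when some are, 2 when a link is unreadable
# (process gone, kernel without that namespace type, or not running as root).
shared_namespaces() {
    pid=$1
    root=${2:-/proc}
    shared=""
    for ns in $NS_TYPES; do
        host=$(readlink "$root/1/ns/$ns") || return 2
        proc=$(readlink "$root/$pid/ns/$ns") || return 2
        # Each link reads like "net:[4026531992]"; equal targets mean the
        # two processes live in the same namespace.
        if [ "$host" = "$proc" ]; then
            shared="${shared:+$shared }$ns"
        fi
    done
    printf '%s\n' "$shared"
    [ -z "$shared" ]
}

# make_sample_proc DIR
# Builds a constructed /proc-like tree (inode numbers are made up):
# PID 1 is init, PID 200 is fully isolated, PID 300 shares net and user.
make_sample_proc() {
    dir=$1
    mkdir -p "$dir/1/ns" "$dir/200/ns" "$dir/300/ns"
    for ns in $NS_TYPES; do
        ln -s "$ns:[4026531800]" "$dir/1/ns/$ns"
        ln -s "$ns:[4026532900]" "$dir/200/ns/$ns"
        case $ns in
            net|user) ln -s "$ns:[4026531800]" "$dir/300/ns/$ns" ;;
            *)        ln -s "$ns:[4026532950]" "$dir/300/ns/$ns" ;;
        esac
    done
}

# Usage on a device (as root): shared_namespaces "$(pidof -s myapp)"
# where "myapp" is a placeholder process name.
```

A shared user namespace is worth particular attention: root inside such a container is root on the host, so the other namespaces and kernel security modules carry the whole isolation burden.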
Security Verification Requirements
Bootloader
OS Configuration
Linux
Software Updates
Security chip integrations
Kernel space application requirements
References
For more information, see also:
ENISA - Baseline Security Recommendations for IoT: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport
CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
TCG Guidance for Secure Update of Software and Firmware on Embedded Systems: https://trustedcomputinggroup.org/wp-content/uploads/TCG-Secure-Update-of-SW-and-FW-on-Devices-v1r72_pub.pdf
U-Boot FIT Signature Verification: https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/signature.txt
GSMA - IoT Security Guidelines for Endpoint Systems: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
OWASP Docker Top 10: https://owasp.org/www-project-docker-top-10/
Linux Containers Security (LXC): https://linuxcontainers.org/lxc/security/
Linux Containers Security (LXD): https://linuxcontainers.org/lxd/docs/master/security