• Aucun résultat trouvé

HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS"

Copied!
12
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

...

ANSSI-PG-067-EN08/11/2019

.

HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS

.

GUIDE ANSSI

..

PUBLIC VISÉ :

Développeur

Administrateur RSSI

DSI Utilisateur

..

..

(2)
(3)

..

Informations

.

...

Attention

.

Ce document rédigé par l’ANSSI présente les« Hardware security requirements for x86 platforms ». Il est téléchargeable sur le sitewww.ssi.gouv.fr.

Il constitue une production originale de l’ANSSI placée sous le régime de la « Licence ouverte v2.0 » publiée par la mission Etalab [1].

Conformément à la Licence Ouverte v2.0, le guide peut être réutilisé librement, sous réserve de mentionner sa paternité (source et date de la dernière mise à jour). La réutilisation s’entend du droit de communiquer, diffuser, redistribuer, publier, transmettre, reproduire, copier, adapter, modifier, extraire, transformer et exploiter, y compris à des fins commer- ciales.

Ces recommandations n’ont pas de caractère normatif, elles sont livrées en l’état et adaptées aux menaces au jour de leur publication. Au regard de la diversité des systèmes d’informa- tion, l’ANSSI ne peut garantir que ces informations puissent être reprises sans adaptation sur les systèmes d’information cibles. Dans tous les cas, la pertinence de l’implémentation des éléments proposés par l’ANSSI doit être soumise, au préalable, à la validation de l’adminis- trateur du système et/ou des personnes en charge de la sécurité des systèmes d’information.

.

Évolutions du document :

.

VERSION .

DATE .

NATURE DES MODIFICATIONS .

.

1.0 .

08/11/2019 .

Initial version ...

HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS1

..

(4)

Table des matières

1 Introduction 3

2 Glossary 4

3 Security requirements 5

3.1 Control over the Platform . . . 5

3.1.1 Inventory . . . 5

3.1.2 Wireless interfaces . . . 5

3.1.3 System soware . . . 5

3.2 Hardware specifications . . . 5

3.2.1 I/OMMU . . . 6

3.2.2 TPM . . . 6

3.3 Firmware specifications . . . 6

3.3.1 Firmware configuration . . . 6

3.3.2 Firmware integrity . . . 6

3.3.3 Out-of-band management solutions . . . 7

3.3.4 Firmware Auditability . . . 7

3.4 Security updates . . . 7

3.4.1 Updates availability . . . 7

3.4.2 Patch application . . . 7

Bibliographie 8

(5)

1

Introduction

This guide presents some security features and configuration options applying to hardware de- vices. These features are defined in the form of requirements and can apply to a provider of these hardware configurations.

The intended goal is to enforce security of new hardware acquired by an IT department. Each requirement is followed by a security objective specifying the goal.

The requirements are consolidated in four themes :

controls over the Platform : these requirements help ensure owners have the best control of their Platform

hardware specifications : these requirements apply to some specifical hardware components firmware specifications : these requirements apply to BIOS configuration and protection security Update : these requirements apply to updates of soware components

HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS3

..

(6)

2

Glossary

Plateform : Computing platform based on the x86 hardware architecture (32bit or 64bit), like servers, desktop or mobile PC

Firmware : Low-level soware components shipped with the platform, including UEFI and legacy BIOSes or hardware components embedded soware.

I/OMMU : Input/Output Memory Management Unit, hardware feature allowing for filtering mem- ory accessing issued by peripherals.

TPM : Trusted Platform Module, passive hardware component specified by the Trusted Computing Group (TCG) which provides integrity and sealing capabilities.

Contract holder Provider of the hardware platforms, for example choosen aer a public tender process.

Owner : Owner of the hardware platform or her delegate (for example the IT department).

(7)

3

Security requirements

3.1 Control over the Platform

3.1.1 Inventory

For each platform batch, and in accordance with selected features, the candidates provide a list of the hardware components —the Inventory— which form the platform. In particular, the following information is expected to appear on the Inventory :

n Product references (manufacturer, model version, etc. )

n Details on firmware executed by the hardware component (including version number)

n Details on firmware which interact with the hardware component independently from the plat- form system soware (including version number)

n Communication interfaces exposed by the component

Security objective Ensure the owner has control over the platform they purchase.

3.1.2 Wireless interfaces

Wireless interfaces (e.g., WiFi, 4G), if present, shall remain optional for the platform to operate and physically removable by the owner without any incidents over the platform warranty.

Security Objective : Reduce the platform attack surface by removing unneeded interfaces

3.1.3 System software

The platform does not impose the use of particular system soware or operating system

Security objective Make sure the owner has full control over the operating system used on the platform

3.2 Hardware specifications

HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS5

. .

(8)

3.2.1 I/OMMU

The platform exposes an input/output memory management unit, such as VT-x (Intel) or AMD-V (AMD). This feature needs to be enabled by default, and can only be disabled by the owner (not the user of the platform).

Security objective Enforce protection of the main memory against unstrusted peripherals

3.2.2 TPM

In case the platform embeds a TPM, the latter is certified (from a Common Criteria perspective) according to one of the following protection profiles :

n Protection Profile PC Client Specific Trusted Platform Module TPM Family 1.2

n TCG Protection Profile PC Client Specific TPM Family 2.0

Only the owner (not the user) can enable and disable the TPM. Disabling the TPM shall not be more complex than enabling it.

Security objective : Ensure the hardware component quality

3.3 Firmware specifications

3.3.1 Firmware configuration

The firmware configuration interface provides the following features :

n Protecting the access to the firmware configuration interface thanks to a dedicated password

n Locking the boot sequence of the platform thanks to a dedicated password

n Enabling and disabling input/output interfaces (e.g. USB)

n Configuring the boot order (the ordering of the list of devices checked by the BIOS to boot an operating system)

n Replacing default Secure Boot keys with custom keys generated by the owner Security objective : Ensure the presence of minimal security features.

3.3.2 Firmware integrity

Platform firmwares for components listed at3.1.1are expected to ensure their integrity by means of state-of-the-art security mechanisms. This notably includes protecting integrity of the code and

(9)

data stored on the Flash Memory. The modification of firmware code should only be the result of a legitimate, signed update. The installation of a signed update older than the version currently installed on the platformshall be considered illegitimate by default. However, for the latter case, the firmware configuration interface shall allow the owner to disable this protection.

The candidates shall provide an argument which details the security mechanisms implemented by firmware system to comply with this requirement. This argument shall include the cryptographic protocols used to verify the integrity and legitimacy of updates.

Security objective : Ensure the hardening of the platform against persistent compromises.

3.3.3 Out-of-band management solutions

The candidates shall provide the list of out-of-band management solutions exposed by their plat- forms. Besides, these solutions shall all be disabled by default, and only the owner can enable them.

Disabling these solutions shall not be more complicated than enabling them, and shall not require additional privileges.

Security objective Reduce the attack surface of the platform by enabling highly privileged so- ware components only if necessary.

3.3.4 Firmware Auditability

Mechanisms which prevent firmware code inspection shall be absent or disabled by default. If present, only the owner can enable them, and disabling them shall not be more complex than enabling them, and shall not require any additional privileges.

Security objective Allow for inspecting and auditing firmware code.

3.4 Security updates

3.4.1 Updates availability

The candidates shall provide security updates less then eight weeks aer the publication of a critical vulnerability affecting a component declared in the list from3.1.1. In case this is not possible, the candidate shall provide the technical information enabling the owner to prevent exploitation of the vulnerability without negative impact on the platform normal behavior.

Security objective : Ensure the platform security state accross its entire life

3.4.2 Patch application

The candidates commits to integrate security updates mentionned at the previous requirements in all new platforms in the same delays.

Security objective : Ensure new platforms also include security updates

HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS7

..

(10)

Bibliographie

[1] Licence ouverte / Open Licence.

Page Web v2.0, Mission Etalab, avril 2017.

https://www.etalab.gouv.fr/licence-ouverte-open-licence.

(11)

HARDWARE SECURITY REQUIREMENTS FOR X86 PLATFORMS9

..

(12)

..

.

ANSSI-PG-067-EN Version 1.0 - 08/11/2019

Licence ouverte / Open Licence (Étalab - v2.0) .

AGENCE NATIONALE DE LA SÉCURITÉ DES SYSTÈMES D'INFORMATION .

ANSSI - 51, boulevard de La Tour-Maubourg, 75700 PARIS 07 SP

..

Références

Télécharger maintenant ( PDF - 12 Page - 235.07 KB )

Documents relatifs

Managing Access to Security Hardware in PC Browsers

To fill this gap, we develop a software tool called SEAM, which is a SEcure Add-on Management framework built on top of the web browser native extension

Specifying and Verifying Hardware-based Security Enforcement Mechanisms

In this thesis, we have identified a class of security enforcement mechanisms called Hardware- based Security Enforcement (HSE) mechanisms, which consist of the configuration by

Extending tamper-proof hardware security to untrusted execution environments

The suggested solution assures the security of the cir- cuits executed on an untrusted runtime environment. It also makes it possible to securely perform multi-step evaluation

Security Requirements Engineering for Service-Oriented Applications

We are currently working on SecCo, which will be the socio-technical security mod- elling language for the EU-funded Aniketos project. Aniketos is about ensuring trust- worthiness

A Tool for Managing Evolving Security Requirements

The methodology also supports the automatic detection of requirement changes and violation of security properties and argumentation analysis [9] to check security properties

A security requirements approach for Web systems

We use the model in the approach to support two steps in particular: (1) deriving misuse cases based on the modelled attack patterns and (2) refinement of the high-level misuse cases

A Model for Structuring and Reusing Security Requirements Sources and Security Requirements

Like diagnostic security information and knowledge, prescriptive aspects should be assignable to each security topic as easily and intuitively as possible, and

MEMORY REQUIREMENTS FOR HARDWARE IMPLEMENTATION OF THE H.264 ENCODER MODULES

In this work we give the architecture of internal and external memory used by the H.264 encoder in order to develop a simulation platform for