Skip to content

feat(security): add Security Overview page #533

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat(security): add Security Overview page #533

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions configs/AM62AX/AM62AX_linux_toc.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
linux/Foundational_Components/Power_Management/pm_sw_arch
linux/Foundational_Components/Power_Management/pm_debug

linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

Expand Down
1 change: 1 addition & 0 deletions configs/AM62LX/AM62LX_linux_toc.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ linux/Foundational_Components/Power_Management/pm_cpuidle
linux/Foundational_Components/Power_Management/pm_am62lx_low_power_modes
linux/Foundational_Components/Power_Management/pm_wakeup_sources

linux/Foundational_Components/System_Security/Security_overview
#linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

Expand Down
1 change: 1 addition & 0 deletions configs/AM62PX/AM62PX_linux_toc.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
linux/Foundational_Components/Power_Management/pm_sw_arch
linux/Foundational_Components/Power_Management/pm_debug

linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

Expand Down
1 change: 1 addition & 0 deletions configs/AM62X/AM62X_linux_toc.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
linux/Foundational_Components/Power_Management/pm_sw_arch
linux/Foundational_Components/Power_Management/pm_debug

linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

Expand Down
2 changes: 2 additions & 0 deletions source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
.. _SAUL-Crypto-Accelerator:

Check warning on line 1 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Spelling] Verify the word 'Crypto'. It is not in the American English spelling dictionary used by Vale.

Raw Output:
{"message": "[RedHat.Spelling] Verify the word 'Crypto'. It is not in the American English spelling dictionary used by Vale.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst", "range": {"start": {"line": 1, "column": 10}}}, "severity": "WARNING"}

Check warning on line 1 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 11.27 is above the recommended reading grade level of 9.

Raw Output:
{"message": "[RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 11.27 is above the recommended reading grade level of 9.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst", "range": {"start": {"line": 1, "column": 1}}}, "severity": "INFO"}

######
Crypto
######
Expand Down
85 changes: 85 additions & 0 deletions source/linux/Foundational_Components/System_Security/Security_overview.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
.. _Security_overview:

Check warning on line 1 in source/linux/Foundational_Components/System_Security/Security_overview.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 13.99 is above the recommended reading grade level of 9.

Raw Output:
{"message": "[RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 13.99 is above the recommended reading grade level of 9.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 1, "column": 1}}}, "severity": "INFO"}

########
Overview
########

=================
Security Overview

Check warning on line 8 in source/linux/Foundational_Components/System_Security/Security_overview.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Headings] Use sentence-style capitalization in 'Security Overview'.

Raw Output:
{"message": "[RedHat.Headings] Use sentence-style capitalization in 'Security Overview'.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 8, "column": 1}}}, "severity": "INFO"}
=================

The |__PART_FAMILY_DEVICE_NAMES__| SoC offers a comprehensive set of
security features that protect embedded Linux applications. This guide
offers a starting point to understand and implement these capabilities
as part of product development, with the following advantages:

* **Hardware-backed security** - Leverages built-in security hardware
for robust protection
* **Defense in-depth** - Creates many layers of security to protect
against various threats
* **Industry standards compliance** - Implements security features that
help meet regulatory requirements
* **Flexible implementation** - Allows security features that can be
tailored to specific application needs

================
Security Domains

Check warning on line 26 in source/linux/Foundational_Components/System_Security/Security_overview.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Headings] Use sentence-style capitalization in 'Security Domains'.

Raw Output:
{"message": "[RedHat.Headings] Use sentence-style capitalization in 'Security Domains'.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 26, "column": 1}}}, "severity": "INFO"}
================

Below is an overview of the security framework's main domains:

.. figure:: ./images/security_framework.png

These security domains create a chain of trust protecting the
|__PART_FAMILY_DEVICE_NAMES__| SoC from boot through runtime and storage,
ensuring system integrity and data confidentiality.

=============================
Security Features at a Glance

Check warning on line 38 in source/linux/Foundational_Components/System_Security/Security_overview.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Headings] Use sentence-style capitalization in 'Security Features at a Glance'.

Raw Output:
{"message": "[RedHat.Headings] Use sentence-style capitalization in 'Security Features at a Glance'.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 38, "column": 1}}}, "severity": "INFO"}
=============================

The following table lists some of the key Security Features:

.. ifconfig:: CONFIG_part_variant in ('AM62LX')

+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Security Feature** | **Description** | **Links** |
+=========================+===========================================================+======================================+
| **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` |
| | code executes on the device | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`DTHEv2-Crypto-Accelerator` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` |
| | manages the secure boot process and TrustZone transitions | |
+ +-----------------------------------------------------------+--------------------------------------+
| | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` |
| | execution of security-sensitive applications and services | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+

.. ifconfig:: CONFIG_part_variant not in ('AM62LX')

+-------------------------+-----------------------------------------------------------+--------------------------------------+
| Security Feature | Description | Links |
+=========================+===========================================================+======================================+
| **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` |
| | code executes on the device | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`SAUL-Crypto-Accelerator` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **SELinux** | Kernel security module providing policy-based access | :ref:`selinux_guide` |
| | control for processes, files, and system objects | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` |
| | manages the secure boot process and TrustZone transitions | |
+ +-----------------------------------------------------------+--------------------------------------+
| | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` |
| | execution of security-sensitive applications and services | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+

Binary file added source/linux/Foundational_Components/System_Security/images/security_framework.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
1 change: 1 addition & 0 deletions source/linux/Foundational_Components_OPTEE.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ of entropy can work around these issues.
$ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=k3-|__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y CFG_WITH_SOFTWARE_PRNG=y
.. _secure-storage-with-rpmb:

Secure Storage with RPMB (For HS)
*********************************
Expand Down
1 change: 1 addition & 0 deletions source/linux/Foundational_Components_Security.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ Security
.. toctree::
:maxdepth: 5

Foundational_Components/System_Security/Security_overview
Foundational_Components_Migration_Guide
Foundational_Components_Secure_Boot
Foundational_Components/System_Security/SELinux
Expand Down