
Wind River® Intelligent Device Platform XT
SECURITY GUIDE
2.0
EDITION 4

Copyright Notice

Copyright © 2014 Wind River Systems, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written permission of Wind River Systems, Inc.

Wind River, Tornado, and VxWorks are registered trademarks of Wind River Systems, Inc. The Wind River logo is a trademark of Wind River Systems, Inc. Any third-party trademarks referenced are the property of their respective owners. For further information regarding Wind River trademarks, please see: www.windriver.com/company/terms/trademark.html

This product may include software licensed to Wind River by third parties. Relevant notices (if any) are provided in your product installation at one of the following locations:
installDir/product_name/3rd_party_licensor_notice.pdf
installDir/legal-notices/

Wind River may refer to third-party documentation by listing publications or providing links to third-party Web sites for informational purposes. Wind River accepts no responsibility for the information provided in such third-party documentation.

Corporate Headquarters
Wind River
500 Wind River Way
Alameda, CA 94501-1153
U.S.A.
Toll free (U.S.A.): 800-545-WIND
Telephone: 510-748-4100
Facsimile: 510-749-2010

For additional contact information, see the Wind River Web site: www.windriver.com
For information on how to contact Customer Support, see: www.windriver.com/support

10 Dec 2014

Contents

1 Introduction to IDP Security .......... 5
    Overview of Security Guide .......... 5
    Security Architect Tasks .......... 6
    About Trusted Boot .......... 6
    About Deployed Embedded Devices .......... 7
    Embedded Terms .......... 7
        Stakeholder Roles .......... 7
        Target Software System .......... 8
    Public Key Cryptography .......... 9
    The Chain of Trust .......... 9
        Overview of the SRM Trusted Software Stack .......... 10
        TPM OpenSSL Engine .......... 11
    SRM Workflow .......... 12

2 Security Planning .......... 13
    Security Planning Workflow .......... 13
        Initial Development Assessment .......... 14
        Review Security Design Techniques .......... 14
        Run-time Security Assessment .......... 15
        Application Security Assessment .......... 15
        Lifecycle Planning .......... 16
        Certificate and Key Management .......... 16

3 Risks, Threats, and IDP Security Mechanisms .......... 19
    IDP Security Mechanisms .......... 19
    About Handling and Analyzing Attacks .......... 20

4 Security Best Practices .......... 25

5 Keys and Certificates .......... 27
    Root Certificate Management .......... 27
        Fetching Certificates at Run Time .......... 28
        Maintaining Certificate Security .......... 28
    Vendor Key Lifecycle .......... 29
    About Documentation for Device Users .......... 30
    Verifying Packages Using OpenSSL .......... 30

6 Integrity Measurement .......... 33
    Integrity Measurement .......... 33
        IMA Appraise .......... 33
        McAfee Embedded Control .......... 34

7 Secure Repository .......... 37
    The Secure Repository .......... 37
    Extended Signature in RPM Design .......... 38
    IM Check Structure .......... 38
    IM Tools Script Design .......... 39

8 Encrypted Data Storage .......... 41
    Encrypted Data Storage .......... 41
    dm-crypt and cryptsetup .......... 41
    TPM-Backed Encrypted Storage .......... 42

1 Introduction to IDP Security

Overview of Security Guide 5
Security Architect Tasks 6
About Trusted Boot 6
About Deployed Embedded Devices 7
Embedded Terms 7
Public Key Cryptography 9
The Chain of Trust 9
SRM Workflow 12

Overview of Security Guide

This document provides systems integrators and security architects with guidance on using Wind River Intelligent Device Platform XT to secure their products. IDP XT provides capabilities to help you secure your product throughout its life:

• during design
• during development
• during deployment

The security guide also provides guidance about best practices.
Security Architect Tasks

The security architect plans and implements the owner's requirements for the security of the device. Tasks performed by security architects include the following:

• Determining the overall security policy, including the up-front security policy and periodic security policy reviews.
• Determining the environment the device is placed in and the security threats that the device must counter.
• Determining the communication posture of the device, including choosing supported networks, networking devices, and protocols, as well as specifying the network topology if it is not determined by the choice of networks.
• Defining procedures for handling attacks when they are discovered. (A successful attack is, almost by definition, discovered only after the fact; an unsuccessful attack can be detected while it is being attempted or blocked before it completes.)
• Defining a forensics strategy to analyze data about possible attacks, successful or unsuccessful. This can help prevent or mitigate subsequent attacks and identify the attacker.
• Determining the management strategy for the device.
• Assisting with the selection of device hardware and application vendors.
• Monitoring the device vendor during development and deployment.
• Monitoring the device vendor and software providers during device provisioning.
• Monitoring the device vendor and software providers during device firmware and software updates.
• Planning a schedule for device retirement, and monitoring the device vendor and software providers or special disposition teams at the time of device retirement.
• Creating documentation for the end user that defines the required security procedures and practices.

About Trusted Boot

A trusted platform must provide high assurance that the system behaves as expected. One of the challenges is ensuring that the entire executing software stack comes from a known source and has not been tampered with.
The IDP XT software stack consists