BSI-DSZ-CC-1146-2022
for
PikeOS Separation Kernel Version 5.1.3
from
SYSGO GmbH
BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133 Bonn
Phone +49 (0)228 99 9582-0, Fax +49 (0)228 9582-5477, Infoline +49 (0)228 99 9582-111
Certification Report V1.0 CC-Zert-327 V5.41
BSI-DSZ-CC-1146-2022 (*)
Operating System
PikeOS Separation Kernel
Version 5.1.3
from SYSGO GmbH
PP Conformance: None
Functionality: Product specific Security Target
Common Criteria Part 2 conformant
Assurance: Common Criteria Part 3 conformant
EAL 5 augmented by ADV_IMP.2, ALC_CMC.5,
ALC_DVS.2, ALC_FLR.3, AVA_VAN.5
The IT Product identified in this certificate has been evaluated at an approved evaluation
facility using the Common Methodology for IT Security Evaluation (CEM), Version 3.1
extended by Scheme Interpretations and by advice of the Certification Body for
components beyond EAL 5 for conformance to the Common Criteria for IT Security
Evaluation (CC), Version 3.1. CC and CEM are also published as ISO/IEC 15408 and
ISO/IEC 18045.
(*) This certificate applies only to the specific version and release of the product in its
evaluated configuration and in conjunction with the complete Certification Report and
Notification. For details on the validity see Certification Report part A chapter 5.
The evaluation has been conducted in accordance with the provisions of the certification
scheme of the German Federal Office for Information Security (BSI) and the conclusions
of the evaluation facility in the evaluation technical report are consistent with the
evidence adduced.
This certificate is not an endorsement of the IT Product by the Federal Office for
Information Security or any other organisation that recognises or gives effect to this
certificate, and no warranty of the IT Product by the Federal Office for Information
Security or any other organisation that recognises or gives effect to this certificate, is
either expressed or implied.
Bonn, 20 September 2022
For the Federal Office for Information Security
Sandro Amendola L.S.
Head of Division
Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185-189 - D-53175 Bonn - Postfach 20 03 63 - D-53133 Bonn
Phone +49 (0)228 99 9582-0 - Fax +49 (0)228 9582-5477 - Infoline +49 (0)228 99 9582-111
SOGIS
Recognition Agreement
for components up to
EAL 4
Common Criteria
Recognition Arrangement
recognition for components
up to EAL 2 and ALC_FLR
only
Certification Report BSI-DSZ-CC-1146-2022
This page is intentionally left blank.
4 / 29
BSI-DSZ-CC-1146-2022 Certification Report
Contents
A. Certification......................................................................................................................6
1. Preliminary Remarks....................................................................................................6
2. Specifications of the Certification Procedure...............................................................6
3. Recognition Agreements..............................................................................................7
4. Performance of Evaluation and Certification................................................................8
5. Validity of the Certification Result.................................................................................8
6. Publication....................................................................................................................9
B. Certification Results.......................................................................................................10
1. Executive Summary....................................................................................................11
2. Identification of the TOE.............................................................................................12
3. Security Policy............................................................................................................16
4. Assumptions and Clarification of Scope.....................................................................16
5. Architectural Information.............................................................................................18
6. Documentation...........................................................................................................20
7. IT Product Testing.......................................................................................................20
8. Evaluated Configuration.............................................................................................23
9. Results of the Evaluation............................................................................................24
10. Obligations and Notes for the Usage of the TOE.....................................................24
11. Security Target..........................................................................................................25
12. Regulation specific aspects (eIDAS, QES)..............................................................25
13. Definitions.................................................................................................................25
14. Bibliography..............................................................................................................26
C. Excerpts from the Criteria..............................................................................................28
D. Annexes.........................................................................................................................29
5 / 29
Certification Report BSI-DSZ-CC-1146-2022
A. Certification
1. Preliminary Remarks
Under the BSIG1
Act, the Federal Office for Information Security (BSI) has the task of
issuing certificates for information technology products.
Certification of a product is carried out on the instigation of the vendor or a distributor,
hereinafter called the sponsor.
A part of the procedure is the technical examination (evaluation) of the product according
to the security criteria published by the BSI or generally recognised security criteria.
The evaluation is normally carried out by an evaluation facility recognised by the BSI or by
BSI itself.
The result of the certification procedure is the present Certification Report. This report
contains among others the certificate (summarised assessment) and the detailed
Certification Results.
The Certification Results contain the technical description of the security functionality of
the certified product, the details of the evaluation (strength and weaknesses) and
instructions for the user.
2. Specifications of the Certification Procedure
The certification body conducts the procedure according to the criteria laid down in the
following:
● Act on the Federal Office for Information Security1
● BSI Certification and Approval Ordinance2
● BMI Regulations on Ex-parte Costs 3
● Special decrees issued by the Bundesministerium des Innern und für Heimat (Federal
Ministry of the Interior and Community)
● DIN EN ISO/IEC 17065 standard
● BSI certification: Scheme documentation describing the certification process (CC-
Produkte) [3]
● BSI certification: Scheme documentation on requirements for the Evaluation Facility, its
approval and licencing process (CC-Stellen) [3]
1
Act on the Federal Office for Information Security (BSI-Gesetz - BSIG) of 14 August 2009,
Bundesgesetzblatt I p. 2821
2
Ordinance on the Procedure for Issuance of Security Certificates and approval by the Federal Office for
Information Security (BSI-Zertifizierungs- und -Anerkennungsverordnung - BSIZertV) of 17 December
2014, Bundesgesetzblatt 2014, part I, no. 61, p. 2231
3
BMI Regulations on Ex-parte Costs - Besondere Gebührenverordnung des BMI für individuell
zurechenbare öffentliche Leistungen in dessen Zuständigkeitsbereich (BMIBGebV), Abschnitt 7 (BSI-
Gesetz) - dated 2 September 2019, Bundesgesetzblatt I p. 1365
6 / 29
BSI-DSZ-CC-1146-2022 Certification Report
● Common Criteria for IT Security Evaluation (CC), Version 3.14
[1] also published as
ISO/IEC 15408.
● Common Methodology for IT Security Evaluation (CEM), Version 3.1 [2] also published
as ISO/IEC 18045
● BSI certification: Application Notes and Interpretation of the Scheme (AIS) [4]
3. Recognition Agreements
In order to avoid multiple certification of the same product in different countries a mutual
recognition of IT security certificates - as far as such certificates are based on ITSEC or
CC - under certain conditions was agreed.
3.1. European Recognition of CC – Certificates (SOGIS-MRA)
The SOGIS-Mutual Recognition Agreement (SOGIS-MRA) Version 3 became effective in
April 2010. It defines the recognition of certificates for IT-Products at a basic recognition
level and, in addition, at higher recognition levels for IT-Products related to certain SOGIS
Technical Domains only.
The basic recognition level includes Common Criteria (CC) Evaluation Assurance Levels
EAL 1 to EAL 4. For "Smartcards and similar devices" a SOGIS Technical Domain is in
place. For "HW Devices with Security Boxes" a SOGIS Technical Domains is in place, too.
In addition, certificates issued for Protection Profiles based on Common Criteria are part of
the recognition agreement.
The current list of signatory nations and approved certification schemes, details on
recognition, and the history of the agreement can be seen on the website at
https://www.sogis.eu.
The SOGIS-MRA logo printed on the certificate indicates that it is recognised under the
terms of this agreement by the related bodies of the signatory nations. A disclaimer
beneath the logo indicates the specific scope of recognition.
This certificate is recognized according to the rules of SOGIS-MRA, i.e. up to and including
CC part 3 EAL 4 components. The evaluation contained the components ADV_FSP.5,
ADV_IMP.2, ADV_INT.2, ADV_TDS.4, ALC_CMC.5, ALC_CMS.5, ALC_DVS.2,
ALC_FLR.3, ALC_TAT.2, ATE_DPT.3, AVA_VAN.5 that are not mutually recognised in
accordance with the provisions of the SOGIS MRA. For mutual recognition the EAL 4
components of these assurance families are relevant.
3.2. International Recognition of CC – Certificates (CCRA)
The international arrangement on the mutual recognition of certificates based on the CC
(Common Criteria Recognition Arrangement, CCRA-2014) has been ratified on 08
September 2014. It covers CC certificates based on collaborative Protection Profiles (cPP)
(exact use), CC certificates based on assurance components up to and including EAL 2 or
the assurance family Flaw Remediation (ALC_FLR) and CC certificates for Protection
Profiles and for collaborative Protection Profiles (cPP).
The current list of signatory nations and approved certification schemes can be seen on
the website: https://www.commoncriteriaportal.org.
4
Proclamation of the Bundesministerium des Innern of 12 February 2007 in the Bundesanzeiger dated
23 February 2007, p. 3730
7 / 29
Certification Report BSI-DSZ-CC-1146-2022
The Common Criteria Recognition Arrangement logo printed on the certificate indicates
that this certification is recognised under the terms of this agreement by the related bodies
of the signatory nations. A disclaimer beneath the logo indicates the specific scope of
recognition.
This certificate is recognized according to the rules of CCRA-2014, i. e. up to and including
CC part 3 EAL 2+ ALC_FLR components.
4. Performance of Evaluation and Certification
The certification body monitors each individual evaluation to ensure a uniform procedure, a
uniform interpretation of the criteria and uniform ratings.
The product PikeOS Separation Kernel, Version 5.1.3 has undergone the certification
procedure at BSI.
The evaluation of the product PikeOS Separation Kernel, Version 5.1.3 was conducted by
atsec information security GmbH. The evaluation was completed on 13 September 2022.
atsec information security GmbH is an evaluation facility (ITSEF)5
recognised by the
certification body of BSI.
For this certification procedure the sponsor and applicant is: SYSGO GmbH.
The product was developed by: SYSGO GmbH.
The certification is concluded with the comparability check and the production of this
Certification Report. This work was completed by the BSI.
5. Validity of the Certification Result
This Certification Report applies only to the version of the product as indicated. The
confirmed assurance package is valid on the condition that
● all stipulations regarding generation, configuration and operation, as given in the
following report, are observed,
● the product is operated in the environment described, as specified in the following report
and in the Security Target.
For the meaning of the assurance components and assurance levels please refer to CC
itself. Detailed references are listed in part C of this report.
The Certificate issued confirms the assurance of the product claimed in the Security Target
at the date of certification. As attack methods evolve over time, the resistance of the
certified version of the product against new attack methods needs to be re-assessed.
Therefore, the sponsor should apply for the certified product being monitored within the
assurance continuity program of the BSI Certification Scheme (e.g. by a re-assessment or
re-certification). Specifically, if results of the certification are used in subsequent evaluation
and certification procedures, in a system integration process or if a user's risk
management needs regularly updated results, it is recommended to perform a re-
assessment on a regular e.g. annual basis.
In order to avoid an indefinite usage of the certificate when evolved attack methods would
require a re-assessment of the products resistance to state of the art attack methods, the
maximum validity of the certificate has been limited. The certificate issued on 20
5
Information Technology Security Evaluation Facility
8 / 29
BSI-DSZ-CC-1146-2022 Certification Report
September 2022 is valid until 19. September 2027. Validity can be re-newed by re-
certification.
The owner of the certificate is obliged:
1. when advertising the certificate or the fact of the product's certification, to refer to
the Certification Report as well as to provide the Certification Report, the Security
Target and user guidance documentation mentioned herein to any customer of the
product for the application and usage of the certified product,
2. to inform the Certification Body at BSI immediately about vulnerabilities of the
product that have been identified by the developer or any third party after issuance
of the certificate,
3. to inform the Certification Body at BSI immediately in the case that security relevant
changes in the evaluated life cycle, e.g. related to development and production sites
or processes, occur, or the confidentiality of documentation and information related
to the Target of Evaluation (TOE) or resulting from the evaluation and certification
procedure where the certification of the product has assumed this confidentiality
being maintained, is not given any longer. In particular, prior to the dissemination of
confidential documentation and information related to the TOE or resulting from the
evaluation and certification procedure that do not belong to the deliverables
according to the Certification Report part B, or for those where no dissemination
rules have been agreed on, to third parties, the Certification Body at BSI has to be
informed.
In case of changes to the certified version of the product, the validity can be extended to
the new versions and releases, provided the sponsor applies for assurance continuity (i.e.
re-certification or maintenance) of the modified product, in accordance with the procedural
requirements, and the evaluation does not reveal any security deficiencies.
6. Publication
The product PikeOS Separation Kernel, Version 5.1.3 has been included in the BSI list of
certified products, which is published regularly (see also Internet: https://www.bsi.bund.de
and [5]). Further information can be obtained from BSI-Infoline +49 228 9582-111.
Further copies of this Certification Report can be requested from the developer6
of the
product. The Certification Report may also be obtained in electronic form at the internet
address stated above.
6
SYSGO GmbH
Am Pfaffenstein 8
55270 Klein-Winternheim
Deutschland
9 / 29
Certification Report BSI-DSZ-CC-1146-2022
B. Certification Results
The following results represent a summary of
● the Security Target of the sponsor for the Target of Evaluation,
● the relevant evaluation results from the evaluation facility, and
● complementary notes and stipulations of the certification body.
10 / 29
BSI-DSZ-CC-1146-2022 Certification Report
1. Executive Summary
The Target of Evaluation (TOE) is the PikeOS Separation Kernel Version 5.1.3 running on
the microprocessor family (x86 64-bit, ARMv8, or PowerPC) hosting different applications.
The TOE is referenced as PikeOS 5.1.3 base product build S6510 for Linux and Windows
development host with PikeOS 5.1.3 Certification Kit build S6510.
The TOE is a Separation Kernel, which allows to effectively separate multiple applications
running on the same platform from each other. Such applications can range from small
bare-metal programs up to entire Operating Systems. Non-privileged applications may be
malicious, and even in that case the TOE ensures that malicious applications are neither
capable of harming other applications nor the TOE itself. SYSGO defines separation as
follows: The TOE separates partitions by managing their accesses to and usage of
resources, such as memory, devices, processors, and communication channels, as
defined by the configuration. Isolation of a partition is the absence of communication with
other partitions, except partitions hosting the components implementing the system API,
when no communication channels or shared resources between the partition and other
partitions are configured. Isolation is a special case of separation. Additionally, the TOE
has the characteristics of an embedded real time operating system. Thus, the partitioning
is configured statically and the TOE does not include typical desktop operating system
services (e.g. user login, printer drivers). The TOE will typically be installed and operated
on a hardware platform suitable for embedded systems.
The TOE uses mechanisms like:
● Separation in space of applications hosted in different partitions from each other and
from the PikeOS Operating System according to the configuration data,
● Separation in time of applications hosted in different partitions from each other and from
the PikeOS Operating System according to the configuration data,
● Control of information flows between applications hosted in different partitions via
assigning to the partitions communication objects and access rights to those,
● Management of the TOE (e.g. system partition API) and the TOE data (e.g. threads,
tasks).
The Security Target [6] is the basis for this certification. It is not based on a certified
Protection Profile.
The TOE Security Assurance Requirements (SAR) are based entirely on the assurance
components defined in Part 3 of the Common Criteria (see part C or [1], Part 3 for details).
The TOE meets the assurance requirements of the Evaluation Assurance Level EAL 5
augmented by ADV_IMP.2, ALC_CMC.5, ALC_DVS.2, ALC_FLR.3, AVA_VAN.5.
The TOE Security Functional Requirements (SFR) relevant for the TOE are outlined in the
Security Target [6], chapter 8.1. They are all selected from Common Criteria Part 2. Thus
the TOE is CC Part 2 conformant.
The TOE Security Functional Requirements are implemented by the following TOE
Security Functionality:
11 / 29
Certification Report BSI-DSZ-CC-1146-2022
TOE Security Functionality Addressed issue
TSS_SSA Separation in space of applications hosted in different partitions from each
other and from the PikeOS Operating System according to the System
Security Policy (SSP) by using the underlying hardware, as shown by the
red lines in Figure 1 of the ST [6]. Applications can be hosted in different
partitions. Partitions get assigned resources (i.e. space) according to the
SSP, which comprise memory ranges and a set of CPUs. The TSF
enforces the corresponding part of the SSP by the enforcement of access
control on partition content, per-partition provision of physical memory
space and allocated CPU time for each CPU. By confining non-privileged
executables into partitions, the TSF enforces that these applications can
affect neither applications in other partitions nor the PikeOS Operating
System itself.
TSS_STA Separation in time of applications hosted in different partitions from each
other and from the PikeOS Operating System according to the SSP.
Applications can be hosted in different partitions. Partitions get assigned
CPU time (i.e. time windows) according to the SSP. The TSF enforces the
corresponding part of the SSP by per-partition allocation of a predefined
amount of CPU time for each CPU. On a partition switch CPUs will be
reused.
TSS_COM Provision and management of communication objects. Applications hosted
in different partitions can get assigned a set of communication objects. A
communication object is an object exposed to one or multiple partitions
with access rights as defined in the configuration data, thus allowing
communication between partitions.
TSS_MAN Management of the TOE (e.g. system partition API) and the TOE data (e.g.
threads, tasks). The TOE restricts a non-privileged application to only
manage tasks and threads within its partition. The TOE provides an API to
privileged applications to manage the TOE and the TOE data.
Table 1: TOE Security Functionalities
For more details please refer to the Security Target [6], chapter 9.
The assets to be protected by the TOE are defined in the Security Target [6], chapter 5.1.
Based on these assets the TOE Security Problem is defined in terms of Assumptions,
Threats and Organisational Security Policies. This is outlined in the Security Target [6],
chapter 5.2, 5.3 and 5.4.
This certification covers the configurations of the TOE as outlined in chapter 8.
The vulnerability assessment results as stated within this certificate do not include a rating
for those cryptographic algorithms and their implementation suitable for encryption and
decryption (see BSIG Section 9, Para. 4, Clause 2).
The certification results only apply to the version of the product indicated in the certificate
and on the condition that all the stipulations are kept as detailed in this Certification
Report. This certificate is not an endorsement of the IT product by the Federal Office for
Information Security (BSI) or any other organisation that recognises or gives effect to this
certificate, and no warranty of the IT product by BSI or any other organisation that
recognises or gives effect to this certificate, is either expressed or implied.
2. Identification of the TOE
The Target of Evaluation (TOE) is called:
PikeOS Separation Kernel, Version 5.1.3
12 / 29
BSI-DSZ-CC-1146-2022 Certification Report
The following table outlines the TOE deliverables:
No Type Identifier Release Form of
Delivery
PikeOS 5.1.3 x86 64-bit
1 SW PikeOS Microkernel
for x86 64-bit
pikeos-kernel-cert-x86_amd64-5.1-20592.x86_64.rpm
SHA256: cc3dcf9865fa84266118fa820e70dd4e\
10ea9c276e99c7fb65c8cf13a2a96bd2
from ISO
2 SW PikeOS System
Software for x86 64-
bit
pikeos-ssw-cert-x86_amd64-5.1-4562.x86_64.rpm
SHA256: 73fc02029ed3df55e29098e81fa6a4bb\
701ecda7bca9b274b365d400888b29be
from ISO
3 DOC PikeOS User
Manual
pikeos-doc-fundamentals-5.1-1077.noarch.rpm SHA256:
c3bdd123fc0e3c6ac612062437f088a0\
4a07a2707e6436c27ef41972f62ef077
from ISO
4 DOC PikeOS Installation
Guide
pikeos-doc-installationguide-5.1-112.noarch.rpm SHA256:
13ad083d5ce7c1ab323dabfed8ae229d\
24313f4385cb26ed2f288aff796245eb
from ISO
5 DOC PikeOS Kernel
Reference Manual
pikeos-doc-kernelref-5.1-297.noarch.rpm SHA256:
261f060d456ec8a34d6dfd2de2c062c4\
97b5449b58284ca66c0f0d2b655661dd
from ISO
6 DOC PikeOS System
Software Reference
Manual
pikeos-doc-psswref-5.1-321.noarch.rpm SHA256:
56ecd5bf36ded1cf53effefbb09b2b98\
b624dde5ad2ca309ff9cd905478e19bf
from ISO
7 DOC PikeOS Device
Driver Programming
ReferenceManual
pikeos-doc-drvref-5.1-305.noarch.rpm SHA256:
bd36e8b97ce4b5e8eb2cb458a8f261c4\
fde8b7376d050746559fd445e5c0ef20
from ISO
8 DOC PikeOS PSP and
KDEVDeveloper’s
Guide
pikeos-doc-pspdevguide-5.1-281.noarch.rpm SHA256:
beb01adac2c23d44ecb0a9cf45e33251\
4ce93b9fd6dfdcd6390c35a069581897
from ISO
9 DOC P4EXT PikeOS
Native Personality
Extensions
pikeos-doc-p4ext-5.1-87.noarch.rpm SHA256:
a35ac8a76908f4f82bb0df9a443fd338\
5c916208c40276cf35dc1f9dbd1cc056
from ISO
10 DOC CENV C Language
Programming
Environment
pikeos-doc-cenv-5.1-41.noarch.rpm SHA256:
b7cc316394bacb72f912b53872aafee5\
b6e3c481f370247dbed9fa6c63963158
from ISO
11 DOC PikeOS Platform
Manual for x86-
amd64Boards
pikeos-doc-platx86-amd64-5.1-569.noarch.rpm SHA256:
6fbb1accb93139e7b93db032bebf6fc4\
3838d13ea77123d81ebb79347039f8a8
from ISO
12 DOC PikeOS x86 64-bit
Generic Certification
Kit
R5p1_PIKEOS_X86_AMD64_CERTKIT_GENERIC_S65
10.amd64.iso SHA256:
538b62f5adf2638ff69dcac97d96b0a2\
ada5ef7de1009b6798962b4fa9b9d7c4
DL
13 DOC Security Bulletin for
PikeOS 5.1.3
pikeos-certkit-cc-secbul-5.1-395.noarch.rpm SHA256:
27514ca601f2b341cfcc6a6065f7b2dc\
be873e6272195a54ab1ef6fd32f2fa27
from ISO
‍
PikeOS 5.1.3 PowerPC
14 SW PikeOS Microkernel
for E500MC-4G
pikeos-kernel-cert-ppc_e500mc-4g-5.1-
20592.x86_64.rpm SHA256:
86f46bae70cfb6cee0b98b69702994f8\
4024ab190c70c92e71b47010575d6901
from ISO
13 / 29
Certification Report BSI-DSZ-CC-1146-2022
No Type Identifier Release Form of
Delivery
15 SW PikeOS System
Software for
E500MC-4G
pikeos-ssw-cert-ppc_e500mc-4g-5.1-4562.x86_64.rpm
SHA256: 1d081a4ae3574161354e8cf852d6e64a\
f7a7730d69f2baaef3f87e4dc17a9919
from ISO
16 DOC PikeOS User
Manual
pikeos-doc-fundamentals-5.1-1077.noarch.rpm SHA256:
c3bdd123fc0e3c6ac612062437f088a0\
4a07a2707e6436c27ef41972f62ef077
from ISO
17 DOC PikeOS Installation
Guide
pikeos-doc-installationguide-5.1-112.noarch.rpm SHA256:
13ad083d5ce7c1ab323dabfed8ae229d\
24313f4385cb26ed2f288aff796245eb
from ISO
18 DOC PikeOS Kernel
Reference Manual
pikeos-doc-kernelref-5.1-297.noarch.rpm SHA256:
261f060d456ec8a34d6dfd2de2c062c4\
97b5449b58284ca66c0f0d2b655661dd
from ISO
19 DOC PikeOS System
Software Reference
Manual
pikeos-doc-psswref-5.1-321.noarch.rpm SHA256:
56ecd5bf36ded1cf53effefbb09b2b98\
b624dde5ad2ca309ff9cd905478e19bf
from ISO
20 DOC PikeOS Device
Driver Programming
ReferenceManual
pikeos-doc-drvref-5.1-305.noarch.rpm SHA256:
bd36e8b97ce4b5e8eb2cb458a8f261c4\
fde8b7376d050746559fd445e5c0ef20
from ISO
21 DOC PikeOS PSP and
KDEVDeveloper’s
Guide
pikeos-doc-pspdevguide-5.1-281.noarch.rpm SHA256:
beb01adac2c23d44ecb0a9cf45e33251\
4ce93b9fd6dfdcd6390c35a069581897
from ISO
22 DOC P4EXT PikeOS
Native Personality
Extensions
pikeos-doc-p4ext-5.1-87.noarch.rpm SHA256:
a35ac8a76908f4f82bb0df9a443fd338\
5c916208c40276cf35dc1f9dbd1cc056
from ISO
23 DOC CENV C Language
Programming
Environment
pikeos-doc-cenv-5.1-41.noarch.rpm SHA256:
b7cc316394bacb72f912b53872aafee5\
b6e3c481f370247dbed9fa6c63963158
from ISO
24 DOC PikeOS Platform
Manual for
E500MC-4GBoards
pikeos-doc-platppc-e500mc-4g-5.1-240.noarch.rpm
SHA256: 4d889257ba2751851784f59d08cb24c1\
aaa1d9ed00162a226c01538dae80777a
from ISO
25 DOC PikeOS E500MC-
4G Generic
Certification Kit
R5p1_PIKEOS_PPC_E500MC_4G_CERTKIT_GENERIC
_S6510.amd64.iso SHA256:
b98d2eab6e79a62c8771b36a79362050\
a527cfc9f1681d28e99d061fa22287c7
DL
26 DOC Security Bulletin for
PikeOS 5.1.3
pikeos-certkit-cc-secbul-5.1-395.noarch.rpm SHA256:
27514ca601f2b341cfcc6a6065f7b2dc\
be873e6272195a54ab1ef6fd32f2fa27
from ISO
PikeOS 5.1.3 ARM v8‍
27 SW PikeOS Microkernel
for ARM v8
pikeos-kernel-cert-arm_v8hf-5.1-20592.x86_64.rpm
SHA256: a948e9b8fd09769e483e87d0409a36a2\
75616ca3b8071c5bdaed1e5b47872195
from ISO
28 SW PikeOS System
Software for ARM v8
pikeos-ssw-cert-arm_v8hf-5.1-4562.x86_64.rpm SHA256:
2499e9fd8a57438ee38d4933c89d220a\
7c4a82252745037806cdfc53603a395b
from ISO
29 DOC PikeOS User
Manual
pikeos-doc-fundamentals-5.1-1077.noarch.rpm SHA256:
c3bdd123fc0e3c6ac612062437f088a0\
4a07a2707e6436c27ef41972f62ef077
from ISO
14 / 29
BSI-DSZ-CC-1146-2022 Certification Report
No Type Identifier Release Form of
Delivery
30 DOC PikeOS Installation
Guide
pikeos-doc-installationguide-5.1-112.noarch.rpm SHA256:
13ad083d5ce7c1ab323dabfed8ae229d\
24313f4385cb26ed2f288aff796245eb
from ISO
31 DOC PikeOS Kernel
Reference Manual
pikeos-doc-kernelref-5.1-297.noarch.rpm SHA256:
261f060d456ec8a34d6dfd2de2c062c4\
97b5449b58284ca66c0f0d2b655661dd
from ISO
32 DOC PikeOS System
Software Reference
Manual
pikeos-doc-psswref-5.1-321.noarch.rpm SHA256:
56ecd5bf36ded1cf53effefbb09b2b98\
b624dde5ad2ca309ff9cd905478e19bf
from ISO
33 DOC PikeOS Device
Driver Programming
ReferenceManual
pikeos-doc-drvref-5.1-305.noarch.rpm SHA256:
bd36e8b97ce4b5e8eb2cb458a8f261c4\
fde8b7376d050746559fd445e5c0ef20
from ISO
34 DOC PikeOS PSP and
KDEVDeveloper’s
Guide
pikeos-doc-pspdevguide-5.1-281.noarch.rpm SHA256:
beb01adac2c23d44ecb0a9cf45e33251\
4ce93b9fd6dfdcd6390c35a069581897
from ISO
35 DOC P4EXT PikeOS
Native Personality
Extensions
pikeos-doc-p4ext-5.1-87.noarch.rpm SHA256:
a35ac8a76908f4f82bb0df9a443fd338\
5c916208c40276cf35dc1f9dbd1cc056
from ISO
36 DOC CENV C Language
Programming
Environment
pikeos-doc-cenv-5.1-41.noarch.rpm SHA256:
b7cc316394bacb72f912b53872aafee5\
b6e3c481f370247dbed9fa6c63963158
from ISO
37 DOC PikeOS Platform
Manual for ARM v8
Boards
pikeos-doc-platarm64-5.1-597.noarch.rpm SHA256:
c61258d7b610df4f6de655b7931686cd\
8401aa1968816f5e562c78e6993c8924
from ISO
38 DOC PikeOS ARM v8
Generic Certification
Kit
R5p1_PIKEOS_ARM_V8HF_CERTKIT_GENERIC_S651
0.amd64.iso SHA256:
3bd6efbf796f3370a47c98adc35e9aeb\
c3968526d8d2d1bb220ab197e46baab0
DL
39 DOC Security Bulletin for
PikeOS 5.1.3
pikeos-certkit-cc-secbul-5.1-395.noarch.rpm SHA256:
27514ca601f2b341cfcc6a6065f7b2dc\
be873e6272195a54ab1ef6fd32f2fa27
from ISO
Table 2: Deliverables of the TOE
The RPMs listed with their checksum in the sections of the table for each architecture
become locally available on the user's development computer upon installation of the
corresponding main PikeOS distribution ISO images (see below). In addition, the user
installs the listed CERTKIT ISO images used to deliver the current PikeOS security
bulletin.
The main ISO images for the respective architecture are named
R5p1_PIKEOS_ARM_V8HF_S6510.amd64.iso,
R5p1_PIKEOS_X86_AMD64_S6510.amd64.iso,
R5p1_PIKEOS_PPC_E500MC_4G_S6510.amd64.iso. These images also contain non-
TOE components and, therefore, their checksum may change.
2.1. Overview of Delivery Procedure
The TOE is delivered to the customer (human TOE user) by means of RPMs. These are
contained in ISO images, in turn made available for download. Except for one ISO image
per architecture (indicated by "DL" in table 2) these are not listed in the ST. They
15 / 29
Certification Report BSI-DSZ-CC-1146-2022
additionally contain non-TOE components. The customer receives the download link to the
ISOs as part of a delivery mail sent by the developer. The TOE and all guidance
documents are extracted from the RPMs by the PikeOS installer. The PikeOS 5.1
Installation Guide (see items 4, 17 and 30 in table 2) is additionally available for download
and contains the instructions to run the installer.
2.2. Identification of the TOE by the User
The integrator (human TOE user) identifies the TOE by inspecting the file names of the
downloaded ISO-images and comparing the sha256 hash of each of these with the ones
quoted in the corresponding signed sha256-files. The integrity of latter files is verified with
the help of GPG. This process is described in the delivery mail. The integrity of the
installation is verified by running a script that computes the checksums of the packaged
RPMs. This process is described in the CERTKIT manuals. The CERTKIT ISO-images
which include the relevant guidance and the verification scripts are themselves verified by
comparing their checksums with those from the Security Target [6].
The TOE is only one element of the product PikeOS delivered by means of the ISO-
images and needs to be combined with other components by the integrator in order to
execute it on the target platform. The required steps are described in the PikeOS User
Manual (see items 3, 16 and 29 in table 2) with details contained in further documents
listed above.
3. Security Policy
The Security Policy is expressed by the set of Security Functional Requirements and
implemented by the TOE. The TOE implements policies pertaining to the security
functional classes User Data Protection and Security Management. They are named in the
instantiated SFRs, according to the protected resources, as follows:
● memory access control policy
● file access control policy
● communication port access control policy
● interrupt access control policy
● PSP-specific services access control policy
● CPU core access policy
● IPC and event communication policy
Specific details can be found in chapter 8 of the Security Target [6]. The detailed
implementation of the specified security policy is defined by the integrator who performs
the static configuration of the TOE and referred to as the System Security Policy (SSP).
4. Assumptions and Clarification of Scope
The Assumptions defined in the Security Target and some aspects of Threats and
Organisational Security Policies are not covered by the TOE itself. These aspects lead to
specific security objectives to be fulfilled by the TOE-Environment. The following topics are
of relevance:
16 / 29
BSI-DSZ-CC-1146-2022 Certification Report
OE.PRIVILEGED_EXECUTABLES: All privileged executables are approved by the
integrator. The integrator thereby takes responsibility that the privileged executables have
been developed according to the TOE User Manuals and do not violate the SSP.
OE.HARDWARE: The underlying hardware, firmware and bootloader needed by PikeOS
to guarantee secure operation provide the necessary properties, are working correctly and
have no undocumented security critical side effect on the functions of the TOE. The
hardware must fulfill the following requirements, as explained in the TOE User Manuals:
1) Provide CPU(s) with at least two privilege modes (“user” and “supervisor” mode).
Only the TOE itself and privileged executables may run in the “supervisor” mode.
Non-privileged executables always run in “user mode”. In “user mode”, only a
limited set of instructions is available; in “supervisor mode”, all instructions are
available.
2) The hardware shall have a MMU, which is capable of restricting accesses (e.g.
destinations of load and store CPU instructions) of non-privileged executables to
certain memory regions. The MMU shall only be configurable from a privileged CPU
mode, thus, it can only be configurable through the TOE to configure the policies
specifying these access restrictions. These policies are part of the SSP. During TOE
run time, these policies are represented as page tables used by the MMU.
3) The hardware (CPU or CPUs) shall provide instructions to switch between privilege
modes and to use the memory management to set up different segments of
memory.
4) The hardware (CPU or CPUs) shall allow the TOE to reuse CPU(s) for different
non- privileged executables, in a way that there is no residual information flow
through CPU registers across a partition boundary.
5) The hardware shall provide default values for security-relevant settings at power-on
(e.g. program counter, detailed instructions shall be included in the hardware
reference manual). This supports the TOE reaching the initial safe and secure state.
6) If the hardware possesses any other active components beside CPUs or CPUs
have operating mode(s) not under control of PikeOS, then the hardware shall
provide support either to turn these components completely off or to control them as
described in the TOE User Manuals. For example, if a device accessible by non-
privileged executables can execute DMA, then all DMA shall be switched off or, in
order to control DMA, the hardware shall provide an I/O MMU, with an I/O MMU
driver protected by the PikeOS Operating System.
Specific requirements to the x86 64-bit architecture are:
● The processors are operated in 64-bit mode
● AMD64 instruction set architecture
● Non-Execute bit (NX bit) support enabled in the BIOS
Specific requirements to PowerPC architecture (E500MC, E5500, E6500) are:
● The processors are operated in 32-bit mode
● Memory Management Unit (MMU) with support for virtual memory
● Floating-point unit
17 / 29
Certification Report BSI-DSZ-CC-1146-2022
Specific requirements to the ARMv8 architecture (Cortex-A35, Cortex-A53, Cortex-A57
and Cortex-A72) are:
● The processors are operated in 64-bit mode.
● Memory Management Unit (MMU) with Virtual Memory System Architecture.
● Vector Floating Point (VFP) / Advanced SIMD (Neon) extension
The timer facilities provided by the hardware shall be sufficient for the timing requirements
(e.g., timer resolution) of the product based on PikeOS. The CPU-specific requirements
are met by all x86 64-bit, PowerPC, or ARMv8 CPUs specified in the TOE User Manuals
for the selected CPU architecture.
Application Note: Due to imperfections of the underlying hardware platform, the TOE
cannot guarantee complete absence of side/covert channels. It is the responsibility of the
Integrator to use all security features of the TOE to their full effect and to assess whether
the residual risk due to platform vulnerabilities that cannot be mitigated by the TOE is
acceptable.
OE.EXCLUSIVE_RESOURCES: All resources required by the PikeOS Operating System,
its privileged executables, and its non-privileged executables are exclusively controlled by
the TOE.
OE.PHYSICAL: The IT environment provides the TOE with appropriate physical security,
commensurate with the value of the IT assets protected by the TOE.
OE.TRUSTWORTHY_PERSONNEL: The personnel configuring and integrating the TOE
(integrator) and those installing and operating the TOE (system operator) are trustworthy,
act according to the TOE User Manuals, and are sufficiently qualified for this task.
Details can be found in the Security Target [6], chapter 6.2.
5. Architectural Information
The elements that form the TSF for this evaluation are the PikeOS System Software
"PSSW" (without any System Extension) and the PikeOS microkernel "KERN" (including
the PikeOS ASP, but excluding the PikeOS PSP and any Kernel Level Device Driver).
These two layers live on top of a hardware platform featuring one of the three supported
CPU architectures (x86 64-bit, ARMv8, or PowerPC). On top of the PSSW sits a
configurable number of "partitions" that can contain different types of applications
(including adapted versions of whole operating systems). The TOE itself has a limited set
of features, compared to what would be expected from a general-purpose operating
system, but ensures that the applications in different partitions cannot interfere in
unwanted ways, within the description provided by the Security Target [6].
The TOE is a microkernel-based operating system and, therefore, exposes a security
architecture that – at a generic level – is quite similar to the one that almost every
operating system has. The specifics of the TOE are the limited complexity of the kernel
(i.e. the parts of the TOE that execute with highest privileges) and the real-time
capabilities. Also specific is the aspect that the TOE itself does not have the abstraction of
a "human user" directly interacting with the TOE.
Another specific of the TOE is the static nature of the applications running on an instance
of the TOE. Those are defined when the instance of the TOE is built by the system
18 / 29
BSI-DSZ-CC-1146-2022 Certification Report
integrator. This reflects the main usage area of the TOE as an operating system for
embedded systems.
The TOE is designed as a separation kernel that separates individual partitions from each
other. A static number of partitions is defined when a product based on PikeOS is built.
Partitions may communicate with each other using communication ports provided by the
TOE. Such communication capabilities between partitions are also defined at build time.
The PikeOS microkernel (also kernel or KERN subsystem) takes many of the
responsibilities kernels have in other operating systems, including hardware abstraction,
the management of threads and tasks or exception handling. With respect to the security
features of the TOE, it is in charge of performing the partitioning of resources (memory and
time). The KERN subsystem runs with highest privileges.
The PSSW resides in user space. It takes care of the partitioning and inter-partition
communication according to the configuration. After initialization, it acts as a server
providing services to applications inside the various partitions. The PSSW can also be
viewed as a partition with the full set of abilities. This important property distinguishes it
from normal partitions whose separation PikeOS guarantees.
To define the precise behaviour of the TOE (including its detailed SFPs), its integrator
needs to make a number of configuration choices. Most importantly, PikeOS has some
elements that are statically defined in a table called the "Virtual Machine Initialization
Table" (VMIT). Among those are:
● Resource Partitions:
A Resource Partition defines a sort of "container" for applications to run in. It consists of
memory, I/O resources, predefined processes, file services, and communication ports
assigned to each partition. It also gets a set of "abilities" (privileges to call specific
system services) assigned.
● Process or Task:
A task or process is represented by an address space within a resource partition. The
task is the abstraction that KERN knows while the PSSW adds some semantics to a
task, which makes it a "process" for the PSSW.
Tasks build a hierarchy within a resource partition. A child task can inherit the abilities of
its parent task, but the parent task can also decide to restrict the abilities of a child
further when it creates the child.
A resource partition always has a "root" task which inherits all the abilities that are
assigned to its resource partition.
● Thread:
Threads are the active entities within a task. A thread inherits the security attributes of its
task, including the abilities assigned to the task the thread belongs to.
● Abilities:
Abilities are specific privileges that can be assigned to a resource partition. The abilities
determine which "privileged" system calls can be invoked. As described above, tasks
within a resource partition may have less abilities than are assigned to the partition they
belong to, but they can never have more abilities than are assigned to the partition itself.
Note that the Security Target [6] does not explicitly mention abilities, although they are
an important PikeOS concept. The reason is that there is a relationship between abilities
19 / 29
Certification Report BSI-DSZ-CC-1146-2022
and "normal partitions"/"system partitions". System partitions possess one or more
abilities from a set of abilities given in the PikeOS User Manual (see items 3, 16 and 29
in table 2). Except for two abilities that are common to all partitions, normal partitions do
not possess any of these. A number of abilities are reserved for the PSSW and not
available to others.
6. Documentation
The evaluated documentation as outlined in table 2 is being provided with the product to
the customer. This documentation contains the required information for secure usage of
the TOE in accordance with the Security Target.
Additional obligations and notes for secure usage of the TOE as outlined in chapter 10 of
this report have to be followed.
7. IT Product Testing
7.1. Test Configuration
The test setup differed between the ITSEF and the developer site with respect to the
deployment of the integrated TOE to the target platform. While the ITSEF executed the
tests on a single target platform, the developer maintains a sophisticated test setup to
execute all tests on a larger variety of systems in a fully automated fashion. However, the
developer and evaluator testing were based on the same test framework. Details of both
approaches, as well as the penetration testing, are described in dedicated sub-sections
below. At the end of each, a short summary of the test results is given.
7.2. Developer Testing
Testing Effort
The developer uses an automated test framework to cover most of the functionality.
The test suites also contain manual tests which prompt the tester for confirming
assertions.
Test Approach
Most of the tests are executed automatically. The testing involves the compilation of the
test code and the TOE on a developer system and uploading it to the target test system.
The developer uses an intermediary between the developer system and the TOE, which
receives the test request, determines which of the attached test targets (i.e. platform) it is
aimed for, restarts that test target and provides the TOE instance (and the including test
application) as network-bootable image. Finally, it returns the test results to the developer
system.
Some of the tests require a manual check by the tester. This check is integrated into the
test run such that it waits for a developer response on a specific item, and depending on
the answer, it marks the test as "pass" or "fail", and integrates it into the test result log
together with all other tests.
The testing is done very systematically. For this, the developer uses a document system
that allows to specify functional/design requirements identified by a specific ID, to which
statements in the respective evidence documents are linked and then systematically
20 / 29
BSI-DSZ-CC-1146-2022 Certification Report
covered by test cases. In that way, also for very detailed behaviour requirements, it is
always clear whether and where it has been tested.
Test Depth
The developer tests are very detailed in testing of the interface function behaviours.
Usually, all possible error codes of a function are covered. These return codes are used in
test code as expected results following the tested functionality. The developer focuses on
testing all behaviour by stimulating the external interfaces. In some cases a source code or
guidance inspection is used as alternative test method.
In addition, the developer employs a code coverage analysis tool, which measures the
function, statement, and condition coverage on an instrumented TOE while running the
test suites. The code coverage is demonstrated to be near 100%.
Configuration
The TOE was built/installed from R5p1_PIKEOS_<ARCH>_S6510.amd64.iso on these
architectures:
● PikeOS 5.1.3 for x86 64-bit (revision number S6510), board: IBM PC compatible based
on Intel i7 processor
● PikeOS 5.1.3 for PowerPC (revision number S6510), board: NXP/Freescale T2080RDB
● PikeOS 5.1.3 for ARMv8 (revision number S6510), board: NXP Layerscape LS1046A
Reference Design Board
Test results
The developer tests showed a failure percentage between 0% and 2.2% depending on the
tested platform and test suite. The evaluator confirmed that none of the failed tests impact
the evaluated functionality. Therefore, all relevant tests were successful.
7.3. Evaluator Testing
Testing Effort
On 26st
of January 2021, the evaluator and the certifier remotely observed a testing of a
preliminary TOE at the developer's site. This provided a first understanding of the test
framework and how the result is structured.
Beginning with June and until September 2021, the evaluator ran official tests on the final
TOE version using a developer-provided test system in the ITSEF lab. Using the developer
test suite he executed all developer test sets that are contained in four test suites. Many
test sets perform a number of tests, and each test can check several requirements.
In addition, the evaluator devised and conducted additional independent tests.
Test Approach
For the repetition of the developer tests, the evaluator simply executed all major developer
test suites.
For the independent testing, the evaluator focused on the configuration interface of the
TOE. This interface covers all phases of the TOE beginning with the boot step for setting
up all resources, partitions, or other objects that make up the running system. As part of
these steps, the TOE performs various checks to make sure that the complete image
structure adheres to the configuration requirements and limitations. For other interfaces,
no relevant gaps in the developer testing have been found.
21 / 29
Certification Report BSI-DSZ-CC-1146-2022
As a side-effect, for the tests that succeed the configuration check, these trigger some
kernel and PSSW functions. The concrete results of these calls are of less relevance, but
still indicate if the TOE would suffer any behavioural issues (due to the test's manipulation
of the configuration structure) and return unreasonable responses to these calls.
The re-run of the developer tests covers all SFRs.
The additional evaluator tests were designed to complement the developer tests by an
aspect of the interfaces that is not directly callable, but which is triggered by using
manipulated TOE instantiations, especially the VMIT configuration structure. They are
related to resource partition definitions, invalid VMIT memory references, and merging of
local and global configurations.
Test Depth
The additional evaluator tests test the interfaces at the attack surface only as a side-effect.
The main focus of the tests was on the indirect verification of the configuration interface
through manipulated TOE instantiations or its configuration. For this, the used developer
test framework was modified to prevent it from performing its own checks on the
configuration structure, and instead let the TOE perform the checks.
Test Configuration
The test setup was based on the image R5p1_PIKEOS_PPC_E500MC_4G_S6510.
amd64.iso and was run on a PowerPC platform (T2080RDB). The target system was
connected to the development system (where the TOE image is build together with the
applications within the resource partitions) via network for TFTP boot, and also connected
via serial line to receive the test output. The evaluator received the test framework of the
developer, which allowed the automation of all test phases, including test and TOE
instance compilation, linking, upload to the target platform, execution, and result
observation.
Test results
All tests passed and did not indicate any relevant deviation from the expected TOE
behaviour.
7.4. Evaluator Penetration Testing
Overview
The penetration testing was partially performed using the developer’s testing environment,
partially using the test environment of the ITSEF.
The tests were developed by the evaluators and executed on a PowerPC system
(E500MC). To cover all TOE platform classes (architectures), the tests were executed by
the developer on x86_64, ARMv8 and PowerPC platforms. The logs of these re-runs were
inspected by the evaluators.
The overall test result is that no deviations were found between the expected and the
actual test results. Moreover, no attack scenario with the attack potential High was actually
successful.
Testing effort
The evaluators devised penetration tests that require execution on the actual hardware.
Penetration testing approach
22 / 29
BSI-DSZ-CC-1146-2022 Certification Report
The designed penetration tests use only external interfaces of the TOE, which was
sufficient to verify the flaw hypotheses defined during the vulnerability analysis.
The penetration testing leveraged the use of the developer's test framework, which was
also used for the ATE_IND testing.
The penetration tests, except for one, are not platform-specific. Therefore, the evaluator
only used one test architecture setup (PowerPC) at the ITSEF lab, while relying on the
developer to execute the tests on the ARM and x86 64bit platform. The evaluator provided
the devised test code to the developer who returned the execution logs for their test runs.
Test configurations
The penetration testing was performed on the TOE version 5.1.3 (ISO suffix S6510). To
unambiguously identify the TOE, the checksums of the installed RPMs were also checked
against those from the current ST. Apart from the TOE version and supported platforms, no
further restrictions or configurations were defined for the evaluated configuration that
would have to be applied to the test setup.
Testing depth
The tests covered both TOE subsystems.
As stated earlier, for some tests the evaluator did not use the libraries provided by the
developer to use the TOE interfaces, but accessed the TSFI directly to have greater
control over the interface parameters. One such case was the test of the PSSW daemon
fuzzing, where IPC communication messages were crafted by hand (which would
otherwise be constructed by the VM API library when calling a certain VM function) and
were then sent to the PSSW daemon via IPC messages. The other case was the test of
the system call number checks, where the system calls were not executing using the
kernel P4 API, but executing the system call assembler instruction provided by the
respective TOE platform.
Test results
In summary, the tests did not show any deviation from the expected behaviour that would
violate the security policies of the TOE.
Verdict for the sub-activity
The overall test result is that no deviations were found between the expected and the
actual test results. No attack scenario with the attack potential High was actually
successful in the TOE’s operational environment as defined in the Security Target [6],
provided that all measures required by the developer are applied.
8. Evaluated Configuration
This certification covers the following configurations of the TOE: The evaluated
configuration of the TOE is obtained by installing the Certification Kit ISO-images that are
part of the TOE delivery on the development host and configuring and integrating the TOE
according to the TOE guidance.
The TOE in the evaluated configuration provides the following security features (see the
Security Target [6] for all details):
● TSS_SSA: Separation in space of applications hosted in different partitions from each
other and from the PikeOS Operating System according to the SSP by using the
underlying hardware. [...]
23 / 29
Certification Report BSI-DSZ-CC-1146-2022
● TSS_STA: Separation in time of applications hosted in different partitions from each
other and from the PikeOS Operating System according to the SSP. [...]
● TSS_COM: Provision and management of communication objects. [...]
● TSS_MAN: Management of the TOE (e.g. system partition API) and the TOE data (e.g.
threads, tasks). [...]
The TOE guidance, foremost the Security Manuals, describe limitations within which these
features have been evaluated. In particular, the evaluation results apply only for hardware
platforms based on a subset of the x86 64-bit, ARMv8 and PowerPC architectures (with
more details provided in the ST [6])
9. Results of the Evaluation
9.1. CC specific results
The Evaluation Technical Report (ETR) [7] was provided by the ITSEF according to the
Common Criteria [1], the Methodology [2], the requirements of the Scheme [3] and all
interpretations and guidelines of the Scheme (AIS) [4] as relevant for the TOE.
The Evaluation Methodology CEM [2] was used for those components up to EAL 5
extended by advice of the Certification Body for components beyond EAL 5 [4] (AIS 34).
As a result of the evaluation the verdict PASS is confirmed for the following assurance
components:
● All components of the EAL 5 package including the class ASE as defined in the CC (see
also part C of this report)
● The components ADV_IMP.2, ALC_CMC.5, ALC_DVS.2, ALC_FLR.3, AVA_VAN.5
augmented for this TOE evaluation.
The evaluation has confirmed:
● PP Conformance: None
● for the Functionality: Product specific Security Target
Common Criteria Part 2 conformant
● for the Assurance: Common Criteria Part 3 conformant
EAL 5 augmented by ADV_IMP.2, ALC_CMC.5, ALC_DVS.2,
ALC_FLR.3, AVA_VAN.5
The results of the evaluation are only applicable to the TOE as defined in chapter 2 and
the configuration as outlined in chapter 8 above.
9.2. Results of cryptographic assessment
The TOE does not include cryptographic mechanisms. Thus, no such mechanisms were
part of the assessment.
10. Obligations and Notes for the Usage of the TOE
The documents as outlined in table 2 contain necessary information about the usage of the
TOE and all security hints therein have to be considered. In addition all aspects of
Assumptions, Threats and OSPs as outlined in the Security Target not covered by the TOE
itself need to be fulfilled by the operational environment of the TOE.
24 / 29
BSI-DSZ-CC-1146-2022 Certification Report
The customer or user of the product shall consider the results of the certification within his
system risk management process. In order for the evolution of attack methods and
techniques to be covered, he should define the period of time until a re-assessment of the
TOE is required and thus requested from the sponsor of the certificate.
The limited validity for the usage of cryptographic algorithms as outlined in chapter 9 has
to be considered by the user and his system risk management process, too.
If available, certified updates of the TOE should be used. If non-certified updates or
patches are available the user of the TOE should request the sponsor to provide a re-
certification. In the meantime a risk management process of the system using the TOE
should investigate and decide on the usage of not yet certified updates and patches or
take additional measures in order to maintain system security.
11. Security Target
For the purpose of publishing, the Security Target [6] of the Target of Evaluation (TOE) is
provided within a separate document as Annex A of this report.
12. Regulation specific aspects (eIDAS, QES)
None
13. Definitions
13.1. Acronyms
AIS Application Notes and Interpretations of the Scheme
ASP Architecture Support Package
BSI Bundesamt für Sicherheit in der Informationstechnik / Federal Office for
Information Security, Bonn, Germany
BSIG BSI-Gesetz / Act on the Federal Office for Information Security
CCRA Common Criteria Recognition Arrangement
CC Common Criteria for IT Security Evaluation
CEM Common Methodology for Information Technology Security Evaluation
cPP Collaborative Protection Profile
EAL Evaluation Assurance Level
ETR Evaluation Technical Report
GPG Gnu Privacy Guard
IPC Inter-Process Communication
IT Information Technology
ITSEF Information Technology Security Evaluation Facility
MMU Memory Management Unit
PP Protection Profile
PSP Platform Support Package
25 / 29
Certification Report BSI-DSZ-CC-1146-2022
PSSW PikeOS System Software
RPM Red Hat Package Manager
SAR Security Assurance Requirement
SFP Security Function Policy
SFR Security Functional Requirement
SSP System Security Policy
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functionality
TSS TOE Security Service
VMIT Virtual Machine Initialization Table
13.2. Glossary
Augmentation - The addition of one or more requirement(s) to a package.
Collaborative Protection Profile - A Protection Profile collaboratively developed by an
International Technical Community endorsed by the Management Committee.
Extension - The addition to an ST or PP of functional requirements not contained in CC
part 2 and/or assurance requirements not contained in CC part 3.
Formal - Expressed in a restricted syntax language with defined semantics based on well-
established mathematical concepts.
Informal - Expressed in natural language.
Object - A passive entity in the TOE, that contains or receives information, and upon which
subjects perform operations.
Package - named set of either security functional or security assurance requirements
Protection Profile - A formal document defined in CC, expressing an implementation
independent set of security requirements for a category of IT Products that meet specific
consumer needs.
Security Target - An implementation-dependent statement of security needs for a specific
identified TOE.
Semiformal - Expressed in a restricted syntax language with defined semantics.
Subject - An active entity in the TOE that performs operations on objects.
Target of Evaluation - An IT Product and its associated administrator and user guidance
documentation that is the subject of an Evaluation.
TOE Security Functionality - Combined functionality of all hardware, software, and
firmware of a TOE that must be relied upon for the correct enforcement of the SFRs.
14. Bibliography
[1] Common Criteria for Information Technology Security Evaluation, Version 3.1,
Part 1: Introduction and general model, Revision 5, April 2017
Part 2: Security functional components, Revision 5, April 2017
26 / 29
BSI-DSZ-CC-1146-2022 Certification Report
Part 3: Security assurance components, Revision 5, April 2017
https://www.commoncriteriaportal.org
[2] Common Methodology for Information Technology Security Evaluation (CEM),
Evaluation Methodology, Version 3.1, Rev. 5, April 2017,
https://www.commoncriteriaportal.org
[3] BSI certification: Scheme documentation describing the certification process (CC-
Produkte) and Scheme documentation on requirements for the Evaluation Facility,
approval and licencing (CC-Stellen), https://www.bsi.bund.de/zertifizierung
[4] Application Notes and Interpretations of the Scheme (AIS) as relevant for the TOE7
https://www.bsi.bund.de/AIS
[5] German IT Security Certificates (BSI 7148), periodically updated list published also
on the BSI Website, https://www.bsi.bund.de/zertifizierungsreporte
[6] Security Target BSI-DSZ-CC-1146-2022, Version 40.22, 2022-09-06, Security Target
PikeOS Separation Kernel v5.1.3, SYSGO GmbH
[7] Evaluation Technical Report, Version 7, 2022-09-08, Final Evaluation Technical
Report, atsec information security GmbH, (confidential document)
[8] Configuration list for the TOE, 2022-09-06, 18064-0000-MDL.xlsx (confidential
document)
[9] Guidance documentation for the TOE, see table 2 in chapter 2
7
specifically
• AIS 32, Version 7, CC-Interpretationen im deutschen Zertifizierungsschema
• AIS 34, Version 3, Evaluation Methodology for CC Assurance Classes for EAL 5+ (CCv2.3 &
CCv3.1) and EAL 6 (CCv3.1)
27 / 29
Certification Report BSI-DSZ-CC-1146-2022
C. Excerpts from the Criteria
For the meaning of the assurance components and levels the following references to the
Common Criteria can be followed:
• On conformance claim definitions and descriptions refer to CC part 1 chapter 10.5
• On the concept of assurance classes, families and components refer to CC Part 3
chapter 7.1
• On the concept and definition of pre-defined assurance packages (EAL) refer to CC
Part 3 chapters 7.2 and 8
• On the assurance class ASE for Security Target evaluation refer to CC Part 3
chapter 12
• On the detailed definitions of the assurance components for the TOE evaluation
refer to CC Part 3 chapters 13 to 17
• The table in CC part 3, Annex E summarizes the relationship between the
evaluation assurance levels (EAL) and the assurance classes, families and
components.
The CC are published at https://www.commoncriteriaportal.org/cc/
28 / 29
BSI-DSZ-CC-1146-2022 Certification Report
D. Annexes
List of annexes of this certification report
Annex A: Security Target provided within a separate document.
Note: End of report
29 / 29