Security Target PikeOS Separation Kernel v5.1.3

Document ID: 00101-8000-ST
Revision: 40.22
DOORS Baseline: 40.22
Date: 2022-09-06
State: App

SYSGO GmbH, Am Pfaffenstein 8, 55270 Klein-Winternheim, Germany, www.sysgo.com

©2022 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners.
SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com
SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com
SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com
Page 1 of 63

Table of Contents

1 Notices and Revisions ..... 6
1.1 Revision History ..... 6
2 Introduction ..... 9
2.1 Purpose of this Document ..... 9
2.2 Document References ..... 9
2.2.1 Applicable Documents ..... 9
2.2.2 Referenced Documents ..... 9
2.3 Abbreviations and Acronyms ..... 10
2.4 Terms and Definitions ..... 11
3 ST Introduction ..... 16
3.1 ST Reference ..... 16
3.2 TOE Reference ..... 16
3.3 TOE Overview ..... 16
3.3.1 Base Functionality ..... 16
3.3.2 TOE Type ..... 17
3.4 TOE Description ..... 17
3.4.1 TOE Architecture ..... 17
3.4.2 TOE ..... 18
3.4.3 TOE Operational Environment ..... 19
3.4.4 TOE Life Cycle ..... 21
3.4.5 TOE Physical Boundary ..... 24
3.4.6 TOE Logical Boundary ..... 28
4 Conformance Claims ..... 30
4.1 CC Conformance Claim ..... 30
4.2 Protection Profile Claim ..... 30
4.3 Package Claim ..... 30
4.4 Conformance Rationale ..... 30
5 Security Problem Definition ..... 31
5.1 Assets ..... 31
5.2 Threats ..... 32
5.3 Organizational Security Policies ..... 32
5.4 Assumptions ..... 32
6 Security Objectives ..... 34
6.1 Security Objectives for the TOE ..... 34
6.2 Security Objectives for the Operational Environment ..... 34
6.3 Security Objectives Rationale ..... 35
6.3.1 Security Objectives Rationale: Threats ..... 36
6.3.2 Security Objective Rationale: Assumptions ..... 37
7 Extended Components Definition ..... 38
8 Security Requirements ..... 39
8.1 Security Functional Requirements ..... 39
8.1.1 User Data Protection (FDP) ..... 39
8.1.2 Identification and Authentication (FIA) ..... 51
8.1.3 Security Management (FMT) ..... 52
8.1.4 Resource Utilization (FRU) ..... 54
8.2 Security Assurance Requirements ..... 56
8.3 Security Requirements Rationale ..... 56
8.3.1 Security Objective: OT.CONFIDENTIALITY ..... 57
8.3.2 Security Objective: OT.INTEGRITY ..... 58
8.3.3 Security Objective: OT.RESOURCE_AVAILABILITY ..... 59
8.3.4 Security Objective: OT.API_PROTECTION ..... 59
8.3.5 Security Assurance Requirements Rationale ..... 59
8.3.6 Security Assurance Requirements Dependency Analysis ..... 59
9 TOE Summary Specification ..... 61
10 Acknowledgment ..... 63

Tables

1 Applicable Documents ..... 9
2 Referenced Documents ..... 10
3 Abbreviations and Acronyms ..... 11
4 TOE Physical Components ..... 25
5 TOE Distribution Media (x86 64-bit) ..... 26
6 TOE Distribution Media (PowerPC) ..... 27
7 TOE Distribution Media (ARM v8) ..... 28
8 Assets ..... 32
9 Security Objectives Rationale ..... 36
10 Coverage of Security Objectives for the TOE by SFR. "X" is for where a dependency to an objective exists. ..... 57
11 SAR Dependency Analysis ..... 60

Figures

1 TOE and TOE Operational Environment during Operational Use ..... 18
2 System Integration Phase of the TOE Lifecycle ..... 22

1 Notices and Revisions

1.1 Revision History

[Intentionally left blank]
2 Introduction

See section 3.3 for a high-level overview of the TOE characteristics and its security services.

2.1 Purpose of this Document

This is the Security Target for the PikeOS Separation Kernel.

2.2 Document References

2.2.1 Applicable Documents

Ref.     Document ID - Document Title                                                                                    Version
[Com17]  Common Criteria Sponsoring Organizations, Common Criteria for Information Technology Security Evaluation.       3.1, revision 5
         Version 3.1, revision 5 (final), April 2017, https://www.commoncriteriaportal.org/ccra/index.cfm

Table 1: Applicable Documents

2.2.2 Referenced Documents

Ref.      Document ID - Document Title
[ANSSI17] Agence nationale de la sécurité des systèmes d'information (ANSSI), Processus de qualification d'un produit, n°274/ANSSI/SDE, réf. QUAL-PROD-PROCESS/1.0, 12 jan. 2017, https://www.ssi.gouv.fr/uploads/2014/11/qual_prod_process-processus-de-qualification-d-un-produit.pdf
[Bun08]   Bundesamt für Sicherheit in der Informationstechnik (BSI) and Sirrix AG security technologies, Protection Profile for High-Assurance Security Kernel: Version 1.14, June 2008.
[Inf07]   Information Assurance Directorate, U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness. Version 1.03, June 2007.
[LNIM10]  Timothy E. Levin, Thuy D. Nguyen, Cynthia E. Irvine, Michael McEvilley, Separation Kernel Protection Profile revisited: Choices and rationale, 4th Annual Layered Assurance Workshop (LAW), 2010, http://fm.csl.sri.com/LAW/2010/.
[OSPP]    Stephan Mueller, Gerald Krummeck, Helmut Kurth, Operating System Protection Profile, 2010, https://www.commoncriteriaportal.org/files/ppfiles/pp0067b_pdf.pdf.
[Rus81]   John Rushby, Design and Verification of Secure Systems, 8th ACM Symposium on Operating System Principles, 1981, http://www.csl.sri.com/users/rushby/papers/sosp81.pdf

Table 2: Referenced Documents

2.3 Abbreviations and Acronyms

Abbreviation / Acronym   Description
APEX       Application Executive
API        Application Programming Interface
ARINC      Aeronautical Radio, Inc.
ASP        Architecture Support Package
CC         Common Criteria for Information Technology Security Evaluation
CPU        Central Processing Unit
DMA        Direct Memory Access
EAL        Evaluation Assurance Level
ELF        Executable and Linkable Format
HASK       High-Assurance Security Kernel
I/O MMU    Input / Output Memory Management Unit
I/O        Input / Output
IPC        Interprocess Communication
IT         Information Technology
MILS       Multiple Independent Levels of Security
MMU        Memory Management Unit
OSEK       Offene Systeme und deren Schnittstellen für die Elektronik in Kraftfahrzeugen
OSP        Organizational Security Policy
OSPP       Operating Systems Protection Profile
POSIX      Portable Operating System Interface
PSP        Platform Support Package
RAM        Random Access Memory
RTEMS      Real-Time Executive for Multiprocessor Systems
SAR        Security Assurance Requirement
SFP        Security Function Policy
SFR        Security Functional Requirement
SKPP       Separation Kernel Protection Profile
SSP        System Security Policy
ST         Security Target
TOE        Target of Evaluation
TSF        Target of Evaluation Security Functionality
TSS_XXX    TOE Security Service XXX
USB        Universal Serial Bus
VMIT       Virtual Machine Initialization Table
XML        Extensible Markup Language

Table 3: Abbreviations and Acronyms

2.4 Terms and Definitions

Access Flag: An access flag is a bit specifying whether a certain access operation is allowed.

Access Mode: An access mode is a set of access flags.
Application: An application is executable data. An application is a special case of "Executable".

Architecture Support Package: An architecture support package (ASP) is part of the TOE. The ASP provides specific low-level functionality for each supported CPU architecture. Since the CPU instruction set is also CPU dependent, the generic components are CPU specific at the object code level. The main responsibilities of an ASP are: (1) abstraction of data type representation, (2) processor exception handling, and (3) low-level address space and memory management. In operational use, the TSF always contains only one ASP.

Bootloader: See "Firmware".

Built-in File Provider: A built-in file provider is an executable provided by the TOE that implements file services.

Communication Object: Partitions can communicate with each other under the supervision of the TOE. A communication object is an object exposed to one or multiple partitions with access rights as defined in the configuration data.

Configuration Data: The configuration data defines a set of rules on how the TOE behaves. The configuration data comprises a top-level configuration XML document called VMIT (Virtual Machine Initialization Table) and the property file system. Access to each property file system node is controlled by the file access control defined in the VMIT. The configuration data is defined during Step 3 of the system integration phase and used by the TOE to enforce the System Security Policy (SSP, Section 3.4.4.2). The default configuration is that there is no communication between any partitions. Any communication between partitions has to be explicitly allowed by the integrator in the configuration data.

CPU Architecture: The CPU architecture is the implementation of a CPU instruction set. CPU architectures are for instance x86, ARM, or PowerPC.

Cyclic Periodicity: Cyclic periodicity is the repetition of a scheduling scheme: when the last time window of the scheduling scheme has finished, the scheduling scheme begins again with its first time window.

ELF File: An ELF file is a file in ELF format, used to load applications.

Executable: "Executable" is the term for an application within a partition or other executable code linked to the TOE. More details about executables are given in section 3.4.3.1.3.

External File Provider: An external file provider is an executable provided by third-party developers that implements file services and is confined by the VMIT.

File Descriptor: A file descriptor is an identifier for a file.

Firmware: Firmware is hardware-specific software which comprises the following:
• Software and data stored in non-volatile memory of the hardware that initializes the hardware after power on.
• Software that (fully or partially) loads the TOE into RAM memory and hands over full control to the TOE. In particular, a TOE-external check of the TOE may be implemented in the bootloader (e.g. for "secure boot").

Fusion Tool Chain: The PikeOS fusion tool chain project is a linker that links one or several executables and the TOE. The tool chain provides linkers for all required CPU architectures. The tool chain can be used on a development machine with Linux or Windows.

Hardware: Hardware is the physical part of the TOE operational environment on which the TOE is executed. Usually, hardware is a board with several components such as CPUs and I/O devices (e.g. serial interfaces, network adapters) etc. This ST considers firmware as part of the hardware.

Integration Tool Chain: The PikeOS integration tool chain project takes as input one or more applications, the VMIT, the property file system, and the results of the fusion tool chain, and produces the product based on PikeOS in the form of a ROM image. The tool chain supports the required CPU architectures and can be used on a development machine with Linux or Windows.

Integrator: The integrator executes the system integration phase, which results in a product based on the TOE.

Interprocess Communication: IPC is a communication protocol supported by the TOE to exchange messages within a partition or between partitions synchronously. The communication objects are IPC messages.

Isolation: Isolation of a partition is the absence of communication with other partitions, except partitions hosting the components implementing the system API, when no communication channels or shared resources between the partition and other partitions are configured. Isolation is a special case of separation.

Kernel Info Page: The kernel info page is a memory page that is mapped in read-only access mode to all partitions.

Kernel Device Driver: A kernel device driver is a software component supplied and approved by the integrator and linked with the TOE via the kernel device driver API. A kernel device driver can provide specific functionality to applications within partitions and is protected from non-privileged executables by access control and resource management enforced by the TOE.

Life Cycle: The life cycle phases for this TOE are development (source code development), manufacturing (compilation to binary) and delivery to the integrator. The integrator executes the system integration phase, which results in a product based on the TOE.

Memory Page: A memory page is an aligned and contiguous area of memory of a CPU architecture dependent size (e.g. 4096 bytes).

Normal Partition: A normal partition can use the API provided by the TOE to partitions that consists only of non-privileged calls ("normal partition API").

Non-Privileged Executable: See "Executable".

Own (for a Task or a Thread): A partition owns a task if the task is assigned to it by the integrator in the VMIT. A partition owns a thread if the thread is created by one of its applications.

Partition: A partition is a logical unit maintained by the TOE and configured by the SSP. A partition contains user data. For each partition, the TOE provides resources. Resources of a partition comprise physical memory and allocated CPU time for each CPU.

Partition Switch: Partition switches are defined by the SSP as part of the scheduling scheme and transfer code execution on CPU(s) from one partition to another.

PikeOS: The term PikeOS is usually used in the documentation when the described system includes at least the TOE.

PikeOS Kernel: The PikeOS Kernel is one of the two constituting subsystems of the PikeOS Separation Kernel and implements a portion of the TSF.

PikeOS Operating System: The PikeOS Operating System consists of the TOE and additional system components such as the PSP, (kernel) device drivers, and system extensions. Such additional components are usually used for making the TOE fully compatible with its use case and the selected hardware.

PikeOS Separation Kernel: The PikeOS Separation Kernel (the TOE) provides the TSF and operates the product based on PikeOS. The TSF implements mechanisms to assign resources to partitions, providing the execution environments for applications, and implementing communication between partitions as defined by the configuration data. The PikeOS Separation Kernel is provided as a binary for each supported CPU architecture. The functionality of the PikeOS Separation Kernel is CPU architecture-independent thanks to the usage of the ASP that abstracts the underlying CPU architecture.

PikeOS System Software: The PikeOS System Software (PSSW), also called System Software, is one of the two constituting subsystems of the PikeOS Separation Kernel and implements a portion of the TSF.

Platform Support Package: A platform support package (PSP) contains a set of drivers for specific hardware components and is supplied and approved by the integrator. A PSP uses the TSF's PSP API. In operational use, the product based on PikeOS always contains exactly one PSP. A PSP is protected from non-privileged executables by access control and resource management enforced by the TOE. The main tasks of a PSP are (1) platform initialization, (2) interrupt management, (3) hardware timer management.

Port: A port is a communication endpoint for message based communication. A port is either configured as a source port or a destination port. A sender writes a message to a source port and a receiver reads the message from the connected destination port. The TOE supports two kinds of message transfer modes, queuing mode and sampling mode. The mode is defined by the port type. Only ports of the same type can be connected. Messages sent to a source queuing port are buffered in a queue until they are read from the connected destination port. The number of messages that can be buffered is a configurable property of a queuing port. A message sent to a source sampling port is only buffered until the next message is sent; the new message replaces the old one.

Privileged Executable: See "Executable".

Product Based on PikeOS: The product based on PikeOS is the output of the system integration phase (Section 3.4.4.2). The product based on PikeOS contains the configuration data in a representation readable by the TOE, the PSP, system extensions, kernel device drivers, and partitions. The PSP reads and sets up the configuration, and confines non-privileged executables within their partitions according to the SSP.

Property Node: A property node is a file in the property file system. The integrator can use the property file system to describe properties of hardware in the operational environment.

Resource: In this ST we consider resources of partitions and TSF data. The resources of a partition comprise physical memory and allocated CPU time for each CPU.

Separation: The TOE separates partitions by managing their accesses to and usage of resources, such as memory, devices, processors, and communication channels, as defined by the configuration.

Separation Kernel: A Separation Kernel as defined by [Rus81] is the logical concept of software that is capable of providing multiple execution environments on a single system that are separated from each other with the same degree of rigor as if the environments were executed on physically separate systems. A Separation Kernel can be implemented in a number of different ways, for example as (part of) an Operating System Kernel.

Subject: In this ST, the term subject is used for a thread in a partition, for an application, or for a partition as a whole, depending on the context. In the running TOE, the entity executing application code is a TOE thread. In a partition there can be multiple threads and each thread is uniquely assigned to its partition. Since this ST works on security policies at partition level, we abstract all threads in one partition to the partition subject.

System Extension: A system extension is a software component supplied and approved by the integrator and linked with the TOE via the system extension API. A system extension can provide specific functionality to applications within partitions and is protected from non-privileged executables by access control and resource management enforced by the TOE.

System Partition: A system partition can use the whole API provided by the TOE to partitions ("system partition API"), i.e. use both non-privileged (normal partition API) and additional privileged calls. The integrator can define a partition as a system partition in the SSP.

System Security Policy (SSP): The configuration data uniquely defines the System Security Policy (SSP) consisting of configuration choices made by an integrator. The SSP defines partitions, setting their resources, defining communication objects, defining access to and parameters for PSP, system extensions, and kernel device drivers, setting their content and resources, and setting TOE attributes, comprising the scheduling scheme, the policy for memory cache handling on a partition switch to the extent supported by the operational environment's hardware, and the scheme for automatic handling of error conditions. The SSP is a subset of the VMIT.
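The Port definition above fixes three rules that a reviewer of a VMIT-style configuration wants to be able to check: a channel runs from a source port to a destination port of the same type, a queuing port buffers up to a configured number of messages until they are read, and a sampling port keeps only the newest message. The following model, added here as an illustration and not PikeOS code, encodes exactly those rules; the partition names, port names and the choice to reject a send on a full queue (the page does not state what the TOE does in that case) are assumptions of the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

QUEUING = "queuing"
SAMPLING = "sampling"


@dataclass
class Port:
    partition: str
    name: str
    kind: str               # QUEUING or SAMPLING (the port type)
    direction: str          # "source" or "destination"
    max_messages: int = 1   # configurable queue depth; only meaningful for queuing ports


@dataclass
class Channel:
    src: Port
    dst: Port
    queue: Deque[bytes] = field(default_factory=deque)  # queuing mode: FIFO buffer
    sample: Optional[bytes] = None                      # sampling mode: newest message only


class PortRouter:
    """Hypothetical model of the Port definition: channels are configured statically,
    and without a configured channel two partitions cannot exchange messages."""

    def __init__(self) -> None:
        self._by_src: Dict[Tuple[str, str], Channel] = {}
        self._by_dst: Dict[Tuple[str, str], Channel] = {}

    def connect(self, src: Port, dst: Port) -> None:
        # Configuration-time rules from the definition.
        if src.direction != "source" or dst.direction != "destination":
            raise ValueError("a channel runs from a source port to a destination port")
        if src.kind != dst.kind:
            raise ValueError("only ports of the same type can be connected")
        ch = Channel(src, dst)
        self._by_src[(src.partition, src.name)] = ch
        self._by_dst[(dst.partition, dst.name)] = ch

    def send(self, partition: str, port: str, msg: bytes) -> bool:
        ch = self._by_src.get((partition, port))
        if ch is None:
            return False            # default: no communication between partitions
        if ch.src.kind == SAMPLING:
            ch.sample = msg         # the new message replaces the old one
            return True
        if len(ch.queue) >= ch.src.max_messages:
            # ASSUMPTION: the page does not say how the TOE handles a full queue;
            # this model rejects the send so the caller sees the bounded buffer.
            return False
        ch.queue.append(msg)
        return True

    def receive(self, partition: str, port: str) -> Optional[bytes]:
        ch = self._by_dst.get((partition, port))
        if ch is None:
            return None
        if ch.dst.kind == SAMPLING:
            return ch.sample        # the sample stays until the next send
        return ch.queue.popleft() if ch.queue else None


def demo() -> dict:
    """Constructed configuration: partition A feeds partition B over a queuing channel
    of depth 2 and a sampling channel; partition C has no channel at all."""
    r = PortRouter()
    r.connect(Port("A", "tm_out", QUEUING, "source", max_messages=2),
              Port("B", "tm_in", QUEUING, "destination", max_messages=2))
    r.connect(Port("A", "pos_out", SAMPLING, "source"),
              Port("B", "pos_in", SAMPLING, "destination"))
    queue_accepts = [r.send("A", "tm_out", m) for m in (b"m1", b"m2", b"m3")]
    sample_accepts = [r.send("A", "pos_out", m) for m in (b"p1", b"p2")]
    return {
        "queue_accepts": queue_accepts,                      # third send exceeds depth 2
        "queue_reads": [r.receive("B", "tm_in") for _ in range(3)],
        "sample_accepts": sample_accepts,
        "sample_reads": [r.receive("B", "pos_in") for _ in range(2)],
        "isolated_send": r.send("C", "x_out", b"data"),      # no channel configured
    }


def mismatched_connect_rejected() -> bool:
    """A queuing source connected to a sampling destination is a configuration error."""
    r = PortRouter()
    try:
        r.connect(Port("A", "q", QUEUING, "source"), Port("B", "s", SAMPLING, "destination"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two buffering disciplines side by side: the queuing channel delivers m1 and m2 in order and then runs dry, while the sampling channel answers every read with p2, the last message written, and a partition without a configured channel gets nothing through at all.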
Time Window: A time window is the basic scheduling entity of CPU time assigned to a partition. It is specified by its offset from the start of a cyclical time period and by its duration.

TOE Security Service: A TOE Security Service is a logical part of the TOE that has to be relied upon for enforcing a related subset of the rules regulating how the SSP is maintained by the TOE.

TOE User Manuals: The TOE User Manuals are documentation provided with the TOE on how to use the TOE in general environments and in safety and security critical environments.

User: A "user" of the TOE is a partition.

Virtual Machine Initialization Table (VMIT): The configuration data defines a set of rules on how the TOE behaves. The configuration data comprises a top-level configuration XML document called VMIT (Virtual Machine Initialization Table) and the property file system. Access to each property file system node is controlled by the file access control defined in the VMIT. The SSP is a subset of the VMIT.

3 ST Introduction

This is the Security Target for the PikeOS Separation Kernel.

3.1 ST Reference

• Title: Security Target PikeOS Separation Kernel v5.1.3
• Version: 40.22
• Issuer: SYSGO GmbH
• Keywords: real-time, operating system, separation kernel, MILS (Multiple Independent Levels of Security), virtualization, hypervisor
• Date: 6th September, 2022
• TOE Version: 5.1.3

This document is the Security Target for the Common Criteria evaluation of the PikeOS Separation Kernel. It complies with the Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 5 [Com17] (CC).

3.2 TOE Reference

The TOE is the PikeOS Separation Kernel version 5.1.3 running on the microprocessor family x86 64-bit, ARMv8, or PowerPC hosting different applications. The TOE is referenced as PikeOS 5.1.3 for Linux and Windows development host with PikeOS 5.1.3 Certification Kit build S6510.

3.3 TOE Overview

The TOE is a Separation Kernel, which makes it possible to effectively separate multiple applications running on the same platform from each other. Such applications can range from small bare-metal programs up to entire Operating Systems. Non-privileged applications may be malicious, and even in that case the TOE ensures that malicious applications are capable of harming neither other applications nor the TOE itself.

Separation Kernels aim to establish a degree of isolation between the applications on a single system (e.g., a hardware platform) which, in terms of security, is comparable to running the application executables on physically separate platforms [Rus81]. However, Separation Kernels also provide communication facilities that allow the applications to interact with each other, if configured by the Integrator.

The TOE includes a wide range of additional features and functionalities such as direct memory access, process control, memory management, different communication services and more. Together with the real-time capability of the TOE, this makes it possible to build and operate embedded systems in areas with a high demand for security and safety such as automotive, avionics, medical devices, industrial and railway applications.

3.3.1 Base Functionality

The interference-free coexistence of applications is guaranteed by separating these applications into so-called partitions. These partitions are a key component of the functionality of the TOE. They ensure that even malicious applications are isolated in a way that the TOE itself and other applications in other partitions remain in a secure state.

SYSGO defines separation as follows: The TOE separates partitions by managing their accesses to and usage of resources, such as memory, devices, processors, and communication channels, as defined by the configuration. Isolation of a partition is the absence of communication with other partitions, except partitions hosting the components implementing the system API, when no communication channels or shared resources between the partition and other partitions are configured. Isolation is a special case of separation.

Additionally, the TOE has the characteristics of an embedded real time operating system. Thus, the partitioning is configured statically and the TOE does not include typical desktop operating system services (e.g. user login, printer drivers). The TOE will typically be installed and operated on a hardware platform suitable for embedded systems.
The major security services provided by the TOE are:

• Separation in space of applications hosted in different partitions from each other and from the PikeOS Operating System according to the configuration data,
• Separation in time of applications hosted in different partitions from each other and from the PikeOS Operating System according to the configuration data,
• Control of information flows between applications hosted in different partitions by assigning communication objects, and access rights to those objects, to the partitions,
• Management of the TOE (e.g. system partition API) and the TOE data (e.g. threads, tasks).

3.3.2 TOE Type

The TOE is a separation kernel with real-time support.

The typical life cycle phases for this TOE type are development (source code development), manufacturing (compilation to binary) and delivery to the integrator. The integrator executes the system integration phase, which results in a product based on the TOE.

The TOE may run on various hardware platforms. The hardware platform is not part of the TOE. The minimum requirements on the hardware platform comprise a CPU with a memory management unit (MMU) and support for different CPU privilege modes, as well as the availability of a suitable Platform Support Package (PSP).

3.4 TOE Description

3.4.1 TOE Architecture

The TOE, including its architecture, and the TOE operational environment are depicted in Figure 1.

[Figure 1: TOE and TOE Operational Environment during Operational Use. Boxes shown: the PikeOS Operating System, consisting of the PikeOS Separation Kernel (the Target of Evaluation, with the TOE subsystems Kernel / Architecture Support Package and System Software and the TOE APIs Normal Partition API, System Partition API, System Extension API, Kernel Device Driver API and PSP API) and the Board Support Package (BSP, containing the PSP, Kernel Device Drivers and System Extensions); System Partitions 1 to N; Normal Partitions 1 to N hosting non-privileged applications (e.g. a C application, POSIX, Linux); Firmware; Hardware. Legend: Normal Partition Content (e.g. non-privileged applications, arbitrary user data); Privileged executable Content (user data that has to be approved by the system integrator); the red line defines security domains separated by technical means.]

Figure 1 will be explained in detail in the next sections (Section 3.4.2 and 3.4.3).

3.4.2 TOE

The TOE is the PikeOS Separation Kernel, shown in Figure 1 by the correspondingly labeled box. It consists of the PikeOS Kernel and System Software, which contain all security functions (TSF) claimed in this ST, and the TSF data (e.g. configuration data and run-time data such as security attributes) necessary to configure and control them. The subdivision of the TOE into the two subsystems (Kernel and System Software) is a design choice with no negative impact on the provided security services.

The TOE provides the TSF and operates the product based on PikeOS. The TSF implements mechanisms to assign resources to partitions, providing the execution environments for applications, and implementing communication between partitions as defined by the configuration data.

The TOE has the following interfaces (boxes indicated as "TOE API" in Figure 1):

• The TOE provides APIs to normal partitions and system partitions as well as APIs to system extensions, kernel device drivers and the platform support package (PSP).
• An architecture support package (ASP) is part of the TOE. The ASP provides specific low-level functionality for each supported CPU architecture. Supported CPU architectures are x86 64bit, ARMv8, and PowerPC. In operational use, the TSF always contains only one ASP.

TSF data consists of:

• Configuration data: data used by the TOE to enforce the System Security Policy (SSP, Section 3.4.4.2).
• Run-time data such as security attributes.

3.4.2.1 PikeOS Operating System

The PikeOS Operating System consists of the TOE and, depending on the configuration used, of additional software components as mentioned in Section 3.4.3. Such components are depicted in Figure 1 within the box labeled "BSP".

3.4.3 TOE Operational Environment

In a final product, e.g., an embedded system product based on the TOE, the TOE will use additional supporting software components to adapt the product to its operational environment, including the system’s hardware. These additional components are provided by the integrator and are not covered by this evaluation; they therefore belong to the TOE’s operational environment. They interact with the TOE through the TOE’s well-defined interfaces and do not change the TOE binary. Some of the components execute privileged CPU instructions or use privileged TOE services and could therefore interfere with security policies enforced by the TSF at runtime. Those components are collectively referred to as privileged executables (see Section 3.4.3.1.3).
It is outside the scope of this evaluation how the trust for the privileged executables will be established. The integrator of a product based on PikeOS must establish trust for these privileged executables, e.g. the integrator may use a national scheme’s accreditation for components and/or the product based on the TOE, a Common Criteria evaluation of the product based on the TOE, or the integrator may provide some other arguments to the user of the product based on the TOE.

The TOE’s operational environment consists of everything outside the box labeled "PikeOS Separation Kernel" in Figure 1. The various privileged components (boxes indicated as "Privileged executable Content") or non-privileged components (boxes indicated as "Normal Partition Content") that may be added by the system or platform integrators are the following:

3.4.3.1 Partition

A partition is a logical unit maintained by the TOE and configured by the configuration data. A partition contains user data. For each partition, the TOE provides resources. Resources of a partition comprise physical memory and allocated CPU time for each CPU. The TOE supports two different kinds of partitions: normal and system partitions. Normal partitions as depicted in Figure 1 are defined in Section 3.4.3.1.1. System partitions as depicted in Figure 1 are defined in Section 3.4.3.1.2.

Partitions can communicate with each other under the supervision of the TOE. This communication occurs via communication objects. A communication object is an object exposed to one or multiple partitions with access rights as defined in the configuration data.

3.4.3.1.1 Normal Partition

A normal partition can use the API provided by the TOE to partitions that consists only of non-privileged calls ("normal partition API"). The integrator can define a partition as a normal partition in the SSP.

3.4.3.1.2 System Partition

A system partition can use the whole API provided by the TOE to partitions ("system partition API"), i.e. both the non-privileged calls (normal partition API) and the additional privileged calls. The integrator can define a partition as a system partition in the SSP.

3.4.3.1.3 Executable, Non-privileged Executable, Privileged Executable

"Executable" is the term for an application within a partition or other executable code linked to the PikeOS Operating System.

• An executable is critical if it can have access to critical hardware. Critical hardware can bypass TOE partitioning. Examples where a normal partition hosts a critical executable are:
  • An executable in a normal partition is critical if the integrator, in the configuration, assigns to it access to control critical hardware which can do DMA, there is no I/O MMU in place, and the hardware can write to arbitrary system memory, thus tampering with the TOE. Another example is an executable that has sufficient control over a hardware device allowing the executable to tamper with the device’s BIOS or non-volatile memory. We refer the reader to the TOE User Manuals for more details.
• A non-privileged executable is an application in a normal partition that is not critical. Thus, a non-privileged executable can be an arbitrary executable, which can contain unintentional errors or even be malicious.
• A privileged executable is either a critical application in a normal partition, or any application in a system partition, or the PSP, or a kernel device driver, or a system extension. That is, a privileged executable has access to a TOE API or to critical hardware that can bypass TOE partitioning. Therefore, a privileged executable must be non-evil, and the integrator must verify that it complies with the system design and that it will not interfere with the TOE and the SSP.

3.4.3.2 System Extension

A system extension is a software component supplied and approved by the integrator and linked with the TOE via the system extension API. A system extension can provide specific functionality to applications within partitions and is protected from non-privileged executables by access control and resource management enforced by the TOE.

3.4.3.3 Kernel Device Driver

A kernel device driver is a software component supplied and approved by the integrator and linked with the TOE via the kernel device driver API. A kernel device driver can provide specific functionality to applications within partitions and is protected from non-privileged executables by access control and resource management enforced by the TOE.

3.4.3.4 Platform Support Package (PSP)

A platform support package (PSP) contains a set of drivers for specific hardware components and is supplied and approved by the integrator. A PSP uses the TSF’s PSP API. In operational use, the product based on PikeOS always contains exactly one PSP. A PSP is protected from non-privileged executables by access control and resource management enforced by the TOE.

3.4.3.5 Communication Object

A communication object is a file, shared memory, a port, an IPC message, or an event.

3.4.3.6 Hardware

Hardware is the physical part of the TOE operational environment on which the TOE is executed. Usually, hardware is a board with several components such as CPUs and I/O devices (e.g. serial interfaces, network adapters) etc. Hardware may also comprise firmware. Firmware is hardware-specific software which comprises the following:

• Software and data stored in non-volatile memory of the hardware that initializes the hardware after power on.
• Software that (fully or partially) loads the TOE into RAM and hands over full control to the TOE. In particular, a TOE-external check of the TOE may be implemented in the bootloader (e.g. for "secure boot").

3.4.4 TOE Life Cycle

3.4.4.1 TOE Development, TOE Manufacturing

At the TOE manufacturer’s site (SYSGO), the TSF is developed (source code development) and manufactured (compiled to binary). The TOE manufacturer also produces the TOE User Manuals.

3.4.4.2 System Integration

At the integrator’s site, the TOE is integrated. Figure 2 presents the system integration phase of the TOE lifecycle. Components used to build the product based on the TOE are provided by different sources: application developers, integrators, and the TOE manufacturer (SYSGO). During system integration, the TOE, applications and other executables only have to be linked, i.e. their implementations do not need to be changed or recompiled.
[Figure 2: System Integration Phase of the TOE Lifecycle. The integration process at the integrator combines the TOE binary, the TOE User Manual and the Integration Toolchain (all provided by the TOE manufacturer), the content of non-privileged partitions 1 to N (e.g. a C program, C POSIX, Linux; provided by application developers), and the system partition content, system extension content, kernel device driver content, PSP content and configuration data into the product binary image. Legend: Parts of the Target of Evaluation (TOE): provided by the TOE manufacturer. Integration Toolchain: provided by the TOE manufacturer. Content of User Partitions: this content can be arbitrary (from a security point of view) and also be supplied by any 3rd party. Content of System Components and Configuration Data: these elements, even if supplied by a 3rd party, are under the sole responsibility of the integrator and shall be approved by him/her; see A.PRIVILEGED_EXECUTABLES below.]

The system integration phase can be split into four steps: selection of the TOE operational environment and of the non-privileged and privileged executables, and deciding on system partitions and normal partitions (Step 1), fusion (Step 2), configuration of the TOE (Step 3), and integration (Step 4).

Step 1 Selection

The integrator selects the hardware and, if applicable, the firmware the TOE runs on. The integrator installs the PikeOS product and the PikeOS Certification Kit on the development machine for the corresponding CPU architecture. The integrator selects the content of components: PSP, optional system extension(s), optional kernel device driver(s), optional system partition(s), and normal partition(s) to be integrated with the TOE. The content of any privileged executable shall be developed in compliance with the obligations given in Section 5.4 and be approved by the integrator.

Step 2 Fusion

In this step the integrator:

• provides configuration for the PSP, kernel device drivers, and system extensions, and
• uses the fusion tool chain to link the PSP, kernel device drivers, and system extensions with the binary image of the TOE.

Step 3 Configuration

The integrator configures the product by:

• defining normal and system partitions, setting their content and resources,
• defining communication objects,
• defining access to and parameters for PSP, system extensions, and kernel device drivers, setting their content and resources,
• setting TOE attributes, comprising:
  • scheduling scheme,
  • policy for memory cache handling on a partition switch to the extent supported by the operational environment’s hardware,
  • scheme for automatic handling of error conditions, defining the meaning of the safe and secure state.

The result of this activity is the configuration data. The configuration data defines a set of rules on how the TOE behaves. The configuration data comprises a top-level configuration XML document called VMIT (Virtual Machine Initialization Table) and the property file system. Access to each property file system node is controlled by the file access control defined in the VMIT. The configuration data uniquely defines the System Security Policy (SSP) consisting of configuration choices made by an integrator. The SSP defines the partitions and their resources, the communication objects, the access to and parameters for PSP, system extensions, and kernel device drivers together with their content and resources, and the TOE attributes, comprising the scheduling scheme, the policy for memory cache handling on a partition switch to the extent supported by the operational environment’s hardware, and the scheme for automatic handling of error conditions. The SSP is a subset of the VMIT. The SSP is enforced by the TSF and cannot be circumvented by non-privileged executables. The default configuration is that there is no communication between any partitions. Any communication between partitions has to be explicitly allowed by the integrator in the configuration data.

Step 4 Integration

The integrator uses the integration tool chain to create a product based on PikeOS (in the form of a binary image) from the selected components and the TOE configuration data, the latter included in a representation readable by the TOE.

3.4.4.3 Operational Use of the Product Based on the TOE

At power on, the hardware is initialized and then the product based on PikeOS is loaded. Immediately after the product based on PikeOS has been loaded, the PSP is executed. The PSP then starts the TOE (TSF); the TOE initializes itself and starts enforcing the SSP, i.e. the TOE reads and sets up the configuration, and confines non-privileged executables within their partitions according to the SSP.
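As an added illustration of Step 3 and of the time-window scheduling that the Time Window definition and TSS_STA describe (example code written for this page, not SYSGO’s tooling; the XML element and attribute names are a hypothetical stand-in and not the VMIT schema), the following Python reads a small constructed configuration, derives the partition-to-partition information flows it permits under the default-deny rule stated above (a flow exists only where a communication object gives one partition write access and another read access), and checks that the configured time windows stay inside the cyclic period and do not overlap on the same CPU:

```python
"""Derive permitted information flows and check the time-window schedule of a
partition configuration.  Added example: the XML schema is a CONSTRUCTED
stand-in, not the PikeOS VMIT schema; only the concepts follow the Security
Target (partitions, communication objects with per-partition access rights,
cyclic time windows given as offset plus duration)."""
from dataclasses import dataclass, field
from itertools import combinations
import xml.etree.ElementTree as ET

# Constructed sample configuration (hypothetical element names).
SAMPLE_CONFIG = """\
<config major_frame_us="10000">
  <partition name="ctrl" kind="normal"/>
  <partition name="hmi" kind="normal"/>
  <partition name="log" kind="normal"/>
  <partition name="sys" kind="system"/>
  <shared_memory name="telemetry">
    <access partition="ctrl" rights="w"/>
    <access partition="hmi" rights="r"/>
  </shared_memory>
  <port name="audit">
    <access partition="hmi" rights="w"/>
    <access partition="ctrl" rights="w"/>
    <access partition="log" rights="r"/>
  </port>
  <schedule cpu="0">
    <window partition="ctrl" offset_us="0" duration_us="4000"/>
    <window partition="hmi" offset_us="4000" duration_us="3000"/>
    <window partition="log" offset_us="7000" duration_us="2000"/>
  </schedule>
</config>
"""

@dataclass
class Window:
    partition: str
    offset: int      # microseconds from the start of the cyclic period
    duration: int    # microseconds

@dataclass
class Config:
    major_frame: int                    # length of the cyclic period in us
    partitions: dict                    # partition name -> "normal" | "system"
    comm_objects: dict = field(default_factory=dict)  # name -> {partition: rights}
    schedules: dict = field(default_factory=dict)     # cpu -> [Window, ...]

def parse_config(xml_text: str) -> Config:
    root = ET.fromstring(xml_text)
    cfg = Config(int(root.get("major_frame_us")),
                 {p.get("name"): p.get("kind") for p in root.findall("partition")})
    for elem in root:
        if elem.tag in ("shared_memory", "port", "file", "event"):
            rights = {}
            for acc in elem.findall("access"):
                part = acc.get("partition")
                if part not in cfg.partitions:   # reject dangling references
                    raise ValueError(f"{elem.get('name')}: unknown partition {part!r}")
                rights[part] = acc.get("rights")
            cfg.comm_objects[elem.get("name")] = rights
        elif elem.tag == "schedule":
            cfg.schedules[int(elem.get("cpu"))] = [
                Window(w.get("partition"), int(w.get("offset_us")), int(w.get("duration_us")))
                for w in elem.findall("window")]
    return cfg

def allowed_flows(cfg: Config) -> set:
    """Directed flows A -> B the configuration permits.  Default deny: a flow
    exists only if one communication object grants A write and B read access."""
    flows = set()
    for rights in cfg.comm_objects.values():
        writers = {p for p, r in rights.items() if "w" in r}
        readers = {p for p, r in rights.items() if "r" in r}
        flows |= {(a, b) for a in writers for b in readers if a != b}
    return flows

def schedule_violations(cfg: Config) -> list:
    """Windows on one CPU must lie inside the major frame and must not overlap."""
    problems = []
    for cpu, windows in cfg.schedules.items():
        for w in windows:
            if w.offset < 0 or w.duration <= 0 or w.offset + w.duration > cfg.major_frame:
                problems.append(f"cpu{cpu}: window of {w.partition} leaves the major frame")
        for a, b in combinations(windows, 2):
            if a.offset < b.offset + b.duration and b.offset < a.offset + a.duration:
                problems.append(f"cpu{cpu}: windows of {a.partition} and {b.partition} overlap")
    return problems

def cpu_share(cfg: Config, cpu: int) -> dict:
    """Fraction of the cyclic period each partition is granted on the given CPU."""
    share = {}
    for w in cfg.schedules.get(cpu, []):
        share[w.partition] = share.get(w.partition, 0.0) + w.duration / cfg.major_frame
    return share

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("permitted flows:", sorted(allowed_flows(cfg)))
    print("schedule violations:", schedule_violations(cfg))
    print("cpu0 share:", cpu_share(cfg, 0))
```

Run stand-alone, the script reports three permitted flows (ctrl to hmi, and ctrl and hmi to log), no schedule violations, and CPU shares of 0.4, 0.3 and 0.2 for ctrl, hmi and log; the remaining tenth of the period is unassigned and the system partition has no window on this CPU. Deriving the flow set mechanically lets an integrator compare it against the intended system design before the configuration is fused into the product image.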
3.4.5 TOE Physical Boundary

The TOE is the PikeOS Separation Kernel. In Figure 1, each component within the box labeled PikeOS Separation Kernel is part of the TOE. This includes the PikeOS kernel and the PikeOS system software. The TOE provides interfaces to normal and system partitions, as well as to board support packages (including board initialization and drivers). Each component outside of that box is outside of the TOE physical boundary. Thus, no hardware belongs to the TOE, and no software for kernel device drivers, PSP, system extensions and no partitions belong to the TOE.

The TOE also includes the TOE User Manuals, which are used during the system integration phase. Table 4 lists all these TOE physical components (PikeOS kernel and system software and user manuals). Column "Arch." indicates whether the component is generic or relates to a specific architecture (x86_64, PowerPC, ARMv8 or Generic). Column "Version" indicates the version of the component. Column "Medium" relates to the ISO image file where the component can be found (PDT_ISO for the product ISO image "R5p1_PIKEOS__S*.amd64.iso", CKGEN_ISO for the generic certification kit ISO image "R5p1_PIKEOS__CERTKIT_GENERIC_S*.amd64.iso", and CKCC_ISO for the Common Criteria certification kit ISO image "R5p1_PIKEOS_CERTKIT_CC_S*.amd64.iso").

Title | Arch. | Version | Medium
PikeOS Microkernel for x86 64-bit | x86_64 | 5.1-20592 | PDT_ISO
PikeOS Microkernel for E500MC-4G | PowerPC | 5.1-20592 | PDT_ISO
PikeOS Microkernel for ARMv8 | ARMv8 | 5.1-20592 | PDT_ISO
PikeOS System Software for x86 64-bit | x86_64 | 5.1-4562 | PDT_ISO
PikeOS System Software for E500MC-4G | PowerPC | 5.1-4562 | PDT_ISO
PikeOS System Software for ARMv8 | ARMv8 | 5.1-4562 | PDT_ISO
PikeOS User Manual | Generic | 5.1-1077 | PDT_ISO
PikeOS Installation Guide | Generic | 5.1.3 | PDT_ISO
PikeOS Kernel Reference Manual | Generic | 5.1-297 | PDT_ISO
PikeOS System Software Reference Manual | Generic | 5.1-321 | PDT_ISO
PikeOS Device Driver Programming Reference Manual | Generic | 5.1-305 | PDT_ISO
PikeOS PSP and KDEV Developer’s Guide | Generic | 5.1-281 | PDT_ISO
P4EXT PikeOS Native Personality Extensions | Generic | 5.1-87 | PDT_ISO
CENV C Language Programming Environment | Generic | 5.1-41 | PDT_ISO
PikeOS Platform Manual for x86-amd64 Boards | x86_64 | 5.1-569 | PDT_ISO
PikeOS Platform Manual for e500mc-4g Boards | PowerPC | 5.1-240 | PDT_ISO
PikeOS Platform Manual for ARM v8-A 64-bit Boards | ARMv8 | 5.1-597 | PDT_ISO
PikeOS Kernel Interface Specification | Generic | 40.17 | CKGEN_ISO
PikeOS Kernel Device Driver Interface Specification | Generic | 40.13 | CKGEN_ISO
PikeOS ASP ARM_V8HF Interface Specification | ARMv8 | 40.8 | CKGEN_ISO
PikeOS ASP PPC_E500MC_4G Interface Specification | PowerPC | 40.11 | CKGEN_ISO
PikeOS ASP X86_AMD64 Interface Specification | x86_64 | 40.9 | CKGEN_ISO
PikeOS PSP Generic Interface Specification | Generic | 40.16 | CKGEN_ISO
PikeOS System Software Interface Specification | Generic | 40.15 | CKGEN_ISO
PikeOS Configuration Interface Specification | Generic | 40.11 | CKGEN_ISO
PikeOS Utils Library Interface Specification | Generic | 40.6 | CKGEN_ISO
User Manual PikeOS Generic Certification Kit (X86_AMD64) | x86_64 | 40.1 | CKGEN_ISO
User Manual PikeOS Generic Certification Kit (E500MC-4G) | PowerPC | 40.1 | CKGEN_ISO
User Manual PikeOS Generic Certification Kit (ARM_V8HF) | ARMv8 | 40.5 | CKGEN_ISO
PikeOS Safety and Security Manual | Generic | 40.18 | CKGEN_ISO
PikeOS Safety and Security Manual (x86 AMD64 Supplement) | x86_64 | 40.5 | CKGEN_ISO
PikeOS Safety and Security Manual (E500MC-4G Supplement) | PowerPC | 40.7 | CKGEN_ISO
PikeOS Safety and Security Manual (ARM8 Supplement) | ARMv8 | 40.15 | CKGEN_ISO
PikeOS Kernel Interface Specification | Generic | 40.17 | CKGEN_ISO
PikeOS System Software Interface Specification | Generic | 40.15 | CKGEN_ISO
Security Bulletin for PikeOS 5.1.3 | Generic | 10 | CKCC_ISO
Table 4: TOE Physical Components

Application Note 1: The document "Security Bulletin for PikeOS 5.1.3" lists all vulnerabilities found during the Common Criteria evaluation process that shall be addressed by the Integrator.

Tables 5, 6 and 7 hereafter list the TOE physical components distribution media for each architecture. The components are either provided as individual files or can be found in the ISO image files mentioned in Table 4. Each file is given together with its reference SHA256 digest for verification purposes.
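As an added example of the digest check these tables are meant to support (example code written for this page, not part of the PikeOS delivery; the reference digests are copied from Table 5, and the assumption that all downloaded media sit in one directory is the example’s own), the following Python computes SHA256 over each file in streamed chunks, compares it in constant time against the manifest, and reports every manifest entry as ok, MISMATCH or missing:

```python
"""Verify downloaded TOE distribution media against the reference SHA256
digests published in the Security Target.  Added example, not part of the
Security Target or the PikeOS product; digests copied from Table 5 (x86 64-bit
media).  The single-directory layout is an assumption of this example."""
import hashlib
import hmac
import os

# Reference digests copied from Table 5 of the Security Target.
REFERENCE_DIGESTS = {
    "pikeos-kernel-cert-x86_amd64-5.1-20592.x86_64.rpm":
        "cc3dcf9865fa84266118fa820e70dd4e10ea9c276e99c7fb65c8cf13a2a96bd2",
    "pikeos-ssw-cert-x86_amd64-5.1-4562.x86_64.rpm":
        "73fc02029ed3df55e29098e81fa6a4bb701ecda7bca9b274b365d400888b29be",
    "pikeos-doc-fundamentals-5.1-1077.noarch.rpm":
        "c3bdd123fc0e3c6ac612062437f088a04a07a2707e6436c27ef41972f62ef077",
    "R5p1_PIKEOS_X86_AMD64_CERTKIT_GENERIC_S6510.amd64.iso":
        "538b62f5adf2638ff69dcac97d96b0a2ada5ef7de1009b6798962b4fa9b9d7c4",
    "pikeos-certkit-cc-secbul-5.1-395.noarch.rpm":
        "27514ca601f2b341cfcc6a6065f7b2dcbe873e6272195a54ab1ef6fd32f2fa27",
}

def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA256 of a file, read in chunks so multi-gigabyte ISO images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time digest comparison."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())

def check_bytes(data: bytes, expected_hex: str) -> bool:
    """Convenience wrapper for in-memory data."""
    return digest_matches(sha256_hex(data), expected_hex)

def verify_media(directory: str, manifest: dict = REFERENCE_DIGESTS) -> dict:
    """Return {file name: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry.

    A missing file is reported rather than skipped: a component that was never
    hashed must not be treated as verified."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif digest_matches(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def all_verified(results: dict) -> bool:
    """True only if every manifest entry was present and matched."""
    return bool(results) and all(status == "ok" for status in results.values())

if __name__ == "__main__":
    import sys
    res = verify_media(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in res.items():
        print(f"{status:8s} {name}")
    sys.exit(0 if all_verified(res) else 1)
```

The non-zero exit status on any mismatch or missing file makes the check usable as a gate in an integration pipeline. On a Linux development host the same comparison can be done with sha256sum -c against a manifest file whose lines have the form "digest  filename".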
Short Description | Archive Name | SHA256
PikeOS Microkernel for x86 64-bit | pikeos-kernel-cert-x86_amd64-5.1-20592.x86_64.rpm | cc3dcf9865fa84266118fa820e70dd4e10ea9c276e99c7fb65c8cf13a2a96bd2
PikeOS System Software for x86 64-bit | pikeos-ssw-cert-x86_amd64-5.1-4562.x86_64.rpm | 73fc02029ed3df55e29098e81fa6a4bb701ecda7bca9b274b365d400888b29be
PikeOS User Manual | pikeos-doc-fundamentals-5.1-1077.noarch.rpm | c3bdd123fc0e3c6ac612062437f088a04a07a2707e6436c27ef41972f62ef077
PikeOS Installation Guide | pikeos-doc-installationguide-5.1-112.noarch.rpm | 13ad083d5ce7c1ab323dabfed8ae229d24313f4385cb26ed2f288aff796245eb
PikeOS Kernel Reference Manual | pikeos-doc-kernelref-5.1-297.noarch.rpm | 261f060d456ec8a34d6dfd2de2c062c497b5449b58284ca66c0f0d2b655661dd
PikeOS System Software Reference Manual | pikeos-doc-psswref-5.1-321.noarch.rpm | 56ecd5bf36ded1cf53effefbb09b2b98b624dde5ad2ca309ff9cd905478e19bf
PikeOS Device Driver Programming Reference Manual | pikeos-doc-drvref-5.1-305.noarch.rpm | bd36e8b97ce4b5e8eb2cb458a8f261c4fde8b7376d050746559fd445e5c0ef20
PikeOS PSP and KDEV Developer’s Guide | pikeos-doc-pspdevguide-5.1-281.noarch.rpm | beb01adac2c23d44ecb0a9cf45e332514ce93b9fd6dfdcd6390c35a069581897
P4EXT PikeOS Native Personality Extensions | pikeos-doc-p4ext-5.1-87.noarch.rpm | a35ac8a76908f4f82bb0df9a443fd3385c916208c40276cf35dc1f9dbd1cc056
CENV C Language Programming Environment | pikeos-doc-cenv-5.1-41.noarch.rpm | b7cc316394bacb72f912b53872aafee5b6e3c481f370247dbed9fa6c63963158
PikeOS Platform Manual for x86-amd64 Boards | pikeos-doc-platx86-amd64-5.1-569.noarch.rpm | 6fbb1accb93139e7b93db032bebf6fc43838d13ea77123d81ebb79347039f8a8
PikeOS x86 64-bit Generic Certification Kit | R5p1_PIKEOS_X86_AMD64_CERTKIT_GENERIC_S6510.amd64.iso | 538b62f5adf2638ff69dcac97d96b0a2ada5ef7de1009b6798962b4fa9b9d7c4
Security Bulletin for PikeOS 5.1.3 | pikeos-certkit-cc-secbul-5.1-395.noarch.rpm | 27514ca601f2b341cfcc6a6065f7b2dcbe873e6272195a54ab1ef6fd32f2fa27
Table 5: TOE Distribution Media (x86 64-bit)

Short Description | Archive Name | SHA256
PikeOS Microkernel for E500MC-4G | pikeos-kernel-cert-ppc_e500mc-4g-5.1-20592.x86_64.rpm | 86f46bae70cfb6cee0b98b69702994f84024ab190c70c92e71b47010575d6901
PikeOS System Software for E500MC-4G | pikeos-ssw-cert-ppc_e500mc-4g-5.1-4562.x86_64.rpm | 1d081a4ae3574161354e8cf852d6e64af7a7730d69f2baaef3f87e4dc17a9919
PikeOS User Manual | pikeos-doc-fundamentals-5.1-1077.noarch.rpm | c3bdd123fc0e3c6ac612062437f088a04a07a2707e6436c27ef41972f62ef077
PikeOS Installation Guide | pikeos-doc-installationguide-5.1-112.noarch.rpm | 13ad083d5ce7c1ab323dabfed8ae229d24313f4385cb26ed2f288aff796245eb
PikeOS Kernel Reference Manual | pikeos-doc-kernelref-5.1-297.noarch.rpm | 261f060d456ec8a34d6dfd2de2c062c497b5449b58284ca66c0f0d2b655661dd
PikeOS System Software Reference Manual | pikeos-doc-psswref-5.1-321.noarch.rpm | 56ecd5bf36ded1cf53effefbb09b2b98b624dde5ad2ca309ff9cd905478e19bf
PikeOS Device Driver Programming Reference Manual | pikeos-doc-drvref-5.1-305.noarch.rpm | bd36e8b97ce4b5e8eb2cb458a8f261c4fde8b7376d050746559fd445e5c0ef20
PikeOS PSP and KDEV Developer’s Guide | pikeos-doc-pspdevguide-5.1-281.noarch.rpm | beb01adac2c23d44ecb0a9cf45e332514ce93b9fd6dfdcd6390c35a069581897
P4EXT PikeOS Native Personality Extensions | pikeos-doc-p4ext-5.1-87.noarch.rpm | a35ac8a76908f4f82bb0df9a443fd3385c916208c40276cf35dc1f9dbd1cc056
CENV C Language Programming Environment | pikeos-doc-cenv-5.1-41.noarch.rpm | b7cc316394bacb72f912b53872aafee5b6e3c481f370247dbed9fa6c63963158
PikeOS Platform Manual for E500MC-4G Boards | pikeos-doc-platppc-e500mc-4g-5.1-240.noarch.rpm | 4d889257ba2751851784f59d08cb24c1aaa1d9ed00162a226c01538dae80777a
PikeOS E500MC-4G Generic Certification Kit | R5p1_PIKEOS_PPC_E500MC_4G_CERTKIT_GENERIC_S6510.amd64.iso | b98d2eab6e79a62c8771b36a79362050a527cfc9f1681d28e99d061fa22287c7
Security Bulletin for PikeOS 5.1.3 | pikeos-certkit-cc-secbul-5.1-395.noarch.rpm | 27514ca601f2b341cfcc6a6065f7b2dcbe873e6272195a54ab1ef6fd32f2fa27
Table 6: TOE Distribution Media (PowerPC)
Short Description / Archive Name / SHA256

PikeOS Microkernel for ARM v8
  pikeos-kernel-cert-arm_v8hf-5.1-20592.x86_64.rpm
  SHA256: a948e9b8fd09769e483e87d0409a36a275616ca3b8071c5bdaed1e5b47872195
PikeOS System Software for ARM v8
  pikeos-ssw-cert-arm_v8hf-5.1-4562.x86_64.rpm
  SHA256: 2499e9fd8a57438ee38d4933c89d220a7c4a82252745037806cdfc53603a395b
PikeOS User Manual
  pikeos-doc-fundamentals-5.1-1077.noarch.rpm
  SHA256: c3bdd123fc0e3c6ac612062437f088a04a07a2707e6436c27ef41972f62ef077
PikeOS Installation Guide
  pikeos-doc-installationguide-5.1-112.noarch.rpm
  SHA256: 13ad083d5ce7c1ab323dabfed8ae229d24313f4385cb26ed2f288aff796245eb
PikeOS Kernel Reference Manual
  pikeos-doc-kernelref-5.1-297.noarch.rpm
  SHA256: 261f060d456ec8a34d6dfd2de2c062c497b5449b58284ca66c0f0d2b655661dd
PikeOS System Software Reference Manual
  pikeos-doc-psswref-5.1-321.noarch.rpm
  SHA256: 56ecd5bf36ded1cf53effefbb09b2b98b624dde5ad2ca309ff9cd905478e19bf
PikeOS Device Driver Programming Reference Manual
  pikeos-doc-drvref-5.1-305.noarch.rpm
  SHA256: bd36e8b97ce4b5e8eb2cb458a8f261c4fde8b7376d050746559fd445e5c0ef20
PikeOS PSP and KDEV Developer’s Guide
  pikeos-doc-pspdevguide-5.1-281.noarch.rpm
  SHA256: beb01adac2c23d44ecb0a9cf45e332514ce93b9fd6dfdcd6390c35a069581897
P4EXT PikeOS Native Personality Extensions
  pikeos-doc-p4ext-5.1-87.noarch.rpm
  SHA256: a35ac8a76908f4f82bb0df9a443fd3385c916208c40276cf35dc1f9dbd1cc056
CENV C Language Programming Environment
  pikeos-doc-cenv-5.1-41.noarch.rpm
  SHA256: b7cc316394bacb72f912b53872aafee5b6e3c481f370247dbed9fa6c63963158
PikeOS Platform Manual for ARM v8 Boards
  pikeos-doc-platarm64-5.1-597.noarch.rpm
  SHA256: c61258d7b610df4f6de655b7931686cd8401aa1968816f5e562c78e6993c8924
PikeOS ARM v8 Generic Certification Kit
  R5p1_PIKEOS_ARM_V8HF_CERTKIT_GENERIC_S6510.amd64.iso
  SHA256: 3bd6efbf796f3370a47c98adc35e9aebc3968526d8d2d1bb220ab197e46baab0
Security Bulletin for PikeOS 5.1.3
  pikeos-certkit-cc-secbul-5.1-395.noarch.rpm
  SHA256: 27514ca601f2b341cfcc6a6065f7b2dcbe873e6272195a54ab1ef6fd32f2fa27
Table 7: TOE Distribution Media (ARM v8)

3.4.6 TOE Logical Boundary

The TOE provides the following TOE security services, abbreviated as TSS_XXX:

• TSS_SSA: Separation in space of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP by using the underlying hardware, as shown by the red lines in Figure 1. Applications can be hosted in different partitions. Partitions get assigned resources (i.e. space) according to the SSP, which comprise memory ranges and a set of CPUs. The TSF enforces the corresponding part of the SSP by the enforcement of access control on partition content, per-partition provision of physical memory space and allocated CPU time for each CPU. By confining non-privileged executables into partitions, the TSF enforces that these applications can affect neither applications in other partitions nor the PikeOS Operating System itself.

• TSS_STA: Separation in time of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP. Applications can be hosted in different partitions. Partitions get assigned CPU time (i.e. time windows) according to the SSP. The TSF enforces the corresponding part of the SSP by per-partition allocation of a predefined amount of CPU time for each CPU. On a partition switch CPUs will be reused.

• TSS_COM: Provision and management of communication objects. Applications hosted in different partitions can get assigned a set of communication objects. A communication object is an object exposed to one or multiple partitions with access rights as defined in the configuration data, thus allowing communication between partitions.

• TSS_MAN: Management of the TOE (e.g. system partition API) and the TOE data (e.g. threads, tasks). The TOE restricts a non-privileged application to only manage tasks and threads within its partition. The TOE provides an API to privileged applications to manage the TOE and the TOE data.

4 Conformance Claims

4.1 CC Conformance Claim

This Security Target (ST) conforms to the Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 5 [Com17] (CC) as follows:
• Part 2 conformant
• Part 3 conformant

4.2 Protection Profile Claim

This ST does not claim conformance with any Protection Profile.

4.3 Package Claim

This ST claims conformance to the Evaluation Assurance Level 5 (EAL 5), augmented with ALC_FLR.3, ADV_IMP.2, ALC_DVS.2, AVA_VAN.5, and ALC_CMC.5. Thus, this ST is EAL 5 augmented.

4.4 Conformance Rationale

Since this ST does not claim conformance to any protection profile, this section is not applicable.
5 Security Problem Definition

5.1 Assets

All assets within the same domain as the TSF (see Figure 1, red-line shape with TSF) are treated in this security target together with the asset TSF data (AS.TSF_DATA).

Asset Name / Description / Security Properties to be Preserved

Memory (AS.MEM)
  Description: RAM or ROM memory, memory mapped I/O, and port mapped I/O assigned to a partition by the integrator.
  Security properties to be preserved: confidentiality, integrity, availability

Files (AS.FILE)
  Description: Access to files and access modes assigned to a partition by the integrator.
  Security properties to be preserved: confidentiality, integrity

Ports (AS.PORT)
  Description: Each port is either a source port or a destination port. The integrator uses channels to specify from which source ports PikeOS transfers messages to which destination ports.
  Security properties to be preserved: confidentiality, integrity

Interrupts (AS.INT)
  Description: Set of interrupts allocated to each partition, configured by the integrator.
  Security properties to be preserved: confidentiality, integrity

Access to PSP-specific services (AS.PS)
  Description: For each access to PSP-specific services, the right to invoke that driver is configured by the integrator per partition.
  Security properties to be preserved: confidentiality, integrity

CPU cores (AS.CORE)
  Description: Set of CPU cores allocated to each partition, configured by the integrator.
  Security properties to be preserved: integrity

Memory reserved for exclusive access by the PikeOS hypervisor (AS.KMEM)
  Description: Memory reserved for exclusive access by the PikeOS hypervisor used on behalf of the resource partition, configured by the integrator. Application Note 2: This memory is within the same domain as the TSF.
  Security properties to be preserved: availability

CPU processing time (AS.TIME)
  Description: The integrator assigns time windows to partitions. This defines the CPU processing time of each partition.
  Security properties to be preserved: availability

Tasks (AS.TASK)
  Description: An application always has at least one task. Tasks are used to structure the assigned memory into address spaces. This asset consists of this structure. Application Note 3: The content of tasks is already covered by AS.MEM.
  Security properties to be preserved: API protection

Threads (AS.THR)
  Description: An application always has at least one thread. The asset consists of all threads that can be created in a partition.
  Security properties to be preserved: API protection

TSF data (AS.TSF_DATA)
  Description: TSF data consists of configuration data (data used by the TSF to enforce the SSP) and run-time data such as partition attributes, task and thread management data.
  Security properties to be preserved: confidentiality, integrity

System Partition API (AS.SYS_PART_API)
  Description: The system partition API is an interface to functions of the TSF available for system partitions.
  Security properties to be preserved: API protection

Table 8: Assets

5.2 Threats

Assets are defined in Table 8 in Section 5.1. An attacker is a non-privileged executable.

T.DISCLOSURE
An attacker reads an asset of which the property confidentiality shall be maintained according to Table 8 and the SSP.

T.MODIFICATION
An attacker writes an asset of which the property integrity shall be maintained according to Table 8 and the SSP.
T.DEPLETION
By consuming resources of which the property availability shall be maintained according to Table 8 and the SSP, an attacker makes these resources unavailable to the TOE itself and/or to non-privileged executables and/or to privileged executables.

T.EXECUTION
An attacker executes a management function of which the property API protection shall be maintained according to Table 8 and the SSP without being authorized to do so.

5.3 Organizational Security Policies

This Security Target defines no organizational security policies.

5.4 Assumptions

A.PRIVILEGED_EXECUTABLES
All privileged executables are approved by the integrator. The integrator thereby takes responsibility that the privileged executables have been developed according to the TOE User Manuals and do not violate the SSP. The integrator takes responsibility not to put privileged executables and non-privileged executables into the same partition.

Application Note 4: The TOE User Manuals provide detailed guidance on secure configuration and usage of the TOE.

A.HARDWARE
The underlying hardware, firmware, and bootloader provide the necessary properties, are working correctly and have no undocumented or unintended security critical side effect on the functions of the TOE. The hardware must fulfill the following requirements, as explained in the TOE User Manuals:

1. Provide CPU(s) with at least two privilege modes ("user" and "supervisor" mode). Only the TOE itself and privileged executables may run in the "supervisor" mode. Non-privileged executables always run in "user mode". In "user mode", only a limited set of instructions is available; in "supervisor mode", all instructions are available.
2. The hardware shall have an MMU which is capable of restricting accesses (e.g. destinations of load and store CPU instructions) of non-privileged executables to certain memory regions. The MMU shall only be configurable from a privileged CPU mode; thus, the policies specifying these access restrictions can only be configured through the TOE. These policies are part of the SSP. During TOE run time, these policies are represented as page tables used by the MMU.
3. The hardware (CPU or CPUs) shall provide instructions to switch between privilege modes and to use the memory management to set up different segments of memory.
4. The hardware (CPU or CPUs) shall allow the TOE to reuse CPU(s) for different non-privileged executables, in a way that there is no residual information flow through CPU registers across a partition boundary.
5. The hardware shall provide default values for security-relevant settings at power-on (e.g. program counter; detailed instructions shall be included in the hardware reference manual). This supports the TOE reaching the initial safe and secure state.
6. If the hardware possesses any other active components beside CPUs, or CPUs have operating mode(s) not under control of the PikeOS Operating System, then the hardware shall provide support either to turn these components completely off or to control them as described in the TOE User Manuals. For example, if a device accessible by non-privileged executables can execute DMA, then all DMA shall be switched off or, in order to control DMA, the hardware shall provide an I/O MMU, with an I/O MMU driver protected by the PikeOS Operating System.

The timer facilities provided by the hardware shall be sufficient for the timing requirements (e.g., timer resolution) of the product based on PikeOS.

The CPU-specific requirements are met by all x86 64-bit, PowerPC, or ARMv8 CPUs specified in the TOE User Manuals for the selected CPU architecture.

A.EXCLUSIVE_RESOURCES
All resources required by the PikeOS Operating System, its privileged executables, and its non-privileged executables are exclusively controlled by the TOE.

A.PHYSICAL
It is assumed that the IT environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE.

A.TRUSTWORTHY_PERSONNEL
The personnel configuring, integrating, and developing the product based on the TOE (integrator) are trustworthy, act according to the TOE User Manuals and are sufficiently qualified for this task.

Application Note 5: The system integration phase (Section 3.4.4.2) can be split into four steps: selection of the TOE operational environment, non-privileged and privileged executables, and deciding on system partitions and normal partitions (Step 1), fusion (Step 2), configuration of the TOE (Step 3), and integration (Step 4). At each step of the system integration phase, the integrator shall follow the TOE User Manuals.

6 Security Objectives

6.1 Security Objectives for the TOE

OT.CONFIDENTIALITY
For each asset, the TOE shall preserve its confidentiality according to Table 8 and the SSP.

OT.INTEGRITY
For each asset, the TOE shall preserve its integrity according to Table 8 and the SSP.
OT.RESOURCE_AVAILABILITY
For resources assigned to partitions and to TSF data, the TOE shall preserve their availability according to Table 8 and the SSP.

Application Note 6: In this ST, availability means that the TOE will provide a specified amount of a resource or ability to use some TOE services. This ST does not consider availability in the sense of physical availability such as tolerance to power failure.

OT.API_PROTECTION
The TSF shall prevent any execution of a management function reserved to privileged executables by non-privileged executables.

6.2 Security Objectives for the Operational Environment

OE.PRIVILEGED_EXECUTABLES
All privileged executables are approved by the integrator. The integrator thereby takes responsibility that the privileged executables have been developed according to the TOE User Manuals and do not violate the SSP.

OE.HARDWARE
The underlying hardware, firmware, and bootloader provide the necessary properties, are working correctly and have no undocumented or unintended security critical side effect on the functions of the TOE. The hardware must fulfill the following requirements, as explained in the TOE User Manuals:

1. Provide CPU(s) with at least two privilege modes ("user" and "supervisor" mode). Only the TOE itself and privileged executables may run in the "supervisor" mode. Non-privileged executables always run in "user mode". In "user mode", only a limited set of instructions is available; in "supervisor mode", all instructions are available.
2. The hardware shall have an MMU which is capable of restricting accesses (e.g. destinations of load and store CPU instructions) of non-privileged executables to certain memory regions. The MMU shall only be configurable from a privileged CPU mode; thus, the policies specifying these access restrictions can only be configured through the TOE. These policies are part of the SSP. During TOE run time, these policies are represented as page tables used by the MMU.
3. The hardware (CPU or CPUs) shall provide instructions to switch between privilege modes and to use the memory management to set up different segments of memory.
4. The hardware (CPU or CPUs) shall allow the TOE to reuse CPU(s) for different non-privileged executables, in a way that there is no residual information flow through CPU registers across a partition boundary.
5. The hardware shall provide default values for security-relevant settings at power-on (e.g. program counter; detailed instructions shall be included in the hardware reference manual). This supports the TOE reaching the initial safe and secure state.
6. If the hardware possesses any other active components beside CPUs, or CPUs have operating mode(s) not under control of the PikeOS Operating System, then the hardware shall provide support either to turn these components completely off or to control them as described in the TOE User Manuals. For example, if a device accessible by non-privileged executables can execute DMA, then all DMA shall be switched off or, in order to control DMA, the hardware shall provide an I/O MMU, with an I/O MMU driver protected by the PikeOS Operating System.

Specific requirements for the x86 64-bit architecture are:
• The processors are operated in 64-bit mode
• AMD64 instruction set architecture
• Non-Execute bit (NX bit) support enabled in the BIOS

Specific requirements for the PowerPC architecture (E500MC, E5500, E6500) are:
• The processors are operated in 32-bit mode
• Memory Management Unit (MMU) with support for virtual memory
• Floating-point unit

Specific requirements for the ARMv8 architecture (Cortex-A35, Cortex-A53, Cortex-A57 and Cortex-A72) are:
• The processors are operated in 64-bit mode
• Memory Management Unit (MMU) with Virtual Memory System Architecture
• Vector Floating Point (VFP) / Advanced SIMD (Neon) extension

The timer facilities provided by the hardware shall be sufficient for the timing requirements (e.g., timer resolution) of the product based on PikeOS.

The CPU-specific requirements are met by all x86 64-bit, PowerPC, or ARMv8 CPUs specified in the TOE User Manuals for the selected CPU architecture.

Application Note 7: Due to imperfections of the underlying hardware platform, the TOE cannot guarantee complete absence of side/covert channels. It is the responsibility of the Integrator to use all security features of the TOE to their full effect and to assess whether the residual risk due to platform vulnerabilities that cannot be mitigated by the TOE is acceptable.

OE.EXCLUSIVE_RESOURCES
All resources required by the PikeOS Operating System, its privileged executables, and its non-privileged executables are exclusively controlled by the TOE.

OE.PHYSICAL
The IT environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE.

OE.TRUSTWORTHY_PERSONNEL
The personnel configuring and integrating the TOE (integrator) and those installing and operating the TOE (system operator) are trustworthy, act according to the TOE User Manuals, and are sufficiently qualified for this task.
6.3 Security Objectives Rationale

The following table provides an overview of security objectives coverage (TOE and its environment) and also gives evidence for the sufficiency and necessity of the defined objectives. It shows that all threats and OSPs are addressed by the security objectives, and that all assumptions are addressed by the security objectives for the TOE operational environment.

Threat / Assumption          Addressed by
T.DISCLOSURE                 OT.CONFIDENTIALITY
T.MODIFICATION               OT.INTEGRITY
T.DEPLETION                  OT.RESOURCE_AVAILABILITY
T.EXECUTION                  OT.API_PROTECTION
A.PRIVILEGED_EXECUTABLES     OE.PRIVILEGED_EXECUTABLES
A.HARDWARE                   OE.HARDWARE
A.EXCLUSIVE_RESOURCES        OE.EXCLUSIVE_RESOURCES
A.PHYSICAL                   OE.PHYSICAL
A.TRUSTWORTHY_PERSONNEL      OE.TRUSTWORTHY_PERSONNEL
Table 9: Security Objectives Rationale

The justification required for the suitability of the security objectives to cope with the security problem definition is given below:

6.3.1 Security Objectives Rationale: Threats

6.3.1.1 Threat: T.DISCLOSURE
If the security objective OT.CONFIDENTIALITY has been reached, the threat T.DISCLOSURE is completely eliminated.

6.3.1.2 Threat: T.MODIFICATION
If the security objective OT.INTEGRITY has been reached, the threat T.MODIFICATION is completely eliminated.

6.3.1.3 Threat: T.DEPLETION
If the security objective OT.RESOURCE_AVAILABILITY has been reached, the threat T.DEPLETION is completely eliminated.

6.3.1.4 Threat: T.EXECUTION
If the security objective OT.API_PROTECTION has been reached, the threat T.EXECUTION is completely eliminated.

6.3.2 Security Objective Rationale: Assumptions

Each security assumption in this Security Target is addressed by at least one security objective for the operational environment. This section maps assumptions to environmental security objectives and provides a rationale for how each assumption is fulfilled.

6.3.2.1 Assumption: A.PRIVILEGED_EXECUTABLES
OE.PRIVILEGED_EXECUTABLES directly upholds A.PRIVILEGED_EXECUTABLES.

6.3.2.2 Assumption: A.HARDWARE
OE.HARDWARE directly upholds A.HARDWARE.

6.3.2.3 Assumption: A.EXCLUSIVE_RESOURCES
OE.EXCLUSIVE_RESOURCES directly upholds A.EXCLUSIVE_RESOURCES.

6.3.2.4 Assumption: A.PHYSICAL
OE.PHYSICAL directly upholds A.PHYSICAL.

6.3.2.5 Assumption: A.TRUSTWORTHY_PERSONNEL
OE.TRUSTWORTHY_PERSONNEL directly upholds A.TRUSTWORTHY_PERSONNEL.

7 Extended Components Definition

This Security Target does not include any extended components.
8 Security Requirements

This section defines the security functional requirements (SFRs) and security assurance requirements (SARs) which apply to the TOE.

8.1 Security Functional Requirements

We perform assignment, selection, and refinement of the SFRs provided by the CC. The assignment operation is marked by square brackets "[ ]". The selection operation is marked in italics. In a refinement operation, added text is underlined and removed text is crossed out. The iteration operation is used when a component is repeated on varying assets. Iteration is denoted by showing a slash ("/") and the iteration indicator after the component identifier. For example, FDP_ACF.1/CPA indicates an iteration of FDP_ACF.1 on ’communication port access’. Iterations applied to assets follow the order of Table 8 in Section 5.1 (Assets).

Where sentences are grouped by having the same indentation level, the terms "OR" and "AND" in uppercase are used to indicate their logical relation.

Configuration XML elements, attributes, and values are denoted in . These configuration elements, attributes, and values have speaking names, and when the configuration maintains a list of elements, then this list is referred to in the configuration as . For a detailed explanation of how to use the configuration to configure the TOE, see the TOE User Manuals.

All symbols beginning with "p4_" or "vm_" are API symbols that the TOE provides to applications. In this ST, we list only those symbols that trigger a system call and are not convenience user space wrappers for other calls. See the TOE User Manuals for details.

Application Note 8: The SSP is a subset of the VMIT configured by the integrator. The SFP is a set of rules that are parameterized by the SSP. These rules are fixed in the implementation of the TSF. Thus, the behavior of a product based on PikeOS depends on the SFP and the SSP. In the following, the SFP is split up into sub-SFPs as follows:
• memory access control policy (MA)
• file access control policy (FA)
• communication port access control policy (CPA)
• interrupt access control policy (IA)
• PSP-specific services access control policy (PSA)
• CPU core access policy (CCA)
• IPC and event communication policy (IEC)

Application Note 9: In this ST, the term subject is used for a thread in a partition, for an application, or for a partition as a whole, depending on the context. In the running TOE, the entity executing application code is a TOE thread. In a partition there can be multiple threads, and each thread is uniquely assigned to its partition. Since this ST works on security policies at partition level, we abstract all threads in one partition to the partition subject.

8.1.1 User Data Protection (FDP)

8.1.1.1 FDP_ACC.2/MA Complete Access Control - Memory Access

FDP_ACC.2.1/MA: The TSF shall enforce the [memory access control policy] on [subjects: partitions, objects: memory] and all operations among subjects and objects covered by the SFP.
FDP_ACC.2.2/MA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

Application Note 10: The TSF initializes the MMU of the CPU and sets up page tables in the memory allocated to the TSF to enforce this policy.

8.1.1.2 FDP_ACF.1/MA Security Attribute Based Access Control - Memory Access

FDP_ACF.1.1/MA: The TSF shall enforce the [memory access control policy] to objects based on the following [subjects: partitions, objects: memory areas, security attributes: partition ID, attributes defined for the memory area].

FDP_ACF.1.2/MA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [

Access to physical memory M of type , , , or is allowed to a subject in PA if:

    M is specified in a MR in the contained within PA
    AND
    there is a MA in the contained within the subject’s which refers to MR
    AND
    the access operation is read or write or execute and the access mode of both MR and MA matches for read, for write, and for execute correspondingly
  OR
    M is specified in a MR in the contained within PA and the attribute of M is set to
    AND
    a subject in PA has obtained a memory descriptor MD (vm_mem_lookup) and has successfully performed a memory mapping (vm_mem_pool_alloc) operation with MD
    AND
    the access operation is read or write or execute and the access mode of MR matches for read, for write, and for execute correspondingly
  OR
    M is in the text segment of an ELF file referenced in a element in the contained in a of the of PA and the attribute is set to
    AND
    the access operation is read or execute
  OR
    M is specified in a property file system node PN where the attribute specifies access mode AM
    AND
    the element of PA has an element of type where the attribute includes and the attribute matches the PN
    AND
    a subject in PA has successfully performed an open operation (vm_open) on the property node name PN with access flags including , resulting in a file descriptor FD
    AND
    a subject in PA has successfully performed a property memory mapping (vm_prop_mem_map) operation with the file descriptor FD
    AND
    the access operation is read or write or execute and compatible with AM
  OR
    M is specified in a property file system node PN
    AND
    the element of PA has an element of type where the attribute is AM and the attribute matches the PN
    AND
    a subject in PA has successfully performed an open operation (vm_open) on the property node name PN with access flags including and access flags being a subset of AM, resulting in a file descriptor FD
    AND
    a subject in PA has successfully performed a property I/O port mapping (vm_prop_ioport_map) operation with the file descriptor FD
    AND
    the access operation is read or write
  OR
    M has been received via mapping IPC (p4_ipc) with the requested access mode allowing to read or write M
    AND
    the access operation is read or write respectively
  OR
    M is the storage location of a file F that has been memory-mapped via vm_map with access mode MAM
    AND
    there is a entry with a referring to F in the list contained within PA
    AND
    F is successfully opened (vm_open) according to FDP_ACF.1.2/FA with an access mode AM including and being a superset of MAM
    AND
    the access operation is read or write or execute and MAM matches for read, for write, and for execute correspondingly
  OR
    M is part of a memory page that the TSF has mapped in read-only access mode to all partitions ("kernel info page")
    AND
    the access operation is read
].
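The first disjunct of FDP_ACF.1.2/MA and the final "kernel info page" disjunct can be modelled directly, which also makes the split of Application Note 8 concrete: the rules are fixed in code while the memory requirements (MR) and memory accesses (MA) are data supplied by the configuration. The following model is an added example, not code from the Security Target or from PikeOS; the class names MemoryRequirement, MemoryAccess and Partition, the constant KERNEL_INFO_PAGE, the sample addresses and the two sample partitions are constructed for illustration and are not the VMIT element names. The dynamic disjuncts (memory pool, property nodes, mapping IPC, vm_map) are not modelled.

```python
"""Model of the memory access control policy (FDP_ACF.1.2/MA), first and last disjunct.

Added example, not from the Security Target or from PikeOS. All names and
addresses below are constructed for illustration."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class MemoryRequirement:
    """MR: a physical range the integrator grants to a partition, with its access modes."""
    name: str
    start: int
    size: int
    modes: frozenset

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


@dataclass(frozen=True)
class MemoryAccess:
    """MA: a mapping held by a subject; it refers to an MR by name and carries its own modes."""
    requirement: str
    modes: frozenset


@dataclass(frozen=True)
class Partition:
    """PA: the MRs granted to the partition and the MAs its subjects hold."""
    name: str
    requirements: tuple
    accesses: tuple


# Constructed: the page the TSF maps read-only into every partition ("kernel info page").
KERNEL_INFO_PAGE = (0x7FFF_0000, 0x1000)


def access_allowed(pa: Partition, addr: int, op: str) -> bool:
    """Decide whether a subject in partition pa may perform op on physical address addr.

    Disjunct 1: addr lies in an MR of pa, an MA of pa refers to that MR, and op is in the
    modes of both MR and MA. Last disjunct: the kernel info page is readable by everyone."""
    mrs = {mr.name: mr for mr in pa.requirements}
    for ma in pa.accesses:
        mr = mrs.get(ma.requirement)
        if mr is None or not mr.contains(addr):
            continue                     # an MA without a matching MR in pa grants nothing
        if op in mr.modes and op in ma.modes:
            return True                  # the mode is granted by MR *and* MA
    start, size = KERNEL_INFO_PAGE
    return start <= addr < start + size and op == READ


def effective_mappings(pa: Partition):
    """The page-table view of the policy: each MA yields its MR's range with the
    intersection of MR and MA modes; modes the MA asks for but the MR lacks are dropped."""
    mrs = {mr.name: mr for mr in pa.requirements}
    return [(mrs[ma.requirement].start, mrs[ma.requirement].size,
             frozenset(mrs[ma.requirement].modes & ma.modes))
            for ma in pa.accesses if ma.requirement in mrs]


# Constructed sample SSP: two partitions that share nothing except the info page.
PART_A = Partition(
    "A",
    requirements=(MemoryRequirement("ram_a", 0x2000_0000, 0x1_0000, frozenset({READ, WRITE})),
                  MemoryRequirement("uart", 0x4000_0000, 0x1000, frozenset({READ, WRITE}))),
    accesses=(MemoryAccess("ram_a", frozenset({READ, WRITE, EXECUTE})),  # EXECUTE not in the MR
              MemoryAccess("uart", frozenset({READ}))))                   # MA narrower than the MR
PART_B = Partition(
    "B",
    requirements=(MemoryRequirement("ram_b", 0x3000_0000, 0x1_0000,
                                    frozenset({READ, WRITE, EXECUTE})),),
    accesses=(MemoryAccess("ram_b", frozenset({READ, WRITE, EXECUTE})),
              MemoryAccess("ram_a", frozenset({READ}))))   # refers to an MR B was never granted

if __name__ == "__main__":
    for pa in (PART_A, PART_B):
        print(pa.name, effective_mappings(pa))
        for addr in (0x2000_0100, 0x4000_0010, 0x3000_0000, 0x7FFF_0010):
            print(f"  {addr:#x}", {op: access_allowed(pa, addr, op) for op in (READ, WRITE, EXECUTE)})
```

Two points the rule text states but a reader may miss come out of the sample data: an MA can only narrow, never widen, what its MR grants (partition A cannot execute in ram_a), and an MA that names an MR the partition does not hold is inert (partition B's "ram_a" access grants nothing).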
FDP_ACF.1.3/MA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4/MA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none].

Application Note 11: The operations on I/O ports are available only for the x86 platform. The TSF on x86 configures the CPU’s I/O port unit.

Application Note 12: The memory pool can be used by a partition in three ways: (1) an application in a partition uses memory allocation service calls (e.g. vm_mem_pool_alloc) to get memory from the pool; (2) the application ELF file is mapped to the memory allocated from the pool during partition initialization, if it is specified in the VMIT; (3) memory is mapped from the pool to the partition during partition initialization, if it is specified in the VMIT.

Application Note 13: Shared memory in the TOE is implemented as files provided by the internal file provider shm. Shared memories are specified in the and are processed in the same way as the disjunction for the case vm_map.

8.1.1.3 FDP_ACC.2/FA Complete Access Control - File Access

FDP_ACC.2.1/FA: The TSF shall enforce the [file access control policy] on [subjects: partitions, objects: files] and all operations among subjects and objects covered by the SFP.

FDP_ACC.2.2/FA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

8.1.1.4 FDP_ACF.1/FA Security Attribute Based Access Control - File Access

FDP_ACF.1.1/FA: The TSF shall enforce the [file access control policy] to objects based on the following: [subjects: partitions, objects: files, security attributes: partition ID, attributes defined for the files in the configuration element of the partition in the VMIT].
FDP_ACF.1.2/FA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [
• an open operation (vm_open) on any file F provided by a built-in file provider, external file provider, system extension or kernel device driver to PA is allowed if: the element of PA has an element of type where attribute matches F AND the access flags provided as an argument to the vm_open operation are a subset of element for file F
• a mount operation (vm_mount) on any volume V to PA is allowed if: the element of PA has an element of type where attribute matches V and contains flag AND the access flags provided as an argument to the vm_mount operation are a subset of element for the volume V
• a status request operation (vm_stat) on any file F provided by a built-in file provider, external file provider, system extension or kernel device driver to PA is allowed if: the element of PA has an element of type where attribute matches F
• an access operation (vm_close, vm_fstat, vm_fsync, vm_ioctl, vm_lseek, vm_map, vm_prop_read, vm_prop_write, vm_read, vm_read_at, vm_discard_at, vm_test, vm_write, vm_write_at) on file F provided by a built-in file provider, system extension or kernel device driver to PA is allowed if: (
the file has been successfully opened before with the access flags including and the access operation is vm_read, vm_read_at, or vm_prop_read
OR the file has been successfully opened before with the access flags including and the access operation is vm_write, vm_write_at, or vm_prop_write
OR the file has been successfully opened before with the access flags including and the access operation is vm_map
OR the file has been successfully opened before with the access flags including or and the access operation is vm_lseek
OR the file has been successfully opened before and the operation is vm_close, vm_fstat, vm_fsync, vm_ioctl, vm_test, vm_discard_at
) ].

Application Note 14: Files can be provided by built-in file providers, system extensions, kernel device drivers, external file providers, or volume providers. An access operation on a file provided by a built-in file provider is implemented by the TSF itself. An access operation on a file provided by a system extension or kernel device driver is, after validating the file descriptor and performing the check described in FDP_ACF.1.2/FA, forwarded directly by the TSF to the corresponding function of the system extension or kernel device driver. An access operation on a file provided by an external file provider is implemented as a direct IPC to the file provider. See FDP_IFC.2 and FDP_IFF.1. An open, status request or access operation on a file provided by a volume file provider is implemented as a direct IPC to the volume provider. See FDP_IFC.2 and FDP_IFF.1.

FDP_ACF.1.3/FA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4/FA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none].
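To make the file access rules of FDP_ACF.1.2/FA and the memory-mapped-file branch of FDP_ACF.1.2/MA concrete, the following is an added reference model of the decision logic; it is an illustration written for this page, not SYSGO code and not part of the ST. Because the VMIT element, attribute and flag names are elided in this text, the flag names READ/WRITE/MAP/EXEC, the assumption that vm_lseek needs read or write, the file paths and the descriptor numbering are all placeholders.

```python
"""Reference model of the PikeOS file access control policy (FDP_ACF.1.2/FA) and
of the memory-mapped-file branch of FDP_ACF.1.2/MA, as stated in the Security
Target.  Added illustration, not SYSGO code.  The VMIT attribute and flag names
are elided in the extracted text, so READ/WRITE/MAP/EXEC are assumed names."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE, MAP, EXEC = "read", "write", "map", "exec"

# Open flags an already-opened descriptor must carry for each access operation
# (last bullet of FDP_ACF.1.2/FA).  An empty set means any valid descriptor
# suffices.  vm_lseek is handled separately: it needs READ or WRITE (assumed).
NEEDS: dict[str, frozenset] = {
    "vm_read": frozenset({READ}), "vm_read_at": frozenset({READ}),
    "vm_prop_read": frozenset({READ}),
    "vm_write": frozenset({WRITE}), "vm_write_at": frozenset({WRITE}),
    "vm_prop_write": frozenset({WRITE}),
    "vm_map": frozenset({MAP}),
    "vm_close": frozenset(), "vm_fstat": frozenset(), "vm_fsync": frozenset(),
    "vm_ioctl": frozenset(), "vm_test": frozenset(), "vm_discard_at": frozenset(),
}


@dataclass
class Partition:
    """Subject PA together with the part of the SSP that concerns it."""
    pid: int
    # File whitelist from the partition's VMIT configuration: name -> allowed
    # flags.  A file that is not listed has no attribute, so the default is deny.
    files: dict[str, frozenset]
    fds: dict[int, tuple[str, frozenset]] = field(default_factory=dict)  # FD -> (F, AM)
    maps: dict[int, frozenset] = field(default_factory=dict)             # region -> MAM


def vm_open(pa: Partition, name: str, flags: set) -> Optional[int]:
    """First FA bullet: opening F is allowed iff F is listed for PA and the
    requested flags are a subset of the configured flags.  Returns an FD or
    None when the policy denies the open."""
    allowed = pa.files.get(name)
    if allowed is None or not frozenset(flags) <= allowed:
        return None
    fd = len(pa.fds) + 1               # constructed FD numbering for the model
    pa.fds[fd] = (name, frozenset(flags))
    return fd


def file_access_allowed(pa: Partition, fd: int, op: str) -> bool:
    """Last FA bullet: an access operation on an opened file is allowed only
    if the descriptor was opened with the flags that operation requires."""
    entry = pa.fds.get(fd)
    if entry is None:                  # never opened: deny
        return False
    _, am = entry
    if op == "vm_lseek":
        return bool(am & {READ, WRITE})
    need = NEEDS.get(op)
    if need is None:                   # operation not covered by the rule: deny
        return False
    return need <= am


def vm_map(pa: Partition, fd: int, mam: set, region: int) -> bool:
    """FDP_ACF.1.2/MA, memory-mapped file branch: mapping is allowed iff the
    descriptor was opened according to FA with the map flag and AM is a
    superset of the requested mapping access mode MAM."""
    if not file_access_allowed(pa, fd, "vm_map"):
        return False
    _, am = pa.fds[fd]
    if not frozenset(mam) <= am:
        return False
    pa.maps[region] = frozenset(mam)
    return True


def memory_access_allowed(pa: Partition, region: int, access: str) -> bool:
    """Read/write/execute on a mapped region is allowed iff MAM carries the
    matching mode; an unmapped region is always denied."""
    mam = pa.maps.get(region)
    return mam is not None and access in mam


def example_partition() -> Partition:
    """Constructed sample configuration (not taken from the ST)."""
    return Partition(pid=1, files={
        "/dev/cfg": frozenset({READ, WRITE, MAP}),
        "/dev/log": frozenset({WRITE}),
    })


if __name__ == "__main__":
    pa = example_partition()
    fd = vm_open(pa, "/dev/cfg", {READ, MAP})
    print("vm_open /dev/cfg {read,map} ->", fd)
    print("vm_read  ->", file_access_allowed(pa, fd, "vm_read"))
    print("vm_write ->", file_access_allowed(pa, fd, "vm_write"))
    print("vm_open unlisted file ->", vm_open(pa, "/dev/secret", {READ}))
    print("vm_map {read} ->", vm_map(pa, fd, {READ}, 0x1000))
    print("write to mapped region ->", memory_access_allowed(pa, 0x1000, WRITE))
```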
8.1.1.5 FDP_ACC.2/CPA Complete Access Control - Communication Port Access

FDP_ACC.2.1/CPA: The TSF shall enforce the [communication port access control policy] on [subjects: partitions, objects: communication ports] and all operations among subjects and objects covered by the SFP.

FDP_ACC.2.2/CPA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

8.1.1.6 FDP_ACF.1/CPA Security Attribute Based Access Control - Communication Port Access

FDP_ACF.1.1/CPA: The TSF shall enforce the [communication port access control policy] to objects based on the following: [subjects: partitions, objects: communication ports, security attributes: partition ID, port attribute in the VMIT, configuration elements in the VMIT].

FDP_ACF.1.2/CPA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [
• an open operation (vm_qport_open, vm_sport_open) on port PO is allowed to PA if: the element of PA has an element of type where attribute equals PO or the of PA has an element of type where attribute equals PO AND the argument direction to the open (vm_qport_open, vm_sport_open) operation is equal to the attribute of the PO
• a status request operation (vm_qport_iterate, vm_qport_stat, vm_sport_iterate, vm_sport_stat) on port PO is allowed to PA if: the element of PA has an element of type where attribute equals PO or the of PA has an element of type where attribute equals PO
• an access operation on port PO successfully opened by PA is allowed if: (
the operation is read (vm_qport_read, vm_qport_read_routed, vm_sport_read, vm_sport_read_at) and the port PO was successfully opened with destination direction
OR the operation is write (vm_qport_write, vm_qport_write_routed, vm_sport_write) and the port was successfully opened with destination direction
OR all other access operations (vm_qport_clear, vm_qport_close, vm_qport_control, vm_qport_pstat, vm_qport_pstat_routed, vm_qport_psync, vm_qport_test, vm_sport_clear, vm_sport_close, vm_sport_control, vm_sport_pstat, vm_sport_psync, vm_sport_test) on ports are allowed
) ].
FDP_ACF.1.3/CPA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4/CPA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none].

8.1.1.7 FDP_ACC.2/IA Complete Access Control - Interrupt Access

FDP_ACC.2.1/IA: The TSF shall enforce the [interrupt access control policy] on [subjects: partitions, objects: interrupts] and all operations among subjects and objects covered by the SFP.

FDP_ACC.2.2/IA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

8.1.1.8 FDP_ACF.1/IA Security Attribute Based Access Control - Interrupt Access

FDP_ACF.1.1/IA: The TSF shall enforce the [interrupt access control policy] to objects based on the following: [subjects: partitions, objects: interrupts, security attributes: partition ID, attributes defined for files in the configuration element of the partition in the VMIT].

FDP_ACF.1.2/IA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [
The operation p4_int_attach_syscall of attaching to interrupt IN (i.e., to have an interrupt handler invoked when interrupt IN is triggered) is allowed to a subject in PA if: IN is specified in a property file system node PN AND the element of PA has an element of type where the attribute matches PN and attribute AM AND a subject in PA has successfully performed an open operation (vm_open) on the property node PN with access flags including and being a subset of AM, resulting in file descriptor FD AND a subject in PA has successfully performed vm_prop_int_grant with the file descriptor FD, giving a valid interrupt number IN ].

FDP_ACF.1.3/IA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4/IA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none].

8.1.1.9 FDP_ACC.2/PSA Complete Access Control - PSP-Specific Services Access

FDP_ACC.2.1/PSA: The TSF shall enforce the [PSP-specific services access control policy] on [subjects: partitions, objects: PSP-specific services] and all operations among subjects and objects covered by the SFP.

FDP_ACC.2.2/PSA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

8.1.1.10 FDP_ACF.1/PSA Security Attribute Based Access Control - PSP-Specific Services Access

FDP_ACF.1.1/PSA: The TSF shall enforce the [PSP-specific services access control policy] to objects based on the following: [subjects: partitions, objects: interrupts, security attributes: partition ID, attributes defined for files in the configuration element of the partition in the VMIT].
FDP_ACF.1.2/PSA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [
The operation of invoking a PSP-specific service PS (p4_dev_call) is allowed to a subject in PA if: PS is specified in a property file system node PN AND the element of PA has an element of type where the attribute matches the PN and attribute AM AND a subject in PA has successfully performed an open operation (vm_open) on the property node PN with access flags including and being a subset of AM, resulting in file descriptor FD AND a subject in partition PA has successfully performed vm_prop_dev_grant with the file descriptor FD, giving access to the PSP-specific service PS ].

FDP_ACF.1.3/PSA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4/PSA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none].

8.1.1.11 FDP_ACC.2/CCA Complete Access Control - CPU Core Access

FDP_ACC.2.1/CCA: The TSF shall enforce the [CPU core access control policy] on [subjects: partitions, objects: CPU cores] and all operations among subjects and objects covered by the SFP.

FDP_ACC.2.2/CCA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.
8.1.1.12 FDP_ACF.1/CCA Security Attribute Based Access Control - CPU Core Access

FDP_ACF.1.1/CCA: The TSF shall enforce the [CPU core access control policy] to objects based on the following: [subjects: partitions, objects: CPU cores, security attributes: partition ID, CPU cores in the configuration element of the partition in the VMIT].

FDP_ACF.1.2/CCA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [
The PA can run a thread on CPU core C if the element of PA has set the Cth bit in the . ].

FDP_ACF.1.3/CCA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4/CCA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none].

8.1.1.13 FDP_IFC.2 Complete Information Flow Control

FDP_IFC.2.1: The TSF shall enforce the [IPC and event communication policy] on [all subjects: partitions] and all operations that cause that information to flow to and from subjects covered by the SFP.

FDP_IFC.2.2: The TSF shall ensure that all operations that cause any information in the TOE to flow to and from any subject in the TOE are covered by an information flow control SFP.
8.1.1.14 FDP_IFF.1 Simple Security Attributes

FDP_IFF.1.1: The TSF shall enforce the [IPC and event communication policy] based on the following types of subject and information security attributes: [
• subject identity: thread ID
• information security attributes: file access permissions to a file marked with attribute or
].

FDP_IFF.1.2: The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
The operation signal event (p4_ev_signal) or send IPC (p4_ipc), from a thread in PA1 to a subject in PA2 or vice versa, is allowed if:
the VMIT specifies that PA1 provides a file F with attribute AND the of PA2 has an element of type where attribute is AM and attribute matches F AND PA1 has successfully registered the file provider (vm_fp_register) with the TOE AND a subject in PA2 has successfully performed an open operation (vm_open) on file F with access flags being a subset of AM
OR the VMIT specifies that PA1 provides a volume V with attribute AND the of PA2 has an element of type where is AM and contains and attribute matches V AND PA1 has successfully registered the volume provider (vm_vp_register) with the TOE AND a subject in PA2 has successfully performed a mount operation (vm_mount) on V with access flags being a subset of AM
].

FDP_IFF.1.3: The TSF shall enforce the [additional information flow rules: none].
FDP_IFF.1.4: The TSF shall explicitly authorize an information flow based on the following rules: [none].

FDP_IFF.1.5: The TSF shall explicitly deny an information flow based on the following rules: [none].

8.1.2 Identification and Authentication (FIA)

8.1.2.1 FIA_UID.2 User Identification

FIA_UID.2.1: The TSF shall require each user partition to be successfully identified before allowing any other TSF-mediated actions on behalf of that user partition.

Application Note 15: A "user" of the TOE is a partition.

8.1.3 Security Management (FMT)

8.1.3.1 FMT_MSA.1 Management of Security Attributes

FMT_MSA.1.1: The TSF shall enforce the [IPC and event communication policy, memory access control policy, file access control policy, communication port access control policy, PSP-specific services access control policy, interrupt access control policy, CPU core access control policy] to restrict the ability to [write] the security attributes [specified in the VMIT and property file system] to [system partitions].

8.1.3.2 FMT_MSA.3 Static Policy Attribute Initialization

FMT_MSA.3.1: The TSF shall enforce the [IPC and event communication policy, memory access control policy, file access control policy, communication port access control policy, PSP-specific services access control policy, interrupt access control policy, CPU core access control policy] to provide [restrictive or integrator-defined] default values for security attributes that are used to enforce the SFP.
Application Note 16: The integrator defines the VMIT. The VMIT is used by the TSF as the source of initial SSP values. If an attribute is not defined by the integrator in the VMIT for a subject, then the default is to deny any operations involving this attribute, i.e. a whitelist security policy is implemented. This behavior is specified in FMT_MSA.3.1 as "restrictive default values". Attributes with integrator-defined values in the VMIT are also initial values for the TSF. This behavior is specified in FMT_MSA.3.1 as "integrator-defined default values".

FMT_MSA.3.2: The TSF shall allow [no one] to specify alternative initial values to override the default values when an object or information is created.

Application Note 17: The TSF does not have any functionality for specifying alternative initial values to override the default values.

8.1.3.3 FMT_MTD.1/SYS Management of TSF Data - System Partition API

FMT_MTD.1.1/SYS: The TSF shall restrict the ability to [invoke] the [System Partition API] to [system partitions].

Application Note 18: The complete definition of the System Partition API is given in the TOE User Manuals.

8.1.3.4 FMT_MTD.1/TASK Management of TSF Data - Tasks

FMT_MTD.1.1/TASK: The TSF shall restrict the ability to [
• activate (p4_task_activate)
• terminate (p4_task_terminate)
• modify (p4_comm_grant, p4_comm_link, p4_dev_grant, p4_dev_link, p4_int_grant, p4_int_link, p4_task_start, p4_task_donate, p4_task_hm_register, p4_task_hm_wait, p4_task_hm_wake)
• read (p4_task_get_attr)
] the [tasks] to [the owning partition or system partitions].

Application Note 19: Tasks are also TSF data. A partition owns a task if the task is assigned to it by the integrator in the VMIT.

8.1.3.5 FMT_MTD.1/THR Management of TSF Data - Threads

FMT_MTD.1.1/THR: The TSF shall restrict the ability to [
• create (p4_thread_create_syscall)
• delete (p4_thread_delete)
• modify (p4_fast_set_prio_syscall, p4_thread_alarm_syscall, p4_thread_ex_affinity, p4_thread_ex_exh, p4_thread_ex_regs, p4_thread_ex_sched_syscall, p4_thread_except, p4_thread_preempt, p4_thread_resume, p4_thread_set_regs, p4_thread_stop_syscall, p4_sysemu_enter, p4_thread_yield)
• read (p4_fast_get_prio_syscall, p4_my_cpuid_syscall, p4_my_timepart_syscall, p4_my_uid_syscall, p4_thread_get_attr, p4_thread_get_regs)
] the [threads] to [the owning partition or system partitions].

Application Note 20: Threads are also TSF data. A partition owns a thread if the thread is created by one of its applications.

8.1.3.6 FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1: The TSF shall be capable of performing the following management functions: [
• thread management
• task management
• TOE management (System Partition API)
].

8.1.3.7 FMT_SMR.1 Security Roles

FMT_SMR.1.1: The TSF shall maintain the roles: [
• "system partition" and
• "normal partition"
].

FMT_SMR.1.2: The TSF shall be able to associate user partitions with roles.

Application Note 21: The TSF supports roles at partition granularity.

8.1.4 Resource Utilization (FRU)

8.1.4.1 FRU_RSA.2/MEM Minimum and Maximum Quotas - Memory

FRU_RSA.2.1/MEM: The TSF shall enforce maximum quotas of the following resources: [
System memory: the maximum amount of system memory is the sum of the sizes of elements of type with attribute set to or of type assigned to that partition in the VMIT
] that subjects, which are the non-privileged executables in a normal partition, can use simultaneously.

FRU_RSA.2.2/MEM: The TSF shall ensure the provision of minimum quantity of each: [
System memory: the minimum amount of system memory is the sum of the sizes of all elements of type with attribute set to or of type assigned to that partition in the VMIT
] that is available for subjects, which are the non-privileged executables in a normal partition, to use simultaneously.
Application Note 22: In contrast to FDP_ACF.1/MA, FRU_RSA.2.1/MEM only considers memory that is dynamically allocated to the subjects based on a SSP-defined quota and the enforcement of that quota by the TSF.

8.1.4.2 FRU_RSA.2/TIME Minimum and Maximum Quotas - Processing Time

FRU_RSA.2.1/TIME: The TSF shall enforce maximum quotas of the following resources: [
Processing time: the maximum amount of CPU processing time is the sum of the attributes of assigned elements of its in the VMIT
] that subjects, which are the non-privileged executables in a normal partition, can use over a specified period of time.

FRU_RSA.2.2/TIME: The TSF shall ensure the provision of minimum quantity of each: [
Processing time: if time windows are assigned to a partition exclusively, the minimum amount of CPU processing time is the sum of the attributes of assigned elements of its in the VMIT
] that is available for subjects, which are the non-privileged executables in a normal partition, to use over a specified period of time.

Application Note 23: The "specified period of time" is the sum of the attributes of all elements of the . The schedule scheme is repeated with cyclic periodicity.

Application Note 24: If a window is assigned to more than one partition, i.e. the window is not assigned exclusively, the integrator can use the attributes for partitions sharing the window to set up a sharing scheme for the CPU processing time within that window.
8.2 Security Assurance Requirements

This ST claims conformance to the assurance level EAL 5 augmented with ALC_FLR.3, ADV_IMP.2, ALC_DVS.2, AVA_VAN.5, and ALC_CMC.5.

8.3 Security Requirements Rationale

The following table provides an overview of security functional requirement coverage, also giving evidence for the sufficiency and necessity of the SFRs chosen.

SFR            | OT.CONFIDENTIALITY | OT.INTEGRITY | OT.RESOURCE_AVAILABILITY | OT.API_PROTECTION
FDP_ACC.2/MA   | X | X |   | X
FDP_ACF.1/MA   | X | X |   | X
FDP_ACC.2/FA   | X | X |   |
FDP_ACF.1/FA   | X | X |   |
FDP_ACC.2/CPA  | X | X |   |
FDP_ACF.1/CPA  | X | X |   |
FDP_ACC.2/IA   | X | X |   |
FDP_ACF.1/IA   | X | X |   |
FDP_ACC.2/PSA  | X | X |   |
FDP_ACF.1/PSA  | X | X |   |
FDP_ACC.2/CCA  | X | X |   |
FDP_ACF.1/CCA  | X | X |   |
FDP_IFC.2      | X |   |   |
FDP_IFF.1      | X |   |   |
FIA_UID.2      | X | X |   |
FMT_MSA.1      | X | X |   |
FMT_MSA.3      | X | X |   |
FMT_MTD.1/SYS  |   |   |   | X
FMT_MTD.1/TASK |   |   |   | X
FMT_MTD.1/THR  |   |   |   | X
FMT_SMF.1      |   |   |   | X
FMT_SMR.1      | X | X |   |
FRU_RSA.2/MEM  | X |   | X |
FRU_RSA.2/TIME | X |   | X |

Table 10: Coverage of Security Objectives for the TOE by SFR. "X" marks where a dependency to an objective exists.

8.3.1 Security Objective: OT.CONFIDENTIALITY

For all assets, the operations of non-privileged executables are controlled by the TSF:
• For the asset AS.MEM the SFRs FDP_ACC.2/MA and FDP_ACF.1/MA ensure that non-privileged executables can only access memory (AS.MEM) according to the SSP.
• For the asset AS.FILE the SFRs FDP_ACC.2/FA and FDP_ACF.1/FA ensure that non-privileged executables can only access files (AS.FILE) according to the SSP.
• For the asset AS.PORT the SFRs FDP_ACC.2/CPA and FDP_ACF.1/CPA ensure that non-privileged executables can only access communication ports (AS.PORT) according to the SSP.
• For the asset AS.INT the SFRs FDP_ACC.2/IA and FDP_ACF.1/IA ensure that non-privileged executables can only access interrupts (AS.INT) according to the SSP.
• For the asset AS.PS the SFRs FDP_ACC.2/PSA and FDP_ACF.1/PSA ensure that non-privileged executables can only access PSP-specific services (AS.PSA) according to the SSP.
• For the asset AS.CORE the SFRs FDP_ACC.2/CCA and FDP_ACF.1/CCA ensure that non-privileged executables can only access CPU cores (AS.CORE) according to the SSP.
• For the asset AS.TSF_DATA, the TSF configures the MMU to disallow non-privileged executables to access the memory of any of these other assets (i.e., the memory used for AS.TASK, AS.TSF_DATA and AS.THR). The TSF data also includes all security attributes that the TSF uses to manage any asset (e.g. security attributes for file access rights or the schedule schemes used for assignment of CPU processing time).

FIA_UID.2 ensures that partitions are identified; FMT_SMR.1 provides security roles to partitions. FMT_MSA.1 restricts the ability to write the security attributes specified in the VMIT and the property file system to system partitions. FMT_MSA.3 provides restrictive or integrator-defined default values for security attributes.

FDP_IFF.1 and FDP_IFC.2 ensure that IPC and event communication information flows originating from non-privileged executables are restricted to the information flows allowed according to the SSP. FRU_RSA.2/MEM ensures that no information flow against the SSP can be initiated by memory depletion. FRU_RSA.2/TIME ensures that no information flow against the SSP can be initiated by CPU processing time depletion.

8.3.2 Security Objective: OT.INTEGRITY

For all assets, the operations of non-privileged executables are controlled by the TSF:
• For the asset AS.MEM the SFRs FDP_ACC.2/MA and FDP_ACF.1/MA ensure that non-privileged executables can only access memory (AS.MEM) according to the SSP.
• For the asset AS.FILE the SFRs FDP_ACC.2/FA and FDP_ACF.1/FA ensure that non-privileged executables can only access files (AS.FILE) according to the SSP.
• For the asset AS.PORT the SFRs FDP_ACC.2/CPA and FDP_ACF.1/CPA ensure that non-privileged executables can only access communication ports (AS.PORT) according to the SSP.
• For the asset AS.INT the SFRs FDP_ACC.2/IA and FDP_ACF.1/IA ensure that non-privileged executables can only access interrupts (AS.INT) according to the SSP.
• For the asset AS.PS the SFRs FDP_ACC.2/PSA and FDP_ACF.1/PSA ensure that non-privileged executables can only access PSP-specific services (AS.PSA) according to the SSP.
• For the asset AS.CORE the SFRs FDP_ACC.2/CCA and FDP_ACF.1/CCA ensure that non-privileged executables can only access CPU cores (AS.CORE) according to the SSP.
• For the asset AS.TSF_DATA, the TSF configures the MMU to disallow non-privileged executables to access the memory of any of these other assets (i.e., the memory used for AS.TASK, AS.TSF_DATA and AS.THR). The TSF data also includes all security attributes that the TSF uses to manage any asset (e.g. security attributes for file access rights or the schedule schemes used for assignment of CPU processing time).
FIA_UID.2 ensures that partitions are identified; FMT_SMR.1 provides security roles to partitions. FMT_MSA.1 re- stricts the ability to write the security attributes specified in the VMIT and the property file system to system partitions. FMT_MSA.3 provides restrictive or integrator-defined default values for security attributes. ©2022 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Page 58 of 63 Security Target PikeOS Separation Kernel v5.1.3 Doc.-ID: 00101-8000-ST Revision: 40.22 8.3.3 Security Objective: OT.RESOURCE_AVAILABILITY • For the assets AS.MEM and AS.KMEM, FRU_RSA.2/MEM ensures that limits are enforced according to the SSP on the minimum and maximum amount of memory (AS.MEM) and exclusive hypervisor memory (AS.KMEM) available to non-privileged applications in normal partitions. • For the asset processing time (AS.TIME), FRU_RSA.2/TIME ensures that limits are enforced according to the SSP on the minimum and maximum processing time (AS.TIME) available to non-privileged applications in normal partitions. These limits also ensure that resources used for AS.TASK, AS.TSF_DATA and AS.THR are not depleted through operations of non-privileged executables. 8.3.4 Security Objective: OT.API_PROTECTION FMT_SMF.1 specifies that the management API can be used for management of threads, tasks and the TOE. FMT_MTD.1/SYS ensures that the TOE prevents access from normal partitions to the system application API. FMT_MTD.1/TASK restricts the access that a normal partition has via the normal partition API to tasks that the normal partition owns. 
FMT_MTD.1/THR restricts the access that a normal partition has via the normal partition API to the threads that the normal partition owns. All other APIs reserved for privileged executables (PSP, system extensions and kernel device drivers) can only be reached from executables linked to the TOE. FDP_ACC.2/MA and FDP_ACF.1/MA ensure that the TOE prevents any execution of these APIs by non-privileged applications.

8.3.5 Security Assurance Requirements Rationale

EAL 5+ has been considered appropriate to ensure the robust and reliable separation of partitions. ALC_FLR.3 has been included to ensure that integrators understand how to submit security flaw reports to SYSGO and how to register with SYSGO so that they receive the corrective fixes. ADV_IMP.2, ALC_DVS.2 and AVA_VAN.5, together with their dependencies, have been added to comply with the ANSSI "qualification renforcée" (reinforced qualification) scheme [ANSSI17].

8.3.6 Security Assurance Requirements Dependency Analysis

This section provides a dependency analysis for the security assurance requirements as defined by the CC. There are no unfulfilled dependencies. This ST claims conformance to the standard EAL 5 package; within that package, all dependencies of the components defined in CC v3.1 Part 3 are fulfilled by the package itself. The dependencies of the augmentations are analysed in Table 11.
Family      Depends on                                                Covered by
ALC_FLR.3   No dependencies                                           -
ADV_IMP.2   ADV_TDS.3, ALC_TAT.1, ALC_CMC.5                           Either covered by this augmentation or by EAL5
ALC_DVS.2   No dependencies                                           -
AVA_VAN.5   ADV_ARC.1, ADV_FSP.4, ADV_TDS.3, ADV_IMP.1, AGD_OPE.1,    Covered by EAL5
            AGD_PRE.1, ATE_DPT.1
ALC_CMC.5   ALC_CMS.1, ALC_DVS.2, ALC_LCD.1                           Either covered by this augmentation or by EAL5

Table 11: SAR Dependency Analysis

9 TOE Summary Specification

This section describes how each TOE Security Service defined in Section 3.4.6 is implemented and which SFRs it covers.

TSS_SSA: Separation in space of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP:

Applications can be hosted in different partitions. Partitions are assigned resources (i.e. space) according to the SSP; these resources comprise memory ranges and a set of CPUs. The TSF enforces the corresponding part of the SSP by access control on partition content, by per-partition provision of physical memory space, and by allocation of CPU time on each CPU. By confining non-privileged executables to partitions, the TSF ensures that these applications can affect neither applications in other partitions nor the PikeOS Operating System itself.
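The separation in space just described, and the shared-memory form of communication object covered under TSS_COM below, as an added example that is neither part of this ST nor PikeOS code: a C model in which a partition's security domain is its page table, a single MMU check decides every load, store or fetch against that table, and a shared-memory object is one physical frame mapped into two tables with different rights. The structures, frame numbers and partition names are constructed for illustration only.

```c
/* Added example (not PikeOS code): a model of MMU-based separation in space
 * (TSS_SSA) with one shared-memory communication object (TSS_COM). The page
 * tables, frame numbers and partition names are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define MAX_PAGES  16u          /* virtual pages per partition in this model */

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* One page-table entry: present bit, physical frame number, granted rights. */
struct pte {
    bool     present;
    uint32_t frame;
    uint8_t  perms;
};

/* A partition's security domain is its page table: a physical frame with no
 * entry here does not exist from the partition's point of view. */
struct partition {
    const char *name;
    struct pte  pt[MAX_PAGES];
};

/* The MMU check on a single load, store or fetch: allowed only when the page
 * is mapped in *this* partition's table with every requested right. */
static bool mmu_check(const struct partition *p, uint32_t vaddr, uint8_t want)
{
    uint32_t vpage = vaddr >> PAGE_SHIFT;
    if (vpage >= MAX_PAGES) return false;            /* outside the table */
    const struct pte *e = &p->pt[vpage];
    return e->present && (e->perms & want) == want;
}

/* Physical address of a virtual one; only meaningful after mmu_check passed. */
static uint32_t mmu_translate(const struct partition *p, uint32_t vaddr)
{
    const struct pte *e = &p->pt[vaddr >> PAGE_SHIFT];
    return (e->frame << PAGE_SHIFT) | (vaddr & (PAGE_SIZE - 1));
}

/* Can the partition reach a physical frame through any mapping at all? This
 * is what makes TSF data and other partitions' private memory unreachable
 * rather than merely read-only. */
static bool reaches_frame(const struct partition *p, uint32_t frame)
{
    for (uint32_t i = 0; i < MAX_PAGES; i++)
        if (p->pt[i].present && p->pt[i].frame == frame) return true;
    return false;
}

/* Constructed SSP memory assignment: frame 0x40 is private to A, 0x41 private
 * to B, frame 0x50 is a shared-memory object mapped RW in A and RO in B, and
 * frame 0x10 holds TSF data that neither table mentions. */
static const struct partition part_a = {
    .name = "A",
    .pt = { [0] = { true, 0x40, PERM_R | PERM_W | PERM_X },
            [1] = { true, 0x50, PERM_R | PERM_W } },
};
static const struct partition part_b = {
    .name = "B",
    .pt = { [0] = { true, 0x41, PERM_R | PERM_W | PERM_X },
            [1] = { true, 0x50, PERM_R } },
};

static const char *verdict(bool ok) { return ok ? "allowed" : "fault"; }

int main(void)
{
    printf("A store to own page 0x0010:   %s\n", verdict(mmu_check(&part_a, 0x0010, PERM_W)));
    printf("A store to shared 0x1008:     %s\n", verdict(mmu_check(&part_a, 0x1008, PERM_W)));
    printf("B load from shared 0x1008:    %s\n", verdict(mmu_check(&part_b, 0x1008, PERM_R)));
    printf("B store to shared 0x1008:     %s\n", verdict(mmu_check(&part_b, 0x1008, PERM_W)));
    printf("A fetch from unmapped 0x2000: %s\n", verdict(mmu_check(&part_a, 0x2000, PERM_X)));
    printf("shared page is frame 0x%x in both tables: %s\n",
           mmu_translate(&part_a, 0x1008) >> PAGE_SHIFT,
           mmu_translate(&part_a, 0x1008) == mmu_translate(&part_b, 0x1008) ? "yes" : "no");
    printf("A reaches B's frame 0x41: %d, A reaches TSF frame 0x10: %d\n",
           reaches_frame(&part_a, 0x41), reaches_frame(&part_a, 0x10));
    return 0;
}
```

Two distinct failure modes are visible: partition B's store to the shared page fails on rights, whereas partition A cannot address B's private frame or the TSF data frame at all, because A's table has no entry for them. The second property is the one OT.INTEGRITY relies on for AS.TSF_DATA.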
The TSF defines separated security domains via page tables. For memory (AS.MEM), the SFRs FDP_ACC.2/MA and FDP_ACF.1/MA are implemented because the TSF configures the MMU to use these page tables, so that each single load/store operation is confined to a predefined range of physical memory. For interrupts (AS.INT), the SFRs FDP_ACC.2/IA and FDP_ACF.1/IA are implemented and ensure that non-privileged executables can only access interrupts according to the SSP. For PSP-specific services (AS.PS), the SFRs FDP_ACC.2/PSA and FDP_ACF.1/PSA are implemented and ensure that non-privileged executables can only access PSP-specific services according to the SSP. For CPU cores (AS.CORE), the SFRs FDP_ACC.2/CCA and FDP_ACF.1/CCA are implemented and ensure that non-privileged executables can only access CPU cores according to the SSP. FRU_RSA.2/MEM (AS.MEM and AS.KMEM) is implemented because limits on the minimum and maximum amount of memory available to non-privileged executables in normal partitions are enforced according to the SSP.

Separation in space includes access control to devices via device drivers, e.g. Ethernet or USB drivers. The SSP can configure such drivers to be contained in a partition. Separation in space also covers the execution of industrial APIs/libraries, for example POSIX, ARINC 653 (APEX), Linux, RTEMS and OSEK: these run as non-privileged executables and thus cannot bypass the SSP.

TSS_STA: Separation in time of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP:

Applications can be hosted in different partitions. Partitions are assigned CPU time (i.e. time windows) according to the SSP. The TSF enforces the corresponding part of the SSP by per-partition allocation of a predefined amount of CPU time on each CPU. On a partition switch, the CPUs are reused by the partition that is switched to.
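The time-window scheme just described, as an added example that is neither this ST's nor PikeOS's code: a C model of a fixed cyclic schedule in which the configuration, not the partitions, decides which partition owns each CPU tick. The scheme, the tick counts and the validation rules are constructed assumptions for illustration.

```c
/* Added example (not PikeOS code): a model of separation in time as a fixed
 * cyclic schedule of time windows, in the spirit of TSS_STA. The scheme,
 * tick counts and validation rules are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_WINDOWS 8
#define MAX_PARTS   4
#define IDLE        (-1)

/* One time window: partition `part` owns every CPU tick in
 * [start, start + len) of each major frame. */
struct window { int part; uint32_t start; uint32_t len; };

/* A schedule scheme: a major frame of fixed length and an ordered list of
 * windows inside it, fixed by the SSP at integration time. */
struct schedule {
    uint32_t      major_frame;
    unsigned      nwin;
    struct window win[MAX_WINDOWS];
};

/* Reject schemes a kernel must not load: unknown partition, empty window,
 * windows out of order or overlapping, or a window past the major frame. */
static bool schedule_valid(const struct schedule *s)
{
    uint32_t prev_end = 0;
    if (s->major_frame == 0 || s->nwin > MAX_WINDOWS) return false;
    for (unsigned i = 0; i < s->nwin; i++) {
        const struct window *w = &s->win[i];
        if (w->part < 0 || w->part >= MAX_PARTS || w->len == 0) return false;
        if (w->start < prev_end) return false;            /* overlap/misorder */
        if (w->start + w->len > s->major_frame) return false;
        prev_end = w->start + w->len;
    }
    return true;
}

/* Owner of the CPU at absolute tick t. The configuration decides, not the
 * partitions; ticks outside every window are idle. */
static int partition_at(const struct schedule *s, uint64_t t)
{
    uint32_t off = (uint32_t)(t % s->major_frame);
    for (unsigned i = 0; i < s->nwin; i++)
        if (off >= s->win[i].start && off < s->win[i].start + s->win[i].len)
            return s->win[i].part;
    return IDLE;
}

/* Processing time guaranteed to a partition in every major frame. */
static uint32_t budget_per_frame(const struct schedule *s, int part)
{
    uint32_t sum = 0;
    for (unsigned i = 0; i < s->nwin; i++)
        if (s->win[i].part == part) sum += s->win[i].len;
    return sum;
}

/* Run the clock for `ticks` ticks and charge each tick to its owner. Every
 * partition is assumed greedy (it never yields); it still cannot obtain a
 * tick outside its windows, because a window boundary preempts it
 * unconditionally. Returns the ticks consumed by `part` (IDLE: idle time). */
static uint64_t usage_after(const struct schedule *s, uint64_t ticks, int part)
{
    uint64_t used = 0;
    for (uint64_t t = 0; t < ticks; t++)
        if (partition_at(s, t) == part) used++;
    return used;
}

/* Constructed scheme: 100-tick major frame; partition 0 owns ticks 0-39,
 * partition 1 ticks 40-69, partition 2 ticks 70-89; ticks 90-99 are idle. */
static const struct schedule demo_schedule = {
    .major_frame = 100, .nwin = 3,
    .win = { {0, 0, 40}, {1, 40, 30}, {2, 70, 20} },
};

/* Constructed invalid scheme: the second window overlaps the first. */
static const struct schedule bad_schedule = {
    .major_frame = 100, .nwin = 2,
    .win = { {0, 0, 60}, {1, 40, 30} },
};

int main(void)
{
    printf("demo scheme valid: %d, bad scheme valid: %d\n",
           schedule_valid(&demo_schedule), schedule_valid(&bad_schedule));
    for (int p = 0; p < 3; p++)
        printf("partition %d: %llu of 1000 ticks (budget %u per frame)\n", p,
               (unsigned long long)usage_after(&demo_schedule, 1000, p),
               budget_per_frame(&demo_schedule, p));
    printf("idle: %llu ticks\n",
           (unsigned long long)usage_after(&demo_schedule, 1000, IDLE));
    return 0;
}
```

A partition that never yields is charged exactly its window lengths per major frame and nothing more, and the validator rejects overlapping windows, which is the kind of configuration error that would otherwise hand one partition's time to another.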
FRU_RSA.2/TIME is implemented because limits on the minimum and maximum amount of processing time available to non-privileged executables in normal partitions are enforced according to the SSP.

TSS_COM: Provision and management of communication objects:

Applications hosted in different partitions can be assigned a set of communication objects. A communication object is an object exposed to one or more partitions with access rights as defined in the configuration data, thus allowing communication between partitions.

For communication ports (AS.PORT), the SFRs FDP_ACC.2/CPA and FDP_ACF.1/CPA are implemented and ensure that non-privileged executables can only access communication ports according to the SSP. For files (AS.FILE), the SFRs FDP_ACC.2/FA and FDP_ACF.1/FA are implemented and ensure that non-privileged executables can only access files according to the SSP. For memory used as shared memory (AS.MEM), FDP_ACC.2/MA and FDP_ACF.1/MA are implemented because the TSF configures the MMU to use the page tables, so that each single load/store operation is confined to a predefined range of physical memory. For IPC and event communication, FDP_IFC.2 and FDP_IFF.1 are implemented by providing communication objects and by restricting information flows originating from non-privileged executables to the flows allowed by the SSP.

TSS_MAN: Management of the TOE (e.g. system partition API) and of TOE data (e.g. threads, tasks):

The TSF protects the confidentiality and integrity of TSF data and the availability of resources. FIA_UID.2 is implemented by requiring each partition to be successfully identified before any other TSF-mediated action is allowed on behalf of that partition. FMT_MSA.1 is implemented because the TSF restricts the ability to write the security attributes specified in the VMIT and the property file system to system partitions. FMT_MSA.3 is implemented because the TSF provides restrictive or integrator-defined default values for the security attributes used to enforce the SFP. FMT_SMF.1 is implemented because the TSF provides functions for thread management, task management and TOE management (System Partition API). FMT_MTD.1/SYS is implemented because the TOE prevents any access of a non-privileged executable to the system partition API. FMT_MTD.1/TASK is implemented because the TOE restricts the access that a non-privileged executable has to tasks to the tasks its normal partition owns. FMT_MTD.1/THR is implemented because the TOE restricts the access that a non-privileged executable has to threads to the threads its partition owns. FMT_SMR.1 is implemented by defining the roles "system partition" and "normal partition" and associating each partition with one of these roles.

10 Acknowledgment

Part of this ST is based on SKPP [Inf07, LNIM10], OSPP [OSPP] and HASK-PP [Bun08].
This ST has benefited from the work in the TECOM (FP7 grant 216888), SeSaM (BMBF grants 01BY1120 to 01BY1123), PASS (BMWi grant 01 MD 16002D), EURO-MILS (FP7 grant 318353) and certMILS (H2020 grant 731456) projects.