Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Document ID Revision DOORS Baseline Date State 18109-8000-ST 41.19 41.19 2023-07-27 App SYSGO GmbH Am Pfaffenstein 8, 55270 Klein-Winternheim, Germany www.sysgo.com ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 1 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Table of Contents 1 Notices and Revisions 6 1.1 Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 Introduction 8 2.1 Purpose of this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2 Document References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2.1 Applicable Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2.2 Referenced Documents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.3 Abbreviations and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.4 Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3 ST Introduction 15 3.1 ST Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.2 TOE Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.3 TOE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.3.1 Base Functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.3.2 TOE Type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.4 TOE Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.4.1 TOE Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.4.2 TOE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.4.3 TOE Operational Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.4.4 TOE Life Cycle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.4.5 TOE Physical Boundary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3.4.6 TOE Logical Boundary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4 Conformance Claims 26 4.1 CC Conformance Claim. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.2 Protection Profile Claim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.3 Package Claim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.4 Conformance Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 5 Security Problem Definition 27 5.1 Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 5.2 Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.3 Organizational Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.4 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 6 Security Objectives 30 6.1 Security Objectives for the TOE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 6.2 Security Objectives for the Operational Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 6.3 Security Objectives Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 6.3.1 Security Objectives Rationale: Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 6.3.2 Security Objective Rationale: Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 7 Extended Components Definition 34 8 Security Requirements 35 8.1 Security Functional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 8.1.1 User Data Protection (FDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 8.1.2 Identification and Authentication (FIA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 8.1.3 Security Management (FMT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 8.1.4 Resource Utilization (FRU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 2 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 8.2 Security Assurance Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 8.3 Security Requirements Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 8.3.1 Security Objective: OT.CONFIDENTIALITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 8.3.2 Security Objective: OT.INTEGRITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 8.3.3 Security Objective: OT.RESOURCE_AVAILABILITY . . . . . . . . . . . . . . . . . . . . . . . . . 55 8.3.4 Security Objective: OT.API_PROTECTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 8.3.5 Security Assurance Requirements Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 8.3.6 Security Assurance Requirements Dependency Analysis . . . . . . . . . . . . . . . . . . . . . . 55 9 TOE Summary Specification 57 10 Acknowledgment 59 ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 3 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Tables 1 Applicable Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2 Referenced Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3 Abbreviations and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4 TOE Physical Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 5 Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 6 Security Objectives Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 7 Coverage of Security Objectives for the TOE by SFR. "X" is for where a dependency to an objective exists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 8 SAR Dependency Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 4 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Figures 1 TOE and TOE Operational Environment during Operational Use . . . . . . . . . . . . . . . . . . . . 17 2 System Integration Phase of the TOE Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 5 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 1 Notices and Revisions 1.1 Revision History DOORS Baseline // Date Description of Change 41.0 // 09.12.2020 Initial revision based on PikeOS Security Target 00101-8000-ST rev. 40.6 41.1 // 09.12.2020 Revision based on internal review. 41.2 // 16.12.2020 Revision based on internal review. 41.3 // 16.12.2020 Revision based on internal review. 41.4 // 17.12.2020 Revision based on review 18109-00005. 41.5 // 17.12.2020 Approved revision as per review 18109-00006. 41.6 // 17.12.2020 Approved revision as per review 18109-00006. Updated state to "App". 41.7 // 26.03.2021 Revision based on internal review. 41.8 // 03.05.2021 Revision based on internal review. 41.9 // 28.05.2021 Update PikeOS version to 5.1.3. Restructured TOE physical boundaries. Fix application notes numbering. Fix minor typos. 41.10 // 08.07.2021 Update Figure 1. 41.11 // 05.10.2021 Update based on internal review. 41.12 // 29.12.2021 Update based on reviewer feedback. 41.13 // 07.13.2022 Removed Application note 11, update figure 1, update "TOE Physical Components" table 41.14 // 26.09.2022 Minor update of §3.1 and §3.2. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 6 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 41.15 // 28.06.2023 Update TOE physical Boundary with correct RPM and ISO. 41.16 // 03.07.2023 Approved version. 41.17 // 19.07.2023 Fixed readability in table 4 in the generated pdf. 41.18 // 19.07.2023 Fixed format issues in tables. 41.19 // 27.07.2023 Security bulletin RPM version changed from 138 to 287. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 7 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 2 Introduction See section 3.3 for a high-level overview of the TOE characteristics and its security services. 2.1 Purpose of this Document This document is the Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Pro- cessor. 2.2 Document References 2.2.1 Applicable Documents Ref. Document ID - Document Title Version [Com17] Common Criteria Sponsoring Organizations, Common Criteria for Information Technology Security Evaluation. Version 3.1, revision 5 (final), April 2017. https://www.commoncriteriaportal.org/ccra/index.cfm v3.1r5 Table 1: Applicable Documents 2.2.2 Referenced Documents ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 8 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Ref. Document ID - Document Title [ANSSI17] Agence nationale de la sécurité des systèmes d’information (ANSSI), Processus de qualification d'un produit, n°274/ANSSI/SDE, réf. QUAL-PROD-PROCESS/1.0, 12 jan. 2017, https://www.ssi.gouv.fr/uploads/2014/11/qual_prod_process-processus-de- qualification-d-un-produit.pdf [Bun08] Bundesamt für Sicherheit in der Informationstechnik (BSI) and Sirrix AG security technologies, Protection Profile for High-Assurance Security Kernel: Version 1.14, June 2008. [Inf07] Information Assurance Directorate, U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness. Version 1.03, June 2007. [LNIM10] Timothy E. Levin, Thuy D. Nguyen, Cynthia E. Irvine, Michael McEvilley, Separation Kernel Protection Profile revisited: Choices and rationale, 4th Annual Layered Assurance Workshop (LAW), 2010, http://fm.csl.sri.com/LAW/2010/. [OSPP] Stephan Mueller, Gerald Krummeck, Helmut Kurth, Operating System Protection Profile, 2010, https://www.commoncriteriaportal.org/files/ppfiles/pp0067b_pdf.pdf. [Rus81] John Rushby, Design and Verification of Secure Systems, 8th ACM Symposium on Operating System Principles, 1981, http://www.csl.sri.com/users/rushby/papers/sosp81.pdf Table 2: Referenced Documents 2.3 Abbreviations and Acronyms ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 9 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Abbreviation / Acronym Description APEX Application Executive API Application Programming Interface ARINC Aeronautical Radio, Inc. ASP Architecture Support Package BSP Board Support Package CC Common Criteria for Information Technology Security Evaluation CLKMGR Clock Manager CPU Central Processing Unit DMA Direct Memory Access EAL Evaluation Assurance Level ELF Executable and Linkable Format HASK High-Assurance Security Kernel HWVIRT Hardware Virtualization I/O MMU Input / Output Memory Management Unit I/O Input / Output IPC Interprocess Communication IT Information Technology MILS Multiple Independent Levels of Security MMU Memory Management Unit OSEK Offene Systeme und deren Schnittstellen für die Elektronik in Kraftfahrzeugen OSP Organizational Security Policy OSPP Operating Systems Protection Profile POSIX Portable Operating System Interface PSP Platform Support Package RAM Random Access Memory RTEMS Real-Time Executive for Multiprocessor Systems SAR Security Assurance Requirement SFP Security Function Policy SFR Security Functional Requirement SKPP Separation Kernel Protection Profile SSP System Security Policy ST Security Target TOE Target of Evaluation TSF Target of Evaluation Security Functionality TSS_XXX TOE Security Service XXX USB Universal Serial Bus VMIT Virtual Machine Initialization Table XML Extensible Markup Language Table 3: Abbreviations and Acronyms ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 10 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 2.4 Terms and Definitions Access Flag: An access flag is a bit specifying whether a certain access operation is allowed. Access Mode: An access mode is a set of access flags. Application: An application is executable data. An application is a special case of "Executable". Architecture Support Package: An architecture support package (ASP) is part of the TOE. The ASP provides spe- cific low-level functionality for each supported CPU architecture. Since the CPU instruction set is also CPU dependent, the generic components are CPU specific at the object code level. The main responsibilities of an ASP are: (1) abstraction of data type representation, (2) processor exception handling, and (3) low level address space and memory management. In operational use, the TSF always contains only one ASP. Board Support Package: A board support package (BSP) is a set of software components composed of PikeOS (kernel and PSSW), the ASP, the PSP, and kernel-level and user-level device drivers, that provides an abstraction layer for a specific board to be further used by the Integrator to produce the Product Based on PikeOS. Bootloader: See "Firmware". Builtin File Provider: A builtin file provider is an executable provided by the TOE that implements file services. Communication Object: Partitions can communicate with each other under the supervision of the TOE. A commu- nication object is an object exposed to one or multiple partitions with access rights as defined in the configuration data. Configuration Data: The configuration data defines a set of rules on how the TOE behaves. The configuration data comprises a top-level configuration XML document called VMIT (Virtual Machine Initialization Table) and the property file system. Access to each property file system node is controlled by the file access control defined in the VMIT. The configuration data is defined during Step 3 of the system integration phase and used by the TOE to enforce the System Security Policy (SSP, Section 3.4.4.2). The default configuration is that there is no communication between any partitions. Any communication between partitions has to be explicitly allowed by the integrator in the configuration data. CPU Architecture: The CPU architecture is the implementation of a CPU instruction set. CPU architectures are for instance x86, Arm, or PowerPC. Cyclic Periodicity: Cyclic periodicity is the repetition of a scheduling scheme: when the last time window of the scheduling scheme has finished, the scheduling scheme begins again with its first time window. ELF File: An ELF file is a file in ELF format, used to load applications. e1000 driver: An e1000 driver is a driver for Gigabit Ethernet controllers. Executable: "Executable" is the term for an application within a partition or other executable code linked to the TOE. More details about executables are given in section 3.4.3.1.3. External File Provider: An external file provider is an executable provided by third-party developers that implements file services and is confined by the VMIT. File Descriptor: A file descriptor is an identifier for a file. Firmware: Firmware is hardware-specific software which comprises the following: • Software and data stored in non-volatile memory of the hardware that initializes the hardware after the power on. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 11 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 • Software that (fully or partially) loads the TOE into RAM memory and hands over the full control to the TOE. In particular, a TOE-external check of the TOE may be implemented in the bootloader (e.g. for "secure boot"). Fusion Tool Chain: The PikeOS fusion tool chain project is a linker that links one or several executables and the TOE. The tool-chain provides linker for all required CPU architectures. The tool chain can be used on a development machine with Linux or Windows. Hardware: Hardware is the physical part of the TOE operational environment on which the TOE is executed. Usually, hardware is a board with several components such as CPUs and I/O devices (e.g. serial interfaces, network adapters) etc. This ST considers firmware as part of the hardware. Integration Tool Chain: The PikeOS integration tool chain project takes as input one or more applications, the VMIT, the property file system, and the results of the fusion tool chain and produces the product based on PikeOS, in the form of a ROM image. The tool-chain supports the required CPU architectures and can be used on a development machine with Linux or Windows. Integrator: The integrator executes the system integration phase, which results in a product based on the TOE. Interprocess Communication: IPC is a communication protocol supported by the TOE to exchange messages within a partition or between partitions synchronously. The communication objects are IPC messages. Isolation: Isolation of a partition is the absence of communication with other partitions, except partitions hosting the components implementing the system API, when no communication channels or shared resources between the partition and other partitions are configured. Isolation is a special case of separation. Kernel Info Page: The kernel info page is a memory page that is mapped in read-only access mode to all parti- tions. Kernel Device Driver: A kernel device driver (KDEV) is a software component linked with the kernel via the KDEV API. A KDEV can provide specific functionality to applications within partitions and is protected from non-privileged executables by access control and resource management enforced by the TOE. Life Cycle: The life cycle phases for this TOE are development (source code development), manufacturing (compila- tion to binary) and delivery to the integrator. The integrator executes the system integration phase, which results in a product based on the TOE. Memory Page: A memory page is an aligned and contiguous area of memory of a CPU architecture dependent size (e.g. 4096 bytes). Normal Partition: A normal partition can use the API provided by the TOE to partitions that only consists of non- privileged calls ("normal partition API"). Non-Privileged Executable: See "Executable". Own (for a Task or a Thread): A partition owns a task if the task is assigned to it by the integrator in the VMIT. A partition owns a thread if the thread is created by one of its applications. Partition: A partition is a logical unit maintained by the TOE and configured by the SSP. A partition contains user data. For each partition, the TOE provides resources. Resources of a partition comprise physical memory and allocated CPU time for each CPU. Partition Switch: Partition switches are defined by the SSP as part of the scheduling scheme and transfer code execution on CPU(s) from one partition to another. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 12 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 PikeOS: The term PikeOS is usually used in the documentation when the described system includes at least the TOE. PikeOS Kernel: The PikeOS Kernel is one of the two constituting subsystems of the PikeOS Separation Kernel and implements a portion of the TSF. PikeOS Operating System: The PikeOS Operating System consists of the TOE and additional system components such as the PSP, (kernel) device drivers, and system extensions. Such additional components are usually used for making the TOE fully compatible with its use-case and the selected hardware. PikeOS Separation Kernel: The PikeOS Separation Kernel (the TOE) provides the TSF and operates the prod- uct based on PikeOS. The TSF implements mechanisms to assign resources to partitions, providing the execution environments for applications, and implementing communication between partitions as defined by the configuration data. The PikeOS Separation Kernel is provided as binary for each supported CPU architecture. The functionality of the PikeOS Separation Kernel is CPU architecture-independent thanks to the usage of the ASP that abstracts the underlying CPU architecture. PikeOS System Software: The PikeOS System Software (PSSW), also called System Software, is one of the two constituting subsystems of the PikeOS Separation Kernel and implements a portion of the TSF. Platform Support Package: A platform support package (PSP) contains a set of drivers for a specific hardware platform. A PSP uses the TSF’s PSP API. In operational use, the product based on PikeOS always contains exactly one PSP. A PSP is protected from non-privileged executables by access control and resource management enforced by the TOE. The main tasks of a PSP are (1) platform initialization, (2) interrupt management, (3) hardware timer management. Port: A port is a communication endpoint for message based communication. A port is either configured as source port or destination port. A sender writes a message to a source port and a receiver reads the message from the connected destination port. The TOE supports two kinds of message transfer modes - queuing mode and sampling mode. The mode is defined by the port type. Only ports of the same type can be connected. Messages sent to a source queuing port are buffered in a queue until they are read from the connected destination port. The number of messages that can be buffered is a configurable property of a queuing port. A message sent to a source sampling port is only buffered until the next message is sent, the new message will replace the old one. Privileged Executable: See "Executable". Product Based on PikeOS: The product based on PikeOS is the output of the system integration phase (Section 3.4.4.2). The product based on PikeOS contains the configuration data in a representation readable by the TOE, the PSP, system extensions, kernel device drivers, and partitions. The PSP reads and set up the configuration, and confines non-privileged executables within their partitions according the SSP. Property Node: A property node is a file in the property file system. The integrator can use the property file system to describe properties of hardware in the operational environment. Resource: In this ST we consider resources of partitions and TSF data. The resources of a partition comprise physical memory and allocated CPU time for each CPU. Separation: The TOE separates partitions by managing their accesses to and usage of resources, such as memory, devices, processors, and communication channels, as defined by the configuration. Separation Kernel: A Separation Kernel as defined by [Rus81] is the logical concept of a software that is capable of providing multiple execution environments on a single system that are separated from each other with the same degree of rigor as if the environments were executed on physically separate systems. A Separation Kernel can be implemented in a number of different ways, for example as (part of) an Operating System Kernel. Subject: In this ST, the term subject is used for a thread in a partition, for an application, or for a partition as a whole depending on the context. In the running TOE, the entity executing application code is a TOE thread. In a partition ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 13 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 there can be multiple threads and each thread is uniquely assigned to its partition. Since this ST works on security policies at partition level, we abstract all threads in one partition to the partition subject. System Extension: A system extension is a software component supplied and approved by the integrator and linked with the TOE via the system extension API. A system extension can provide specific functionality to applications within partitions and is protected from non-privileged executables by access control and resource management enforced by the TOE. System Partition: A system partition can use the whole API provided by the TOE to partitions ("system partition API"), i.e. use both non-privileged (normal partition API) and additional privileged calls. The integrator can define a partition as a system partition in the SSP. System Security Policy (SSP): The configuration data uniquely defines the System Security Policy (SSP) consisting of configuration choices made by an integrator. The SSP defines partitions, setting their resources, defining communi- cation objects, defining access to and parameters for PSP, system extensions, and kernel device drivers, setting their content and resources, setting TOE attributes, comprising scheduling scheme, policy for memory cache handling on a partition switch to the extent supported by the operational environment’s hardware, scheme for automatic handling of error conditions. The SSP is a subset of the VMIT. Time Window: A time window is the basic scheduling entity of CPU time assigned to a partition that is specified by the offset from the start of a cyclical time period and the window duration. TOE Security Service: A TOE Security Service is a logical part of the TOE that has to be relied upon for enforcing a related subset of the rules regulating how the SSP is maintained by the TOE. TOE User Manuals: The TOE User Manuals are documentation provided with the TOE on how to use the TOE in general environments and in safety and security critical environments. User: A "user" of the TOE is a partition. Virtual Machine Initialization Table (VMIT): The configuration data defines a set of rules on how the TOE behaves. The configuration data comprises a top-level configuration XML document called VMIT (Virtual Machine Initialization Table) and the property file system. Access to each property file system node is controlled by the file access control defined in the VMIT.The SSP is a subset of the VMIT. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 14 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 3 ST Introduction 3.1 ST Reference • Title: Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor • Version: 41.19 • Issuer: SYSGO GmbH • Keywords: real-time, operating system, separation kernel, virtualization, hypervisor, MILS (Multiple Inde- pendent Levels of Security), board support package. • Date: 27th July, 2023 • TOE Version: 3.1.0 This security target complies with the Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 5 [Com17] (CC). 3.2 TOE Reference The TOE is referenced as the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor v3.1.0. 3.3 TOE Overview The TOE allows to effectively separate multiple applications from each other while running on the same platform. Such applications can range from small bare-metal programs up to entire Operating Systems. Non-privileged applications may be malicious, and even in that case, the TOE ensures that malicious applications are neither capable of harming other applications nor the TOE itself. Separation kernels aim to establish a degree of isolation between the applications on a single system (e.g., a hard- ware platform) which, in terms of security, is comparable to running the application executables on physically separate platforms [Rus81]. However, separation kernels also provide communication facilities that allow the applications to interact with each other, if configured by the integrator. The TOE includes a wide range of additional features and functionalities such as direct memory access, process control, memory management, different communication services and more. Together with the real-time capability of the TOE, this allows to build and operate embedded systems in areas with a high demand towards security and safety such as automotive, avionics, medical devices, industrial and railway applications. The TOE also includes specific BSP components for the NXP LS1023A/LS1043 Processor. 3.3.1 Base Functionality The interference-free coexistence of applications is guaranteed by separating these applications into so-called parti- tions. These partitions are a key component of the functionality of the TOE. They ensure that even malicious applica- tions are isolated in a way that the TOE itself and other applications in other partitions remain in a secure state. SYSGO defines separation as follows: The TOE separates partitions by managing their accesses to and usage of resources, such as memory, devices, processors, and communication channels, as defined by the configuration. Isolation of a partition is the absence of communication with other partitions, except partitions hosting the components implementing the system API, when no communication channels or shared resources between the partition and other partitions are configured. Isolation is a special case of separation. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 15 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Additionally, the TOE has the characteristics of an embedded real time operating system. Thus, the partitioning is configured statically and the TOE does not include typical desktop operating system services (e.g. user login, printer drivers). The TOE will typically be installed and operated on a hardware platform suitable for embedded systems. The major security services provided by the TOE are: • Separation in space of applications hosted in different partitions from each other and from the PikeOS Operating System according to the configuration data, • Separation in time of applications hosted in different partitions from each other and from the PikeOS Op- erating System according to the configuration data, • Control of information flows between applications hosted in different partitions via assigning to the partitions communication objects and access rights to those, • Management of the TOE (e.g. system partition API) and the TOE data (e.g. threads, tasks). 3.3.2 TOE Type The TOE is a separation kernel with real-time support with BSP components for the NXP LS1023A/1043A proces- sor. The typical life cycle phases for this TOE type are development (source code development), manufacturing (compila- tion to binary) and delivery to the integrator. The integrator executes the system integration phase, which results in a product based on the TOE. The TOE is intended to be run on an NXP LS1023A/LS1043A Processor hardware platform. The hardware platform is not part of the TOE. 3.4 TOE Description 3.4.1 TOE Architecture The TOE, including its architecture, and the TOE operational environment is depicted in Figure 1. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 16 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Softw ar e Normal Partition Normal Partition API System Software Kernel / Architecture Su ppor t Packag eARMv8 Kernel Device Driver API PSP API Hardware (LS1043A/LS1023A) Firmware Normal Partition Normal Partition Target of Evaluation (TOE) TOE Subsystem s TOE API Normal Parti tion Content - E.g. non-privileged appli cations, arbitrary user data Pri vil eged executable Content - User data that has to be approved by the system integrator The red line defines securi ty dom ains separated by technical means PSP for LS1043A/1023A HWVIRT KDEV PikeOS Separation Kernel e100 0 IO Driver Normal Partition IO Driver Normal Partition IO Driver CLKMG R KDEV HWVIRT Ma nager Normal Partition System Partition API Normal Partition Boot softw are (U-Boot) ELinOS HWVIRT Guest System Partition System Partition Figure 1: TOE and TOE Operational Environment during Operational Use Figure 1 will be explained in detail in the next sections (Section 3.4.2 and 3.4.3). 3.4.2 TOE The TOE is the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor, depicted in Figure 1. It consists of the PikeOS Kernel and System Software instantiated with an Armv8 ASP and extended with BSP com- ponents for the NXP LS1023A/LS1043A Processor hardware platform (featuring an Arm Cortex-A53 core processor with 4 cores for LS1043A, 2 cores for LS1023A): PSP, HWVIRT Hypervisor driver (as kernel device driver), CLKMGR driver (as kernel device driver), and e1000 driver (as external file provider in a normal partition). Note: • The hardware platform itself is not part of the TOE. • The HWVIRT Hypervisor kernel device driver differs from a typical kernel device driver as its implemen- tation is not limited to the PSP level but also leverages specific CPU interfaces related to hardware virtu- alization at the ASP level. A HWVIRT Manager runs in partitions using HWVIRT to communicate with the HWVIRT Hypervisor kernel device driver. Applications in these partitions then handle CPU exceptions as configured through HWVIRT directly without passing through the PikeOS kernel. The TOE contains all the security functions (TSF) claimed in this ST, and the TSF data (e.g. configuration data and run-time data such as security attributes) necessary to configure and control them. The subdivision of the TOE into the two subsystems (Kernel and System Software) is a design choice with no negative impact on the provided security services. The TOE provides the TSF and operates the final product based on the TOE. The TSF implements mechanisms to assign resources to partitions, providing the execution environments for applications, and implementing communica- tion between partitions as defined by the configuration data. The TSF provides APIs to normal partitions and system partitions as well as APIs to kernel device drivers and the platform support package (PSP). TSF data consists of: • Configuration data: data used by the TOE to enforce the System Security Policy (SSP, Section 3.4.4.2). • Run-time data such as security attributes. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 17 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 3.4.2.1 PikeOS Operating System The PikeOS Operating System consists of the TOE and, depending on the configuration used, of additional software components as mentioned in Section 3.4.3. 3.4.3 TOE Operational Environment In a final product, e.g., an embedded system product based on the TOE, the TOE will use additional hardware and software components. These additional components that are provided by the integrator are not covered by this evaluation and belong therefore to the TOE’s operational environment. They interact with the TOE through the TOE’s well-defined interfaces and do not change the TOE binary. Some of the components may execute privileged CPU instructions or use privileged TOE services and could therefore interfere with security policies enforced by the TSF at runtime. Those components are collectively referred to as privileged executables (see Section 3.4.3.1.3). It is outside the scope of this evaluation how the trust for the privileged executables will be established. The integrator of a product based on PikeOS must establish trust for these privileged executables, e.g. may use a national scheme’s accreditation for components and/or the product based on the TOE, a Common Criteria evaluation of the product based on the TOE, or provide some other arguments to the user of the product based on the TOE. The TOE’s operational environment consists of any component not within the blue boxes in Figure 1. The various privileged components (boxes in gray) or non-privileged components (boxes in orange) that may be added by the integrator are the following. 3.4.3.1 Partition A partition is a logical unit maintained by the TOE and configured by the configuration data. A partition contains user data. For each partition, the TOE provides resources. Resources of a partition comprise physical memory and allocated CPU time for each CPU. The TOE supports two different kinds of partitions: normal and system partitions. Normal partitions as depicted in Figure 1 are defined in Section 3.4.3.1.1. System partitions as depicted in Figure 1 are defined in Section 3.4.3.1.2. Partitions can communicate with each other under the supervision of the TOE. This communication occurs via com- munication objects. A communication object is an object exposed to one or multiple partitions with access rights as defined in the configuration data. 3.4.3.1.1 Normal Partition A normal partition can use the API provided by the TOE to partitions that only consists of non-privileged calls ("normal partition API"). The integrator can define a partition as a normal partition in the SSP. 3.4.3.1.2 System Partition A system partition can use the whole API provided by the TOE to partitions ("system partition API"), i.e. use both non-privileged (normal partition API) and additional privileged calls. The integrator can define a partition as a system partition in the SSP. 3.4.3.1.3 Executable, Non-privileged Executable, Privileged Executable "Executable" is the term for an appli- cation within a partition or other executable code linked to the PikeOS Operating System. • An executable is critical if it can have access to critical hardware. Critical hardware can bypass TOE partitioning. Examples where a normal partition hosts a critical executable are: ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 18 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 • An executable in a normal partition is critical if the integrator in the configuration assigns to it access to control a critical hardware which can do DMA, there is no I/O MMU in place, and the hardware can write to arbitrary system memory, thus tampering with the TOE. Another example is an executable that has sufficient control over a hardware device allowing the executable to tamper with the device’s BIOS or non-volatile memory. We refer the reader to the TOE User Manuals for more details. • A non-privileged executable is an application in a normal partition that is not critical. Thus, a non-privileged executable can be an arbitrary executable, which can contain unintentional errors or be even malicious. • A privileged executable is either: A critical application in a normal partition, or any application in a system partition, or the PSP, or a kernel device driver, or a system extension. That is, a privileged executable has access to a TOE API or to critical hardware that can bypass TOE partitioning. Therefore, a privileged executable must be non-evil, and the integrator must verify that it complies with the system design as well as that it will not interfere with the TOE and the SSP. 3.4.3.2 Communication Object A communication object is a file, shared memory, a port, an IPC message, or an event. 3.4.3.3 Hardware Hardware is the physical part of the TOE operational environment on which the TOE is executed. Usually, hardware is a board with several components such as CPUs and I/O devices (e.g. serial interfaces, network adapters) etc. Hardware may also comprise firmware. Firmware is hardware-specific software which comprises the following: • Software and data stored in non-volatile memory of the hardware that initializes the hardware after the power on. • Software that (fully or partially) loads the TOE into RAM memory and hands over the full control to the TOE. In particular, a TOE-external check of the TOE may be implemented in the bootloader (e.g. for "secure boot"). The TOE is designed to run specifically on the NXP LS1023A/LS1043A Processor hardware platform. 3.4.4 TOE Life Cycle 3.4.4.1 TOE Development, TOE Manufacturing At the TOE manufacturer’s site (SYSGO), the TSF is developed (source code development), and manufactured (compiled to binary). The TOE manufacturer also produces the TOE User Manuals. 3.4.4.2 System Integration At the integrator’s site, the TOE is integrated. Figure 2 presents the system integration phase of the TOE lifecycle. Components used to build the product based on the TOE are provided by different sources: application develop- ers, integrator, and the TOE manufacturer (SYSGO). During system integration, the TOE, applications and other executables only have to be linked, i.e. their implementations do not need to be changed or recompiled. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 19 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Integrator Product Binary Image Integration Process Application Developers Non-privileged Partition 1 Content e.g. C Program Non-privileged Partition 2 Content e.g. C POSIX Non-privileged Partition N Content e.g. Linux ... TOE Manufacturer TOE User Manual Integration Toolchain PikeOS Configuration Data System Partition Content Parts of the Target ofEvaluation (TOE): Provided by the TOE manufacturer Integration Toolchain: Provided by the TOE manufacturer Content of User Partitions: This content can be arbitrary (from a security point ofview) and also be supplied by any 3rd party Content of System Components and Configuration Data: These elements, even ifsupplied by a 3rd party, are under sole responsibility of the integrator and shall be approved by him/her; see A.PRIVILEGED_EXECUTABLES below. PSP HWVIRT (Kernel Device Driver) e1000 driver (Non-privileged Partition Content) CLKMGR (Kernel Device Driver) Figure 2: System Integration Phase of the TOE Lifecycle The system integration phase can be split into the four steps: selection of the TOE operational environment, non- privileged and privileged executables, and deciding on system partitions and normal partitions (Step 1), fusion (Step 2), configuration of the TOE (Step 3), and integration (Step 4). Step 1 Selection The integrator installs the PikeOS BSP product and the PikeOS BSP Certification Kit on the development machine for the Armv8 CPU architecture. The integrator selects the product components: the TOE components (PikeOS kernel and system software, PSP and kernel device drivers), one or more instances of the e1000 driver in normal partition(s), optionally additional normal and system partitions. The content of any privileged executable shall be developed complying with the obligations given in Section 5.4 and be approved by the integrator. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 20 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Step 2 Configuration The integrator configures the product by: • defining normal and system partitions, setting their content and resources, • defining communication objects, • defining access to the PSP and kernel device drivers, • setting TOE attributes, comprising: • scheduling scheme, • policy for memory cache handling on a partition switch to the extent supported by the operational environment’s hardware, • scheme for automatic handling of error conditions, defining the meaning of the safe and secure state. The result of this activity is the configuration data. The configuration data defines a set of rules on how the TOE behaves. The configuration data comprises a top-level configuration XML document called VMIT (Vir- tual Machine Initialization Table) and the property file system. Access to each property file system node is controlled by the file access control defined in the VMIT. The configuration data uniquely defines the System Security Policy (SSP) consisting of configuration choices made by an integrator. The SSP defines partitions, setting their resources, defining communication objects, defining access to and parameters for PSP, system extensions, and kernel device drivers, setting their content and resources, setting TOE attributes, comprising scheduling scheme, policy for memory cache handling on a partition switch to the extent supported by the operational environment’s hardware, scheme for automatic handling of error conditions. The SSP is a subset of the VMIT. The SSP is enforced by the TSF and it cannot be circumvented by non-privileged executables. The default configuration is that there is no communication between any partitions. Any communication between parti- tions has to be explicitly allowed by the integrator in the configuration data. Step 3 Integration The integrator uses the integration tool chain to create a product based on PikeOS (in the form of a binary image) from the selected components and the TOE configuration data, creating the product based on PikeOS, including configuration data in a representation readable by the TOE. 3.4.4.3 Operational Use of the Product Based on the TOE At power on the hardware is initialized and then the product based on PikeOS is loaded. Immediately after the product based on PikeOS has been loaded, the PSP gets executed. The PSP then starts the TOE (TSF), the TOE initializes itself and starts enforcing the SSP, i.e. the TOE reads and set up the configuration, and confines non-privileged executables within their partitions according the SSP. 3.4.5 TOE Physical Boundary The TOE is the Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor. In Figure 1, each component within the blue boxes are part of the TOE; this includes the PikeOS kernel and system software and BSP (PSP, HWVIRT Hypervisor and CLKMGR kernel device drivers, and the e1000 driver in a normal partition). The TOE provides interfaces to normal and system partitions as well as to the BSP. The TOE physical boundary is composed of the blue boxes. Thus, the TOE does not include any hardware or software except from those cited in the paragraph above. The TOE also includes the TOE User Manuals, which are used during the system integration phase. TOE physical components (PikeOS kernel and system software, BSP components, and user manuals) are distributed as files on ISO images ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 21 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 • PikeOS Product ISO medium: PDT_ISO (R5p1_PIKEOS_ARM_V8HF_S*.amd64.iso), • Generic Certification Kit ISO medium: CKGEN_ISO (R5p1_PIKEOS_ARM_V8HF_CERTKIT_GENERIC_S*.iso), • 18109 PikeOS BSP ISO medium: BSP_ISO (R5p1_PIKEOS_18109_PIKEOS_BSP_S*.amd64.iso), • 18109 PikeOS BSP Generic Certification Kit ISO medium: BSP_CKGEN_ISO (R5p1_PIKEOS_18109_CERTKIT_GENERIC_S*.amd64.iso). • 18109 PikeOS BSP Common Criteria Certification Kit ISO medium: BSP_CKCC_ISO (R5p1_PIKEOS_18109_CERTKIT_CC_S*.amd64.iso). • PikeOS ARM HwVirt ISO medium: HWV_ISO (R5p1_PIKEOS_ARM_V8HF_HWVIRT_S*.amd64.iso). • PikeOS ARM HwVirt ISO Generic Certification Kit medium: HWV_CKGEN_ISO (R5p1_PIKEOS_ARM_V8HF_CERTKIT_HWVIRT_GENERIC_S*.amd64.iso). and listed in Table 4 hereafter. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 22 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Item Version Medium PikeOS Microkernel for Armv8 pikeos-kernel-cert-arm_v8hf-5.1-20592.x86_64.rpm SHA256: a948e9b8fd09769e483e87d0409a36a275616ca3b8071c5bdaed1e5b47872195 5.1 -20592 PDT_ISO PikeOS System Software for Armv8 pikeos-ssw-cert-arm_v8hf-5.1-4562.x86_64.rpm SHA256: 2499e9fd8a57438ee38d4933c89d220a7c4a82252745037806cdfc53603a395b 5.1 -4562 PDT_ISO PikeOS Hardware Virtualization Hypervisor for Armv8 pikeos-hwvirt-hypervisor-arm_v8hf-5.1-817.x86_64.rpm SHA256: fe169e669554c2e4faaaa11d9f4a5ebc5bb50e64b335ca210f447804054e3dcb 5.1 -817 HWV_ISO 18109 Platform Support Package pikeos-p18109-psp-18109-arm_v8hf-5.1-89104.x86_64.rpm SHA256: f8637fcb917bd0edf3a2ca83c2cdadeb6eecb16f57a2bd360cc61f0a8f2d1dad pikeos-p18109-config-psp-18109-arm_v8hf-5.1-89104.x86_64.rpm SHA256: 3838281ea93e1d85a074d127be9ee5dfc7e2167f7a1d65705df5443a00ab2ee7 5.1 -89104 BSP_ISO 18109 Clock Manager pikeos-p18109-hwvirt-eeh-clock-manager-arm_v8hf-5.1-131631.x86_64.rpm SHA256: 454db2e4909ae88bf6c3769f2804024941faf4da6b7c5c537975fc09e3eeaf81 5.1 -131631 BSP_ISO 18109 PikeOS e1000 driver pikeos-p18109-e1000_fp-cert-210-arm_v8hf-5.1-36984.x86_64.rpm SHA256: 4c97a5b03bad29d162b3f6fe2f0ca2db176717349c5e632cd31f4121c18d1db9 pikeos-p18109-e1000_fp-cert-config-arm_v8hf-5.1-36984.x86_64.rpm SHA256: 0b7b86f5ba831b2e58571b2d1c7b5b033c8a624d3efb487a716748a0dd9a948c 5.1 -36984 BSP_ISO PikeOS User Manual pikeos-doc-fundamentals-5.1-1077.noarch.rpm SHA256: c3bdd123fc0e3c6ac612062437f088a04a07a2707e6436c27ef41972f62ef077 5.1-1077 PDT_ISO PikeOS Installation Guide pikeos-doc-installationguide-5.1-112.noarch.rpm SHA256: 13ad083d5ce7c1ab323dabfed8ae229d24313f4385cb26ed2f288aff796245eb 5.1.3 PDT_ISO PikeOS Kernel Reference Manual pikeos-doc-kernelref-5.1-297.noarch.rpm SHA256: 261f060d456ec8a34d6dfd2de2c062c497b5449b58284ca66c0f0d2b655661dd 5.1-297 PDT_ISO PikeOS System Software Reference Manual pikeos-doc-psswref-5.1-321.noarch.rpm SHA256: 56ecd5bf36ded1cf53effefbb09b2b98b624dde5ad2ca309ff9cd905478e19bf 5.1-321 PDT_ISO PikeOS Device Driver Programming Reference Manual pikeos-doc-drvref-5.1-305.noarch.rpm SHA256: bd36e8b97ce4b5e8eb2cb458a8f261c4fde8b7376d050746559fd445e5c0ef20 5.1-305 PDT_ISO PikeOS PSP and KDEV Developer’s Guide pikeos-doc-pspdevguide-5.1-281.noarch.rpm SHA256: beb01adac2c23d44ecb0a9cf45e332514ce93b9fd6dfdcd6390c35a069581897 5.1-281 PDT_ISO ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 23 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 P4EXT PikeOS Native Personality Extensions pikeos-doc-p4ext-5.1-87.noarch.rpm SHA256: a35ac8a76908f4f82bb0df9a443fd3385c916208c40276cf35dc1f9dbd1cc056 5.1-87 PDT_ISO CENV C Language Programming Environment pikeos-doc-cenv-5.1-41.noarch.rpm SHA256: b7cc316394bacb72f912b53872aafee5b6e3c481f370247dbed9fa6c63963158 5.1-41 PDT_ISO PikeOS Platform Manual for ARM v8-A 64-bit Boards pikeos-doc-platarm64-5.1-597.noarch.rpm SHA256: c61258d7b610df4f6de655b7931686cd8401aa1968816f5e562c78e6993c8924 5.1-597 PDT_ISO PikeOS Armv8 Generic Certification Kit pikeos-certkit-gen-asp-arm_v8hf-5.1-353.noarch.rpm SHA256: 754f275945bf46792bc0e38420607661c75375c85305f4d5fc3471f36cc589dc pikeos-certkit-gen-conf-arm_v8hf-5.1-353.noarch.rpm SHA256: 82c7e5b0ce760b908ed5a8f5985fe997738b1098f137441832de0c213a62aa6a pikeos-certkit-gen-libs-arm_v8hf-5.1-353.noarch.rpm SHA256: d70127908687dbe3b0e82bca01b195e2c18e2c2f10e5f4146986abdcc6da8f74 pikeos-certkit-gen-kern-arm_v8hf-5.1-353.noarch.rpm SHA256: 248778905d2fab83a93e80e5925b6fe4570748c41106bee83270ae634a0666b1 pikeos-certkit-gen-pgen-arm_v8hf-5.1-353.noarch.rpm SHA256: c76ed7f3555f790c6c82b446d8dd6df405365d7405009b692ae80117acf484d6 pikeos-certkit-gen-pssw-arm_v8hf-5.1-353.noarch.rpm SHA256: 8176e79590077c76f2df2eb0dee6a9b11b063264d3a68aabee274c941509fb4d pikeos-certkit-gen-sm-arm_v8hf-5.1-353.noarch.rpm SHA256: 3e11eaf2874a5fed4ffadaf561412dfa249824a340663fa9e9db0570d2edc201 pikeos-certkit-gen-usermanual-arm_v8hf-5.1-92.noarch.rpm SHA256: 613f83524ef082a7f2962467dbdbdcdfc43368e0a1b52f9061cceb9de1a526bd S6510 CKGEN_ISO PikeOS HWVIRT Generic Certification Kit pikeos-certkit-hwvirt-gen-analysis-arm_v8hf-5.1-36.noarch.rpm SHA256: 8443b999306fefac8bf04f8ef7d6c1bc1f73944c0d2c86a8c5f60826aa98dc55 pikeos-certkit-hwvirt-gen-artefacts-arm_v8hf-5.1-123.noarch.rpm SHA256: 89daf06b0a90765becdb8e9b4590244e43a844fc9e2f8ce0372424907ccde515 pikeos-certkit-hwvirt-gen-usermanual-arm_v8hf-5.1-41.noarch.rpm SHA256: 04d52c2a9fe46aac294f669a60edbbb7d07e1f313c278a1ae118c13ee434080f S7000 HWV_CKGEN_ISO 18109 PikeOS BSP Genric Certification Kit pikeos-certkit-generic-18109-arm_v8hf-5.1-279.noarch.rpm SHA256: 5916183aa735c6c20ec04080accc55f8b98cbfa96dbd3d26502ddc5efeb263dc 279 BSP_CKGEN_ISO Security Bulletin 18109 PikeOS BSP pikeos-p18109-certkit-cc-secbul-5.1-287.noarch.rpm SHA256: fabed1a44677566e69c9a36639f9dc4847917338486ef53cd7d5b0261843b49c 287 BSP_CKCC_ISO Table 4: TOE Physical Components Application Note 1: The documents referred to as "Security Bulletin" in Table 4 list all vulnerabilities found during the Common Criteria evaluation process that shall be addressed by the integrator. 3.4.6 TOE Logical Boundary The TOE provides the following TOE security services, abbreviated as TSS_XXX: • TSS_SSA: Separation in space of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP by using the underlying hardware, as shown by the red lines in Figure 1. Applications can be hosted in different partitions. Partitions get assigned resources (i.e. space) according to the SSP, which comprise memory ranges and a set of CPUs. The TSF enforces the corresponding part of the SSP by the enforcement of access control on partition content, per-partition provision of physical memory space and allocated CPU time for each CPU. By confining non-privileged ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 24 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 executables into partitions, the TSF enforces that these applications can affect neither applications in other partitions nor the PikeOS Operating System itself. • TSS_STA: Separation in time of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP. Applications can be hosted in different partitions. Parti- tions get assigned CPU time (i.e. time windows) according to the SSP. The TSF enforces the corresponding part of the SSP by per-partition allocation of a predefined amount of CPU time for each CPU. On a partition switch CPUs will be reused. • TSS_COM: Provision and management of communication objects. Applications hosted in different parti- tions can get assigned a set of communication objects. A communication object is an object exposed to one or multiple partitions with access rights as defined in the configuration data, thus allowing communication between partitions. • TSS_MAN: Management of the TOE (e.g. system partition API) and the TOE data (e.g. threads, tasks). The TOE restricts a non-privileged application to only manage tasks and threads within its partition. The TOE provides an API to privileged applications to manage the TOE and the TOE data. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 25 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 4 Conformance Claims 4.1 CC Conformance Claim This Security Target (ST) conforms to the Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 5 [Com17] (CC) as follows: • Part 2 conformant • Part 3 conformant 4.2 Protection Profile Claim This ST does not claim conformance with any Protection Profile. 4.3 Package Claim This ST claims conformance to the Evaluation Assurance Level 5 (EAL 5), augmented with ALC_FLR.3, ADV_IMP.2, ALC_DVS.2, AVA_VAN.5, and ALC_CMC.5. Thus, this ST is EAL 5 augmented. 4.4 Conformance Rationale Since this ST does not claim conformance to any protection profile, this section is not applicable. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 26 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 5 Security Problem Definition 5.1 Assets All assets within the same domain as the TSF (see Figure 1, red-line shape with TSF) are treated in this security target together with the asset TSF data (AS.TSF_DATA). Asset Name Description Security Properties to be Preserved Memory (AS.MEM) RAM or ROM memory, memory mapped I/O, and port mapped I/O assigned to a partition by the integrator . confidentiality, integrity, availability Files (AS.FILE) Access to files and access modes assigned to a partition by the integrator . confidentiality, integrity Ports (AS.PORT) Each port is either a source port or a destination port. The integrator uses channels to specify from which source ports PikeOS transfers messages to which destination ports. confidentiality, integrity Interrupts (AS.INT) Set of interrupts allocated to each partition, configured by the integrator . confidentiality, integrity Access to PSP-specific services (AS.PS) For each access to PSP-specific services, the right to invoke that driver is configured by the integrator per partition. confidentiality, integrity CPU cores (AS.CORE) Set of CPU cores allocated to each partition, configured by the integrator . integrity Memory reserved for exclusive access by the PikeOS hypervisor (AS.KMEM) Memory reserved for exclusive access by the PikeOS hypervisor used on behalf of the resource partition, configured by the integrator . Application Note 2: This memory is within the same domain as the TSF. availability CPU processing time (AS.TIME) The integrator assigns time windows to partitions. This defines the CPU processing time of each partition. availability Tasks (AS.TASK) An application always has at least one task. Tasks are used to structure the assigned memory into address spaces. This asset consists of this structure. Application Note 3: The content of tasks is already covered by AS.MEM. API protection ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 27 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Asset Name Description Security Properties to be Preserved Threads (AS.THR) An application always has at least one thread. The asset consists of all threads that can be created in a partition. API protection TSF data (AS.TSF_DATA) TSF data consists of: Configuration data: Data used by the TSF to enforce the SSP. Run-time data such as partition attributes, task and thread management data. confidentiality, integrity System Partition API (AS.SYS_PART_API) The system partition API is an interface to functions of the TSF available for system partitions. API protection Table 5: Assets 5.2 Threats Assets are defined in Table 5 in Section 5.1. An attacker is a non-privileged executable. T.DISCLOSURE An attacker reads an asset of which the property confidentiality shall be maintained according to Table 5 and the SSP. T.MODIFICATION An attacker writes an asset of which the property integrity shall be maintained according to Table 5 and the SSP. T.DEPLETION By consuming resources of which the property availability shall be maintained according to Table 5 and the SSP, an attacker makes these resources unavailable to the TOE itself and/or to non-privileged executables and/or to privileged executables. T.EXECUTION An attacker executes a management function of which the property API protection shall be maintained according to Table 5 and the SSP without being authorized to do so. 5.3 Organizational Security Policies This Security Target defines no organizational security policies. 5.4 Assumptions A.PRIVILEGED_EXECUTABLES All privileged executables are approved by the integrator. The integrator thereby takes responsibility that the privileged executables have been developed according to the TOE User Manuals and do not violate the SSP. The integrator takes responsibility not to put privileged executables and non-privileged executables into the same partition. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 28 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Application Note 4: The TOE User Manuals provide detailed guidance on secure configuration and usage of the TOE. A.HARDWARE The underlying hardware, firmware, and bootloader provide the necessary properties, are working correctly and have no undocumented or unintended security critical side effect on the functions of the TOE. The hardware must fulfill the following requirements, as explained in the TOE User Manuals: 1. Provide CPU(s) with at least two privilege modes ("user" and "supervisor" mode). Only the TOE itself and privileged executables may run in the "supervisor" mode. Non-privileged executables always run in "user mode". In "user mode", only a limited set of instructions is available; in "supervisor mode", all instructions are available. 2. The hardware shall have a MMU, which is capable of restricting accesses (e.g. destinations of load and store CPU instructions) of non-privileged executables to certain memory regions. The MMU shall only be configurable from a privileged CPU mode, thus, it can only be configurable through the TOE to configure the policies specifying these access restrictions. These policies are part of the SSP. During TOE run time, these policies are represented as page tables used by the MMU. 3. The hardware (CPU or CPUs) shall provide instructions to switch between privilege modes and to use the memory management to set up different segments of memory. 4. The hardware (CPU or CPUs) shall allow the TOE to reuse CPU(s) for different non-privileged executa- bles, in a way that there is no residual information flow through CPU registers across a partition boundary. 5. The hardware shall provide default values for security-relevant settings at power-on (e.g. program counter, detailed instructions shall be included in the hardware reference manual). This supports the TOE reaching the initial safe and secure state. 6. If the hardware possesses any other active components beside CPUs or CPUs have operating mode(s) not under control of the PikeOS Operating System, then the hardware shall provide support either to turn these components completely off or to control them as described in the TOE User Manuals. For example, if a device accessible by non-privileged executables can execute DMA, then all DMA shall be switched off or, in order to control DMA, the hardware shall provide an I/O MMU, with an I/O MMU driver protected by the PikeOS Operating System. Specific requirements to the Armv8 architecture Cortex-A53 are: • The processors are operated in 64-bit mode • Memory Management Unit (MMU) with Virtual Memory System Architecture • Vector Floating Point (VFP) / Advanced SIMD (Neon) extension The TOE is assumed to be operated exclusively on the dedicated hardware known as NXP LS1023A/LS1043 ARM- based processor for embedded networking. A.EXCLUSIVE_RESOURCES All resources required by the PikeOS Operating System, its privileged executables, and its non-privileged executables are exclusively controlled by the TOE. A.PHYSICAL It is assumed that the IT environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE. A.TRUSTWORTHY_PERSONNEL The personnel configuring, integrating, and developing the product based on the TOE (integrator) are trustworthy, act according to the TOE User Manuals and are sufficiently qualified for this task. Application Note 5: The system integration phase (Section 3.4.4.2) can be split into the four steps: selection of the TOE operational environment, non-privileged and privileged executables, and deciding on system partitions and normal partitions (Step 1), fusion (Step 2), configuration of the TOE (Step 3), and integration (Step 4). At each step of the system integration phase, the integrator shall follow the TOE User Manuals. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 29 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 6 Security Objectives 6.1 Security Objectives for the TOE OT.CONFIDENTIALITY For each asset, the TOE shall preserve its confidentiality according to Table 5 and the SSP. OT.INTEGRITY For each asset, the TOE shall preserve its integrity according to Table 5 and the SSP. OT.RESOURCE_AVAILABILITY For resources assigned to partitions and to TSF data, the TOE shall preserve their availability according to Table 5 and the SSP. Application Note 6: In this ST, availability means that the TOE will provide a specified amount of a resource or ability to use some TOE services. This ST does not consider availability in the sense of physical availability such as tolerance to power failure. OT.API_PROTECTION The TSF shall prevent any execution of a management function reserved to privileged executables by non-privileged executables. 6.2 Security Objectives for the Operational Environment OE.PRIVILEGED_EXECUTABLES All privileged executables are approved by the integrator. The integrator thereby takes responsibility that the privileged executables have been developed according to the TOE User Manuals and do not violate the SSP. OE.HARDWARE The underlying hardware, firmware, and bootloader provide the necessary properties, are working correctly and have no undocumented or unintended security critical side effect on the functions of the TOE. The hardware must fulfill the following requirements, as explained in the TOE User Manuals: 1. Provide CPU(s) with at least two privilege modes ("user" and "supervisor" mode). Only the TOE itself and privileged executables may run in the "supervisor" mode. Non-privileged executables always run in "user mode". In "user mode", only a limited set of instructions is available; in "supervisor mode", all instructions are available. 2. The hardware shall have a MMU, which is capable of restricting accesses (e.g. destinations of load and store CPU instructions) of non-privileged executables to certain memory regions. The MMU shall only be configurable from a privileged CPU mode, thus, it can only be configurable through the TOE to configure the policies specifying these access restrictions. These policies are part of the SSP. During TOE run time, these policies are represented as page tables used by the MMU. 3. The hardware (CPU or CPUs) shall provide instructions to switch between privilege modes and to use the memory management to set up different segments of memory. 4. The hardware (CPU or CPUs) shall allow the TOE to reuse CPU(s) for different non-privileged executa- bles, in a way that there is no residual information flow through CPU registers across a partition boundary. 5. The hardware shall provide default values for security-relevant settings at power-on (e.g. program counter, detailed instructions shall be included in the hardware reference manual). This supports the TOE reaching the initial safe and secure state. 6. If the hardware possesses any other active components beside CPUs or CPUs have operating mode(s) not under control of the PikeOS Operating System, then the hardware shall provide support either to turn these components completely off or to control them as described in the TOE User Manuals. For example, if a device accessible by non-privileged executables can execute DMA, then all DMA shall be switched off or, ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 30 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 in order to control DMA, the hardware shall provide an I/O MMU, with an I/O MMU driver protected by the PikeOS Operating System. Specific requirements to the Armv8 architecture Cortex-A53 are: • The processors are operated in 64-bit mode • Memory Management Unit (MMU) with Virtual Memory System Architecture • Vector Floating Point (VFP) / Advanced SIMD (Neon) extension The TOE is assumed to be operated exclusively on the dedicated hardware known as NXP LS1023A/LS1043 Armv8- based processor for embedded networking. Application Note 7: Due to imperfections of the underlying hardware platform, the TOE cannot guarantee complete absence of side/covert channels. It is the responsibility of the integrator to use all security features of the TOE to their full effect and to assess whether the residual risk due to platform vulnerabilities that cannot be mitigated by the TOE is acceptable. OE.EXCLUSIVE_RESOURCES All resources required by the PikeOS Operating System, its privileged executables, and its non-privileged executables are exclusively controlled by the TOE. OE.PHYSICAL The IT environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE. OE.TRUSTWORTHY_PERSONNEL The personnel configuring and integrating the TOE (integrator) and those installing and operating the TOE (system operator) are trustworthy, act according to the TOE User Manuals, and are sufficiently qualified for this task. 6.3 Security Objectives Rationale The following table provides an overview for security objectives coverage (TOE and its environment) and also gives an evidence for sufficiency and necessity of the defined objectives. It shows that all threats and OSPs are addressed by the security objectives and it also shows that all assumptions are addressed by the security objectives for the TOE operational environment. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 31 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 OT.CONFIDENTIALITY OT.INTEGRITY OT.RESOURCE_AVAILABILITY OT.API_PROTECTION OE.PRIVILEGED_EXECUTABLES OE.HARDWARE OE.EXCLUSIVE_RESOURCES OE.PHYSICAL OE.TRUSTWORTHY_PERSONNEL T.DISCLOSURE X T.MODIFICATION X T.DEPLETION X T.EXECUTION X A.PRIVILEGED_EXECUTABLES X A.HARDWARE X A.EXCLUSIVE_RESOURCES X A.PHYSICAL X A.TRUSTWORTHY_PERSONNEL X Table 6: Security Objectives Rationale A justification required for suitability of the security objectives to cope with the security problem definition is given below: 6.3.1 Security Objectives Rationale: Threats 6.3.1.1 Threat: T.DISCLOSURE If the security objective OT.CONFIDENTIALITY has been reached, the threat T.DISCLOSURE is completely elimi- nated. 6.3.1.2 Threat: T.MODIFICATION If the security objective OT.INTEGRITY has been reached, the threat T.MODIFICATION is completely elimi- nated. 6.3.1.3 Threat: T.DEPLETION If the security objective OT.RESOURCE_AVAILABILITY has been reached, the threat T.DEPLETION is completely eliminated. 6.3.1.4 Threat: T.EXECUTION If the security objective OT.API_PROTECTION has been reached, the threat T.EXECUTION is completely elimi- nated. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 32 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 6.3.2 Security Objective Rationale: Assumptions Each security assumption in this Security Target is addressed by at least one security objective for the operational environment. This section maps assumptions to environmental security objectives and provides a rationale how the assumption is fulfilled. 6.3.2.1 Assumption: A.PRIVILEGED_EXECUTABLES OE.PRIVILEGED_EXECUTABLES directly upholds A.PRIVILEGED_EXECUTABLES. 6.3.2.2 Assumption: A.HARDWARE OE.HARDWARE directly upholds A.HARDWARE. 6.3.2.3 Assumption: A.EXCLUSIVE_RESOURCES OE.EXCLUSIVE_RESOURCES directly upholds A.EXCLUSIVE_RESOURCES. 6.3.2.4 Assumption: A.PHYSICAL OE.PHYSICAL directly upholds A.PHYSICAL. 6.3.2.5 Assumption: A.TRUSTWORTHY_PERSONNEL OE.TRUSTWORTHY_PERSONNEL directly upholds A.TRUSTWORTHY_PERSONNEL. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 33 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 7 Extended Components Definition This Security Target does not include any extended components. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 34 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 8 Security Requirements This section defines security functional requirements (SFRs) and security assurance requirements (SARs), which apply to the TOE. 8.1 Security Functional Requirements We perform assignment, selection, and refinement of the SFRs provided by the CC. The assignment operation is marked by square brackets "[ ]". The selection operation is marked in italics. In a refinement operation, added text is underlined and removed text is crossed out. The iteration operation is used when a component is repeated on varying assets. Iteration is denoted by showing a slash ("/") and the iteration indicator after the component identifier. For example, FDP_ACF.1/CPA indicates an iteration of FDP_ACF.1 on ’communication port access’. Iterations applied to assets follow the order of Table 5 in Section 5.1 (Assets). Where sentences are grouped by having the same indentation level, the terms "OR" and "AND" in uppercase are used to indicate their logical relation. Configuration XML elements, attributes, and values are denoted in . These configuration elements, attributes, and values have speaking names, and when the configuration maintains a list of elements, then this list is referred to in the configuration as . For a detailed explanation on how to use the configuration to configure the TOE see the TOE User Manuals. All symbols beginning with "p4_" or "vm_" are API symbols that the TOE provides to applications. In this ST, we list only those symbols that trigger a system call and are not convenience user space wrappers for other calls. See the TOE User Manuals for details. Application Note 8: The SSP is a subset of the VMIT configured by the integrator. The SFP is a set of rules that are parameterized by the SSP. These rules are fix-coded in the implementation of the TSF. Thus, the behavior of a product based on PikeOS depends on the SFP and SSP. In the following the SFP is split up into sub-SFPs as follows: • memory access control policy (MA) • file access control policy (FA) • communication port access control policy (CPA) • interrupt access control policy (IA) • PSP-specific services access control policy (PSA) • CPU core access policy (CCA) • IPC and event communication policy (IEC) Application Note 9: In this ST, the term subject is used for a thread in a partition, for an application, or for a partition as a whole depending on the context. In the running TOE, the entity executing application code is a TOE thread. In a partition there can be multiple threads and each thread is uniquely assigned to its partition. Since this ST works on security policies at partition level, we abstract all threads in one partition to the partition subject. 8.1.1 User Data Protection (FDP) 8.1.1.1 FDP_ACC.2/MA Complete Access Control - Memory Access FDP_ACC.2.1/MA: The TSF shall enforce the [memory access control policy] on [subjects: partitions, objects: mem- ory] and all operations among subjects and objects covered by the SFP. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 35 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 FDP_ACC.2.2/MA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. Application Note 10:The TSF initializes the MMU of the CPU and sets up page tables in the memory allocated to the TSF to enforce this policy. 8.1.1.2 FDP_ACF.1/MA Security Attribute Based Access Control - Memory Access FDP_ACF.1.1/MA: The TSF shall enforce the [memory access control policy] to objects based on the follow- ing [subjects: partitions, objects: memory areas, security attributes: partition ID, attributes defined for the memory area]. FDP_ACF.1.2/MA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [ Access to physical memory M of type , , , or is allowed to a subject in PA if: M is specified in a MR in the contained within PA AND there is a MA in the contained within the subject’s which refers to MR AND the access operation is read or write or execute and the access mode of both MR and MA matches for read, for write, and for execute correspondingly OR M is specified in a MR in the contained within PA and the attribute of M is set to AND a subject in PA has obtained a memory descriptor MD (vm_mem_lookup) and has successfully performed a memory mapping (vm_mem_pool_alloc) operation with MD AND ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 36 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 the access operation is read or write or execute and the access mode of MR matches for read, for write, and for execute correspondingly OR M is in the text segment of an ELF file referenced in a element in the contained in a of the of PA and the attribute is set to AND the access operation is read or execute OR M is specified in a property file system node PN where the attribute specifies access mode AM AND the element of PA has an element of type where the at- tribute includes and the attribute matches the PN AND a subject in PA has successfully performed an open operation (vm_open) on the property node name PN with access flags including , resulting in a file descriptor FD AND a subject in PA has successfully performed a property memory mapping (vm_prop_mem_map) operation with the file descriptor FD AND the access operation is read or write or execute and compatible with AM OR M is specified in a property file system node PN AND ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 37 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 the element of PA has an element of type where the at- tribute is AM and the attribute matches the PN AND a subject in PA has successfully performed open operation (vm_open) on the property node name PN with access flags including and access flags being subset of AM, resulting in a file descriptor FD AND a subject in PA has successfully performed a property I/O port mapping (vm_prop_ioport_map) operation with the file descriptor FD AND the access operation is read or write OR M has been received via mapping IPC (p4_ipc) with the requested access mode allowing to read or write M AND the access operation is read or write respectively OR M is the storage location of a file F that has been memory-mapped via vm_map with access mode MAM AND There is a entry with a referring to F in the list contained within PA AND F is successfully opened (vm_open) according to FDP_ACF.1.2/FA with an access mode AM including and being a superset of MAM AND ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 38 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 the access operation is read or write or execute and MAM matches for read, for write, and for execute correspondingly OR M is part of a memory page that the TSF has mapped in read-only access mode to all partitions ("kernel info page") AND the access operation is read ]. FDP_ACF.1.3/MA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4/MA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. Application Note 11: The memory pool can be used by a partition in three ways: (1) an application in a partition uses memory allocation service calls (e.g. vm_mem_pool_alloc) to get memory from the pool; (2) the application ELF file is mapped to the memory allocated from the pool during partition initialization, if it is specified in the VMIT; (3) memory is mapped from the pool to partition during partition initialization, if it is specified in the VMIT. Application Note 12: Shared memory in the TOE is implemented as files provided by the internal file provider shm. Shared memories are specified in the and are processed in the same way as the disjunction for the case vm_map. 8.1.1.3 FDP_ACC.2/FA Complete Access Control - File Access FDP_ACC.2.1/FA: The TSF shall enforce the [file access control policy] on [subjects: partitions, objects: files] and all operations among subjects and objects covered by the SFP. FDP_ACC.2.2/FA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. 8.1.1.4 FDP_ACF.1/FA Security Attribute Based Access Control - File Access FDP_ACF.1.1/FA: The TSF shall enforce the [file access control policy] to objects based on the following: [subjects: partitions, objects: files, security attributes: partition ID, attributes defined for the files in the configura- tion element of the partition in the VMIT]. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 39 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 FDP_ACF.1.2/FA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [ • an open operation (vm_open) on any file F provided by a builtin file provider, external file provider, system extension or kernel device driver to PA is allowed if: The element of PA has an element of type where attribute matches F AND the access flags provided as an argument to the vm_open operation are subset of element for file F • a mount operation (vm_mount) on any volume V to PA is allowed if: The element of PA has an element of type where attribute matches V and contains flag AND the access flags provided as an argument to the vm_mount operation are subset of element for the volume V • a status request operation (vm_stat) on any file F by a builtin file provider, external file provider, system exten- sion or kernel device driver to PA is allowed if: The element of PA has an element of type where attribute matches F • an access operation (vm_close, vm_fstat, vm_fsync, vm_ioctl, vm_lseek, vm_map, vm_prop_read, vm_prop_write, vm_read, vm_read_at, vm_discard_at, vm_test, vm_write, vm_write_at) on file F provided by a builtin file provider, system extension or kernel device driver to PA is allowed if: ( the file has been successfully opened before with the access flags including and the access operation is vm_read, vm_read_at, or vm_prop_read OR ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 40 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 the file has been successfully opened before with the access flags including and the access operation is vm_write, vm_write_at, or vm_prop_write OR the file has been successfully opened before with the access flags including and the access operation is vm_map OR the file has been successfully opened before with the access flags including or and the access operation is vm_lseek OR the file has been successfully opened before and the operation is vm_close, vm_fstat, vm_fsync, vm_ioctl, vm_test, vm_discard_at ) ]. Application Note 13: Files can be provided by builtin file providers, system extensions, kernel device drivers, external file providers, or volume providers. An access operation itself on a file provided by a builtin file provider is implemented by the TSF. An access operation on a file provided by a system extension or kernel device driver is directly forwarded by the TSF, after validating the file descriptor, to the corresponding function of the system extension or kernel device driver after the check described FDP_ACF.1.2/FA. An access operation on a file provided by an external file provider is implemented as a direct IPC to the file provider. See FDP_IFC.2 and FDP_IFF.1. An open, status request or access operation on a file provided by a volume file provider is implemented as a direct IPC to the volume provider. See FDP_IFC.2 and FDP_IFF.1. FDP_ACF.1.3/FA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4/FA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. 8.1.1.5 FDP_ACC.2/CPA Complete Access Control - Communication Port Access FDP_ACC.2.1/CPA: The TSF shall enforce the [communication port access control policy] on [subjects: partitions, objects: communication ports] and all operations among subjects and objects covered by the SFP. FDP_ACC.2.2/CPA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 41 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 8.1.1.6 FDP_ACF.1/CPA Security Attribute Based Access Control - Communication Port Access FDP_ACF.1.1/CPA: The TSF shall enforce the [communication port access control policy] to objects based on the following: [subjects: partitions, objects: communication ports, security attributes: partition ID, port attribute in the VMIT, configuration elements in the VMIT]. FDP_ACF.1.2/CPA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [ • an open operation (vm_qport_open, vm_sport_open) on port PO is allowed to PA if: the element of PA has an element of type where attribute equals PO or the of PA has an element of type where attribute equals PO AND the argument direction to the open (vm_qport_open, vm_sport_open) operation is equal to the attribute of the PO • a status request operation (vm_qport_iterate, vm_qport_stat, vm_sport_iterate, vm_sport_stat) on port PO is allowed to PA if: the element of PA has an element of type where attribute equals PO or the of PA has an element of type where attribute equals PO • an access operation on port PO successfully opened by PA is allowed if: ( the operation is read (vm_qport_read, vm_qport_read_routed, vm_sport_read, vm_sport_read_at), and the port PO was successfully opened with destination direction OR the operation is write (vm_qport_write, vm_qport_write_routed, vm_sport_write) and the port was success- fully opened with destination direction OR all other access operations (vm_qport_clear, vm_qport_close, vm_qport_control, vm_qport_pstat, vm_qport_pstat_routed, vm_qport_psync, vm_qport_test, vm_sport_clear, vm_sport_close, vm_sport_control, vm_sport_pstat, vm_sport_psync, vm_sport_test) on ports are allowed ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 42 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 ) ]. FDP_ACF.1.3/CPA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4/CPA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. 8.1.1.7 FDP_ACC.2/IA Complete Access Control - Interrupt Access FDP_ACC.2.1/IA: The TSF shall enforce the [interrupt access control policy] on [subjects: partitions, objects: inter- rupts] and all operations among subjects and objects covered by the SFP. FDP_ACC.2.2/IA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. 8.1.1.8 FDP_ACF.1/IA Security Attribute Based Access Control - Interrupt Access FDP_ACF.1.1/IA: The TSF shall enforce the [interrupt access control policy] to objects based on the following: [sub- jects: partitions, objects: interrupts, security attributes: partition ID, attributes defined for files in the configuration element of the partition in the VMIT]. FDP_ACF.1.2/IA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [ The operation p4_int_attach_syscall of attaching to interrupt IN (i.e., to have an interrupt handler invoked when interrupt IN is triggered) is allowed to a subject in PA if: IN is specified in a property file system node PN AND the element of PA has an element of type where the attribute matches PN and attribute AM AND ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 43 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 a subject in PA has successfully performed an open operation (vm_open) on the property node PN with access flags including and being subset of AM, resulting in file descriptor FD AND A subject in PA has performed successfully vm_prop_int_grant with the file descriptor FD, giving a valid interrupt number IN ]. FDP_ACF.1.3/IA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4/IA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. 8.1.1.9 FDP_ACC.2/PSA Complete Access Control - PSP-Specific Services Access FDP_ACC.2.1/PSA: The TSF shall enforce the [PSP-specific services access control policy] on [subjects: partitions, objects: PSP-specific services] and all operations among subjects and objects covered by the SFP. FDP_ACC.2.2/PSA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. 8.1.1.10 FDP_ACF.1/PSA Security Attribute Based Access Control - PSP-Specific Services Access FDP_ACF.1.1/PSA: The TSF shall enforce the [PSP-specific services access control policy] to objects based on the following: [subjects: partitions, objects: interrupts, security attributes: partition ID, attributes defined for files in the configuration element of the partition in the VMIT]. FDP_ACF.1.2/PSA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [ The operation of invoking a PSP-specific service PS (p4_dev_call) is allowed to a subject in PA if: PS is specified in a property file system node PN AND the element of PA has an element of type where the attribute matches to the PN and attribute AM ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 44 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 AND a subject in PA has successfully performed an open operation (vm_open) on the property node PN with access flags including and being subset of AM, resulting in file descriptor FD AND a subject in partition PA has successfully performed vm_prop_dev_grant with the file descriptor FD, giving access to the PSP-specific service PS ]. FDP_ACF.1.3/PSA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4/PSA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. 8.1.1.11 FDP_ACC.2/CCA Complete Access Control - CPU Core Access FDP_ACC.2.1/CCA: The TSF shall enforce the [CPU core access control policy] on [subjects: partitions, objects: CPU cores] and all operations among subjects and objects covered by the SFP. FDP_ACC.2.2/CCA: The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. 8.1.1.12 FDP_ACF.1/CCA Security Attribute Based Access Control - CPU Core Access FDP_ACF.1.1/CCA: The TSF shall enforce the [CPU core access control policy] to objects based on the following: [subjects: partitions, objects: CPU cores, security attributes: partition ID, CPU cores in the configuration element of the partition in the VMIT]. FDP_ACF.1.2/CCA: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [ The PA can run a thread on CPU core C if the element of PA has set the Cth bit in the . ]. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 45 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 FDP_ACF.1.3/CCA: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4/CCA: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. 8.1.1.13 FDP_IFC.2 Complete Information Flow Control FDP_IFC.2.1: The TSF shall enforce the [IPC and event communication policy] on [all subjects: partitions] and all operations that cause that information to flow to and from subjects covered by the SFP. FDP_IFC.2.2: The TSF shall ensure that all operations that cause any information in the TOE to flow to and from any subject in the TOE are covered by an information flow control SFP. 8.1.1.14 FDP_IFF.1 Simple Security Attributes FDP_IFF.1.1: The TSF shall enforce the [IPC and event communication policy] based on the following types of subject and information security attributes: [ • subject identity: thread ID • information security attributes: file access permissions to a file marked with attribute or ]. FDP_IFF.1.2: The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [ The operation signal event (p4_ev_signal) or send IPC (p4_ipc), from a thread in PA1 to a subject in PA2 or vice versa is allowed if: the VMIT specifies that PA1 provides a file F with attribute AND the of PA2 has an element of type where attribute is AM and attribute matches F AND ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 46 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 PA1 has successfully registered the file provider (vm_fp_register) with the TOE AND a subject in PA2 has successfully performed an open operation (vm_open) on file F with access flags being subset of AM OR the VMIT specifies that PA1 provides a volume V with attribute AND the of PA2 has an element of type where is AM and con- tains and attribute matches V AND PA1 has successfully registered the volume provider (vm_vp_register) with the TOE AND a subject in PA2 has successfully performed a mount operation (vm_mount) on V with access flags being subset of AM ]. FDP_IFF.1.3: The TSF shall enforce the [additional information flow rules: none]. FDP_IFF.1.4: The TSF shall explicitly authorize an information flow based on the following rules: [none]. FDP_IFF.1.5: The TSF shall explicitly deny an information flow based on the following rules: [none]. 8.1.2 Identification and Authentication (FIA) 8.1.2.1 FIA_UID.2 User Identification FIA_UID.2.1: The TSF shall require each user partition to be successfully identified before allowing any other TSF- mediated actions on behalf of that user partition. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 47 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Application Note 14: A "user" of the TOE is a partition. 8.1.3 Security Management (FMT) 8.1.3.1 FMT_MSA.1 Management of Security Attributes FMT_MSA.1.1: The TSF shall enforce the [IPC and event communication policy, memory access control policy, file access control policy, communication port access control policy, PSP-specific services access control policy, interrupt access control policy, CPU core access control policy] to restrict the ability to [write] the security attributes [specified in the VMIT and property file system] to [system partitions]. 8.1.3.2 FMT_MSA.3 Static Policy Attribute Initialization FMT_MSA.3.1: The TSF shall enforce the [IPC and event communication policy, memory access control policy, file access control policy, communication port access control policy, PSP-specific services access control policy, interrupt access control policy, CPU core access control policy] to provide [restrictive or integrator-defined] default values for security attributes that are used to enforce the SFP. Application Note 15: The integrator defines the VMIT. The VMIT is used by the TSF as the source of initial SSP val- ues. If an attribute is not defined by the integrator in the VMIT for a subject, then the default is to deny any operations involving this attribute, i.e. a white list security policy is implemented. This behavior is specified in FMT_MSA.3.1 as "restrictive default values". Attributes with integrator-defined values in the VMIT are also initial values for the TSF. This behavior is specified in FMT_MSA.3.1 as "integrator-defined default values". FMT_MSA.3.2: The TSF shall allow [no one] to specify alternative initial values to override the default values when an object or information is created. Application Note 16: The TSF does not have any functionality for specifying alternative initial values to override the default values. 8.1.3.3 FMT_MTD.1/SYS Management of TSF Data - System Partition API FMT_MTD.1.1/SYS: The TSF shall restrict the ability to [invoke] the [System Partition API] to [system parti- tions]. Application Note 17: The complete definition of the System Partition API is given in the TOE User Manuals. 8.1.3.4 FMT_MTD.1/TASK Management of TSF Data - Tasks FMT_MTD.1.1/TASK: The TSF shall restrict the ability to [ ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 48 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 • activate (p4_task_activate) • terminate (p4_task_terminate) • modify (p4_comm_grant, p4_comm_link, p4_dev_grant, p4_dev_link, p4_int_grant, p4_int_link, p4_task_start, p4_task_donate, p4_task_hm_register, p4_task_hm_wait, p4_task_hm_wake) • read (p4_task_get_attr) ] the [tasks] to [the owning partition or system partitions]. Application Note 18: Tasks are also TSF data. A partition owns a task if the task is assigned to it by the integrator in the VMIT. 8.1.3.5 FMT_MTD.1/THR Management of TSF Data - Threads FMT_MTD.1.1/THR: The TSF shall restrict the ability to [ • create (p4_thread_create_syscall) • delete (p4_thread_delete) • modify (p4_fast_set_prio_syscall, p4_thread_alarm_syscall, p4_thread_ex_affinity, p4_thread_ex_exh, p4_thread_ex_regs, p4_thread_ex_sched_syscall, p4_thread_except, p4_thread_preempt, p4_thread_resume, p4_thread_set_regs, p4_thread_stop_syscall, p4_sysemu_enter, p4_thread_yield) • read (p4_fast_get_prio_syscall, p4_my_cpuid_syscall, p4_my_timepart_syscall, p4_my_uid_syscall, p4_thread_get_attr, p4_thread_get_regs) ] the [threads] to [the owning partition or system partitions]. Application Note 19: Threads are also TSF data. A partition owns a thread if the thread is created by one of its applications. 8.1.3.6 FMT_SMF.1 Specification of Management Functions FMT_SMF.1.1: The TSF shall be capable of performing the following management functions: ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 49 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 [ • thread management • task management • TOE management (System Partition API) ]. 8.1.3.7 FMT_SMR.1 Security Roles FMT_SMR.1.1: The TSF shall maintain the roles: [ • "system partition" and • "normal partition" ]. FMT_SMR.1.2: The TSF shall be able to associate users partitions with roles. Application Note 20: The TSF supports roles on partition granularity. 8.1.4 Resource Utilization (FRU) 8.1.4.1 FRU_RSA.2/MEM Minimum and Maximum Quotas - Memory FRU_RSA.2.1/MEM: The TSF shall enforce maximum quotas of the following resources: [ System memory: the maximum amount of system memory is the sum of the sizes elements of type with attribute set to or of type assigned to that partition in the VMIT ] that subjects, which are the non-privileged executables in a normal partition can use simultaneously. FRU_RSA.2.2/MEM: The TSF shall ensure the provision of minimum quantity of each: ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 50 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 [ System memory: the minimum amount of system memory is the sum of the sizes of all elements of type with attribute set to or of type assigned to that partition in the VMIT ] that is available for subjects, which are the non-privileged executables in a normal partition to use simultane- ously. Application Note 21: In contrast to FDP_ACF.1/MA, FRU_RSA.2.1/MEM only considers memory that is dynamically allocated to the subjects based on a SSP-defined quota and the enforcement of that quota by the TSF. 8.1.4.2 FRU_RSA.2/TIME Minimum and Maximum Quotas - Processing Time FRU_RSA.2.1/TIME: The TSF shall enforce maximum quotas of the following resources: [ Processing time: the maximum amount of CPU processing time is the sum of the attributes of as- signed elements of its in the VMIT ] that subjects, which are the non-privileged executables in a normal partition can use over a specified period of time. FRU_RSA.2.2/TIME: The TSF shall ensure the provision of minimum quantity of each: [ Processing time: if time windows are assigned to a partition exclusively, the minimum amount of CPU processing time is the sum of the attributes of assigned elements of its in the VMIT ] that is available for subjects, which are the non-privileged executables in a normal partition to use over a specified period of time. Application Note 22: The "specified period of time" is the sum of the attributes of all elements the . The schedule scheme is repeated with cyclic periodicity. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 51 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Application Note 23: If a window is assigned to more than one partition, i.e. the window is not assigned exclusively, the integrator can use the attributes for partitions sharing the window to set up a sharing scheme for the CPU processing time within that window. 8.2 Security Assurance Requirements This ST claims conformance to the assurance level EAL 5 augmented with ALC_FLR.3, ADV_IMP.2, ALC_DVS.2, AVA_VAN.5 and ALC_CMC.5. 8.3 Security Requirements Rationale The following table provides an overview for security functional requirements coverage also giving an evidence for sufficiency and necessity of the SFRs chosen. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 52 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 OT.CONFIDENTIALITY OT.INTEGRITY OT.RESOURCE_AVAILABILITY OT.API_PROTECTION FDP_ACC.2/MA X X X FDP_ACF.1/MA X X X FDP_ACC.2/FA X X FDP_ACF.1/FA X X FDP_ACC.2/CPA X X FDP_ACF.1/CPA X X FDP_ACC.2/IA X X FDP_ACF.1/IA X X FDP_ACC.2/PSA X X FDP_ACF.1/PSA X X FDP_ACC.2/CCA X X FDP_ACF.1/CCA X X FDP_IFC.2 X FDP_IFF.1 X FIA_UID.2 X X FMT_MSA.1 X X FMT_MSA.3 X X FMT_MTD.1/SYS X FMT_MTD.1/TASK X FMT_MTD.1/THR X FMT_SMF.1 X FMT_SMR.1 X X FRU_RSA.2/MEM X X FRU_RSA.2/TIME X X Table 7: Coverage of Security Objectives for the TOE by SFR. "X" is for where a dependency to an objective exists. 8.3.1 Security Objective: OT.CONFIDENTIALITY For all assets, the operations of non-privileged executables are controlled by the TSF: • For the asset AS.MEM the SFRs FDP_ACC.2/MA and FDP_ACF.1/MA ensure that non-privileged executa- bles can only access memory (AS.MEM) according to the SSP. • For the asset AS.FILE the SFRs FDP_ACC.2/FA and FDP_ACF.1/FA ensure that non-privileged executa- bles can only access files (AS.FILE) according to the SSP. • For the asset AS.PORT the SFRs FDP_ACC.2/CPA and FDP_ACF.1/CPA ensure that non-privileged exe- cutables can only access communication ports (AS.PORT) according to the SSP. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 53 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 • For the asset AS.INT the SFRs FDP_ACC.2/IA and FDP_ACF.1/IA ensure that non-privileged executables can only access interrupts (AS.INT) according to the SSP. • For the asset AS.PS the SFRs FDP_ACC.2/PSA and FDP_ACF.1/PSA ensure that non-privileged executa- bles can only access PSP-specific services (AS.PSA) according to the SSP. • For the asset AS.CORE the SFRs FDP_ACC.2/CCA and FDP_ACF.1/CCA ensure that non-privileged executables can only access CPU cores (AS.CORE) according to the SSP. • For the asset AS.TSF_DATA, the TSF configures the MMU to disallow non-privileged executables to ac- cess the memory of any of these other assets (i.e., the memory used for AS.TASK, AS.TSF_DATA and AS.THR). The TSF data also includes all security attributes that TSF uses to manage any asset (e.g. se- curity attributes for file access rights or the schedule schemes used for assignment of CPU processing time). FIA_UID.2 ensures that partitions are identified; FMT_SMR.1 provides security roles to partitions. FMT_MSA.1 re- stricts the ability to write the security attributes specified in the VMIT and the property file system to system partitions. FMT_MSA.3 provides restrictive or integrator-defined default values for security attributes. FDP_IFF.1, FDP_IFC.2 ensure that IPC and event communication information flows originating from non-privileged executables are restricted to information flows allowed according to the SSP. FRU_RSA.2/MEM ensures that no information flow against the SSP can be initiated by memory depletion. FRU_RSA.2/TIME ensures that no information flow against the SSP can be initiated by CPU processing time depletion. 8.3.2 Security Objective: OT.INTEGRITY For all assets, the operations of non-privileged executables are controlled by the TSF: • For the asset AS.MEM the SFRs FDP_ACC.2/MA and FDP_ACF.1/MA ensure that non-privileged executa- bles can only access memory (AS.MEM) according to the SSP. • For the asset AS.FILE the SFRs FDP_ACC.2/FA and FDP_ACF.1/FA ensure that non-privileged executa- bles can only access files (AS.FILE) according to the SSP. • For the asset AS.PORT the SFRs FDP_ACC.2/CPA and FDP_ACF.1/CPA ensure that non-privileged exe- cutables can only access communication ports (AS.PORT) according to the SSP. • For the asset AS.INT the SFRs FDP_ACC.2/IA and FDP_ACF.1/IA ensure that non-privileged executables can only access interrupts (AS.INT) according to the SSP. • For the asset AS.PS the SFRs FDP_ACC.2/PSA and FDP_ACF.1/PSA ensure that non-privileged executa- bles can only access PSP-specific services (AS.PSA) according to the SSP. • For the asset AS.CORE the SFRs FDP_ACC.2/CCA and FDP_ACF.1/CCA ensure that non-privileged executables can only access CPU cores (AS.CORE) according to the SSP. • For the asset AS.TSF_DATA, the TSF configures the MMU to disallow non-privileged executables to ac- cess the memory of any of these other assets (i.e., the memory used for AS.TASK, AS.TSF_DATA and AS.THR). The TSF data also includes all security attributes that TSF uses to manage any asset (e.g. se- curity attributes for file access rights or the schedule schemes used for assignment of CPU processing time). FIA_UID.2 ensures that partitions are identified; FMT_SMR.1 provides security roles to partitions. FMT_MSA.1 re- stricts the ability to write the security attributes specified in the VMIT and the property file system to system partitions. FMT_MSA.3 provides restrictive or integrator-defined default values for security attributes. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 54 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 8.3.3 Security Objective: OT.RESOURCE_AVAILABILITY • For the assets AS.MEM and AS.KMEM, FRU_RSA.2/MEM ensures that limits are enforced according to the SSP on the minimum and maximum amount of memory (AS.MEM) and exclusive hypervisor memory (AS.KMEM) available to non-privileged applications in normal partitions. • For the asset processing time (AS.TIME), FRU_RSA.2/TIME ensures that limits are enforced according to the SSP on the minimum and maximum processing time (AS.TIME) available to non-privileged applications in normal partitions. These limits also ensure that resources used for AS.TASK, AS.TSF_DATA and AS.THR are not depleted through operations of non-privileged executables. 8.3.4 Security Objective: OT.API_PROTECTION FMT_SMF.1 specifies that the management API can be used for management of threads, tasks and the TOE. FMT_MTD.1/SYS ensures that the TOE prevents access from normal partitions to the system application API. FMT_MTD.1/TASK restricts the access that a normal partition has via the normal partition API to tasks that the normal partition owns. FMT_MTD.1/THR restricts the access that a normal partition has via the normal partition API to threads that the normal partition owns. All other APIs reserved for privileged executables (PSP, system extensions and kernel device drivers) only can be reached from executables linked to the TOE. FDP_ACC.2/MA and FDP_ACF.1/MA ensure that the TOE prevents any execution of the APIs by non-privileged applications. 8.3.5 Security Assurance Requirements Rationale EAL 5+ has been considered appropriate to ensure the robust and reliable separation of partitions. ALC_FLR.3 has been included to ensure that integrators understand how to submit security flaw reports to SYSGO and how to register themselves with SYSGO so that they may receive these corrective fixes. ADV_IMP.2, ALC_DVS.2, and AVA_VAN.5 and related dependencies have been added to be compliant to qualification renforcée [ANSSI17]. 8.3.6 Security Assurance Requirements Dependency Analysis In this section, we provide a dependency analysis for the security assurance requirements as defined by the CC. There are no unfulfilled dependencies. This ST claims conformance to the standard EAL 5 package. For the EAL 5 standard package, all dependencies in CC v3.1 part 3 provided packages are fulfilled. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 55 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 Family: Depends on: Covered by: ALC_FLR.3 No dependencies - ADV_IMP.2 ADV_TDS.3, ALC_TAT.1, ALC_CMC.5 Either covered by this augmentation or EAL5 ALC_DVS.2 No dependencies - AVA_VAN.5 ADV_ARC.1, ADV_FSP.4, ADV_TDS.3, ADV_IMP.1, AGD_OPE.1, AGD_PRE.1, ATE_DPT.1 Covered by EAL5 ALC_CMC.5 ALC_CMS.1, ALC_DVS.2, ALC_LCD.1 Either covered by this augmentation or EAL5 Table 8: SAR Dependency Analysis ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 56 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 9 TOE Summary Specification This section describes how each TOE Security Service defined in Section 3.4.6 is implemented and covers its SFRs. TSS_SSA: Separation in space of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP: Applications can be hosted in different partitions. Partitions get assigned resources (i.e. space) according to the SSP, which comprise memory ranges and a set of CPUs. The TSF enforces the corresponding part of the SSP by the enforcement of access control on partition content, per-partition provision of physical memory space and allocated CPU time for each CPU. By confining non-privileged executables into partitions, the TSF enforces that these applications can affect neither applications in other partitions nor the PikeOS Operating System itself. The TSF defines separated security domains via page tables. For memory (AS.MEM) the SFRs FDP_ACC.2/MA and FDP_ACF.1/MA are implemented because the TSF configures the MMU to use these page tables to confine single load/store operations within a predefined physical memory. For interrupts (AS.INT) the SFRs FDP_ACC.2/IA and FDP_ACF.1/IA are implemented and ensure that non-privileged executables can only access interrupts according to the SSP. For PSP-specific services (AS.PS) the SFRs FDP_ACC.2/PSA and FDP_ACF.1/PSA are implemented and ensure that non-privileged executables can only access PSP-specific services according to the SSP. For CPU cores (AS.CORE) the SFRs FDP_ACC.2/CCA and FDP_ACF.1/CCA are implemented and ensure that non-privileged executables can only access CPU cores according to the SSP. FRU_RSA.2/MEM (AS.MEM and AS.KMEM) is implemented because limits on the minimum and maximum amount of memory available to non-privileged executables in normal partitions are enforced according to the SSP. Separation in space includes access control to devices via device drivers, e.g. Ethernet or USB drivers. The drivers can be configured by the SSP to be contained in a partition. Separation in space also includes execution of industrial APIs/libraries. These APIs/libraries can be run as non- privileged executables, for example POSIX, ARINC 653 (APEX), Linux, RTEMS, OSEK, and thus cannot bypass the SSP. TSS_STA: Separation in time of applications hosted in different partitions from each other and from the PikeOS Operating System according to the SSP: Applications can be hosted in different partitions. Partitions get assigned CPU time (i.e. time windows) according to the SSP. The TSF enforces the corresponding part of the SSP by per-partition allocation of a predefined amount of CPU time for each CPU. On a partition switch CPUs will be reused. FRU_RSA.2/TIME is implemented because limits on the minimum and maximum amount of processing time available to non-privileged executables in normal partitions are enforced according to the SSP. TSS_COM: Provision and management of communication objects: Applications hosted in different partitions can get assigned a set of communication objects. A communication object is an object exposed to one or multiple partitions with access rights as defined in the configuration data, thus allowing communication between partitions. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 57 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 For communication ports (AS.PORT) the SFRs FDP_ACC.2/CPA and FDP_ACF.1/CPA are implemented and ensure that non-privileged executables can only access communication ports according to the SSP. For files (AS.FILE) the SFRs FDP_ACC.2/FA and FDP_ACF.1/FA are implemented and ensure that non-privileged executables can only access files according to the SSP. For memory that is used as shared memory (AS.MEM) FDP_ACC.2/MA and FDP_ACF.1/MA are implemented be- cause the TSF configures the MMU to use these page tables to confine single load/store operations within a prede- fined physical memory. For IPC and event communication, FDP_IFC.2 and FDP_IFF.1 are implemented by providing communication objects and because information flows originating from non-privileged executables are restricted to information flows allowed by the SSP. TSS_MAN: Management of the TOE (e.g. system partition API) and the TOE data (e.g. threads, tasks): The TSF protects the confidentiality and integrity of TSF data and the availability of resources. FIA_UID.2 is implemented by requiring each partition to be successfully identified before allowing any other TSF- mediated actions on behalf of that application. FMT_MSA.1 is implemented because the TSF restricts the ability to write the security attributes specified in the VMIT and the property file system to system partitions. FMT_MSA.3 is implemented because the TSF provides restrictive or integrator-defined default values for security attributes that are used to enforce the SFP. FMT_SMF.1 is implemented because the TSF provides functions for thread management, task management and TOE management (System Partition API). FMT_MTD.1/SYS is implemented because the TOE prevents any access of a non-privileged executable to the system partition API. FMT_MTD.1/TASK is implemented because the TOE restricts the access to tasks that a non-privileged executable has to tasks that its normal partition owns. FMT_MTD.1/THR is implemented because the TOE restricts any access of a non-privileged executable the access to threads that its partition to threads that its partition owns. FMT_SMR.1 is implemented by assigning the roles "system partition" and "normal partition" and associating each partition with a role. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 58 of 59 Security Target for the PikeOS Separation Kernel v5.1.3 for the NXP LS1023A/LS1043A Processor Doc.-ID: 18109-8000-ST Revision: 41.19 10 Acknowledgment Part of this ST is based on SKPP [Inf07, LNIM10], OSPP [OSPP], HASK-PP [Bun08]. This ST has benefited from the work in the TECOM (FP7 grant 216888), SeSaM (BMBF grants 01BY1120 to 01BY1123), PASS (BMWi grant 01 MD 16002D), EURO-MILS (FP7 grant 318353) and certMILS (H2020 grant 731456) projects. ©2023 by SYSGO GmbH. SYSGO, ELinOS, PikeOS, and CODEO are trademarks or registered trademarks of SYSGO GmbH. All other products, logos and service names are the trademarks of their responsible owners. SYSGO Headquarters Phone +49 6136 9948 500 sales-de@sysgo.com SYSGO France Phone +33 1 30 09 12 70 sales-fr@sysgo.com SYSGO Czech Phone +420 222 138 111 sales-cz@sysgo.com Restricted Page 59 of 59