Security documentation contains a code guideline section that is more
about security principles than code guidelines themselves. Just removing
the mention of code guideline to avoid possible confusion with
upcoming project code guideline based on MISRA-C.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
These CVEs have been released from embargo. Include details in the v2.3
release notes, and in the vulnerabilities document.
Signed-off-by: David Brown <david.brown@linaro.org>
Include documentation for CVE issues that are now out of embargo. This
includes links to the CVE database, as well as referencing the PRs
within Zephyr that fix these issues.
Signed-off-by: David Brown <david.brown@linaro.org>
In addition to having security vulnerability fixes reported within each
release note page, consolidate all of them in a new vulnerabilities
document.
This gives us two advantages: 1. The vulnerabilities can easily be
referenced in a single place, which is useful for someone trying to
cross reference against CVE lists, and 2. It allows a release to be made
with just CVE numbers when issues are under embargo, and the details can
be added to this vulnerabilities page. The release notes will be locked
to a tag, and updates will not be visible.
Signed-off-by: David Brown <david.brown@linaro.org>
Remove leading/trailing blank lines in .c, .h, .py, .rst, .yml, and
.yaml files.
Will avoid failures with the new CI test in
https://github.com/zephyrproject-rtos/ci-tools/pull/112, though it only
checks changed files.
Move the 'target-notes' target in boards/xtensa/odroid_go/doc/index.rst
to get rid of the trailing blank line there. It was probably misplaced.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Rewrite who the members of the Security Group are
and move the 'ability' of the members to an outer
bullet point.
Signed-off-by: Thomas Ebert Hansen <thoh@oticon.com>
The sentence "To process process documentation." does not make
any sense at all.
Add missing "the" to the sentence "in form of".
Signed-off-by: Thomas Ebert Hansen <thoh@oticon.com>
Continuation of a bullet list item wasn't indented properly, causing a
new list to be started (with odd indentation).
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
Certain external requirements require justification that threats in a
threat model have been satisfied. In order to do this, the threats must
be enumerated, and given labels.
Add labels to the threats. Use rst's citation model to allow the
threats to be grouped and listed at the end of the document to help with
cross referencing.
Signed-off-by: David Brown <david.brown@linaro.org>
This patch removes the revision history from the security overview
document. With this file being maintained in git, there is no need
for an additional in-document revision history table.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch revises the security overview document to bring the
information pertaining to stack protection, thread separation,
and memory protection up to date with the current state of the
software releases.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Add a doc to the security section enumerating a threat model for a
sensor-type device. This will help the direction of work to meet these
security requirements for this particular application.
Signed-off-by: David Brown <david.brown@linaro.org>
This patch updates information pertaining to userspace related security
features. Some of these have been added to releases and this needs to
be shown in the document.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Fixed error introduced in application.rst (v1.8) along with a general
spelling check pass including consistent spelling of "runtime" and
hyphenated words with "pre-".
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
While we're working on doc publishing that separates
kernel docs that are release-specific from project docs
that aren't, (temporarily) put the security documents
here so they'll be published with the 1.9 release.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>