From 31b5a6ed0d6d5d9d2c3239b36dd021a6870357e0 Mon Sep 17 00:00:00 2001 From: NicholasWoodIMG <142398143+NicholasWoodIMG@users.noreply.github.com> Date: Tue, 4 Jun 2024 14:35:37 +0100 Subject: [PATCH] Chapter 1 PoC fix. Signed-off-by: NicholasWoodIMG <142398143+NicholasWoodIMG@users.noreply.github.com> --- specification/src/chapter1.adoc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/specification/src/chapter1.adoc b/specification/src/chapter1.adoc index 95e43a7..f453320 100644 --- a/specification/src/chapter1.adoc +++ b/specification/src/chapter1.adoc 
@@ -5,18 +5,22 @@ This specification provides guidelines for building secure RISC-V systems using RISC-V security building blocks. It is aimed at developers of RISC-V technical specifications, as well as at designers of secure RISC-V systems. -A few example use cases are provided, which are based on commonly used security deployment models. +A few example use cases are provided, based on commonly used security deployment models. These are not intended to be exhaustive but are common enough to represent a wide range of deployments of secure products. They are accompanied by use case specific security guidelines which are intended to help readers implement secure products for their specific use cases. The examples may be extended over time as required. +RISC-V is currently not intending to create a security certification programme. This specification is provided as non-normative guidance for developing secure RISC-V systems which are certifiable within existing third party security certification programmes. + +This specification does not define any new RISC-V ISA or non-ISA extensions. Instead it refers to existing RISC-V extensions, as well as commonly used non-RVI architecture agnostic security features and processes. It aims to show how those can be combined, in commonly used examples, to create systems which are certifiabe within commonly used existing security certification programmes. + +All existing RISC-V extensions are associated with an RVI _proof of concept (PoC)_, providing a viable example implementation. Any non-RVI security feature or process referred to in this document has existing commonly used sample implementations equivalent to an RVI PoC. + The examples are not definitions of formal Protection Profiles (See: https://csrc.nist.gov/glossary/term/protection_profile). Formal protection profiles are typically provided by third party certification bodies for different ecosystems. 
The guidelines provided within the examples in this specification are intended to help readers adapt RISC-V security features to meet security requirements of commonly used third party protection profiles. -RISC-V is currently not intending to create a security certification programme. This specification is provided as non-normative guidance for developing secure RISC-V systems which are certifiable within existing third party security certification programmes. As such, there is no RISC-V proof of concept or RISC-V testing associated with this specification. - This specification does not contain threat modelling or security assessment of individual RISC-V technical specifications. Individual RISC-V technical specifications are expected to use the Security Model as a guide to develop their own specific security analysis, including formal threat modeling where appropriate. For this purpose, all guidelines in this document are labelled to enable referencing from other specifications. Specific security analysis in the context of a RISC-V technical specification may require testing and a proof of concept as per normal RISC-V development processes for RISC-V technical specifications. Security is an evolving area where new use cases and new threats can emerge at any time. This specification represents the RISC-V security model and best practice as of the date of publication of this document.
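Review bot: "certifiabe" in the added paragraph that begins "This specification does not define any new RISC-V ISA or non-ISA extensions" is a typo for "certifiable". In the added PoC paragraph, "All existing RISC-V extensions are associated with an RVI _proof of concept (PoC)_" and "Any non-RVI security feature or process referred to in this document has existing commonly used sample implementations equivalent to an RVI PoC" are absolute claims with no reference. Consider pointing to where those PoCs and sample implementations are listed, or narrowing the wording to the extensions and features this document actually refers to. The hunk also drops "As such, there is no RISC-V proof of concept or RISC-V testing associated with this specification" without a replacement statement on testing, so the visible text no longer says whether any testing is associated with this specification. If that is intended, the commit message ("Chapter 1 PoC fix.") should say so.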