CGX CGL and Security

MontaVista’s CGX Security Profile encompasses both reactive and proactive security features so embedded developers can stay ahead of emerging threats.

Reactive approaches like CVE patching, secure live updates, auditing, and monitoring give you peace of mind your product stays resistant to emerging vulnerabilities. As important, proactive measures give developers more “weapons” to withstand attacks, even those that are new and not yet detected. MontaVista also offers the ability to securely isolate applications using Docker/Containers or KVM.

We proactively monitor emerging CVEs. Moreover, we pay for membership into groups that provide early warnings of CVE’s before they go public. When a priority CVE hits (like Heartbleed or BASH), we provide an immediate fix after the vulnerability embargo is lifted.  The benefit to our customers is they are covered quickly to avoid any high priority security attacks.

For IoT, key security initiatives are implementing a solid Root of Trust, identity management and authentication (using secure keys), and real-time monitoring for unauthorized applications (i.e. preventing Trojan Horses).  MontaVista’s CGX Security Profile implements security features to address these initiatives.  Developers can use TrustZone or Trust Platform Module (TPM) to implement Secure Boot, identity authentication, and secure key management.  TrustZone also offers the ability to create secure “sandboxes” using Trusted Execution Environments (TEE).

The benefit to our customers is they can seamlessly incorporate advanced and robust security prevention measures to withstand known and unknown attacks.  This helps reduce maintenance cost, increase product reliability, and build confidence in your reputation of being a secure product provider. 

At a high level, CGX Security features, including roadmap, are:

Proactive
  • Trusted Platform Module (TPM) 1.2/2.0
  • Trustzone
  • SELinux
  • ASLR/kASLR
  • TPM Library (TrouSers)
  • Common Criteria EAL4+ Profile
  • Secure Boot
  • Mutex W/E Pages (PaX)
  • Linux IMA/EVM
  • Encryption (offload with hardware partners)
Reactive
  • Quarterly CVE updates
  • Samhain
  • Tripwire auditing
  • ASLR/kASLR
  • Auditd
  • Secure Update Manager

MontaVista also uses the following specifications as guides to determine the best technology and practices to include in our CGX platform:

Security Technology Implementation Guide (STIG) UNIX version 5.0 r1

Common Criteria Operation System Protection Profile (OSPP) version 2.0

Including these specifications makes it significantly easier for MontaVista's customers to certify a full hardware/software product for these profiles and comply with widely accepted security standards.