Communication modes

Disable USB, Serial and DOCSIS Support

To disable USB support in U-Boot, the following configuration options shall not be defined:

CONFIG_CMD_USB: Enables basic USB support and the usb command.
CONFIG_USB_UHCI: Defines the low-level part.
CONFIG_USB_KEYBOARD: Enables the USB Keyboard.
CONFIG_USB_STORAGE: Enables the USB storage devices.
CONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support.

In addition, disable any communication modes in U-Boot and sboot that are not necessary, such as Ethernet, serial ports and DOCSIS.

Linux kernel support for USB should be compiled out if not required. If it is needed, the kernel should be configured to enable only the minimum required USB devices. User-initiated USB filesystems should be treated with special care. Whether or not the filesystems are mounted in userspace (FUSE), restricted mount options should be observed.

| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | USB | Disabled and compiled out if not required. |
| Boot-Communication-2 | USB | Else, kernel should be configured to only enable the minimum required USB devices and filesystems should be treated with special care. |
| Boot-Communication-3 | Ethernet | Disabled |
| Boot-Communication-4 | U-Boot and sboot DOCSIS | Disabled |
| Boot-Communication-5 | Serial ports | Disabled |

| Domain | Config name | State |
|---|---|---|
| Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined |
| Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined |
| Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined |
| Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined |
| Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined |
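
One way to check a build against the Boot-Communication-USB table, as an added example that is not part of the original document or of U-Boot: the script reads Kconfig-style `.config` lines and `#define`-style board-header lines and reports which of the five options are still defined. The function names, the sample input and the option `CONFIG_USB_STORAGE_EXAMPLE` are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Options the table requires to be left undefined, keyed to their rule ids.
FORBIDDEN = {
    "CONFIG_CMD_USB": "Boot-Communication-USB-1",
    "CONFIG_USB_UHCI": "Boot-Communication-USB-2",
    "CONFIG_USB_KEYBOARD": "Boot-Communication-USB-3",
    "CONFIG_USB_STORAGE": "Boot-Communication-USB-4",
    "CONFIG_USB_HOST_ETHER": "Boot-Communication-USB-5",
}

# Constructed sample mixing .config lines and board-header lines.
# CONFIG_USB_STORAGE_EXAMPLE is a made-up name used to test prefix handling.
SAMPLE = """\
CONFIG_CMD_USB=y
# CONFIG_USB_UHCI is not set
CONFIG_USB_STORAGE_EXAMPLE=y
CONFIG_USB_KEYBOARD=n
#define CONFIG_USB_HOST_ETHER
// #define CONFIG_USB_STORAGE
"""

KCONFIG = re.compile(r"^\s*(CONFIG_\w+)\s*=\s*(.*?)\s*$")
DEFINE = re.compile(r"^\s*#\s*(define|undef)\s+(CONFIG_\w+)\b")

def defined_options(text):
    """Return CONFIG_ symbols still defined after reading text top to bottom.
    Does not evaluate #if/#ifdef conditionals or /* */ block comments."""
    on = set()
    for line in text.splitlines():
        m = KCONFIG.match(line)
        if m:
            # "=n" or an empty value switches the option off
            (on.discard if m.group(2) in ("n", "") else on.add)(m.group(1))
            continue
        m = DEFINE.match(line)
        if m:
            (on.add if m.group(1) == "define" else on.discard)(m.group(2))
    return on

def violations(text):
    """Return (rule id, option) pairs for every forbidden option that is defined."""
    on = defined_options(text)
    return sorted((rule, opt) for opt, rule in FORBIDDEN.items() if opt in on)

if __name__ == "__main__":
    text = "\n".join(Path(p).read_text() for p in sys.argv[1:]) or SAMPLE
    found = violations(text)
    for rule, opt in found:
        print(f"FAIL {rule}: {opt} is defined")
    sys.exit(1 if found else 0)
```

Run it with the build's configuration files as arguments; a non-zero exit status lets a CI job fail the build when a listed option is still defined.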

Disable all unused Network Interfaces

Only used network interfaces should be enabled. Where possible, services should also be limited to those necessary.

| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | Network interfaces | Preferably no network interface is allowed, otherwise, restrict the services to those used. |

Remove or Disable Unnecessary Services, Ports, and Devices

Restrict the services, ports and devices to those used.

| Domain | Object | Recommendations |
|---|---|---|
| Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used. |

Disable flash access

Recommendation:

In U-Boot, the following flash memory commands shall be disabled:

NAND: Support for NAND flash access available through do_nand has to be disabled.

| Domain | Command name | State |
|---|---|---|
| Boot-Communication-Flash-1 | do_nand | Disable |

Similarly, sboot should disable any flash access support available through its command line.