diff --git a/source/glossary/index.rst b/source/glossary/index.rst index 8b8e4846..e10bb54a 100644 --- a/source/glossary/index.rst +++ b/source/glossary/index.rst @@ -7,7 +7,7 @@ Terminology FoundriesFactory :term:`Foundries.io`'s Cloud native DevSecOps platform. Used for building, testing, deploying and maintaining Linux-based devices. - Includes the :term:`Linux microPlatform` distro, OTA update mechanisms, and management tools, such as Fioctl. + Includes the :term:`Linux microPlatform` distro, OTA update mechanisms, and management tools such as Fioctl. An instance of FoundriesFactory—customized to your needs and machine—is a :term:`Factory`. Foundries.io @@ -48,14 +48,16 @@ Terminology * :ref:`Porting, LmP ` Target - A description of the software a device should run. This description is visible as metadata in :term:`targets.json`. + A description of the software a device should run. + This description is visible as metadata in :term:`targets.json`. Includes details such as OSTree Hash and Docker-Compose App URIs, but are arbitrary. * :ref:`Tutorial, Target ` Docker-Compose App Compose App - Also referred to as app. A folder in :term:`containers.git`, containing a ``docker-compose.yml``. + Also referred to as app. + A folder in :term:`containers.git`, containing a ``docker-compose.yml``. The name of this folder is the name of your Docker-Compose App. * :ref:`Tutorial, Compose Apps ` 
@@ -63,19 +65,174 @@ Terminology System Image The OS image produced by the Factory that is flashed to all devices. - The build artifact is usually named ``lmp-factory-image-.wic.gz`` + The build artifact is commonly named ``lmp-factory-image-.wic.gz`` ``factory-config.yml`` A file in the :term:`ci-scripts.git` repository of the Factory which controls all configurable aspects of a Factory. Such as :ref:`ref-advanced-tagging`, :ref:`ug-container-preloading` and email alerts. - * `Factory Definition Reference Manual ` + * :ref:`Reference Manual, Factory Definition ` ``targets.json`` Part of `TUF Metadata `_ that specifies what Targets are valid to install. - It can be summarized with ``fioctl targets list``, or viewed in full with ``fioctl targets list --raw`` + You can view the summary with ``fioctl targets list``, or view in full with ``fioctl targets list --raw`` ``MACHINE`` - The Yocto machine name. - Officially supported by Foundries if listed in :ref:`ref-linux-supported`. + The machine name, as configured in the Yocto Project meta-layer. + Officially supported in FoundriesFactory if listed in :ref:`ref-linux-supported`. + + CA + Certificate Authority + Creates and signs certificates which certifies public keys. + Frequently used by browsers. + + * :ref:`Root of Trust, Managing Factory PKI ` + + CSR + Certificate Signing Request + Protocol to securely issue an X.509 certificate, if provided attributes. + + * :ref:`User Guide, Rotating Device Certificate ` + * :ref:`Security, Device Certificate Rotation ` + * :ref:`User Guide, Device Gateway PKI ` + + Device Gateway + Through which devices connect to OTA services. + Configured with mutual TLS. + + * :ref:`Security, Device Gateway ` + * :ref:`Testing, Device Gateway Testing API ` + * :ref:`Troubleshooting, Errors and Solutions ` + * :ref:`User Guide, Device Gateway PKI ` + + ECC + Elliptic Curve Cryptography + An approach in public-key cryptography based on elliptic curves over finite fields. 
+ This allows for smaller keys than otherwise, but with an equivalent security level. + + * :ref:`Security, Secure Element ` + * :ref:`Security, StM32MP1 Secure boot ` + * :ref:`Security, OP-TEE on the Versal Adaptive Computer Acceleration Platform ` + + ECIES + Elliptic Curve Integrated Encryption Scheme + Protocol to securely encrypt data using an EC public key that can only be decrypted by the private key owner. + Used by FoundriesFactory to provision configuration changes to devices. + + Hardware Root of Trust + The first step in a security process used to trust code; always trusted. + Includes HSM/TPM and Secure Boot. + + * :ref:`Security, OP-TEE on the Versal Adaptive Computer Acceleration Platform ` + + HSM + Hardware Security Module + A physical device generally used for managing digital keys and encrypting and decrypting data. + + * :ref:`User Guide, LmP Device Auto Register ` + * :ref:`OTA Reference Manual, OTA Architecture ` + + Key Agreement + Symmetric key negotiation—definition of a shared secret—without having to transmit the key. + + Key Transport + Symmetric key created by one party and transmitted to the other party as ciphertext. + + mTLS + A mutual :term:`TLS` where both client and server must present an X.509 certificate to prove identity and authorize connection. + This is how Factory devices talk to the device gateway for OTA. + Compared to TLS, mTLS has the benefit of protecting intellectual property, + but does not add more protection from device data manipulation. + + * :ref:`Device Gateway Reference Manual, Server TLS Certificate ` + * :ref:`Security Reference Manual, FoundriesFactory Security Summary ` + + OAuth2 + The industry-standard protocol for authorization developed within the IETF OAuth Working Group. + + PKCS #11 + Public-Key Cryptography Standards # 11 + Defines an API for cryptographic tokens, implemented by OP-TEE. + Supported for Factory PKI and storage of device keys. 
+ + * :ref:`Secure Element TPM Reference Manual, PKCS #11 Support ` + * :ref:`EdgeLock™ SE05x Reference Manual, Importing Secure Objects into PKCS #11 Tokens ` + * :ref:`Linux Disk Encryption Reference Manual, PKCS #11 Tokens ` + * `TEE PKCS #11 Implementation (external) `_ + + PKI + Public Key Infrastructure + How digital certificates and keys relate to their owners and can be trusted. + + * :ref:`Device Gateway PKI User Guide, Device Gateway PKI ` + * :ref:`Factory Account Roles User Guide, Factory PKI Management ` + * :ref:`iMX Secure Boot Reference Manual, PKI tree ` + * :ref:`Factory Registration Reference Manual, Device Gateway PKI ` + + Secure Boot + Helps ensure only trusted software executes at boot. + * :ref:`Security, Secure Boot ` + * :ref:`Security, UEFI Secure Boot ` + * :ref:`Security, Machines With Secure Boot ` + + Secure World + Trusted Execution Environment (:term:`TEE`) on ARM. + + TEE + OP-TEE + Trusted Execution Environment. + In general, a hardware based component where code can run. + + * :ref:`Porting Guide, including OP-TEE ` + * :ref:`EdgeLock SE05x Reference Manual ,OP-TEE Use ` + * :ref:`Factory Keys, OP-TEE Keys ` + + TF-A + Trusted Firmware-A + Secure world software for Armv7-A and Armv8-A. + + * :ref:`Factory Keys, TF-A Keys ` + + TLS + Transport Layer Security + Cryptographic protocol for securing communication within a network. + See-also: :term:`mTLS` + + TLS Handshake + The procedure belonging to the :term:`TLS` protocol where the client and server agree on how to exchange information. + + TPM 2 + Trusted Platform Module 2.0 implementation + A standard for a cryptoprocessor. + Used to check platform integrity and to form a root of trust. + + * :ref:`Security, Trusted Platform Module ` + + TUF + The Update Framework + Open Source Framework and Specification used to help keep software update systems secure against different attack types. + Uses its own keys. + Also used for updating :term:`Fioctl`. 
+ See-also: :term:`Target` + + * :ref:`Account Management, Team Based Access and TUF Keys ` + * :ref:`Custom CI User Guide, TUF Targets ` + * :ref:`CI Targets Reference Manual, TUF Targets; TUF Metadata ` + * :ref:`Offline Updates, TUF Metadata; TUF Keys; TUF Repo; ` + * :ref:`Reference Manual, Offline Factory TUF Keys ` + * :ref:`Crypto Key Summary, TUF Signing Keys ` + * :ref:`Production Targets, TUF ` + + UEFI + Unified Extensible Firmware Interface + Standard which connects firmware for booting the hardware and operating system(s). + Also defines :term:`Secure Boot`. + + * :ref:`Security, UEFI Secure Boot ` + * :ref:`Crypto Keys, UEFI Secure Boot Flow ` + * :ref:`Disk Encryption Support, UEFI Requirement; UEFI Support; UEFI Secure Boot ` + + + X.509 + An International Telecommunication Union (ITU) standard defining the format of public key certificates. diff --git a/source/reference-manual/security/ff-security-summary.rst b/source/reference-manual/security/ff-security-summary.rst index cbda5341..f999bc58 100644 --- a/source/reference-manual/security/ff-security-summary.rst +++ b/source/reference-manual/security/ff-security-summary.rst @@ -1,3 +1,5 @@ +.. _ff-crypto-key-summary: + Summary of Crypto Keys Used by FoundriesFactory =============================================== diff --git a/source/user-guide/account-management/account-roles.rst b/source/user-guide/account-management/account-roles.rst index 3f1ff4ad..e3511d01 100644 --- a/source/user-guide/account-management/account-roles.rst +++ b/source/user-guide/account-management/account-roles.rst @@ -22,7 +22,7 @@ There are four roles available. The two core roles being: - manage teams - manage the Factory subscription plan - register, delete, and rename all devices - - manage the Factory's Public Key Infrastructure (PKI) and create Waves. + - manage the Factory's :term:`Public Key Infrastructure` (PKI) and create Waves. The remaining two each get a subset of the **Owner** permissions.
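Review bot: In source/glossary/index.rst, the FoundriesFactory entry (first hunk) keeps "Fioctl" as plain text, while the TUF entry added later in this patch links it with :term:`Fioctl`. No Fioctl glossary entry is visible in this diff, so confirm one exists (an unresolved :term: role produces a Sphinx warning) and then use the same markup in both places.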
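Review bot: In the Target entry of source/glossary/index.rst (second hunk), the unchanged line "Includes details such as OSTree Hash and Docker-Compose App URIs, but are arbitrary." has no clear subject for "are arbitrary". This hunk already reflows the sentences around it, so reword that line here so it says what is arbitrary.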
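Review bot: In the large glossary hunk of source/glossary/index.rst, the CSR entry defines a Certificate Signing Request as a "Protocol to securely issue an X.509 certificate, if provided attributes", but a CSR is the request message submitted to a CA (the public key plus identifying attributes, signed with the matching private key), not a protocol, and it does not issue anything itself. Suggest rewording along those lines and linking :term:`CA` and :term:`X.509`, both of which this patch adds. The Secure Boot entry is also missing the blank line between "Helps ensure only trusted software executes at boot." and its first "* :ref:" bullet that the other entries have, so the list will be folded into the paragraph when rendered. In the mTLS entry, "protecting intellectual property" does not say what the client certificate adds. Stating that the gateway authenticates the device before serving it would make the comparison with TLS concrete.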