
Common Criteria POWER9 Power10

By Veena Ganti posted Tue August 23, 2022 03:37 PM

Common Criteria Security Certification
for POWER9 and Power10
Information security has always been an important consideration in providing a complete enterprise solution, but with the current volume of attacks and exploits it has become a focus area for every customer. The PowerVM and Power hardware teams always put security at the center of our designs, and protection of client data is one of the key values of a PowerVM solution. This blog covers a recently achieved security certification of PowerVM.

Value of Security Certification
One reason a vendor might pursue a security certification is to satisfy an explicit contractual requirement that the product hold such a certification. In this situation, the consumer of the product may want to run only the specific level of hardware, firmware and/or software that makes up the certified configuration. Technically, as soon as a fix is applied to the environment, the evaluated configuration changes and the certification is usually no longer valid. Some certifications, including this PowerVM certificate, also evaluate the vendor's flaw remediation process, which provides some level of confidence in the fixes that are later applied on top of the certified baseline.

Another reason for doing a security certification is that it provides some level of validation that the product follows the secure development and maintenance practices required by the certification. Most software products are really a modification or evolution of a previous generation, so if a vendor has followed secure engineering practices in the past, it is likely that the vendor will continue to follow them in new product development.

IBM has a corporate policy that products produced by IBM follow the IBM Security and Privacy by Design principles (SPdD@IBM).  The basic principles involve threat assessments, security testing (like this PowerVM security evaluation) and release reviews. 

Note that a security certification does not guarantee that the product is free from all defects, as exposures can be found long after a product has been released. For example, even though many products from many different vendors carried security certifications, the Spectre and Meltdown vulnerabilities allowed the capture of private data via side-channel attacks.


Details of Recent PowerVM Common Criteria Certification

Recently, the PowerVM team completed a Common Criteria security certification that evaluated both the POWER9 E980 and Power10 E1080 running VIOS level  The target of evaluation (TOE) covered both the Virtual I/O Server (VIOS) and the PowerVM Hypervisor as shown in figure 1.
Common Criteria Fig 1

The security target covers the following threats:

1. An entity operating within a partition may be able to gain access to resources that belong to another partition, as configured by an authorized user. An example of this threat would be a user running in a virtual machine (Logical Partition, LPAR) gaining access to memory, processor or I/O resources that were assigned to another partition.

2. An entity operating within a partition may be able to establish a communication channel with another partition. An example of this threat would be two partitions that are NOT configured to communicate via virtual Ethernet being allowed to pass data over such a connection.

3. An entity operating within a partition may be able to disrupt the operation of another partition. An example of this threat would be a partition that is able to reboot itself also being able to reboot other partitions, which it should not be.

All of these threats are concerns for on-premises and cloud environments such as PowerVS. When you virtualize your hardware to run multiple instances, you need protection against one virtual machine sharing data with, or affecting the operation of, other virtual machines.

Common Criteria evaluations require three different parties, all participating in the evaluation: a vendor, a licensed laboratory and a certification body. For this certification, the vendor is IBM, represented by a team from the PowerVM hypervisor and VIOS development organization. It was IBM's responsibility to provide detailed design documents, documents covering how to set up the supported configuration, development of test cases for the interfaces under test, and execution of those test cases.

The auditor is a Common Criteria licensed laboratory that guides the vendor (IBM) through the certification process, creates the security target document, reviews the documents produced by the vendor, uses the documentation to review test case coverage, reviews and independently executes the vendor's test cases, develops and runs additional security tests including penetration testing, reviews existing vulnerabilities, and works directly with the certification body.

There are currently 17 different governments that can act as certificate-authorizing members and 14 additional governments that accept Common Criteria certificates. Depending on the evaluation assurance level (EAL), the security certification will be accepted by one or more member countries. All certificate-authorizing members and all additional consuming members accept the PowerVM security certification. It is the responsibility of the certification body to validate all the data provided by the licensed laboratory and to ensure that it meets all the current requirements for a Common Criteria certificate. The certification body can request additional documentation, additional testing and so on until it is satisfied that the product under evaluation can be certified.

This overview provided insight into why and how security evaluations are performed, along with the value these evaluations provide to consumers. Have questions about security or want to learn more about PowerVM? Follow our IBM PowerVM discussion group on LinkedIn.