NVIDIA Tegra
NVIDIA DRIVE OS 5.1 Linux SDK

Developer Guide
5.1.12.0 Release


 
Configuration Tool Appendix
 
This topic provides the configurable parameters for each Security Service.
Security Foundation
The Security Service inspects all traffic between the Communication Service and the Guest VMs.
The configuration binary file, which is encrypted and signed, configures the detection rules and the policies applied to that traffic.
Once an attack is detected, the Security Service enacts the policy configured for that attack.
Each Guest VM has a security policy associated with each of its communications interfaces.
The security policies are independent of each other; consequently, two Guest VMs can have different security policies for the same physical interface.
The Security Service manages the logging of incidents, when the associated policy requires it, according to Common Criteria principles.
The two phases of the Security Service are:
1. Detection of potential threats
2. Threat management: execution of the associated policy once a threat is detected
Detection
The three types of detection and associated threat management are:
Type of Detection
Description
Hard Policy Threats
All threats of this type are blocked by default. However, the system can be configured to exempt very specific cases from blocking.
For example, incoming traffic is blocked unless a Guest VM has already communicated with its source, which effectively acts as an inbound filter for unsolicited traffic. However, a specific port can be configured in the configuration file to be always open.
Normal Threat Detection
Different policies can be configured depending on the type of threat detected. These policies include:
No Action
Let Through
Temporary Threat Detection
Includes attacks that last for a limited period of time, such as Denial of Service attacks, and includes a mechanism to detect whether the attack is still in progress.
Threat Management
Once an attack is detected, the policy configured for that VM's traffic on that specific interface is executed.
For each detection method, the Prevention System supports a broad range of remedy actions. The following list of remedy actions is not exhaustive, and these actions can be combined, as necessary, in reaction to each detection or combination of detections:
Allow packet
Block packet
Log event
Verify integrity of Guest OS or other parts of the system
Reset Guest OS
Reset interface
Block interface (blacklist)
Notify user
Configuration Tool Options and Values
The configurable options and values for the Communications and Security Services are as follows:
IP Engine Services: Security Services
The types of scans available for scanning the IP path include:
IP firewall scans
Anti-malware scans
IP deep packet inspection scans
IP firewall scans
The possible events generated from a firewall scan are as follows:
Firewall Event
Description
Scan Okay
Results of firewall scan on the packet are okay.
Header Frame Error
Flags any error from parsing the frame headers:
MAC frame, IP packet, or payload length error.
IP header or TCP/UDP/ICMP checksum error.
IPV6 Frame
Ethernet frame is of type IPV6.
ARP Frame
Ethernet frame is an ARP frame.
Frame Type Not Recognized
Filters Ethernet frames for which the firewall scan is not available.
Security Risk
Flags the following security risks:
Echo request/reply in broadcast frames.
Echo request/reply in multicast frames.
Loopback packets, where the source MAC or IP matches the destination MAC or IP.
Packet from or to a Guest VM with a forged IP address.
No Tracking Entry Match
Filters TCP packets that have no connection-tracking entry.
Out of Resources
Flags exhaustion of connection-tracking resources for TCP/ICMP/UDP packets.
Source Blocked
Filters packets whose source or destination IP address is blacklisted.
IP Protocol Not Recognized
Filters packets using a protocol other than:
IPV4
PIM internal multicast
UDP
TCP
ICMP
Port Closed
Filters packets addressed to ports that are not open.
Blacklist Request
Flags a peer that has repeatedly sent disallowed packets more than a configurable number of times. Default is 20.
TCP Connection Error
Flags any TCP state error during connection establishment.
TCP Connection Timeout
Flags a timeout on a half-open connection (default 20 seconds) or on an established connection (default 2 hours).
Broadcast Frame
Ethernet frame is a broadcast frame.
Multicast Frame
Ethernet frame is a multicast frame.
DHCP Packet
Packet is a DHCP Packet.
ICMP Fragment
Ping message.
UDP Fragment
Packet is a UDP Packet.
UDP Zero Checksum
Checksum verification is bypassed for UDP packets whose checksum field is zero.
DoS Attack Okay
No DoS attack detected.
DoS Internal Attack L1
Detected DoS attack from internal source, Level 1.
DoS External Attack L1
Detected DoS attack from external source, Level 1.
DoS Internal Attack L2
Detected DoS attack from internal source, Level 2.
DoS External Attack L2
Detected DoS attack from external source, Level 2.
DoS Internal Attack L3
Detected DoS attack from internal source, Level 3.
DoS External Attack L3
Detected DoS attack from external source, Level 3.
See the Denial of Service Configuration Table for the parameters that define DoS internal and external attacks.
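The following Python model shows how the inbound firewall events above relate to each other: an unsolicited inbound packet is compared against the blacklist, the tracking table and the always-open ports, and a peer that keeps sending disallowed packets eventually triggers a Blacklist Request after the default of 20 violations. It is an added illustration, not NVIDIA's Security Service code; the event names and the default of 20 come from the table, while the data structures, the event precedence (Port Closed is raised before No Tracking Entry Match) and the sample packets are assumptions made for this example.

```python
"""Inbound firewall classification that raises the firewall events listed above.

Added illustration, not NVIDIA's Security Service code. Event names and the default
of 20 repeated violations before a Blacklist Request come from the page; the data
structures, event precedence and sample packets are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

BLACKLIST_REQUEST_DEFAULT = 20  # "Blacklist Request ... Default is 20"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int    # 0 for icmp
    inbound: bool    # True when the packet arrives from the external network


@dataclass
class InboundFirewall:
    open_ports: frozenset                               # always-open ports (Port Mask idea)
    blacklisted: set = field(default_factory=set)       # permanent IP blacklist
    blacklist_threshold: int = BLACKLIST_REQUEST_DEFAULT
    tracked_peers: set = field(default_factory=set)     # peers a Guest VM already talked to
    violations: Counter = field(default_factory=Counter)

    def scan(self, pkt: Packet) -> list:
        """Return the firewall events raised for one packet."""
        if not pkt.inbound:
            # Outbound traffic creates a tracking entry; the peer's reply is then solicited.
            self.tracked_peers.add(pkt.dst_ip)
            return ["Scan Okay"]
        if pkt.src_ip in self.blacklisted:
            events = ["Source Blocked"]
        elif pkt.src_ip in self.tracked_peers or pkt.dst_port in self.open_ports:
            return ["Scan Okay"]          # solicited reply or explicitly opened port
        else:
            events = ["Port Closed"]      # assumed precedence: port check first
            if pkt.proto == "tcp":
                events.append("No Tracking Entry Match")
        # Repeated disallowed packets from one peer eventually request a blacklist entry.
        self.violations[pkt.src_ip] += 1
        if self.violations[pkt.src_ip] >= self.blacklist_threshold:
            events.append("Blacklist Request")
        return events


def demo() -> dict:
    """Run constructed sample traffic through the filter and collect the events."""
    fw = InboundFirewall(open_ports=frozenset({22}), blacklisted={"203.0.113.9"})
    out = {}
    out["guest_dns_query"] = fw.scan(Packet("192.168.10.4", "198.51.100.7", "udp", 53, False))
    out["dns_reply"] = fw.scan(Packet("198.51.100.7", "192.168.10.4", "udp", 53, True))
    out["ssh_to_open_port"] = fw.scan(Packet("198.51.100.20", "192.168.10.4", "tcp", 22, True))
    out["telnet_to_closed_port"] = fw.scan(Packet("198.51.100.20", "192.168.10.4", "tcp", 23, True))
    out["blacklisted_peer"] = fw.scan(Packet("203.0.113.9", "192.168.10.4", "tcp", 22, True))
    scanner = Packet("192.0.2.1", "192.168.10.4", "udp", 9999, True)
    for _ in range(BLACKLIST_REQUEST_DEFAULT - 1):
        out["scanner_19th"] = fw.scan(scanner)
    out["scanner_20th"] = fw.scan(scanner)
    return out


if __name__ == "__main__":
    for name, events in demo().items():
        print(f"{name:24s} {events}")
```

The policy attached to each event (Event Block, Event Blacklist, and so on) is applied separately, as described under the policy actions that follow; this model only classifies.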
The various policy actions that are possible for the firewall scan include:
Policy Action
Description
Event Log
Log these events for later analysis.
Event Block
Block the frame when these events occur.
Event Close Connection
Close the connection associated with the current TCP packet.
Event Close All Connections
Close all TCP connections with timeout.
Event Blacklist
Request that the IP or MAC address be blacklisted.
Event Reset
Request a system reset. Reserved for future use.
Event Alert
Alert the Guest OS of violations. For more information, see Event Logging.
Event DoS QOS
Enable QoS on DoS detection.
Event DoS Blacklist Inbound
Blacklist request for inbound traffic in case of a DoS attack. Reserved for future use.
Event DoS Blacklist Outbound
Blacklist request for outbound traffic in case of a DoS attack. Reserved for future use.
Anti-malware scans
The possible events generated from anti-malware scans are as follows:
Anti-malware Event
Description
AmOk
Reserved for future use.
AmIndef
Reserved for future use.
AmMalic
Reserved for future use.
All policy actions that are possible for an IP firewall scan can be applied for anti-malware scans as well.
IP deep packet inspection scans
Possible events generated from an IP deep packet inspection scan are as follows:
DPI Event
Description
DpiOk
Results of DPI scan on the packet are okay.
DpiIndef
Results of DPI scan cannot be determined.
DpiMalic
Malicious packet found during DPI scan.
All policy actions that are possible for an IP firewall scan can be applied for IP DPI scans as well.
Note:
Unless indicated otherwise, the default policy action for all scan events is to allow the packet (Event Allow).
Anti-malware inspection scan is not supported in this release.
CAN and Aurix Engine Services: Security Services
The types of scans available for the native CAN and CAN-over-Ethernet path include:
CAN firewall scans
CAN message frequency scans
CAN deep packet inspection scans
CAN firewall scans
The possible events generated from a CAN firewall scan are as follows:
CAN Firewall Event
Description
FwEventOk
Indicates that the results of the CAN firewall scan on the frame are okay.
Suspicious Frame Length
The CAN frame length is not a standard defined size; that is, it does not match the size of any classic CAN, extended CAN, or CAN-FD frame type.
Message ID Not Allowed
The CAN message ID is not configured to be allowed through the CAN firewall.
The various policy actions that are possible for the CAN firewall scan include:
Policy Action
Description
Event Log Can
Log these events for later analysis.
Event Block Can
Block the CAN frame when these events occur.
Event Close Connection Can
Reserved for future use.
CAN deep packet inspection scans
The possible events generated from a CAN DPI scan are as follows:
CAN DPI Event
Description
DpiOk
Indicates results of DPI scan on the CAN frame are okay.
DpiIndef
Results from the DPI scan cannot be determined.
DpiMalic
Malicious frame detected during the DPI scan.
All policy actions that are possible for a CAN firewall scan can be applied for CAN DPI scans as well.
CAN message frequency scans
The possible events generated from a CAN message frequency scan are as follows:
Message Frequency Event
Description
MsgFreqOk
Reserved for future use.
MsgFreqIndef
Reserved for future use.
MsgFreqMalic
Reserved for future use.
All policy actions that are possible for a CAN firewall scan can be applied for CAN message frequency scans as well.
Note:
Unless indicated otherwise, the default policy action for all scan events is to allow the packet (Event Allow).
Version information
Version information, reserved for future use, identifies the configuration binary file and enables the software and hardware platform compatibility checks.
Values and meanings
OEM identifier:
A unique number given to each major OEM.
Value = 0 is used for development purposes (universal value).
Value = 1 is used for NVIDIA products.
Other values are to be assigned by NVIDIA.
OEM model number:
A unique number given by each major OEM to differentiate its products (models).
Value = 0 is used for development purposes (universal value).
Other values are to be assigned later by each OEM.
Hardware identifier:
A unique number given to each hardware variant.
Value = 0 if the configuration is applicable to any hardware variant.
Other values are to be assigned by NVIDIA or the OEM, as appropriate.
Software configuration identifier:
A unique number given to each software configuration on the same hardware variant.
Value = 0 is used for development purposes (universal value).
Other values are to be assigned by NVIDIA or the OEM, as appropriate.
Compatibility version:
Used to verify that a specific configuration file format is compatible with the software build that is attempting to use it.
Starts at value = 1.
Increments every time the software must change to be able to use this file format. A software change that requires the file format to change also triggers this increment.
Sub Version:
Reserved for future use.
Default value = 0.
Date:
The date and time of the last update of the configuration file.
Note:
The Version Information Page displays the configured defaults. These values are not used in this release.
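The following Python check shows how a loader would apply the rules above before accepting a configuration binary: the four identifiers treat 0 as the universal value, the compatibility version must match the build exactly, and Sub Version is ignored because it is reserved. This is an added example, not the Configuration Tool's or the Security Service's code; the binary layout (VERSION_FMT), the class and function names and the sample values are assumptions, and the field meanings follow the list above.

```python
"""Compatibility check driven by the version information of a configuration binary.

Added illustration, not NVIDIA's code. Field meanings follow the page (0 is universal
for the four identifiers, compatibility version must match exactly, Sub Version is
reserved); the byte layout, names and sample values are assumptions.
"""
import struct
from dataclasses import astuple, dataclass

# Assumed layout: six unsigned 16-bit fields followed by a 32-bit date, little-endian.
VERSION_FMT = "<HHHHHHI"
VERSION_SIZE = struct.calcsize(VERSION_FMT)   # 16 bytes


@dataclass(frozen=True)
class VersionInfo:
    oem_id: int
    oem_model: int
    hw_id: int
    sw_config_id: int
    compat_version: int
    sub_version: int = 0      # reserved for future use, default 0
    date: int = 0             # last update, seconds since epoch (assumed encoding)

    def pack(self) -> bytes:
        return struct.pack(VERSION_FMT, *astuple(self))

    @classmethod
    def unpack(cls, blob: bytes) -> "VersionInfo":
        if len(blob) < VERSION_SIZE:
            raise ValueError("version information truncated")
        return cls(*struct.unpack(VERSION_FMT, blob[:VERSION_SIZE]))


@dataclass(frozen=True)
class Platform:
    """What the running software build knows about itself."""
    oem_id: int
    oem_model: int
    hw_id: int
    sw_config_id: int
    compat_version: int   # the only file format version this build can parse


def _id_matches(cfg: int, actual: int) -> bool:
    # 0 in the configuration means the entry applies to any value (universal).
    return cfg == 0 or cfg == actual


def compatibility_problems(info: VersionInfo, platform: Platform) -> list:
    """Return the reasons the configuration must be rejected; an empty list means accept."""
    problems = []
    if info.compat_version != platform.compat_version:
        problems.append(f"compatibility version {info.compat_version} != {platform.compat_version}")
    for name in ("oem_id", "oem_model", "hw_id", "sw_config_id"):
        cfg, actual = getattr(info, name), getattr(platform, name)
        if not _id_matches(cfg, actual):
            problems.append(f"{name} {cfg} does not match {actual}")
    return problems


def demo() -> dict:
    """Constructed platform and configurations: one universal, one for the wrong hardware,
    one in a file format this build does not understand."""
    platform = Platform(oem_id=1, oem_model=7, hw_id=3, sw_config_id=2, compat_version=1)
    dev_cfg = VersionInfo(0, 0, 0, 0, compat_version=1, date=1_600_000_000)
    wrong_hw = VersionInfo(1, 7, hw_id=4, sw_config_id=2, compat_version=1)
    format_mismatch = VersionInfo(1, 7, 3, 2, compat_version=2)
    return {
        "roundtrip_ok": VersionInfo.unpack(dev_cfg.pack()) == dev_cfg,
        "dev_cfg": compatibility_problems(dev_cfg, platform),
        "wrong_hw": compatibility_problems(wrong_hw, platform),
        "format_mismatch": compatibility_problems(format_mismatch, platform),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

The check belongs after signature verification of the configuration binary, not before it: an unsigned header can claim any identifiers.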
Communication EQ0 Configuration: Communication Services
Used to configure the IP address of the Communication Services network interface card (NIC).
The NIC can be assigned an IP address automatically (DHCP) or by static configuration.
An option is also provided to configure alias addresses on the network interface.
IP Blacklist Table: Security Services
Used to configure the IP addresses to or from which outgoing and incoming connections are blocked on a permanent basis.
The Number of Elements field should match the number of entries that have the Block flag enabled.
MAC Blacklist Table: for future use
Used to configure the MAC addresses to or from which outgoing and incoming connections are blocked.
The Number of Elements field should match the number of entries that have the Block flag enabled.
NAT Configuration Table: Communication Services
NAT is a mapping function that translates network address information (IP address and port number) between the private and public domains and allows nodes in the private network to share the platform's physical Ethernet interface.
Values and meanings
Configuration Value
Description
Number of Elements
Number of active entries in the NAT table. Only this number of entries is considered in the Comms NAT table, even if the table contains more than Number of Elements entries.
External IP Address
IP address on the Communication Services NIC (0.0.0.0 by default).
Port Start
External port on which the connection is made: start value.
Port End
External port on which the connection is made: end value.
Firewall IP Address
IP address of the Guest VM that must access the external world.
Port Start
Internal port on which the connection is made: start value.
Port End
Internal port on which the connection is made: end value.
The corresponding NAT Configuration Table entry, as displayed on the Communication Services by pfctl, is as follows:
pfctl -s nat
rdr on eq0 inet proto tcp from any to (eq0:0) port = 1000 -> 192.168.10.4 port 22
Denial of Service Configuration Table: Security Services
The values and meanings are as follows:
Configuration Values
Description
Number of Guests
Reserved for future use.
Bandwidth allocation
Total, Guest > Host, Guest > Guest, TCP, UDP, ICMP
TCP
Outbound_Ext, Inbound_Ext, Internal, Threshold
UDP
Outbound_Ext, Inbound_Ext, Internal, Threshold
Slot
Dos_level_0_Escalate, Dos_level_0_Wait
Dos_level_1_Escalate, Dos_level_1_Wait
Dos_level_2_Escalate, Dos_level_2_Wait
Dos_level_3_Escalate, Dos_level_3_Wait
 
Note:
The DoS Configuration Table values in the interface are the default values. Do NOT change these values.
Port Mask Table: Security Services
Determines the list of ports allowed to pass through the Security Firewall for inbound connections.
Configured on a per-interface basis.
Values and meanings
Configuration Values
Description
Number of Elements
Number of entries to be configured for this interface. Only this number of entries is considered in the Port Mask table, even if the table contains more than Number of Elements entries.
Port Start
Ports allowed through the security firewall: start of range.
Port End
Ports allowed through the security firewall: end of range.
Enable
Enables or disables the specified port range.
 
Note:
These ports are a second line of defense. The NAT Configuration Table must also have the correct port forwarding entry defined for that particular interface.
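Because the Port Mask Table and the NAT Configuration Table must agree, a practitioner will want to render the NAT rows into the pf rules the Communication Services would show and then cross-check the two tables: a port open in the mask with no forwarding entry is a dead opening, and a forwarded port missing from the mask is silently dropped by the second line of defense. The Python below does both for the NAT and Port Mask sections above. It is an added example, not the Configuration Tool's code; the single-port rdr rule reproduces the pfctl output shown above, while the interface name eq0, the port-range rule form ("port A:B -> host port C:*"), the Python names, the sample tables and the assumption that the Port Mask applies to the Guest-side (translated) port are not from the page.

```python
"""NAT Configuration Table and Port Mask Table: render pf rules and cross-check the tables.

Added example, not NVIDIA's code. The single-port rule matches the pfctl output on the
page; eq0, the range rule form, the names and sample tables are assumptions, as is the
choice to compare the mask against the Guest-side (internal) ports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NatEntry:
    external_ip: str     # "0.0.0.0" is rendered as the NIC's own address, (eq0:0)
    ext_start: int       # external Port Start
    ext_end: int         # external Port End
    guest_ip: str        # Firewall IP Address: the Guest VM reached from outside
    int_start: int       # internal Port Start
    int_end: int         # internal Port End
    proto: str = "tcp"


@dataclass(frozen=True)
class PortMaskEntry:
    start: int
    end: int
    enable: bool


def active(table: list, num_elements: int) -> list:
    """Only the first Number of Elements rows count, even if the table holds more."""
    return list(table[:num_elements])


def render_rdr(e: NatEntry, iface: str = "eq0") -> str:
    """Translate one table row into the pf rdr rule the Communication Services would show."""
    if e.ext_end - e.ext_start != e.int_end - e.int_start:
        raise ValueError("external and internal port ranges must have the same length")
    ext_dst = f"({iface}:0)" if e.external_ip == "0.0.0.0" else e.external_ip
    head = f"rdr on {iface} inet proto {e.proto} from any to {ext_dst}"
    if e.ext_start == e.ext_end:
        return f"{head} port = {e.ext_start} -> {e.guest_ip} port {e.int_start}"
    return f"{head} port {e.ext_start}:{e.ext_end} -> {e.guest_ip} port {e.int_start}:*"


def allowed_ports(mask: list, num_elements: int) -> set:
    ports = set()
    for m in active(mask, num_elements):
        if m.enable:
            ports.update(range(m.start, m.end + 1))
    return ports


def forwarded_guest_ports(nat: list, num_elements: int) -> set:
    ports = set()
    for e in active(nat, num_elements):
        ports.update(range(e.int_start, e.int_end + 1))
    return ports


def cross_check(nat: list, nat_n: int, mask: list, mask_n: int) -> dict:
    """Report mask/NAT disagreements for one interface."""
    fwd, allow = forwarded_guest_ports(nat, nat_n), allowed_ports(mask, mask_n)
    return {"open_without_nat": sorted(allow - fwd), "nat_without_open": sorted(fwd - allow)}


# Constructed sample tables; the first NAT row is the one shown on the page.
NAT_TABLE = [
    NatEntry("0.0.0.0", 1000, 1000, "192.168.10.4", 22, 22),
    NatEntry("0.0.0.0", 2000, 2009, "192.168.10.5", 8000, 8009),
    NatEntry("0.0.0.0", 3000, 3000, "192.168.10.6", 443, 443),   # beyond Number of Elements
]
NAT_ELEMENTS = 2
PORT_MASK = [PortMaskEntry(22, 22, True), PortMaskEntry(8000, 8009, True),
             PortMaskEntry(80, 80, True), PortMaskEntry(443, 443, False)]
MASK_ELEMENTS = 4


def demo() -> dict:
    return {
        "rules": [render_rdr(e) for e in active(NAT_TABLE, NAT_ELEMENTS)],
        "check": cross_check(NAT_TABLE, NAT_ELEMENTS, PORT_MASK, MASK_ELEMENTS),
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["rules"]))
    print(result["check"])
```

With the sample tables, port 80 is reported as open without a forwarding entry, and the third NAT row is ignored because Number of Elements is 2.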
TLS Encryption Table: Security Services
Determines whether the TLS proxy in the Security Services intercepts a TLS session.
Configured on a per-interface basis.
Values and meanings
Configuration Values
Description
Number of Elements
Number of entries to be configured for this interface. Only this number of entries is considered in the TLS Encryption table, even if the table contains more than Number of Elements entries.
Encryption
Encryption option for this IP address/port range.
Values include:
Secure - Inspect traffic
Unsecure - Define exceptions
Not set - Entry not used
IP Address
IP address to scan, combined with the IP Mask.
IP Mask
Mask applied to the IP Address to select the address range to scan.
Minimum
Port range to scan: minimum.
Maximum
Port range to scan: maximum.
For example:
Num_entries: 3
Secure, 0.0.0.0, 0.0.0.0, 443, 445 => Scans all IP addresses on ports 443-445
Unsecure, 1.2.3.4, 255.255.255.255, 443, 443 => Exempts port 443 on IP 1.2.3.4 from scanning
Secure, 14.15.0.0, 255.255.0.0, 0, 65535 => Scans all ports on the IP address range 14.15.*.*
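The following Python lookup applies the three-row example above and answers, for a destination IP address and port, whether the TLS proxy should intercept the session. It is an added example, not the Security Services' code. The three rows are the ones from the page; the fourth row and the lookups are constructed. The precedence rule (an Unsecure exception wins over any Secure match), ignoring rows beyond Number of Elements and rows marked Not set, and the Python names are assumptions.

```python
"""TLS Encryption Table lookup: does the TLS proxy intercept a given destination?

Added example, not NVIDIA's code. Rows 1-3 are the page's example; row 4, the lookups,
the exception-wins precedence and the names are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsEntry:
    encryption: str   # "Secure" (inspect), "Unsecure" (exception) or "Not set" (unused)
    ip: str
    mask: str
    port_min: int
    port_max: int

    def matches(self, ip: str, port: int) -> bool:
        if not self.port_min <= port <= self.port_max:
            return False
        # strict=False lets the mask cover host bits set in the address field.
        network = ipaddress.IPv4Network((self.ip, self.mask), strict=False)
        return ipaddress.IPv4Address(ip) in network


def should_intercept(table: list, num_elements: int, ip: str, port: int) -> bool:
    """Secure rows select traffic for inspection; an Unsecure row carves out an exception."""
    rows = [r for r in table[:num_elements] if r.encryption != "Not set"]
    if any(r.encryption == "Unsecure" and r.matches(ip, port) for r in rows):
        return False          # explicit exception wins (assumed precedence)
    return any(r.encryption == "Secure" and r.matches(ip, port) for r in rows)


TLS_TABLE = [
    TlsEntry("Secure", "0.0.0.0", "0.0.0.0", 443, 445),
    TlsEntry("Unsecure", "1.2.3.4", "255.255.255.255", 443, 443),
    TlsEntry("Secure", "14.15.0.0", "255.255.0.0", 0, 65535),
    TlsEntry("Secure", "8.8.8.8", "255.255.255.255", 80, 80),   # row 4: beyond Num_entries
]
NUM_ENTRIES = 3


def demo() -> dict:
    """Constructed lookups against the page's table."""
    return {
        "any_host_444": should_intercept(TLS_TABLE, NUM_ENTRIES, "9.9.9.9", 444),
        "exempt_1.2.3.4_443": should_intercept(TLS_TABLE, NUM_ENTRIES, "1.2.3.4", 443),
        "1.2.3.4_444": should_intercept(TLS_TABLE, NUM_ENTRIES, "1.2.3.4", 444),
        "14.15.x_8443": should_intercept(TLS_TABLE, NUM_ENTRIES, "14.15.200.1", 8443),
        "row4_ignored": should_intercept(TLS_TABLE, NUM_ENTRIES, "8.8.8.8", 80),
        "row4_with_4_entries": should_intercept(TLS_TABLE, 4, "8.8.8.8", 80),
    }


if __name__ == "__main__":
    for name, intercept in demo().items():
        print(f"{name:22s} {'intercept' if intercept else 'pass through'}")
```

Note that the exception for 1.2.3.4 covers only port 443; the same host on port 444 still falls under the first Secure row and is inspected.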
Other Configuration Items: Security Services
The additional configuration items provided as part of the Security Services include:
Logging
These parameters configure the time of logging, the logging duration, the log count, and so on.
The logging configuration values and their meanings are as follows:
Configuration Value
Description
Log Upload Time
Time of day at which the logs are uploaded to the log server.
Log Upload Interval
Number of days before the logs are uploaded to the log server.
Event Log Count
Number of occurrences to reach before an entry is appended to the event log. This avoids repetitive logging.
See Security Logging for details.
Log Timer Interval
Number of hours after which the accumulated count is added to the event log even if the Event Log Count has not been reached.
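The interaction between Event Log Count and Log Timer Interval is a count-or-timeout aggregator: repeated occurrences of the same event are counted, one entry is written when the count reaches Event Log Count, and a count that never gets there is still written once the timer expires. The Python below implements that rule as stated above. It is an added illustration, not the Security Services' logging code; the in-memory representation, the function names and the sample event sequence are assumptions.

```python
"""Event log aggregation governed by Event Log Count and Log Timer Interval.

Added illustration, not NVIDIA's code. The rule (append at Event Log Count occurrences,
or after Log Timer Interval hours if the count is not reached) follows the page; the
representation, names and sample sequence are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class EventLogAggregator:
    event_log_count: int            # occurrences before an entry is appended
    log_timer_interval: float       # hours before a pending count is flushed anyway
    event_log: list = field(default_factory=list)
    _pending: dict = field(default_factory=dict)   # event key -> (count, first_seen_hours)

    def record(self, key, now: float) -> None:
        """Account for one occurrence of `key` at time `now` (in hours)."""
        count, first_seen = self._pending.get(key, (0, now))
        count += 1
        if count >= self.event_log_count:
            self.event_log.append((key, count, now))   # threshold reached: one entry
            self._pending.pop(key, None)
        else:
            self._pending[key] = (count, first_seen)

    def tick(self, now: float) -> int:
        """Flush counts whose timer has expired; returns how many entries were appended."""
        flushed = 0
        for key, (count, first_seen) in list(self._pending.items()):
            if now - first_seen >= self.log_timer_interval:
                self.event_log.append((key, count, now))
                del self._pending[key]
                flushed += 1
        return flushed


def demo() -> list:
    """Constructed sequence: a noisy port-scan event and a single stray DoS event."""
    agg = EventLogAggregator(event_log_count=3, log_timer_interval=1.0)
    scan = ("eq0", "192.0.2.1", "Port Closed")
    dos = ("eq0", "internal", "DoS Internal Attack L1")
    for t in (0.00, 0.05, 0.10):      # three hits in six minutes -> one entry
        agg.record(scan, t)
    agg.record(dos, 0.50)             # one hit: stays pending
    agg.tick(1.20)                    # 0.7 h elapsed: still pending
    agg.tick(1.60)                    # 1.1 h elapsed: flushed with count 1
    return agg.event_log


if __name__ == "__main__":
    for key, count, when in demo():
        print(f"{when:5.2f}h  x{count}  {key}")
```

Set Event Log Count too high and a low-rate probe can stay invisible for a full Log Timer Interval; the timer is what bounds that delay.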
Precision Time Protocol
The PTP virtualization service is provided as part of the Communications Services. It provides APIs for client Virtual Machines to access a common PTP time source with low latency.
Consult Using PTP Virtualization topic for details.
The PTP configuration values and their meaning is as follows:
Configuration Value
Description
PTP Enable/Disable
Enables or disables the virtual PTP.
PTP Arguments
Consult Using PTP Virtualization topic for details.
Cipher
The cipher key options that can be used for the TLS proxy (read-only and reserved for future use).
The Cipher configuration values and their meaning is as follows:
Configuration Value
Description
Server Cipher
Reserved for future use.
Client Cipher
Reserved for future use.
Password
Reserved for future use.