Lexmark C4342 Security White Paper - Page 36



Only trusted firmware can be loaded on a Lexmark device. The following requirements are defined so that significant protections are provided with the device firmware:
• The data must be packed appropriately in a format that is specific to the device type.
• The data must be encrypted so that it can be decrypted correctly with a symmetric key. This key is embedded in the device’s firmware during manufacturing. To create a software package that passes the requirements of Lexmark devices, an individual must have this symmetric key. It is not published, nor can it be extracted from Lexmark firmware.
• The data (after decryption) consists of multiple subpackages, each of which must have a separate digital signature. The digital signature provides two protections: it validates that the firmware came from Lexmark and that the firmware has not been modified since it was created.
• Firmware updates can be restricted to authenticated and authorized users or disabled through the device access function controls.
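The two layers described above, a device-type symmetric key wrapping a set of individually signed subpackages, can be modelled compactly. The Go program below is an added example, not Lexmark's code or package format: the container layout, AES-256-GCM as the symmetric cipher, Ed25519 as the signature scheme, and every key and subpackage payload are assumptions constructed for illustration. It shows why both layers matter on the verifying side: a package that decrypts correctly but whose subpackages were signed by a key other than the vendor's is refused, and so is a package damaged in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy container layout (an assumption for this example, not Lexmark's format):
// package = nonce(12) || AES-256-GCM(plaintext), where plaintext is a sequence of
// [uint32 length][subpackage bytes][64-byte Ed25519 signature over those bytes].
const nonceSize = 12

func newGCM(devKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(devKey) // devKey: the device-type symmetric key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPackage models the vendor side and exists only to construct sample input:
// every subpackage is signed on its own, then the whole sequence is encrypted.
func sealPackage(devKey []byte, signer ed25519.PrivateKey, subpkgs [][]byte) ([]byte, error) {
	var plain []byte
	hdr := make([]byte, 4)
	for _, sp := range subpkgs {
		binary.BigEndian.PutUint32(hdr, uint32(len(sp)))
		plain = append(append(append(plain, hdr...), sp...), ed25519.Sign(signer, sp)...)
	}
	gcm, err := newGCM(devKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// verifyPackage is the device-side check: decrypt with the embedded key, then
// refuse the whole package unless every subpackage has a valid signature from
// the trusted vendor key. Nothing is accepted on partial success.
func verifyPackage(devKey []byte, vendorPub ed25519.PublicKey, pkg []byte) ([][]byte, error) {
	gcm, err := newGCM(devKey)
	if err != nil || len(pkg) < nonceSize {
		return nil, errors.New("bad key or package too short")
	}
	plain, err := gcm.Open(nil, pkg[:nonceSize], pkg[nonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (wrong key or corrupted data): %w", err)
	}
	var parts [][]byte
	for i := 0; len(plain) > 0; i++ {
		if len(plain) < 4 {
			return nil, errors.New("truncated subpackage header")
		}
		n := binary.BigEndian.Uint32(plain)
		plain = plain[4:]
		if uint64(len(plain)) < uint64(n)+ed25519.SignatureSize {
			return nil, errors.New("truncated subpackage body")
		}
		body, sig := plain[:n], plain[n:n+ed25519.SignatureSize]
		if !ed25519.Verify(vendorPub, body, sig) {
			return nil, fmt.Errorf("subpackage %d: signature not from trusted vendor key", i)
		}
		parts = append(parts, body)
		plain = plain[n+ed25519.SignatureSize:]
	}
	if len(parts) == 0 {
		return nil, errors.New("package contains no subpackages")
	}
	return parts, nil
}

// demo: subpackage count from a genuine package, plus whether a corrupted
// package and a package signed by an untrusted key are both refused.
func demo() (goodParts int, corruptRejected, rogueRejected bool, err error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // untrusted signer, right device key
	devKey := make([]byte, 32)                           // stand-in for the manufacturing-embedded key
	_, _ = rand.Read(devKey)
	subpkgs := [][]byte{[]byte("constructed kernel image"), []byte("constructed rootfs partition")}
	good, _ := sealPackage(devKey, vendorPriv, subpkgs)
	rogue, _ := sealPackage(devKey, roguePriv, subpkgs)
	corrupt := append([]byte(nil), good...)
	corrupt[len(corrupt)/2] ^= 0x01 // single-bit error in transit
	parts, err := verifyPackage(devKey, vendorPub, good)
	_, errCorrupt := verifyPackage(devKey, vendorPub, corrupt)
	_, errRogue := verifyPackage(devKey, vendorPub, rogue)
	return len(parts), errCorrupt != nil, errRogue != nil, err
}

func main() {
	fmt.Println(demo())
}
```

Run it with `go run`; it prints the accepted subpackage count (2) followed by `true true <nil>`. Note that verifyPackage rejects the whole package on the first failing subpackage instead of installing the ones that passed, which is the behaviour the requirements above imply.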
The chain-of-trust process developed by Lexmark to check and validate the integrity of a device’s operating system during startup, normal operation, and execution of an internal application is defined in the following list. If any of the following tests fail, then the device halts operation of all processes and reports an error.
• The device’s physical hardware is used to validate the secure bootloader, which is then used to verify the signature on the kernel.
• The kernel is then used to verify the signatures on each firmware flash partition before it is mounted by the device.
• Internal device drivers and executable code are designed to operate from trusted read-only flash partitions. No code is ever written to a standard or optional device hard disk.
• Each time a block is paged from the trusted flash memory to RAM, its hash value is verified by the kernel, which provides continuous verification and tamper detection.
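The last step in the list, hash-checking every block as it is paged from flash into RAM, amounts to a per-block integrity table over an already verified image. The Go program below is an added example, not Lexmark's implementation: the 16-byte block size, the assumption that the hash table travels inside the signed partition (so it is trusted once the partition signature passes), and the constructed image contents are all this example's own. It pages a small image in cleanly, then flips a single bit in one flash block and shows the next page-in of that block being refused, which is the halt condition described above.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// blockSize is a toy page size so the example stays small; real flash pages are
// KiB-sized. The hash table is assumed (not stated in the paper) to be part of
// the signed partition image, so once the kernel has verified the partition
// signature the table itself is trusted.
const blockSize = 16

// buildHashTable computes one SHA-256 per block, including a short final block.
func buildHashTable(image []byte) [][32]byte {
	var table [][32]byte
	for off := 0; off < len(image); off += blockSize {
		end := off + blockSize
		if end > len(image) {
			end = len(image)
		}
		table = append(table, sha256.Sum256(image[off:end]))
	}
	return table
}

// pageIn copies block idx from flash into RAM only if its hash matches the
// trusted table. A mismatch is the halt condition: the caller must not
// continue executing from that block.
func pageIn(flash []byte, trusted [][32]byte, idx int) ([]byte, error) {
	start := idx * blockSize
	if idx < 0 || idx >= len(trusted) || start >= len(flash) {
		return nil, fmt.Errorf("block %d out of range", idx)
	}
	end := start + blockSize
	if end > len(flash) {
		end = len(flash)
	}
	if sha256.Sum256(flash[start:end]) != trusted[idx] {
		return nil, fmt.Errorf("block %d: hash mismatch, halting", idx)
	}
	ram := make([]byte, end-start) // the RAM copy handed to the caller
	copy(ram, flash[start:end])
	return ram, nil
}

// demoPaging pages a constructed 5-block image in cleanly, then flips one bit
// in block 2 of the flash copy and reports which block the next pass rejects.
func demoPaging() (cleanBlocks, faultyBlock int, err error) {
	// constructed image: 4 full blocks plus a 4-byte partial block (68 bytes)
	image := append(bytes.Repeat([]byte("0123456789abcdef"), 4), []byte("tail")...)
	trusted := buildHashTable(image) // computed at build time, shipped inside the signed partition
	flash := append([]byte(nil), image...)
	for i := range trusted {
		if _, err := pageIn(flash, trusted, i); err != nil {
			return cleanBlocks, -1, err
		}
		cleanBlocks++
	}
	flash[2*blockSize] ^= 0x80 // single-bit fault or tamper in block 2
	for i := range trusted {
		if _, err := pageIn(flash, trusted, i); err != nil {
			return cleanBlocks, i, nil
		}
	}
	return cleanBlocks, -1, errors.New("corruption went undetected")
}

func main() {
	fmt.Println(demoPaging())
}
```

With `go run` this prints `5 2 <nil>`: all five blocks verified on the first pass, and block 2 was the one rejected after the bit flip. Because the check happens on every page-in rather than once at mount, a flash fault or modification that appears after boot is still caught the next time the affected block is needed.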
Other protections that Lexmark has in place to protect the device’s operating system are as follows:
• Device usage data is placed in tamper-proof memory so that it can be analyzed in the event that the device is compromised.
• All hard copy devices use non-x86 processors.
• The device does not accept incoming e-mail, nor does it contain its own SMTP server or service.
• The device hard disks (standard or optional) are not designed to be long-term storage devices, nor do they allow users or administrators to load or extract information, create folders, share, or create a network file share or FTP information to the hard drive.
• The device does not allow incoming remote procedure calls (RPCs), which limits the propagation of malware from other devices. The device does not recognize or run files with executable extensions. Image files, such as BMP, DCX, GIF, JPEG, JPG, PCX, PDF, PNG, TIF, and TIFF, are recognized as print-related data.
eSF Application Security
Overview
Lexmark devices can be extended with the Lexmark eSF. Solution-enabled devices include an execution platform that permits function enhancements through the loading and running of custom applications. These applications are loaded, configured, and remain resident on the device, extending its capabilities. To ensure that device security is not compromised, well-defined interfaces are specified, an application certification process is defined, and secure, encrypted, signed application install packages are created.
Secure Access
36