IBM 10 SP1 EAL4 manual Kernel TSF software

The concept of breaking the TOE product into logical subsystems is described in the Common Criteria. These logical subsystems are the building blocks of the TOE, and are described in the Functional Descriptions chapter of this paper. They include logical subsystems and trusted processes that implement security functions. A logical subsystem can implement or support one or more functional components. For example, the File and I/O subsystem is partly implemented by functions of the Virtual Memory Manager.

4.2.1Kernel TSF software

The kernel is the core of the operating system. It interacts directly with the hardware, providing common services to programs, and prevents programs from directly accessing hardware-dependent functions. Services provided by the kernel include the following:

•Control of the execution of processes by allowing their creation, termination or suspension, and communication. These include:

•Fair scheduling of processes for execution on the CPU.

•Share of processes in the CPU in a time-shared manner.

•CPU execution of a process.

•Kernel suspension when its time quantum elapses.

•Kernel schedule of another process to execute.

•Later kernel rescheduling of the suspended process.

•Allocation of the main memory for an executing process. These include:

•Kernel allowance of processes to share portions of their address space under certain conditions, but protection of the private address space of a process from outside tampering.

•If the system runs low on free memory, the kernel frees memory by writing a process temporarily to secondary memory, or a swap device.

•Coordination with the machine hardware to set up a virtual-to-physical address that maps the compiler-generated addresses to their physical addresses.

•File system maintenance. These include:

•Allocation of secondary memory for efficient storage and retrieval of user data.

•Allocation of secondary storage for user files.

•Reclamation of unused storage.

•Structure of the file system in a well-understood manner.

•Protection of user files from illegal access.

•Allowance of processes’ controlled access to peripheral devices such as terminals, tape drives, disk drives, and network devices.

•Mediation of access between subjects and objects, allowing controlled access based on DAC and (optionally) AppArmor policy.

The SLES kernel is a fully preemptible kernel. In non-preemptive kernels, kernel code runs until completion. That is, the scheduler is not capable of rescheduling a task while it is in the kernel. Moreover, the kernel code is scheduled cooperatively, not preemptively, and it runs until it finishes and returns to user-space, or explicitly blocks. In preemptive kernels, it is possible to preempt a task at any point, so long as the kernel is in a state in which it is safe to reschedule.

23