xorg and EAL4+

Eamon Walsh ewalsh at tycho.nsa.gov
Thu Apr 19 11:56:36 PDT 2007

James Courtier-Dutton wrote:
> Hi,
> Fortunately, Linux has EAL4+ security evaluation done for most security
> targets (configurations).
> The one major thing that is excluded each time is the X front end.
> I.e. Linux has EAL4+ for a server config, without X.

Specific distributions such as SLES9 and RHEL4 have received an EAL4 
rating under a specific protection profile, CAPP.  The vendors' decision 
not to include X could be for conformance, or it could be simply to 
reduce the set of packages that have to be documented and examined 
(which would include all the X applications), or because they are 
targeting the server market only.

There do exist variously accredited commercial Linux distributions that 
include X, see for example Trusted Computer Solutions' Nettop2 product.

> Have any moves been made to modify X so that it could reach EAL4+
> certifications?

Yes, there is ongoing work on a security framework for X, XACE, and 
SELinux support.

> Or, is the X protocol just so broken, that X could never reach this
> level of security.

It is possible, but it depends on the protection profile and the 
specific X protocol subset (extensions).

> The only alternative at the moment is MS Windows, that does have EAL4+
> certifications.
> Kind Regards
> James
> _______________________________________________
> xorg mailing list
> xorg at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/xorg

Eamon Walsh <ewalsh at tycho.nsa.gov>
National Security Agency

More information about the xorg mailing list