RTOS/PROCESSOR-SDK-OMAPL138: Security questions for DSP/BIos, SYS/BIOS

Part Number:PROCESSOR-SDK-OMAPL138

Tool/software:TI-RTOS

Hello
My customer is considering the OMAP-L138ZWT in an Avionics project requiring DO-178 certification and has a number of questions concerning DSP-BIOS (SYS-BIOS) that I hope you can help me answer :-

I am currently evaluating the COTS products that we use in our product in terms of security and one of these SW COTS items is the DSP/Bios Real-Time Operating System (www.ti.com/tool/dspbios) to which all of the following questions is concerned. These questions will help us justify the use of the DSP Bios and ultimately the Texas Instruments DSP in our products.

So to the questions:

• Did you follow any official approach in developing this SW e.g. DO-178?
• Is it possible for us to get access to your bug database with issues posted towards this SW?
• Do Texas Instruments perform a security survey on this SW such as scanning the internet for vulnerabilities or an official process for posting new vulnerabilities?
  • Is it possible for Customers to either subscribe or get access to the result of such a survey?
  • Since the version we have currently implemented is not the newest version:
    • Is it possible to get the history of previous found vulnerabilities on this COTS?
    • Wen new vulnerabilities are found do you evaluate them against all versions of the COTS or only the latest binary?
• Your website only allows download of this COTS using insecure HTTP without any secure hash to verify the integrity of the download.
  • Do Texas Instruments provide any alternative secure site to download this SW such as HTTPS, FTPS or SSH?
  • Is Texas Instruments able to provide us with a hash of the binary provided by an alternative source than the download server where the binary is downloaded from?
  • Does Texas provide an additional download server or other means from which a binary comparison would be possible?
• In case Texas Instruments becomes aware of any security issues, does Texas Instruments have a process of handling these?
  • How is the evaluation process?
  • As a user of this SW binary, what is the patch delay that we could expect?
• Since Customer does not have the source-code (and in the case we acquired the source code the licensing terms does not allow us to modify the source code) Customer relies of Texas Instruments for updates:
  • What is the expected maintenance/support period for this SW?
  • If Texas Instruments choose no longer to support/maintain this SW, is it possible for us to continue the maintenance ourelves?

Thank you in advance for taking the time to answer our questions.

Best Regards
Bob Bacon