ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

GROUP SPECIFICATION
Network Functions Virtualisation (NFV)
Release 5;
Security;
System architecture specification
for execution of sensitive NFV components

2 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

Reference
RGS/NFV-SEC012ed531
Keywords
architecture, NFV, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2025.
All rights reserved.
ETSI
3 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Definition of terms, symbols and abbreviations . 6
3.1 Terms . 6
3.2 Symbols . 6
3.3 Abbreviations . 6
4 Principles . 7
4.1 Introduction . 7
5 Platform requirements . 7
5.1 Core hardware requirements. 7
5.2 Core software requirements . 8
6 Lifecycle . 9
6.1 Trusted Computing Base . 9
6.2 Workload provisioning . 10
6.3 Runtime checks . 10
6.4 Entropy and random numbers . 11
6.5 Cryptographic primitives . 11
6.5.1 Introduction. 11
6.5.2 Classical Cryptographic Algorithms . 11
6.5.3 Quantum Safe Cryptographic Algorithms . 13
6.6 Installed software and configurations on host system . 14
6.7 De-provisioning workloads . 14
6.8 Dealing with failure . 14
6.8.0 General points . 14
6.8.1 Requirements relating to failure conditions . 15
7 External dependencies . 15
8 Architecture section . 15
8.0 System hardening techniques . 15
8.1 Secure logging . 15
8.2 OS-level access and confinement control . 16
8.3 Physical controls and alarms . 16
8.4 Authentication controls . 16
8.5 Access controls . 16
8.6 Communications security . 16
8.7 Boot . 17
8.8 Attestation . 17
8.9 Hardware-mediated execution enclaves . 17
8.10 Hardware-Based Root of Trust (HBRT) . 17
8.11 Self-encrypting storage . 17
8.12 Direct access to memory . 17
8.13 Hardware Security Modules . 18
8.14 Software integrity protection and verification . 18
Annex A (informative): Change history . 19
History . 20

ETSI
4 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of ®
the oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions
Virtualisation (NFV).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI
5 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

1 Scope
The present document defines requirements for host system elements on which sensitive workloads are to be run. The
present document defines requirements to ensure isolation of sensitive workloads from non-sensitive workloads sharing
a platform. The present document discusses a wide range of different technologies which aim to increase the security of
a host system for the workloads which will be executing on it.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found in the
ETSI docbox.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI TS 133 310: "Universal Mobile Telecommunications System (UMTS); LTE; 5G; Network
Domain Security (NDS); Authentication Framework (AF) (3GPP TS 33.310)".
[2] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); LTE; 5G; Network Domain Security (NDS);
IP network layer security (3GPP TS 33.210)".
[3] ISO/IEC 18031:2025: "Information technology — Security techniques — Random bit generation".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's
understanding, but are not required for conformance to the present document.
[i.1] NIST Special Publication (SP) 800-90B: "Recommendation for the Entropy Sources Used for
Random Bit Generation".
[i.2] NIST Special Publication (SP) 800-88 revision 1: "Guidelines for Media Sanitization".
[i.3] ETSI GS NFV-SEC 009: "Network Functions Virtualisation (NFV); NFV Security; Report on use
cases and technical approaches for multi-layer host administration".
[i.4] Greg Hoglund, Gary McGraw (2007): "Exploiting Online Games: Cheating Massively Distributed
Systems", Addison-Wesley, New Jersey.
[i.5] ETSI TS 103 487: "CYBER; Baseline security requirements regarding sensitive functions for NFV
and related platforms".
[i.6] ETSI TR 103 309: "CYBER; Secure by Default - platform security technology".
ETSI
6 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

[i.7] NIST Special Publication (SP) 800-123: "Guide to General Server Security".
[i.8] NIST Special Publication (SP) 800-125: "Guide to Security for Full Virtualization Technologies".
[i.9] ISO/IEC 15408-1:2022: "Information security, cybersecurity and privacy protection — Evaluation
criteria for IT security — Part 1: Introduction and general model".
[i.10] ETSI GR NFV-SEC 003: "Network Functions Virtualisation (NFV); NFV Security; Security and
Trust Guidance".
[i.11] Void.
[i.12] TCG: "Virtualized Trusted Platform Architecture Specification", Version 1.0, Revision 0.26.
[i.13] NIST Special Publication (SP) 800-162: "Guide to Attribute Based Access Control (ABAC)
Definition and Considerations".
[i.14] ETSI TR 103 619: "CYBER; Migration strategies and recommendations to Quantum Safe
schemes".
[i.15] GSMA PQ.03: "Post Quantum Cryptography – Guidelines for Telecom Use Cases".
[i.16] NIST FIPS 203: "Module-Lattice-Based Key-Encapsulation Mechanism Standard".
[i.17] NIST FIPS 204: "Module-Lattice-Based Digital Signature Standard".
[i.18] NIST FIPS 205: "Stateless Hash-Based Digital Signature Standard".
[i.19] ETSI GR NFV 003: "Network Functions Virtualisation (NFV); Terminology for Main Concepts in
NFV".
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the terms given in ETSI GR NFV 003 [i.19] and the following apply:
host system: collection of hardware, software and firmware making up the compute node which executes workloads
workload: component of the NFV architecture that is virtualised in the context of a particular deployment
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the abbreviations given in ETSI GR NFV 003 [i.19] and the following apply:
ABAC Attribute-Based Access Control
CRQC Cryptographically Relevant Quantum Computer
DH Diffie-Hellman
DHE Diffie-Hellman Exchange
DSA Digital Signature Algorithm
ECDH Elliptic Curve Diffie-Hellman
ECDHE Elliptic Curve Diffie-Hellman Exchange
ECDSA Elliptic Curve Digital Signature Algorithm
ECP Elliptic Curve modulo a Prime
GMAC Galois Message Authentication Mode
HBRT Hardware-Based Root of Trust
ETSI
7 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

HMEE Hardware-Mediated Execution Enclave
HSM Hardware Security Module
ICV Integrity Check Value
IOMMU Input-Output Memory Management Unit
MANO MANagement and Orchestration
MODP More mODular exPonential
NIST National Institute of Standards and Technology
PKI Public Key Infrastructure
PRF Pseudo-Random Function
QKD Quantum Key Distribution
QRNG Quantum Random Number Generator
QSC Quantum-Safe Cryptography
RNG Random Number Generator
RSA Rivest-Shamir-Adleman
SSL Secure Sockets Layer
TCB Trusted Computing Base
TCG Trusted Platform Group
TLS Transport Layer Security
TPM Trusted Platform Module
4 Principles
4.1 Introduction
Trust, as defined in ETSI GR NFV-SEC 003 [i.10], is an important component of security. One weakness of software as
opposed to hardware, is that software can be copied in whole or in part. Trust that is rooted in software may be less
reliable than trust rooted in hardware, quickly, easily, and any number of times. For the particular case of sensitive
workloads that have to be trusted, only the highest assurance in the root of trust is considered acceptable, thus for the
purposes of the present document the root of trust shall be provided in hardware.
There is, however, a concomitant concern that when a device is subject to black box testing, it is impossible to
determine if the responses to interrogation come from hardware or software. To counter this, a NFVI vendor shall be
able to provide evidence on demand that the root of trust is a hardware element. The means by which the vendor
provides such evidence is not considered in the present document but should be mutually agreed between the vendor
and operator.
A vendor shall be able to provide evidence on demand to authorized parties of the security claims for the root of trust.
The means by which the vendor provides such evidence is not considered in the present document, but should be
rd
mutually agreed between the vendor and operator. An example of a 3 party assurance programme is Common Criteria
(defined in ISO/IEC 15408-1 [i.9]).
The host system, acting as a black box (closed) environment, shall provide access to authorized external entities only to
those capabilities identified in the authorization agreement.
5 Platform requirements
5.1 Core hardware requirements
1) The host system shall implement a Hardware-Based Root of Trust (HBRT) as Initial Root of Trust with the
following requirements:
- The HBRT shall be both physically and electronically tamper-resistant.
- The HBRT shall be both physically and electronically tamper-evident.
ETSI
8 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

- The HBRT physical and software interfaces between the HBRT and other hardware components of the
host system to which it directly communicates shall be protected from eavesdropping, manipulation,
replay or similar attacks.
- The level of resistance against attacks of the HBRT shall be verifiable and trustable using a certification
process.
- It shall be possible to restrict the booting procedure if assistance from the HBRT is not available or the
HBRT currently does not contain valid cryptographic material.
- Any tampering to the HBRT should lead to detectable degradation of its function.
- The HBRT shall be physically protected such that any attempts to remove or replace the HBRT shall
cause physical damage to both the HBRT and host system hardware to which the HBRT is attached,
rendering both inoperable.
- The HBRT shall be (physically and/or logically) bound to the host system, so that any attempt to remove
the HBRT will be detected and prevent normal operation of the host system.
- The HBRT shall include an Immutable Unique Identification value physically linked to the physical root
of trust that can be used as identification of the platform. This value shall be stored in a shielded location
protected from unauthorized use and disclosure.
- The HBRT shall provide capabilities to allow itself to be part of an attestation function.
- The host system shall have a mechanism to discover the tampered/non-tampered status of the HBRT.
- The host system shall have an interface to provide authorized external services with information about
the tampered/non-tampered status of the HBRT.
- The host system shall provide a mechanism to report to authorized external services when tamper events
occur.
- The HBRT shall implement a key management function with the requirements in the following bullet 2).
2) The host system shall implement a key management system which includes key generation, key storage, key
deletion and cryptographic processing with the following requirements:
- The cryptographic material shall be stored in a shielded location, protected against eavesdropping and
physical and environmental tampering.
- The key generation processing shall be protected against eavesdropping and physical and environmental
tampering.
- The key management system shall include an access right management to the sensitive data.
- The key management system shall ensure a complete deletion of outdated keys under deletion request.
- The key management system shall be scalable and ensure a high availability service.
- The key management system shall be remotely manageable to allow evolution, security strengthening,
and countermeasure deployment of the system.
The host system shall provide cryptographically separated secure environments to different applications.
5.2 Core software requirements
The following core software requirements are defined within the present document:
• Secure logging
• OS-level access control
• Logical authentication controls
ETSI
9 ETSI GS NFV-SEC 012 V5.3.1 (2025-08)

• Communications security (e.g. Confidentiality, Integrity, Availability, Non-repudiation)
• Secure firmware (e.g. BIOS) upgrade
• Secure remote management of keys, cryptographic algorithms and security services offered by the platform to
ensure ability of evolution, security strengthening, and countermeasure deployment
It shall be possible to restrict the booting procedure by preventing the running of workloads if assistance from the
HBRT is not available or the HBRT currently does not contain valid cryptographic material. The intent of this
requirement is to stop VNFs/VNFCIs being loaded onto possibly compromised hardware and to allow appropriate
mitigations to be put in place.
6 Lifecycle
6.1 Trust
...