ProtectionProfileforVirtualization

Version:1.12021-02-25

NationalInformationAssurancePartnership

RevisionHistory

Version Date Comment

1.0 2016-11-17 InitialPublication

1.1 2020-11-17 IncorporateTDs,ReferenceTLSPackage,AddEquivalencyGuidelines

Contents

1 Introduction1.1 Overview1.2 Terms1.2.1 CommonCriteriaTerms1.2.2 TechnicalTerms1.3 CompliantTargetsofEvaluation1.3.1 TOEBoundary1.3.2 RequirementsMetbythePlatform1.3.3 ScopeofCertification1.3.4 ProductandPlatformEquivalence1.4 UseCases2 ConformanceClaims3 SecurityProblemDescription3.1 Threats3.2 Assumptions3.3 OrganizationalSecurityPolicies4 SecurityObjectives4.1 SecurityObjectivesfortheTOE4.2 SecurityObjectivesfortheOperationalEnvironment4.3 SecurityObjectivesRationale5 SecurityRequirements5.1 SecurityFunctionalRequirements5.1.1 AuditableEventsforMandatorySFRs5.1.2 SecurityAudit(FAU)5.1.3 CryptographicSupport(FCS)5.1.4 UserDataProtection(FDP)5.1.5 IdentificationandAuthentication(FIA)5.1.6 SecurityManagement(FMT)5.1.7 ProtectionoftheTSF(FPT)5.1.8 TOEAccess(FTA)5.1.9 TrustedPath/Channel(FTP)5.1.10 TOESecurityFunctionalRequirementsRationale5.2 SecurityAssuranceRequirements5.2.1 ClassASE:SecurityTargetEvaluation5.2.2 ClassADV:Development5.2.3 ClassAGD:GuidanceDocuments5.2.4 ClassALC:Life-CycleSupport5.2.5 ClassATE:Tests5.2.6 ClassAVA:VulnerabilityAssessment

AppendixA- OptionalRequirementsA.1 StrictlyOptionalRequirementsA.1.1 AuditableEventsforStrictlyOptionalRequirementsA.1.2 SecurityAudit(FAU)A.1.3 ProtectionoftheTSF(FPT)A.2 ObjectiveRequirementsA.2.1 AuditableEventsforObjectiveRequirementsA.2.2 ProtectionoftheTSF(FPT)A.3 Implementation-basedRequirementsAppendixB- Selection-basedRequirementsB.1 AuditableEventsforSelection-basedRequirementsB.2 CryptographicSupport(FCS)B.3 IdentificationandAuthentication(FIA)B.4 ProtectionoftheTSF(FPT)B.5 TrustedPath/Channel(FTP)AppendixC- ExtendedComponentDefinitionsC.1 ExtendedComponentsTableC.2 ExtendedComponentDefinitionsAppendixD- ImplicitlySatisfiedRequirementsAppendixE- EntropyDocumentationandAssessmentE.1 DesignDescriptionE.2 EntropyJustificationE.3 OperatingConditions

E.4 HealthTestingAppendixF- EquivalencyGuidelinesF.1 IntroductionF.2 ApproachtoEquivalencyAnalysisF.3 SpecificGuidanceforDeterminingProductModelEquivalenceF.4 SpecificGuidanceforDeterminingProductVersionEquivalenceF.5 SpecificGuidanceforDeterminingPlatformEquivalenceF.5.1 HardwarePlatformEquivalenceF.5.2 SoftwarePlatformEquivalenceF.6 LevelofSpecificityforTestedConfigurationsandClaimedEquivalentConfigurationsAppendixG- ReferencesAppendixH- Acronyms

1Introduction

1.1OverviewThescopeofthisProtectionProfile(PP)istodescribethesecurityfunctionalityofvirtualizationtechnologiesintermsof[CC]andtodefinesecurityfunctionalandassurancerequirementsforsuchproducts.ThisPPisnotcompleteinitself,butratherprovidesasetofrequirementsthatarecommontothePP-ModulesforServerVirtualizationandforClientVirtualization.Thesecapabilitieshavebeenbrokenoutintothisgeneric‘base’PPduetothehighdegreeofsimilaritybetweenthetwoproducttypes.

Duetotheincreasingprevalenceofvirtualizationtechnologyinenterprisecomputingenvironmentsandtheshifttocloudcomputing,itisessentialtoensurethatthistechnologyisimplementedsecurelyinordertomitigatetheriskintroducedbysharingmultiplecomputersandtheirdataacrossasinglephysicalsystem.

1.2TermsThefollowingsectionslistCommonCriteriaandtechnologytermsusedinthisdocument.

1.2.1CommonCriteriaTerms

Assurance GroundsforconfidencethataTOEmeetstheSFRs[CC].

BaseProtectionProfile(Base-PP)

ProtectionProfileusedasabasistobuildaPP-Configuration.

CommonCriteria(CC)

CommonCriteriaforInformationTechnologySecurityEvaluation(InternationalStandardISO/IEC15408).

CommonCriteriaTestingLaboratory

WithinthecontextoftheCommonCriteriaEvaluationandValidationScheme(CCEVS),anITsecurityevaluationfacility,accreditedbytheNationalVoluntaryLaboratoryAccreditationProgram(NVLAP)andapprovedbytheNIAPValidationBodytoconductCommonCriteria-basedevaluations.

CommonEvaluationMethodology(CEM)

CommonEvaluationMethodologyforInformationTechnologySecurityEvaluation.

DistributedTOE

ATOEcomposedofmultiplecomponentsoperatingasalogicalwhole.

OperationalEnvironment(OE)

HardwareandsoftwarethatareoutsidetheTOEboundarythatsupporttheTOEfunctionalityandsecuritypolicy.

ProtectionProfile(PP)

Animplementation-independentsetofsecurityrequirementsforacategoryofproducts.

ProtectionProfileConfiguration(PP-Configuration)

AcomprehensivesetofsecurityrequirementsforaproducttypethatconsistsofatleastoneBase-PPandatleastonePP-Module.

ProtectionProfileModule(PP-Module)

Animplementation-independentstatementofsecurityneedsforaTOEtypecomplementarytooneormoreBaseProtectionProfiles.

SecurityAssuranceRequirement(SAR)

ArequirementtoassurethesecurityoftheTOE.

SecurityFunctionalRequirement(SFR)

ArequirementforsecurityenforcementbytheTOE.

SecurityTarget(ST)

Asetofimplementation-dependentsecurityrequirementsforaspecificproduct.

TOESecurityFunctionality(TSF)

Thesecurityfunctionalityoftheproductunderevaluation.

TOESummarySpecification(TSS)

AdescriptionofhowaTOEsatisfiestheSFRsinanST.

TargetofEvaluation(TOE)

Theproductunderevaluation.

1.2.2TechnicalTerms

Administrator AdministratorsperformmanagementactivitiesontheVS.ThesemanagementfunctionsdonotincludeadministrationofsoftwarerunningwithinGuestVMs,suchastheGuestOS.AdministratorsneednotbehumanasinthecaseofembeddedorheadlessVMs.AdministratorsareoftennothingmorethansoftwareentitiesthatoperatewithintheVM.

Auditor AuditorsareresponsibleformanagingtheauditcapabilitiesoftheTOE.AnAuditormayalsobeanAdministrator.ItisnotarequirementthattheTOEbecapableofsupportinganAuditorrolethatisseparatefromthatofanAdministrator.

Domain ADomainorInformationDomainisapolicyconstructthatgroupstogetherexecutionenvironmentsandnetworksbysensitivityofinformationandaccesscontrolpolicy.Forexample,classificationlevelsrepresentinformationdomains.Withinclassificationlevels,theremightbeotherdomainsrepresentingcommunitiesofinterestorcoalitions.InthecontextofaVS,informationdomainsaregenerallyimplementedascollectionsofVMsconnectedbyvirtualnetworks.TheVSitselfcanbeconsideredanInformationDomain,ascanitsManagementSubsystem.

GuestNetwork

SeeOperationalNetwork.

GuestOperatingSystem(OS)

AnoperatingsystemthatrunswithinaGuestVM.

GuestVM AGuestVMisaVMthatcontainsavirtualenvironmentfortheexecutionofanindependentcomputingsystem.Virtualenvironmentsexecutemissionworkloadsandimplementcustomer-specificclientorserverfunctionalityinGuestVMs,suchasawebserverordesktopproductivityapplications.

HelperVM AHelperVMisaVMthatperformsservicesonbehalfofoneormoreGuestVMs,butdoesnotqualifyasaServiceVM—andthereforeisnotpartoftheVMM.HelperVMsimplementfunctionsorservicesthatareparticulartotheworkloadsofGuestVMs.Forexample,aVMthatprovidesavirusscanningserviceforaGuestVMwouldbeconsideredaHelperVM.Forthepurposesofthisdocument,HelperVMsareconsideredatypeofGuestVM,andarethereforesubjecttoallthesamerequirements,unlessspecificallystatedotherwise.

HostOperatingSystem(OS)

AnoperatingsystemontowhichaVSisinstalled.RelativetotheVS,theHostOSispartofthePlatform.

Hypercall AnAPIfunctionthatallowsVM-awaresoftwarerunningwithinaVMtoinvokeVMMfunctionality.

Hypervisor TheHypervisorispartoftheVMM.ItisthesoftwareexecutiveofthephysicalplatformofaVS.AHypervisor’sprimaryfunctionistomediateaccesstoallCPUandmemoryresources,butitisalsoresponsibleforeitherthedirectmanagementorthedelegationofthemanagementofallotherhardwaredevicesonthehardwareplatform.

InformationDomain

SeeDomain.

Introspection Acapabilitythatallowsaspeciallydesignatedandprivilegeddomaintohavevisibilityintoanotherdomainforpurposesofanomalydetectionormonitoring.

ManagementNetwork

Anetwork,whichmayhavebothphysicalandvirtualizedcomponents,usedtomanageandadministeraVS.ManagementnetworksincludenetworksusedbyVSAdministratorstocommunicatewithmanagementcomponentsoftheVS,andnetworksusedbytheVSforcommunicationsbetweenVScomponents.Forpurposesofthisdocument,networksthatconnectphysicalhostsforpurposesofVMtransferorcoordinate,andbackendstoragenetworksareconsideredmanagementnetworks.

ManagementSubsystem

ComponentsoftheVSthatallowVSAdministratorstoconfigureandmanagetheVMM,aswellasconfigureGuestVMs.VMMmanagementfunctionsincludeVMconfiguration,virtualizednetworkconfiguration,andallocationofphysicalresources.

OperationalNetwork

AnOperationalNetworkisanetwork,whichmayhavebothphysicalandvirtualizedcomponents,usedtoconnectGuestVMstoeachotherandpotentiallytootherentitiesoutsideoftheVS.OperationalNetworkssupportmissionworkloadsandcustomer-specificclientorserverfunctionality.Alsocalleda“GuestNetwork.”

PhysicalPlatform

ThehardwareenvironmentonwhichaVSexecutes.Physicalplatformresourcesincludeprocessors,memory,devices,andassociatedfirmware.

Platform Thehardware,firmware,andsoftwareenvironmentintowhichaVSisinstalledandexecutes.

ServiceVM AServiceVMisaVMwhosepurposeistosupporttheHypervisorinprovidingtheresourcesorservicesnecessarytosupportGuestVMs.ServiceVMsmayimplementsomeportionofHypervisorfunctionality,butalsomaycontainimportantsystemfunctionalitythatisnotnecessaryforHypervisoroperation.AswithanyVM,ServiceVMsnecessarilyexecutewithoutfullHypervisorprivileges—onlytheprivilegesrequiredtoperformitsdesignedfunctionality.ExamplesofServiceVMsincludedevicedriverVMsthatmanageaccesstoaphysicaldevices,andname-serviceVMsthathelpestablishcommunicationpathsbetweenVMs.

SystemSecurityPolicy(SSP)

TheoverallpolicyenforcedbytheVSdefiningconstraintsonthebehaviorofVMsandusers.

User UsersoperateGuestVMsandaresubjecttoconfigurationpoliciesappliedtotheVSbyAdministrators.UsersneednotbehumanasinthecaseofembeddedorheadlessVMs,usersareoftennothingmorethansoftwareentitiesthatoperatewithintheVM.

VirtualMachine(VM)

AVirtualMachineisavirtualizedhardwareenvironmentinwhichanoperatingsystemmayexecute.

VirtualMachineManager(VMM)

AVMMisacollectionofsoftwarecomponentsresponsibleforenablingVMstofunctionasexpectedbythesoftwareexecutingwithinthem.Generally,theVMMconsistsofaHypervisor,ServiceVMs,andothercomponentsoftheVS,suchasvirtualdevices,binarytranslationsystems,andphysicaldevicedrivers.ItmanagesconcurrentexecutionofallVMsandvirtualizesplatformresourcesasneeded.

VirtualizationSystem(VS)

Asoftwareproductthatenablesmultipleindependentcomputingsystemstoexecuteonthesamephysicalhardwareplatformwithoutinterferencefromoneother.Forthepurposesofthisdocument,theVSconsistsofaVirtualMachineManager(VMM),VirtualMachineabstractions,amanagementsubsystem,andothercomponents.

1.3CompliantTargetsofEvaluationAVirtualizationSystem(VS)isasoftwareproductthatenablesmultipleindependentcomputingsystemstoexecuteonthesamephysicalhardwareplatformwithoutinterferencefromoneother.AVScreatesavirtualizedhardwareenvironment(virtualmachinesorVMs)foreachinstanceofanoperatingsystempermittingtheseenvironmentstoexecuteconcurrentlywhilemaintainingisolationandtheappearanceofexclusivecontroloverassignedcomputingresources.Forthepurposesofthisdocument,theVSconsistsofaVirtualMachineManager(VMM),VirtualMachine(VM)abstractions,amanagementsubsystem,andothercomponents.

AVMMisacollectionofsoftwarecomponentsresponsibleforenablingVMstofunctionasexpectedbythesoftwareexecutingwithinthem.Generally,theVMMconsistsofaHypervisor,ServiceVMs,andothercomponentsoftheVS,suchasvirtualdevices,binarytranslationsystems,andphysicaldevicedrivers.ItmanagesconcurrentexecutionofallVMsandvirtualizesplatformresourcesasneeded.

TheHypervisoristhesoftwareexecutiveofthephysicalplatformofaVS.AhypervisoroperatesatthehighestCPUprivilegelevelandmanagesaccesstoallofthephysicalresourcesofthehardwareplatform.Itexportsawell-defined,protectedinterfaceforaccesstotheresourcesitmanages.AHypervisor’sprimaryfunctionistomediateaccesstoallCPUandmemoryresources,butitisalsoresponsibleforeitherthedirectmanagementorthedelegationofthemanagementofallotherhardwaredevicesonthehardwareplatform.ThisdocumentdoesnotspecifyanyHypervisor-specificrequirements,thoughmanyVMMrequirementswouldnaturallyapplytoaHypervisor.

AServiceVMisaVMwhosepurposeistosupporttheHypervisorinprovidingtheresourcesorservicesnecessarytosupportGuestVMs.ServiceVMsmayimplementsomeportionofHypervisorfunctionality,butalsomaycontainimportantsystemfunctionalitythatisnotnecessaryforHypervisoroperation.AswithanyVM,ServiceVMsnecessarilyexecutewithoutfullHypervisorprivileges—onlytheprivilegesrequiredto

performitsdesignedfunctionality.ExamplesofServiceVMsincludedevicedriverVMsthatmanageaccesstophysicaldevices,andname-serviceVMsthathelpestablishcommunicationpathsbetweenVMs.

AGuestVMisaVMthatcontainsavirtualenvironmentfortheexecutionofanindependentcomputingsystem.Virtualenvironmentsexecutemissionworkloadsandimplementcustomer-specificclientorserverfunctionalityinGuestVMs,suchasawebserverordesktopproductivityapplications.AHelperVMisaVMthatperformsservicesonbehalfofoneormoreGuestVMs,butdoesnotqualifyasaServiceVM—andthereforeisnotpartoftheVMM.HelperVMsimplementfunctionsorservicesthatareparticulartotheworkloadsofGuestVMs.Forexample,aVMthatprovidesavirusscanningserviceforaGuestVMwouldbeconsideredaHelperVM.ThelinebetweenHelperandServiceVMscaneasilybeblurred.Forinstance,aVMthatimplementsacryptographicfunction—suchasanin-lineencryptionVM—couldbeidentifiedaseitheraServiceorHelperVMdependingontheparticularvirtualizationsolution.IfthecryptographicfunctionsarenecessaryonlyfortheprivacyofGuestVMdatainsupportoftheGuest’smissionapplications,itwouldbepropertoclassifytheencryptionVMasaHelper.ButiftheencryptionVMisnecessaryfortheVMMtoisolateGuestVMs,itwouldbepropertoclassifytheencryptionVMasaServiceVM.Forthepurposesofthisdocument,HelperVMsaresubjecttoallrequirementsthatapplytoGuestVMs,unlessspecificallystatedotherwise.

1.3.1TOEBoundaryFigure1showsagreatlysimplifiedviewofagenericVirtualizationSystemandPlatform.TOEcomponentsaredisplayedinRed.Non-TOEcomponentsareinBlue.ThePlatformisthehardware,firmware,andsoftwareontowhichtheVSisinstalled.TheVMMincludestheHypervisor,ServiceVMs,andVMcontainers,butnotthesoftwarethatrunsinsideGuestVMsorHelperVMs.TheManagementSubsystemispartoftheTOE,butmayormaynotbepartoftheVMM.

Figure1:VirtualizationSystemandPlatform

ForpurposesofthisProtectionProfile,theVirtualizationSystemistheTOE,subjecttosomecaveats.ThePlatformontowhichtheVSisinstalled(whichincludeshardware,platformfirmware,andHostOperatingSystem)isnotpartoftheTOE.SoftwareinstalledwiththeVSontheHostOSspecificallytosupporttheVSorimplementVSfunctionalityispartoftheTOE.Generalpurposesoftware—suchasdevicedriversforphysicaldevicesandtheHostOSitself—isnotpartoftheTOE,regardlessofwhetheritsupportsVSfunctionalityorrunsinsideaServiceVMorcontroldomain.SoftwarethatrunswithinGuestandHelperVMsisnotpartoftheTOE.

Ingeneral,forvirtualizationproductsthatareinstalledonto“baremetal,”theentiresetofinstalledcomponentsconstitutetheTOE,andthehardwareconstitutesthePlatform.Alsoingeneral,forproductsthatarehostedbyorintegratedintoacommodityoperatingsystem,thecomponentsinstalledexpresslyforimplementingandsupportingvirtualizationareintheTOE,andthePlatformcomprisesthehardwareandHostOS.

1.3.2RequirementsMetbythePlatformDependingonthewaytheVSisinstalled,functionstestedunderthisPPmaybeimplementedbytheTOEorbythePlatform.ThereisnodifferenceinthetestingrequiredwhetherthefunctionisimplementedbytheTOEorbythePlatform.Ineithercase,thetestsdeterminewhetherthefunctionbeingtestedprovidesalevelofassuranceacceptabletomeetthegoalsofthisProfilewithrespecttoaparticularproductandplatform.TheequivalencyguidelinesareintendedinparttoaddressthisTOEvs.Platformdistinction,andtoensurethattheassuranceleveldoesnotchangebetweeninstancesofequivalentproductsonequivalentplatforms—andalso,ofcourse,toensurethattheappropriatetestingisdonewhenthedistinctionissignificant.-->

1.3.3ScopeofCertificationSuccessfulevaluationofaVirtualizationSystemagainstthisprofiledoesnotconstituteorimplysuccessfulevaluationofanyHostOperatingSystemorPlatform—nomatterhowtightlyintegratedwiththeVS.ThePlatform,includinganyHostOS,supportstheVSthroughprovisionofservicesandresources.SpecializedVScomponentsinstalledonorinaHostOStosupporttheVSmaybeconsideredpartoftheTOE.Butgeneral-purposeOScomponentsandfunctions—whetherornottheysupporttheVS—arenotpartoftheTOE,andthusarenotevaluatedunderthisPP.

1.3.4ProductandPlatformEquivalence

ThetestsinthisProtectionProfilemustberunonallproductversionsandPlatformswithwhichtheVendorwouldliketoclaimcompliance—subjecttothisProfile’sequivalencyguidelines(seeAppendixF-EquivalencyGuidelines).

1.4UseCasesThisbasePPdoesnotdefineanyusecasesforvirtualizationtechnology.ClientVirtualizationandServerVirtualizationproductshavedifferentusecasesandsothesearedefinedintheirrespectivePP-Modules.

2ConformanceClaimsConformanceStatement

AnSTmustclaimexactconformancetothisPP,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).

CCConformanceClaimsThisPPisconformanttoParts2(extended)and3(conformant)ofCommonCriteriaVersion3.1,Revision5.

PPClaimThisPPdoesnotclaimconformancetoanyProtectionProfile.

PackageClaimThisPPisNetworkEncryption(TLS)Package,Version1.1ConformantandSecureShell(SSH)Package,Version1.0Conformant.

ConformanceStatementASecurityTargetmustclaimexactconformancetothisProtectionProfile,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).

CCConformanceClaimsThisPPisconformanttoParts2(extended)and3(conformant)ofCommonCriteriaVersion3.1,Release5[CC].

PPClaimsThisPPdoesnotclaimconformancetoanyotherPP.

ModuleClaimOneormoreofthefollowingmodulesmustbespecifiedinaPP-ConfigurationwiththisPP.

PP-ModuleforClientVirtualization,Version1.1PP-ModuleforServerVirtualization,Version1.1

PackageClaimsThisPPisFunctionalPackageforTLS-conformant.

3SecurityProblemDescription

3.1ThreatsT.DATA_LEAKAGE

ItisafundamentalpropertyofVMsthatthedomainsencapsulatedbydifferentVMsremainseparateunlessdatasharingispermittedbypolicy.Forthisreason,allVirtualizationSystemsshallsupportapolicythatprohibitsinformationtransferbetweenVMs.

ItshallbepossibletoconfigureVMssuchthatdatacannotbemovedbetweendomainsfromVMtoVM,orthroughvirtualorphysicalnetworkcomponentsunderthecontroloftheVS.WhenVMsareconfiguredassuch,itshallnotbepossiblefordatatoleakbetweendomains,neitherbytheexpresseffortsofsoftwareorusersofaVM,norbecauseofvulnerabilitiesorerrorsintheimplementationoftheVMMorotherVScomponents.

Ifitispossiblefordatatoleakbetweendomainswhenprohibitedbypolicy,thenanadversaryononedomainornetworkcanobtaindatafromanotherdomain.Suchcross-domaindataleakagecan,forexample,causeclassifiedinformation,corporateproprietaryinformation,orpersonallyidentifiableinformationtobemadeaccessibletounauthorizedentities.

T.UNAUTHORIZED_UPDATEItiscommonforattackerstotargetoutdatedversionsofsoftwarecontainingknownflaws.ThismeansitisextremelyimportanttoupdateVSsoftwareassoonaspossiblewhenupdatesareavailable.Butthesourceoftheupdatesandtheupdatesthemselvesmustbetrusted.IfanattackercanwritetheirownupdatecontainingmaliciouscodetheycantakecontroloftheVS.

T.UNAUTHORIZED_MODIFICATIONSystemintegrityisacoresecurityobjectiveforVirtualizationSystems.Toachievesystemintegrity,theintegrityofeachVMMcomponentmustbeestablishedandmaintained.MalwarerunningontheplatformmustnotbeabletoundetectablymodifyVScomponentswhilethesystemisrunningoratrest.Likewise,maliciouscoderunningwithinavirtualmachinemustnotbeabletomodifyVirtualizationSystemcomponents.

T.USER_ERRORIfaVirtualizationSystemiscapableofsimultaneouslydisplayingVMsofdifferentdomainstothesameuseratthesametime,thereisalwaysthechancethattheuserwillbecomeconfusedandunintentionallyleakinformationbetweendomains.ThisisespeciallylikelyifVMsbelongingtodifferentdomainsareindistinguishable.Maliciouscodemayalsoattempttointerferewiththeuser’sabilitytodistinguishbetweendomains.TheVSmusttakemeasurestominimizethelikelihoodofsuchconfusion.

T.3P_SOFTWAREInsomeVSimplementations,functionscriticaltothesecuityoftheTOEarebynecessityperformedbysoftwarenotproducedbythevirtualizationvendor.Suchsoftwaremayincludephysicaldevicedrivers,andevennon-TOEentitiessuchasHostOperatingSystems.SincethissoftwarehasthesameorsimilarprivilegelevelastheVS,vulnerabilitiescanbeexploitedbyanadversarytocompromisetheVSandVMs.Wherepossible,theVSshouldmitigatetheresultsofpotentialvulnerabilitiesormaliciouscontentinthird-partycodeonwhichitrelies.Forexample,physicaldevicedrivers(potentiallytheHostOS)couldbeencapsulatedwithinVMsinordertolimittheeffectsofcompromise.

T.VMM_COMPROMISETheVSisdesignedtoprovidetheappearanceofexclusivitytotheVMsandisdesignedtoseparateorisolatetheirfunctionsexceptwherespecificallyshared.FailureofsecuritymechanismscouldleadtounauthorizedintrusionintoormodificationoftheVMM,orbypassoftheVMMaltogether,bynon-TOEsoftware,suchasthatrunninginGuestorHelperVMsoronthehostplatform.ThismustbepreventedtoavoidcompromisingtheVS.

T.PLATFORM_COMPROMISETheVSmustbecapableofprotectingtheplatformfromthreatsthatoriginatewithinVMsandoperationalnetworksconnectedtotheVS.Thehostingofuntrusted—evenmalicious—domainsbytheVScannotbepermittedtocompromisethesecurityandintegrityoftheplatformonwhichtheVSexecutes.IfanattackercanaccesstheunderlyingplatforminamannernotcontrolledbytheVMM,theattackermightbeabletomodifysystemfirmwareorsoftware—compromisingboththeVSandtheunderlyingplatform.

T.UNAUTHORIZED_ACCESSFunctionsperformedbythemanagementlayerincludeVMconfiguration,virtualizednetworkconfiguration,allocationofphysicalresources,andreporting.Onlycertainauthorizedsystemusers(administrators)areallowedtoexercisemanagementfunctions.

VirtualizationSystemsareoftenmanagedremotelyovercommunicationnetworks.Membersofthesenetworkscanbebothgeographicallyandlogicallyseparatedfromeachother,andpassthroughavarietyofothersystemswhichmaybeunderthecontrolofanadversary,andoffertheopportunityforcommunicationstobecompromised.Anadversarywithaccesstoanopenmanagementnetworkcouldinjectcommandsintothemanagementinfrastructure.Thiswouldprovideanadversarywithadministratorprivilegeontheplatform,andadministrativecontrolovertheVMsandvirtualnetwork

connections.Theadversarycouldalsogainaccesstothemanagementnetworkbyhijackingthemanagementnetworkchannel.

T.WEAK_CRYPTOTotheextentthatVMsappearisolatedwithintheVS,athreatofweakcryptographymayariseiftheVMMdoesnotprovidegoodentropytosupportsecurity-relatedfeaturesthatdependonentropytoimplementcryptographicalgorithms.Forexample,arandomnumbergeneratorkeepsanestimateofthenumberofbitsofnoiseintheentropypool.Fromthisentropypoolrandomnumbersarecreated.Goodrandomnumbersareessentialtoimplementingstrongcryptography.Cryptographyimplementedusingpoorrandomnumberscanbedefeatedbyasophisticatedadversary.SuchdefeatcanresultinthecompromiseofGuestVMdataandcredentials,andofVSdataandcredentials,andcanenableanauthorizedaccesstotheVSorVMs.

T.UNPATCHED_SOFTWAREVulnerabilitiesinoutdatedorunpatchedsoftwarecanbeexploitedbyadversariestocompromisetheVSorplatform.

T.MISCONFIGURATIONTheVSmaybemisconfigured,whichcouldimpactitsfunctioningandsecurity.Thismisconfigurationcouldbeduetoanadministrativeerrorortheuseoffaultyconfigurationdata.

T.DENIAL_OF_SERVICEAVMmayblockothersfromsystemresources(e.g.,systemmemory,persistentstorage,andprocessingtime)viaaresourceexhaustionattack.

3.2AssumptionsA.PLATFORM_INTEGRITY

TheplatformhasnotbeencompromisedpriortoinstallationoftheVS.

A.PHYSICALPhysicalsecuritycommensuratewiththevalueoftheTOEandthedataitcontainsisassumedtobeprovidedbytheenvironment.

A.TRUSTED_ADMINTOEAdministratorsaretrustedtofollowandapplyalladministratorguidance.

A.COVERT_CHANNELSThereissufficientassurancerelativetothevalueoftheVM’sITassetstoaddresstheriskofcovertstorageandtimingchannelstotheVMsexecutingontheTOE.

A.NON_MALICIOUS_USERTheuseroftheVSisnotwillfullynegligentorhostile,andusestheVSincompliancewiththeappliedenterprisesecuritypolicyandguidance.Atthesametime,maliciousapplicationscouldactastheuser,sorequirementswhichconfinemaliciousapplicationsarestillinscope.

3.3OrganizationalSecurityPoliciesTherearenoorganizationalsecuritypoliciesdefinedforthisPP.

4SecurityObjectives

4.1SecurityObjectivesfortheTOEO.VM_ISOLATION

VMsarethefundamentalsubjectofthesystem.TheVMMisresponsibleforapplyingthesystemsecuritypolicy(SSP)totheVMandallresources.Asbasicfunctionality,theVMMmustsupportasecuritypolicythatmandatesnoinformationtransferbetweenVMs.

TheVMMmustsupportthenecessarymechanismstoisolatetheresourcesofallVMs.TheVMMpartitionsaplatform'sphysicalresourcesforusebythesupportedvirtualenvironments.Dependingoncustomerrequirements,aVMmayneedacompletelyisolatedenvironmentwithexclusiveaccesstosystemresources,orsharesomeofitsresourceswithotherVMs.ItmustbepossibletoenforceasecuritypolicythatprohibitsthetransferofdatabetweenVMsthroughshareddevices.WhentheplatformsecuritypolicyallowsthesharingofresourcesacrossVMboundaries,theVMMmustensurethatallaccesstothoseresourcesisconsistentwiththepolicy.TheVMMmaydelegatetheresponsibilityforthemediationofsharingofparticularresourcestoselectServiceVMs;howeverindoingso,itremainsresponsibleformediatingaccesstotheServiceVMs,andeachServiceVMmustmediateallaccesstoanysharedresourcethathasbeendelegatedtoitinaccordancewiththeSSP.

Devices,whethervirtualorphysical,areresourcesrequiringaccesscontrol.TheVMMmustenforceaccesscontrolinaccordancetosystemsecuritypolicy.PhysicaldevicesareplatformdeviceswithaccessmediatedviatheVMMpertheO.VMM_Integrityobjective.Virtualdevicesmayincludevirtualstoragedevicesandvirtualnetworkdevices.SomeoftheaccesscontrolrestrictionsmustbeenforcedinternaltoServiceVMs,asmaybethecaseforisolatingvirtualnetworks.VMMsmayalsoexposepurelyvirtualinterfaces.TheseareVMMspecific,andwhiletheyarenotanalogoustoaphysicaldevice,theyarealsosubjecttoaccesscontrol.

TheVMMmustsupportthemechanismstoisolateallresourcesassociatedwithvirtualnetworksandtolimitaVM'saccesstoonlythosevirtualnetworksforwhichithasbeenconfigured.TheVMMmustalsosupportthemechanismstocontroltheconfigurationsofvirtualnetworksaccordingtotheSSP.

O.VMM_INTEGRITYIntegrityisacoresecurityobjectiveforVirtualizationSystems.Toachievesystemintegrity,theintegrityofeachVMMcomponentmustbeestablishedandmaintained.ThisobjectiveconcernsonlytheintegrityoftheVS—nottheintegrityofsoftwarerunninginsideofGuestVMsorofthephysicalplatform.TheoverallobjectiveistoensuretheintegrityofcriticalcomponentsofaVS.

InitialintegrityofaVScanbeestablishedthroughmechanismssuchasadigitallysignedinstallationorupdatepackage,orthroughintegritymeasurementsmadeatlaunch.IntegrityismaintainedinarunningsystembycarefulprotectionoftheVMMfromuntrustedusersandsoftware.Forexample,itmustnotbepossibleforsoftwarerunningwithinaGuestVMtoexploitavulnerabilityinadeviceorhypercallinterfaceandgaincontroloftheVMM.Thevendormustreleasepatchesforvulnerabilitiesassoonaspracticableafterdiscovery.

O.PLATFORM_INTEGRITYTheintegrityoftheVMMdependsontheintegrityofthehardwareandsoftwareonwhichtheVMMrelies.AlthoughtheVSdoesnothavecompletecontrolovertheintegrityoftheplatform,theVSshouldasmuchaspossibletrytoensurethatnousersorsoftwarehostedbytheVSiscapableofunderminingtheintegrityoftheplatform.

O.DOMAIN_INTEGRITYWhiletheVSisnotresponsibleforthecontentsorcorrectfunctioningofsoftwarethatrunswithinGuestVMs,itisresponsibleforensuringthatthecorrectfunctioningofthesoftwarewithinaGuestVMisnotinterferedwithbyotherVMs.

O.MANAGEMENT_ACCESSVMMmanagementfunctionsincludeVMconfiguration,virtualizednetworkconfiguration,allocationofphysicalresources,andreporting.Onlycertainauthorizedsystemusers(administrators)areallowedtoexercisemanagementfunctions.

BecauseoftheprivilegesexercisedbytheVMMmanagementfunctions,itmustnotbepossiblefortheVMM’smanagementcomponentstobecompromisedwithoutadministratornotification.Thismeansthatunauthorizeduserscannotbepermittedaccesstothemanagementfunctions,andthemanagementcomponentsmustnotbeinterferedwithbyGuestVMsorunprivilegedusersonothernetworks—includingoperationalnetworksconnectedtotheTOE.

VMMsincludeasetofmanagementfunctionsthatcollectivelyallowadministratorstoconfigureandmanagetheVMM,aswellasconfigureGuestVMs.ThesemanagementfunctionsarespecifictotheVS,distinctfromanyothermanagementfunctionsthatmightexistfortheinternalmanagementofanygivenGuestVM.TheseVMMmanagementfunctionsareprivileged,withthesecurityoftheentiresystemrelyingontheirproperuse.TheVMMmanagementfunctionscanbeclassifiedintodifferentcategoriesandthepolicyfortheiruseandtheimpacttosecuritymayvaryaccordingly.

ThemanagementfunctionsmightbedistributedthroughouttheVMM(withintheVMMandServiceVMs).TheVMMmustsupportthenecessarymechanismstoenablethecontrolofallmanagementfunctionsaccordingtothesystemsecuritypolicy.WhenamanagementfunctionisdistributedamongmultipleServiceVMs,theVMsmustbeprotectedusingthesecuritymechanismsoftheHypervisorandanyServiceVMsinvolvedtoensurethattheintentofthesystemsecuritypolicyisnotcompromised.Additionally,sincehypercallspermitGuestVMstoinvoketheHypervisor,andoftenallowthepassingofdatatotheHypervisor,itisimportantthatthehypercallinterfaceiswell-guardedandthatallparametersbevalidated.

TheVMMmaintainsconfigurationdataforeveryVMonthesystem.Thisconfigurationdata,whetherofServiceorGuestVMs,mustbeprotected.Themechanismsusedtoestablish,modifyandverifyconfigurationdataarepartoftheVSmanagementfunctionsandmustbeprotectedassuch.TheproperinternalconfigurationofServiceVMsthatprovidecriticalsecurityfunctionscanalsogreatlyimpactVSsecurity.Theseconfigurationsmustalsobeprotected.InternalconfigurationofGuestVMsshouldnotimpactoverallVSsecurity.TheoverallgoalistoensurethattheVMM,includingtheenvironmentsinternaltoServiceVMs,isproperlyconfiguredandthatallGuestVMconfigurationsaremaintainedconsistentwiththesystemsecuritypolicythroughouttheirlifecycle.

VirtualizationSystemsareoftenmanagedremotely.Forexample,anadministratorcanremotelyupdatevirtualizationsoftware,startandshutdownVMs,andmanagevirtualizednetworkconnections.Ifaconsoleisrequired,itcouldberunonaseparatemachineoritcoulditselfruninaVM.Whenperformingremotemanagement,anadministratormustcommunicatewithaprivilegedmanagementagentoveranetwork.CommunicationswiththemanagementinfrastructuremustbeprotectedfromGuestVMsandoperationalnetworks.

O.PATCHED_SOFTWARETheVSmustbeupdatedandpatchedwhenneededinordertopreventthepotentialcompromiseoftheVMM,aswellasthenetworksandVMsthatithosts.Identifyingandapplyingneededupdatesmustbeanormalpartoftheoperatingproceduretoensurethatpatchesareappliedinatimelyandthoroughmanner.Inordertofacilitatethis,theVSmustsupportstandardsandprotocolsthathelpenhancethemanageabilityoftheVSasanITproduct,enablingittobeintegratedaspartofamanageablenetwork(e.g.,reportingcurrentpatchlevelandpatchability).

O.VM_ENTROPYVMsmusthaveaccesstogoodentropysourcestosupportsecurity-relatedfeaturesthatimplementcryptographicalgorithms.Forexample,inordertofunctionasmembersofoperationalnetworks,VMsmustbeabletocommunicatesecurelywithothernetworkentities—whethervirtualorphysical.Theymustthereforehaveaccesstosourcesofgoodentropytosupportthatsecurecommunication.

O.AUDITAnauditlogmustbecreatedthatcapturesaccessestotheobjectstheTOEprotects.Thelogoftheseaccesses,orauditevents,mustbeprotectedfrommodification,unauthorizedaccess,anddestruction.Theauditlogmustbesufficientlydetailedtoindicatethedateandtimeoftheevent,theidentifyoftheuser,thetypeofevent,andthesuccessorfailureoftheevent.

O.CORRECTLY_APPLIED_CONFIGURATIONTheTOEmustnotapplyconfigurationsthatviolatethecurrentsecuritypolicy.

TheTOEmustcorrectlyapplyconfigurationsandpoliciestonewlycreatedGuestVM,aswellastoexistingGuestVMswhenapplicableconfigurationorpolicychangesaremade.Allchangestoconfigurationandtopolicymustconformtotheexistingsecuritypolicy.Similarly,changesmadetotheconfigurationoftheTOEitselfmustnotviolatetheexistingsecuritypolicy.

O.RESOURCE_ALLOCATIONTheTOEwillprovidemechanismsthatenforceconstraintsontheallocationofsystemresourcesinaccordancewithexistingsecuritypolicy.

4.2SecurityObjectivesfortheOperationalEnvironmentOE.CONFIG

TOEadministratorswillconfiguretheVScorrectlytocreatetheintendedsecuritypolicy.

OE.PHYSICALPhysicalsecurity,commensuratewiththevalueoftheTOEandthedataitcontains,isprovidedbytheenvironment.

OE.TRUSTED_ADMINTOEAdministratorsaretrustedtofollowandapplyalladministratorguidanceinatrustedmanner.

OE.COVERT_CHANNELSIftheTOEhascovertstorageortimingchannels,thenforallVMsexecutingonthatTOE,itisassumedthatthoseVMswillhavesufficientassurancerelativetotheITassetstowhichtheyhaveaccess,tooutweightheriskthattheywillviolatethesecuritypolicyoftheTOEbyusingthosecovertchannels.

OE.NON_MALICIOUS_USERUsersaretrustedtobenotwillfullynegligentorhostileandusetheVSincompliancewiththeappliedenterprisesecuritypolicyandguidance.

4.3SecurityObjectivesRationaleThissectiondescribeshowtheassumptions,threats,andorganizationsecuritypoliciesmaptothesecurityobjectives.

Table1:SecurityObjectivesRationaleThreat,Assumption,orOSP SecurityObjectives Rationale

T.DATA_LEAKAGE O.VM_ISOLATION LogicalseparationofVMsandenforcementofdomainintegritypreventunauthorizedtransmissionofdatafromoneVMtoanother.

O.DOMAIN_INTEGRITY LogicalseparationofVMsandenforcementofdomainintegritypreventunauthorizedtransmissionofdatafromoneVMtoanother.

T.UNAUTHORIZED_UPDATE O.VMM_INTEGRITY SystemintegritypreventstheTOEfrominstallingasoftwarepatchcontainingunknownandpotentiallymaliciouscode.

T.UNAUTHORIZED_MODIFICATION O.VMM_INTEGRITY EnforcementofVMMintegritypreventsthebypassofenforcementmechanismsandauditingensuresthatabuseoflegitimateauthoritycanbedetected.

O.AUDIT EnforcementofVMMintegritypreventsthebypassofenforcementmechanismsandauditingensuresthatabuseoflegitimateauthoritycanbedetected.

T.USER_ERROR O.VM_ISOLATION IsolationofVMsincludesclearattributionofthoseVMstotheirrespectivedomainswhichreducesthelikelihoodthatauserinadvertentlyinputsortransfersdatameantforoneVMintoanother.

T.3P_SOFTWARE O.VMM_INTEGRITY TheVMMintegritymechanismsincludeenvironment-basedvulnerabilitymitigationandpotentiallysupportforintrospectionanddevicedriverisolation,allofwhichreducethelikelihood

thatanyvulnerabilitiesinthird-partysoftwarecanbeusedtoexploittheTOE.

T.VMM_COMPROMISE O.VMM_INTEGRITY MaintainingtheintegrityoftheVMMandensuringthatVMsexecuteinisolateddomainsmitigatetheriskthattheVMMcanbecompromisedorbypassed.

O.VM_ISOLATION MaintainingtheintegrityoftheVMMandensuringthatVMsexecuteinisolateddomainsmitigatetheriskthattheVMMcanbecompromisedorbypassed.

T.PLATFORM_COMPROMISE O.PLATFORM_INTEGRITY PlatformintegritymechanismsusedbytheTOEreducetheriskthatanattackercan‘breakout’ofaVMandaffecttheplatformonwhichtheVSisrunning.

T.UNAUTHORIZED_ACCESS O.MANAGEMENT_ACCESS EnsuringthatTSFmanagementfunctionscannotbeexecutedwithoutauthorizationpreventsuntrustedsubjectsfrommodifyingthebehavioroftheTOEinanunanticipatedmanner.

T.WEAK_CRYPTO O.VM_ENTROPY AcquisitionofgoodentropyisnecessarytosupporttheTOE'ssecurity-relatedcryptographicalgorithms.

T.UNPATCHED_SOFTWARE O.PATCHED_SOFTWARE TheabilitytopatchtheTOEsoftwareensuresthatprotectionsagainstvulnerabilitiescanbeappliedastheybecomeavailable.

T.MISCONFIGURATION O.CORRECTLY_APPLIED_CONFIGURATION Mechanismstopreventtheapplicationofconfigurationsthatviolatethecurrentsecuritypolicyhelppreventmisconfigurations.

T.DENIAL_OF_SERVICE O.RESOURCE_ALLOCATION TheabilityoftheTSFtoensuretheproperallocationofresourcesmakes

denialofserviceattacksmoredifficult.

A.PLATFORM_INTEGRITY OE.PHYSICAL IftheunderlyingplatformhasnotbeencompromisedpriortoinstallationoftheTOE,itsintegritycanbeassumedtobeintact.

A.PHYSICAL OE.PHYSICAL IftheTOEisdeployedinalocationthathasappropriatephysicalsafeguards,itcanbeassumedtobephysicallysecure.

A.TRUSTED_ADMIN OE.TRUSTED_ADMIN Providingguidancetoadministratorsandensuringthatindividualsareproperlytrainedandvettedbeforebeinggivenadministrativeresponsibilitieswillensurethattheyaretrusted.

A.COVERT_CHANNELS OE.COVERT_CHANNELS ItisexpectedthatthevalueofanydatacontainedwithinVMsiscommensuratewiththesecurityprovidedbytheTOE,whichincludesanyvulnerabilitiesduetothepotentialpresenceofcovertstorageortimingchannels.

A.NON_MALICIOUS_USER OE.NON_MALICIOUS_USER Iftheorganizationproperlyvetsandtrainsusers,itisexpectedthattheywillbenon-malicious.

5SecurityRequirementsThischapterdescribesthesecurityrequirementswhichhavetobefulfilledbytheproductunderevaluation.ThoserequirementscomprisefunctionalcomponentsfromPart2andassurancecomponentsfromPart3of[CC].Thefollowingconventionsareusedforthecompletionofoperations:

Refinementoperation(denotedbyboldtextorstrikethroughtext):isusedtoadddetailstoarequirement(includingreplacinganassignmentwithamorerestrictiveselection)ortoremovepartoftherequirementthatismadeirrelevantthroughthecompletionofanotheroperation,andthusfurtherrestrictsarequirement.Selection(denotedbyitalicizedtext):isusedtoselectoneormoreoptionsprovidedbythe[CC]instatingarequirement.Assignmentoperation(denotedbyitalicizedtext):isusedtoassignaspecificvaluetoanunspecifiedparameter,suchasthelengthofapassword.Showingthevalueinsquarebracketsindicatesassignment.Iterationoperation:isindicatedbyappendingtheSFRnamewithaslashanduniqueidentifiersuggestingthepurposeoftheoperation,e.g."/EXAMPLE1."

5.1SecurityFunctionalRequirements

5.1.1AuditableEventsforMandatorySFRs

Table2:AuditEventsforMandatoryRequirementsRequirement AuditableEvents AdditionalAuditRecordContents

FAU_GEN.1 Noeventsspecified

FAU_SAR.1 Noeventsspecified

FAU_STG.1 Noeventsspecified

FAU_STG_EXT.1 Failureofauditdatacaptureduetolackofdiskspaceorpre-definedlimit.

FAU_STG_EXT.1 Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.

FCS_CKM.1 Noeventsspecified

FCS_CKM.2 Noeventsspecified

FCS_CKM_EXT.4 Noeventsspecified

FCS_COP.1/UDE Noeventsspecified

FCS_COP.1/HASH Noeventsspecified

FCS_COP.1/Sig Noeventsspecified

FCS_COP.1/KeyHash Noeventsspecified

FCS_ENT_EXT.1 Noeventsspecified

FCS_RBG_EXT.1 Failureoftherandomizationprocess

FDP_HBI_EXT.1 Noeventsspecified

FDP_PPR_EXT.1 SuccessfulandfailedVMconnectionstophysicaldeviceswhereconnectionisgovernedbyconfigurablepolicy.

VMandphysicaldeviceidentifiers.

FDP_PPR_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.

FDP_RIP_EXT.1 Noeventsspecified

FDP_RIP_EXT.2 Noeventsspecified

FDP_VMS_EXT.1 Noeventsspecified

FDP_VNC_EXT.1 SuccessfulandfailedattemptstoconnectVMstovirtualandphysicalnetworkingcomponents.

VMandvirtualorphysicalnetworkingcomponentidentifiers.

FDP_VNC_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.VMandvirtualorphysicalnetworkingcomponentidentifiers.

FDP_VNC_EXT.1 Administratorconfigurationofinter-VMcommunicationschannelsbetweenVMs.

VMandvirtualorphysicalnetworkingcomponentidentifiers.

FIA_AFL_EXT.1 Unsuccessfulloginattemptslimitismetorexceeded.

Originofattempt(e.g.,IPaddress).

FIA_UAU.5 Noeventsspecified

FIA_UIA_EXT.1 Administratorauthenticationattempts.

Provideduseridentity,originoftheattempt(e.g.console,remoteIPaddress).

FIA_UIA_EXT.1 Alluseoftheidentificationandauthenticationmechanism.

Provideduseridentity,originoftheattempt(e.g.console,remoteIPaddress).

FIA_UIA_EXT.1 [selection:Startandendofadministratorsession.,None]

Starttimeandendtimeofadministratorsession.

FMT_MSA_EXT.1 Noeventsspecified

FMT_SMO_EXT.1 Noeventsspecified

FPT_DVD_EXT.1 Noeventsspecified

FPT_EEM_EXT.1 Noeventsspecified

FPT_HAS_EXT.1 Noeventsspecified

FPT_HCL_EXT.1 Attemptstoaccessdisabledhypercallinterfaces

Interfaceforwhichaccesswasattempted.

FPT_HCL_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.

FPT_RDM_EXT.1 Connection/disconnectionofremovablemediaordeviceto/fromaVM.

VMIdentifier,Removablemedia/deviceidentifier,eventdescriptionoridentifier(connect/disconnect,ejection/insertion,etc.)

FPT_RDM_EXT.1 Ejection/insertionofremovablemediaordevicefrom/toanalreadyconnectedVM.

VMIdentifier,Removablemedia/deviceidentifier,eventdescriptionoridentifier(connect/disconnect,ejection/insertion,etc.)

FPT_TUD_EXT.1 Initiationofupdate.

FPT_TUD_EXT.1 Failureofsignatureverification.

FPT_VDP_EXT.1 Noeventsspecified

FPT_VIV_EXT.1 Noeventsspecified

FTA_TAB.1 Noeventsspecified

FTP_ITC_EXT.1 Initiationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_ITC_EXT.1 Terminationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_ITC_EXT.1 Failuresofthetrustedpathfunctions. UserIDandremotesource(IPAddress)iffeasible.

FTP_UIF_EXT.1 Noeventsspecified

FTP_UIF_EXT.2 Noeventsspecified

5.1.2SecurityAudit(FAU)

FAU_GEN.1AuditDataGeneration

FAU_GEN.1.1TheTSFshallbeabletogenerateanauditrecordofthefollowingauditableevents:

a. Start-upandshutdownofauditfunctionsb. [AlladministrativeactionsrelevanttoclaimedSFRsasdefinedin

theAuditableEventsTablefromtheClientandServerPP-Modules]c. [AuditableeventsdefinedinTableatref-mandatory]d. [selection:AuditableeventsdefinedinTableatref-optional-depfor

StrictlyOptionalSFRs,AuditableeventsdefinedinTableatref-objective-depforObjectiveSFRs,AuditableeventsdefinedinTableatref-sel-based-depforSelection-BasedSFRs,AuditableeventsdefinedintheaudittablefortheTLSFunctionalPackage(seeTable3),AuditableeventsdefinedintheaudittablefortheSSHFunctionalPackage(seeTable3),nootherauditableevents]

FAU_GEN.1.2TheTSFshallrecordwithineachauditrecordatleastthefollowinginformation:

a. Dateandtimeoftheeventb. Typeofeventc. Subjectandobjectidentity(ifapplicable)d. Theoutcome(successorfailure)oftheevente. [AdditionalinformationdefinedinTableatref-mandatory]f. [selection:AdditionalinformationdefinedinTableatref-optional-depforStrictlyOptionalSFRs,AdditionalinformationdefinedinTableatref-objective-depforObjectiveSFRs,AdditionalinformationdefinedinTableatref-sel-based-depforSelection-BasedSFRs,AdditionalinformationdefinedintheaudittablefortheTLSFunctionalPackage(seeTable3),AdditionalinformationdefinedintheaudittablefortheSSHFunctionalPackage(seeTable3),nootherinformation]

ApplicationNote:TheSTauthorcanincludeotherauditableeventsdirectlyinTableatref-mandatory;theyarenotlimitedtothelistpresented.TheSTauthorshouldupdatethetableinFAU_GEN.1.2withanyadditionalinformationgenerated.“Subjectidentity”inFAU_GEN.1.2couldbeauseridoranidentifierspecifyingaVM,forexample.

AppropriateentriesfromTableatref-optional-dep,Tableatref-objective-dep,andTableatref-sel-based-depshouldbeincludedintheSTiftheassociatedSFRsandselectionsareincluded.

TheTableatref-mandatoryentryforFDP_VNC_EXT.1referstoconfigurationsettingsthatattachVMstovirtualizednetworkcomponents.ChangestotheseconfigurationscanbemadeduringVMexecutionorwhenVMsarenotrunning.Auditrecordsmustbegeneratedforeithercase.

TheintentoftheauditrequirementforFDP_PPR_EXT.1istologthattheVMisconnectedtoaphysicaldevice(whenthedevicebecomespartoftheVM'shardwareview),nottologeverytimethatthedeviceisaccessed.Generally,thisisonlyonceatVMstartup.However,somedevicescanbeconnectedanddisconnectedduringoperation(e.g.,virtualUSBdevicessuchasCD-ROMs).Allsuchconnection/disconnectioneventsmustbelogged.

ThefollowingtablecontainstheeventsenumeratedintheauditableeventstablesfortheSSHandTLSFunctionalPackages.InclusionoftheseeventsintheSTissubjecttoselectionabove,inclusionofthecorrespondingSFRsintheST,andsupportintheFPasrepresentedbyaselectionintheFPaudittable.Thislistisincludedhereforreference.

Table3:AuditableEventsforFunctionalPackages

Requirement AuditableEvents AdditionalAuditRecordContents

FCS_SSHC_EXT.1 Failuretoestablishasession.

Reasonforfailure,Non-TOEendpointofattemptedconnection(IPAddress).

FCS_SSHC_EXT.1 Establishmentofasession.

Non-TOEendpointofconnection(IPAddress).

FCS_SSHC_EXT.1 Terminationofasession. Non-TOEendpointofconnection(IPAddress).

FCS_SSHS_EXT.1 Failuretoestablishasession.

Reasonforfailure,Non-TOEendpointofattemptedconnection(IPAddress).

FCS_SSHS_EXT.1 Establishmentofasession.

Non-TOEendpointofconnection(IPAddress).

FCS_SSHS_EXT.1 Terminationofasession. Non-TOEendpointofconnection(IPAddress).

FCS_TLSC_EXT.1 Failuretoestablishasession.

Reasonforfailure.

FCS_TLSC_EXT.1 Failuretoverifypresentedidentifier.

Presentedidentifierandreferenceidentifier.

FCS_TLSC_EXT.1 Establishment/terminationofaTLSsession.

Non-TOEendpointofconnection.

FCS_TLSS_EXT.1 Failuretoestablishasession.

Reasonforfailure.

FCS_DTLSC_EXT.1 Failureofthecertificatevaliditycheck.

IssuerNameandSubjectNameofcertificate.

FCS_DTLSS_EXT.1 Failureofthecertificatevaliditycheck.

IssuerNameandSubjectNameofcertificate.

EvaluationActivities

FAU_GEN.1:TSSTheevaluatorshallchecktheTSSandensurethatitlistsalloftheauditableeventsandprovidesaformatforauditrecords.Eachauditrecordformattypeshallbecovered,alongwithabriefdescriptionofeachfield.TheevaluatorshallchecktomakesurethateveryauditeventtypemandatedbythePP-ConfigurationisdescribedintheTSS.

GuidanceTheevaluatorshallalsomakeadeterminationoftheadministrativeactionsthatarerelevantinthecontextofthisPP-Configuration.Theevaluatorshallexaminetheadministrativeguideandmakeadeterminationofwhichadministrativecommands,includingsubcommands,scripts,andconfigurationfiles,arerelatedtotheconfiguration(includingenablingordisabling)ofthemechanismsimplementedintheTOEthatarenecessarytoenforcetherequirementsspecifiedinthePPandPP-Module(s).Theevaluatorshalldocumentthemethodologyorapproachtakenwhiledeterminingwhichactionsintheadministrativeguidearesecurity-relevantwithrespecttothisPP-Configuration.

TestsTheevaluatorshalltesttheTOE’sabilitytocorrectlygenerateauditrecordsbyhavingtheTOEgenerateauditrecordsfortheeventslistedandadministrativeactions.Foradministrativeactions,theevaluatorshalltestthateachactiondeterminedbytheevaluatorabovetobesecurityrelevantinthecontextofthisPPisauditable.Whenverifyingthetestresults,theevaluatorshallensuretheauditrecordsgeneratedduringtestingmatchtheformatspecifiedintheadministrativeguide,andthatthefieldsineachauditrecordhavetheproperentries.

Notethatthetestingherecanbeaccomplishedinconjunctionwiththetestingofthesecuritymechanismsdirectly.

FAU_SAR.1AuditReviewFAU_SAR.1.1

TheTSFshallprovide[administrators]withthecapabilitytoread[allinformation]fromtheauditrecords.

FAU_SAR.1.2TheTSFshallprovidetheauditrecordsinamannersuitablefortheusertointerprettheinformation.

EvaluationActivities

FAU_SAR.1:GuidanceTheevaluatorshallreviewtheoperationalguidancefortheprocedureonhowtoreviewtheauditrecords.TestsTheevaluatorshallverifythattheauditrecordsprovidealloftheinformationspecifiedinFAU_GEN.1andthatthisinformationissuitableforhumaninterpretation.TheassuranceactivityforthisrequirementisperformedinconjunctionwiththeassuranceactivityforFAU_GEN.1.

FAU_FAK_EXT.1FakeAuditReviewFAU_FAK_EXT.1.1

EvaluationActivities

FAU_STG.1ProtectedAuditTrailStorageFAU_STG.1.1

TheTSFshallprotectthestoredauditrecordsintheaudittrailfromunauthorizeddeletion.

FAU_STG.1.2TheTSFshallbeableto[prevent]unauthorizedmodificationstothestoredauditrecordsintheaudittrail.

ApplicationNote:TheassuranceactivityforthisSFRisnotintendedtoimplythattheTOEmustsupportanadministrator’sabilitytodesignateindividualauditrecordsfordeletion.Thatlevelofgranularityisnotrequired.

EvaluationActivities

FAU_STG.1:TSSTheevaluatorshallensurethattheTSSdescribeshowtheauditrecordsareprotectedfromunauthorizedmodificationordeletion.TheevaluatorshallensurethattheTSSdescribestheconditionsthatmustbemetforauthorizeddeletionofauditrecords.GuidanceTestsTheevaluatorshallperformthefollowingtests:

Test1:TheevaluatorshallaccesstheaudittrailasanunauthorizedAdministratorandattempttomodifyanddeletetheauditrecords.Theevaluatorshallverifythattheseattemptsfail.Test2:TheevaluatorshallaccesstheaudittrailasanauthorizedAdministratorandattempttodeletetheauditrecords.Theevaluatorshallverifythattheseattemptssucceed.Theevaluatorshallverifythatonlytherecordsauthorizedfordeletionaredeleted.

FAU_STG_EXT.1Off-LoadingofAuditDataFAU_STG_EXT.1.1

TheTSFshallbeabletotransmitthegeneratedauditdatatoanexternalITentityusingatrustedchannelasspecifiedinFTP_ITC_EXT.1.

FAU_STG_EXT.1.2TheTSFshall[selection:dropnewauditdata,overwritepreviousauditrecordsaccordingtothefollowingrule:[assignment:ruleforoverwritingpreviousauditrecords],[assignment:otheraction]]whenthelocalstoragespaceforauditdataisfull.

ApplicationNote:Anexternallogserver,ifavailable,mightbeusedasalternativestoragespaceincasethelocalstoragespaceisfull.An‘otheraction’couldbedefinedinthiscaseas‘sendthenewauditdatatoanexternalITentity’.

EvaluationActivities

FAU_STG_EXT.1:ProtocolsusedforimplementingthetrustedchannelmustbeselectedinFTP_ITC_EXT.1.

TSSTheevaluatorshallexaminetheTSStoensureitdescribesthemeansbywhichtheauditdataaretransferredtotheexternalauditserver,andhowthetrustedchannelisprovided.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensureitdescribeshowtoestablishthetrustedchanneltotheauditserver,aswellasdescribeanyrequirementsontheauditserver(particularauditserverprotocol,versionoftheprotocolrequired,etc.),aswellasconfigurationoftheTOEneededtocommunicatewiththeauditserver.TestsTestingofthetrustedchannelmechanismistobeperformedasspecifiedintheassuranceactivitiesforFTP_ITC_EXT.1.

Theevaluatorshallperformthefollowingtestforthisrequirement:

Test1:TheevaluatorshallestablishasessionbetweentheTOEandtheauditserveraccordingtotheconfigurationguidanceprovided.TheevaluatorshallthenexaminethetrafficthatpassesbetweentheauditserverandtheTOEduringseveralactivitiesoftheevaluator’schoicedesignedtogenerateauditdatatobetransferredtotheauditserver.Theevaluatorshallobservethatthesedataarenotabletobeviewedintheclearduringthistransfer,andthattheyaresuccessfullyreceivedbytheauditserver.Theevaluatorshallrecordtheparticularsoftware(name,version)usedontheauditserverduringtesting.

TSSTheevaluatorshallexaminetheTSStoensureitdescribeswhathappenswhenthelocalauditdatastoreisfull.GuidanceTheevaluatorshallalsoexaminetheoperationalguidancetodeterminethatitdescribestherelationshipbetweenthelocalauditdataandtheauditdatathataresenttotheauditlogserver.Forexample,whenanauditeventisgenerated,isitsimultaneouslysenttotheexternalserverandthelocalstore,oristhelocalstoreusedasabufferand“cleared”periodicallybysendingthedatatotheauditserver.TestsTheevaluatorshallperformoperationsthatgenerateauditdataandverifythatthisdataisstoredlocally.TheevaluatorshallperformoperationsthatgenerateauditdatauntilthelocalstoragespaceisexceededandverifiesthattheTOEcomplieswiththebehaviordefinedintheSTforFAU_STG_EXT.1.2.

5.1.3CryptographicSupport(FCS)

FCS_CKM.1CryptographicKeyGenerationFCS_CKM.1.1

TheTSFshallgenerateasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithm[selection:

RSAschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.3],ECCschemesusing[“NISTcurves”P-256,P-384,and[selection:P-521,noothercurves]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.4],FFCschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.1]].

].

ApplicationNote:TheSTauthorselectsallkeygenerationschemesusedforkeyestablishmentanddeviceauthentication.Whenkeygenerationisusedforkeyestablishment,theschemesinFCS_CKM.2.1andselectedcryptographicprotocolsshallmatchtheselection.Whenkeygenerationisusedfordeviceauthentication,thepublickeyisexpectedtobeassociatedwithanX.509v3certificate.

IftheTOEactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.

EvaluationActivities

FCS_CKM.1:TSSTheevaluatorshallensurethattheTSSidentifiesthekeysizessupportedbytheTOE.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.

GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeygenerationscheme(s)andkeysize(s)forallusesdefinedinthisPP.TestsNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

KeyGenerationforFIPSPUB186-4RSASchemesTheevaluatorshallverifytheimplementationofRSAKeyGenerationbytheTOEusingtheKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthekeycomponentsincludingthepublicverificationexponente,theprivateprimefactorspandq,thepublicmodulusnandthecalculationoftheprivatesignatureexponentd.

KeyPairgenerationspecifies5ways(ormethods)togeneratetheprimespandq.Theseinclude:

RandomPrimes:ProvableprimesProbableprimes

PrimeswithConditions:Primesp1,p2,q1,q2,pandqshallallbeprovableprimesPrimesp1,p2,q1,andq2shallbeprovableprimesandpandqshallbeprobableprimesPrimesp1,p2,q1,q2,pandqshallallbeprobableprimes

TotestthekeygenerationmethodfortheRandomProvableprimesmethodandforallthePrimeswithConditionsmethods,theevaluatorshallseedtheTSFkeygenerationroutinewithsufficientdatatodeterministicallygeneratetheRSAkeypair.Thisincludestherandomseed(s),thepublicexponentoftheRSAkey,andthedesiredkeylength.Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25keypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.

KeyGenerationforEllipticCurveCryptography(ECC)

FIPS186-4ECCKeyGenerationTest

ForeachsupportedNISTcurve,i.e.,P-256,P-384andP-521,theevaluatorshallrequiretheimplementationundertest(IUT)togenerate10private/publickeypairs.Theprivatekeyshallbegeneratedusinganapprovedrandombitgenerator(RBG).Todeterminecorrectness,theevaluatorshallsubmitthegeneratedkeypairstothepublickeyverification(PKV)functionofaknowngoodimplementation.FIPS186-4PublicKeyVerification(PKV)TestForeachsupportedNISTcurve,i.e.,P-256,P-384andP-521,theevaluatorshallgenerate10private/publickeypairsusingthekeygenerationfunctionofaknowngoodimplementationandmodifyfiveofthepublickeyvaluessothattheyareincorrect,leavingfivevaluesunchanged(i.e.,correct).Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.

KeyGenerationforFinite-FieldCryptography(FFC)

TheevaluatorshallverifytheimplementationoftheParametersGenerationandtheKeyGenerationforFFCbytheTOEusingtheParameterGenerationandKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthefieldprimep,thecryptographicprimeq(dividingp-1),thecryptographicgroupgeneratorg,andthecalculationoftheprivatekeyxandpublickeyy.

TheParametergenerationspecifies2ways(ormethods)togeneratethecryptographicprimeqandthefieldprimep:

PrimesqandpshallbothbeprovableprimesPrimesqandfieldprimepshallbothbeprobableprimes

andtwowaystogeneratethecryptographicgroupgeneratorg:GeneratorgconstructedthroughaverifiableprocessGeneratorgconstructedthroughanunverifiableprocess.

TheKeygenerationspecifies2waystogeneratetheprivatekeyx:len(q)bitoutputofRBGwhere1�x�q-1len(q)+64bitoutputofRBG,followedbyamodq-1operationwhere1�x�q-1

ThesecuritystrengthoftheRBGshallbeatleastthatofthesecurityofferedbytheFFCparameterset.

Totestthecryptographicandfieldprimegenerationmethodfortheprovableprimesmethodandthegroupgeneratorgforaverifiableprocess,theevaluatorshallseedtheTSFparametergenerationroutinewithsufficientdatatodeterministicallygeneratetheparameterset.

Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25parametersetsandkeypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.Verificationshallalsoconfirm

g!=0,1qdividesp-1g^qmodp=1g^xmodp=y

foreachFFCparametersetandkeypair.

FCS_CKM.2CryptographicKeyEstablishmentFCS_CKM.2.1

TheTSFshallperformcryptographickeyestablishmentinaccordancewithaspecifiedcryptographickeyestablishmentmethod:[selection:

RSA-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56B,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingIntegerFactorizationCryptography”,Ellipticcurve-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56A,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography”,Finitefield-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56A,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography”]

]

EvaluationActivities

FCS_CKM.2:TSSTheevaluatorshallensurethatthesupportedkeyestablishmentschemescorrespondtothekeygenerationschemesidentifiedinFCS_CKM.1.1.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.

GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeyestablishmentscheme(s).

TestsTheevaluatorshallverifytheimplementationofthekeyestablishmentschemesofthesupportedbytheTOEusingtheapplicabletestsbelow.

KeyEstablishmentSchemes

SP800-56AKeyEstablishmentSchemes

TheevaluatorshallverifyaTOE'simplementationofSP800-56AkeyagreementschemesusingthefollowingFunctionandValiditytests.ThesevalidationtestsforeachkeyagreementschemeverifythataTOEhasimplementedthecomponentsofthekeyagreementschemeaccordingtothespecificationsintheRecommendation.ThesecomponentsincludethecalculationoftheDLCprimitives(thesharedsecretvalueZ)andthecalculationofthederivedkeyingmaterial(DKM)viatheKeyDerivationFunction(KDF).Ifkeyconfirmationissupported,theevaluatorshallalsoverifythatthecomponentsofkeyconfirmationhavebeenimplementedcorrectly,usingthetestproceduresdescribedbelow.ThisincludestheparsingoftheDKM,thegenerationofMACdataandthecalculationofMACtag.

FunctionTest

TheFunctiontestverifiestheabilityofthetoimplementthekeyagreementschemescorrectly.Toconductthistest,theevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachsupportedkeyagreementscheme-key

agreementrolecombination,KDFtype,and,ifsupported,keyconfirmationrole-keyconfirmationtypecombination,thetestershallgenerate10setsoftestvectors.Thedatasetconsistsofonesetofdomainparametervalues(FFC)ortheNISTapprovedcurve(ECC)per10setsofpublickeys.Thesekeysarestatic,ephemeralorbothdependingontheschemebeingtested.

TheevaluatorshallobtaintheDKM,thecorrespondingTOE’spublickeys(staticand/orephemeral),theMACtag(s),andanyinputsusedintheKDF,suchastheOtherInformationfieldOIandTOEidfields.

IftheTOEdoesnotuseaKDFdefinedinSP800-56A,theevaluatorshallobtainonlythepublickeysandthehashedvalueofthesharedsecret.

TheevaluatorshallverifythecorrectnessoftheTSF’simplementationofagivenschemebyusingaknowngoodimplementationtocalculatethesharedsecretvalue,derivethekeyingmaterialDKM,andcomparehashesorMACtagsgeneratedfromthesevalues.

Ifkeyconfirmationissupported,theTSFshallperformtheaboveforeachimplementedapprovedMACalgorithm.

ValidityTest

TheValiditytestverifiestheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidkeyagreementresultswithorwithoutkeyconfirmation.Toconductthistest,theevaluatorshallobtainalistofthesupportingcryptographicfunctionsincludedintheSP800-56AkeyagreementimplementationtodeterminewhicherrorstheTOEshouldbeabletorecognize.Theevaluatorgeneratesasetof24(FFC)or30(ECC)testvectorsconsistingofdatasetsincludingdomainparametervaluesorNISTapprovedcurves,theevaluator’spublickeys,theTOE’spublic/privatekeypairs,MACTag,andanyinputsusedintheKDF,suchastheotherinfoandTOEidfields.

TheevaluatorshallinjectanerrorinsomeofthetestvectorstotestthattheTOErecognizesinvalidkeyagreementresultscausedbythefollowingfieldsbeingincorrect:thesharedsecretvalueZ,theDKM,theotherinformationfieldOI,thedatatobeMACed,orthegeneratedMACTag.IftheTOEcontainsthefullorpartial(onlyECC)publickeyvalidation,theevaluatorwillalsoindividuallyinjecterrorsinbothparties’staticpublickeys,bothparties’ephemeralpublickeysandtheTOE’sstaticprivatekeytoassuretheTOEdetectserrorsinthepublickeyvalidationfunctionand/orthepartialkeyvalidationfunction(inECConly).Atleasttwoofthetestvectorsshallremainunmodifiedandthereforeshouldresultinvalidkeyagreementresults(theyshouldpass).

TheTOEshallusethesemodifiedtestvectorstoemulatethekeyagreementschemeusingthecorrespondingparameters.TheevaluatorshallcomparetheTOE’sresultswiththeresultsusingaknowngoodimplementationverifyingthattheTOEdetectstheseerrors.

SP800-56BKeyEstablishmentSchemes

TheevaluatorshallverifythattheTSSdescribeswhethertheTOEactsasasender,arecipient,orbothforRSA-basedkeyestablishmentschemes.

IftheTOEactsasasender,thefollowingassuranceactivityshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:

Toconductthistest,theevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withorwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSApublickey,theplaintextkeyingmaterial,anyadditionalinputparametersifapplicable,theMacKeyandMacTagifkeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformakeyestablishmentencryptionoperationontheTOEwiththesameinputs(incaseswherekeyconfirmationisincorporated,thetestshallusetheMacKeyfromthetestvectorinsteadoftherandomlygeneratedMacKeyusedinnormaloperation)andensurethattheoutputtedciphertextisequivalenttotheciphertextinthetestvector.

IftheTOEactsasareceiver,thefollowingassuranceactivitiesshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:

Toconductthistest,theevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withourwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSAprivatekey,theplaintextkeyingmaterial

(KeyData),anyadditionalinputparametersifapplicable,theMacTagincaseswherekeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformthekeyestablishmentdecryptionoperationontheTOEandensurethattheoutputtedplaintextkeyingmaterial(KeyData)isequivalenttotheplaintextkeyingmaterialinthetestvector.Incaseswherekeyconfirmationisincorporated,theevaluatorshallperformthekeyconfirmationstepsandensurethattheoutputtedMacTagisequivalenttotheMacTaginthetestvector.

TheevaluatorshallensurethattheTSSdescribeshowtheTOEhandlesdecryptionerrors.InaccordancewithNISTSpecialPublication800-56B,theTOEshallnotrevealtheparticularerrorthatoccurred,eitherthroughthecontentsofanyoutputtedorloggederrormessageorthroughtimingvariations.IfKTS-OAEPissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.2.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.IfKTS-KEM-KWSissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.3.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.

FCS_CKM_EXT.4CryptographicKeyDestructionFCS_CKM_EXT.4.1

TheTSFshallcausedisusedcryptographickeysinvolatilememorytobedestroyedorrenderedunrecoverable.

ApplicationNote:Thethreataddressedbythiselementistherecoveryofdisusedcryptographickeysfromvolatilememorybyunauthorizedprocesses.

TheTSFmusttodestroyorcausetobedestroyedallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.ThisrequirementisthesameforallinstancesofkeyswithinTOEvolatilememoryregardlessofwhetherthememoryiscontrolledbyTOEmanufacturersoftwareorby3rdpartyTOEmodules.TheassuranceactivitiesaredesignedwithflexibilitytoaddresscaseswheretheTOEmanufacturerhaslimitedinsightintothebehaviorof3rdpartyTOEcomponents.

ThepreferredmethodfordestroyingkeysinTOEvolatilememoryisbydirectoverwriteofthememoryoccupiedbythekeys.Thevaluesusedforoverwritingcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitselfsuchthatthekeysarerenderedinaccessibletorunningprocesses.

Someimplementationsmayfindthatdirectoverwritingofmemoryisnotfeasibleorpossibleduetoprogramminglanguageconstraints.Manymemory-andtype-safelanguagesprovidenomechanismforprogrammerstospecifythataparticularmemorylocationbeaccessedorwritten.Thevalueofsuchlanguagesisthatitismuchharderforaprogrammingerrortoresultinabufferorheapoverflow.Thedownsideisthatmultiplecopiesofkeysmightbescatteredthroughoutlanguage-runtimememory.Insuchcases,theTOEshouldtakewhateveractionsarefeasibletocausethekeystobecomeinaccessible—freeingmemory,destroyingobjects,closingapplications,programmingusingtheminimumpossiblescopeforvariablescontainingkeys.

Likewise,ifkeysresideinmemorywithintheexecutioncontextofathird-partymodule,thentheTOEshouldtakewhateverfeasibleactionsitcantocausethekeystobedestroyed.

Cryptographickeysinnon-TOEvolatilememoryarenotcoveredbythisrequirement.ThisexpresslyincludeskeyscreatedandusedbyGuestVMs.TheGuestisresponsiblefordisposingofsuchkeys.

FCS_CKM_EXT.4.2TheTSFshallcausedisusedcryptographickeysinnon-volatilestoragetobedestroyedorrenderedunrecoverable.

ApplicationNote:Theultimategoalofthiselementistoensurethatdisusedcryptographickeysareinaccessiblenotonlytocomponentsoftherunningsystem,butarealsounrecoverablethroughforensicanalysisofdiscardedstoragemedia.Theelementisdesignedtoreflectthefactthatthelattermaynotbewhollypracticalatthistimeduetothewaysomestoragetechnologiesareimplemented(e.g.,wear-levelingofflashstorage).

Keystorageareasinnon-volatilestoragecanbeoverwrittenwithanyvaluethat

rendersthekeysunrecoverable.Thevalueusedcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitself.

TheTSFmustdestroyallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.Sincethisisasoftware-onlyTOE,thehardwarecontrollersthatmanagenon-volatilestoragemediaarenecessarilyoutsidetheTOEboundary.Thus,theTOEmanufacturerislikelytohavelittlecontrolover—orinsightinto—thefunctioningofthesestoragedevices.TheTOEmustmakea“best-effort”todestroydisusedcryptographickeysbyinvokingtheappropriateplatforminterfaces—recognizingthatthespecificactionstakenbytheplatformareoutoftheTOE’scontrol.

ButincaseswheretheTOEhasinsightintothenon-volatilestoragetechnologiesusedbytheplatform,orwheretheTOEcanspecifyapreferenceormethodfordestroyingkeys,thedestructionshouldbeexecutedbyasingle,directoverwriteconsistingofpseudo-randomdataoranewkey,byarepeatingpatternofanystaticvalue,orbyablockerase.

Forkeysstoredonencryptedmedia,itissufficientforthemediaencryptionkeystobedestroyedforallkeysstoredonthemediatobeconsidereddestroyed.

EvaluationActivities

FCS_CKM_EXT.4:TSSTheevaluatorshallchecktoensuretheTSSlistseachtypeofkeyanditsoriginandlocationinmemoryorstorage.TheevaluatorshallverifythattheTSSdescribeswheneachtypeofkeyiscleared.TestsForeachkeyclearingsituationtheevaluatorshallperformoneofthefollowingactivities:

Theevaluatorshalluseappropriatecombinationsofspecializedoperationalordevelopmentenvironments,developmenttools(debuggers,emulators,simulators,etc.),orinstrumentedbuilds(developmental,debug,orrelease)todemonstratethatkeysareclearedcorrectly,includingallintermediatecopiesofthekeythatmayhavebeencreatedinternallybytheTOEduringnormalcryptographicprocessing.Incaseswheretestingrevealsthat3rd-partysoftwaremodulesorprogramminglanguagerun-timeenvironmentsdonotproperlyoverwritekeys,thisfactmustbedocumented.Likewise,itmustbedocumentedifthereisnopracticalwaytodeterminewhethersuchmodulesorenvironmentsdestroykeysproperly.Incaseswhereitisimpossibleorimpracticabletoperformtheabovetests,theevaluatorshalldescribehowkeysaredestroyedinsuchcases,toinclude:

WhichkeysareaffectedThereasonswhytestingisimpossibleorimpracticableEvidencethatkeysaredestroyedappropriately(e.g.,citationstocomponentdocumentation,componentdeveloper/vendorattestation,componentvendortestresults)Aggravatingandmitigatingfactorsthatmayaffectthetimelinessorexecutionofkeydestruction(e.g.,caching,garbagecollection,operatingsystemmemorymanagement)

UseofdebugorinstrumentedbuildsoftheTOEandTOEcomponentsispermittedinordertodemonstratethattheTOEtakesappropriateactiontodestroykeys.Thesebuildsshouldbebasedonthesamesourcecodeasarereleasebuilds(ofcourse,withinstrumentationanddebug-specificcodeadded).

FCS_COP.1/UDECryptographicOperation(AESDataEncryption/Decryption)FCS_COP.1.1/UDE

TheTSFshallperform[encryptionanddecryption]inaccordancewithaspecifiedcryptographicalgorithm[selection:

AESKeyWrap(KW)(asdefinedinNISTSP800-38F),AESKeyWrapwithPadding(KWP)(asdefinedinNISTSP800-38F),AES-GCM(asdefinedinNISTSP800-38D),AES-CCM(asdefinedinNISTSP800-38C),AES-XTS(asdefinedinNISTSP800-38E)mode,AES-CCMP-256(asdefinedinNISTSP800-38CandIEEE802.11ac-2013),AES-GCMP-256(asdefinedinNISTSP800-38DandIEEE802.11ac-2013),AES-CCMP(asdefinedinFIPSPUB197,NISTSP800-38CandIEEE802.11-2012),AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)mode,

AES-CTR(asdefinedinNISTSP800-38A)mode]andcryptographickeysizes[selection:128-bitkeysizes,256-bitkeysizes].

ApplicationNote:ForthefirstselectionofFCS_COP.1.1/UDE,theSTauthorshouldchoosethemodeormodesinwhichAESoperates.Forthesecondselection,theSTauthorshouldchoosethekeysizesthataresupportedbythisfunctionality.

EvaluationActivities

FCS_COP.1/UDE:AssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

TestsAES-CBCTests

AES-CBCKnownAnswerTests

TherearefourKnownAnswerTests(KATs),describedbelow.InallKATs,theplaintext,ciphertext,andIVvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.

KAT-1.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitall-zeroskey,andtheotherfiveshallbeencryptedwitha256-bitall-zeroskey.

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinputandAES-CBCdecryption.

KAT-2.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeysshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usinganall-zerociphertextvalueasinputandAES-CBCdecryption.

KAT-3.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluethatresultsfromAESencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondsetshallhave256256-bitkeys.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromAES-CBCdecryptionofthegivenciphertextusingthegivenkeyandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitkey/ciphertextpairs.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanall-zerosplaintextwhendecryptedwithitscorrespondingkey.

KAT-4.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromAES-CBCencryptionofthegivenplaintextusinga128-bitkeyvalueofallzeroswithanIVofallzerosandusinga256-bitkeyvalueofallzeroswithanIVofallzeros,respectively.Plaintextvalueiineachsetshallhavetheleftmostibitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinputandAES-CBCdecryption.

AES-CBCMulti-BlockMessageTest

Theevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1<i�

10.Theevaluatorshallchooseakey,anIVandplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.

Theevaluatorshallalsotestthedecryptfunctionalityforeachmodebydecryptingani-blockmessagewhere1<i�10.Theevaluatorshallchooseakey,anIVandaciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewiththesamekeyandIVusingaknowngoodimplementation.

AES-CBCMonteCarloTests

Theevaluatorshalltesttheencryptfunctionalityusingasetof200plaintext,IV,andkey3-tuples.100oftheseshalluse128bitkeys,and100shalluse256bitkeys.TheplaintextandIVvaluesshallbe128-bitblocks.Foreach3-tuple,1000iterationsshallberunasfollows:

#Input:PT,IV,Keyfori=1to1000:ifi==1:CT[1]=AES-CBC-Encrypt(Key,IV,PT)PT=IVelse:CT[i]=AES-CBC-Encrypt(Key,PT)PT=CT[i-1]

Theciphertextcomputedinthe1000thiteration(i.e.,CT[1000])istheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.

Theevaluatorshalltestthedecryptfunctionalityusingthesametestasforencrypt,exchangingCTandPTandreplacingAES-CBC-EncryptwithAES-CBC-Decrypt.

AES-CCMTests

Theevaluatorshalltestthegeneration-encryptionanddecryption-verificationfunctionalityofAES-CCMforthefollowinginputparameterandtaglengths:

128bitand256bitkeys

Twopayloadlengths.Onepayloadlengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Theotherpayloadlengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).

Twoorthreeassociateddatalengths.Oneassociateddatalengthshallbe0,ifsupported.Oneassociateddatalengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Oneassociateddatalengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).Iftheimplementationsupportsanassociateddatalengthof216bytes,anassociateddatalengthof216bytesshallbetested.

Noncelengths.Allsupportednoncelengthsbetween7and13bytes,inclusive,shallbetested.

Taglengths.Allsupportedtaglengthsof4,6,8,10,12,14and16bytesshallbetested.

Totestthegeneration-encryptionfunctionalityofAES-CCM,theevaluatorshallperformthefollowingfourtests:

Test1:ForEACHsupportedkeyandassociateddatalengthandANYsupportedpayload,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.Test2:ForEACHsupportedkeyandpayloadlengthandANYsupportedassociateddata,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.Test3:ForEACHsupportedkeyandnoncelengthandANYsupportedassociateddata,payloadandtaglength,theevaluatorshallsupplyonekeyvalueand10associateddata,payloadandnoncevalue3-tuplesandobtaintheresultingciphertext.Test4:ForEACHsupportedkeyandtaglengthandANYsupportedassociateddata,payloadandnoncelength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.

Todeterminecorrectnessineachoftheabovetests,theevaluatorshallcomparetheciphertextwiththeresultofgeneration-encryptionofthesameinputswithaknowngoodimplementation.

Totestthedecryption-verificationfunctionalityofAES-CCM,forEACHcombinationofsupportedassociateddatalength,payloadlength,noncelengthandtaglength,theevaluatorshallsupplyakeyvalueand15nonce,associateddataandciphertext3-tuplesandobtaineitheraFAILresult

oraPASSresultwiththedecryptedpayload.Theevaluatorshallsupply10tuplesthatshouldFAILand5thatshouldPASSpersetof15.

Additionally,theevaluatorshallusetestsfromtheIEEE802.11-02/362r6document“ProposedTestvectorsforIEEE802.11TGi”,datedSeptember10,2002,Section2.1AES-CCMPEncapsulationExampleandSection2.2AdditionalAESCCMPTestVectorstofurtherverifytheIEEE802.11-2007implementationofAES-CCMP.

AES-GCMTest

TheevaluatorshalltesttheauthenticatedencryptfunctionalityofAES-GCMforeachcombinationofthefollowinginputparameterlengths:

128bitand256bitkeys

Twoplaintextlengths.Oneoftheplaintextlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Theotherplaintextlengthshallnotbeanintegermultipleof128bits,ifsupported.

ThreeAADlengths.OneAADlengthshallbe0,ifsupported.OneAADlengthshallbeanon-zerointegermultipleof128bits,ifsupported.OneAADlengthshallnotbeanintegermultipleof128bits,ifsupported.

TwoIVlengths.If96bitIVissupported,96bitsshallbeoneofthetwoIVlengthstested.

Theevaluatorshalltesttheencryptfunctionalityusingasetof10key,plaintext,AAD,andIVtuplesforeachcombinationofparameterlengthsaboveandobtaintheciphertextvalueandtagthatresultsfromAES-GCMauthenticatedencrypt.Eachsupportedtaglengthshallbetestedatleastoncepersetof10.TheIVvaluemaybesuppliedbytheevaluatorortheimplementationbeingtested,aslongasitisknown.

Theevaluatorshalltestthedecryptfunctionalityusingasetof10key,ciphertext,tag,AAD,andIV5-tuplesforeachcombinationofparameterlengthsaboveandobtainaPass/FailresultonauthenticationandthedecryptedplaintextifPass.ThesetshallincludefivetuplesthatPassandfivethatFail.

Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.

XTS-AESTest

TheevaluatorshalltesttheencryptfunctionalityofXTS-AESforeachcombinationofthefollowinginputparameterlengths:

256bit(forAES-128)and512bit(forAES-256)keys

Threedataunit(i.e.,plaintext)lengths.Oneofthedataunitlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Oneofthedataunitlengthsshallbeanintegermultipleof128bits,ifsupported.Thethirddataunitlengthshallbeeitherthelongestsupporteddataunitlengthor216bits,whicheverissmaller.

usingasetof100(key,plaintextand128-bitrandomtweakvalue)3-tuplesandobtaintheciphertextthatresultsfromXTS-AESencrypt.

Theevaluatormaysupplyadataunitsequencenumberinsteadofthetweakvalueiftheimplementationsupportsit.Thedataunitsequencenumberisabase-10numberrangingbetween0and255thatimplementationsconverttoatweakvalueinternally.

TheevaluatorshalltestthedecryptfunctionalityofXTS-AESusingthesametestasforencrypt,replacingplaintextvalueswithciphertextvaluesandXTS-AESencryptwithXTS-AESdecrypt.

AESKeyWrap(AES-KW)andKeyWrapwithPadding(AES-KWP)Test

TheevaluatorshalltesttheauthenticatedencryptionfunctionalityofAES-KWforEACHcombinationofthefollowinginputparameterlengths:

128and256bitkeyencryptionkeys(KEKs)Threeplaintextlengths.Oneoftheplaintextlengthsshallbetwosemi-blocks(128bits).Oneoftheplaintextlengthsshallbethreesemi-blocks(192bits).Thethirddataunitlengthshallbethelongestsupportedplaintextlengthlessthanorequalto64semi-blocks(4096

bits).usingasetof100keyandplaintextpairsandobtaintheciphertextthatresultsfromAES-KWauthenticatedencryption.Todeterminecorrectness,theevaluatorshallusetheAES-KWauthenticated-encryptionfunctionofaknowngoodimplementation.

Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWusingthesametestasforauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWauthenticated-encryptionwithAES-KWauthenticated-decryption.

Theevaluatorshalltesttheauthenticated-encryptionfunctionalityofAES-KWPusingthesametestasforAES-KWauthenticated-encryptionwiththefollowingchangeinthethreeplaintextlengths:

Oneplaintextlengthshallbeoneoctet.Oneplaintextlengthshallbe20octets(160bits).

Oneplaintextlengthshallbethelongestsupportedplaintextlengthlessthanorequalto512octets(4096bits).

Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWPusingthesametestasforAES-KWPauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWPauthenticated-encryptionwithAES-KWPauthenticated-decryption.

AES-CTRTest

Test1:KnownAnswerTests(KATs)TherearefourKnownAnswerTests(KATs)describedbelow.ForallKATs,theplaintext,initializationvector(IV),andciphertextvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbythevalidatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.Test1a:Totesttheencryptfunctionality,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitallzeroskey,andtheotherfiveshallbeencryptedwitha256-bitallzeroskey.Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinput.

Test1b:Totesttheencryptfunctionality,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromencryptionofanallzerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeyvaluesshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,usinganallzerociphertextvalueasinput.Test1c:Totesttheencryptfunctionality,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluesthatresultfromAESencryptionofanallzerosplaintextusingthegivenkeyvaluesandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondshallhave256256-bitkeys.Key_iineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Totestthedecryptfunctionality,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromdecryptionofthegivenciphertextusingthegivenkeyvaluesandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitpairs.Key_iineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezerosforiin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanallzerosplaintextwhendecryptedwithitscorrespondingkey.

Test1d:Totesttheencryptfunctionality,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromencryptionofthegivenplaintextusinga128-bitkeyvalueofallzerosandusinga256bitkeyvalueofallzeros,respectively,andanIVofallzeros.Plaintextvalueiineachsetshallhavetheleftmostbitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinput.

Test2:Multi-BlockMessageTestTheevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1less-thaniless-than-or-equalto10.Foreachitheevaluatorshallchooseakey,IV,andplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkey.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.Theevaluatorshallalsotestthedecryptfunctionalitybydecryptingani-blockmessagewhere1less-thaniless-than-or-equalto10.Foreachitheevaluatorshallchooseakeyanda

ciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkey.Theplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewiththesamekeyusingaknowngoodimplementation.

Test3:Monte-CarloTestForAES-CTRmodeperformtheMonteCarloTestforECBModeontheencryptionengineofthecountermodeimplementation.Thereisnoneedtotestthedecryptionengine.Theevaluatorshalltesttheencryptfunctionalityusing200plaintext/keypairs.100oftheseshalluse128bitkeys,and100oftheseshalluse256bitkeys.Theplaintextvaluesshallbe128-bitblocks.Foreachpair,1000iterationsshallberunasfollows:ForAES-ECBmode#Input:PT,Keyfori=1to1000:CT[i]=AES-ECB-Encrypt(Key,PT)PT=CT[i]Theciphertextcomputedinthe1000thiterationistheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.

If"invokeplatform-provided"isselected,theevaluatorconfirmsthatSSHconnectionsareonlysuccessfulifappropriatealgorithmsandappropriatekeysizesareconfigured.Todothis,theevaluatorshallperformthefollowingtests:

Test1:[Conditional:TOEisanSSHserver]TheevaluatorshallconfigureanSSHclienttoconnectwithaninvalidcryptographicalgorithmandkeysizeforeachlisteningSSHsocketconnectionontheTOE.TheevaluatorinitiatesSSHclientconnectionstoeachlisteningSSHsocketconnectionontheTOEandobservesthattheconnectionfailsineachattempt.Test2:[Conditional:TOEisanSSHclient]TheevaluatorshallconfigurealisteningSSHsocketonaremoteSSHserverthatacceptsonlyinvalidcryptographicalgorithmsandkeys.TheevaluatorusestheTOEtoattemptanSSHconnectiontothisserverandobservesthattheconnectionfails.

FCS_COP.1/HASHCryptographicOperation(Hashing)FCS_COP.1.1/HASH

TheTSFshallperform[cryptographichashing]inaccordancewithaspecifiedcryptographicalgorithm[selection:SHA-1,SHA-256,SHA-384,SHA-512,SHA-3-224,SHA-3-256,SHA-3-384,SHA-3-512]andmessagedigestsizes[selection:160,256,384,512bits]thatmeetthefollowing:[selection:FIPSPUB180-4"SecureHashStandard",ISO/IEC10118-3:2018]

ApplicationNote:PerNISTSP800-131A,SHA-1forgeneratingdigitalsignaturesisnolongerallowed,andSHA-1forverificationofdigitalsignaturesisstronglydiscouragedastheremayberiskinacceptingthesesignatures.ItisexpectedthatvendorswillimplementSHA-2algorithmsinaccordancewithSP800-131A.

Theintentofthisrequirementistospecifythehashingfunction.Thehashselectionshallsupportthemessagedigestsizeselection.Thehashselectionshouldbeconsistentwiththeoverallstrengthofthealgorithmused(forexample,SHA256for128-bitkeys).

EvaluationActivities

FCS_COP.1/HASH:TSSTheevaluatorshallcheckthattheassociationofthehashfunctionwithotherTSFcryptographicfunctions(forexample,thedigitalsignatureverificationfunction)isdocumentedintheTSS.GuidanceTheevaluatorcheckstheAGDdocumentstodeterminethatanyconfigurationthatisrequiredtobedonetoconfigurethefunctionalityfortherequiredhashsizesispresent.TestsSHA-1andSHA-2TestsTheTSFhashingfunctionscanbeimplementedinoneoftwomodes.Thefirstmodeisthebyteorientedmode.InthismodetheTSFonlyhashesmessagesthatareanintegralnumberofbytesinlength;i.e.,thelength(inbits)ofthemessagetobehashedisdivisibleby8.Thesecondmodeisthebitorientedmode.InthismodetheTSFhashesmessagesofarbitrarylength.Astherearedifferenttestsforeachmode,anindicationisgiveninthefollowingsectionsforthebitorientedvs.thebyteorientedtestmacs.

TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.

AssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

ShortMessagesTestBit-orientedMode

Theevaluatorsdeviseaninputsetconsistingofm+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tombits.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

ShortMessagesTestByte-orientedMode

Theevaluatorsdeviseaninputsetconsistingofm/8+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tom/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

SelectedLongMessagesTestBit-orientedMode

Theevaluatorsdeviseaninputsetconsistingofmmessages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+99*i,where1�i�m.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

SelectedLongMessagesTestByte-orientedMode

Theevaluatorsdeviseaninputsetconsistingofm/8messages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+8*99*i,where1�i�m/8.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

Pseudo-randomlyGeneratedMessagesTest

Thistestisforbyte-orientedimplementationsonly.Theevaluatorsrandomlygenerateaseedthatisnbitslong,wherenisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Theevaluatorsthenformulateasetof100messagesandassociateddigestsbyfollowingthealgorithmprovidedinFigure1of[SHAVS].TheevaluatorsthenensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

SHA-3TestsThetestsbelowarederivedfromtheTheSecureHashAlgorithm-3ValidationSystem(SHA3VS),Updated:April7,2016,fromtheNationalInstituteofStandardsandTechnology.

ForeachSHA-3-XXXimplementation,XXXrepresentsd,thedigestlengthinbits.Thecapacity,c,isequalto2dbits.Therateisequalto1600-cbits.

TheTSFhashingfunctionscanbeimplementedwithoneoftwoorientations.Thefirstisabit-orientedmodethathashesmessagesofarbitrarylength.Thesecondisabyte-orientedmodethathashesmessagesthatareanintegralnumberofbytesinlength(i.e.,thelength(inbits)ofthemessagetobehashedisdivisibleby8).Separatetestsforeachorientationaregivenbelow.

TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmandorientationimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.Theevaluatorshallcomparedigestvaluesproducedbyaknown-goodSHA-3implementationagainstthosegeneratedbyrunningthesamevaluesthroughtheTSF.

ShortMessagesTest,Bit-orientedMode

Theevaluatorsdeviseaninputsetconsistingofrate+1shortmessages.Thelengthofthemessagesrangessequentiallyfrom0toratebits.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.Themessageoflength0isomittediftheTOEdoesnotsupportzero-lengthmessages.

ShortMessagesTest,Byte-orientedMode

Theevaluatorsdeviseaninputsetconsistingofrate/8+1shortmessages.Thelengthofthemessagesrangessequentiallyfrom0torate/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.Themessageoflength0isomittediftheTOEdoesnotsupportzero-lengthmessages.

SelectedLongMessagesTest,Bit-orientedMode

Theevaluatorsdeviseaninputsetconsistingof100longmessagesranginginsizefromrate+(rate+1)torate+(100*(rate+1)),incrementingbyrate+1.(Forexample,SHA-3-256hasarateof1088bits.Therefore,100messageswillbegeneratedwithlengths2177,3266,…,109988bits.)Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

SelectedLongMessagesTest,Byte-orientedMode

Theevaluatorsdeviseaninputsetconsistingof100messagesranginginsizefrom(rate+(rate+8))to(rate+100*(rate+8)),incrementingbyrate+8.(Forexample,SHA-3-256hasarateof1088bits.Therefore100messageswillbegeneratedoflengths2184,3280,4376,…,110688bits.)Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

Pseudo-randomlyGeneratedMessagesMonteCarlo)Test,Byte-orientedMode

Theevaluatorssupplyaseedofdbits(wheredisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Thisseedisusedbyapseudorandomfunctiontogenerate100,000messagedigests.Onehundredofthedigests(every1000thdigest)arerecordedascheckpoints.TheTOEthenusesthesameproceduretogeneratethesame100,000messagedigestsand100checkpointvalues.TheevaluatorsthencomparetheresultsgeneratedensurethatthecorrectresultisproducedwhenthemessagesaregeneratedbytheTSF.

FCS_COP.1/SigCryptographicOperation(SignatureAlgorithms)FCS_COP.1.1/Sig

TheTSFshallperform[cryptographicsignatureservices(generationandverification)]inaccordancewithaspecifiedcryptographicalgorithm[selection:

RSAschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,Section4],ECDSAschemesusing[“NISTcurves”P-256,P-384and[selection:P-521,noothercurves]]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,Section5]

].

ApplicationNote:TheSTAuthorshouldchoosethealgorithmimplementedtoperformdigitalsignatures;ifmorethanonealgorithmisavailable,thisrequirementshouldbeiteratedtospecifythefunctionality.Forthealgorithmchosen,theSTauthorshouldmaketheappropriateassignments/selectionstospecifytheparametersthatareimplementedforthatalgorithm.

EvaluationActivities

FCS_COP.1/Sig:TestsAssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

ECDSAAlgorithmTests

ECDSAFIPS186-4SignatureGenerationTest

ForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerate101024-bitlongmessagesandobtainforeachmessageapublickey

andtheresultingsignaturevaluesRandS.Todeterminecorrectness,theevaluatorshallusethesignatureverificationfunctionofaknowngoodimplementation.

ECDSAFIPS186-4SignatureVerificationTest

ForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerateasetof101024-bitmessage,publickeyandsignaturetuplesandmodifyoneofthevalues(message,publickeyorsignature)infiveofthe10tuples.Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.

RSASignatureAlgorithmTests

SignatureGenerationTest

TheevaluatorshallverifytheimplementationofRSASignatureGenerationbytheTOEusingtheSignatureGenerationTest.Toconductthistest,theevaluatorshallgenerateorobtain10messagesfromatrustedreferenceimplementationforeachmodulussize/SHAcombinationsupportedbytheTSF.TheevaluatorshallhavetheTOEusetheirprivatekeyandmodulusvaluetosignthesemessages.

TheevaluatorshallverifythecorrectnessoftheTSF’ssignatureusingaknowngoodimplementationandtheassociatedpublickeystoverifythesignatures.

SignatureVerificationTest

TheevaluatorshallperformtheSignatureVerificationtesttoverifytheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidsignatures.TheevaluatorshallinjecterrorsintothetestvectorsproducedduringtheSignatureVerificationTestbyintroducingerrorsinsomeofthepublickeyse,messages,IRformat,and/orsignatures.TheTOEattemptstoverifythesignaturesandreturnssuccessorfailure.

TheevaluatorshallusethesetestvectorstoemulatethesignatureverificationtestusingthecorrespondingparametersandverifythattheTOEdetectstheseerrors.

FCS_COP.1/KeyHashCryptographicOperation(KeyedHashAlgorithms)FCS_COP.1.1/KeyHash

TheTSFshallperform[keyed-hashmessageauthentication]inaccordancewithaspecifiedcryptographicalgorithm[selection:HMAC-SHA-1,HMAC-SHA-256,HMAC-SHA-384,HMAC-SHA-512,SHA-3-224,SHA-3-256,SHA-3-384,SHA-3-512]andcryptographickeysizes[assignment:keysize(inbits)usedinHMAC]andmessagedigestsizes[selection:160,256,384,512bits]thatmeetthefollowing:[FIPSPub198-1,"TheKeyed-HashMessageAuthenticationCode,andFIPSPub180-4,“SecureHashStandard"].

ApplicationNote:Theselectioninthisrequirementmustbeconsistentwiththekeysizespecifiedforthesizeofthekeysusedinconjunctionwiththekeyed-hashmessageauthentication.

EvaluationActivities

FCS_COP.1/KeyHash:TSSTheevaluatorshallexaminetheTSStoensurethatitspecifiesthefollowingvaluesusedbytheHMACfunction:keylength,hashfunctionused,blocksize,andoutputMAClengthused.TestsAssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

Foreachofthesupportedparametersets,theevaluatorshallcompose15setsoftestdata.Eachsetshallconsistofakeyandmessagedata.TheevaluatorshallhavetheTSFgenerateHMACtagsforthesesetsoftestdata.TheresultingMACtagsshallbecomparedtotheresultofgeneratingHMACtagswiththesamekeyandIVusingaknowngoodimplementation.

FCS_ENT_EXT.1Extended:EntropyforVirtualMachinesFCS_ENT_EXT.1.1

TheTSFshallprovideamechanismtomakeavailabletoVMsentropythatmeetsFCS_RBG_EXT.1through[selection:Hypercallinterface,virtualdeviceinterface,passthroughaccesstohardwareentropysource].

FCS_ENT_EXT.1.2TheTSFshallprovideindependententropyacrossmultipleVMs.

ApplicationNote:ThisrequirementensuresthatsufficiententropyisavailabletoanyVMthatrequiresit.Theentropyneednotprovidehigh-qualityentropyforeverypossiblemethodthataVMmightacquireit.TheVMMmust,however,providesomemeansforVMstogetsufficiententropy.Forexample,theVMMcanprovideaninterfacethatreturnsentropytoaGuestVM.Alternatively,theVMMcouldprovidepass-throughaccesstoentropysourcesprovidedbythehostplatform.

Thisrequirementallowsforthreegeneralwaysofprovidingentropytoguests:1)TheVScanprovideaHypercallaccessibletoVM-awareguests,2)accesstoavirtualizeddevicethatprovidesentropy,or3)pass-throughaccesstoahardwareentropysource(includingasourceofrandomnumbers).Inallcases,itispossiblethattheguestismadeVM-awarethroughinstallationofsoftwareordrivers.Forthesecondandthirdcases,itispossiblethattheguestcouldbeVM-unaware.ThereisnorequirementthattheTOEprovideentropysourcesasexpectedbyVM-unawareguests.Thatis,theTOEdoesnothavetoanticipateeverywayaguestmighttrytoacquireentropyaslongasitsuppliesamechanismthatcanbeusedbyVM-awareguests,orprovidesaccesstoastandardmechanismthataVM-unawareguestwoulduse.

TheSTauthorshouldselect“Hypercallinterface”iftheTSFprovidesanAPIfunctionthroughwhichguest-residentsoftwarecanobtainentropyorrandomnumbers.TheSTauthorshouldselect“virtualdeviceinterface”iftheTSFpresentsavirtualdeviceinterfacetotheGuestOSthroughwhichitcanobtainentropyorrandomnumbers.Suchaninterfacecouldpresentavirtualizedrealdevice,suchasaTPM,thatcanbeaccessedbyVM-unawareguests,oravirtualizedfictionaldevicethatwouldrequiretheGuestOStobeVM-aware.TheSTauthorshouldselect“passthroughaccesstohardwareentropysource”iftheTSFpermitsGuestVMstohavedirectaccesstohardwareentropyorrandomnumbersourceontheplatform.TheSTauthorshouldselectallitemsthatareappropriate.

ForFCS_ENT_EXT.1.2,theVMMmustensurethattheprovisionofentropytooneVMcannotaffectthequalityofentropyprovidedtoanotherVMonthesameplatform.

EvaluationActivities

FCS_ENT_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribeshowtheTOEprovidesentropytoGuestVM"s,andhowtoaccesstheinterfacetoacquireentropyorrandomnumbers.TheevaluatorshallverifythattheTSSdescribesthemechanismsforensuringthatoneVMdoesnotaffecttheentropyacquiredbyanother.TestsTheevaluatorshallperformthefollowingtests:

Test1:TheevaluatorshallinvokeentropyfromeachGuestVM.TheevaluatorshallverifythateachVMacquiresvaluesfromtheinterface.Test2:TheevaluatorshallinvokeentropyfrommultipleVMsasnearlysimultaneouslyaspracticable.TheevaluatorshallverifythattheentropyusedinoneVMisnotidenticaltothatinvokedfromtheotherVMs.

FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)FCS_RBG_EXT.1.1

TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)]

FCS_RBG_EXT.1.2ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:asoftware-basednoisesource,ahardware-basednoisesource]withaminimumof[selection:128bits,192bits,256bits]ofentropyatleastequaltothegreatestsecuritystrengthaccordingtoNISTSP800-57,ofthekeysandhashesthatitwillgenerate.

ApplicationNote:NISTSP800-90Acontainsthreedifferentmethodsofgeneratingrandomnumbers;eachofthese,inturn,dependsonunderlyingcryptographicprimitives(hashfunctions/ciphers).TheSTauthorwillselectthe

functionused,andincludethespecificunderlyingcryptographicprimitivesusedintherequirement.Whileanyoftheidentifiedhashfunctions(SHA-1,SHA-224,SHA-256,SHA-384,SHA-44512)areallowedforHash_DRBGorHMAC_DRBG,onlyAES-basedimplementationsforCTR_DRBGareallowed.

IfthekeylengthfortheAESimplementationusedhereisdifferentthanthatusedtoencrypttheuserdata,thenFCS_COP.1/UDEmayhavetobeadjustedoriteratedtoreflectthedifferentkeylength.FortheselectioninFCS_RBG_EXT.1.2,theSTauthorselectstheminimumnumberofbitsofentropythatisusedtoseedtheRBG.

EvaluationActivities

FCS_RBG_EXT.1:Documentationshallbeproduced—andtheevaluatorshallperformtheactivities—inaccordancewithAppendixD,EntropyDocumentationandAssessment.

TestsTheevaluatorshallalsoperformthefollowingtests,dependingonthestandardtowhichtheRBGconforms.

Theevaluatorshallperform15trialsfortheRBGimplementation.IftheRBGisconfigurable,theevaluatorshallperform15trialsforeachconfiguration.TheevaluatorshallalsoconfirmthattheoperationalguidancecontainsappropriateinstructionsforconfiguringtheRBGfunctionality.

IftheRBGhaspredictionresistanceenabled,eachtrialconsistsof(1)instantiatedrbg,(2)generatethefirstblockofrandombits(3)generateasecondblockofrandombits(4)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thenexttwoareadditionalinputandentropyinputforthefirstcalltogenerate.Thefinaltwoareadditionalinputandentropyinputforthesecondcalltogenerate.Thesevaluesarerandomlygenerated.“generateoneblockofrandombits”meanstogeneraterandombitswithnumberofreturnedbitsequaltotheOutputBlockLength(asdefinedinNISTSP800-90A).

IftheRBGdoesnothavepredictionresistance,eachtrialconsistsof(1)instantiatedrbg,(2)generatethefirstblockofrandombits(3)reseed,(4)generateasecondblockofrandombits(5)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thefifthvalueisadditionalinputtothefirstcalltogenerate.Thesixthandseventhareadditionalinputandentropyinputtothecalltore-seed.Thefinalvalueisadditionalinputtothesecondgeneratecall.

Thefollowingparagraphscontainmoreinformationonsomeoftheinputvaluestobegenerated/selectedbytheevaluator.

Entropyinput:thelengthoftheentropyinputvaluemustequaltheseedlengthNonce:Ifanonceissupported(CTR_DRBGwithnodfdoesnotuseanonce),thenoncebitlengthisone-halftheseedlength.Personalizationstring:Thelengthofthepersonalizationstringmustbe<=seedlength.Iftheimplementationonlysupportsonepersonalizationstringlength,thenthesamelengthcanbeusedforbothvalues.Ifmorethanonestringlengthissupport,theevaluatorshallusepersonalizationstringsoftwodifferentlengths.Iftheimplementationdoesnotuseapersonalizationstring,novalueneedstobesupplied.Additionalinput:theadditionalinputbitlengthshavethesamedefaultsandrestrictionsasthepersonalizationstringlengths.

5.1.4UserDataProtection(FDP)

FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsFDP_HBI_EXT.1.1

TheTSFshalluse[selection:nomechanism,[assignment:listofplatform-provided,hardware-basedmechanisms]]toconstrainaGuestVM'sdirectaccesstothefollowingphysicaldevices:[selection:nodevices,[assignment:physicaldevicestowhichtheVMMallowsGuestVMsphysicalaccess]].

ApplicationNote:TheTSFmustuseavailablehardware-basedisolationmechanismstoconstrainVMswhenVMshavedirectaccesstophysicaldevices.“Directaccess”inthiscontextmeansthattheVMcanreadorwritedevicememoryoraccessdeviceI/OportswithouttheVMMbeingabletointerceptandvalidateeverytransaction.

EvaluationActivities

FDP_HBI_EXT.1:TSSTheevaluatorshallensurethattheTSSprovidesevidencethathardware-basedisolationmechanismsareusedtoconstrainVMswhenVMshavedirectaccesstophysicaldevices,includinganexplanationoftheconditionsunderwhichtheTSFinvokestheseprotections.GuidanceTheevaluatorshallverifythattheoperationalguidancecontainsinstructionsonhowtoensurethattheplatform-provided,hardware-basedmechanismsareenabled.

FDP_PPR_EXT.1PhysicalPlatformResourceControlsFDP_PPR_EXT.1.1

TheTSFshallallowanauthorizedadministratortocontrolGuestVMaccesstothefollowingphysicalplatformresources:[assignment:listofphysicalplatformresourcestheVMMisabletocontrolaccessto].

FDP_PPR_EXT.1.2TheTSFshallexplicitlydenyallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisexplicitlydenied]].

FDP_PPR_EXT.1.3TheTSFshallexplicitlyallowallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisalwaysallowed]].

ApplicationNote:ThisrequirementspecifiesthattheVMMcontrolsaccesstophysicalplatformresources,andindicatesthatitmustbeconfigurable,butdoesnotspecifythemeansbywhichthatisdone.TheSTauthorshouldlistthephysicalplatformresourcesthatcanbeconfiguredforGuestVMaccessbytheadministrator.GuestVMsmaynotbealloweddirectaccesstocertainphysicalresources;thoseresourcesarelistedinthesecondelement.Iftherearenosuchresources,theSTauthorselects"nophysicalplatformresources".Likewise,anyresourcestowhichallGuestVMsautomaticallyhaveaccesstoarelistedinthethirdelement;iftherearenosuchresources,then"nophysicalplatformresources"isselected.

EvaluationActivities

FDP_PPR_EXT.1:TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthemechanismbywhichtheVMMcontrolsaGuestVM'saccesstophysicalplatformresourcesisdescribed.ThisdescriptionshallcoverallofthephysicalplatformsallowedintheevaluatedconfigurationbytheST.ThisdescriptionshallincludehowtheVMMdistinguishesamongGuestVMs,andhoweachphysicalplatformresourcethatiscontrollable(thatis,listedintheassignmentstatementinthefirstelement)isidentified.TheevaluatorshallensurethattheTSSdescribeshowtheGuestVMisassociatedwitheachphysicalresources,andhowotherGuestVMscannotaccessaphysicalresourcewithoutbeinggrantedexplicitaccess.ForTOEsthatimplementarobustinterface(otherthanjust"allowaccess"or"denyaccess"),theevaluatorshallensurethattheTSSdescribesthepossibleoperationsormodesofaccessbetweenaGuestVMsandphysicalplatformresources.

Ifphysicalresourcesarelistedinthesecondelement,theevaluatorshallexaminetheTSSandoperationalguidancetodeterminethatthereappearstobenowaytoconfigurethoseresourcesforaccessbyaGuestVM.Theevaluatorshalldocumentintheevaluationreporttheiranalysisofwhythecontrolsofferedtoconfigureaccesstophysicalresourcescan'tbeusedtospecifyaccesstotheresourcesidentifiedinthesecondelement(forexample,iftheinterfaceoffersadrop-downlistofresourcestoassign,andthedeniedresourcesarenotincludedonthatlist,thatwouldbesufficientjustificationintheevaluationreport).GuidanceTheevaluatorshallexaminetheoperationalguidancetodeterminethatitdescribeshowanadministratorisabletoconfigureaccesstophysicalplatformresourcesforGuestVMsforeachplatformallowedintheevaluatedconfigurationaccordingtotheST.Theevaluatorshallalsodeterminethattheoperationalguidanceidentifiesthoseresourceslistedinthesecondandthirdelementsofthecomponentandnotesthataccesstotheseresourcesisexplicitlydenied/allowed,respectively.TestsUsingtheoperationalguidance,theevaluatorshallperformthefollowingtestsforeachphysical

platformidentifiedintheST:

Test1:Foreachphysicalplatformresourceidentifiedinthefirstelement,theevaluatorshallconfigureaGuestVMtohaveaccesstothatresourceandshowthattheGuestVMisabletosuccessfullyaccessthatresource.Test2:Foreachphysicalplatformresourceidentifiedinthefirstelement,theevaluatorshallconfigurethesystemsuchthataGuestVMdoesnothaveaccesstothatresourceandshowthattheGuestVMisunabletosuccessfullyaccessthatresource.Test3:[conditional]:ForTOEsthathavearobustcontrolinterface,theevaluatorshallexerciseeachelementoftheinterfaceasdescribedintheTSSandtheoperationalguidancetoensurethatthebehaviordescribedintheoperationalguidanceisexhibited.Test4:[conditional]:IftheTOEexplicitlydeniesaccesstocertainphysicalresources,theevaluatorshallattempttoaccesseachlisted(inFDP_PPR_EXT.1.2)physicalresourcefromaGuestVMandobservethataccessisdenied.Test5:[conditional]:IftheTOEexplicitlyallowsaccesstocertainphysicalresources,theevaluatorshallattempttoaccesseachlisted(inFDP_PPR_EXT.1.3)physicalresourcefromaGuestVMandobservethattheaccessisallowed.IftheoperationalguidancespecifiesthataccessisallowedsimultaneouslybymorethanoneGuestVM,theevaluatorshallattempttoaccesseachresourcelistedfrommorethanoneGuestVMandshowthataccessisallowed.

FDP_RIP_EXT.1ResidualInformationinMemoryFDP_RIP_EXT.1.1

TheTSFshallensurethatanypreviousinformationcontentofphysicalmemoryisclearedpriortoallocationtoaGuestVM.

ApplicationNote:PhysicalmemorymustbezeroedbeforeitismadeaccessibletoaVMforgeneralusebyaGuestOS.

ThepurposeofthisrequirementistoensurethataVMdoesnotreceivememorycontainingdatapreviouslyusedbyanotherVMorthehost.

“Forgeneraluse”meansforusebytheGuestOSinitspagetablesforrunningapplicationsorsystemsoftware.

ThisdoesnotapplytopagessharedbydesignorpolicybetweenVMsorbetweentheVMMsandVMs,suchasread-onlyOSpagesorpagesusedforvirtualdevicebuffers.

EvaluationActivities

FDP_RIP_EXT.1:TSSTheevaluatorshallensurethattheTSSdocumentstheprocessusedforclearingphysicalmemorypriortoallocationtoaGuestVM,providingdetailsonwhenandhowthisisperformed.Additionally,theevaluatorshallensurethattheTSSdocumentstheconditionsunderwhichphysicalmemoryisnotclearedpriortoallocationtoaGuestVM,anddescribeswhenandhowthememoryiscleared.

FDP_RIP_EXT.2ResidualInformationonDiskFDP_RIP_EXT.2.1

TheTSFshallensurethatanypreviousinformationcontentofphysicaldiskstorageisclearedtozerospriortoallocationtoaGuestVM.

ApplicationNote:DiskstoragemustbezeroedbeforeitismadeaccessibletoaVMforusebyaGuestOS.

ThepurposeofthisrequirementistoensurethataVMdoesnotreceivediskstoragecontainingdatapreviouslyusedbyanotherVMorthehost.

Thisdoesnotapplytodisk-residentfilessharedbydesignorpolicybetweenVMsorbetweentheVMMsandVMs,suchasread-onlydatafilesorfilesusedforinter-VMdatatransferspermittedbypolicy.

EvaluationActivities

FDP_RIP_EXT.2:TSS

TheevaluatorshallensurethattheTSSdocumentstheconditionsunderwhichphysicaldiskstorageisnotclearedpriortoallocationtoaGuestVM.TheevaluatorshallalsoensurethattheTSSdocumentsthemetadatausedinitsvirtualdiskfiles.TestsTheevaluatorshallperformthefollowingtest:

Test1:Onthehost,theevaluatorcreatesafilethatismorethanhalfthesizeofaconnectedphysicalstoragedevice(ormultiplefileswhoseindividualsizesadduptomorethanhalfthesizeofthestoragemedia).Thisfile(orfiles)shallbefilledentirelywithanon-zerovalue.Then,thefile(orfiles)shallbereleased(freedforusebutnotcleared).Next,theevaluator(asaVSAdministrator)createsavirtualdiskatleastthatlargeonthesamephysicalstoragedeviceandconnectsittoapowered-offVM.Then,fromoutsidetheGuestVM,scanthroughandcheckthatallthenon-metadata(asdocumentedintheTSS)inthefilecorrespondingtothatvirtualdiskissettozero.

FDP_VMS_EXT.1VMSeparationFDP_VMS_EXT.1.1

TheVSshallprovidethefollowingmechanismsfortransferringdatabetweenGuestVMs:[selection:

nomechanism,virtualnetworking,[assignment:otherinter-VMdatasharingmechanisms]

].

FDP_VMS_EXT.1.2TheTSFshallallowAdministratorstoconfigurethemechanismsselectedinFDP_VMS_EXT.1.1toenableanddisablethetransferofdatabetweenGuestVMs.

FDP_VMS_EXT.1.3TheVSshallensurethatnoGuestVMisabletoreadortransferdatatoorfromanotherGuestVMexceptthroughthemechanismslistedinFDP_VMS_EXT.1.1.

ApplicationNote:ThefundamentalrequirementofaVirtualizationSystemistheabilitytoenforceseparationbetweeninformationdomainsimplementedasVirtualMachinesandVirtualNetworks.TheintentofthisrequirementistoensurethatVMs,VMMs,andtheVSasawholeisimplementedwiththisfundamentalrequirementinmind.

TheSTauthorshouldselect“nomechanism”intheunlikelyeventthattheVSimplementsnomechanismsfortransferringdatabetweenGuestVMs.Otherwise,theSTauthorshouldselect“virtualnetworking”andidentifyallothermechanismsthroughwhichdatacanbetransferredbetweenGuestVMs.ThisshouldbethesamelistofmechanismssuppliedforFMT_MSA_EXT.1.

Examplesofnon-networkinter-VMsharingmechanismsare:

Userinterface-basedmechanisms,suchascopy-pasteanddrag-and-dropSharedvirtualorphysicaldevicesAPI-basedmechanismssuchasHypercalls

FordatatransfermechanismsimplementedintermsofHypercallfunctions,FDP_VMS_EXT.1.2ismetifFPT_HCL_EXT.1.2ismetforthoseHypercallfunctions(VMaccesstoHypercallfunctionsisconfigurable).

Fordatatransfermechanismsthatusesharedphysicaldevices,FDP_VMS_EXT.1.2ismetifthedeviceislistedinandmeetsFDP_PPR_EXT.1.1(VMaccesstothephysicaldeviceisconfigurable).

Fordatatransfermechanismsthatusevirtualnetworking,FDP_VMS_EXT.1.2ismetifFDP_VNC_EXT.1.1ismet(VMaccesstovirtualnetworksisconfigurable).

EvaluationActivities

FDP_VMS_EXT.1:TSSTheevaluatorshallexaminetheTSStoverifythatitdocumentsallinter-VMcommunicationsmechanisms(asdefinedabove),andexplainshowtheTSFpreventsthetransferofdatabetweenVMsoutsideofthemechanismslistedinFDP_VMS_EXT.1.1.Guidance

Theevaluatorshallexaminetheoperationalguidancetoensurethatitdocumentshowtoconfigureallinter-VMcommunicationsmechanisms,includinghowtheyareinvokedandhowtheyaredisabled.TestsTheevaluatorshallperformthefollowingtestsforeachdocumentedinter-VMcommunicationschannel:

Test1:a. CreatetwoVMswithoutspecifyinganycommunicationsmechanismoroverridingthe

defaultconfiguration.b. TestthatthetwoVMscannotcommunicatethroughthemechanismsselectedin

FMT_MSA_EXT.1.1.c. CreatetwonewVMs,overridingthedefaultconfigurationtoallowcommunications

throughachannelselectedinFMT_MSA_EXT.1.1.d. TestthatcommunicationscanbepassedbetweentheVMsthroughthechannel.e. CreatetwonewVMs,thefirstwiththeinter-VMcommunicationschannelcurrently

beingtestedenabled,andthesecondwiththeinter-VMcommunicationschannelcurrentlybeingtesteddisabled.

f. TestthatcommunicationscannotbepassedbetweentheVMsthroughthechannel.g. AsanAdministrator,enableinter-VMcommunicationsbetweentheVMsonthesecond

VM.h. Testthatcommunicationscanbepassedthroughtheinter-VMchannel.i. AsanAdministratoragain,disableinter-VMcommunicationsbetweenthetwoVMs.j. Testthatcommunicationscannolongerbepassedthroughthechannel.

FDP_VMS_EXT.1.2ismetifcommunicationissuccessfulinstep(d)andunsuccessfulinstep(f).

FMT_MSA_EXT.1.1ismetifcommunicationisunsuccessfulinstep(b).FMT_MSA_EXT.1.2ismetifcommunicationissuccessfulinstep(d).Additionally,FMT_MSA_EXT.1requiresthattheevaluatorverifiesthattheTSSdocumentstheinter-VMcommunicationsmechanismsasdescribedabove.

FDP_VNC_EXT.1VirtualNetworkingComponentsFDP_VNC_EXT.1.1

TheTSFshallallowAdministratorstoconfigurevirtualnetworkingcomponentstoconnectVMstoeachother,andtophysicalnetworks.

FDP_VNC_EXT.1.2TheTSFshallensurethatnetworktrafficvisibletoaGuestVMonavirtualnetwork--orvirtualsegmentofaphysicalnetwork--isvisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetworkorsegment.

ApplicationNote:Virtualnetworksmustbeisolatedfromoneanothertoprovideassurancecommensuratewiththatprovidedbyphysicallyseparatenetworks.ItmustnotbepossiblefordatatocrossbetweenproperlyconfiguredvirtualnetworksregardlessofwhetherthetrafficoriginatedfromalocalGuestVMoraremotehost.

UnprivilegedusersmustnotbeabletoconnectVMstoeachotherortoexternalnetworks.

EvaluationActivities

FDP_VNC_EXT.1:TSSTheevaluatorshallexaminetheTSS(oraproprietaryannex)toverifythatitdescribesthemechanismbywhichvirtualnetworktrafficisensuredtobevisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetwork.GuidanceTheevaluatormustensurethattheOperationalGuidancedescribeshowtocreatevirtualizednetworksandconnectVMstoeachotherandtophysicalnetworks.Tests

Test1:TheevaluatorshallassumetheroleoftheAdministratorandattempttoconfigureaVMtoconnecttoanetworkcomponent.Theevaluatorshallverifythattheattemptissuccessful.Theevaluatorshallthenassumetheroleofanunprivilegeduserandattemptthesameconnection.Iftheattemptfails,orthereisnowayforanunprivilegedusertoconfigureVMnetworkconnections,therequirementismet.Test2:TheevaluatorshallassumetheroleoftheAdministratorandattempttoconfigureaVMtoconnecttoaphysicalnetwork.Theevaluatorshallverifythattheattemptissuccessful.Theevaluatorshallthenassumetheroleofanunprivilegeduserandmakethesameattempt.Iftheattemptfails,orthereisnowayforanunprivilegedusertoconfigure

VMnetworkconnections,therequirementismet.

5.1.5IdentificationandAuthentication(FIA)

FIA_AFL_EXT.1AuthenticationFailureHandlingFIA_AFL_EXT.1.1

TheTSFshalldetectwhen[selection:[assignment:apositiveintegernumber],anadministratorconfigurablepositiveintegerwithina[assignment:rangeofacceptablevalues]

]unsuccessfulauthenticationattemptsoccurrelatedtoAdministratorsattemptingtoauthenticateremotelyusing[selection:usernameandpassword,usernameandPIN].

FIA_AFL_EXT.1.2Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmet,theTSFshall:[selection:preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntil[assignment:actiontounlock]istakenbyanAdministrator,preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntilanAdministratordefinedtimeperiodhaselapsed]

ApplicationNote:TheactiontobetakenshallbepopulatedintheselectionoftheSTanddefinedintheAdministratorguidance.

ThisrequirementappliestoadefinednumberofsuccessiveunsuccessfulremotepasswordorPIN-basedauthenticationattemptsanddoesnotapplytolocalAdministrativeaccess.CompliantTOEsmayoptionallyincludecryptographicauthenticationfailuresandlocalauthenticationfailuresinthenumberofunsuccessfulauthenticationattempts.

EvaluationActivities

FIA_AFL_EXT.1:TestsTheevaluatorshallperformthefollowingtestsforeachcredentialselectedinFIA_AFL_EXT.1.1:

Test1:TheevaluatorwillsetanAdministrator-configurablethresholdnforfailedattempts,ornotetheST-specifiedassignment.

Test1:Theevaluatorwillattempttoauthenticateremotelywiththecredentialn-1times.Theevaluatorwillthenattempttoauthenticateusingagoodcredentialandverifythatauthenticationissuccessful.Test2:Theevaluatorwillmakenattemptstoauthenticateusingabadcredential.Theevaluatorwillthenattempttoauthenticateusingagoodcredentialandverifythattheattemptisunsuccessful.NotethattheauthenticationattemptsandlockoutsmustalsobeloggedasspecifiedinFAU_GEN.1.Test3:Afterreachingthelimitforunsuccessfulauthenticationattemptstheevaluatorwillproceedasfollows:

Test1:IftheAdministratoractionselectioninFIA_AFL_EXT.1.2isselected,thentheevaluatorwillconfirmbytestingthatfollowingtheoperationalguidanceandperformingeachactionspecifiedintheSTtore-enabletheremoteAdministrator’saccessresultsinsuccessfulaccess(whenusingvalidcredentialsforthatAdministrator).Test2:IfthetimeperiodselectioninFIA_AFL_EXT.1.2isselected,theevaluatorwillwaitforjustlessthanthetimeperiodconfiguredandshowthatanauthenticationattemptusingvalidcredentialsdoesnotresultinsuccessfulaccess.Theevaluatorwillthenwaituntiljustafterthetimeperiodconfiguredandshowthatanauthenticationattemptusingvalidcredentialsresultsinsuccessfulaccess.

FIA_UAU.5MultipleAuthenticationMechanismsFIA_UAU.5.1

TheTSFshallprovidethefollowingauthenticationmechanisms:[selection:[selection:local,directory-based]authenticationbasedonusernameandpassword,authenticationbasedonusernameandaPINthatreleasesanasymmetrickeystoredinOE-protectedstorage,

[selection:local,directory-based]authenticationbasedonX.509certificates,[selection:local,directory-based]authenticationbasedonanSSHpublickeycredential

]tosupportAdministratorauthentication.

ApplicationNote:Selectionof‘authenticationbasedonusernameandpassword’requiresthatFIA_PMG_EXT.1beincludedintheST.ThisalsorequiresthattheSTincludeamanagementfunctionforpasswordmanagement.IftheSTauthorselects‘authenticationbasedonanSSHpublic-keycredential’,theTSFshallbevalidatedagainsttheFunctionalPackageforSecureShell.TheSTmustincludeFIA_X509_EXT.1if'authenticationbasedonX.509certificates'isselected.

PINsusedtoaccessOE-protectedstoragearesetandmanagedbytheOE-protectedstoragemechanism.ThusrequirementsonPINmanagementareoutsidethescopeoftheTOE.

FIA_UAU.5.2TheTSFshallauthenticateanyAdministrator’sclaimedidentityaccordingtothe[assignment:rulesdescribinghowthemultipleauthenticationmechanismsprovideauthentication].

EvaluationActivities

FIA_UAU.5:TestsIf‘usernameandpasswordauthentication‘isselected,theevaluatorwillconfiguretheVSwithaknownusernameandpasswordandconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernameandpassword.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernamebutanincorrectpassword.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

If‘usernameandPINthatreleasesanasymmetrickey‘isselected,theevaluatorwillexaminetheTSSforguidanceonsupportedprotectedstorageandwillthenconfiguretheTOEorOEtoestablishaPINwhichenablesreleaseoftheasymmetrickeyfromtheprotectedstorage(suchasaTPM,ahardwaretoken,orisolatedexecutionenvironment)withwhichtheVScaninterface.Theevaluatorwillthenconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernameandPIN.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernamebutanincorrectPIN.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

If‘X.509certificateauthentication‘isselected,theevaluatorwillgenerateanX.509v3certificateforanAdministratoruserwiththeClientAuthenticationEnhancedKeyUsagefieldset.TheevaluatorwillprovisiontheVSforauthenticationwiththeX.509v3certificate.TheevaluatorwillensurethatthecertificatesarevalidatedbytheVSasperFIA_X509_EXT.1.1andthenconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheX.509v3certificate.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:Theevaluatorwillgenerateasecondcertificateidenticaltothefirstexceptforthepublickeyandanyvaluesderivedfromthepublickey.TheevaluatorwillattempttoauthenticatetotheVSwiththiscertificate.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

If‘SSHpublic-keycredentialauthentication‘isselected,theevaluatorshallgenerateapublic-privatehostkeypairontheTOEusingRSAorECDSA,andasecondpublic-privatekeypaironaremoteclient.TheevaluatorshallprovisiontheVSwiththeclientpublickeyforauthenticationoverSSH,andconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingamessagesignedbytheclientprivatekeythatcorrespondstoprovisionedclientpublickey.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillgenerateasecondclientkeypairandwillattempttoauthenticatetotheVSwiththeprivatekeyoverSSHwithoutfirstprovisioningtheVStosupportthenewkeypair.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationFIA_UIA_EXT.1.1

TheTSFshallrequireAdministratorstobesuccessfullyidentifiedandauthenticatedusingoneofthemethodsinFIA_UAU.5beforeallowinganyTSF-mediatedmanagementfunctiontobeperformedbythatAdministrator.

ApplicationNote:Usersdonothavetoauthenticate,onlyAdministratorsneedtoauthenticate.

EvaluationActivities

FIA_UIA_EXT.1:TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthelogonprocessforeachlogonmethod(local,remote(HTTPS,SSH,etc.))supportedfortheproduct.Thisdescriptionshallcontaininformationpertainingtothecredentialsallowed/used,anyprotocoltransactionsthattakeplace,andwhatconstitutesa“successfullogon”.Theevaluatorshallexaminetheoperationalguidancetodeterminethatanynecessarypreparatorysteps(e.g.,establishingcredentialmaterialsuchaspre-sharedkeys,tunnels,certificates,etc.)tologginginaredescribed.Foreachsupportedtheloginmethod,theevaluatorshallensuretheoperationalguidanceprovidesclearinstructionsforsuccessfullyloggingon.Ifconfigurationisnecessarytoensuretheservicesprovidedbeforeloginarelimited,theevaluatorshalldeterminethattheoperationalguidanceprovidessufficientinstructiononlimitingtheallowedservices.

5.1.6SecurityManagement(FMT)

FMT_MSA_EXT.1DefaultDataSharingConfigurationFMT_MSA_EXT.1.1

TheTSFshallbydefaultenforceapolicyprohibitingsharingofdatabetweenGuestVMs.

FMT_MSA_EXT.1.2TheTSFshallallowAdministratorstospecifyalternativeinitialconfigurationvaluestooverridethedefaultvalueswhenaGuestVMiscreated.

ApplicationNote:Bydefault,theVMMmustenforceapolicyprohibitingsharingofdatabetweenVMs.ThedefaultpolicyappliestoallmechanismsforsharingdatabetweenVMs,includinginter-VMcommunicationchannels,sharedphysicaldevices,sharedvirtualdevices,andvirtualnetworks.Thedefaultpolicydoesnotapplytocovertchannelsandarchitecturalside-channels.

ThelistofdatasharingmechanismsimplementedbytheTOEiscontainedintheselectioninFDP_VMS_EXT.1.1.Examplesofnon-networkinter-VMsharingmechanismsare:

Userinterface-basedmechanisms,suchascopy-pasteanddrag-and-dropSharedvirtualorphysicaldevicesAPI-basedmechanismssuchasHypercalls

.

EvaluationActivities

FMT_MSA_EXT.1:TestsThisrequirementismetifFDP_VMS_EXT.1ismet.

FMT_SMO_EXT.1SeparationofManagementandOperationalNetworksFMT_SMO_EXT.1.1

TheTSFshallsupporttheconfigurationofseparatemanagementandoperationalnetworksthrough[selection:physicalmeans,logicalmeans,trustedchannel].

ApplicationNote:Managementcommunicationsmustbeseparatefromuserworkloads.Administrativecommunications—includingcommunicationsbetweenphysicalhostsconcerningloadbalancing,auditdata,VMstartupandshutdown—mustbeseparatefromguestoperationalnetworks.

“Physicalmeans”referstousingseparatephysicalnetworksformanagementandoperationalnetworks.Forexample,themachinesinthemanagementnetworkareconnectedbyseparatecablespluggedintoseparateanddedicatedphysicalportsoneachphysicalhost.

“Logicalmeans”referstousingseparatenetworkcablestoconnectphysicalhoststogetherusinggeneral-purposenetworkingports.Themanagementandoperationalnetworksarekeptseparatewithinthehostsusingseparatevirtualizednetworkingcomponents.

IftheSTauthorselects“trustedchannel”,thentheprotocolsusedfornetworkseparationmustbeselectedinFTP_ITC_EXT.1.

EvaluationActivities

FMT_SMO_EXT.1:TSSTheevaluatorshallexaminetheTSStoverifythatitdescribeshowmanagementandoperationalnetworksmaybeseparated.GuidanceTheevaluatorshallexaminetheoperationalguidancetoverifythatitdetailshowtoconfiguretheVSwithseparateManagementandOperationalNetworks.TestsTheevaluatorshallconfigurethemanagementnetworkasdocumented.Ifseparationiscryptographicorlogical,thentheevaluatorshallcapturepacketsonthemanagementnetwork.IfGuestnetworktrafficisdetected,therequirementisnotmet.

5.1.7ProtectionoftheTSF(FPT)

FPT_DVD_EXT.1Non-ExistenceofDisconnectedVirtualDevicesFPT_DVD_EXT.1.1

TheTSFshalllimitaGuestVM’saccesstovirtualdevicestothosethatarepresentintheVM’scurrentvirtualhardwareconfiguration.

ApplicationNote:ThevirtualizedhardwareabstractionimplementedbyaparticularVSmightincludethevirtualizedinterfacesformanydifferentdevices.SometimesthesedevicesarenotpresentinaparticularinstantiationofaVM.TheinterfacefordevicesnotpresentmustnotaccessiblebytheVM.

SuchinterfacesincludememorybuffersandprocessorI/Oports.

ThepurposeofthisrequirementistoreducetheattacksurfaceoftheVMMbyclosingunusedinterfaces.

EvaluationActivities

FPT_DVD_EXT.1:TestsTheevaluatorshallconnectadevicetoaVM,thenusingadevicedriverrunningintheguest,scantheVM'sprocessorI/Oportstoensurethatthedevice'sportsarepresent.(Thedevice'sinterfaceshouldbedocumentedintheTSSunderFPT_VDP_EXT.1.)TheevaluatorshallremovethedevicefromtheVMandrunthescanagain.Thisrequirementismetifthedevice'sI/Oportsarenolongerpresent.

FPT_EEM_EXT.1ExecutionEnvironmentMitigationsFPT_EEM_EXT.1.1

TheTSFshalltakeadvantageofexecutionenvironment-basedvulnerabilitymitigationmechanismssupportedbythePlatformsuchas:[selection:

Addressspacerandomization,Memoryexecutionprotection(e.g.,DEP),Stackbufferoverflowprotection,Heapcorruptiondetection,[assignment:othermechanisms],Nomechanisms

]

ApplicationNote:Processormanufacturers,compilerdevelopers,andoperatingsystemvendorshavedevelopedexecutionenvironment-basedmitigationsthatincreasethecosttoattackersbyaddingcomplexitytothetaskofcompromisingsystems.SoftwarecanoftentakeadvantageofthesemechanismsbyusingAPIsprovidedbytheoperatingsystemorbyenablingthemechanismthroughcompilerorlinkeroptions.

ThisrequirementdoesnotmandatethattheseprotectionsbeenabledthroughouttheVirtualizationSystem—onlythattheybeenabledwheretheyhavelikelyimpact.Forexample,codethatreceivesandprocessesuserinputshouldtakeadvantageofthesemechanisms.

Fortheselection,theSTauthorselectsthesupportedmechanism(s)andusestheassignmenttoincludemechanismsnotlistedintheselection,ifany.

EvaluationActivities

FPT_EEM_EXT.1:TSSTheevaluatorshallexaminetheTSStoensurethatitstates,foreachplatformlistedintheST,theexecutionenvironment-basedvulnerabilitymitigationmechanismsusedbytheTOEonthatplatform.TheevaluatorshallensurethatthelistscorrespondtowhatisspecifiedinFPT_EEM_EXT.1.1.

FPT_HAS_EXT.1HardwareAssistsFPT_HAS_EXT.1.1

TheVMMshalluse[assignment:listofhardware-basedvirtualizationassists]toreduceoreliminatetheneedforbinarytranslation.

FPT_HAS_EXT.1.2TheVMMshalluse[assignment:listofhardware-basedvirtualizationmemory-handlingassists]toreduceoreliminatetheneedforshadowpagetables.

ApplicationNote:Thesehardware-assistshelpreducethesizeandcomplexityoftheVMM,andthus,ofthetrustedcomputingbase,byeliminatingorreducingtheneedforparavirtualizationorbinarytranslation.Paravirtualizationinvolvesmodifyingguestsoftwaresothatinstructionsthatcannotbeproperlyvirtualizedareneverexecutedonthephysicalprocessor.

FortheassignmentinFPT_HAS_EXT.1,theSTauthorliststhehardware-basedvirtualizationassistsonallplatformsincludedintheSTthatareusedbytheVMMtoreduceoreliminatetheneedforsoftware-basedbinarytranslation.Examplesforthex86platformareIntelVT-xandAMD-V.“None”isanacceptableassignmentforplatformsthatdonotrequirevirtualizationassistsinordertoeliminatetheneedforbinarytranslation.ThismustbedocumentedintheTSS.

FortheassignmentinFPT_HAS_EXT.1.2,theSTauthorliststhesetofhardware-basedvirtualizationmemory-handlingextensionsforallplatformslistedintheSTthatareusedbytheVMMtoreduceoreliminatetheneedforshadowpagetables.Examplesforthex86platformareIntelEPTandAMDRVI.“None”isanacceptableassignmentforplatformsthatdonotrequirememory-handlingassistsinordertoeliminatetheneedforshadowpagetables.ThismustbedocumentedintheTSS.

EvaluationActivities

FPT_HAS_EXT.1:TSSTheevaluatorshallexaminetheTSStoensurethatitstates,foreachplatformlistedintheST,thehardwareassistsandmemory-handlingextensionsusedbytheTOEonthatplatform.TheevaluatorshallensurethattheselistscorrespondtowhatisspecifiedintheapplicableFPT_HAS_EXTcomponent.

FPT_HCL_EXT.1HypercallControlsFPT_HCL_EXT.1.1

TheTSFshallprovideaHypercallinterfaceforGuestVMstousetoinvokefunctionalityprovidedbytheVMM.

FPT_HCL_EXT.1.2TheTSFshallallowadministratorstoconfigureanyVM’sHypercallinterfacetodisableaccesstoindividualfunctions,allfunctions,orgroupsoffunctions.

FPT_HCL_EXT.1.3TheTSFshallpermitexceptionstotheconfigurationofthefollowingHypercallinterfacefunctions:[assignment:listoffunctionsthatarenotsubjecttothe

configurationcontrolsinFPT_HCL_EXT.1.2].

FPT_HCL_EXT.1.4TheTSFshallvalidatetheparameterspassedtothehypercallinterfacepriortoexecutionoftheVMMfunctionalityexposedbythatinterface.

ApplicationNote:ThepurposeofthisrequirementistohelpensuretheintegrityoftheVMMbydefiningtheattacksurfaceexposedtoGuestVMsthroughHypercalls,testingthemechanismsforreducingthatattacksurfacebydisablingHypercalls,andensuringthatHypercallparametersareproperlyvalidatedpriortousebytheVMM.

AHypercallinterfaceallowsasetofVMMfunctionstobeinvokedbysoftwarerunningwithinaVM.Hypercallinterfacesareusedbyvirtualization-awareVMstocommunicateandexchangedatawiththeVMM.Forexample,aVMcoulduseahypercallinterfacetogetinformationabouttherealworld,suchasthetimeofdayortheunderlyinghardwareofthehostsystem.AhypercallcouldalsobeusedtotransferdatabetweenVMsthroughacopy-pastemechanism.BecausehypercallinterfacesexposetheVMMtoGuestVMs,theseinterfacesconstituteattacksurface.Inordertominimizeattacksurface,theseinterfacesmustbelimitedtotheminimumneededtosupportVMfunctionality.

FortheselectioninFPT_HCL_EXT.1.2,theSTauthorselectstheapplicableactionsthatadministratorscanperformtoconfigurefunctionssupportedbytheinterface.

FortheassignmentinFPT_HCL_EXT.1.3,theSTauthorliststheinterfacefunctionsthatcannotbeconfiguredperFPT_HCL_EXT.1.2.

Avendor-providedtestharnessmayreduceevaluationtime.

ThereisnoexpectationthattheevaluatorwillneedtoreviewsourcecodeinordertoaccomplishtheAssuranceActivity.TheevaluatordocumentationreviewshouldensurethattherearedocumentedHypercallfunctionsintheTSS,thateachdocumentedHypercallfunctioncontainsthespecifiedinformation,andthattherearenotobviousorpubliclyknownHypercallfunctionsmissing.

EvaluationActivities

FPT_HCL_EXT.1:TSSTheevaluatorshallexaminetheTSSoroperationalguidancetoensureitdocumentsallHypercallfunctionsatthelevelnecessaryfortheevaluatortodisablethefunctionsandruntests1and2,below.Documentationmustinclude,foreachfunction,howtocallthefunction,functionparametersandlegalvalues,configurationsettingsforenabling/disablingthefunction,andconditionsunderwhichthefunctioncanbedisabled.TheTSSmustalsospecifythosefunctionsthatcannotbedisabled.WhilethereisnoexpectationthattheevaluatorwillneedtoexaminesourcecodeinordertoaccomplishthisAssuranceActivity,theevaluatormustensurethattherearenoobviousorpubliclyknownHypercallfunctionsmissingfromtheTSS.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensureitcontainsinstructionsforhowtoconfigureinterfacefunctionsperFPT_HCL_EXT.1.2.TestsTheevaluatorshallperformthefollowingtests:

Test1:ForeachconfigurablefunctionthatmeetsFPT_HCL_EXT.1.2,theevaluatorshallfollowtheoperationalguidancetoenablethefunction.TheevaluatorshallthenattempttocalleachfunctionfromwithintheVM.Ifthecallisallowed,thenthetestsucceeds.Test2:ForeachconfigurablefunctionthatmeetsFPT_HCL_EXT.1.2,theevaluatorshallconfiguretheTSFtodisablethefunction.TheevaluatorshallthenattempttocallthefunctionfromwithintheVM.Ifthecallisblocked,thenthetestsucceeds.

FPT_RDM_EXT.1RemovableDevicesandMediaFPT_RDM_EXT.1.1

TheTSFshallimplementcontrolsforhandlingthetransferofvirtualandphysicalremovablemediaandvirtualandphysicalremovablemediadevicesbetweeninformationdomains.

FPT_RDM_EXT.1.2TheTSFshallenforcethefollowingruleswhen[assignment:virtualorphysicalremovablemediaandvirtualorphysicalremovablemediadevices]areswitched

betweeninformationdomains,then[selection:theAdministratorhasgrantedexplicitaccessforthemediaordevicetobeconnectedtothereceivingdomain,themediainadevicethatisbeingtransferredisejectedpriortothereceivingdomainbeingallowedaccesstothedevice,theuserofthereceivingdomainexpresslyauthorizestheconnection,thedeviceormediathatisbeingtransferredispreventedfrombeingaccessedbythereceivingdomain

]

ApplicationNote:ThepurposeoftheserequirementsistoensurethatVMsarenotgiveninadvertentaccesstoinformationfromdifferentdomainsbecauseofmediaorremovablemediadevicesleftconnectedtophysicalmachines.

Removablemediaismediathatcanbeejectedfromadevice,suchasacompactdisc,floppydisk,SD,orcompactflashmemorycard.

Removablemediadevicesareremovabledevicesthatincludemedia,suchasUSBflashdrivesandUSBharddrives.Removablemediadevicescanthemselvescontainremovablemedia(e.g.,USBCDROMdrives).

Forpurposesofthisrequirement,anInformationDomainis:

a. AVMorcollectionofVMsb. TheVirtualizationSystemc. HostOSd. ManagementSubsystem

Theserequirementsalsoapplytovirtualizedremovablemedia—suchasvirtualCDdrivesthatconnecttoISOimages—aswellasphysicalmedia—suchasCDROMsandUSBflashdrives.InthecaseofvirtualCDROMs,virtualejectionofthevirtualmediaissufficient.

Inthefirstassignment,theSTauthorlistsallremovablemediaandremovablemediadevices(bothvirtualandreal)thataresupportedbytheTOE.TheSTauthorthenselectsactionsthatareappropriateforallremovablemediaandremovablemediadevices(bothvirtualandreal)thatarebeingclaimedintheassignment.

Forclarity,theSTauthormayiteratethisrequirementsothatlikeactionsaregroupedwiththeremovablemediaordevicestowhichtheyapply(e.g.,thefirstiterationcouldcontainalldevicesforwhichmediaisejectedonaswitch;theseconditerationcouldcontainalldevicesforwhichaccessispreventedonswitch,etc.).

EvaluationActivities

FPT_RDM_EXT.1:TSSTheevaluatorshallexaminetheTSStoensureitdescribestheassociationbetweenthemediaordevicessupportedbytheTOEandtheactionsthatcanoccurwhenswitchinginformationdomains.Theevaluatorshallexaminetheoperationalguidancetoensureitdocumentshowanadministratororuserconfiguresthebehaviorofeachmediaordevice.TestsTheevaluatorshallperformthefollowingtestforeachlistedmediaordevice:

Test1:TheevaluatorshallconfiguretwoVMsthataremembersofdifferentinformationdomains,withthemediaordeviceconnectedtooneoftheVMs.TheevaluatorshalldisconnectthemediaordevicefromtheVMandconnectittotheotherVM.TheevaluatorshallverifythattheactionperformedisconsistentwiththeactionassignedintheTSS.

FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemFPT_TUD_EXT.1.1

TheTSFshallprovideadministratorstheabilitytoquerythecurrentlyexecutedversionoftheTOEfirmware/softwareaswellasthemostrecentlyinstalledversionoftheTOEfirmware/software.

ApplicationNote:Theversioncurrentlyrunning(beingexecuted)maynotbetheversionmostrecentlyinstalled.Forinstance,maybetheupdatewasinstalledbutthesystemrequiresarebootbeforethisupdatewillrun.Therefore,itneedstobeclearthatthequeryshouldindicateboththemostrecentlyexecutedversionaswellasthemostrecentlyinstalledupdate.

FPT_TUD_EXT.1.2TheTSFshallprovideadministratorstheabilitytomanuallyinitiateupdatestoTOEfirmware/softwareand[selection:automaticupdates,nootherupdatemechanism].

FPT_TUD_EXT.1.3TheTSFshallprovidemeanstoauthenticatefirmware/softwareupdatestotheTOEusinga[selection:digitalsignaturemechanismusingcertificates,digitalsignaturemechanismnotusingcertificates,publishedhash]priortoinstallingthoseupdates.

ApplicationNote:ThedigitalsignaturemechanismreferencedinFPT_TUD_EXT.1.3isoneofthealgorithmsspecifiedinFCS_COP.1/SIG.

Ifcertificatesareusedbytheupdateverificationmechanism,certificatesarevalidatedinaccordancewithFIA_X509_EXT.1andshouldbeselectedinFIA_X509_EXT.2.1.Additionally,FPT_TUD_EXT.2mustbeincludedintheST.

“Update”inthecontextofthisSFRreferstotheprocessofreplacinganon-volatile,systemresidentsoftwarecomponentwithanother.TheformerisreferredtoastheNVimage,andthelatteristheupdateimage.WhiletheupdateimageistypicallynewerthantheNVimage,thisisnotarequirement.Therearelegitimatecaseswherethesystemownermaywanttorollbackacomponenttoanolderversion(e.g.,whenthecomponentmanufacturerreleasesafaultyupdate,orwhenthesystemreliesonanundocumentedfeaturenolongerpresentintheupdate).Likewise,theownermaywanttoupdatewiththesameversionastheNVimagetorecoverfromfaultystorage.

Alldiscretesoftwarecomponents(e.g.,applications,drivers,kernel,firmware)oftheTSF,shouldbedigitallysignedbythecorrespondingmanufacturerandsubsequentlyverifiedbythemechanismperformingtheupdate.Sinceitisrecognizedthatcomponentsmaybesignedbydifferentmanufacturers,itisessentialthattheupdateprocessverifythatboththeupdateandNVimageswereproducedbythesamemanufacturer(e.g.,bycomparingpublickeys)orsignedbylegitimatesigningkeys(e.g.,successfulverificationofcertificateswhenusingX.509certificates).

TheDigitalSignatureoptionisthepreferredmechanismforauthenticatingupdates.ThePublishedHashoptionwillberemovedfromafutureversionofthisPP.

EvaluationActivities

FPT_TUD_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesallTSFsoftwareupdatemechanismsforupdatingthesystemsoftware.UpdatestotheTOEeitherhaveahashassociatedwiththem,oraresignedbyanauthorizedsource.Theevaluatorshallverifythatthedescriptionincludeseitheradigitalsignatureorpublishedhashverificationofthesoftwarebeforeinstallationandthatinstallationfailsiftheverificationfails.TheevaluatorshallverifythattheTSSdescribesthemethodbywhichthedigitalsignatureorpublishedhashisverifiedtoincludehowthecandidateupdatesareobtained,theprocessingassociatedwithverifyingtheupdate,andtheactionsthattakeplaceforbothsuccessfulandunsuccessfulverification.Ifdigitalsignaturesareused,theevaluatorshallalsoensurethedefinitionofanauthorizedsourceiscontainedintheTSS.

IftheSTauthorindicatesthatacertificate-basedmechanismisusedforsoftwareupdatedigitalsignatureverification,theevaluatorshallverifythattheTSScontainsadescriptionofhowthecertificatesarecontainedonthedevice.TheevaluatoralsoensuresthattheTSS(oradministratorguidance)describeshowthecertificatesareinstalled/updated/selected,ifnecessary.TestsTheevaluatorshallperformthefollowingtests:

Test1:Theevaluatorperformstheversionverificationactivitytodeterminethecurrentversionoftheproduct.TheevaluatorobtainsalegitimateupdateusingproceduresdescribedintheoperationalguidanceandverifiesthatitissuccessfullyinstalledontheTOE.Aftertheupdate,theevaluatorperformstheversionverificationactivityagaintoverifytheversioncorrectlycorrespondstothatoftheupdate.Test2:Theevaluatorperformstheversionverificationactivitytodeterminethecurrentversionoftheproduct.Theevaluatorobtainsorproducesillegitimateupdatesasdefinedbelow,andattemptstoinstallthemontheTOE.TheevaluatorverifiesthattheTOErejectsalloftheillegitimateupdates.Theevaluatorperformsthistestusingallofthefollowingformsofillegitimateupdates:

1. Amodifiedversion(e.g.,usingahexeditor)ofalegitimatelysignedorhashedupdate2. Animagethathasnotbeensigned/hashed3. Animagesignedwithaninvalidhashorinvalidsignature(e.g.,byusingadifferentkey

asexpectedforcreatingthesignatureorbymanualmodificationofalegitimatehash/signature)

FPT_VDP_EXT.1VirtualDeviceParametersFPT_VDP_EXT.1.1

TheTSFshallprovideinterfacesforvirtualdevicesimplementedbytheVMMaspartofthevirtualhardwareabstraction.

FPT_VDP_EXT.1.2TheTSFshallvalidatetheparameterspassedtothevirtualdeviceinterfacepriortoexecutionoftheVMMfunctionalityexposedbythoseinterfaces.

ApplicationNote:ThepurposeofthisrequirementistoensurethattheVMMisnotvulnerabletocompromisethroughtheprocessingofmalformeddatapassedtothevirtualdeviceinterfacefromaGuestOS.TheVMMcannotassumethatanydatacomingfromaVMiswell-formed—evenifthevirtualdeviceinterfaceisuniquetotheVSandthedatacomesfromavirtualdevicedriversuppliedbytheVirtualizationVendor.

EvaluationActivities

FPT_VDP_EXT.1:TSSTheevaluatorshallexaminetheTSStoensureitlistsallvirtualdevicesaccessiblebytheguestOS.TheTSS,oraseparateproprietarydocument,mustalsodocumentallvirtualdeviceinterfacesatthelevelofI/Oports-includingportnumber(s)(absoluteorrelativetoabase),portname,andadescriptionoflegalinputvalues.TheTSSmustalsodescribetheexpectedbehavioroftheinterfacewhenpresentedwithillegalinputvalues.ThisbehaviormustbedeterministicandindicativeofparametercheckingbytheTSF.TheevaluatormustensurethattherearenoobviousorpubliclyknownvirtualI/OportsmissingfromtheTSS.Thereisnoexpectationthatevaluatorswillexaminesourcecodetoverifythe“all”partoftheAssuranceActivity.TestsForeachvirtualdeviceinterface,theevaluatorshallattempttoaccesstheinterfaceusingatleastoneparametervaluethatisoutofrangeorillegal.ThetestispassediftheinterfacebehavesinthemannerdocumentedintheTSS.Interfacesthatdonothaveinputparametersneednotbetested.ThistestcanbeperformedinconjunctionwiththetestsforFPT_DVD_EXT.1.

FPT_VIV_EXT.1VMMIsolationfromVMsFPT_VIV_EXT.1.1

TheTSFmustensurethatsoftwarerunninginaVMisnotabletodegradeordisruptthefunctioningofotherVMs,theVMM,orthePlatform.

FPT_VIV_EXT.1.2TheTSFmustensurethataGuestVMisunabletoinvokeplatformcodethatrunsataprivilegelevelequaltoorexceedingthatoftheVMMwithoutinvolvementoftheVMM.

ApplicationNote:ThisrequirementisintendedtoensurethatsoftwarerunningwithinaGuestVMcannotcompromiseotherVMs,theVMM,ortheplatform.ThisrequirementisnotmetifGuestVMsoftware—whateveritsprivilegelevel—cancrashtheVSorthePlatform,orbreakoutofitsvirtualhardwareabstractiontogainexecutionontheplatform,withinoroutsideofthecontextoftheVMM.

ThisrequirementisnotviolatedifsoftwarerunningwithinaVMcancrashtheGuestOSandthereisnowayforanattackertogainexecutionintheVMMoroutsideofthevirtualizeddomain.

FPT_VIV_EXT.1.2addressesseveralspecificmechanismsthatmustnotbepermittedtobypasstheVMMandinvokeprivilegedcodeonthePlatform.

Ataminimum,theTSFshouldenforcethefollowing:

a. Onthex86platform,avirtualSystemManagementInterrupt(SMI)cannotinvokeplatformSystemManagementMode(SMM)

b. AnattempttoupdatevirtualfirmwareorvirtualBIOScannotcausephysicalplatformfirmwareorphysicalplatformBIOStobemodified

c. AnattempttoupdatevirtualfirmwareorvirtualBIOScannotcausetheVMMtobemodified

Oftheabove,(a)doesnotapplytoplatformsthatdonotsupportSMM.Therationalebehindactivity(c)isthatafirmwareupdateofasingleVMmustnotaffectotherVMs.SoifmultipleVMssharethesamefirmwareimageaspartofacommonhardwareabstraction,thentheupdateofasinglemachine’sBIOSmustnotbeallowedtochangethecommonabstraction.ThevirtualhardwareabstractionispartoftheVMM.

EvaluationActivities

FPT_VIV_EXT.1:TSSTheevaluatorshallverifythattheTSS(oraproprietaryannextotheTSS)describeshowtheTSFensuresthatguestsoftwarecannotdegradeordisruptthefunctioningofotherVMs,theVMMortheplatform.AndhowtheTSFpreventsguestsfrominvokinghigher-privilegeplatformcode,suchastheexamplesinthenote.GuidanceThereisnooperationalguidanceforthisrequirement.TestsTherearenotestsforthisrequirement.

5.1.8TOEAccess(FTA)

FTA_TAB.1TOEAccessBannerFTA_TAB.1.1

Beforeestablishinganadministrativeusersession,theTSFshalldisplayasecurityAdministrator-specifiedadadvisorynoticeandconsentwarningmessageregardinguseoftheTOE.

ApplicationNote:ThisrequirementisintendedtoapplytointeractivesessionsbetweenahumanuserandaTOE.ITentitiesestablishingconnectionsorprogrammaticconnections(e.g.,remoteprocedurecallsoveranetwork)arenotrequiredtobecoveredbythisrequirement.

EvaluationActivities

FTA_TAB.1:TestsTheevaluatorshallconfiguretheTOEtodisplaytheadvisorywarningmessage“TESTTESTWarningMessageTESTTEST”.Theevaluatorshallthenlogoutandconfirmthattheadvisorymessageisdisplayedbeforeloggingcanoccur.

5.1.9TrustedPath/Channel(FTP)

FTP_ITC_EXT.1TrustedChannelCommunicationsFTP_ITC_EXT.1.1

TheTSFshalluse[selection:TLSasconformingtotheFunctionalPackageforTransportLayerSecurity,TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1,IPsecasconformingtoFCS_IPSEC_EXT.1,SSHasconformingtotheExtendedPackageforSecureShell

]toprovideatrustedcommunicationchannelbetweenitself,and

auditservers(asrequiredbyFAU_STG_EXT.1),and[selection:

remoteadministrators(asrequiredbyFTP_TRP.1.1ifselectedinFMT_MOF_EXT.1.1intheClientorServerPP-Module),separationofmanagementandoperationalnetworks(ifselectedinFMT_SMO_EXT.1),[assignment:othercapabilities],noothercapabilities

]thatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafromdisclosureanddetectionofmodificationofthecommunicateddata.

ApplicationNote:IftheSTauthorselectseitherTLSorHTTPS,theTSFshallbevalidatedagainsttheFunctionalPackageforTLS.ThisPPdoesnotmandatethataproductimplementTLSwithmutualauthentication,butiftheproductincludesthecapabilitytoperformTLSwithmutualauthentication,thenmutualauthenticationmustbeincludedwithintheTOEboundary.TheTLSPackagerequiresthattheX509requirementsbeincludedbythePP,soselectionofTLSorHTTPScausesFIA_X509_EXT.*tobeselected.

IftheSTauthorselectsSSH,theTSFshallbevalidatedagainsttheExtendedPackageforSecureShell.TheSSHpackageimportstheX509requirementsifnecessary,soselectingSSHheredoesnotautomaticallycausetheirinclusion.

SelectionofIPSecalsoautomaticallycausesinclusionoftheX509requirements.

TheSTauthormustincludethesecurityfunctionalrequirementsforthetrustedchannelprotocolselectedinFTP_ITC_EXT.1inthemainbodyoftheST.

EvaluationActivities

FTP_ITC_EXT.1:TSSTheevaluatorwillreviewtheTSStodeterminethatitlistsalltrustedchannelstheTOEusesforremotecommunications,includingboththeexternalentitiesand/orremoteusersusedforthechannelaswellastheprotocolthatisusedforeach.TestsTheevaluatorwillconfiguretheTOEtocommunicatewitheachexternalITentityand/ortypeofremoteuseridentifiedintheTSS.TheevaluatorwillmonitornetworktrafficwhiletheVSperformscommunicationwitheachofthesedestinations.Theevaluatorwillensurethatforeachsessionatrustedchannelwasestablishedinconformancewiththeprotocolsidentifiedintheselection.

FTP_UIF_EXT.1UserInterface:I/OFocusFTP_UIF_EXT.1.1

TheTSFshallindicatetouserswhichVM,ifany,hasthecurrentinputfocus.

ApplicationNote:Thisrequirementappliestoallusers—whetherUserorAdministrator.InenvironmentswheremultipleVMsrunatthesametime,theusermusthaveawayofknowingwhichVMuserinputisdirectedtoatanygivenmoment.Thisisespeciallyimportantinmultiple-domainenvironments.

Inthecaseofahumanuser,thisisusuallyavisualindicator.InthecaseofheadlessVMs,theuserisconsideredtobeaprogram,butthisprogramstillneedstoknowwhichVMitissendinginputto;thiswouldtypicallybeaccomplishedthroughprogrammaticmeans.

EvaluationActivities

FTP_UIF_EXT.1:TSSTheevaluatorshallensurethattheTSSliststhesupporteduserinputdevices.GuidanceTheevaluatorshallensurethattheoperationalguidancespecifieshowthecurrentinputfocusisindicatedtotheuser.TestsForeachsupportedinputdevice,theevaluatorshalldemonstratethattheinputfromeachdevicelistedintheTSSisdirectedtotheVMthatisindicatedtohavetheinputfocus.

FTP_UIF_EXT.2UserInterface:IdentificationofVMFTP_UIF_EXT.2.1

TheTSFshallsupporttheuniqueidentificationofaVM’soutputdisplaytousers.

ApplicationNote:InenvironmentswhereauserhasaccesstomorethanoneVMatthesametime,theusermustbeabletodeterminetheidentityofeachVMdisplayedinordertoavoidinadvertentcross-domaindataentry.

TheremustbeamechanismforassociatinganidentifierwithaVMsothatanapplicationorprogramdisplayingtheVMcanidentifytheVMtousers.Thisisgenerallyindicatedvisuallyforhumanusers(e.g.,VMidentityinthewindowtitlebar)andprogrammaticallyforheadlessVMs(e.g.,anAPIfunction).TheidentificationmustbeuniquetotheVS,butdoesnotneedtobeuniversallyunique.

EvaluationActivities

FTP_UIF_EXT.2:TSSTheevaluatorshallensurethattheTSSdescribesthemechanismforidentifyingVMstotheuser,howidentitiesareassignedtoVMs,andhowconflictsareprevented.TestsTheevaluatorshallperformthefollowingtest:

TheevaluatorshallattempttocreateandstartatleastthreeGuestVMsonasingledisplaydevicewheretheevaluatorattemptstoassigntwooftheVMsthesameidentifier.IftheuserinterfacedisplaysdifferentidentifiersforeachVM,thentherequirementismet.Likewise,therequirementismetifthesystemrefusestocreateorstartaVMwhenthereisalreadyaVMwiththesameidentifier.

5.1.10TOESecurityFunctionalRequirementsRationaleThefollowingrationaleprovidesjustificationforeachsecurityobjectivefortheTOE,showingthattheSFRsaresuitabletomeetandachievethesecurityobjectives:

Table4:SFRRationaleOBJECTIVE ADDRESSEDBY RATIONALE

O.VM_ISOLATION FAU_GEN.1 Auditeventscanreportattemptstobreachisolation.

FCS_CKM_EXT.4 Requirescryptographickeydestructiontoprotectdomaindatainsharedstorage.

FDP_PPR_EXT.1 Requiressupportforreducingattacksurfacethroughdisablingaccesstounneededphysicalplatformresources.

FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocated.

FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromstoragebeforethestorageisre-allocated.

FDP_VMS_EXT.1 EnsuresthatauthorizeddatatransfersbetweenVMsaredonesecurely.

FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.

FPT_DVD_EXT.1 EnsuresthatVMscanaccessonlythosevirtualdevicesthattheyareconfiguredtoaccess.

FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.

FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.

FPT_HCL_EXT.1 RequiresthatAdministratorscandisableunneccessaryhypercallinterfacestoreduceattacksurface.

FPT_VDP_EXT.1 RequiresvalidationofparameterdatapassedtothehardwareabstractionbyuntrustedVMs.

FPT_VIV_EXT.1 EnsuresthatuntrustedVMscannotinvokepriviledgedcodewithoutproperhypervisormediation.

O.VMM_INTEGRITY FAU_GEN.1 Auditeventscanreportpotentialintegritybreachesandattempts.

FCS_CKM.1 Requiresgenerationofasymmetrickeysforprotectionofintegritymeasures.

FCS_COP.1 Ensuresproperfunctioningofcryptographicalgorithmsusedtoprotectdataintegrity.

FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.

FDP_PPR_EXT.1 Requiressupportforreducingattacksurfacethroughdisablingaccesstounneededphysicalplatformresources.

FDP_VMS_EXT.1 EnsuresthatauthorizeddatatransfersbetweenVMsaredonesecurely.

FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.

FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.

FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.

FPT_VDP_EXT.1 RequiresvalidationofparameterdatapassedtothehardwareabstractionbyuntrustedVMs.

FPT_VIV_EXT.1 EnsuresthatuntrustedVMscannotinvokepriviledgedcodewithoutproperhypervisormediation.

O.PLATFORM_INTEGRITY FDP_HBI_EXT.1 RequiresthattheTOEuseplatform-supportedmechanismsforaccesstophysicaldevices.

FDP_PPR_EXT.1 Requiressupportforreducingattacksurfacethroughdisablingaccesstounneededphysicalplatformresources.

FDP_VMS_EXT.1 EnsuresthatauthorizeddatatransfersbetweenVMsaredonesecurely.

FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.

FPT_DVD_EXT.1 EnsuresthatVMscannotaccessvirtualdevicesthattheyarenotonfiguredtoaccess.

FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.

FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.

FPT_HCL_EXT.1 RequiresthatAdministratorscandisableunneccessaryhypercallinterfacestoreduceattacksurface.

FPT_VDP_EXT.1 Requiresvalidationofparameterdata

passedtothehardwareabstractionbyuntrustedVMs.

FPT_VIV_EXT.1 EnsuresthatuntrustedVMscannotinvokepriviledgedcodewithoutproperhypervisormediation.

O.DOMAIN_INTEGRITY FCS_CKM_EXT.4 Requirescryptographickeydestructiontoprotectdomaindatainsharedstorage.

FCS_ENT_EXT.1 Requiresthatdomainshaveaccesstohigh-qualityentropyforcryptographicpurposes.

FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.

FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocatedtoanotherdomain.

FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromstoragebeforethestorageisre-allocatedtoanotherdomain.

FDP_VMS_EXT.1 Ensuresthatauthorizeddatatransfersbetweendomainsaredonesecurely.

FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.

FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.

FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.

FPT_RDM_EXT.1 Requiressupportforrulesforswitchingremoveablemediabetweendomainstoreducethechanceofdataspillage.

FPT_VDP_EXT.1 RequiresvalidationofparameterdatapassedtothehardwareabstractionbyuntrustedVMs.

FTP_UIF_EXT.1 Ensuresthatusersareabletodeterminethedomainwiththecurrentinputfocus.

FTP_UIF_EXT.2 EnsuresthatuserscanknowtheidentityofanyVMthattheycanaccess.

O.MANAGEMENT_ACCESS FAU_GEN.1 Auditeventsreportattemptstoaccessthemanagementsubsystem.

FCS_CKM.1 Requiresgenerationofasymmetrickeysfortrustedcommunicationschannels.

FCS_CKM.2 Requiresestablishmentofcryptographickeysfortrustedcommunicationschannels.

FCS_COP.1 Ensuresproperfunctioningofcryptographicalgorithmsusedtoimplementaccesscontrols.

FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.

FIA_AFL_EXT.1 RequiresthattheTOEdetectfailedauthenticationattemptsforAdministratoraccess.

FIA_UAU.5 EnsuresthatstrongmechanismsareusedforAdministratorauthentication.

FIA_UIA_EXT.1 RequiresthatAdministratorsbesuccessfullyauthenticatedbeforeperformingmanagementfunctions.

FMT_SMO_EXT.1 RequiresthattheTOEsupporthavingseparatemanagementandoperationalnetworks.

FTP_ITC_EXT.1 Ensuresthattrustedcommunicationschannelsareimplementedusinggoodcryptography.

O.PATCHED_SOFTWARE FPT_TUD_EXT.1 Requiressupportforproductupdates.

O.VM_ENTROPY FCS_ENT_EXT.1 Requiresthatdomainshaveaccesstohigh-qualityentropyforcryptographicpurposes.

FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.

O.AUDIT FAU_GEN.1 Requiresreportingofauditevents.

FAU_SAR.1 RequiressupportforAdministratorreviewofauditrecords.

FAU_STG.1 Requiresprotectionofstoredauditrecords.

FAU_STG_EXT.1 RequiressupportforprotectedtransmissionofauditrecordsofftheTOE.

O.CORRECTLY_APPLIED_CONFIGURATION FMT_MSA_EXT.1 EnsuresthatdatasharingbetweenVMsisturnedoffbydefault.

O.RESOURCE_ALLOCATION FCS_CKM_EXT.4 Requirescryptographickeydestructiontoensureresidualdatainsharedstorageisunrecoverable.

FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocated.

FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromstoragebeforethestorageisre-allocated.

5.2SecurityAssuranceRequirementsTheSecurityObjectivesfortheTOEinSection4wereconstructedtoaddressthreatsidentifiedinSection3.1.TheSecurityFunctionalRequirements(SFRs)inSection5.1areaformalinstantiationoftheSecurityObjectives.ThePPidentifiestheSecurityAssuranceRequirements(SARs)toframetheextenttowhichtheevaluatorassessesthedocumentationapplicablefortheevaluationandperformsindependenttesting.

ThissectionliststhesetofSecurityAssuranceRequirements(SARs)fromPart3oftheCommonCriteriaforInformationTechnologySecurityEvaluation,Version3.1,Revision4thatarerequiredinevaluationsagainstthisPP.IndividualassuranceactivitiestobeperformedarespecifiedinbothSection5.1aswellasinthissection.

AftertheSThasbeenapprovedforevaluation,theInformationTechnologySecurityEvaluationFacility(ITSEF)willobtaintheTOE,supportingenvironmentalIT,andtheadministrative/userguidesfortheTOE.TheITSEFisexpectedtoperformactionsmandatedbytheCEMfortheASEandALCSARs.TheITSEFalsoperformstheassuranceactivitiescontainedwithinSection5,whichareintendedtobeaninterpretationoftheotherCEMassurancerequirementsastheyapplytothespecifictechnologyinstantiatedintheTOE.TheassuranceactivitiesthatarecapturedinSection5alsoprovideclarificationastowhatthedeveloperneedstoprovidetodemonstratetheTOEiscompliantwiththePP.

5.2.1ClassASE:SecurityTargetEvaluationAsperASEactivitiesdefinedin[CEM]plustheTSSassuranceactivitiesdefinedforanySFRsclaimedbytheTOE.

5.2.2ClassADV:DevelopmentTheinformationabouttheTOEiscontainedintheguidancedocumentationavailabletotheenduseraswellastheTOESummarySpecification(TSS)portionoftheST.TheTOEdevelopermustconcurwiththedescriptionoftheproductthatiscontainedintheTSSasitrelatestothefunctionalrequirements.TheAssuranceActivitiescontainedinSection5.2shouldprovidetheSTauthorswithsufficientinformationtodeterminetheappropriatecontentfortheTSSsection.

ADV_FSP.1Basicfunctionalspecification

Developeractionelements:ADV_FSP.1.1D

Thedevelopershallprovideafunctionalspecification.

ADV_FSP.1.2DThedevelopershallprovideatracingfromthefunctionalspecificationtotheSFRs.

DeveloperNote:Asindicatedintheintroductiontothissection,thefunctionalspecificationiscomposedoftheinformationcontainedintheAGD_OPRandAGD_PREdocumentation,coupledwiththeinformationprovidedintheTSSoftheST.TheassuranceactivitiesinthefunctionalrequirementspointtoevidencethatshouldexistinthedocumentationandTSSsection;sincethesearedirectlyassociatedwiththeSFRs,thetracinginelementADV_FSP.1.2Disimplicitlyalreadydoneandnoadditionaldocumentationisnecessary.

Contentandpresentationelements:ADV_FSP.1.3C

ThefunctionalspecificationshalldescribethepurposeandmethodofuseforeachSFR-enforcingandSFR-supportingTSFI.

ADV_FSP.1.4CThefunctionalspecificationshallidentifyallparametersassociatedwitheachSFR-enforcingandSFR-supportingTSFI.

ADV_FSP.1.5CThefunctionalspecificationshallproviderationalefortheimplicitcategorizationofinterfacesasSFR-non-interfering.

ADV_FSP.1.6CThetracingshalldemonstratethattheSFRstracetoTSFIsinthefunctionalspecification.

Evaluatoractionelements:ADV_FSP.1.7E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

ADV_FSP.1.8ETheevaluatorshalldeterminethatthefunctionalspecificationisanaccurateandcompleteinstantiationoftheSFRs.

ApplicationNote:TherearenospecificassuranceactivitiesassociatedwiththeseSARs.ThefunctionalspecificationdocumentationisprovidedtosupporttheevaluationactivitiesdescribedinSection5.2,andotheractivitiesdescribedforAGD,ATE,andAVASARs.Therequirementsonthecontentofthefunctionalspecificationinformationisimplicitlyassessedbyvirtueoftheotherassuranceactivitiesbeingperformed;iftheevaluatorisunabletoperformanactivitybecausethethereisinsufficientinterfaceinformation,thenanadequatefunctionalspecificationhasnotbeenprovided.

EvaluationActivities

5.2.3ClassAGD:GuidanceDocumentsTheguidancedocumentswillbeprovidedwiththedeveloper’ssecuritytarget.GuidancemustincludeadescriptionofhowtheauthorizeduserverifiesthattheOperationalEnvironmentcanfulfillitsroleforthesecurityfunctionality.Thedocumentationshouldbeinaninformalstyleandreadablebyanauthorizeduser.

GuidancemustbeprovidedforeveryoperationalenvironmentthattheproductsupportsasclaimedintheST.Thisguidanceincludes

instructionstosuccessfullyinstalltheTOEinthatenvironment;and

instructionstomanagethesecurityoftheTOEasaproductandasacomponentofthelargeroperationalenvironment.

Guidancepertainingtoparticularsecurityfunctionalityisalsoprovided;specificrequirementsonsuchguidancearecontainedintheassuranceactivitiesspecifiedwithindividualSFRswhereapplicable.

AGD_OPE.1OperationalUserGuidance

Developeractionelements:AGD_OPE.1.1D

Thedevelopershallprovideoperationaluserguidance.

DeveloperNote:Ratherthanrepeatinformationhere,thedevelopershouldreviewtheassuranceactivitiesforthiscomponenttoascertainthespecificsoftheguidancethattheevaluatorswillbecheckingfor.Thiswillprovidethenecessaryinformationforthepreparationofacceptableguidance.

Contentandpresentationelements:AGD_OPE.1.2C

Theoperationaluserguidanceshalldescribewhattheauthorizeduser-accessiblefunctionsandprivilegesthatshouldbecontrolledinasecureprocessingenvironment,includingappropriatewarnings.

AGD_OPE.1.3CTheoperationaluserguidanceshalldescribe,fortheauthorizeduser,howtousetheavailableinterfacesprovidedbytheTOEinasecuremanner.

AGD_OPE.1.4CTheoperationaluserguidanceshalldescribe,fortheauthorizeduser,theavailablefunctionsandinterfaces,inparticularallsecurityparametersunderthecontroloftheuser,indicatingsecurevaluesasappropriate.

AGD_OPE.1.5CTheoperationaluserguidanceshall,fortheauthorizeduser,clearlypresenteachtypeofsecurity-relevanteventrelativetotheuser-accessiblefunctionsthatneedtobeperformed,includingchangingthesecuritycharacteristicsofentitiesunderthecontroloftheTSF.

AGD_OPE.1.6CTheoperationaluserguidanceshallidentifyallpossiblemodesofoperationoftheTOE(includingoperationfollowingfailureoroperationalerror),theirconsequencesandimplicationsformaintainingsecureoperation.

AGD_OPE.1.7CTheoperationaluserguidanceshall,fortheauthorizeduser,describethesecuritymeasurestobefollowedinordertofulfillthesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.

AGD_OPE.1.8CTheoperationaluserguidanceshallbeclearandreasonable.

Evaluatoractionelements:AGD_OPE.1.9E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

EvaluationActivities

AGD_OPE.1:SomeofthecontentsoftheoperationalguidancewillbeverifiedbytheassuranceactivitiesinSection5.2andevaluationoftheTOEaccordingtotheCEM.Thefollowingadditionalinformationisalsorequired.

Theoperationalguidanceshallcontaininstructionsforconfiguringthepasswordcharacteristics,numberofallowedauthenticationattemptfailures,thelockoutperiodtimesforinactivity,andthenoticeandconsentwarningthatistobeprovidedwhenauthenticating.

Theoperationalguidanceshallcontainstep-by-stepinstructionssuitableforusebyanend-useroftheVStoconfigureanew,out-of-the-boxsystemintotheconfigurationevaluatedunderthisProtectionProfile.

ThedocumentationshalldescribetheprocessforverifyingupdatestotheTOE,eitherbycheckingthehashorbyverifyingadigitalsignature.Theevaluatorshallverifythatthisprocess

includesthefollowingsteps:InstructionsforqueryingthecurrentversionoftheTOEsoftware.Forhashes,adescriptionofwherethehashforagivenupdatecanbeobtained.Fordigitalsignatures,instructionsforobtainingthecertificatethatwillbeusedbytheFCS_COP.1/SIGmechanismtoensurethatasignedupdatehasbeenreceivedfromthecertificateowner.Thismaybesuppliedwiththeproductinitially,ormaybeobtainedbysomeothermeans.Instructionsforobtainingtheupdateitself.ThisshouldincludeinstructionsformakingtheupdateaccessibletotheTOE(e.g.,placementinaspecificdirectory).Instructionsforinitiatingtheupdateprocess,aswellasdiscerningwhethertheprocesswassuccessfulorunsuccessful.Thisincludesgenerationofthehash/digitalsignature.

AGD_PRE.1Preparativeprocedures

Developeractionelements:AGD_PRE.1.1D

ThedevelopershallprovidetheTOEincludingitspreparativeprocedures.

DeveloperNote:Aswiththeoperationalguidance,thedevelopershouldlooktotheassuranceactivitiestodeterminetherequiredcontentwithrespecttopreparativeprocedures.

Contentandpresentationelements:AGD_PRE.1.2C

ThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureacceptanceofthedeliveredTOEinaccordancewiththedeveloper’sdeliveryprocedures.

AGD_PRE.1.3CThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureinstallationoftheTOEandforthesecurepreparationoftheoperationalenvironmentinaccordancewiththesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.

Evaluatoractionelements:AGD_PRE.1.4E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

AGD_PRE.1.5ETheevaluatorshallapplythepreparativeprocedurestoconfirmthattheTOEcanbepreparedsecurelyforoperation.

EvaluationActivities

AGD_PRE.1:Asindicatedintheintroductionabove,therearesignificantexpectationswithrespecttothedocumentation—especiallywhenconfiguringtheoperationalenvironmenttosupportTOEfunctionalrequirements.TheevaluatorshallchecktoensurethattheguidanceprovidedfortheTOEadequatelyaddressesallplatforms(thatis,combinationofhardwareandoperatingsystem)claimedfortheTOEintheST.

Theoperationalguidanceshallcontainstep-by-stepinstructionssuitableforusebyanend-useroftheVStoconfigureanew,out-of-the-boxsystemintotheconfigurationevaluatedunderthisProtectionProfile.

5.2.4ClassALC:Life-CycleSupportAttheassurancelevelspecifiedforTOEsconformanttothisPP,life-cyclesupportislimitedtoanexaminationoftheTOEvendor’sdevelopmentandconfigurationmanagementprocessinordertoprovideabaselinelevelofassurancethattheTOEitselfisdevelopedinasecuremannerandthatthedeveloperhasawell-definedprocessinplacetodeliverupdatestomitigateknownsecurityflaws.Thisisaresultofthecriticalrolethatadeveloper’spracticesplayincontributingtotheoveralltrustworthinessofaproduct.

ALC_CMC.1LabelingoftheTOE

Developeractionelements:ALC_CMC.1.1D

ThedevelopershallprovidetheTOEandareferencefortheTOE.

Contentandpresentationelements:ALC_CMC.1.2C

TheTOEshallbelabeledwithitsuniquereference.

Evaluatoractionelements:ALC_CMC.1.3E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

EvaluationActivities

ALC_CMC.1:TheevaluatorshallchecktheSTtoensurethatitcontainsanidentifier(suchasaproductname/versionnumber)thatspecificallyidentifiestheversionthatmeetstherequirementsoftheST.

TheevaluatorshallchecktheAGDguidanceandTOEsamplesreceivedfortestingtoensurethattheversionnumberisconsistentwiththatintheST.

IfthevendormaintainsawebsiteadvertisingtheTOE,theevaluatorshallexaminetheinformationonthewebsitetoensurethattheinformationintheSTissufficienttodistinguishtheproduct.

ALC_CMS.1TOECMcoverage

Developeractionelements:ALC_CMS.1.1D

ThedevelopershallprovideaconfigurationlistfortheTOE.

Contentandpresentationelements:ALC_CMS.1.2C

Theconfigurationlistshallincludethefollowing:theTOEitself;andtheevaluationevidencerequiredbytheSARs.

ALC_CMS.1.3CTheconfigurationlistshalluniquelyidentifytheconfigurationitems.

Evaluatoractionelements:ALC_CMS.1.4E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

EvaluationActivities

ALC_CMS.1:Theevaluatorshallensurethatthedeveloperhasidentified(inpublic-facingdevelopmentguidancefortheirplatform)oneormoredevelopmentenvironmentsappropriateforuseindevelopingapplicationsforthedeveloper’splatform.Foreachofthesedevelopmentenvironments,thedevelopershallprovideinformationonhowtoconfiguretheenvironmenttoensurethatbufferoverflowprotectionmechanismsintheenvironment(s)areinvoked(e.g.,compilerandlinkerflags).Theevaluatorshallensurethatthisdocumentationalsoincludesanindicationofwhethersuchprotectionsareonbydefault,orhavetobespecificallyenabled.TheevaluatorshallensurethattheTSFisuniquelyidentified(withrespecttootherproductsfromtheTSFvendor),andthatdocumentationprovidedbythedeveloperinassociationwiththerequirementsintheSTisassociatedwiththeTSFusingthisuniqueidentification.

ALC_TSU_EXT.1TimelySecurityUpdatesThiscomponentrequirestheTOEdeveloper,inconjunctionwithanyothernecessaryparties,toprovideinformationastohowtheVSisupdatedtoaddresssecurityissuesinatimelymanner.Thedocumentationdescribestheprocessofprovidingupdatestothepublicfromthetimeasecurityflawisreported/discovered,tothetimeanupdateisreleased.Thisdescriptionincludesthepartiesinvolved(e.g.,thedeveloper,hardwarevendors)andthestepsthatareperformed(e.g.,developertesting),includingworstcasetimeperiods,beforeanupdateismadeavailabletothepublic.

Developeractionelements:

ALC_TSU_EXT.1.1DThedevelopershallprovideadescriptionintheTSSofhowtimelysecurityupdatesaremadetotheTOE.

Contentandpresentationelements:ALC_TSU_EXT.1.2C

ThedescriptionshallincludetheprocessforcreatinganddeployingsecurityupdatesfortheTOEsoftware/firmware.

ALC_TSU_EXT.1.3CThedescriptionshallexpressthetimewindowasthelengthoftime,indays,betweenpublicdisclosureofavulnerabilityandthepublicavailabilityofsecurityupdatestotheTOE.

ApplicationNote:Thetotallengthoftimemaybepresentedasasummationoftheperiodsoftimethateachparty(e.g.,TOEdeveloper,hardwarevendor)onthecriticalpathconsumes.Thetimeperioduntilpublicavailabilityperdeploymentmechanismmaydiffer;eachisdescribed.

ALC_TSU_EXT.1.4CThedescriptionshallincludethemechanismspubliclyavailableforreportingsecurityissuespertainingtotheTOE.

ApplicationNote:Thereportingmechanismcouldincludewebsites,emailaddresses,andameanstoprotectthesensitivenatureofthereport(e.g.,publickeysthatcouldbeusedtoencryptthedetailsofaproof-of-conceptexploit).

Evaluatoractionelements:ALC_TSU_EXT.1.5E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

EvaluationActivities

5.2.5ClassATE:TestsTestingisspecifiedforfunctionalaspectsofthesystemaswellasaspectsthattakeadvantageofdesignorimplementationweaknesses.TheformerisdonethroughATE_INDfamily,whilethelatteristhroughtheAVA_VANfamily.AttheassurancelevelspecifiedinthisPP,testingisbasedonadvertisedfunctionalityandinterfaceswithdependencyontheavailabilityofdesigninformation.Oneoftheprimaryoutputsoftheevaluationprocessisthetestreportasspecifiedinthefollowingrequirements.

ATE_IND.1IndependentTesting-ConformanceTestingisperformedtoconfirmthefunctionalitydescribedintheTSSaswellastheadministrative(includingconfigurationandoperation)documentationprovided.ThefocusofthetestingistoconfirmthattherequirementsspecifiedinSection5.1arebeingmet,althoughsomeadditionaltestingisspecifiedforSARsinSection5.2.TheAssuranceActivitiesidentifytheadditionaltestingactivitiesassociatedwiththesecomponents.Theevaluatorproducesatestreportdocumentingtheplanforandresultsoftesting,aswellascoverageargumentsfocusedontheplatform/TOEcombinationsthatareclaimingconformancetothisPP.

Developeractionelements:ATE_IND.1.1D

ThedevelopershallprovidetheTOEfortesting.

Contentandpresentationelements:ATE_IND.1.2C

TheTOEshallbesuitablefortesting.

Evaluatoractionelements:ATE_IND.1.3E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

ATE_IND.1.4ETheevaluatorshalltestasubsetoftheTSFtoconfirmthattheTSFoperatesasspecified.

EvaluationActivities

ATE_IND.1:Theevaluatorshallprepareatestplanandreportdocumentingthetestingaspectsofthesystem.WhileitisnotnecessarytohaveonetestcasepertestlistedinanAssuranceActivity,theevaluatorsmustdocumentinthetestplanthateachapplicabletestingrequirementintheSTiscovered.

TheTestPlanidentifiestheplatformstobetested,andforthoseplatformsnotincludedinthetestplanbutincludedintheST,thetestplanprovidesajustificationfornottestingtheplatforms.Thisjustificationmustaddressthedifferencesbetweenthetestedplatformsandtheuntestedplatforms,andmakeanargumentthatthedifferencesdonotaffectthetestingtobeperformed.Itisnotsufficienttomerelyassertthatthedifferenceshavenoaffect;rationalemustbeprovided.IfallplatformsclaimedintheSTaretested,thennorationaleisnecessary.

Thetestplandescribesthecompositionofeachplatformtobetested,andanysetupthatisnecessarybeyondwhatiscontainedintheAGDdocumentation.ItshouldbenotedthattheevaluatorsareexpectedtofollowtheAGDdocumentationforinstallationandsetupofeachplatformeitheraspartofatestorasastandardpre-testcondition.Thismayincludespecialtestdriversortools.Foreachdriverortool,anargument(notjustanassertion)isprovidedthatthedriverortoolwillnotadverselyaffecttheperformanceofthefunctionalitybytheTOEanditsplatform.Thisalsoincludestheconfigurationofcryptographicenginestobeused.ThecryptographicalgorithmsimplementedbytheseenginesarethosespecifiedbythisPPandusedbythecryptographicprotocolsbeingevaluated(IPsec,TLS/HTTPS,SSH).

Thetestplanidentifieshigh-leveltestobjectivesaswellasthetestprocedurestobefollowedtoachievethoseobjectives.Theseproceduresincludeexpectedresults.Thetestreport(whichcouldjustbeanannotatedversionofthetestplan)detailstheactivitiesthattookplacewhenthetestprocedureswereexecuted,andincludestheactualresultsofthetests.Thisshallbeacumulativeaccount,soiftherewasatestrunthatresultedinafailure;afixinstalled;andthenasuccessfulre-runofthetest,thereportwouldshowa“fail”and“pass”result(andthesupportingdetails),andnotjustthe“pass”result.

5.2.6ClassAVA:VulnerabilityAssessmentForthefirstgenerationofthisProtectionProfile,theevaluationlabisexpectedtosurveyopensourcestolearnwhatvulnerabilitieshavebeendiscoveredinthesetypesofproducts.Inmostcases,thesevulnerabilitieswillrequiresophisticationbeyondthatofabasicattacker.Untilpenetrationtoolsarecreatedanduniformlydistributedtotheevaluationlabs,evaluatorswillnotbeexpectedtotestforthesevulnerabilitiesintheTOE.Thelabswillbeexpectedtocommentonthelikelihoodofthesevulnerabilitiesgiventhedocumentationprovidedbythevendor.ThisinformationwillbeusedinthedevelopmentofpenetrationtestingtoolsandforthedevelopmentoffuturePPs.

AVA_VAN.1Vulnerabilitysurvey

Developeractionelements:AVA_VAN.1.1D

ThedevelopershallprovidetheTOEfortesting.

Contentandpresentationelements:AVA_VAN.1.2C

TheTOEshallbesuitablefortesting.

Evaluatoractionelements:AVA_VAN.1.3E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

AVA_VAN.1.4ETheevaluatorshallperformasearchofpublicdomainsourcestoidentifypotentialvulnerabilitiesintheTOE.

AVA_VAN.1.5ETheevaluatorshallconductpenetrationtesting,basedontheidentifiedpotentialvulnerabilities,todeterminethattheTOEisresistanttoattacksperformedbyanattackerpossessingBasicattackpotential.

EvaluationActivities

AVA_VAN.1:AswithATE_INDtheevaluatorshallgenerateareporttodocumenttheirfindingswithrespecttothisrequirement.ThisreportcouldphysicallybepartoftheoveralltestreportmentionedinATE_IND,oraseparatedocument.Theevaluatorperformsasearchofpublicinformationto

determinethevulnerabilitiesthathavebeenfoundinvirtualizationingeneral,aswellasthosethatpertaintotheparticularTOE.Theevaluatordocumentsthesourcesconsultedandthevulnerabilitiesfoundinthereport.Foreachvulnerabilityfound,theevaluatoreitherprovidesarationalewithrespecttoitsnon-applicabilityortheevaluatorformulatesatest(usingtheguidelinesprovidedinATE_IND)toconfirmthevulnerability,ifsuitable.Suitabilityisdeterminedbyassessingtheattackvectorneededtotakeadvantageofthevulnerability.Forexample,ifthevulnerabilitycanbedetectedbypressingakeycombinationonboot-up,atestwouldbesuitableattheassurancelevelofthisPP.Ifexploitingthevulnerabilityrequiresexpertskillsandanelectronmicroscope,forinstance,thenatestwouldnotbesuitableandanappropriatejustificationwouldbeformulated.

AppendixA-OptionalRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOE)arecontainedinthebodyofthisPP.ThisappendixcontainsthreeothertypesofoptionalrequirementsthatmaybeincludedintheST,butarenotrequiredinordertoconformtothisPP.However,appliedmodules,packagesand/orusecasesmayrefinespecificrequirementsasmandatory.

Thefirsttype(A.1StrictlyOptionalRequirements)arestrictlyoptionalrequirementsthatareindependentoftheTOEimplementinganyfunction.IftheTOEfulfillsanyoftheserequirementsorsupportsacertainfunctionality,thevendorisencouragedtoincludedtheSFRsintheST,butarenotrequiredinordertoconformtothisPP.

Thesecondtype(A.2ObjectiveRequirements)areobjectiverequirementsthatdescribesecurityfunctionalitynotyetwidelyavailableincommercialtechnology.TherequirementsarenotcurrentlymandatedinthebodyofthisPP,butwillbeincludedinthebaselinerequirementsinfutureversionsofthisPP.Adoptionbyvendorsisencouragedandexpectedassoonaspossible.

Thethirdtype(A.3Implementation-basedRequirements)aredependentontheTOEimplementingaparticularfunction.IftheTOEfulfillsanyoftheserequirements,thevendormusteitheraddtherelatedSFRordisablethefunctionalityfortheevaluatedconfiguration.

A.1StrictlyOptionalRequirements

A.1.1AuditableEventsforStrictlyOptionalRequirements

Table5:AuditEventsforOptionalRequirements

Requirement AuditableEvents AdditionalAuditRecordContents

FAU_ARP.1 Actionstakenduetopotentialsecurityviolations.

FAU_SAA.1 Enablinganddisablingofanyoftheanalysismechanisms.

FAU_SAA.1 AutomatedresponsesperformedbytheTSF.

FPT_GVI_EXT.1 Actionstakenduetofailedintegritycheck.

A.1.2SecurityAudit(FAU)

FAU_ARP.1SecurityAuditAutomaticResponseFAU_ARP.1.1

TheTSFshalltake[assignment:listofactions]upondetectionofapotentialsecurityviolation.

ApplicationNote:Incertaincases,itmaybeusefulforVirtualizationSystemstoperformautomatedresponsestocertainsecurityevents.AnexamplemayincludehaltingaVMwhichhastakensomeactiontoviolateakeysystemsecuritypolicy.Thismaybeespeciallyusefulwithheadlessendpointswhenthereisnohumanuserintheloop.

ThepotentialsecurityviolationmentionedinFAU_ARP.1.1referstoFAU_SAA.1.

EvaluationActivities

FAU_ARP.1:TestsTheevaluatorshallgenerateapotentialsecurityviolationasdefinedinFAU_SAA.1andverifythateachactionintheassignmentinFAU_ARP.1.1isperformedbytheTSFasaresult.TheevaluatorshallperformthisactionforeachsecurityviolationthatisdefinedinFAU_SAA.1.

FAU_SAA.1SecurityAuditAnalysisFAU_SAA.1.1

TheTSFshallbeabletoapplyasetofrulesinmonitoringtheauditedeventsandbasedupontheserulesindicateapotentialviolationoftheenforcementoftheSFRs.

FAU_SAA.1.2

TheTSFshallenforcethefollowingrulesformonitoringauditedevents:

a. accumulationorcombinationof[assignment:subsetofdefinedauditableevents]knowntoindicateapotentialsecurityviolation

b. [assignment:anyotherrules]

ApplicationNote:ThepotentialsecurityviolationdescribedinFAU_SAA.1canbeusedasatriggerforautomatedresponsesasdefinedinFAU_ARP.1.

EvaluationActivities

FAU_SAA.1:TestsTheevaluatorshallcauseeachcombinationofauditableeventsdefinedinFAU_SAA.1.2tooccur,andverifythatapotentialsecurityviolationisindicatedbytheTSF.

A.1.3ProtectionoftheTSF(FPT)

FPT_GVI_EXT.1GuestVMIntegrityFPT_GVI_EXT.1.1

TheTSFshallverifytheintegrityofGuestVMsthroughthefollowingmechanisms:[assignment:listofGuestVMintegritymechanisms].

ApplicationNote:TheprimarypurposeofthisrequirementistoidentifyanddescribethemechanismsusedtoverifytheintegrityofGuestVMsthathavebeen'imported'insomefashion,thoughthesemechanismscouldalsobeappliedtoallGuestVMs,dependingonthemechanismused.ImportationforthisrequirementcouldincludeVMmigration(liveorotherwise),theimportationofvirtualdiskfilesthatwerepreviouslyexported,VMsinsharedstorage,etc.ItispossiblethatatrustedVMcouldhavebeenmodifiedduringthemigrationorimport/exportprocess,orVMscouldhavebeenobtainedfromuntrustedsourcesinthefirstplace,sointegritychecksontheseVMscanbeaprudentmeasuretotake.TheseintegritycheckscouldbeasthoroughasmakingsuretheentireVMexactlymatchesapreviouslyknownVM(byhashforexample),orbysimplycheckingcertainconfigurationsettingstoensurethattheVM'sconfigurationwillnotviolatethesecuritymodeloftheVS.

EvaluationActivities

FPT_GVI_EXT.1:TSSForeachmechanismlistedintheassignment,theevaluatorshallensurethattheTSSdocumentsthemechanism,includinghowitverifiesVMintegrity,whichsetofGuestVMsitwillcheck(allGuestVMs,onlymigratedVMs,etc.),whensuchchecksoccur(beforeVMstartup,immediatelyfollowingimportation/migration,ondemand,etc.),andwhichactionsaretakenifaVMfailstheintegritycheck(orwhichrangeofactionsarepossibleiftheactionisconfigurable).

A.2ObjectiveRequirements

A.2.1AuditableEventsforObjectiveRequirements

Table6:AuditEventsforObjectiveRequirementsRequirement AuditableEvents AdditionalAuditRecordContents

FPT_DDI_EXT.1 Noeventsspecified

FPT_IDV_EXT.1 Noeventsspecified

FPT_INT_EXT.1 Introspectioninitiated/enabled. TheVMintrospected.

FPT_ML_EXT.1 Integrityinitiated/enabled. Integritymeasurementvalues.

A.2.2ProtectionoftheTSF(FPT)

FPT_DDI_EXT.1DeviceDriverIsolationFPT_DDI_EXT.1.1

TheTSFshallensurethatdevicedriversforphysicaldevicesareisolatedfrom

theVMMandallotherdomains.

ApplicationNote:Inordertofunctiononphysicalhardware,theVMMmusthaveaccesstothedevicedriversforthephysicalplatformonwhichitruns.Thesedriversareoftenwrittenbythirdparties,andyetareeffectivelyapartoftheVMM.ThustheintegrityoftheVMMinpartdependsonthequalityofthirdpartycodethatthevirtualizationvendorhasnocontrolover.Byencapsulatingthesedriverswithinoneormorededicateddriverdomains(e.g.,ServiceVMorVMs)thedamageofadriverfailureorvulnerabilitycanbecontainedwithinthedomain,andwouldnotcompromisetheVMM.Whendriverdomainshaveexclusiveaccesstoaphysicaldevice,hardwareisolationmechanisms,suchasIntel'sVT-d,AMD'sInput/OutputMemoryManagementUnit(IOMMU),orARM'sSystemMemoryManagementUnit(MMU)shouldbeusedtoensurethatoperationsperformedbyDirectMemoryAccess(DMA)hardwareareproperlyconstrained.

EvaluationActivities

FPT_DDI_EXT.1:TSSTheevaluatorshallexaminetheTSSdocumentationtoverifythatitdescribesthemechanismusedfordevicedriverisolation.IftheTSSdocumentindicatesthatahardwareisolationmechanismisused,theevaluatorshallverifythattheTSSdocumentationenumeratesthehardware-isolatedDMA-capabledevices,andthatitalsoprovidesacompletelistoftheaccessibletargetsformemorytransactionsforeachofthoseDMA-capabledevices.(AnexampleofinformationthatmightbeincludedintheTSSdocumentation:alistingofallpagesbelongingtothedriverdomain,theidentificationofasubsetofthedriverdomain'spagesthatthedriverdomainhaspermittedthedeviceaccessto,ortheidentificationofadedicatedareaofmemoryreservedforthedeviceordriverdomain).

FPT_IDV_EXT.1SoftwareIdentificationandVersionsFPT_IDV_EXT.1.1

TheTSFshallincludesoftwareidentification(SWID)tagsthatcontainaSoftwareIdentityelementandanEntityelementasdefinedinISO/IEC19770-2:2009.

FPT_IDV_EXT.1.2TheTSFshallstoreSWIDsina.swidtagfileasdefinedinISO/IEC19770-2:2009.

ApplicationNote:SWIDtagsareXMLfilesembeddedwithinsoftwarethatprovideastandardmethodforITdepartmentstotrackandmanagethesoftware.ThepresenceofSWIDscangreatlysimplifythesoftwaremanagementprocessandimprovesecuritybyenhancingtheabilityofITdepartmentstomanageupdates.

EvaluationActivities

FPT_IDV_EXT.1:TSSTheevaluatorshallexaminetheTSStoensureitdescribeshowSWIDtagsareimplementedandtheformatofthetags.TheevaluatorshallverifythattheformatcomplieswithFPT_IDV_EXT.1.1andthatSWIDsarestoredinaccordancewithFPT_IDV_EXT.1.2.TestsTheevaluatorshallperformthefollowingtest:

Test1:TheevaluatorshallcheckfortheexistenceofSWIDtagsina.swidtagfile.TheevaluatorshallopenthefileandverifythateachSWIDcontainsatleastaSoftwareIdentityelementandanEntityelement.

FPT_INT_EXT.1SupportforIntrospectionFPT_INT_EXT.1.1

TheTSFshallsupportamechanismforpermittingtheVMMorprivilegedVMstoaccesstheinternalsofanotherVMforpurposesofintrospection.

ApplicationNote:Introspectioncanbeusedtosupportmalwareandanomalydetectionfromoutsideoftheguestenvironment.ThisnotonlyhelpsprotecttheGuestOS,italsoprotectstheVSbyprovidinganopportunityfortheVStodetectthreatstoitselfthatoriginatewithinVMs,andthatmayattempttobreakoutoftheVMandcompromisetheVMMorotherVMs.

ThehostingofmalwaredetectionsoftwareoutsideoftheguestVMhelpsprotecttheguestandhelpsensuretheintegrityofthemalwaredetection/antivirussoftware.ThiscapabilitycanbeimplementedintheVMMitself,butideallyitshouldbehostedbyaServiceVMsothatitcanbebettercontainedanddoesnotintroducebugsintotheVMM.

EvaluationActivities

FPT_INT_EXT.1:TSSTheevaluatorshallexaminetheTSSdocumentationtoverifythatitdescribestheinterfaceforVMintrospectionandwhethertheintrospectionisperformedbytheVMMoranotherVM.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensurethatitcontainsinstructionsforconfigurationoftheintrospectionmechanism.

FPT_ML_EXT.1MeasuredLaunchofPlatformandVMMFPT_ML_EXT.1.1

TheTSFshallsupportameasuredlaunchoftheVirtualizationSystem.MeasuredcomponentsoftheVSshallincludethestaticexecutableimageoftheHypervisorand:[selection:

StaticexecutableimagesoftheManagementSubsystem,[assignment:listof(staticimagesof)ServiceVMs],[assignment:listofconfigurationfiles],noothercomponents

]

FPT_ML_EXT.1.2TheTSFshallmakethemeasurementsselectedinFPT_ML_EXT.1.1availabletotheManagementSubsystem.

ApplicationNote:AmeasuredlaunchoftheplatformandVSdemonstratesthattheproperTOEsoftwarewasloaded.Ameasuredlaunchprocessemploysverifiableintegritymeasurementmechanisms.Forexample,aVSmayhashcomponentssuchas:thehypervisor,serviceVMsand/ortheManagementSubsystem.Ameasuredlaunchprocessonlyallowscomponentstobeexecutedafterthemeasurementhasbeenrecorded.Anexampleprocessmayaddeachcomponent’shashbeforeitisexecutedsothatthefinalhashreflectstheevidenceofacomponent’sstatepriortoexecution.Themeasurementmaybeverifiedasthesystemboots,butthisisnotrequired.

ThePlatformisoutsideoftheTOE.However,thisrequirementspecifiesthattheVSmustbecapableofreceivingPlatformmeasurementsifthePlatformprovidesthem.ThisrequirementisrequiringTOEsupportforPlatformmeasurementsifprovided;itisnotplacingarequirementonthePlatformtotakesuchmeasurements.

Ifavailable,hardwareshouldbeusedtostoremeasurementsinsuchamannerthattheycannotbemodifiedinanymannerexcepttobeextended.Thesemeasurementsshouldbeproducedinarepeatablemannersothatathirdpartycanverifythemeasurementsifgiventheinputs.Hardwaredevices,likeTrustedPlatformModules(TPM),TrustZone,andMMUaresomeexamplesthatmayserveasfoundationsforstoringandreportingmeasurements.

Platformswitharootoftrustformeasurement(RTM)shouldinitiatethemeasuredlaunchprocess.ThismayincludecoreBIOSorthechipset.ThechipsetisthepreferredRTM,butcoreBIOSorotherfirmwareisacceptable.InsystemwithoutatraditionalRTM,thefirstcomponentthatbootswouldbeconsideredtheRTM,thisisnotpreferred.

EvaluationActivities

FPT_ML_EXT.1:TSSTheevaluatorshallverifythattheTSSorOperationalGuidancedescribeshowintegritymeasurementsareperformedandmadeavailabletotheManagementSubsystem.TheevaluatorshallexaminetheoperationalguidancetoverifythatitdocumentshowtoaccessthemeasurementsintheManagementSubsystem.TestsTheevaluatorshallperformthefollowingtests:

Test1:TheevaluatorshallstarttheVS,loginasanAdministrator,andverifythatthemeasurementsforthespecifiedcomponentsareviewableintheManagementSubsystem.

A.3Implementation-basedRequirementsThisPPdoesnotdefineanyImplementation-basedrequirements.

AppendixB-Selection-basedRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOEoritsunderlyingplatform)arecontainedinthebodyofthisPP.ThereareadditionalrequirementsbasedonselectionsinthebodyofthePP:ifcertainselectionsaremade,thenadditionalrequirementsbelowmustbeincluded.

B.1AuditableEventsforSelection-basedRequirementsTable7:AuditEventsforSelection-basedRequirements

Requirement AuditableEvents AdditionalAuditRecordContents

FCS_HTTPS_EXT.1 FailuretoestablishaHTTPSSession. Reasonforfailure.Non-TOEendpointofconnection(IPaddress)forfailures.

FCS_HTTPS_EXT.1 Establishment/TerminationofaHTTPSsession.

Non-TOEendpointofconnection(IPaddress).

FCS_IPSEC_EXT.1 FailuretoestablishanIPsecSA. Reasonforfailure.Non-TOEendpointofconnection(IPaddress).

FCS_IPSEC_EXT.1 Establishment/TerminationofanIPsecSAA.

Non-TOEendpointofconnection(IPaddress).

FIA_PMG_EXT.1 Noeventsspecified

FIA_X509_EXT.1 Failuretovalidateacertificate. Reasonforfailure.

FIA_X509_EXT.2 Noeventsspecified

FPT_TUD_EXT.2 Noeventsspecified

FTP_TRP.1 Initiationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_TRP.1 Terminationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_TRP.1 Failuresofthetrustedpathfunctions. UserIDandremotesource(IPAddress)iffeasible.

B.2CryptographicSupport(FCS)

FCS_HTTPS_EXT.1HTTPSProtocol

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFTP_ITC_EXT.1.1,FIA_X509_EXT.2.1.

FCS_HTTPS_EXT.1.1TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.

ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselects"TLS/HTTPS"inFTP_ITC_EXT.1.1.

TheSTauthormustprovideenoughdetailtodeterminehowtheimplementationiscomplyingwiththestandard(s)identified;thiscanbedoneeitherbyaddingelementstothiscomponent,orbyadditionaldetailintheTSS.

FCS_HTTPS_EXT.1.2TheTSFshallimplementHTTPSusingTLS.

EvaluationActivities

FCS_HTTPS_EXT.1:TSSTheevaluatorshallchecktheTSStoensurethatitisclearonhowHTTPSusesTLStoestablishanadministrativesession,focusingonanyclientauthenticationrequiredbytheTLSprotocolvs.

securityadministratorauthenticationwhichmaybedoneatadifferentleveloftheprocessingstack.TestsTestingforthisactivityisdoneaspartoftheTLStesting;thismayresultinadditionaltestingiftheTLStestsaredoneattheTLSprotocollevel.

FCS_IPSEC_EXT.1IPsecProtocol

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFTP_ITC_EXT.1.1,FIA_X509_EXT.2.1.

FCS_IPSEC_EXT.1.1TheTSFshallimplementtheIPsecarchitectureasspecifiedinRFC4301.

ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselected"IPsec"inFTP_ITC_EXT.1.1.

RFC4301callsforanIPsecimplementationtoprotectIPtrafficthroughtheuseofaSecurityPolicyDatabase(SPD).TheSPDisusedtodefinehowIPpacketsaretobehandled:PROTECTthepacket(e.g.,encryptthepacket),BYPASStheIPsecservices(e.g.,noencryption),orDISCARDthepacket(e.g.,dropthepacket).TheSPDcanbeimplementedinvariousways,includingrouteraccesscontrollists,firewallrulesets,a"traditional"SPD,etc.Regardlessoftheimplementationdetails,thereisanotionofa"rule"thatapacketis"matched"againstandaresultingactionthattakesplace.

Whiletheremustbeameanstoordertherules,ageneralapproachtoorderingisnotmandated,aslongastheTOEcandistinguishtheIPpacketsandapplytherulesaccordingly.TheremaybemultipleSPDs(oneforeachnetworkinterface),butthisisnotrequired.

FCS_IPSEC_EXT.1.2TheTSFshallimplement[selection:transportmode,tunnelmode].

ApplicationNote:IftheTOEisusedtoconnecttoaVPNgatewayforthepurposesofestablishingasecureconnectiontoaprivatenetwork,theSTauthorshallselecttunnelmode.IftheTOEusesIPsectoestablishanend-to-endconnectiontoanotherIPsecVPNClient,theSTauthorshallselecttransportmode.IftheTOEusesIPsectoestablishaconnectiontoaspecificendpointdeviceforthepurposeofsecureremoteadministration,theSTauthorshallselecttransportmode.

FCS_IPSEC_EXT.1.3TheTSFshallhaveanominal,finalentryintheSPDthatmatchesanythingthatisotherwiseunmatched,anddiscardsit.

FCS_IPSEC_EXT.1.4TheTSFshallimplementtheIPsecprotocolESPasdefinedbyRFC4303usingthecryptographicalgorithms[AES-GCM-128,AES-GCM-256(asspecifiedinRFC4106),[selection:AES-CBC-128(specifiedinRFC3602),AES-CBC-256(specifiedinRFC3602),nootheralgorithms]]togetherwithaSecureHashAlgorithm(SHA)-basedHMAC.

FCS_IPSEC_EXT.1.5TheTSFshallimplementtheprotocol:

[selection:IKEv1,usingMainModeforPhase1exchanges,asdefinedinRFC2407,RFC2408,RFC2409,RFC4109,[selection:nootherRFCsforextendedsequencenumbers,RFC4304forextendedsequencenumbers],[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions],and[selection:supportforXAUTH,nosupportforXAUTH],IKEv2asdefinedinRFC7296(withmandatorysupportforNATtraversalasspecifiedinsection2.23),RFC8784,RFC8247,and[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions].

]

ApplicationNote:IftheTOEimplementsSHA-2hashalgorithmsforIKEv1orIKEv2,theSTauthorshallselectRFC4868.

FCS_IPSEC_EXT.1.6TheTSFshallensuretheencryptedpayloadinthe[selection:IKEv1,IKEv2]

protocolusesthecryptographicalgorithmsAES-CBC-128,AES-CBC-256asspecifiedinRFC6379and[selection:AES-GCM-128asspecifiedinRFC5282,AES-GCM-256asspecifiedinRFC5282,nootheralgorithm].

FCS_IPSEC_EXT.1.7TheTSFshallensurethat[selection:

IKEv2SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimesarefixedbasedon[selection:numberofpackets/numberofbytes,lengthoftime].Iflengthoftimeisused,itmustincludeatleastoneoptionthatis24hoursorlessforPhase1SAsand8hoursorlessforPhase2SAs.

]

ApplicationNote:TheSTauthorisaffordedaselectionbasedontheversionofIKEintheirimplementation.ThereisafurtherselectionwithinthisselectionthatallowstheSTauthortospecifywhichentityisresponsiblefor“configuring”thelifeoftheSA.AnimplementationthatallowsanadministratortoconfiguretheclientoraVPNgatewaythatpushestheSAlifetimedowntotheclientarebothacceptable.

AsfarasSAlifetimesareconcerned,theTOEcanlimitthelifetimebasedonthenumberofbytestransmitted,orthenumberofpacketstransmitted.Eitherpacket-basedorvolume-basedSAlifetimesareacceptable;theSTauthormakestheappropriateselectiontoindicatewhichtypeoflifetimelimitsaresupported.

TheSTauthorchooseseithertheIKEv1requirementsorIKEv2requirements(orboth,dependingontheselectioninFCS_IPSEC_EXT.1.5.TheIKEv1requirementcanbeaccomplishedeitherbyprovidingAuthorizedAdministrator-configurablelifetimes(withappropriateinstructionsindocumentsmandatedbyAGD_OPE),orby“hardcoding”thelimitsintheimplementation.ForIKEv2,therearenohardcodedlimits,butinthiscaseitisrequiredthatanadministratorbeabletoconfigurethevalues.Ingeneral,instructionsforsettingtheparametersoftheimplementation,includinglifetimeoftheSAs,shouldbeincludedintheoperationalguidancegeneratedforAGD_OPE.ItisappropriatetorefinetherequirementintermsofnumberofMB/KBinsteadofnumberofpackets,aslongastheTOEiscapableofsettingalimitontheamountoftrafficthatisprotectedbythesamekey(thetotalvolumeofallIPsectrafficprotectedbythatkey).

FCS_IPSEC_EXT.1.8TheTSFshallensurethatallIKEprotocolsimplementDHgroups[19(256-bitRandomECP),20(384-bitRandomECP),and[selection:24(2048-bitMODPwith256-bitPOS),15(3072-bitMODP),14(2048-bitMODP),nootherDHgroups]].

ApplicationNote:TheselectionisusedtospecifyadditionalDHgroupssupported.ThisappliestoIKEv1andIKEv2exchanges.ItshouldbenotedthatifanyadditionalDHgroupsarespecified,theymustcomplywiththerequirements(intermsoftheephemeralkeysthatareestablished)listedinFCS_CKM.1.

SincetheimplementationmayallowdifferentDiffie-HellmangroupstobenegotiatedforuseinformingtheSAs,theassignmentsinFCS_IPSEC_EXT.1.9andFCS_IPSEC_EXT.1.10maycontainmultiplevalues.ForeachDHgroupsupported,theSTauthorconsultsTable2in800-57todeterminethe“bitsofsecurity”associatedwiththeDHgroup.Eachuniquevalueisthenusedtofillintheassignment(for1.9theyaredoubled;for1.10theyareinserteddirectlyintotheassignment).Forexample,supposetheimplementationsupportsDHgroup14(2048-bitMODP)andgroup20(ECDHusingNISTcurveP-384).FromTable2,thebitsofsecurityvalueforgroup14is112,andforgroup20itis192.ForFCS_IPSEC_EXT.1.9,then,theassignmentwouldread“[224,384]”andforFCS_IPSEC_EXT.1.10itwouldread“[112,192]”(althoughinthiscasetherequirementshouldprobablyberefinedsothatitmakessensemathematically).

FCS_IPSEC_EXT.1.9TheTSFshallgeneratethesecretvaluexusedintheIKEDiffie-Hellmankeyexchange(“x”ingxmodp)usingtherandombitgeneratorspecifiedinFCS_RBG_EXT.1,andhavingalengthofatleast[assignment:(oneormore)number(s)ofbitsthatisatleasttwicethe“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General]bits.

FCS_IPSEC_EXT.1.10TheTSFshallgeneratenoncesusedinIKEexchangesinamannersuchthattheprobabilitythataspecificnoncevaluewillberepeatedduringthelifeaspecificIPsecSAislessthan1in2^[assignment:(oneormore)“bitsofsecurity”value(s)associatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General].

FCS_IPSEC_EXT.1.11TheTSFshallensurethatallIKEprotocolsperformpeerauthenticationusinga[selection:RSA,ECDSA]thatuseX.509v3certificatesthatconformtoRFC4945and[selection:Pre-sharedKeys,noothermethod].

ApplicationNote:Atleastonepublic-key-basedPeerAuthenticationmethodisrequiredinordertoconformtothisPP-Module;oneormoreofthepublickeyschemesischosenbytheSTauthortoreflectwhatisimplemented.TheSTauthoralsoensuresthatappropriateFCSrequirementsreflectingthealgorithmsused(andkeygenerationcapabilities,ifprovided)arelistedtosupportthosemethods.NotethattheTSSwillelaborateonthewayinwhichthesealgorithmsaretobeused(forexample,2409specifiesthreeauthenticationmethodsusingpublickeys;eachonesupportedwillbedescribedintheTSS).

If“pre-sharedkeys”isselected,theselection-basedrequirementFIA_PSK_EXT.1mustbeclaimed.

FCS_IPSEC_EXT.1.12TheTSFshallnotestablishanSAifthe[[selection:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,DistinguishedName(DN)]and[selection:nootherreferenceidentifiertype,[assignment:othersupportedreferenceidentifiertypes]]]containedinacertificatedoesnotmatchtheexpectedvalue(s)fortheentityattemptingtoestablishaconnection.

ApplicationNote:TheTOEmustsupportatleastoneofthefollowingidentifiertypes:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,orDistinguishedName(DN).Inthefuture,theTOEwillberequiredtosupportalloftheseidentifiertypes.TheTOEisexpectedtosupportasmanyIPaddressformats(IPv4andIPv6)asIPversionssupportedbytheTOEingeneral.TheSTauthormayassignadditionalsupportedidentifiertypesinthesecondselection.

FCS_IPSEC_EXT.1.13TheTSFshallnotestablishanSAifthepresentedidentifierdoesnotmatchtheconfiguredreferenceidentifierofthepeer.

ApplicationNote:Atthistime,onlythecomparisonbetweenthepresentedidentifierinthepeer’scertificateandthepeer’sreferenceidentifierismandatedbythetestingbelow.However,inthefuture,thisrequirementwilladdresstwoaspectsofthepeercertificatevalidation:1)comparisonofthepeer’sIDpayloadtothepeer’scertificatewhicharebothpresentedidentifiers,asrequiredbyRFC4945and2)verificationthatthepeeridentifiedbytheIDpayloadandthecertificateisthepeerexpectedbytheTOE(perthereferenceidentifier).Atthattime,theTOEwillberequiredtodemonstratebothaspects(i.e.thattheTOEenforcesthatthepeer’sIDpayloadmatchesthepeer’scertificatewhichbothmatchconfiguredpeerreferenceidentifiers).

ExcludingtheDNidentifiertype(whichisnecessarilytheSubjectDNinthepeercertificate),theTOEmaysupporttheidentifierineithertheCommonNameorSubjectAlternativeName(SAN)orboth.Ifbotharesupported,thepreferredlogicistocomparethereferenceidentifiertoapresentedSAN,andonlyifthepeer’scertificatedoesnotcontainaSAN,tofallbacktoacomparisonagainsttheCommonName.Inthefuture,theTOEwillberequiredtocomparethereferenceidentifiertothepresentedidentifierintheSANonly,ignoringtheCommonName.

TheconfigurationofthepeerreferenceidentifierisaddressedbyFMT_SMF.1.1/VPN.

FCS_IPSEC_EXT.1.14The[selection:TSF,VPNGateway]shallbeabletoensurebydefaultthatthestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase1,IKEv2IKE_SA]connectionisgreaterthanorequaltothestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase2,IKEv2CHILD_SA]connection.

ApplicationNote:Ifthisfunctionalityisconfigurable,theTSFmaybeconfiguredbyaVPNGatewayorbyanAdministratoroftheTOEitself.

TheSTauthorchooseseitherorbothoftheIKEselectionsbasedonwhatisimplementedbytheTOE.Obviously,theIKEversion(s)chosenshouldbeconsistentnotonlyinthiselement,butwithotherchoicesforotherelementsinthiscomponent.Whileitisacceptableforthiscapabilitytobeconfigurable,thedefaultconfigurationintheevaluatedconfiguration(either"outofthebox"orbyconfigurationguidanceintheAGDdocumentation)mustenablethisfunctionality.

EvaluationActivities

FCS_IPSEC_EXT.1:TSSInadditiontotheTSSEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshallperformthefollowing:IftheTOEboundaryincludesageneral-purposeoperatingsystemormobiledevice,theevaluatorshallexaminetheTSStoensurethatitdescribeswhethertheVPNclientcapabilityisarchitecturallyintegratedwiththeplatformitselforwhetheritisaseparateexecutablethatisbundledwiththeplatform.GuidanceInadditiontotheOperationalGuidanceEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshallperformthefollowing:IftheconfigurationoftheIPsecbehaviorisfromanenvironmentalsource,mostnotablyaVPNgateway(e.gthroughreceiptofrequiredconnectionparametersfromaVPNgateway),theevaluatorshallensurethattheoperationalguidancecontainsanyappropriateinformationforensuringthatthisconfigurationcanbeproperlyapplied.NoteinthiscasethattheimplementationoftheIPsecprotocolmustbeenforcedentirelywithintheTOEboundary;i.e.itisnotpermissibleforasoftwareapplicationTOEtobeagraphicalfront-endforIPsecfunctionalityimplementedtotallyorinpartbytheunderlyingOSplatform.ThebehaviorreferencedhereisforthepossibilitythattheconfigurationoftheIPsecconnectionisinitiatedfromoutsidetheTOE,whichispermissiblesolongastheTSFissolelyresponsibleforenforcingtheconfiguredbehavior.However,itisallowablefortheTSFtorelyonlow-levelplatform-providednetworkingfunctionstoimplementtheSPDfromtheclient(e.g.,enforcementofpacketroutingdecisions).

TestsAsaprerequisiteforperformingtheTestEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshalldothefollowing:Theevaluatorshallminimallycreateatestenvironmentequivalenttothetestenvironmentillustratedbelow.ThetrafficgeneratorusedtoconstructnetworkpacketsshouldprovidetheevaluatorwiththeabilitymanipulatefieldsintheICMP,IPv4,IPv6,UDP,andTCPpacketheaders.Theevaluatorshallprovidejustificationforanydifferencesinthetestenvironment.

Figure2:IPsecTestEnvironmentNotethattheevaluatorshallperformalltestsusingtheVirtualizationSystemandarepresentativesampleofplatformslistedintheST(forTOEsthatclaimtosupportmultipleplatforms).FCS_IPSEC_EXT.1.1TSSTheevaluatorshallexaminetheTSSanddeterminethatitdescribeshowtheIPseccapabilitiesareimplemented.TheevaluatorshallensurethattheTSSdescribesatahighlevelthearchitecturalrelationshipbetweentheIPsecimplementationandtherestoftheTOE(e.g.istheIPsecimplementationanintegratedpartoftheVSorisitastandaloneexecutablethatisbundledintotheVS).TheevaluatorshallensurethattheTSSdescribeshowtheSPDisimplementedandtherulesforprocessingbothinboundandoutboundpacketsintermsoftheIPsecpolicy.TheTSSdescribestherulesthatareavailableandtheresultingactionsavailableaftermatchingarule.TheTSSdescribeshowtheavailablerulesandactionsformtheSPDusingtermsdefinedinRFC4301

suchasBYPASS(e.g.,noencryption),DISCARD(e.g.,dropthepacket),andPROTECT(e.g.,encryptthepacket)actionsdefinedinRFC4301.Asnotedinsection4.4.1ofRFC4301,theprocessingofentriesintheSPDisnon-trivialandtheevaluatorshalldeterminethatthedescriptionintheTSSissufficienttodeterminewhichruleswillbeappliedgiventherulestructureimplementedbytheTOE.Forexample,iftheTOEallowsspecificationofranges,conditionalrules,etc.,theevaluatorshalldeterminethatthedescriptionofruleprocessing(forbothinboundandoutboundpackets)issufficienttodeterminetheactionthatwillbeapplied,especiallyinthecasewheretwodifferentrulesmayapply.Thisdescriptionshallcoverboththeinitialpackets(thatis,noSAisestablishedontheinterfaceorforthatparticularpacket)aswellaspacketsthatarepartofanestablishedSA.GuidanceTheevaluatorshallexaminetheoperationalguidancetoverifyitinstructstheAdministratorhowtoconstructentriesintotheSPDthatspecifyaruleforprocessingapacket.Thedescriptionincludesallthreecases–arulethatensurespacketsareencrypted/decrypted,dropped,andflowthroughtheTOEwithoutbeingencrypted.TheevaluatorshalldeterminethatthedescriptionintheoperationalguidanceisconsistentwiththedescriptionintheTSS,andthatthelevelofdetailintheoperationalguidanceissufficienttoallowtheadministratortosetuptheSPDinanunambiguousfashion.ThisincludesadiscussionofhoworderingofrulesimpactstheprocessingofanIPpacket.

TestsTheevaluatorusestheoperationalguidancetoconfiguretheTOEtocarryoutthefollowingtests:

Test1:TheevaluatorshallconfiguretheSPDsuchthatthereisarulefordroppingapacket,encryptingapacket,andallowingapackettoflowinplaintext.Theselectorsusedintheconstructionoftheruleshallbedifferentsuchthattheevaluatorcangenerateapacketandsendpacketstothegatewaywiththeappropriatefields(fieldsthatareusedbytherule-e.g.,theIPaddresses,TCP/UDPports)inthepacketheader.Theevaluatorperformsbothpositiveandnegativetestcasesforeachtypeofrule(e.g.,apacketthatmatchestheruleandanotherthatdoesnotmatchtherule).Theevaluatorobservesviatheaudittrail,andpacketcapturesthattheTOEexhibitedtheexpectedbehavior:appropriatepacketsweredropped,allowedtoflowwithoutmodification,encryptedbytheIPsecimplementation.Test2:Theevaluatorshalldeviseseveralteststhatcoveravarietyofscenariosforpacketprocessing.AswithTest1,theevaluatorensuresbothpositiveandnegativetestcasesareconstructed.ThesescenariosshallexercisetherangeofpossibilitiesforSPDentriesandprocessingmodesasoutlinedintheTSSandoperationalguidance.Potentialareastocoverincluderuleswithoverlappingrangesandconflictingentries,inboundandoutboundpackets,andpacketsthatestablishSAsaswellaspacketsthatbelongtoestablishedSAs.Theevaluatorshallverify,viatheaudittrailandpacketcaptures,foreachscenariothattheexpectedbehaviorisexhibited,andisconsistentwithboththeTSSandtheoperationalguidance.

FCS_IPSEC_EXT.1.2TSSTheevaluatorcheckstheTSStoensureitstatesthatamIPsecVPNcanbeestablishedtooperateintunnelmodeortransportmode(asselected).GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsonhowtoconfiguretheconnectionineachmodeselected.Ifbothtransportmodeandtunnelmodeareimplemented,theevaluatorshallreviewtheoperationalguidancetodeterminehowtheuseofagivenmodeisspecified.

TestsTheevaluatorshallperformthefollowingtest(s)basedontheselectionschosen:

Test1:(conditional):Iftunnelmodeisselected,theevaluatorusestheoperationalguidancetoconfiguretheTOE/platformtooperateintunnelmodeandalsoconfiguresaVPNpeertooperateintunnelmode.TheevaluatorconfigurestheTOE/platformandtheVPNpeertouseanyoftheallowablecryptographicalgorithms,authenticationmethods,etc.toensureanallowableSAcanbenegotiated.TheevaluatorshalltheninitiateaconnectionfromtheTOE/PlatformtotheVPNpeer.Theevaluatorobserves(forexample,intheaudittrailandthecapturedpackets)thatasuccessfulconnectionwasestablishedusingthetunnelmode.Test2:(conditional):Iftransportmodeisselectted,theevaluatorusestheoperationalguidancetoconfiguretheTOE/platformtooperateintransportmodeandalsoconfiguresaVPNpeertooperateintransportmode.TheevaluatorconfigurestheTOE/platformandtheVPNpeertouseanyoftheallowedcryptographicalgorithms,authenticationmethods,etc.toensureanallowableSAcanbenegotiated.TheevaluatortheninitiatesaconnectionfromtheTOE/platformtoconnecttotheVPNpeer.Theevaluatorobserves(forexample,intheaudittrailandthecapturedpackets)thatasuccessfulconnectionwasestablishedusingthetransportmode.

FCS_IPSEC_EXT.1.3

TSSIfbothtransportmodeandtunnelmodeareimplemented,theevaluatorshallreviewtheoperationalguidancetodeterminehowtheuseofagivenmodeisspecified.

GuidanceTheevaluatorshallcheckthattheoperationalguidanceprovidesinstructionsonhowtoconstructoracquiretheSPDandusestheguidancetoconfiguretheTOEforthefollowingtest.TestsTheevaluatorshallperformthefollowingtest:

Test1::TheevaluatorshallconfiguretheSPDsuchthatithasentriesthatcontainoperationsthatDISCARD,PROTECT,and(ifapplicable)BYPASSnetworkpackets.TheevaluatormayusetheSPDthatwascreatedforverificationofFCS_IPSEC_EXT.1.1.TheevaluatorshallconstructanetworkpacketthatmatchesaBYPASSentryandsendthatpacket.Theevaluatorshouldobservethatthenetworkpacketispassedtotheproperdestinationinterfacewithnomodification.Theevaluatorshallthenmodifyafieldinthepacketheader;suchthatitnolongermatchestheevaluator-createdentries(theremaybea“TOE-created”finalentrythatdiscardspacketsthatdonotmatchanypreviousentries).Theevaluatorsendsthepacket,andobservesthatthepacketwasnotpermittedtoflowtoanyoftheTOE’sinterfaces.

FCS_IPSEC_EXT.1.4TSSTheevaluatorshallexaminetheTSStoverifythatthealgorithmsAES-GCM-128andAES-GCM-256areimplemented.Ifthe"ST"authorhasselectedeitherAES-CBC-128orAES-CBC-256intherequirement,thentheevaluatorverifiestheTSSdescribestheseaswell.Inaddition,theevaluatorensuresthattheSHA-basedHMACalgorithmconformstothealgorithmsspecifiedinFCS_COP.1/KeyHashCryptographicOperations(KeyedHashAlgorithms).

GuidanceTheevaluatorcheckstheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEisconfiguredtousethealgorithmsselectedinthiscomponentandwhetherthisisperformedthroughdirectconfiguration,definedduringinitialinstallation,ordefinedbyacquiringconfigurationsettingsfromanenvironmentalcomponent.Tests

Test1:TheevaluatorshallconfiguretheTOE/platformasindicatedintheoperationalguidanceconfiguringtheTOE/platformtouseeachofthesupportedalgorithms,attempttoestablishaconnectionusingESP,andverifythattheattemptsucceeds.

FCS_IPSEC_EXT.1.5TSSTheevaluatorshallexaminetheTSStoverifythatIKEv1and/orIKEv2areimplemented.IfIKEv1isimplemented,theevaluatorshallverifythattheTSSindicateswhetherornotXAUTHissupported,andthataggressivemodeisnotusedforIKEv1Phase1exchanges(i.e.onlymainmodeisused).Itmaybethattheseareconfigurableoptions.

GuidanceTheevaluatorshallchecktheoperationalguidancetoensureitinstructstheadministratorhowtoconfiguretheTOEtouseIKEv1and/orIKEv2(asselected),andusestheguidancetoconfiguretheTOEtoperformNATtraversalforthetestbelow.IfXAUTHisimplemented,theevaluatorshallverifythattheoperationalguidanceprovidesinstructionsonhowitisenabledordisabled.IftheTOEsupportsIKEv1,theevaluatorshallverifythattheoperationalguidanceeitherassertsthatonlymainmodeisusedforPhase1exchanges,orprovidesinstructionsfordisablingaggressivemode.TestsTestsareperformedinconjunctionwiththeotherIPsecevaluationactivitieswiththeexceptionoftheactivitiesbelow:

Test1::TheevaluatorshallconfiguretheTOEsothatitwillperformNATtraversalprocessingasdescribedintheTSSandRFC7296,section2.23.TheevaluatorshallinitiateanIPsecconnectionanddeterminethattheNATissuccessfullytraversed.IftheTOEsupportsIKEv1withorwithoutXAUTH,theevaluatorshallverifythatthistestcanbesuccessfullyrepeatedwithXAUTHenabledanddisabledinthemannerspecifiedbytheoperationalguidance.IftheTOEonlysupportsIKEv1withXAUTH,theevaluatorshallverifythatconnectionsnotusingXAUTHareunsuccessful.IftheTOEonlysupportsIKEv1withoutXAUTH,theevaluatorshallverifythatconnectionsusingXAUTHareunsuccessful.Test2:(conditional)::IftheTOEsupportsIKEv1,theevaluatorshallperformanyapplicableoperationalguidancestepstodisabletheuseofaggressivemodeandthenattempttoestablishaconnectionusinganIKEv1Phase1connectioninaggressivemode.Thisattemptshouldfail.TheevaluatorshallshowthattheTOEwillrejectaVPNgatewayfrominitiatinganIKEv1Phase1connectioninaggressivemode.Theevaluatorshouldthenshowthatmainmodeexchangesaresupported.

FCS_IPSEC_EXT.1.6

TSSTheevaluatorshallensuretheTSSidentifiesthealgorithmsusedforencryptingtheIKEv1and/orIKEv2payload,andthatthealgorithmsAES-CBC-128,AES-CBC-256arespecified,andifothersarechosenintheselectionoftherequirement,thoseareincludedintheTSSdiscussion.

GuidanceTheevaluatorcheckstheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEisconfiguredtousethealgorithmsselectedinthiscomponentandwhetherthisisperformedthroughdirectconfiguration,definedduringinitialinstallation,ordefinedbyacquiringconfigurationsettingsfromanenvironmentalcomponent.TestsTheevaluatorshallusetheoperationalguidancetoconfiguretheTOE(ortoconfiguretheOperationalEnvironmenttohavetheTOEreceiveconfiguration)toperformthefollowingtestforeachciphersuiteselected:

Test1:TheevaluatorshallconfiguretheTOEtousetheciphersuiteundertesttoencrypttheIKEv1and/orIKEv2payloadandestablishaconnectionwithapeerdevice,whichisconfiguredtoonlyacceptthepayloadencryptedusingtheindicatedciphersuite.Theevaluatorwillconfirmthealgorithmwasthatusedinthenegotiation.Theevaluatorwillconfirmthattheconnectionissuccessfulbyconfirmingthatdatacanbepassedthroughtheconnectiononceitisestablished.Forexample,theevaluatormayconnecttoawebpageontheremotenetworkandverifythatitcanbereached.

FCS_IPSEC_EXT.1.7TSSTherearenoTSSEAsforthisrequirement.GuidanceTheevaluatorshallchecktheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEconfiguresthevaluesforSAlifetimes.Inaddition,theevaluatorshallcheckthattheguidancehastheoptionforeithertheAdministratororVPNGatewaytoconfigurePhase1SAsiftime-basedlimitsaresupported.Currentlytherearenovaluesmandatedforthenumberofpacketsornumberofbytes,theevaluatorshallsimplychecktheoperationalguidancetoensurethatthiscanbeconfiguredifselectedintherequirement.TestsWhentestingthisfunctionality,theevaluatorneedstoensurethatbothsidesareconfiguredappropriately.FromtheRFC“AdifferencebetweenIKEv1andIKEv2isthatinIKEv1SAlifetimeswerenegotiated.InIKEv2,eachendoftheSAisresponsibleforenforcingitsownlifetimepolicyontheSAandrekeyingtheSAwhennecessary.Ifthetwoendshavedifferentlifetimepolicies,theendwiththeshorterlifetimewillendupalwaysbeingtheonetorequesttherekeying.Ifthetwoendshavethesamelifetimepolicies,itispossiblethatbothwillinitiatearekeyingatthesametime(whichwillresultinredundantSAs).Toreducetheprobabilityofthishappening,thetimingofrekeyingrequestsSHOULDbejittered.”EachofthefollowingtestsshallbeperformedforeachversionofIKEselectedintheFCS_IPSEC_EXT.1.5protocolselection:

Test1:(Conditional)::Theevaluatorshallconfigureamaximumlifetimeintermsofthe#ofpackets(orbytes)allowedfollowingtheoperationalguidance.TheevaluatorshallestablishanSAanddeterminethatoncetheallowed#ofpackets(orbytes)throughthisSAisexceeded,theconnectionisclosed.Test2:(Conditional):TheevaluatorshallconstructatestwhereaPhase1SAisestablishedandattemptedtobemaintainedformorethan24hoursbeforeitisrenegotiated.TheevaluatorshallobservethatthisSAisclosedorrenegotiatedin24hoursorless.IfsuchanactionrequiresthattheTOEbeconfiguredinaspecificway,theevaluatorshallimplementtestsdemonstratingthattheconfigurationcapabilityoftheTOEworksasdocumentedintheoperationalguidance.Test3:[conditional]:TheevaluatorshallperformatestsimilartoTest2forPhase2SAs,exceptthatthelifetimewillbe8hoursorlessinsteadof24hoursorless.Test4:[conditional]:IfafixedlimitforIKEv1SAsissupported,theevaluatorshallestablishanSAandobservethattheconnectionisclosedafterthefixedtrafficand/ortimevalueisreached.

FCS_IPSEC_EXT.1.8TSSTheevaluatorshallchecktoensurethattheDHgroupsspecifiedintherequirementarelistedasbeingsupportedintheTSS.IfthereismorethanoneDHgroupsupported,theevaluatorcheckstoensuretheTSSdescribeshowaparticularDHgroupisspecified/negotiatedwithapeer.GuidanceTherearenoAGDEAsforthisrequirement.TestsTheevaluatorshallperformthefollowingtest:

Test1:ForeachsupportedDHgroup,theevaluatorshalltesttoensurethatallsupportedIKEprotocolscanbesuccessfullycompletedusingthatparticularDHgroup.

FCS_IPSEC_EXT.1.9TSS

Theevaluatorshallchecktoensurethat,foreachDHgroupsupported,theTSSdescribestheprocessforgenerating"x"(asdefinedinFCS_IPSEC_EXT.1.9)andeachnonce.TheevaluatorshallverifythattheTSSindicatesthattherandomnumbergeneratedthatmeetstherequirementsinthisEPisused,andthatthelengthof"x"andthenoncesmeetthestipulationsintherequirement.

GuidanceTherearenoAGDEAsforthisrequirement.TestsTherearenotestEAsforthisrequirement.FCS_IPSEC_EXT.1.10EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.9.FCS_IPSEC_EXT.1.11TSSTheevaluatorensuresthattheTSSidentifiesRSAand/orECDSAasbeingusedtoperformpeerauthentication.Ifpre-sharedkeysarechosenintheselection,theevaluatorshallchecktoensurethattheTSSdescribeshowpre-sharedkeysareestablishedandusedinauthenticationofIPsecconnections.ThedescriptionintheTSSshallalsoindicatehowpre-sharedkeyestablishmentisaccomplisheddependingonwhethertheTSFcangenerateapre-sharedkey,acceptapre-sharedkey,orboth.TheevaluatorshallensurethattheTSSdescribeshowtheTOEcomparesthepeer’spresentedidentifiertothereferenceidentifier.ThisdescriptionshallincludewhetherthecertificatepresentedidentifieriscomparedtotheIDpayloadpresentedidentifier,whichfield(s)ofthecertificateareusedasthepresentedidentifier(DN,CommonName,orSAN)and,ifmultiplefieldsaresupported,thelogicalordercomparison.IftheSTauthorassignedanadditionalidentifiertype,theTSSdescriptionshallalsoincludeadescriptionofthattypeandthemethodbywhichthattypeiscomparedtothepeer’spresentedcertificate.

GuidanceTheevaluatorshallcheckthattheoperationalguidancedescribeshowpre-sharedkeysaretobegeneratedandestablished.TheevaluatorensurestheoperationalguidancedescribeshowtosetuptheTOEtousethecryptographicalgorithmsRSAand/orECDSA.InordertoconstructtheenvironmentandconfiguretheTOEforthefollowingtests,theevaluatorwillensurethattheoperationalguidancealsodescribeshowtoconfiguretheTOEtoconnecttoatrustedCA,andensureavalidcertificateforthatCAisloadedintotheTOEasatrustedCA.Theevaluatorshallalsoensurethattheoperationalguidanceincludestheconfigurationofthereferenceidentifier(s)forthepeer.

TestsForefficiency’ssake,thetestingthatisperformedherehasbeencombinedwiththetestingforFIA_X509_EXT.2andFIA_X509_EXT.3(forIPsecconnectionsanddependingontheBase-PP),FCS_IPSEC_EXT.1.12,andFCS_IPSEC_EXT.1.13.ThefollowingtestsshallberepeatedforeachpeerauthenticationprotocolselectedintheFCS_IPSEC_EXT.1.11selectionabove:

Test1::TheevaluatorshallhavetheTOEgenerateapublic-privatekeypair,andsubmitaCSR(CertificateSigningRequest)toaCA(trustedbyboththeTOEandthepeerVPNusedtoestablishaconnection)foritssignature.ThevaluesfortheDN(CommonName,Organization,OrganizationalUnit,andCountry)willalsobepassedintherequest.Alternatively,theevaluatormayimporttotheTOEapreviouslygeneratedprivatekeyandcorrespondingcertificate.Test2:TheevaluatorshallconfiguretheTOEtouseaprivatekeyandassociatedcertificatesignedbyatrustedCAandshallestablishanIPsecconnectionwiththepeer.Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates–conditionalonwhetherCRLorOCSPisselected;ifbothareselected,andthenatestisperformedforeachmethod.ForthiscurrentversionofthePP-Module,theevaluatorhastoonlytestoneupinthetrustchain(futuredraftsmayrequiretoensurethevalidationisdoneuptheentirechain).Theevaluatorshallensurethatavalidcertificateisused,andthattheSAisestablished.Theevaluatorthenattemptsthetestwithacertificatethatwillberevoked(foreachmethodchosenintheselection)toensurewhenthecertificateisnolongervalidthattheTOEwillnotestablishanSA.Test4:[conditional]:Theevaluatorshallgenerateapre-sharedkeyanduseit,asindicatedintheoperationalguidance,toestablishanIPsecconnectionwiththeVPNGWpeer.Ifthegenerationofthepre-sharedkeyissupported,theevaluatorshallensurethatestablishmentofthekeyiscarriedoutforaninstanceoftheTOEgeneratingthekeyaswellasaninstanceoftheTOEmerelytakinginandusingthekey.Foreachsupportedidentifiertype(excludingDNs),theevaluatorshallrepeatthefollowingtests:

Test5:Foreachfieldofthecertificatesupportedforcomparison,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOE(pertheadministrativeguidance)to

matchthefieldinthepeer’spresentedcertificateandshallverifythattheIKEauthenticationsucceeds.Test6:Foreachfieldofthecertificatesupportforcomparison,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOE(pertheadministrativeguidance)tonotmatchthefieldinthepeer’spresentedcertificateandshallverifythattheIKEauthenticationfails.Thefollowingtestsareconditional:Test7:[conditional]:If,accordingtotheTSS,theTOEsupportsbothCommonNameandSANcertificatefieldsandusesthepreferredlogicoutlinedintheApplicationNote,thetestsabovewiththeCommonNamefieldshallbeperformedusingpeercertificateswithnoSANextension.Additionally,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOEtonotmatchtheSANinthepeer’spresentedcertificatebuttomatchtheCommonNameinthepeer’spresentedcertificate,andverifythattheIKEauthenticationfails.Test8:[conditional]:IftheTOEsupportsDNidentifiertypes,theevaluatorshallconfigurethepeer'sreferenceidentifierontheTOE(pertheadministrativeguidance)tomatchthesubjectDNinthepeer'spresentedcertificateandshallverifythattheIKEauthenticationsucceeds.Todemonstrateabit-wisecomparisonoftheDN,theevaluatorshallchangeasinglebitintheDN(preferably,inanObjectIdentifier(OID)intheDN)andverifythattheIKEauthenticationfails.TodemonstrateacomparisonofDNvalues,theevaluatorshallchangeanyoneofthefourDNvaluesandverifythattheIKEauthenticationfails.Test9:[conditional]:IftheTOEsupportsbothIPv4andIPv6andsupportsIPaddressidentifiertypes,theevaluatormustrepeattest1and2withbothIPv4addressidentifiersandIPv6identifiers.Additionally,theevaluatorshallverifythattheTOEverifiesthattheIPheadermatchestheidentifiersbysettingthepresentedidentifiersandthereferenceidentifierwiththesameIPaddressthatdiffersfromtheactualIPaddressofthepeerintheIPheadersandverifyingthattheIKEauthenticationfails.Test10:[conditional]:If,accordingtotheTSS,theTOEperformscomparisonsbetweenthepeer’sIDpayloadandthepeer’scertificate,theevaluatorshallrepeatthefollowingtestforeachcombinationofsupportedidentifiertypesandsupportedcertificatefields(asabove).TheevaluatorshallconfigurethepeertopresentadifferentIDpayloadthanthefieldinthepeer’spresentedcertificateandverifythattheTOEfailstoauthenticatetheIKEpeer.

FCS_IPSEC_EXT.1.12EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.11.FCS_IPSEC_EXT.1.13EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.11.FCS_IPSEC_EXT.1.14TSSTheevaluatorshallcheckthattheTSSdescribesthepotentialstrengths(intermsofthenumberofbitsinthesymmetrickey)ofthealgorithmsthatareallowedfortheIKEandESPexchanges.TheTSSshallalsodescribethechecksthataredonewhennegotiatingIKEv1Phase2and/orIKEv2CHILD_SAsuitestoensurethatthestrength(intermsofthenumberofbitsofkeyinthesymmetricalgorithm)ofthenegotiatedalgorithmislessthanorequaltothatoftheIKESAthisisprotectingthenegotiation.GuidanceTherearenoAGDEAsforthisrequirement.TestsTheevaluatorfollowstheguidancetoconfiguretheTOEtoperformthefollowingtests:

Test1:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallsuccessfullynegotiateanIPsecconnectionusingeachofthesupportedalgorithmsandhashfunctionsidentifiedintherequirements.Test2:[conditional]:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanSAforESPthatselectsanencryptionalgorithmwithmorestrengththanthatbeingusedfortheIKESA(i.e.,symmetricalgorithmwithakeysizelargerthanthatbeingusedfortheIKESA).Suchattemptsshouldfail.Test3:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanIKESAusinganalgorithmthatisnotoneofthesupportedalgorithmsandhashfunctionsidentifiedintherequirements.Suchanattemptshouldfail.Test4::ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanSAforESP(assumestheproperparameterswhereusedtoestablishtheIKESA)thatselectsanencryptionalgorithmthatisnotidentifiedinFCS_IPSEC_EXT.1.4.Suchanattemptshouldfail.

B.3IdentificationandAuthentication(FIA)

FIA_PMG_EXT.1PasswordManagement

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1.

FIA_PMG_EXT.1.1TheTSFshallprovidethefollowingpasswordmanagementcapabilitiesforadministrativepasswords:

a. Passwordsshallbeabletobecomposedofanycombinationofupperandlowercasecharacters,digits,andthefollowingspecialcharacters:[selection:“!”,“@”,“#”,“$”,“%”,“^”,“&”,“*”,“(“,“)”,[assignment:othercharacters]]

b. Minimumpasswordlengthshallbeconfigurablec. Passwordsofatleast15charactersinlengthshallbesupported

ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselects‘authenticationbasedonusernameandpassword’inFIA_UAU.5.1.

TheSTauthorselectsthespecialcharactersthataresupportedbytheTOE;theymayoptionallylistadditionalspecialcharacterssupportedusingtheassignment.“Administrativepasswords”referstopasswordsusedbyadministratorstogainaccesstotheManagementSubsystem.

EvaluationActivities

FIA_PMG_EXT.1:GuidanceTheevaluatorshallexaminetheoperationalguideancetodeterminethatitprovidesguidancetosecurityadministratorsinthecompositionofstrongpasswords,andthatitprovidesinstructionsonsettingtheminimumpasswordlength.TestsTheevaluatorshallalsoperformthefollowingtests.Notethatoneormoreofthesetestsmaybeperformedwithasingletestcase.

Test1:Theevaluatorshallcomposepasswordsthateithermeettherequirements,orfailtomeettherequirements,insomeway.Foreachpassword,theevaluatorshallverifythattheTOEsupportsthepassword.Whiletheevaluatorisnotrequired(norisitfeasible)totestallpossiblecombinationsofpasswords,theevaluatorshallensurethatallcharacters,rulecharacteristics,andaminimumlengthlistedintherequirementaresupported,andjustifythesubsetofthosecharacterschosenfortesting.

FIA_X509_EXT.1X.509CertificateValidation

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFPT_TUD_EXT.1.3,FIA_UAU.5.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1.

FIA_X509_EXT.1.1TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:

RFC5280certificatevalidationandcertificatepathvalidationThecertificatepathmustterminatewithatrustedcertificateTheTOEshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidaterevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,aCRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:

CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1withOID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningPurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.

ApplicationNote:ThisSFRmustbeincludedintheSTiftheselectionfor

FPT_TUD_EXT.1.3is“digitalsignaturemechanism,”oriftheselectionforFTP_ITC_EXT.1includes“IPsec,”“TLS,”or“TLS/HTTPS.”

FIA_X509_EXT.1.1liststherulesforvalidatingcertificates.TheSTauthorshallselectwhetherrevocationstatusisverifiedusingOCSPorCRLs.FIA_X509_EXT.2requiresthatcertificatesareusedforIPsec;thisuserequiresthattheextendedKeyUsagerulesareverified.CertificatesmayoptionallybeusedforSSH,TLS,andHTTPsand,ifimplemented,mustbevalidatedtocontainthecorrespondingextendedKeyUsage.

OCSPstaplingandOCSPmulti-staplingsupportonlyTLSservercertificatevalidation.Ifothercertificatetypesarevalidated,eitherOCSPorCRLmustbeclaimed.IfOCSPisnotsupportedtheEKUprovisionforcheckingtheOCSPSigningpurposeismetbydefault.

RegardlessoftheselectionofTSForTOEplatform,thevalidationmustresultinatrustedrootCAcertificateinarootstoremanagedbytheplatform.

FIA_X509_EXT.1.2TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.

ApplicationNote:ThisrequirementappliestocertificatesthatareusedandprocessedbytheTSFandrestrictsthecertificatesthatmaybeaddedastrustedCAcertificates.

EvaluationActivities

FIA_X509_EXT.1:TSSTheevaluatorshallensuretheTSSdescribeswherethecheckofvalidityofthecertificatestakesplace.TheevaluatorensurestheTSSalsoprovidesadescriptionofthecertificatepathvalidationalgorithm.

TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Iftherequirementthattheadministratorisabletospecifythedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.TestsThetestsdescribedmustbeperformedinconjunctionwiththeotherCertificateServicesassuranceactivities,includingtheuseslistedinFIA_X509_EXT.2.1.ThetestsfortheextendedKeyUsagerulesareperformedinconjunctionwiththeusesthatrequirethoserules.

Test1:Theevaluatorshalldemonstratethatvalidatingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing,foreachofthefollowingreasons,inturn:

byestablishingacertificatepathinwhichoneoftheissuingcertificatesisnotaCAcertificate,byomittingthebasicConstraintsfieldinoneoftheissuingcertificates,bysettingthebasicConstraintsfieldinanissuingcertificatetohaveCA=False,byomittingtheCAsigningbitofthekeyusagefieldinanissuingcertificate,andbysettingthepathlengthfieldofavalidCAfieldtoavaluestrictlylessthanthecertificatepath.

TheevaluatorshallthenestablishavalidcertificatepathconsistingofvalidCAcertificates,anddemonstratethatthefunctionsucceeds.TheevaluatorshallthenremovetrustinoneoftheCAcertificates,andshowthatthefunctionfails.Test2:Theevaluatorshalldemonstratethatvalidatinganexpiredcertificateresultsinthefunctionfailing.Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates–conditionalonwhetherCRL,OCSP,OCSPstapling,orOCSPmulti-staplingisselected;ifmultiplemethodsareselected,andthenatestisperformedforeachmethod.Theevaluatorhastoonlytestoneupinthetrustchain(futurerevisionsmayrequiretoensurethevalidationisdoneuptheentirechain).Theevaluatorshallensurethatavalidcertificateisused,andthatthevalidationfunctionsucceeds.Theevaluatorshallthenattemptthetestwithacertificatethatwillberevoked(foreachmethodchosenintheselection)andverifythatthevalidationfunctionfails.Test4:IfanyOCSPoptionisselected,theevaluatorshallconfiguretheOCSPserveroruseaman-in-the-middletooltopresentacertificatethatdoesnothavetheOCSPsigningpurposeandverifythatvalidationoftheOCSPresponsefails.IfCRLisselected,theevaluatorshallconfiguretheCAtosignaCRLwithacertificatethatdoesnothavethecRLsignkeyusagebitsetandverifythatvalidationoftheCRLfails.Test5:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1/SIG).The

evaluatorshallestablishavalid,trustedcertificatechainconsistingofanECleafcertificate,anECIntermediateCAcertificatenotdesignatedasatrustanchor,andanECcertificatedesignatedasatrustedanchor,wheretheellipticcurveparametersarespecifiedasanamedcurve.TheevaluatorshallconfirmthattheTOEvalidatesthecertificatechain..Test6:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1/SIG).TheevaluatorshallreplacetheintermediatecertificateinthecertificatechainforTest5withamodifiedcertificate,wherethemodifiedintermediateCAhasapublickeyinformationfieldwheretheECparametersusesanexplicitformatversionoftheEllipticCurveparametersinthepublickeyinformationfieldoftheintermediateCAcertificatefromTest5,andthemodifiedIntermediateCAcertificateissignedbythetrustedECrootCA,buthavingnootherchanges.TheevaluatorshallconfirmtheTOEtreatsthecertificateasinvalid.

FIA_X509_EXT.2X.509CertificateAuthentication

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFPT_TUD_EXT.1.3,FIA_UAU.5.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1.

FIA_X509_EXT.2.1TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationfor[selection:IPsec,TLS,HTTPS,SSH],and[selection:codesigningforsystemsoftwareupdates,codesigningforintegrityverification,[assignment:otheruses],noadditionaluses]

ApplicationNote:ThisSFRmustbeincludedintheSTiftheselectionforFPT_TUD_EXT.1.3is“digitalsignaturemechanismusingcertificates,”oriftheselectionforFTP_ITC_EXT.1.1includes“IPsec,”“TLS,”or“TLS/HTTPS,”orifFIA_UAUrequiresauthenticationusingX.509certificates.

FIA_X509_EXT.2.2WhentheTSFcannotestablishaconnectiontodeterminethevalidityofacertificate,theTSFshall[selection:allowtheadministratortochoosewhethertoacceptthecertificateinthesecases,acceptthecertificate,notacceptthecertificate].

ApplicationNote:Oftenaconnectionmustbeestablishedtochecktherevocationstatusofacertificate-eithertodownloadaCRLortoperformalookupusingOCSP.Theselectionisusedtodescribethebehaviorintheeventthatsuchaconnectioncannotbeestablished(forexample,duetoanetworkerror).IftheTOEhasdeterminedthecertificatevalidaccordingtoallotherrulesinFIA_X509_EXT.1,thebehaviorindicatedintheselectionshalldeterminethevalidity.TheTOEmustnotacceptthecertificateifitfailsanyoftheothervalidationrulesinFIA_X509_EXT.1.Iftheadministrator-configuredoptionisselectedbytheSTAuthor,theSTAuthormustensurethatthisisalsodefinedasamanagementfunctionthatisprovidedbytheTOE.

EvaluationActivities

FIA_X509_EXT.2:TSSTheevaluatorshallchecktheTSStoensurethatitdescribeshowtheTOEchooseswhichcertificatestouse,andanynecessaryinstructionsintheadministrativeguidanceforconfiguringtheoperatingenvironmentsothattheTOEcanusethecertificates.

TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Iftherequirementthattheadministratorisabletospecifythedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.TestsTheevaluatorshallperformTest1foreachfunctionlistedinFIA_X509_EXT.2.1thatrequirestheuseofcertificates:

Test1:Theevaluatorshalldemonstratethatusingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing.Usingtheadministrativeguidance,theevaluatorshallthenloadacertificateorcertificatesneededtovalidatethecertificatetobeusedinthefunction,anddemonstratethatthefunctionsucceeds.Theevaluatorthenshalldeleteoneofthecertificates,andshowthatthefunctionfails.Test2:Theevaluatorshalldemonstratethatusingavalidcertificatethatrequirescertificatevalidationcheckingtobeperformedinatleastsomepartbycommunicatingwithanon-TOEITentity.TheevaluatorshallthenmanipulatetheenvironmentsothattheTOEisunabletoverifythevalidityofthecertificate,andobservethattheactionselectedin

FIA_X509_EXT.2.2isperformed.Iftheselectedactionisadministrator-configurable,thentheevaluatorshallfollowtheoperationalguidancetodeterminethatallsupportedadministrator-configurableoptionsbehaveintheirdocumentedmanner.

B.4ProtectionoftheTSF(FPT)

FPT_TUD_EXT.2TrustedUpdateBasedonCertificates

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFPT_TUD_EXT.1.3,FIA_X509_EXT.2.1.

FPT_TUD_EXT.2.1TheTSFshallnotinstallanupdateifthecodesigningcertificateisdeemedinvalid.

ApplicationNote:Certificatesmayoptionallybeusedforcodesigningofsystemsoftwareupdates(FPT_TUD_EXT.1.3).ThiselementmustbeincludedintheSTifcertificatesareusedforvalidatingupdates.If“codesigningforsystemsoftwareupdates”isselectedinFIA_X509_EXT.2.1,FPT_TUD_EXT.2mustbeincludedintheST.

Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithFIA_X509_EXT.1.

EvaluationActivities

FPT_TUD_EXT.2:TestsTheassuranceactivityforthisrequirementisperformedinconjunctionwiththeassuranceactivityforFIA_X509_EXT.1andFIA_X509_EXT.2.

B.5TrustedPath/Channel(FTP)

FTP_TRP.1TrustedPath

Theinclusionofthisselection-basedcomponentdependsuponaselectionin.

FTP_TRP.1.1TheTSFshalluseatrustedchannelasspecifiedinFTP_ITC_EXT.1toprovideatrustedcommunicationpathbetweenitselfand[remote]administratorsthatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafrom[modification,disclosure].

FTP_TRP.1.2TheTSFshallpermitremoteadministratorstoinitiatecommunicationviathetrustedpath.

FTP_TRP.1.3TheTSFshallrequiretheuseofthetrustedpathfor[[allremoteadministrationactions]].

ApplicationNote:ThisSFRisincludedintheSTif"remote"isselectedinFMT_MOF_EXT.1.1oftheclientorserverPP-Module.

ProtocolsusedtoimplementtheremoteadministrationtrustedchannelmustbeselectedinFTP_ITC_EXT.1.

ThisrequirementensuresthatauthorizedremoteadministratorsinitiateallcommunicationwiththeTOEviaatrustedpath,andthatallcommunicationswiththeTOEbyremoteadministratorsisperformedoverthispath.Thedatapassedinthistrustedcommunicationchannelareencryptedasdefinedtheprotocolchoseninthefirstselection.TheSTauthorchoosesthemechanismormechanismssupportedbytheTOE,andthenensuresthatthedetailedrequirementsinAppendixBcorrespondingtotheirselectionarecopiedtotheSTifnotalreadypresent.

EvaluationActivities

FTP_TRP.1:TSSTheevaluatorshallexaminetheTSStodeterminethatthemethodsofremoteTOEadministrationareindicated,alongwithhowthosecommunicationsareprotected.TheevaluatorshallalsoconfirmthatallprotocolslistedintheTSSinsupportofTOEadministrationareconsistentwiththosespecifiedintherequirement,andareincludedintherequirementsintheST.GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsforestablishingtheremoteadministrativesessionsforeachsupportedmethod.TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:Theevaluatorsshallensurethatcommunicationsusingeachspecified(intheoperationalguidance)remoteadministrationmethodistestedduringthecourseoftheevaluation,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.Test2:Foreachmethodofremoteadministrationsupported,theevaluatorshallfollowtheoperationalguidancetoensurethatthereisnoavailableinterfacethatcanbeusedbyaremoteusertoestablishremoteadministrativesessionswithoutinvokingthetrustedpath.Test3:Theevaluatorshallensure,foreachmethodofremoteadministration,thechanneldataisnotsentinplaintext.Test4:Theevaluatorshallensure,foreachmethodofremoteadministration,modificationofthechanneldataisdetectedbytheTOE.

Furtherassuranceactivitiesareassociatedwiththespecificprotocols.

AppendixC-ExtendedComponentDefinitionsThisappendixcontainsthedefinitionsforallextendedrequirementsspecifiedinthePP.

C.1ExtendedComponentsTableAllextendedcomponentsspecifiedinthePParelistedinthistable:

Table8:ExtendedComponentDefinitionsFunctionalClass FunctionalComponents

SecurityAudit(FAU) FAU_STG_EXTOff-LoadingofAuditData

SecurityAudit(FAU) FAU_FAK_EXTFakeAuditData

CryptographicSupport(FCS) FCS_CKM_EXTCryptographicKeyManagement

CryptographicSupport(FCS) FCS_ENT_EXTEntropyforVirtualMachines

CryptographicSupport(FCS) FCS_HTTPS_EXTHTTPSProtocol

CryptographicSupport(FCS) FCS_IPSEC_EXTIPsecProtocol

CryptographicSupport(FCS) FCS_RBG_EXTCryptographicOperation(RandomBitGeneration)

UserDataProtection(FDP) FDP_HBI_EXTHardware-BasedIsolationMechanisms

UserDataProtection(FDP) FDP_PPR_EXTPhysicalPlatformResourceControls

UserDataProtection(FDP) FDP_RIP_EXTResidualInformationinMemory

UserDataProtection(FDP) FDP_VMS_EXTVMSeparation

UserDataProtection(FDP) FDP_VNC_EXTVirtualNetworkingComponents

IdentificationandAuthentication(FIA)

FIA_AFL_EXTAuthenticationFailureHandling

IdentificationandAuthentication(FIA)

FIA_PMG_EXTPasswordManagement

IdentificationandAuthentication(FIA)

FIA_UIA_EXTAdministratorIdentificationandAuthentication

IdentificationandAuthentication(FIA)

FIA_X509_EXTX.509Certificate

SecurityManagement(FMT) FMT_MSA_EXTDefaultDataSharingConfiguration

SecurityManagement(FMT) FMT_SMO_EXTSeparationofManagementandOperationalNetworks

ProtectionoftheTSF(FPT) FPT_DDI_EXTDeviceDriverIsolation

ProtectionoftheTSF(FPT) FPT_DVD_EXTNon-ExistenceofDisconnectedVirtualDevices

ProtectionoftheTSF(FPT) FPT_EEM_EXTExecutionEnvironmentMitigations

ProtectionoftheTSF(FPT) FPT_GVI_EXTGuestVMIntegrity

ProtectionoftheTSF(FPT) FPT_HAS_EXTHardwareAssists

ProtectionoftheTSF(FPT) FPT_HCL_EXTHypercallControls

ProtectionoftheTSF(FPT) FPT_IDV_EXTSoftwareIdentificationandVersions

ProtectionoftheTSF(FPT) FPT_INT_EXTSupportforIntrospection

ProtectionoftheTSF(FPT) FPT_ML_EXTMeasuredLaunchofPlatformandVMM

ProtectionoftheTSF(FPT) FPT_RDM_EXTRemovableDevicesandMedia

ProtectionoftheTSF(FPT) FPT_TUD_EXTTrustedUpdates

ProtectionoftheTSF(FPT) FPT_VDP_EXTVirtualDeviceParameters

ProtectionoftheTSF(FPT) FPT_VIV_EXTVMMIsolationfromVMs

ProtectionoftheTSF(FPT) FPT_VIV_EXTVMMIsolationfromVMs

TrustedPath/Channel(FTP) FTP_ITC_EXTTrustedChannelCommunications

TrustedPath/Channel(FTP) FTP_UIF_EXTUserInterface

C.2ExtendedComponentDefinitions

FAU_STG_EXTOff-LoadingofAuditData

FamilyBehaviorThisfamilydefinesrequirementsfortheTSFtobeabletosecurelytransmitauditdatabetweentheTOEandanexternalITentity.FAU_STG_EXT FAU_STG_EXT.1

ComponentLevelingFAU_STG_EXT.1,Off-LoadingofAuditData,requirestheTSFtotransmitauditdatausingatrustedchanneltoanoutsideentityandtospecifytheactiontobetakenwhenlocalauditstorageisfull.

Management:FAU_STG_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigureandmanagetheauditsystemandauditdata.

Audit:FAU_STG_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Failureofauditdatacaptureduetolackofdiskspaceorpre-definedlimit.b. Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.

FAU_STG_EXT.1Off-LoadingofAuditDataHierarchicalto:Noothercomponents.Dependenciesto:FAU_GEN.1AuditDataGenerationFTP_ITC_EXT.1TrustedChannelCommunications

FAU_STG_EXT.1.1

TheTSFshallbeabletotransmitthegeneratedauditdatatoanexternalITentityusingatrustedchannelasspecifiedinFTP_ITC_EXT.1.

FAU_STG_EXT.1.2

TheTSFshall[selection:dropnewauditdata,overwritepreviousauditrecordsaccordingtothefollowingrule:[assignment:ruleforoverwritingpreviousauditrecords],[assignment:otheraction]]whenthelocalstoragespaceforauditdataisfull.

FAU_FAK_EXTFakeAuditData

FamilyBehaviorThisfamilydefinesrequirementsthataretotallyfake.FAU_FAK_EXT FAU_FAK_EXT.1

ComponentLevelingFAU_FAK_EXT.1,FakeAuditReview,requirestheTSFtotransmitfakeauditdatausingacup-and-stringtrustedchanneltoanoutsideentityandtospecifytheactiontobetakenwhenlocalauditstorageisoverflown.

Management:FAU_FAK_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFAU:

a. Abilitytoconfigureandmanagethefakeauditsystemandauditdata.

Audit:FAU_FAK_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Failureoffakeauditdatacaptureduetolackofdiskspaceorpre-definedlimit.b. Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.

FAU_FAK_EXT.1FakeAuditReviewHierarchicalto:Noothercomponents.Dependenciesto:FAU_GEN.1AuditDataGenerationFTP_ITC_EXT.1TrustedChannelCommunications

FAU_FAK_EXT.1.1

FCS_CKM_EXTCryptographicKeyManagement

FamilyBehaviorThisfamilydefinesrequirementsformanagementofcryptographickeys.FCS_CKM_EXT FCS_CKM_EXT.4

ComponentLevelingFCS_CKM_EXT.4,CryptographicKeyDestruction,requirestheTSFtodestroyormakeunrecoverableemptykeysinvolatileandnon-volatilememory.Notethatcomponentlevel4isusedherebecauseofthiscomponent’ssimilaritytotheCCPart2componentFCS_CKM.4.

Management:FCS_CKM_EXT.4Thefollowingactionscouldbeconsideredforthemanagementfunctionsin0FMT:

a. Managingthecryptographicfunctionality.

Audit:FCS_CKM_EXT.4Therearenoauditableeventsforeseen.

FCS_CKM_EXT.4CryptographicKeyDestructionHierarchicalto:Noothercomponents.Dependenciesto:[FCS_CKM.1CryptographicKeyGeneration,orFCS_CKM.2CryptographicKeyDistribution]

FCS_CKM_EXT.4.1

TheTSFshallcausedisusedcryptographickeysinvolatilememorytobedestroyedorrenderedunrecoverable.

FCS_CKM_EXT.4.2

TheTSFshallcausedisusedcryptographickeysinnon-volatilestoragetobedestroyedorrenderedunrecoverable.

FCS_ENT_EXTEntropyforVirtualMachines

FamilyBehaviorThisfamilydefinesrequirementsforavailabilityofentropydatageneratedorcollectedbytheTSF.FCS_ENT_EXT FCS_ENT_EXT.1

ComponentLevelingFCS_ENT_EXT.1,Extended:EntropyforVirtualMachines,requirestheTSFtoprovideentropydatatoVMsinaspecifiedmanner.

Management:FCS_ENT_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FCS_ENT_EXT.1Therearenoauditableeventsforeseen.

FCS_ENT_EXT.1Extended:EntropyforVirtualMachinesHierarchicalto:Noothercomponents.Dependenciesto:FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)

FCS_ENT_EXT.1.1

TheTSFshallprovideamechanismtomakeavailabletoVMsentropythatmeetsFCS_RBG_EXT.1through[selection:Hypercallinterface,virtualdeviceinterface,passthroughaccesstohardwareentropysource].

FCS_ENT_EXT.1.2

TheTSFshallprovideindependententropyacrossmultipleVMs.

FCS_HTTPS_EXTHTTPSProtocol

FamilyBehaviorThisfamilydefinesrequirementsforprotectingremotemanagementsessionsbetweentheTOEandaSecurityAdministrator.ThisfamilydescribeshowHTTPSwillbeimplemented.FCS_HTTPS_EXT FCS_HTTPS_EXT.1

ComponentLevelingFCS_HTTPS_EXT.1,HTTPSProtocol,definesrequirementsfortheimplementationoftheHTTPSprotocol.

Management:FCS_HTTPS_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FCS_HTTPS_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. FailuretoestablishanHTTPSsession.b. Establishment/terminationofanHTTPSsession.

FCS_HTTPS_EXT.1HTTPSProtocolHierarchicalto:Noothercomponents.Dependenciesto:[FCS_TLSC_EXT.1TLSClientProtocol,orFCS_TLSC_EXT.2TLSClientProtocolwithMutualAuthentication,orFCS_TLSS_EXT.1TLSServerProtocol,orFCS_TLSS_EXT.2TLSServerProtocolwithMutualAuthentication]

FCS_HTTPS_EXT.1.1

TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.

FCS_HTTPS_EXT.1.2

TheTSFshallimplementHTTPSusingTLS.

FCS_IPSEC_EXTIPsecProtocol

FamilyBehaviorThisfamilydefinesrequirementsforprotectingcommunicationsusingIPsec.FCS_IPSEC_EXT FCS_IPSEC_EXT.1

ComponentLevelingFCS_IPSEC_EXT.1,IPsecProtocol,requiresthatIPsecbeimplementedasspecified.

Management:FCS_IPSEC_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Managingthecryptographicfunctionality.

Audit:FCS_IPSEC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. FailuretoestablishanIPsecSA.b. Establishment/TerminationofanIPsecSA.

FCS_IPSEC_EXT.1IPsecProtocolHierarchicalto:Noothercomponents.Dependenciesto:FCS_CKM.1CryptographicKeyGenerationFCS_CKM.2CryptographicKeyEstablishmentFCS_COP.1CryptographicOperationFCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)FIA_X509_EXT.1X.509CertificateValidation

FCS_IPSEC_EXT.1.1

TheTSFshallimplementtheIPsecarchitectureasspecifiedinRFC4301.

FCS_IPSEC_EXT.1.2

TheTSFshallimplement[selection:transportmode,tunnelmode].

FCS_IPSEC_EXT.1.3

TheTSFshallhaveanominal,finalentryintheSPDthatmatchesanythingthatisotherwiseunmatched,anddiscardsit.

FCS_IPSEC_EXT.1.4

TheTSFshallimplementtheIPsecprotocolESPasdefinedbyRFC4303usingthecryptographicalgorithms[AES-GCM-128,AES-GCM-256(asspecifiedinRFC4106),[selection:AES-CBC-128(specifiedinRFC3602),AES-CBC-256(specifiedinRFC3602),nootheralgorithms]]togetherwithaSecureHashAlgorithm(SHA)-basedHMAC.

FCS_IPSEC_EXT.1.5

TheTSFshallimplementtheprotocol:

[selection:IKEv1,usingMainModeforPhase1exchanges,asdefinedinRFC2407,RFC2408,RFC2409,RFC4109,[selection:nootherRFCsforextendedsequencenumbers,RFC4304forextendedsequencenumbers],[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions],and[selection:supportforXAUTH,nosupportforXAUTH],IKEv2asdefinedinRFC7296(withmandatorysupportforNATtraversalasspecifiedinsection2.23),RFC8784,RFC8247,and[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions].

]

FCS_IPSEC_EXT.1.6

TheTSFshallensuretheencryptedpayloadinthe[selection:IKEv1,IKEv2]protocolusesthecryptographicalgorithmsAES-CBC-128,AES-CBC-256asspecifiedinRFC6379and[selection:AES-GCM-128asspecifiedinRFC5282,AES-GCM-256asspecifiedinRFC5282,nootheralgorithm].

FCS_IPSEC_EXT.1.7

TheTSFshallensurethat[selection:IKEv2SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimesarefixedbasedon[selection:numberofpackets/numberofbytes,lengthoftime].Iflengthoftimeisused,itmustincludeatleastoneoptionthatis24hoursorlessforPhase1SAsand8hoursorlessforPhase2SAs.

]

FCS_IPSEC_EXT.1.8

TheTSFshallensurethatallIKEprotocolsimplementDHgroups[19(256-bitRandomECP),20(384-bitRandomECP),and[selection:24(2048-bitMODPwith256-bitPOS),15(3072-bitMODP),14(2048-bitMODP),nootherDHgroups]].

FCS_IPSEC_EXT.1.9

TheTSFshallgeneratethesecretvaluexusedintheIKEDiffie-Hellmankeyexchange(“x”ingxmodp)usingtherandombitgeneratorspecifiedinFCS_RBG_EXT.1,andhavingalengthofatleast[assignment:(oneormore)number(s)ofbitsthatisatleasttwicethe“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General]bits.

FCS_IPSEC_EXT.1.10

TheTSFshallgeneratenoncesusedinIKEexchangesinamannersuchthattheprobabilitythataspecificnoncevaluewillberepeatedduringthelifeaspecificIPsecSAislessthan1in2^[assignment:(oneormore)“bitsofsecurity”value(s)associatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2of

NISTSP800-57,RecommendationforKeyManagement–Part1:General].

FCS_IPSEC_EXT.1.11

TheTSFshallensurethatallIKEprotocolsperformpeerauthenticationusinga[selection:RSA,ECDSA]thatuseX.509v3certificatesthatconformtoRFC4945and[selection:Pre-sharedKeys,noothermethod].

FCS_IPSEC_EXT.1.12

TheTSFshallnotestablishanSAifthe[[selection:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,DistinguishedName(DN)]and[selection:nootherreferenceidentifiertype,[assignment:othersupportedreferenceidentifiertypes]]]containedinacertificatedoesnotmatchtheexpectedvalue(s)fortheentityattemptingtoestablishaconnection.

FCS_IPSEC_EXT.1.13

TheTSFshallnotestablishanSAifthepresentedidentifierdoesnotmatchtheconfiguredreferenceidentifierofthepeer.

FCS_IPSEC_EXT.1.14

The[selection:TSF,VPNGateway]shallbeabletoensurebydefaultthatthestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase1,IKEv2IKE_SA]connectionisgreaterthanorequaltothestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase2,IKEv2CHILD_SA]connection.

FCS_RBG_EXTCryptographicOperation(RandomBitGeneration)

FamilyBehaviorThisfamilydefinesrequirementsforrandombit/numbergeneration.FCS_RBG_EXT FCS_RBG_EXT.1

ComponentLevelingFCS_RBG_EXT.1,CryptographicOperation(RandomBitGeneration),requiresrandombitgenerationtobeperformedinaccordancewithselectedstandardsandseededbyanentropysource.

Management:FCS_RBG_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FCS_RBG_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Failureoftherandomizationprocess.

FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)Hierarchicalto:Noothercomponents.Dependenciesto:FCS_COP.1CryptographicOperation

FCS_RBG_EXT.1.1

TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)]

FCS_RBG_EXT.1.2

ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:asoftware-basednoisesource,ahardware-basednoisesource]withaminimumof[selection:128bits,192bits,256bits]ofentropyatleastequaltothegreatestsecuritystrengthaccordingtoNISTSP800-57,ofthekeysandhashesthatitwillgenerate.

FDP_HBI_EXTHardware-BasedIsolationMechanisms

FamilyBehaviorThisfamilydefinesrequirementsforisolationofGuestVMsfromthehardwareresourcesofthephysicaldeviceonwhichtheGuestVMsaredeployed.FDP_HBI_EXT FDP_HBI_EXT.1

ComponentLeveling

FDP_HBI_EXT.1,Hardware-BasedIsolationMechanisms,requirestheTSFtoidentifythemechanismsusedtoisolateGuestVMsfromplatformhardwareresources.

Management:FDP_HBI_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FDP_HBI_EXT.1Therearenoauditableeventsforeseen.

FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation

FDP_HBI_EXT.1.1

TheTSFshalluse[selection:nomechanism,[assignment:listofplatform-provided,hardware-basedmechanisms]]toconstrainaGuestVM'sdirectaccesstothefollowingphysicaldevices:[selection:nodevices,[assignment:physicaldevicestowhichtheVMMallowsGuestVMsphysicalaccess]].

FDP_PPR_EXTPhysicalPlatformResourceControls

FamilyBehaviorThisfamilydefinesrequirementsforthephysicalresourcesthattheTOEwillalloworprohibitGuestVMstoaccess.FDP_PPR_EXT FDP_PPR_EXT.1

ComponentLevelingFDP_PPR_EXT.1,PhysicalPlatformResourceControls,requirestheTSFtodefinethehardwareresourcesthatGuestVMsmayalwaysaccess,mayneveraccess,andmayconditionallyaccessbasedonadministrativeconfiguration.

Management:FDP_PPR_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoconfigureVMaccesstophysicaldevices.

Audit:FDP_PPR_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. SuccessfulandfailedVMconnectionstophysicaldeviceswhereconnectionisgovernedbyconfigurablepolicy.

b. Securitypolicyviolations.

FDP_PPR_EXT.1PhysicalPlatformResourceControlsHierarchicalto:Noothercomponents.Dependenciesto:FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsFMT_SMR.1SecurityRoles

FDP_PPR_EXT.1.1

TheTSFshallallowanauthorizedadministratortocontrolGuestVMaccesstothefollowingphysicalplatformresources:[assignment:listofphysicalplatformresourcestheVMMisabletocontrolaccessto].

FDP_PPR_EXT.1.2

TheTSFshallexplicitlydenyallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisexplicitlydenied]].

FDP_PPR_EXT.1.3

TheTSFshallexplicitlyallowallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisalwaysallowed]].

FDP_RIP_EXTResidualInformationinMemory

FamilyBehavior

ThisfamilydefinesrequirementsforensuringthatallocationofdatatoaGuestVMdoesnotcauseadisclosureofresidualdatafromapreviousVM.

FDP_RIP_EXTFDP_RIP_EXT.1FDP_RIP_EXT.2

ComponentLevelingFDP_RIP_EXT.1,ResidualInformationinMemory,requirestheTSFtoensurethatphysicalmemoryisclearedtozerospriortoitsallocationtoaGuestVM.

Management:FDP_RIP_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FDP_RIP_EXT.1Therearenoauditableeventsforeseen.

FDP_RIP_EXT.1ResidualInformationinMemoryHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FDP_RIP_EXT.1.1

TheTSFshallensurethatanypreviousinformationcontentofphysicalmemoryisclearedpriortoallocationtoaGuestVM.

ComponentLevelingFDP_RIP_EXT.2,ResidualInformationonDisk,requirestheTSFtoensurethatphysicaldiskstorageisclearedpriortoitsallocationtoaGuestVM.

Management:FDP_RIP_EXT.2Nospecificmanagementfunctionsareidentified.

Audit:FDP_RIP_EXT.2Therearenoauditableeventsforeseen.

FDP_RIP_EXT.2ResidualInformationonDiskHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FDP_RIP_EXT.2.1

TheTSFshallensurethatanypreviousinformationcontentofphysicaldiskstorageisclearedtozerospriortoallocationtoaGuestVM.

FDP_VMS_EXTVMSeparation

FamilyBehaviorThisfamilydefinesrequirementsforthelogicalseparationofmultipleGuestVMsthataremanagedbythesameVirtualizationSystem.FDP_VMS_EXT FDP_VMS_EXT.1

ComponentLevelingFDP_VMS_EXT.1,VMSeparation,requirestheTSFtomaintainlogicalseparationbetweenGuestVMsexceptthroughtheuseofspecificconfigurablemethods.

Management:FDP_VMS_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigureinter-VMdatasharing.

Audit:FDP_VMS_EXT.1Therearenoauditableeventsforeseen.

FDP_VMS_EXT.1VMSeparationHierarchicalto:Noothercomponents.Dependenciesto:FMT_MSA_EXT.1DefaultDataSharingConfigurationFMT_SMR.1SecurityRoles

FDP_VMS_EXT.1.1

TheVSshallprovidethefollowingmechanismsfortransferringdatabetweenGuestVMs:[selection:nomechanism,virtualnetworking,[assignment:otherinter-VMdatasharingmechanisms]

].

FDP_VMS_EXT.1.2

TheTSFshallallowAdministratorstoconfigurethemechanismsselectedinFDP_VMS_EXT.1.1toenableanddisablethetransferofdatabetweenGuestVMs.

FDP_VMS_EXT.1.3

TheVSshallensurethatnoGuestVMisabletoreadortransferdatatoorfromanotherGuestVMexceptthroughthemechanismslistedinFDP_VMS_EXT.1.1.

FDP_VNC_EXTVirtualNetworkingComponents

FamilyBehaviorThisfamilydefinesrequirementsforconfigurationofvirtualnetworkingbetweenGuestVMsthataremanagedbytheVirtualizationSystem.FDP_VNC_EXT FDP_VNC_EXT.1

ComponentLevelingFDP_VNC_EXT.1,VirtualNetworkingComponents,requirestheTSFtosupporttheconfigurationofvirtualnetworkingbetweenGuestVMs.

Management:FDP_VNC_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoconfigurevirtualnetworksincludingVM.

Audit:FDP_VNC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. SuccessfulandfailedattemptstoconnectVMstovirtualandphysicalnetworkingcomponents.b. Securitypolicyviolations.c. Administratorconfigurationofinter-VMcommunicationschannelsbetweenVMs.

FDP_VNC_EXT.1VirtualNetworkingComponentsHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparationFMT_SMR.1SecurityRoles

FDP_VNC_EXT.1.1

TheTSFshallallowAdministratorstoconfigurevirtualnetworkingcomponentstoconnectVMstoeachother,andtophysicalnetworks.

FDP_VNC_EXT.1.2

TheTSFshallensurethatnetworktrafficvisibletoaGuestVMonavirtualnetwork--orvirtualsegmentofaphysicalnetwork--isvisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetworkorsegment.

FIA_AFL_EXTAuthenticationFailureHandling

FamilyBehaviorThisfamilydefinesrequirementsfordetectionandpreventionofbruteforceauthenticationattempts.FIA_AFL_EXT FIA_AFL_EXT.1

ComponentLevelingFIA_AFL_EXT.1,AuthenticationFailureHandling,requirestheTSFtolockanadministratoraccountwhenanexcessivenumberoffailedauthenticationattemptshavebeenobserveduntilsomerestorativeeventoccurstoenabletheaccount.

Management:FIA_AFL_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigurelockoutpolicythroughunsuccessfulauthenticationattempts.b. Abilitytounlockalockedadministratoraccount.

Audit:FIA_AFL_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Thresholdreachedforsuccessivefailedauthenticationattempts.

FIA_AFL_EXT.1AuthenticationFailureHandlingHierarchicalto:Noothercomponents.Dependenciesto:FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationFMT_SMR.1SecurityRoles

FIA_AFL_EXT.1.1

TheTSFshalldetectwhen[selection:[assignment:apositiveintegernumber],anadministratorconfigurablepositiveintegerwithina[assignment:rangeofacceptablevalues]

]unsuccessfulauthenticationattemptsoccurrelatedtoAdministratorsattemptingtoauthenticateremotelyusing[selection:usernameandpassword,usernameandPIN].

FIA_AFL_EXT.1.2

Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmet,theTSFshall:[selection:preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntil[assignment:actiontounlock]istakenbyanAdministrator,preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntilanAdministratordefinedtimeperiodhaselapsed]

FIA_PMG_EXTPasswordManagement

FamilyBehaviorThisfamilydefinesrequirementsforthecompositionofadministratorpasswords.FIA_PMG_EXT FIA_PMG_EXT.1

ComponentLevelingFIA_PMG_EXT.1,PasswordManagement,requirestheTSFtoensurethatadministratorpasswordsmeetadefinedpasswordpolicy.

Management:FIA_PMG_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoconfigureAdministratorpasswordpolicy.

Audit:FIA_PMG_EXT.1Therearenoauditableeventsforeseen.

FIA_PMG_EXT.1PasswordManagementHierarchicalto:Noothercomponents.Dependenciesto:FIA_UIA_EXT.1AdministratorIdentificationandAuthentication

FIA_PMG_EXT.1.1

TheTSFshallprovidethefollowingpasswordmanagementcapabilitiesforadministrativepasswords:

a. Passwordsshallbeabletobecomposedofanycombinationofupperandlowercasecharacters,digits,andthefollowingspecialcharacters:[selection:“!”,“@”,“#”,“$”,“%”,“^”,“&”,“*”,“(“,“)”,[assignment:othercharacters]]

b. Minimumpasswordlengthshallbeconfigurablec. Passwordsofatleast15charactersinlengthshallbesupported

FIA_UIA_EXTAdministratorIdentificationandAuthentication

FamilyBehaviorThisfamilydefinesrequirementsforensuringthataccesstotheTSFisnotgrantedtounauthenticated

subjects.FIA_UIA_EXT FIA_UIA_EXT.1

ComponentLevelingFIA_UIA_EXT.1,AdministratorIdentificationandAuthentication,requirestheTSFtoensurethatallsubjectsattemptingtoperformTSF-mediatedactionsareidentifiedandauthenticatedpriortoauthorizingtheseactionstobeperformed.

Management:FIA_UIA_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FIA_UIA_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Administratorauthenticationattempts.b. Alluseoftheidentificationandauthenticationmechanism.c. Administratorsessionstarttimeandendtime.

FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationHierarchicalto:Noothercomponents.Dependenciesto:FIA_UAU.5MultipleAuthenticationMechanisms

FIA_UIA_EXT.1.1

TheTSFshallrequireAdministratorstobesuccessfullyidentifiedandauthenticatedusingoneofthemethodsinFIA_UAU.5beforeallowinganyTSF-mediatedmanagementfunctiontobeperformedbythatAdministrator.

FIA_X509_EXTX.509Certificate

FamilyBehaviorThisfamilydefinesrequirementsforthevalidationanduseofX.509certificates.

FIA_X509_EXTFIA_X509_EXT.1FIA_X509_EXT.2

ComponentLevelingFIA_X509_EXT.1,X.509CertificateValidation,defineshowtheTSFmustvalidateX.509certificatesthatarepresentedtoit.

Management:FIA_X509_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Configurationofcertificaterevocationcheckingmethod.

Audit:FIA_X509_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Failuretovalidateacertificate.

FIA_X509_EXT.1X.509CertificateValidationHierarchicalto:Noothercomponents.Dependenciesto:FPT_STM.1ReliableTimeStamps

FIA_X509_EXT.1.1

TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:RFC5280certificatevalidationandcertificatepathvalidationThecertificatepathmustterminatewithatrustedcertificateTheTOEshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidaterevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,aCRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:

CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1with

OID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningPurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.

FIA_X509_EXT.1.2

TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.

ComponentLevelingFIA_X509_EXT.2,X.509CertificateAuthentication,requirestheTSFtoidentifythefunctionsforwhichitusesX.509certificatesforauthentication

Management:FIA_X509_EXT.2ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. ConfigurationofTSFbehaviorwhencertificaterevocationstatuscannotbedetermined.

Audit:FIA_X509_EXT.2Therearenoauditableeventsforeseen.

FIA_X509_EXT.2X.509CertificateAuthenticationHierarchicalto:Noothercomponents.Dependenciesto:FIA_X509_EXT.1X.509CertificateValidationFTP_ITC_EXT.1TrustedChannelCommunications

FIA_X509_EXT.2.1

TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationfor[selection:IPsec,TLS,HTTPS,SSH],and[selection:codesigningforsystemsoftwareupdates,codesigningforintegrityverification,[assignment:otheruses],noadditionaluses]

FIA_X509_EXT.2.2

WhentheTSFcannotestablishaconnectiontodeterminethevalidityofacertificate,theTSFshall[selection:allowtheadministratortochoosewhethertoacceptthecertificateinthesecases,acceptthecertificate,notacceptthecertificate].

FMT_MSA_EXTDefaultDataSharingConfiguration

FamilyBehaviorThisfamilydefinesrequirementsforthedefaultdatasharingbehaviorforGuestVMs.FMT_MSA_EXT FMT_MSA_EXT.1

ComponentLevelingFMT_MSA_EXT.1,DefaultDataSharingConfiguration,requirestheTSFtodefineitsdefaultsecuritypostureforsharingofdatabetweenGuestVMs.

Management:FMT_MSA_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytosetdefaultinitialVMconfigurations.

Audit:FMT_MSA_EXT.1Therearenoauditableeventsforeseen.

FMT_MSA_EXT.1DefaultDataSharingConfigurationHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation

FMT_MSA_EXT.1.1

TheTSFshallbydefaultenforceapolicyprohibitingsharingofdatabetweenGuestVMs.

FMT_MSA_EXT.1.2

TheTSFshallallowAdministratorstospecifyalternativeinitialconfigurationvaluestooverridethedefaultvalueswhenaGuestVMiscreated.

FMT_SMO_EXTSeparationofManagementandOperationalNetworks

FamilyBehaviorThisfamilydefinesrequirementsforseparationofmanagementandoperationalnetworks.FMT_SMO_EXT FMT_SMO_EXT.1

ComponentLevelingFMT_SMO_EXT.1,SeparationofManagementandOperationalNetworks,requirestheTSFtoseparateitsmanagementandoperationalnetworksthroughadefinedmechanism.

Management:FMT_SMO_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FMT_SMO_EXT.1Therearenoauditableeventsforeseen.

FMT_SMO_EXT.1SeparationofManagementandOperationalNetworksHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FMT_SMO_EXT.1.1

TheTSFshallsupporttheconfigurationofseparatemanagementandoperationalnetworksthrough[selection:physicalmeans,logicalmeans,trustedchannel].

FPT_DDI_EXTDeviceDriverIsolation

FamilyBehaviorThisfamilydefinesrequirementsforisolationofdevicedriversFPT_DDI_EXT FPT_DDI_EXT.1

ComponentLevelingFPT_DDI_EXT.1,DeviceDriverIsolation,requirestheTSFtoisolatedevicedriversforphysicaldevicesfromallvirtualdomains.

Management:FPT_DDI_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_DDI_EXT.1Therearenoauditableeventsforeseen.

FPT_DDI_EXT.1DeviceDriverIsolationHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_DDI_EXT.1.1

TheTSFshallensurethatdevicedriversforphysicaldevicesareisolatedfromtheVMMandallotherdomains.

FPT_DVD_EXTNon-ExistenceofDisconnectedVirtualDevices

FamilyBehaviorThisfamilydefinesrequirementsforensuringthatGuestVMscannotaccessthedevicedriversfordisabledordisconnectedvirtualdevices.FPT_DVD_EXT FPT_DVD_EXT.1

ComponentLevelingFPT_DVD_EXT.1,Non-ExistenceofDisconnectedVirtualDevices,requirestheTSFtopreventGuestVMsfromaccessingvirtualdevicesthatitisnotconfiguredtohaveaccessto.

Management:FPT_DVD_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_DVD_EXT.1Therearenoauditableeventsforeseen.

FPT_DVD_EXT.1Non-ExistenceofDisconnectedVirtualDevicesHierarchicalto:Noothercomponents.Dependenciesto:FPT_VDP_EXT.1VirtualDeviceParameters

FPT_DVD_EXT.1.1

TheTSFshalllimitaGuestVM’saccesstovirtualdevicestothosethatarepresentintheVM’scurrentvirtualhardwareconfiguration.

FPT_EEM_EXTExecutionEnvironmentMitigations

FamilyBehaviorThisfamilydefinesrequirementsfortheTOE’scompatibilitywithplatformmechanismsthatpreventvulnerabilitiesthatallowfortheexecutionofunauthorizedcodeorbypassofaccessrestrictionsonmemoryorstorage.FPT_EEM_EXT FPT_EEM_EXT.1

ComponentLevelingFPT_EEM_EXT.1,ExecutionEnvironmentMitigations,requirestheTSFtoidentifytheexecutionenvironment-basedprotectionmechanismsthatitcanuseforself-protection.

Management:FPT_EEM_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_EEM_EXT.1Therearenoauditableeventsforeseen.

FPT_EEM_EXT.1ExecutionEnvironmentMitigationsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_EEM_EXT.1.1

TheTSFshalltakeadvantageofexecutionenvironment-basedvulnerabilitymitigationmechanismssupportedbythePlatformsuchas:[selection:

Addressspacerandomization,Memoryexecutionprotection(e.g.,DEP),Stackbufferoverflowprotection,Heapcorruptiondetection,[assignment:othermechanisms],Nomechanisms

]

FPT_GVI_EXTGuestVMIntegrity

FamilyBehaviorThisfamilydefinesrequirementsfortheTOEtoasserttheintegrityofGuestVMs.FPT_GVI_EXT FPT_GVI_EXT.1

ComponentLevelingFPT_GVI_EXT.1,GuestVMIntegrity,requirestheTSFtospecifythemechanismsitusestoverifytheintegrityofGuestVMs.

Management:FPT_GVI_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_GVI_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Actionstakenduetofailedintegritycheck.

FPT_GVI_EXT.1GuestVMIntegrityHierarchicalto:Noothercomponents.

Dependenciesto:Nodependencies.

FPT_GVI_EXT.1.1

TheTSFshallverifytheintegrityofGuestVMsthroughthefollowingmechanisms:[assignment:listofGuestVMintegritymechanisms].

FPT_HAS_EXTHardwareAssists

FamilyBehaviorThisfamilydefinesrequirementsforuseofhardware-basedvirtualizationassistsasperformanceenhancements.FPT_HAS_EXT FPT_HAS_EXT.1

ComponentLevelingFPT_HAS_EXT.1,HardwareAssists,requirestheTSFtoidentifythehardwareassistsitusestoreduceTOEcomplexity.

Management:FPT_HAS_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_HAS_EXT.1Therearenoauditableeventsforeseen.

FPT_HAS_EXT.1HardwareAssistsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_HAS_EXT.1.1

TheVMMshalluse[assignment:listofhardware-basedvirtualizationassists]toreduceoreliminatetheneedforbinarytranslation.

FPT_HAS_EXT.1.2

TheVMMshalluse[assignment:listofhardware-basedvirtualizationmemory-handlingassists]toreduceoreliminatetheneedforshadowpagetables.

FPT_HCL_EXTHypercallControls

FamilyBehaviorThisfamilydefinesrequirementsforcontrolofHypercallinterfaces.FPT_HCL_EXT FPT_HCL_EXT.1

ComponentLevelingFPT_HCL_EXT.1,HypercallControls,requirestheTSFtoimplementaHypercallinterfacewithappropriateaccesscontrolstoprotectGuestVMsfromunauthorizedaccessviathisinterface.

Management:FPT_HCL_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoenable/disableVMaccesstoHypercallfunctions.

Audit:FPT_HCL_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. AttemptstoaccessdisabledHypercallinterfaces.b. Securitypolicyviolations.

FPT_HCL_EXT.1HypercallControlsHierarchicalto:Noothercomponents.Dependenciesto:FMT_SMR.1SecurityRoles

FPT_HCL_EXT.1.1

TheTSFshallprovideaHypercallinterfaceforGuestVMstousetoinvokefunctionalityprovidedbytheVMM.

FPT_HCL_EXT.1.2

TheTSFshallallowadministratorstoconfigureanyVM’sHypercallinterfacetodisableaccesstoindividualfunctions,allfunctions,orgroupsoffunctions.

FPT_HCL_EXT.1.3

TheTSFshallpermitexceptionstotheconfigurationofthefollowingHypercallinterfacefunctions:[assignment:listoffunctionsthatarenotsubjecttotheconfigurationcontrolsinFPT_HCL_EXT.1.2].

FPT_HCL_EXT.1.4

TheTSFshallvalidatetheparameterspassedtothehypercallinterfacepriortoexecutionoftheVMMfunctionalityexposedbythatinterface.

FPT_IDV_EXTSoftwareIdentificationandVersions

FamilyBehaviorThisfamilydefinesrequirementsfortheuseofSWIDtagstoidentifytheTOE.FPT_IDV_EXT FPT_IDV_EXT.1

ComponentLevelingFPT_IDV_EXT.1,SoftwareIdentificationandVersions,requirestheTSFtoidentifyitselfusingSWIDtags.

Management:FPT_IDV_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_IDV_EXT.1Therearenoauditableeventsforeseen.

FPT_IDV_EXT.1SoftwareIdentificationandVersionsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_IDV_EXT.1.1

TheTSFshallincludesoftwareidentification(SWID)tagsthatcontainaSoftwareIdentityelementandanEntityelementasdefinedinISO/IEC19770-2:2009.

FPT_IDV_EXT.1.2

TheTSFshallstoreSWIDsina.swidtagfileasdefinedinISO/IEC19770-2:2009.

FPT_INT_EXTSupportforIntrospection

FamilyBehaviorThisfamilydefinesrequirementsforsupportingVMintrospection.FPT_INT_EXT FPT_INT_EXT.1

ComponentLevelingFPT_INT_EXT.1,SupportforIntrospection,requirestheTSFtosupportintrospection.

Management:FPT_INT_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_INT_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Introspectioninitiated/enabled.

FPT_INT_EXT.1SupportforIntrospectionHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_INT_EXT.1.1

TheTSFshallsupportamechanismforpermittingtheVMMorprivilegedVMstoaccesstheinternalsof

anotherVMforpurposesofintrospection.

FPT_ML_EXTMeasuredLaunchofPlatformandVMM

FamilyBehaviorThisfamilydefinesrequirementsformeasuredlaunch.FPT_ML_EXT FPT_ML_EXT.1

ComponentLevelingFPT_ML_EXT.1,MeasuredLaunchofPlatformandVMM,requirestheTSFtosupportameasuredlaunchofitself.

Management:FPT_ML_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_ML_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Integritymeasurementscollected.

FPT_ML_EXT.1MeasuredLaunchofPlatformandVMMHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_ML_EXT.1.1

TheTSFshallsupportameasuredlaunchoftheVirtualizationSystem.MeasuredcomponentsoftheVSshallincludethestaticexecutableimageoftheHypervisorand:[selection:

StaticexecutableimagesoftheManagementSubsystem,[assignment:listof(staticimagesof)ServiceVMs],[assignment:listofconfigurationfiles],noothercomponents

]

FPT_ML_EXT.1.2

TheTSFshallmakethemeasurementsselectedinFPT_ML_EXT.1.1availabletotheManagementSubsystem.

FPT_RDM_EXTRemovableDevicesandMedia

FamilyBehaviorThisfamilydefinesrequirementsforenforcementofdomainisolationwhenremovabledevicescanbeconnectedtoadomain.FPT_RDM_EXT FPT_RDM_EXT.1

ComponentLevelingFPT_RDM_EXT.1,RemovableDevicesandMedia,requirestheTSFtoensurethatVMsarenotinadvertentlygivenaccesstoinformationindifferentdomainsbecauseremovablemediaissimultaneouslyaccessiblefromseparatedomains.

Management:FPT_RDM_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigureremovablemediapolicy.

Audit:FPT_RDM_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Connection/disconnectionofremovablemediaordeviceto/fromaVM.b. Ejection/insertionofremovablemediaordevicefrom/toanalreadyconnectedVM.

FPT_RDM_EXT.1RemovableDevicesandMediaHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation

FPT_RDM_EXT.1.1

TheTSFshallimplementcontrolsforhandlingthetransferofvirtualandphysicalremovablemediaandvirtualandphysicalremovablemediadevicesbetweeninformationdomains.

FPT_RDM_EXT.1.2

TheTSFshallenforcethefollowingruleswhen[assignment:virtualorphysicalremovablemediaandvirtualorphysicalremovablemediadevices]areswitchedbetweeninformationdomains,then[selection:

theAdministratorhasgrantedexplicitaccessforthemediaordevicetobeconnectedtothereceivingdomain,themediainadevicethatisbeingtransferredisejectedpriortothereceivingdomainbeingallowedaccesstothedevice,theuserofthereceivingdomainexpresslyauthorizestheconnection,thedeviceormediathatisbeingtransferredispreventedfrombeingaccessedbythereceivingdomain

]

FPT_TUD_EXTTrustedUpdates

FamilyBehaviorThisfamilydefinesrequirementsforensuringthatupdatestotheTOEsoftwareandfirmwarearegenuine.

FPT_TUD_EXTFPT_TUD_EXT.1FPT_TUD_EXT.2

ComponentLevelingFPT_TUD_EXT.1,TrustedUpdatestotheVirtualizationSystem,requirestheTSFtodefinethemechanismforapplyingandverifyingTOEupdates.

Management:FPT_TUD_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoupdatetheVirtualizationSystem.

Audit:FPT_TUD_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Initiationofupdate.b. Failureofsignatureverification.

FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemHierarchicalto:Noothercomponents.Dependenciesto:FCS_COP.1CryptographicOperation

FPT_TUD_EXT.1.1

TheTSFshallprovideadministratorstheabilitytoquerythecurrentlyexecutedversionoftheTOEfirmware/softwareaswellasthemostrecentlyinstalledversionoftheTOEfirmware/software.

FPT_TUD_EXT.1.2

TheTSFshallprovideadministratorstheabilitytomanuallyinitiateupdatestoTOEfirmware/softwareand[selection:automaticupdates,nootherupdatemechanism].

FPT_TUD_EXT.1.3

TheTSFshallprovidemeanstoauthenticatefirmware/softwareupdatestotheTOEusinga[selection:digitalsignaturemechanismusingcertificates,digitalsignaturemechanismnotusingcertificates,publishedhash]priortoinstallingthoseupdates.

ComponentLevelingFPT_TUD_EXT.2,TrustedUpdateBasedonCertificates,requirestheTSFtovalidateupdatesusingacodesigningcertificate.

Management:FPT_TUD_EXT.2Nospecificmanagementfunctionsareidentified.

Audit:FPT_TUD_EXT.2Therearenoauditableeventsforeseen.

FPT_TUD_EXT.2TrustedUpdateBasedonCertificatesHierarchicalto:Noothercomponents.

Dependenciesto:FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemFIA_X509_EXT.1X.509ValidationFIA_X509_EXT.2X.509Authentication

FPT_TUD_EXT.2.1

TheTSFshallnotinstallanupdateifthecodesigningcertificateisdeemedinvalid.

FPT_VDP_EXTVirtualDeviceParameters

FamilyBehaviorThisfamilydefinesrequirementsforprocessingdatatransmittedtotheTOEfromaGuestVM.FPT_VDP_EXT FPT_VDP_EXT.1

ComponentLevelingFPT_VDP_EXT.1,VirtualDeviceParameters,,requirestheTSFtointerfacewithGuestVMsthroughvirtualhardwareabstractionssothatanydatatransmittedtotheTOEfromaGuestVMcanbevalidatedaswell-formed.

Management:FPT_VDP_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_VDP_EXT.1Therearenoauditableeventsforeseen.

FPT_VDP_EXT.1VirtualDeviceParametersHierarchicalto:Noothercomponents.Dependenciesto:FPT_VIV_EXT.1VMMIsolationfromVMs

FPT_VDP_EXT.1.1

TheTSFshallprovideinterfacesforvirtualdevicesimplementedbytheVMMaspartofthevirtualhardwareabstraction.

FPT_VDP_EXT.1.2

TheTSFshallvalidatetheparameterspassedtothevirtualdeviceinterfacepriortoexecutionoftheVMMfunctionalityexposedbythoseinterfaces.

FPT_VIV_EXTVMMIsolationfromVMs

FamilyBehaviorThisfamilydefinesrequirementsforensuringtheTOEislogicallyisolatedfromitsGuestVMsFPT_VIV_EXT FPT_VIV_EXT.1

ComponentLevelingFPT_VIV_EXT.1,VMMIsolationfromVMs,requirestheTSFtoensurethatthereisnomechanismbywhichaGuestVMcaninterfacewiththeTOE,otherVMs,orthehardwareplatformwithoutauthorization.

Management:FPT_VIV_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_VIV_EXT.1Therearenoauditableeventsforeseen.

FPT_VIV_EXT.1VMMIsolationfromVMsHierarchicalto:Noothercomponents.Dependenciesto:FDP_PPR_EXT.1PhysicalPlatformResourceControlsFDP_VMS_EXT.1VMSeparation

FPT_VIV_EXT.1.1

TheTSFmustensurethatsoftwarerunninginaVMisnotabletodegradeordisruptthefunctioningofotherVMs,theVMM,orthePlatform.

FPT_VIV_EXT.1.2

TheTSFmustensurethataGuestVMisunabletoinvokeplatformcodethatrunsataprivilegelevelequaltoorexceedingthatoftheVMMwithoutinvolvementoftheVMM.

FTP_ITC_EXTTrustedChannelCommunications

FamilyBehaviorThisfamilydefinesrequirementsforprotectionofdataintransitbetweentheTOEanditsoperationalenvironment.FTP_ITC_EXT FTP_ITC_EXT.1

ComponentLevelingFTP_ITC_EXT.1,TrustedChannelCommunications,requirestheTSFtoimplementoneormorecryptographicprotocolstosecureconnectivitybetweentheTSFandvariousexternalentities.

Management:FTP_ITC_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigurethecryptographicfunctionality.

Audit:FTP_ITC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Initiationofthetrustedchannel.b. Terminationofthetrustedchannel.c. Failuresofthetrustedpathfunctions.

FTP_ITC_EXT.1TrustedChannelCommunicationsHierarchicalto:Noothercomponents.Dependenciesto:FAU_STG_EXT.1Off-LoadingofAuditData

FTP_ITC_EXT.1.1

TheTSFshalluse[selection:TLSasconformingtotheFunctionalPackageforTransportLayerSecurity,TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1,IPsecasconformingtoFCS_IPSEC_EXT.1,SSHasconformingtotheExtendedPackageforSecureShell

]toprovideatrustedcommunicationchannelbetweenitself,and

auditservers(asrequiredbyFAU_STG_EXT.1),and[selection:

remoteadministrators(asrequiredbyFTP_TRP.1.1ifselectedinFMT_MOF_EXT.1.1intheClientorServerPP-Module),separationofmanagementandoperationalnetworks(ifselectedinFMT_SMO_EXT.1),[assignment:othercapabilities],noothercapabilities

]thatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafromdisclosureanddetectionofmodificationofthecommunicateddata.

FTP_UIF_EXTUserInterface

FamilyBehaviorThisfamilydefinesrequirementsforunambiguouslyidentifyingthespecificGuestVMthataTOEuserisinteractingwithatanygivenpointintime.

FTP_UIF_EXTFTP_UIF_EXT.1FTP_UIF_EXT.2

ComponentLevelingFTP_UIF_EXT.1,UserInterface:I/OFocus,requirestheTSFtounambiguouslyidentifytheGuestVMthathasthecurrentinputfocusforinputperipherals.

Management:FTP_UIF_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FTP_UIF_EXT.1Therearenoauditableeventsforeseen.

FTP_UIF_EXT.1UserInterface:I/OFocusHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies

FTP_UIF_EXT.1.1

TheTSFshallindicatetouserswhichVM,ifany,hasthecurrentinputfocus.

ComponentLevelingFTP_UIF_EXT.2,UserInterface:IdentificationofVM,requirestheTOEtoperformpoweronself-teststoverifyitsfunctionalityandtheintegrityofitsstoredexecutablecode.

Management:FTP_UIF_EXT.2Nospecificmanagementfunctionsareidentified.

Audit:FTP_UIF_EXT.2Therearenoauditableeventsforeseen.

FTP_UIF_EXT.2UserInterface:IdentificationofVMHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies

FTP_UIF_EXT.2.1

TheTSFshallsupporttheuniqueidentificationofaVM’soutputdisplaytousers.

AppendixD-ImplicitlySatisfiedRequirementsThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisProtectionProfile.However,theserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainsttheProtectionProfileprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated.ThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisPP.TheserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainstthePPprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated.Table9:ImplicitlySatisfiedRequirements

Requirement RationaleforSatisfaction

FAU_GEN.1–AuditDataGeneratio

FAU_GEN.1hasadependencyonFPT_STM.1.WhilenotexplicitlystatedinthePP,itisassumedthatthiswillbeprovidedbytheunderlyinghardwareplatformonwhichtheTOEisinstalled.ThisisbecausetheTOEisinstalledasasoftwareorfirmwareproductthatrunsongeneral-purposecomputinghardwaresoahardwareclockisassumedtobeavailable.

FCS_CKM.1–CryptographicKeyGeneration

FCS_CKM.1hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.

FCS_CKM.2–CryptographicKeyEstablishment

FCS_CKM.2hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.

FCS_COP.1–CryptographicOperation

EachiterationofFCS_COP.1hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.

FIA_X509_EXT.1–X.509CertificateValidation

FIA_X509_EXT.1hasadependencyonFPT_STM.1.WhilenotexplicitlystatedinthePP,itisassumedthatthiswillbeprovidedbytheunderlyinghardwareplatformonwhichtheTOEisinstalled.ThisisbecausetheTOEisinstalledasasoftwareorfirmwareproductthatrunsongeneral-purposecomputinghardwaresoahardwareclockisassumedtobeavailable.

FMT_SMR.2–RestrictionsonSecurityRoles

FMT_SMR.2hasadependencyonFIA_UID.1.TheextendedSFRFIA_UID_EXT.1expressesthisdependencybyalsorequiringuseridentificationforuseoftheTOE.

AppendixE-EntropyDocumentationandAssessment

E.1DesignDescriptionDocumentationshallincludethedesignoftheentropysourceasawhole,includingtheinteractionofallentropysourcecomponents.Itwilldescribetheoperationoftheentropysourcetoincludehowitworks,howentropyisproduced,andhowunprocessed(raw)datacanbeobtainedfromwithintheentropysourcefortestingpurposes.Thedocumentationshouldwalkthroughtheentropysourcedesignindicatingwheretherandomcomesfrom,whereitispassednext,anypost-processingoftherawoutputs(hash,XOR,etc.),if/whereitisstored,andfinally,howitisoutputfromtheentropysource.Anyconditionsplacedontheprocess(e.g.,blocking)shouldalsobedescribedintheentropysourcedesign.Diagramsandexamplesareencouraged.

Thisdesignmustalsoincludeadescriptionofthecontentofthesecurityboundaryoftheentropysourceandadescriptionofhowthesecurityboundaryensuresthatanadversaryoutsidetheboundarycannotaffecttheentropyrate.

E.2EntropyJustificationThereshouldbeatechnicalargumentforwheretheunpredictabilityinthesourcecomesfromandwhythereisconfidenceintheentropysourceexhibitingprobabilisticbehavior(anexplanationoftheprobabilitydistributionandjustificationforthatdistributiongiventheparticularsourceisonewaytodescribethis).ThisargumentwillincludeadescriptionoftheexpectedentropyrateandexplainhowyouensurethatsufficiententropyisgoingintotheTOErandomizerseedingprocess.Thisdiscussionwillbepartofajustificationforwhytheentropysourcecanbereliedupontoproducebitswithentropy.

E.3OperatingConditionsDocumentationwillalsoincludetherangeofoperatingconditionsunderwhichtheentropysourceisexpectedtogeneraterandomdata.Itwillclearlydescribethemeasuresthathavebeentakeninthesystemdesigntoensuretheentropysourcecontinuestooperateunderthoseconditions.Similarly,documentationshalldescribetheconditionsunderwhichtheentropysourceisknowntomalfunctionorbecomeinconsistent.Methodsusedtodetectfailureordegradationofthesourceshallbeincluded.

E.4HealthTestingMorespecifically,allentropysourcehealthtestsandtheirrationalewillbedocumented.Thiswillincludeadescriptionofthehealthtests,therateandconditionsunderwhicheachhealthtestisperformed(e.g.,atstartup,continuously,oron-demand),theexpectedresultsforeachhealthtest,andrationaleindicatingwhyeachtestisbelievedtobeappropriatefordetectingoneormorefailuresintheentropysource.

AppendixF-EquivalencyGuidelines

F.1IntroductionThepurposeofequivalenceinPP-basedevaluationsistofindabalancebetweenevaluationrigorandcommercialpracticability--toensurethatevaluationsmeetcustomerexpectationswhilerecognizingthatthereislittletobegainedfromrequiringthateveryvariationinaproductorplatformbefullytested.IfaproductisfoundtobecompliantwithaPPononeplatform,thenallequivalentproductsonequivalentplatformsarealsoconsideredtobecompliantwiththePP.

AVendorcanmakeaclaimofequivalenceiftheVendorbelievesthataparticularinstanceoftheirProductimplementsPP-specifiedsecurityfunctionalityinawayequivalenttotheimplementationofthesamefunctionalityonanotherinstanceoftheirProductonwhichthefunctionalitywastested.TheProductinstancescandifferinversionnumberorfeaturelevel(model),ortheinstancesmayrunondifferentplatforms.Equivalencycanbeusedtoreducethetestingrequiredacrossclaimedevaluatedconfigurations.ItcanalsobeusedduringAssuranceMaintenancetoreducetestingneededtoaddmoreevaluatedconfigurationstoacertification.

TheseequivalencyguidelinesdonotreplaceAssuranceMaintenancerequirementsorNIAPPolicy#5requirementsforCAVPcertificates.Normayequivalencybeusedtoleverageevaluationswithexpiredcertifications.

ThisdocumentprovidesguidancefordeterminingwhetherProductsandPlatformsareequivalentforpurposesofevaluationagainsttheProtectionProfileforVirtualization(VPP)wheninstantiatedwitheithertheClientorServerPP-Module.

Equivalencehastwoaspects:

1. ProductEquivalence:ProductsmaybeconsideredequivalentiftherearenodifferencesbetweenProductModelsandProductVersionswithrespecttoPP-specifiedsecurityfunctionality.

2. PlatformEquivalence:PlatformsmaybeconsideredequivalentiftherearenosignificantdifferencesintheservicestheyprovidetotheProduct--orinthewaytheplatformsprovidethoseservices--withrespecttoPP-specifiedsecurityfunctionality.

TheequivalencydeterminationismadeinaccordancewiththeseguidelinesbytheValidatorandSchemeusinginformationprovidedbytheEvaluator/Vendor.

F.2ApproachtoEquivalencyAnalysisTherearetwoscenariosforperformingequivalencyanalysis.Oneiswhenaproducthasbeencertifiedandthevendorwantstoshowthatalaterproductshouldbeconsideredcertifiedduetoequivalencewiththeearlierproduct.Theotheriswhenmultipleproductvariantsaregoingthoughevaluationtogetherandthevendorwouldliketoreducetheamountoftestingthatmustbedone.Thebasicrulesfordeterminingequivalencearethesameinbothcases.Butthereisoneadditionalconsiderationthatappliestoequivalencewithpreviouslycertifiedproducts.Thatis,theproductwithwhichequivalenceisbeingclaimedmusthaveavalidcertificationinaccordancewithschemerulesandtheAssuranceMaintenanceprocessmustbefollowed.Ifaproduct’scertificationhasexpired,thenequivalencecannotbeclaimedwiththatproduct.

Whenperformingequivalencyanalysis,theEvaluator/VendorshouldfirstusethefactorsandguidelinesforProductModelequivalencetodeterminethesetofProductModelstobeevaluated.Ingeneral,ProductModelsthatdonotdifferinPP-specifiedsecurityfunctionalityareconsideredequivalentforpurposesofevaluationagainsttheVPP.

IfmultiplerevisionlevelsofProductModelsaretobeevaluated--ortodeterminewhetherarevisionofanevaluatedproductneedsre-evaluation--theEvaluator/VendorandValidatorshouldusethefactorsandguidelinesforProductVersionequivalencetodeterminewhetherProductVersionsareequivalent.

HavingdeterminedthesetofProductModelsandVersionstobeevaluated,thenextstepistodeterminethesetofPlatformsthattheProductsmustbetestedon.

Eachnon-equivalentProductforwhichcomplianceisclaimedmustbefullytestedoneachnon-equivalentplatformforwhichcomplianceisclaimed.Fornon-equivalentProductsonequivalentplatforms,onlythedifferencesthataffectPP-specifiedsecurityfunctionalitymustbetestedforeachproduct.

IfthesetofequivalentProductsincludesonlybare-metalinstallations,thentheequivalencyanalysisiscomplete.Butifanymembersofthesetincludehostedinstallationsorinstallationsthatintegratewithanexistinghostoperatingsystemorcontroldomain,thensoftwareplatformequivalencemustbetakenintoconsideration.TheEvaluator/VendorandValidatorshouldusethefactorsandguidanceforsoftwareplatformequivalencetodeterminewhetherdifferentmodelsorversionsofhostorcontroldomainoperatingsystemsrequireseparatetesting.

“DifferencesinPP-SpecifiedSecurityFunctionality”DefinedIfPP-specifiedsecurityfunctionalityisimplementedbytheTOE,thendifferencesintheactualimplementationbetweenversionsorproductmodelsbreakequivalenceforthatfeature.Likewise,iftheTOEimplementsthefunctionalityinoneversionormodelandthefunctionalityisimplementedbytheplatforminanotherversionormodel,thenequivalenceisbroken.Ifthefunctionalityisimplementedbytheplatforminmultiplemodelsorversionsonequivalentplatforms,thenthefunctionalityisconsidereddifferentiftheproductinvokestheplatformdifferentlytoperformthefunction.

F.3SpecificGuidanceforDeterminingProductModelEquivalenceProductModelequivalenceattemptstodeterminewhetherdifferentfeaturelevelsofthesameproductacrossaproductlineareequivalentforpurposesofPPtesting.Forexample,ifaproducthasa“basic”editionandan“enterprise”edition,isitnecessarytotestbothmodels?Ordoestestingonemodelprovidesufficientassurancethatbothmodelsarecompliant?

Table10,below,liststhefactorsfordeterminingProductModelequivalence.

Table10:FactorsforDeterminingProductModelEquivalence

Factor Same/Different Guidance

TargetPlatform

Different ProductModelsthatvirtualizedifferentinstructionsets(e.g.x86,ARM,POWER,SPARC,MIPS)arenotequivalent.

InstallationTypes

Different IfaProductcanbeinstalledeitheronbaremetalorontoanoperatingsystemandthevendorwantstoclaimthatbothinstallationtypesconstituteasingleModel,thenseetheguidancefor“PP-SpecifiedFunctionality,”below.

SoftwarePlatform

Different ProductModelsthatrunonsubstantiallydifferentsoftwareenvironments,suchasdifferenthostoperatingsystems,arenotequivalent.Modelsthatinstallondifferentversionsofthesamesoftwareenvironmentmaybeequivalentdependingonthebelowfactors.

PP-SpecifiedFunctionality

Same IfthedifferencesbetweenModelsaffectonlynon-PP-specifiedfunctionality,thentheModelsareequivalent.

Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferencesbetweenModels,thentheModelsarenotequivalentandmustbetestedseparately.Itisnecessarytotestonlythefunctionalityaffectedbythesoftwaredifferences.Ifonlydifferencesaretested,thenthedifferencesmustbeenumerated,andforeachdifferencetheVendormustprovideanexplanationofwhyeachdifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductModelsarefullytestedseparately,thenthereisnoneedtodocumentthedifferences.

F.4SpecificGuidanceforDeterminingProductVersionEquivalenceIncasesofversionequivalence,differencesareexpressedintermsofchangesimplementedinrevisionsofanevaluatedProduct.Ingeneral,versionsareequivalentifthechangeshavenoeffectonanysecurity-relevantclaimsabouttheTOEorassuranceevidence.Non-security-relevantchangestoTOEfunctionalityortheadditionofnon-security-relevantfunctionalitydoesnotaffectequivalence.

Table11:FactorsforDeterminingProductVersionEquivalence

Factor Same/Different Guidance

ProductModels

Different VersionsofdifferentProductModelsarenotequivalentunlesstheModelsareequivalentasdefinedinSection3.

PP-SpecifiedFunctionality

Same Ifthedifferencesaffectonlynon-PP-specifiedfunctionality,thentheVersionsareequivalent.

Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferences,thentheVersionsareconsideredtobenotequivalentandmustbetestedseparately.Itisnecessaryonlytotestthefunctionalityaffectedbythechanges.Ifonlythedifferencesaretested,thenforeachdifferencetheVendormustprovideanexplanationofwhythedifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductVersionsarefully

testedseparately,thenthereisnoneedtodocumentthedifferences.

F.5SpecificGuidanceforDeterminingPlatformEquivalencePlatformequivalenceisusedtodeterminetheplatformsthataproductmustbetestedon.Theseguidelinesaredividedintosectionsfordetermininghardwareequivalenceandsoftware(hostOS/controldomain)equivalence.IftheProductisinstalledontobaremetal,thenonlyhardwareequivalenceisrelevant.IftheProductisinstalledontoanOS—orisintegratedintoanOS—thenbothhardwareandsoftwareequivalencearerequired.Likewise,iftheProductcanbeinstalledeitheronbaremetaloronanoperatingsystem,bothhardwareandsoftwareequivalencearerelevant.

F.5.1HardwarePlatformEquivalenceIfaVirtualizationSolutionrunsdirectlyonhardwarewithoutanoperatingsystem,thenplatformequivalenceisbasedprimarilyonprocessorarchitectureandinstructionsets.

Platformswithdifferentprocessorarchitecturesandinstructionsetsarenotequivalent.Thisisprobablynotanissuebecausethereislikelytobeadifferentproductmodelfordifferenthardwareenvironments.

Equivalencyanalysisbecomesimportantwhencomparingplatformswiththesameprocessorarchitecture.ProcessorswiththesamearchitecturethathaveinstructionsetsthataresubsetsorsupersetsofeachotherarenotdisqualifiedfrombeingequivalentforpurposesofaVPPevaluation.IftheVStakesthesamecodepathswhenexecutingPP-specifiedsecurityfunctionalityondifferentprocessorsofthesamefamily,thentheprocessorscanbeconsideredequivalentwithrespecttothatapplication.

Forexample,ifaVSfollowsonecodepathonplatformsthatsupporttheAES-NIinstructionandanotheronplatformsthatdonot,thenthosetwoplatformsarenotequivalentwithrespecttothatVSfunctionality.ButiftheVSfollowsthesamecodepathwhetherornottheplatformsupportsAES-NI,thentheplatformsareequivalentwithrespecttothatfunctionality.

TheplatformsareequivalentwithrespecttotheVSiftheplatformsareequivalentwithrespecttoallPP-specifiedsecurityfunctionality.

Table12:FactorsforDeterminingHardwarePlatformEquivalence

Factor Same/Different/None Guidance

PlatformArchitectures

Different Hardwareplatformsthatimplementdifferentprocessorarchitecturesandinstructionsetsarenotequivalent.

PP-SpecifiedFunctionality

Same Forplatformswiththesameprocessorarchitecture,theplatformsareequivalentwithrespecttotheapplicationifexecutionofallPP-specifiedsecurityfunctionalityfollowsthesamecodepathonbothplatforms.

F.5.2SoftwarePlatformEquivalenceIftheProductinstallsontoorintegrateswithanoperatingsystemthatisnotinstalledwiththeproduct--andthusisnotpartoftheTOE--thentheProductmustbetestedonallnon-equivalentSoftwarePlatforms.

TheguidanceforProductModel(Section3)specifiesthatProductsintendedforuseonsubstantiallydifferentoperatingsystems(e.g.Windowsvs.Linuxvs.SunOS)aredifferentModels.Therefore,platformsrunningsubstantiallydifferentoperatingsystemsaredefactonotequivalent.Likewise,operatingsystemswithdifferentmajorversionnumbersarenotequivalentforpurposesofthisPP.

Asaresult,SoftwarePlatformequivalenceislargelyconcernedwithrevisionsandvariationsofoperatingsystemsthataresubstantiallythesame(e.g.differentversionsandrevisionlevelsofWindowsorLinux).

Table13:FactorsforDeterminingSoftwarePlatformEquivalence

Factor Same/Different/None Guidance

PlatformType/Vendor

Different Operatingsystemsthataresubstantiallydifferentorcomefromdifferentvendorsarenotequivalent.

PlatformVersions

Different Operatingsystemsarenotequivalentiftheyhavedifferentmajorversionnumbers.

PP-SpecifiedFunctionality

Same Ifthedifferencesbetweensoftwareplatformmodelsorversionsaffectonlynon-PP-specifiedfunctionality,thenthesoftwareplatformsareequivalent.

Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferencesbetweensoftwareplatformversionsormodels,thenthesoftwareplatformsarenotconsideredequivalentandmustbetestedseparately.Itisnecessaryonlytotestthefunctionalityaffectedbythechanges.Ifonlythedifferencesaretested,thenforeachdifferencetheVendormustprovideanexplanationofwhythedifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductsarefullytestedoneachplatform,thenthereisnoneedtodocumentthedifferences.

F.6LevelofSpecificityforTestedConfigurationsandClaimedEquivalentConfigurationsInordertomakeequivalencydeterminations,thevendorandevaluatormustagreeontheequivalencyclaims.TheymustthenprovidetheschemewithsufficientinformationabouttheTOEinstancesandplatformsthatwereevaluated,andtheTOEinstancesandplatformsthatareclaimedtobeequivalent.

TheSTmustdescribeallconfigurationsevaluateddowntoprocessormanufacturer,modelnumber,andmicroarchitectureversion.

TheinformationregardingclaimedequivalentconfigurationsdependsontheplatformthattheVSwasdevelopedforandrunson.

Bare-MetalVS

ForVSesthatrunwithoutanoperatingsystemonbare-metalorvirtualbare-metal,theclaimedconfigurationmustdescribetheplatformdowntothespecificprocessormanufacturer,modelnumber,andmicroarchitectureversion.TheVendormustdescribethedifferencesintheTOEwithrespecttoPP-specifiedsecurityfunctionalityandhowtheTOEoperatesdifferentlytoleverageplatformdifferences(e.g.,instructionsetextensions)inthetestedconfigurationversustheclaimedequivalentconfiguration.

VSwithOSSupport

ForVSesthatrunonanOShostorwiththeassistanceofanOS,thentheclaimedconfigurationmustdescribetheOSdowntoitsspecificmodelandversionnumber.TheVendormustdescribethedifferencesintheTOEwithrespecttoPP-specifiedsecurityfunctionalityandhowtheTOEfunctionsdifferentlytoleverageplatformdifferencesinthetestedconfigurationversustheclaimedequivalentconfiguration.

AppendixG-Referencesext-comp-def

Identifier Title

[CC] CommonCriteriaforInformationTechnologySecurityEvaluation-Part1:IntroductionandGeneralModel,CCMB-2017-04-001,Version3.1,Revision5,April2017.Part2:SecurityFunctionalComponents,CCMB-2017-04-002,Version3.1,Revision5,April2017.Part3:SecurityAssuranceComponents,CCMB-2017-04-003,Version3.1,Revision5,April2017.

[CEM] CommonEvaluationMethodologyforInformationTechnologySecurity-EvaluationMethodology,CCMB-2017-04-004,Version3.1,Revision5,April2017.

AppendixH-Acronyms

Acronym Meaning

AES AdvancedEncryptionStandard

Base-PP BaseProtectionProfile

CC CommonCriteria

CEM CommonEvaluationMethodology

CPU CentralProcessingUnit

DEP DataExecutionPrevention

DKM DerivedKeyingMaterial

DSS DigitalSignatureStandard

ECC EllipticCurveCryptography

FFC Finite-FieldCryptography

FIPS FederalInformationProcessingStandard

IEC InternationalElectrotechnicalCommission

IP InternetProtocol

ISO InternationalOrganizationforStandardization

IT InformationTechnology

ITSEF InformationTechnologySecurityEvaluationFacility

KDF KeyDerivationFunction

MAC MessageAuthenticationCode

NIST NationalInstituteofStandardsandTechnology

NVLAP NationalVoluntaryLaboratoryAccreditationProgram

OE OperationalEnvironment

OS OperatingSystem

PKV PublicKeyVerification

PP ProtectionProfile

PP-Configuration ProtectionProfileConfiguration

PP-Module ProtectionProfileModule

RSA Rivest,Shamir,Adleman

SAR SecurityAssuranceRequirement

SFR SecurityFunctionalRequirement

SP SpecialPublication

SPD SecurityPolicyDatabase

SSP SystemSecurityPolicy

ST SecurityTarget

SWID SoftwareIdentification

TOE TargetofEvaluation

TPM TrustedPlatformModule

TSF TOESecurityFunctionality

TSFI TSFInterface

TSS TOESummarySpecification

VM VirtualMachine

VMM VirtualMachineManager

VS VirtualizationSystem