Protection Profile for Virtualization

ProtectionProfileforVirtualization

Version:1.12021-06-14

NationalInformationAssurancePartnership

RevisionHistory

Version Date Comment

1.0 2016-11-17 InitialPublication

1.1 2021-06-14 IncorporateTDs,ReferenceTLSPackage,AddEquivalencyGuidelines,etc.

Contents

1 Introduction1.1 Overview1.2 Terms1.2.1 CommonCriteriaTerms1.2.2 TechnicalTerms1.3 CompliantTargetsofEvaluation1.3.1 TOEBoundary1.3.2 RequirementsMetbythePlatform1.3.3 ScopeofCertification1.3.4 ProductandPlatformEquivalence1.4 UseCases2 ConformanceClaims3 SecurityProblemDescription3.1 Threats3.2 Assumptions3.3 OrganizationalSecurityPolicies4 SecurityObjectives4.1 SecurityObjectivesfortheTOE4.2 SecurityObjectivesfortheOperationalEnvironment4.3 SecurityObjectivesRationale5 SecurityRequirements5.1 SecurityFunctionalRequirements5.1.1 AuditableEventsforMandatorySFRs5.1.2 SecurityAudit(FAU)5.1.3 CryptographicSupport(FCS)5.1.4 UserDataProtection(FDP)5.1.5 IdentificationandAuthentication(FIA)5.1.6 SecurityManagement(FMT)5.1.7 ProtectionoftheTSF(FPT)5.1.8 TOEAccessBanner(FTA)5.1.9 TrustedPath/Channel(FTP)5.1.10 TOESecurityFunctionalRequirementsRationale5.2 SecurityAssuranceRequirements5.2.1 ClassASE:SecurityTargetEvaluation5.2.2 ClassADV:Development5.2.3 ClassAGD:GuidanceDocuments5.2.4 ClassALC:Life-CycleSupport5.2.5 ClassATE:Tests5.2.6 ClassAVA:VulnerabilityAssessment

AppendixA- OptionalRequirementsA.1 StrictlyOptionalRequirementsA.1.1 AuditableEventsforStrictlyOptionalRequirementsA.1.2 SecurityAudit(FAU)A.1.3 ProtectionoftheTSF(FPT)A.2 ObjectiveRequirementsA.2.1 AuditableEventsforObjectiveRequirementsA.2.2 ProtectionoftheTSF(FPT)A.3 Implementation-BasedRequirementsAppendixB- Selection-BasedRequirementsB.1 AuditableEventsforSelection-BasedRequirementsB.2 CryptographicSupport(FCS)B.3 IdentificationandAuthentication(FIA)B.4 ProtectionoftheTSF(FPT)B.5 TrustedPath/Channel(FTP)AppendixC- ExtendedComponentDefinitionsC.1 ExtendedComponentsTableC.2 ExtendedComponentDefinitionsC.2.1 FAU_STG_EXTOff-LoadingofAuditDataC.2.2 FCS_CKM_EXTCryptographicKeyManagementC.2.3 FCS_ENT_EXTEntropyforVirtualMachinesC.2.4 FCS_HTTPS_EXTHTTPSProtocolC.2.5 FCS_IPSEC_EXTIPsecProtocol

C.2.6 FCS_RBG_EXTCryptographicOperation(RandomBitGeneration)C.2.7 FDP_HBI_EXTHardware-BasedIsolationMechanismsC.2.8 FDP_PPR_EXTPhysicalPlatformResourceControlsC.2.9 FDP_RIP_EXTResidualInformationinMemoryC.2.10 FDP_VMS_EXTVMSeparationC.2.11 FDP_VNC_EXTVirtualNetworkingComponentsC.2.12 FIA_AFL_EXTAuthenticationFailureHandlingC.2.13 FIA_PMG_EXTPasswordManagementC.2.14 FIA_UIA_EXTAdministratorIdentificationandAuthenticationC.2.15 FIA_X509_EXTX.509CertificateC.2.16 FMT_SMO_EXTSeparationofManagementandOperationalNetworksC.2.17 FPT_DDI_EXTDeviceDriverIsolationC.2.18 FPT_DVD_EXTNon-ExistenceofDisconnectedVirtualDevicesC.2.19 FPT_EEM_EXTExecutionEnvironmentMitigationsC.2.20 FPT_GVI_EXTGuestVMIntegrityC.2.21 FPT_HAS_EXTHardwareAssistsC.2.22 FPT_HCL_EXTHypercallControlsC.2.23 FPT_IDV_EXTSoftwareIdentificationandVersionsC.2.24 FPT_INT_EXTSupportforIntrospectionC.2.25 FPT_ML_EXTMeasuredLaunchofPlatformandVMMC.2.26 FPT_RDM_EXTRemovableDevicesandMediaC.2.27 FPT_TUD_EXTTrustedUpdatesC.2.28 FPT_VDP_EXTVirtualDeviceParametersC.2.29 FPT_VIV_EXTVMMIsolationfromVMsC.2.30 FTP_ITC_EXTTrustedChannelCommunicationsC.2.31 FTP_UIF_EXTUserInterface

AppendixD- ImplicitlySatisfiedRequirementsAppendixE- EntropyDocumentationandAssessmentE.1 DesignDescriptionE.2 EntropyJustificationE.3 OperatingConditionsE.4 HealthTestingAppendixF- EquivalencyGuidelinesF.1 IntroductionF.2 ApproachtoEquivalencyAnalysisF.3 SpecificGuidanceforDeterminingProductModelEquivalenceF.4 SpecificGuidanceforDeterminingProductVersionEquivalenceF.5 SpecificGuidanceforDeterminingPlatformEquivalenceF.5.1 HardwarePlatformEquivalenceF.5.2 SoftwarePlatformEquivalenceF.6 LevelofSpecificityforTestedandClaimedEquivalentConfigurationsAppendixG- ValidationGuidelinesAppendixH- AcronymsAppendixI- Bibliography

1Introduction

1.1OverviewThescopeofthisProtectionProfile(PP)istodescribethesecurityfunctionalityofvirtualizationtechnologiesintermsof[CC]andtodefinesecurityfunctionalandassurancerequirementsforsuchproducts.ThisPPisnotcompleteinitself,butratherprovidesasetofrequirementsthatarecommontothePP-ModulesforServerVirtualizationandforClientVirtualization.Thesecapabilitieshavebeenbrokenoutintothisgeneric‘base’PPduetothehighdegreeofsimilaritybetweenthetwoproducttypes.Duetotheincreasingprevalenceofvirtualizationtechnologyinenterprisecomputingenvironmentsandtheshifttocloudcomputing,itisessentialtoensurethatthistechnologyisimplementedsecurelyinordertomitigatetheriskintroducedbysharingmultiplecomputersandtheirresidentdataacrossasinglephysicalsystem.

1.2TermsThefollowingsectionslistCommonCriteriaandtechnologytermsusedinthisdocument.

1.2.1CommonCriteriaTerms

Assurance GroundsforconfidencethataTOEmeetstheSFRs[CC].

BaseProtectionProfile(Base-PP)

ProtectionProfileusedasabasistobuildaPP-Configuration.

CommonCriteria(CC)

CommonCriteriaforInformationTechnologySecurityEvaluation(InternationalStandardISO/IEC15408).

CommonCriteriaTestingLaboratory

WithinthecontextoftheCommonCriteriaEvaluationandValidationScheme(CCEVS),anITsecurityevaluationfacility,accreditedbytheNationalVoluntaryLaboratoryAccreditationProgram(NVLAP)andapprovedbytheNIAPValidationBodytoconductCommonCriteria-basedevaluations.

CommonEvaluationMethodology(CEM)

CommonEvaluationMethodologyforInformationTechnologySecurityEvaluation.

OperationalEnvironment(OE)

HardwareandsoftwarethatareoutsidetheTOEboundarythatsupporttheTOEfunctionalityandsecuritypolicy.

ProtectionProfile(PP)

Animplementation-independentsetofsecurityrequirementsforacategoryofproducts.

ProtectionProfileConfiguration(PP-Configuration)

AcomprehensivesetofsecurityrequirementsforaproducttypethatconsistsofatleastoneBase-PPandatleastonePP-Module.

ProtectionProfileModule(PP-Module)

Animplementation-independentstatementofsecurityneedsforaTOEtypecomplementarytooneormoreBaseProtectionProfiles.

SecurityAssuranceRequirement(SAR)

ArequirementtoassurethesecurityoftheTOE.

SecurityFunctionalRequirement(SFR)

ArequirementforsecurityenforcementbytheTOE.

SecurityTarget(ST)

Asetofimplementation-dependentsecurityrequirementsforaspecificproduct.

TOESecurityFunctionality

Thesecurityfunctionalityoftheproductunderevaluation.

(TSF)

TOESummarySpecification(TSS)

AdescriptionofhowaTOEsatisfiestheSFRsinanST.

TargetofEvaluation(TOE)

Theproductunderevaluation.

1.2.2TechnicalTerms

Administrator AdministratorsperformmanagementactivitiesontheVS.ThesemanagementfunctionsdonotincludeadministrationofsoftwarerunningwithinGuestVMs,suchastheGuestOS.AdministratorsneednotbehumanasinthecaseofembeddedorheadlessVMs.AdministratorsareoftennothingmorethansoftwareentitiesthatoperatewithintheVM.

Auditor AuditorsareresponsibleformanagingtheauditcapabilitiesoftheTOE.AnAuditormayalsobeanAdministrator.ItisnotarequirementthattheTOEbecapableofsupportinganAuditorrolethatisseparatefromthatofanAdministrator.

Domain ADomainorInformationDomainisapolicyconstructthatgroupstogetherexecutionenvironmentsandnetworksbysensitivityofinformationandaccesscontrolpolicy.Forexample,classificationlevelsrepresentinformationdomains.Withinclassificationlevels,theremightbeotherdomainsrepresentingcommunitiesofinterestorcoalitions.InthecontextofaVS,informationdomainsaregenerallyimplementedascollectionsofVMsconnectedbyvirtualnetworks.TheVSitselfcanbeconsideredanInformationDomain,ascanitsManagementSubsystem.

GuestNetwork

SeeOperationalNetwork.

GuestOperatingSystem(OS)

AnoperatingsystemthatrunswithinaGuestVM.

GuestVM AGuestVMisaVMthatcontainsavirtualenvironmentfortheexecutionofanindependentcomputingsystem.Virtualenvironmentsexecutemissionworkloadsandimplementcustomer-specificclientorserverfunctionalityinGuestVMs,suchasawebserverordesktopproductivityapplications.

HelperVM AHelperVMisaVMthatperformsservicesonbehalfofoneormoreGuestVMs,butdoesnotqualifyasaServiceVM—andthereforeisnotpartoftheVMM.HelperVMsimplementfunctionsorservicesthatareparticulartotheworkloadsofGuestVMs.Forexample,aVMthatprovidesavirusscanningserviceforaGuestVMwouldbeconsideredaHelperVM.Forthepurposesofthisdocument,HelperVMsareconsideredatypeofGuestVM,andarethereforesubjecttoallthesamerequirements,unlessspecificallystatedotherwise.

HostOperatingSystem(OS)

AnoperatingsystemontowhichaVSisinstalled.RelativetotheVS,theHostOSispartofthePlatform.ThereneednotbeaHostOS,butoftenVSesemployaHostOSorControlDomaintosupportguestaccesstohostresources.SometimesthesedomainsarethemselvesencapsulatedwithinVMs.

Hypercall AnAPIfunctionthatallowsVM-awaresoftwarerunningwithinaVMtoinvokeVMMfunctionality.

Hypervisor TheHypervisorispartoftheVMM.ItisthesoftwareexecutiveofthephysicalplatformofaVS.AHypervisor’sprimaryfunctionistomediateaccesstoallCPUandmemoryresources,butitisalsoresponsibleforeitherthedirectmanagementorthedelegationofthemanagementofallotherhardwaredevicesonthehardwareplatform.

InformationDomain

SeeDomain.

Introspection Acapabilitythatallowsaspeciallydesignatedandprivilegeddomaintohavevisibilityintoanotherdomainforpurposesofanomalydetectionormonitoring.

ManagementNetwork

Anetwork,whichmayhavebothphysicalandvirtualizedcomponents,usedtomanageandadministeraVS.ManagementnetworksincludenetworksusedbyVSAdministratorstocommunicatewithmanagementcomponentsoftheVS,andnetworksusedbytheVSforcommunicationsbetweenVScomponents.Forpurposesofthisdocument,networksthatconnectphysicalhostsandbackendstoragenetworksforpurposesofVMtransferorbackupareconsideredmanagementnetworks.

ManagementSubsystem

ComponentsoftheVSthatallowVSAdministratorstoconfigureandmanagetheVMM,aswellasconfigureGuestVMs.VMMmanagementfunctionsincludeVMconfiguration,

virtualizednetworkconfiguration,andallocationofphysicalresources.

OperationalNetwork

AnOperationalNetworkisanetwork,whichmayhavebothphysicalandvirtualizedcomponents,usedtoconnectGuestVMstoeachotherandpotentiallytootherentitiesoutsideoftheVS.OperationalNetworkssupportmissionworkloadsandcustomer-specificclientorserverfunctionality.Alsocalleda“GuestNetwork.”

PhysicalPlatform

ThehardwareenvironmentonwhichaVSexecutes.Physicalplatformresourcesincludeprocessors,memory,devices,andassociatedfirmware.

Platform Thehardware,firmware,andsoftwareenvironmentintowhichaVSisinstalledandexecutes.

ServiceVM AServiceVMisaVMwhosepurposeistosupporttheHypervisorinprovidingtheresourcesorservicesnecessarytosupportGuestVMs.ServiceVMsmayimplementsomeportionofHypervisorfunctionality,butalsomaycontainimportantsystemfunctionalitythatisnotnecessaryforHypervisoroperation.AswithanyVM,ServiceVMsnecessarilyexecutewithoutfullHypervisorprivileges—onlytheprivilegesrequiredtoperformitsdesignedfunctionality.ExamplesofServiceVMsincludedevicedriverVMsthatmanageaccesstophysicaldevices,VMsthatprovidelife-cyclemanagementandprovisioningofHypervisorandGuestVMs,andname-serviceVMsthathelpestablishcommunicationpathsbetweenVMs.

SystemSecurityPolicy(SSP)

TheoverallpolicyenforcedbytheVSdefiningconstraintsonthebehaviorofVMsandusers.

User UsersoperateGuestVMsandaresubjecttoconfigurationpoliciesappliedtotheVSbyAdministrators.UsersneednotbehumanasinthecaseofembeddedorheadlessVMs,usersareoftennothingmorethansoftwareentitiesthatoperatewithintheVM.

VirtualMachine(VM)

AVirtualMachineisavirtualizedhardwareenvironmentinwhichanoperatingsystemmayexecute.

VirtualMachineManager(VMM)

AVMMisacollectionofsoftwarecomponentsresponsibleforenablingVMstofunctionasexpectedbythesoftwareexecutingwithinthem.Generally,theVMMconsistsofaHypervisor,ServiceVMs,andothercomponentsoftheVS,suchasvirtualdevices,binarytranslationsystems,andphysicaldevicedrivers.ItmanagesconcurrentexecutionofallVMsandvirtualizesplatformresourcesasneeded.

VirtualizationSystem(VS)

Asoftwareproductthatenablesmultipleindependentcomputingsystemstoexecuteonthesamephysicalhardwareplatformwithoutinterferencefromoneanother.Forthepurposesofthisdocument,theVSconsistsofaVirtualMachineManager(VMM),VirtualMachineabstractions,amanagementsubsystem,andothercomponents.

1.3CompliantTargetsofEvaluationAVirtualizationSystem(VS)isasoftwareproductthatenablesmultipleindependentcomputingsystemstoexecuteonthesamephysicalhardwareplatformwithoutinterferencefromoneanother.AVScreatesavirtualizedhardwareenvironment(virtualmachinesorVMs)foreachinstanceofanoperatingsystempermittingtheseenvironmentstoexecuteconcurrentlywhilemaintainingisolationandtheappearanceofexclusivecontroloverassignedcomputingresources.Forthepurposesofthisdocument,theVSconsistsofaVirtualMachineManager(VMM),VirtualMachine(VM)abstractions,amanagementsubsystem,andothercomponents.AVMMisacollectionofsoftwarecomponentsresponsibleforenablingVMstofunctionasexpectedbythesoftwareexecutingwithinthem.Generally,theVMMconsistsofaHypervisor,ServiceVMs,andothercomponentsoftheVS,suchasvirtualdevices,binarytranslationsystems,andphysicaldevicedrivers.ItmanagesconcurrentexecutionofallVMsandvirtualizesplatformresourcesasneeded.TheHypervisoristhesoftwareexecutiveofthephysicalplatformofaVS.AhypervisoroperatesatthehighestCPUprivilegelevelandmanagesaccesstoallofthephysicalresourcesofthehardwareplatform.Itexportsawell-defined,protectedinterfaceforaccesstotheresourcesitmanages.AHypervisor’sprimaryfunctionistomediateaccesstoallCPUandmemoryresources,butitisalsoresponsibleforeitherthedirectmanagementorthedelegationofthemanagementofallotherhardwaredevicesonthehardwareplatform.ThisdocumentdoesnotspecifyanyHypervisor-specificrequirements,thoughmanyVMMrequirementswouldnaturallyapplytoaHypervisor.AServiceVMisaVMwhosepurposeistosupporttheHypervisorinprovidingtheresourcesorservicesnecessarytosupportGuestVMs.ServiceVMsmayimplementsomeportionofHypervisorfunctionality,butalsomaycontainimportantsystemfunctionalitythatisnotnecessaryforHypervisoroperation.AswithanyVM,ServiceVMsnecessarilyexecutewithoutfullHypervisorprivileges—onlytheprivilegesrequiredtoperformitsdesignedfunctionality.ExamplesofServiceVMsincludedevicedriverVMsthatmanageaccesstophysicaldevices,VMsthatprovidelife-cyclemanagementandprovisioningofHypervisorandGuestVMs,andname-serviceVMsthathelpestablishcommunicationpathsbetweenVMs.

AGuestVMisaVMthatcontainsavirtualenvironmentfortheexecutionofanindependentcomputingsystem.Virtualenvironmentsexecutemissionworkloadsandimplementcustomer-specificclientorserverfunctionalityinGuestVMs,suchasawebserverordesktopproductivityapplications.AHelperVMisaVMthatperformsservicesonbehalfofoneormoreGuestVMs,butdoesnotqualifyasaServiceVM—andthereforeisnotpartoftheVMM.HelperVMsimplementfunctionsorservicesthatareparticulartotheworkloadsofGuestVMs.Forexample,aVMthatprovidesavirusscanningserviceforaGuestVMwouldbeconsideredaHelperVM.ThelinebetweenHelperandServiceVMscaneasilybeblurred.Forinstance,aVMthatimplementsacryptographicfunction—suchasanin-lineencryptionVM—couldbeidentifiedaseitheraServiceorHelperVMdependingontheparticularvirtualizationsolution.IfthecryptographicfunctionsarenecessaryonlyfortheprivacyofGuestVMdatainsupportoftheGuest’smissionapplications,itwouldbepropertoclassifytheencryptionVMasaHelper.ButiftheencryptionVMisnecessaryfortheVMMtoisolateGuestVMs,itwouldbepropertoclassifytheencryptionVMasaServiceVM.Forthepurposesofthisdocument,HelperVMsaresubjecttoallrequirementsthatapplytoGuestVMs,unlessspecificallystatedotherwise.

1.3.1TOEBoundaryFigure1showsagreatlysimplifiedviewofagenericVirtualizationSystemandPlatform.TOEcomponentsaredisplayedinRed.Non-TOEcomponentsareinBlue.ThePlatformisthehardware,firmware,andsoftwareontowhichtheVSisinstalled.TheVMMincludestheHypervisor,ServiceVMs,andVMcontainers,butnotthesoftwarethatrunsinsideGuestVMsorHelperVMs.TheManagementSubsystemispartoftheTOE,butmayormaynotbepartoftheVMM.

Figure1:VirtualizationSystemandPlatform

ForpurposesofthisProtectionProfile,theVirtualizationSystemistheTOE,subjecttosomecaveats.ThePlatformontowhichtheVSisinstalled(whichincludeshardware,platformfirmware,andHostOperatingSystem)isnotpartoftheTOE.SoftwareinstalledwiththeVSontheHostOSspecificallytosupporttheVSorimplementVSfunctionalityispartoftheTOE.Generalpurposesoftware—suchasdevicedriversforphysicaldevicesandtheHostOSitself—isnotpartoftheTOE,regardlessofwhetheritsupportsVSfunctionalityorrunsinsideaServiceVMorcontroldomain.SoftwarethatrunswithinGuestandHelperVMsisnotpartoftheTOE.Ingeneral,forvirtualizationproductsthatareinstalledonto“baremetal,”theentiresetofinstalledcomponentsconstitutetheTOE,andthehardwareconstitutesthePlatform.Alsoingeneral,forproductsthatarehostedbyorintegratedintoacommodityoperatingsystem,thecomponentsinstalledexpresslyforimplementingandsupportingvirtualizationareintheTOE,andthePlatformcomprisesthehardwareandHostOS.

1.3.2RequirementsMetbythePlatformDependingonthewaytheVSisinstalled,functionstestedunderthisPPmaybeimplementedbytheTOEorbythePlatform.ThereisnodifferenceinthetestingrequiredwhetherthefunctionisimplementedbytheTOEorbythePlatform.Ineithercase,thetestsdeterminewhetherthefunctionbeingtestedprovidesalevelofconfidenceacceptabletomeetthegoalsofthisProfilewithrespecttoaparticularproductandplatform.TheequivalencyguidelinesareintendedinparttoaddressthisTOEvs.Platformdistinction,andtoensurethatconfidenceintheevaluationresultsdonoterodebetweeninstancesofequivalentproductsonequivalentplatforms—andalso,ofcourse,toensurethattheappropriatetestingisdonewhenthedistinctionissignificant.

1.3.3ScopeofCertificationSuccessfulevaluationofaVirtualizationSystemagainstthisprofiledoesnotconstituteorimplysuccessfulevaluationofanyHostOperatingSystemorPlatform—nomatterhowtightlyintegratedwiththeVS.ThePlatform,includinganyHostOS,supportstheVSthroughprovisionofservicesandresources.SpecializedVScomponentsinstalledonorinaHostOStosupporttheVSmaybeconsideredpartoftheTOE.Butgeneral-purposeOScomponentsandfunctions—whetherornottheysupporttheVS—arenotpartoftheTOE,andthusarenotevaluatedunderthisPP.

1.3.4ProductandPlatformEquivalenceThetestsinthisProtectionProfilemustberunonallproductversionsandPlatformswithwhichtheVendorwouldliketoclaimcompliance—subjecttothisProfile’sequivalencyguidelines(seeAppendixF-EquivalencyGuidelines).

1.4UseCasesThisBase-PPdoesnotdefineanyusecasesforvirtualizationtechnology.ClientVirtualizationandServerVirtualizationproductshavedifferentusecasesandsothesearedefinedintheirrespectivePP-Modules.

2ConformanceClaimsConformanceStatement

ASecurityTargetmustclaimexactconformancetothisProtectionProfile,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).ThefollowingPPsandPP-ModulesareallowedtobespecifiedinaPP-ConfigurationwiththisPP-ModulewiththisPP.

PP-ModuleforClientVirtualizationSystems,Version1.1PP-ModuleforServerVirtualizationSystems,Version1.1

CCConformanceClaimsThisPPisconformanttoParts2(extended)and3(extended)ofCommonCriteriaVersion3.1,Release5[CC].

PPClaimsThisPPdoesnotclaimconformancetoanyotherPP.

PackageClaimsThisPPisFunctionalPackageforTLS-conformant.ThisPPisFunctionalPackageforSecureShell-conformant.

3SecurityProblemDescription

3.1ThreatsT.DATA_LEAKAGE

ItisafundamentalpropertyofVMsthatthedomainsencapsulatedbydifferentVMsremainseparateunlessdatasharingispermittedbypolicy.Forthisreason,allVirtualizationSystemsshallsupportapolicythatprohibitsinformationtransferbetweenVMs.ItshallbepossibletoconfigureVMssuchthatdatacannotbemovedbetweendomainsfromVMtoVM,orthroughvirtualorphysicalnetworkcomponentsunderthecontroloftheVS.WhenVMsareconfiguredassuch,itshallnotbepossiblefordatatoleakbetweendomains,neitherbytheexpresseffortsofsoftwareorusersofaVM,norbecauseofvulnerabilitiesorerrorsintheimplementationoftheVMMorotherVScomponents.Ifitispossiblefordatatoleakbetweendomainswhenprohibitedbypolicy,thenanadversaryononedomainornetworkcanobtaindatafromanotherdomain.Suchcross-domaindataleakagecan,forexample,causeclassifiedinformation,corporateproprietaryinformation,orpersonallyidentifiableinformationtobemadeaccessibletounauthorizedentities.

T.UNAUTHORIZED_UPDATEItiscommonforattackerstotargetoutdatedversionsofsoftwarecontainingknownflaws.ThismeansitisextremelyimportanttoupdateVSsoftwareassoonaspossiblewhenupdatesareavailable.Butthesourceoftheupdatesandtheupdatesthemselvesmustbetrusted.IfanattackercanwritetheirownupdatecontainingmaliciouscodetheycantakecontroloftheVS.

T.UNAUTHORIZED_MODIFICATIONSystemintegrityisacoresecurityobjectiveforVirtualizationSystems.Toachievesystemintegrity,theintegrityofeachVMMcomponentmustbeestablishedandmaintained.MalwarerunningontheplatformmustnotbeabletoundetectablymodifyVScomponentswhilethesystemisrunningoratrest.Likewise,maliciouscoderunningwithinavirtualmachinemustnotbeabletomodifyVirtualizationSystemcomponents.

T.USER_ERRORIfaVirtualizationSystemiscapableofsimultaneouslydisplayingVMsofdifferentdomainstothesameuseratthesametime,thereisalwaysthechancethattheuserwillbecomeconfusedandunintentionallyleakinformationbetweendomains.ThisisespeciallylikelyifVMsbelongingtodifferentdomainsareindistinguishable.Maliciouscodemayalsoattempttointerferewiththeuser’sabilitytodistinguishbetweendomains.TheVSmusttakemeasurestominimizethelikelihoodofsuchconfusion.

T.3P_SOFTWAREInsomeVSimplementations,functionscriticaltothesecurityoftheTOEarebynecessityperformedbysoftwarenotproducedbythevirtualizationvendor.Suchsoftwaremayincludephysicaldevicedrivers,andevennon-TOEentitiessuchasHostOperatingSystems.SincethissoftwarehasthesameorsimilarprivilegelevelastheVS,vulnerabilitiescanbeexploitedbyanadversarytocompromisetheVSandVMs.Wherepossible,theVSshouldmitigatetheresultsofpotentialvulnerabilitiesormaliciouscontentinthird-partycodeonwhichitrelies.Forexample,physicaldevicedrivers(potentiallytheHostOS)couldbeencapsulatedwithinVMsinordertolimittheeffectsofcompromise.

T.VMM_COMPROMISETheVSisdesignedtoprovidetheappearanceofexclusivitytotheVMsandisdesignedtoseparateorisolatetheirfunctionsexceptwherespecificallyshared.FailureofsecuritymechanismscouldleadtounauthorizedintrusionintoormodificationoftheVMM,orbypassoftheVMMaltogether,bynon-TOEsoftware,suchasthatrunninginGuestorHelperVMsoronthehostplatform.ThismustbepreventedtoavoidcompromisingtheVS.

T.PLATFORM_COMPROMISETheVSmustbecapableofprotectingtheplatformfromthreatsthatoriginatewithinVMsandoperationalnetworksconnectedtotheVS.Thehostingofuntrusted—evenmalicious—domainsbytheVScannotbepermittedtocompromisethesecurityandintegrityoftheplatformonwhichtheVSexecutes.IfanattackercanaccesstheunderlyingplatforminamannernotcontrolledbytheVMM,theattackermightbeabletomodifysystemfirmwareorsoftware—compromisingboththeVSandtheunderlyingplatform.

T.UNAUTHORIZED_ACCESSFunctionsperformedbythemanagementlayerincludeVMconfiguration,virtualizednetworkconfiguration,allocationofphysicalresources,andreporting.Onlycertainauthorizedsystemusers(administrators)areallowedtoexercisemanagementfunctionsorobtainsensitiveinformationfromtheTOE.VirtualizationSystemsareoftenmanagedremotelyovercommunicationnetworks.Membersofthesenetworkscanbebothgeographicallyandlogicallyseparatedfromeachother,andpassthroughavarietyofothersystemswhichmaybeunderthecontrolofanadversary,andoffertheopportunityforcommunicationstobecompromised.Anadversarywithaccesstoanopenmanagementnetworkcouldinjectcommandsintothemanagementinfrastructureorextractsensitiveinformation.Thiswouldprovideanadversarywithadministratorprivilegeontheplatform,andadministrativecontrolovertheVMsandvirtualnetworkconnections.Theadversarycouldalsogainaccesstothemanagementnetwork

byhijackingthemanagementnetworkchannel.

T.WEAK_CRYPTOTotheextentthatVMsappearisolatedwithintheVS,athreatofweakcryptographymayariseiftheVMMdoesnotprovidegoodentropytosupportsecurity-relatedfeaturesthatdependonentropytoimplementcryptographicalgorithms.Forexample,arandomnumbergeneratorkeepsanestimateofthenumberofbitsofnoiseintheentropypool.Fromthisentropypoolrandomnumbersarecreated.Goodrandomnumbersareessentialtoimplementingstrongcryptography.Cryptographyimplementedusingpoorrandomnumberscanbedefeatedbyasophisticatedadversary.SuchdefeatcanresultinthecompromiseofGuestVMdataandcredentials,andofVSdataandcredentials,andcanenableunauthorizedaccesstotheVSorVMs.

T.UNPATCHED_SOFTWAREVulnerabilitiesinoutdatedorunpatchedsoftwarecanbeexploitedbyadversariestocompromisetheVSorplatform.

T.MISCONFIGURATIONTheVSmaybemisconfigured,whichcouldimpactitsfunctioningandsecurity.Thismisconfigurationcouldbeduetoanadministrativeerrorortheuseoffaultyconfigurationdata.

T.DENIAL_OF_SERVICEAVMmayblockothersfromsystemresources(e.g.,systemmemory,persistentstorage,andprocessingtime)viaaresourceexhaustionattack.

3.2AssumptionsA.PLATFORM_INTEGRITY

TheplatformhasnotbeencompromisedpriortoinstallationoftheVS.

A.PHYSICALPhysicalsecuritycommensuratewiththevalueoftheTOEandthedataitcontainsisassumedtobeprovidedbytheenvironment.

A.TRUSTED_ADMINTOEAdministratorsaretrustedtofollowandapplyalladministratorguidance.

A.NON_MALICIOUS_USERTheuseroftheVSisnotwillfullynegligentorhostile,andusestheVSincompliancewiththeappliedenterprisesecuritypolicyandguidance.Atthesametime,maliciousapplicationscouldactastheuser,sorequirementswhichconfinemaliciousapplicationsarestillinscope.

3.3OrganizationalSecurityPoliciesThisdocumentdoesnotdefineanyadditionalOSPs.

4SecurityObjectives

4.1SecurityObjectivesfortheTOEO.VM_ISOLATION

VMsarethefundamentalsubjectofthesystem.TheVMMisresponsibleforapplyingthesystemsecuritypolicy(SSP)totheVMandallresources.Asbasicfunctionality,theVMMmustsupportasecuritypolicythatmandatesnoinformationtransferbetweenVMs.TheVMMmustsupportthenecessarymechanismstoisolatetheresourcesofallVMs.TheVMMpartitionsaplatform'sphysicalresourcesforusebythesupportedvirtualenvironments.Dependingoncustomerrequirements,aVMmayneedacompletelyisolatedenvironmentwithexclusiveaccesstosystemresourcesorsharesomeofitsresourceswithotherVMs.ItmustbepossibletoenforceasecuritypolicythatprohibitsthetransferofdatabetweenVMsthroughshareddevices.WhentheplatformsecuritypolicyallowsthesharingofresourcesacrossVMboundaries,theVMMmustensurethatallaccesstothoseresourcesisconsistentwiththepolicy.TheVMMmaydelegatetheresponsibilityforthemediationofresourcesharingtoselectServiceVMs;howeverindoingso,itremainsresponsibleformediatingaccesstotheServiceVMs,andeachServiceVMmustmediateallaccesstoanysharedresourcethathasbeendelegatedtoitinaccordancewiththeSSP.Bothvirtualandphysicaldevicesareresourcesrequiringaccesscontrol.TheVMMmustenforceaccesscontrolinaccordancewithsystemsecuritypolicy.PhysicaldevicesareplatformdeviceswithaccessmediatedviatheVMMpertheO.VMM_Integrityobjective.Virtualdevicesmayincludevirtualstoragedevicesandvirtualnetworkdevices.SomeoftheaccesscontrolrestrictionsmustbeenforcedinternaltoServiceVMs,asmaybethecaseforisolatingvirtualnetworks.VMMsmayalsoexposepurelyvirtualinterfaces.TheseareVMMspecific,andwhiletheyarenotanalogoustoaphysicaldevice,theyarealsosubjecttoaccesscontrol.

TheVMMmustsupportthemechanismstoisolateallresourcesassociatedwithvirtualnetworksandtolimitaVM'saccesstoonlythosevirtualnetworksforwhichithasbeenconfigured.TheVMMmustalsosupportthemechanismstocontroltheconfigurationsofvirtualnetworksaccordingtotheSSP.

O.VMM_INTEGRITYIntegrityisacoresecurityobjectiveforVirtualizationSystems.Toachievesystemintegrity,theintegrityofeachVMMcomponentmustbeestablishedandmaintained.ThisobjectiveconcernsonlytheintegrityoftheVS—nottheintegrityofsoftwarerunninginsideofGuestVMsorofthephysicalplatform.TheoverallobjectiveistoensuretheintegrityofcriticalcomponentsofaVS.InitialintegrityofaVScanbeestablishedthroughmechanismssuchasadigitallysignedinstallationorupdatepackage,orthroughintegritymeasurementsmadeatlaunch.IntegrityismaintainedinarunningsystembycarefulprotectionoftheVMMfromuntrustedusersandsoftware.Forexample,itmustnotbepossibleforsoftwarerunningwithinaGuestVMtoexploitavulnerabilityinadeviceorhypercallinterfaceandgaincontroloftheVMM.Thevendormustreleasepatchesforvulnerabilitiesassoonaspracticableafterdiscovery.

O.PLATFORM_INTEGRITYTheintegrityoftheVMMdependsontheintegrityofthehardwareandsoftwareonwhichtheVMMrelies.AlthoughtheVSdoesnothavecompletecontrolovertheintegrityoftheplatform,theVSshouldasmuchaspossibletrytoensurethatnousersorsoftwarehostedbytheVScanunderminetheintegrityoftheplatform.

O.DOMAIN_INTEGRITYWhiletheVSisnotresponsibleforthecontentsorcorrectfunctioningofsoftwarethatrunswithinGuestVMs,itisresponsibleforensuringthatthecorrectfunctioningofthesoftwarewithinaGuestVMisnotinterferedwithbyotherVMs.

O.MANAGEMENT_ACCESSVMMmanagementfunctionsincludeVMconfiguration,virtualizednetworkconfiguration,allocationofphysicalresources,andreporting.Onlyauthorizedusers(administrators)mayexercisemanagementfunctions.BecauseoftheprivilegesexercisedbytheVMMmanagementfunctions,itmustnotbepossiblefortheVMM’smanagementcomponentstobecompromisedwithoutadministratornotification.Thismeansthatunauthorizeduserscannotbepermittedaccesstothemanagementfunctions,andthemanagementcomponentsmustnotbeinterferedwithbyGuestVMsorunprivilegedusersonothernetworks—includingoperationalnetworksconnectedtotheTOE.VMMsincludeasetofmanagementfunctionsthatcollectivelyallowadministratorstoconfigureandmanagetheVMM,aswellasconfigureGuestVMs.ThesemanagementfunctionsarespecifictotheVSandaredistinctfromanyothermanagementfunctionsthatmightexistfortheinternalmanagementofanygivenGuestVM.TheseVMMmanagementfunctionsareprivileged,withthesecurityoftheentiresystemrelyingontheirproperuse.TheVMMmanagementfunctionscanbeclassifiedintodifferentcategoriesandthepolicyfortheiruseandtheimpacttosecuritymayvaryaccordingly.ThemanagementfunctionsaredistributedthroughouttheVMM(withintheVMMandServiceVMs).TheVMMmustsupportthenecessarymechanismstoenablethecontrolofallmanagementfunctionsaccordingtothesystemsecuritypolicy.Whenamanagementfunctionisdistributedamongmultiple

ServiceVMs,theVMsmustbeprotectedusingthesecuritymechanismsoftheHypervisorandanyServiceVMsinvolvedtoensurethattheintentofthesystemsecuritypolicyisnotcompromised.Additionally,sincehypercallspermitGuestVMstoinvoketheHypervisor,andoftenallowthepassingofdatatotheHypervisor,itisimportantthatthehypercallinterfaceiswell-guardedandthatallparametersbevalidated.TheVMMmaintainsconfigurationdataforeveryVMonthesystem.Thisconfigurationdata,whetherofServiceorGuestVMs,mustbeprotected.Themechanismsusedtoestablish,modifyandverifyconfigurationdataarepartoftheVSmanagementfunctionsandmustbeprotectedassuch.TheproperinternalconfigurationofServiceVMsthatprovidecriticalsecurityfunctionscanalsogreatlyimpactVSsecurity.Theseconfigurationsmustalsobeprotected.InternalconfigurationofGuestVMsshouldnotimpactoverallVSsecurity.TheoverallgoalistoensurethattheVMM,includingtheenvironmentsinternaltoServiceVMs,isproperlyconfiguredandthatallGuestVMconfigurationsaremaintainedconsistentwiththesystemsecuritypolicythroughouttheirlifecycle.VirtualizationSystemsareoftenmanagedremotely.Forexample,anadministratorcanremotelyupdatevirtualizationsoftware,startandshutdownVMs,andmanagevirtualizednetworkconnections.Ifaconsoleisrequired,itcouldberunonaseparatemachineoritcoulditselfruninaVM.Whenperformingremotemanagement,anadministratormustcommunicatewithaprivilegedmanagementagentoveranetwork.CommunicationswiththemanagementinfrastructuremustbeprotectedfromGuestVMsandoperationalnetworks.

O.PATCHED_SOFTWARETheVSmustbeupdatedandpatchedwhenneededinordertopreventthepotentialcompromiseoftheVMM,aswellasthenetworksandVMsthatithosts.Identifyingandapplyingneededupdatesmustbeanormalpartoftheoperatingproceduretoensurethatpatchesareappliedinatimelyandthoroughmanner.Inordertofacilitatethis,theVSmustsupportstandardsandprotocolsthathelpenhancethemanageabilityoftheVSasanITproduct,enablingittobeintegratedaspartofamanageablenetwork(e.g.,reportingcurrentpatchlevelandpatchability).

O.VM_ENTROPYVMsmusthaveaccesstogoodentropysourcestosupportsecurity-relatedfeaturesthatimplementcryptographicalgorithms.Forexample,inordertofunctionasmembersofoperationalnetworks,VMsmustbeabletocommunicatesecurelywithothernetworkentities—whethervirtualorphysical.Theymustthereforehaveaccesstosourcesofgoodentropytosupportthatsecurecommunication.

O.AUDITAnauditlogmustbecreatedthatcapturesaccessestotheobjectstheTOEprotects.Thelogoftheseaccesses,orauditevents,mustbeprotectedfrommodification,unauthorizedaccess,anddestruction.Theauditlogmustbesufficientlydetailedtoindicatethedateandtimeoftheevent,theidentifyoftheuser,thetypeofevent,andthesuccessorfailureoftheevent.

O.CORRECTLY_APPLIED_CONFIGURATIONTheTOEmustnotapplyconfigurationsthatviolatethecurrentsecuritypolicy.TheTOEmustcorrectlyapplyconfigurationsandpoliciestoanewlycreatedGuestVM,aswellastoexistingGuestVMswhenapplicableconfigurationorpolicychangesaremade.Allchangestoconfigurationandtopolicymustconformtotheexistingsecuritypolicy.Similarly,changesmadetotheconfigurationoftheTOEitselfmustnotviolatetheexistingsecuritypolicy.

O.RESOURCE_ALLOCATIONTheTOEwillprovidemechanismsthatenforceconstraintsontheallocationofsystemresourcesinaccordancewithexistingsecuritypolicy.

4.2SecurityObjectivesfortheOperationalEnvironmentOE.CONFIG

TOEadministratorswillconfiguretheVScorrectlytocreatetheintendedsecuritypolicy.

OE.PHYSICALPhysicalsecurity,commensuratewiththevalueoftheTOEandthedataitcontains,isprovidedbytheenvironment.

OE.TRUSTED_ADMINTOEAdministratorsaretrustedtofollowandapplyalladministratorguidanceinatrustedmanner.

OE.NON_MALICIOUS_USERUsersaretrustedtonotbewillfullynegligentorhostileandusetheVSincompliancewiththeappliedenterprisesecuritypolicyandguidance.

4.3SecurityObjectivesRationaleThissectiondescribeshowtheassumptions,threats,andorganizationsecuritypoliciesmaptothesecurityobjectives.

Table1:SecurityObjectivesRationaleThreat,Assumption,orOSP SecurityObjectives Rationale

T.DATA_LEAKAGE O.VM_ISOLATION LogicalseparationofVMsandenforcementofdomainintegritypreventunauthorizedtransmissionofdatafromoneVMtoanother.

O.DOMAIN_INTEGRITY LogicalseparationofVMsandenforcementofdomainintegritypreventunauthorizedtransmissionofdatafromoneVMtoanother.

T.UNAUTHORIZED_UPDATE O.VMM_INTEGRITY SystemintegritypreventstheTOEfrominstallingasoftwarepatchcontainingunknownandpotentiallymaliciouscode.

T.UNAUTHORIZED_MODIFICATION O.VMM_INTEGRITY EnforcementofVMMintegritypreventsthebypassofenforcementmechanismsandauditingensuresthatabuseoflegitimateauthoritycanbedetected.

O.AUDIT EnforcementofVMMintegritypreventsthebypassofenforcementmechanismsandauditingensuresthatabuseoflegitimateauthoritycanbedetected.

T.USER_ERROR O.VM_ISOLATION IsolationofVMsincludesclearattributionofthoseVMstotheirrespectivedomainswhichreducesthelikelihoodthatauserinadvertentlyinputsortransfersdatameantforoneVMintoanother.

T.3P_SOFTWARE O.VMM_INTEGRITY TheVMMintegritymechanismsincludeenvironment-basedvulnerabilitymitigationandpotentiallysupportforintrospectionanddevicedriverisolation,allofwhichreducethelikelihoodthatanyvulnerabilitiesinthird-partysoftwarecanbeusedtoexploittheTOE.

T.VMM_COMPROMISE O.VMM_INTEGRITY MaintainingtheintegrityoftheVMM

andensuringthatVMsexecuteinisolateddomainsmitigatetheriskthattheVMMcanbecompromisedorbypassed.

O.VM_ISOLATION MaintainingtheintegrityoftheVMMandensuringthatVMsexecuteinisolateddomainsmitigatetheriskthattheVMMcanbecompromisedorbypassed.

T.PLATFORM_COMPROMISE O.PLATFORM_INTEGRITY PlatformintegritymechanismsusedbytheTOEreducetheriskthatanattackercan‘breakout’ofaVMandaffecttheplatformonwhichtheVSisrunning.

T.UNAUTHORIZED_ACCESS O.MANAGEMENT_ACCESS EnsuringthatTSFmanagementfunctionscannotbeexecutedwithoutauthorizationpreventsuntrustedsubjectsfrommodifyingthebehavioroftheTOEinanunanticipatedmanner.

T.WEAK_CRYPTO O.VM_ENTROPY AcquisitionofgoodentropyisnecessarytosupporttheTOE'ssecurity-relatedcryptographicalgorithms.

T.UNPATCHED_SOFTWARE O.PATCHED_SOFTWARE TheabilitytopatchtheTOEsoftwareensuresthatprotectionsagainstvulnerabilitiescanbeappliedastheybecomeavailable.

T.MISCONFIGURATION O.CORRECTLY_APPLIED_CONFIGURATION Mechanismstopreventtheapplicationofconfigurationsthatviolatethecurrentsecuritypolicyhelppreventmisconfigurations.

T.DENIAL_OF_SERVICE O.RESOURCE_ALLOCATION TheabilityoftheTSFtoensuretheproperallocationofresourcesmakesdenialofserviceattacksmoredifficult.

A.PLATFORM_INTEGRITY OE.PHYSICAL Iftheunderlyingplatformhasnotbeencompromisedpriortoinstallationofthe

TOE,itsintegritycanbeassumedtobeintact.

A.PHYSICAL OE.PHYSICAL IftheTOEisdeployedinalocationthathasappropriatephysicalsafeguards,itcanbeassumedtobephysicallysecure.

A.TRUSTED_ADMIN OE.TRUSTED_ADMIN Providingguidancetoadministratorsandensuringthatindividualsareproperlytrainedandvettedbeforebeinggivenadministrativeresponsibilitieswillensurethattheyaretrusted.

A.NON_MALICIOUS_USER OE.NON_MALICIOUS_USER Iftheorganizationproperlyvetsandtrainsusers,itisexpectedthattheywillbenon-malicious.

OE.CONFIG IftheTOEisadministeredbyanon-maliciousandnon-negligentuser,theexpectedresultisthattheTOEwillbeconfiguredinacorrectandsecuremanner.

5SecurityRequirementsThischapterdescribesthesecurityrequirementswhichhavetobefulfilledbytheproductunderevaluation.ThoserequirementscomprisefunctionalcomponentsfromPart2andassurancecomponentsfromPart3of[CC].Thefollowingconventionsareusedforthecompletionofoperations:

Refinementoperation(denotedbyboldtextorstrikethroughtext):isusedtoadddetailstoarequirement(includingreplacinganassignmentwithamorerestrictiveselection)ortoremovepartoftherequirementthatismadeirrelevantthroughthecompletionofanotheroperation,andthusfurtherrestrictsarequirement.Selection(denotedbyitalicizedtext):isusedtoselectoneormoreoptionsprovidedbythe[CC]instatingarequirement.Assignmentoperation(denotedbyitalicizedtext):isusedtoassignaspecificvaluetoanunspecifiedparameter,suchasthelengthofapassword.Showingthevalueinsquarebracketsindicatesassignment.Iterationoperation:isindicatedbyappendingtheSFRnamewithaslashanduniqueidentifiersuggestingthepurposeoftheoperation,e.g."/EXAMPLE1."

5.1SecurityFunctionalRequirements

5.1.1AuditableEventsforMandatorySFRs

Table2:AuditableEventsforMandatoryRequirementsRequirement AuditableEvents AdditionalAuditRecordContents

FAU_GEN.1 Noeventsspecified

FAU_SAR.1 Noeventsspecified

FAU_STG.1 Noeventsspecified

FAU_STG_EXT.1 Failureofauditdatacaptureduetolackofdiskspaceorpre-definedlimit.

FAU_STG_EXT.1 Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.

FCS_CKM.1 Noeventsspecified

FCS_CKM.2 Noeventsspecified

FCS_CKM_EXT.4 Noeventsspecified

FCS_COP.1/Hash Noeventsspecified

FCS_COP.1/KeyedHash Noeventsspecified

FCS_COP.1/Sig Noeventsspecified

FCS_COP.1/UDE Noeventsspecified

FCS_ENT_EXT.1 Noeventsspecified

FCS_RBG_EXT.1 Failureoftherandomizationprocess.

FDP_HBI_EXT.1 Noeventsspecified

FDP_PPR_EXT.1 SuccessfulandfailedVMconnectionstophysicaldeviceswhereconnectionisgovernedbyconfigurablepolicy.

VMandphysicaldeviceidentifiers.

FDP_PPR_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.

FDP_RIP_EXT.1 Noeventsspecified

FDP_RIP_EXT.2 Noeventsspecified

FDP_VMS_EXT.1 Noeventsspecified

FDP_VNC_EXT.1 Successfulandfailedattemptsto VMandvirtualorphysicalnetworking

connectVMstovirtualandphysicalnetworkingcomponents.

componentidentifiers.

FDP_VNC_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.VMandvirtualorphysicalnetworkingcomponentidentifiers.

FDP_VNC_EXT.1 Administratorconfigurationofinter-VMcommunicationschannelsbetweenVMs.

VMandvirtualorphysicalnetworkingcomponentidentifiers.

FIA_AFL_EXT.1 Unsuccessfulloginattemptslimitismetorexceeded.

Originofattempt(e.g.,IPaddress).

FIA_UAU.5 Noeventsspecified

FIA_UIA_EXT.1 Administratorauthenticationattempts.

Provideduseridentity,originoftheattempt(e.g.,console,remoteIPaddress).

FIA_UIA_EXT.1 Alluseoftheidentificationandauthenticationmechanism.

Provideduseridentity,originoftheattempt(e.g.,console,remoteIPaddress).

FIA_UIA_EXT.1 [selection:Startandendofadministratorsession.,None]

Starttimeandendtimeofadministratorsession.

FMT_SMO_EXT.1 Noeventsspecified

FPT_DVD_EXT.1 Noeventsspecified

FPT_EEM_EXT.1 Noeventsspecified

FPT_HAS_EXT.1 Noeventsspecified

FPT_HCL_EXT.1 Invalidparametertohypercalldetected.

Hypercallinterfaceforwhichaccesswasattempted.

FPT_HCL_EXT.1 Hypercallinterfaceinvokedwhendocumentedpreconditionsarenotmet.

FPT_RDM_EXT.1 Connection/disconnectionofremovablemediaordeviceto/fromaVM.

VMIdentifier,Removablemedia/deviceidentifier,eventdescriptionoridentifier(connect/disconnect,ejection/insertion,etc.).

FPT_RDM_EXT.1 Ejection/insertionofremovablemediaordevicefrom/toanalreadyconnectedVM.

VMIdentifier,Removablemedia/deviceidentifier,eventdescriptionoridentifier(connect/disconnect,ejection/insertion,etc.).

FPT_TUD_EXT.1 Initiationofupdate.

FPT_TUD_EXT.1 Failureofsignatureverification.

FPT_VDP_EXT.1 Noeventsspecified

FPT_VIV_EXT.1 Noeventsspecified

FTA_TAB.1 Noeventsspecified

FTP_ITC_EXT.1 Initiationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_ITC_EXT.1 Terminationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_ITC_EXT.1 Failuresofthetrustedpathfunctions.

UserIDandremotesource(IPAddress)iffeasible.

FTP_UIF_EXT.1 Noeventsspecified

FTP_UIF_EXT.2 Noeventsspecified

5.1.2SecurityAudit(FAU)

FAU_GEN.1AuditDataGenerationFAU_GEN.1.1

TheTSFshallbeabletogenerateanauditrecordofthefollowingauditableevents:

a. Start-upandshutdownofauditfunctionsb. [AlladministrativeactionsrelevanttoclaimedSFRsasdefinedin

theAuditableEventsTablefromtheClientandServerPP-Modules]c. [AuditableeventsdefinedinTable2]d. [selection:

AuditableeventsdefinedinTable5forStrictlyOptionalSFRs,AuditableeventsdefinedinTable6forObjectiveSFRs,AuditableeventsdefinedinTable7forSelection-BasedSFRs,AuditableeventsfortheFunctionalPackageforTransportLayerSecurity(TLS),version1.1listedinTable3,AuditableeventsdefinedintheaudittablefortheFunctionalPackageforSecureShell(SSH),version1.0,nootherauditableevents

]

FAU_GEN.1.2TheTSFshallrecordwithineachauditrecordatleastthefollowinginformation:

a. Dateandtimeoftheeventb. Typeofeventc. Subjectandobjectidentity(ifapplicable)d. Theoutcome(successorfailure)oftheevente. [AdditionalinformationdefinedinTable2]f. [selection:

AdditionalinformationdefinedinTable5forStrictlyOptionalSFRs,AdditionalinformationdefinedinTable6forObjectiveSFRs,AdditionalinformationdefinedinTable7forSelection-BasedSFRs,AdditionalinformationfortheFunctionalPackageforTransportLayerSecurity(TLS),version1.1listedinTable3,AdditionalinformationdefinedintheaudittablefortheFunctionalPackageforSecureShell(SSH),version1.0,nootherinformation

]

ApplicationNote:TheSTauthorcanincludeotherauditableeventsdirectlyinTable2;theyarenotlimitedtothelistpresented.TheSTauthorshouldupdatethetableinFAU_GEN.1.2withanyadditionalinformationgenerated.“Subjectidentity”inFAU_GEN.1.2couldbeauseridoranidentifierspecifyingaVM,forexample.AppropriateentriesfromTable5,Table6,andTable7shouldbeincludedintheSTiftheassociatedSFRsandselectionsareincluded.TheTable2entryforFDP_VNC_EXT.1referstoconfigurationsettingsthatattachVMstovirtualizednetworkcomponents.ChangestotheseconfigurationscanbemadeduringVMexecutionorwhenVMsarenotrunning.Auditrecordsmustbegeneratedforeithercase.TheintentoftheauditrequirementforFDP_PPR_EXT.1istologthattheVMisconnectedtoaphysicaldevice(whenthedevicebecomespartoftheVM'shardwareview),nottologeverytimethatthedeviceisaccessed.Generally,thisisonlyonceatVMstartup.However,somedevicescanbeconnectedanddisconnectedduringoperation(e.g.,virtualUSBdevicessuchasCD-ROMs).Allsuchconnection/disconnectioneventsmustbelogged.ThefollowingtablecontainstheeventsenumeratedintheauditableeventstablefortheTLSFunctionalPackage.InclusionoftheseeventsintheSTissubjecttoselectionabove,inclusionofthecorrespondingSFRsintheST,andsupportintheFPasrepresentedbyaselectioninthetablebelow.

Table3:AuditableEventsfortheTLSFunctionalPackage

FCS_TLSC_EXT.1 Failuretoestablishasession.

Reasonforfailure.

FCS_TLSC_EXT.1 Failuretoverifypresentedidentifier.

Presentedidentifierandreferenceidentifier.

https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&id=439




FCS_TLSC_EXT.1 Establishment/terminationofaTLSsession.

Non-TOEendpointofconnection.

FCS_TLSS_EXT.1 Failuretoestablishasession.

Reasonforfailure.

FCS_DTLSC_EXT.1 Failureofthecertificatevaliditycheck.

IssuerNameandSubjectNameofcertificate.

FCS_DTLSS_EXT.1 Failureofthecertificatevaliditycheck.

IssuerNameandSubjectNameofcertificate.

EvaluationActivities

FAU_GEN.1TSSTheevaluatorshallchecktheTSSandensurethatitlistsalloftheauditableeventsandprovidesaformatforauditrecords.Eachauditrecordformattypeshallbecovered,alongwithabriefdescriptionofeachfield.TheevaluatorshallchecktomakesurethateveryauditeventtypemandatedbythePP-ConfigurationisdescribedintheTSS.

GuidanceTheevaluatorshallalsomakeadeterminationoftheadministrativeactionsthatarerelevantinthecontextofthisPP-Configuration.Theevaluatorshallexaminetheadministrativeguideandmakeadeterminationofwhichadministrativecommands,includingsubcommands,scripts,andconfigurationfiles,arerelatedtotheconfiguration(includingenablingordisabling)ofthemechanismsimplementedintheTOEthatarenecessarytoenforcetherequirementsspecifiedinthePPandPP-Modules.Theevaluatorshalldocumentthemethodologyorapproachtakenwhiledeterminingwhichactionsintheadministrativeguidearesecurity-relevantwithrespecttothisPP-Configuration.TestsTheevaluatorshalltesttheTOE’sabilitytocorrectlygenerateauditrecordsbyhavingtheTOEgenerateauditrecordsfortheeventslistedandadministrativeactions.Foradministrativeactions,theevaluatorshalltestthateachactiondeterminedbytheevaluatorabovetobesecurityrelevantinthecontextofthisPPisauditable.Whenverifyingthetestresults,theevaluatorshallensuretheauditrecordsgeneratedduringtestingmatchtheformatspecifiedintheadministrativeguide,andthatthefieldsineachauditrecordhavetheproperentries.

Notethatthetestingherecanbeaccomplishedinconjunctionwiththetestingofthesecuritymechanismsdirectly.

FAU_SAR.1AuditReviewFAU_SAR.1.1

TheTSFshallprovide[administrators]withthecapabilitytoread[allinformation]fromtheauditrecords.

FAU_SAR.1.2TheTSFshallprovidetheauditrecordsinamannersuitablefortheusertointerprettheinformation.


FAU_SAR.1GuidanceTheevaluatorshallreviewtheoperationalguidancefortheprocedureonhowtoreviewtheauditrecords.TestsTheevaluatorshallverifythattheauditrecordsprovidealloftheinformationspecifiedinFAU_GEN.1andthatthisinformationissuitableforhumaninterpretation.TheevaluationactivityforthisrequirementisperformedinconjunctionwiththeevaluationactivityforFAU_GEN.1.

FAU_STG.1ProtectedAuditTrailStorageFAU_STG.1.1

TheTSFshallprotectthestoredauditrecordsintheaudittrailfromunauthorizeddeletion.

FAU_STG.1.2TheTSFshallbeableto[prevent]unauthorizedmodificationstothestoredaudit

recordsintheaudittrail.

ApplicationNote:TheevaluationactivityforthisSFRisnotintendedtoimplythattheTOEmustsupportanadministrator’sabilitytodesignateindividualauditrecordsfordeletion.Thatlevelofgranularityisnotrequired.


FAU_STG.1TSSTheevaluatorshallensurethattheTSSdescribeshowtheauditrecordsareprotectedfromunauthorizedmodificationordeletion.TheevaluatorshallensurethattheTSSdescribestheconditionsthatmustbemetforauthorizeddeletionofauditrecords.TestsTheevaluatorshallperformthefollowingtests:

Test1:TheevaluatorshallaccesstheaudittrailasanunauthorizedAdministratorandattempttomodifyanddeletetheauditrecords.Theevaluatorshallverifythattheseattemptsfail.Test2:TheevaluatorshallaccesstheaudittrailasanauthorizedAdministratorandattempttodeletetheauditrecords.Theevaluatorshallverifythattheseattemptssucceed.Theevaluatorshallverifythatonlytherecordsauthorizedfordeletionaredeleted.

FAU_STG_EXT.1Off-LoadingofAuditDataFAU_STG_EXT.1.1

TheTSFshallbeabletotransmitthegeneratedauditdatatoanexternalITentityusingatrustedchannelasspecifiedinFTP_ITC_EXT.1.

FAU_STG_EXT.1.2TheTSFshall[selection:dropnewauditdata,overwritepreviousauditrecordsaccordingtothefollowingrule:[assignment:ruleforoverwritingpreviousauditrecords],[assignment:otheraction]]whenthelocalstoragespaceforauditdataisfull.

ApplicationNote:Anexternallogserver,ifavailable,mightbeusedasalternativestoragespaceincasethelocalstoragespaceisfull.An‘otheraction’couldbedefinedinthiscaseas‘sendthenewauditdatatoanexternalITentity’.


FAU_STG_EXT.1.1ProtocolsusedforimplementingthetrustedchannelmustbeselectedinFTP_ITC_EXT.1.TSSTheevaluatorshallexaminetheTSStoensureitdescribesthemeansbywhichtheauditdataaretransferredtotheexternalauditserver,andhowthetrustedchannelisprovided.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensureitdescribeshowtoestablishthetrustedchanneltotheauditserver,aswellasdescribeanyrequirementsontheauditserver(particularauditserverprotocol,versionoftheprotocolrequired,etc.),aswellasconfigurationoftheTOEneededtocommunicatewiththeauditserver.TestsTestingofthetrustedchannelmechanismistobeperformedasspecifiedintheevaluationactivitiesforFTP_ITC_EXT.1.Theevaluatorshallperformthefollowingtestforthisrequirement:

Test1:TheevaluatorshallestablishasessionbetweentheTOEandtheauditserveraccordingtotheconfigurationguidanceprovided.TheevaluatorshallthenexaminethetrafficthatpassesbetweentheauditserverandtheTOEduringseveralactivitiesoftheevaluator’schoicedesignedtogenerateauditdatatobetransferredtotheauditserver.Theevaluatorshallobservethatthesedataarenotabletobeviewedintheclearduringthistransfer,andthattheyaresuccessfullyreceivedbytheauditserver.Theevaluatorshallrecordtheparticularsoftware(name,version)usedontheauditserverduringtesting.

FAU_STG_EXT.1.2TSSTheevaluatorshallexaminetheTSStoensureitdescribeswhathappenswhenthelocalauditdatastoreisfull.GuidanceTheevaluatorshallalsoexaminetheoperationalguidancetodeterminethatitdescribestherelationshipbetweenthelocalauditdataandtheauditdatathataresenttotheauditlogserver.

Forexample,whenanauditeventisgenerated,isitsimultaneouslysenttotheexternalserverandthelocalstore,oristhelocalstoreusedasabufferand“cleared”periodicallybysendingthedatatotheauditserver.TestsTheevaluatorshallperformoperationsthatgenerateauditdataandverifythatthisdataisstoredlocally.TheevaluatorshallperformoperationsthatgenerateauditdatauntilthelocalstoragespaceisexceededandverifiesthattheTOEcomplieswiththebehaviordefinedintheSTforFAU_STG_EXT.1.2.

5.1.3CryptographicSupport(FCS)

FCS_CKM.1CryptographicKeyGenerationFCS_CKM.1.1

TheTSFshallgenerateasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithm[selection:

RSAschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.3],ECCschemesusing[“NISTcurves”P-256,P-384,and[selection:P-521,noothercurves]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.4],FFCschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.1]].,FFCSchemesusingDiffie-Hellmangroup14thatmeetthefollowing:[RFC3526],FFCSchemesusingsafeprimesthatmeetthefollowing:[‘NISTSpecialPublication800-56ARevision3,“RecommendationforPair-WiseKeyEstablishmentSchemes"]

]andspecifiedcryptographickeysizes[assignment:cryptographickeysizes]thatmeetthefollowing:[assignment:listofstandards].

ApplicationNote:TheSTauthorselectsallkeygenerationschemesusedforkeyestablishmentanddeviceauthentication.Whenkeygenerationisusedforkeyestablishment,theschemesinFCS_CKM.2.1andselectedcryptographicprotocolsshallmatchtheselection.Whenkeygenerationisusedfordeviceauthentication,thepublickeyisexpectedtobeassociatedwithanX.509v3certificate.

IftheTOEactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.


FCS_CKM.1TSSTheevaluatorshallensurethattheTSSidentifiesthekeysizessupportedbytheTOE.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeygenerationschemesandkeysizesforallusesdefinedinthisPP.TestsNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

KeyGenerationforFIPSPUB186-4RSASchemesTheevaluatorshallverifytheimplementationofRSAKeyGenerationbytheTOEusingtheKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthekeycomponentsincludingthepublicverificationexponente,theprivateprimefactorspandq,thepublicmodulusnandthecalculationoftheprivatesignatureexponentd.KeyPairgenerationspecifies5ways(ormethods)togeneratetheprimespandq.Theseinclude:

RandomPrimes:ProvableprimesProbableprimes

PrimeswithConditions:Primesp1,p2,q1,q2,pandqshallallbeprovableprimesPrimesp1,p2,q1,andq2shallbeprovableprimesandpandqshallbeprobable

primesPrimesp1,p2,q1,q2,pandqshallallbeprobableprimes

TotestthekeygenerationmethodfortheRandomProvableprimesmethodandforallthePrimeswithConditionsmethods,theevaluatorshallseedtheTSFkeygenerationroutinewithsufficientdatatodeterministicallygeneratetheRSAkeypair.Thisincludestherandomseeds,thepublicexponentoftheRSAkey,andthedesiredkeylength.Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25keypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.KeyGenerationforEllipticCurveCryptography(ECC)FIPS186-4ECCKeyGenerationTestForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)theevaluatorshallrequiretheimplementationundertest(IUT)togenerate10private/publickeypairs.Theprivatekeyshallbegeneratedusinganapprovedrandombitgenerator(RBG).Todeterminecorrectness,theevaluatorshallsubmitthegeneratedkeypairstothepublickeyverification(PKV)functionofaknowngoodimplementation.FIPS186-4PublicKeyVerification(PKV)TestForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)theevaluatorshallgenerate10private/publickeypairsusingthekeygenerationfunctionofaknowngoodimplementationandmodifyfiveofthepublickeyvaluessothattheyareincorrect,leavingfivevaluesunchanged(i.e.,correct).Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.

KeyGenerationforFinite-FieldCryptography(FFC)TheevaluatorshallverifytheimplementationoftheParametersGenerationandtheKeyGenerationforFFCbytheTOEusingtheParameterGenerationandKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthefieldprimep,thecryptographicprimeq(dividingp-1),thecryptographicgroupgeneratorg,andthecalculationoftheprivatekeyxandpublickeyy.TheParametergenerationspecifiestwoways(ormethods)togeneratethecryptographicprimeqandthefieldprimep:

PrimesqandpshallbothbeprovableprimesPrimesqandfieldprimepshallbothbeprobableprimes

andtwowaystogeneratethecryptographicgroupgeneratorg:GeneratorgconstructedthroughaverifiableprocessGeneratorgconstructedthroughanunverifiableprocess.

TheKeygenerationspecifiestwowaystogeneratetheprivatekeyx:len(q)bitoutputofRBGwhere1�x�q-1len(q)+64bitoutputofRBG,followedbyamodq-1operationwhere1�x�q-1

ThesecuritystrengthoftheRBGshallbeatleastthatofthesecurityofferedbytheFFCparameterset.Totestthecryptographicandfieldprimegenerationmethodfortheprovableprimesmethodandthegroupgeneratorgforaverifiableprocess,theevaluatorshallseedtheTSFparametergenerationroutinewithsufficientdatatodeterministicallygeneratetheparameterset.Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25parametersetsandkeypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.Verificationshallalsoconfirm

g!=0,1qdividesp-1g^qmodp=1g^xmodp=y

foreachFFCparametersetandkeypair.

Diffie-HellmanGroup14andFFCSchemesusing"safe-prime"groupsTestingforFFCSchemesusingDiffie-Hellmangroup14and"safe-prime"groupsisdoneaspartoftestinginFCS_CKM.2.1.

FCS_CKM.2CryptographicKeyDistributionFCS_CKM.2.1

TheTSFshalldistributecryptographickeysimplementfunctionalitytoperformcryptographickeyestablishmentinaccordancewithaspecifiedcryptographickeyestablishmentmethod:[selection:

RSA-basedkeyestablishmentschemesthatmeetsthefollowing:RSAES-PKCS1-v1_5asspecifiedinSection7.2ofRFC8017,“Public-KeyCryptographyStandards(PKCS)#1:RSACryptographySpecifications

Version2.2",Ellipticcurve-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography”,Finitefield-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography”,KeyestablishmentschemeusingDiffie-Hellmangroup14thatmeetsthefollowing:RFC3526

]thatmeetsthefollowing[assignment:listofstandards].


FCS_CKM.2TSSTheevaluatorshallensurethatthesupportedkeyestablishmentschemescorrespondtothekeygenerationschemesidentifiedinFCS_CKM.1.1.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.

GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeyestablishmentschemes.TestsTheevaluatorshallverifytheimplementationofthekeyestablishmentschemesofthesupportedbytheTOEusingtheapplicabletestsbelow.

KeyEstablishmentSchemesRSAES-PKCS1-v1_5KeyEstablishmentSchemesTheevaluatorshallverifythecorrectnessoftheTSF'simplementationofRSAES-PKCS1-v1_5byusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatusesRSAES-PKCS1-v1_5.

SP800-56AECCKeyEstablishmentSchemes

TheevaluatorshallverifyaTOE'simplementationofSP800-56AkeyagreementschemesusingthefollowingFunctionandValiditytests.ThesevalidationtestsforeachkeyagreementschemeverifythataTOEhasimplementedthecomponentsofthekeyagreementschemeaccordingtothespecificationsintheRecommendation.ThesecomponentsincludethecalculationoftheDLCprimitives(thesharedsecretvalueZ)andthecalculationofthederivedkeyingmaterial(DKM)viatheKeyDerivationFunction(KDF).Ifkeyconfirmationissupported,theevaluatorshallalsoverifythatthecomponentsofkeyconfirmationhavebeenimplementedcorrectly,usingthetestproceduresdescribedbelow.ThisincludestheparsingoftheDKM,thegenerationofMACdataandthecalculationofMACtag.FunctionTestTheFunctiontestverifiestheabilityoftheTOEtoimplementthekeyagreementschemescorrectly.Toconductthistest,theevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachsupportedkeyagreementscheme-keyagreementrolecombination,KDFtype,and,ifsupported,keyconfirmationrole-keyconfirmationtypecombination,thetestershallgenerate10setsoftestvectors.Thedatasetconsistsofonesetofdomainparametervalues(FFC)ortheNISTapprovedcurve(ECC)per10setsofpublickeys.Thesekeysarestatic,ephemeral,orbothdependingontheschemebeingtested.TheevaluatorshallobtaintheDKM,thecorrespondingTOE’spublickeys(staticandephemeral),theMACtags,andanyinputsusedintheKDF,suchastheOtherInformationfieldOIandTOEIDfields.IftheTOEdoesnotuseaKDFdefinedinSP800-56A,theevaluatorshallobtainonlythepublickeysandthehashedvalueofthesharedsecret.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationofagivenschemebyusingaknowngoodimplementationtocalculatethesharedsecretvalue,derivethekeyingmaterialDKM,andcomparehashesorMACtagsgeneratedfromthesevalues.Ifkeyconfirmationissupported,theTSFshallperformtheaboveforeachimplementedapprovedMACalgorithm.ValidityTestTheValiditytestverifiestheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidkeyagreementresultswithorwithoutkeyconfirmation.Toconductthistest,theevaluatorshallobtainalistofthesupportingcryptographicfunctionsincludedintheSP800-56AkeyagreementimplementationtodeterminewhicherrorstheTOEshouldbeabletorecognize.Theevaluatorgeneratesasetof24(FFC)or30(ECC)testvectorsconsistingofdatasetsincludingdomain

parametervaluesorNISTapprovedcurves,theevaluator’spublickeys,theTOE’spublic/privatekeypairs,MACTag,andanyinputsusedintheKDF,suchastheotherinfoandTOEIDfields.TheevaluatorshallinjectanerrorinsomeofthetestvectorstotestthattheTOErecognizesinvalidkeyagreementresultscausedbythefollowingfieldsbeingincorrect:thesharedsecretvalueZ,theDKM,theotherinformationfieldOI,thedatatobeMACed,orthegeneratedMACTag.IftheTOEcontainsthefullorpartial(onlyECC)publickeyvalidation,theevaluatorwillalsoindividuallyinjecterrorsinbothparties’staticpublickeys,bothparties’ephemeralpublickeysandtheTOE’sstaticprivatekeytoassuretheTOEdetectserrorsinthepublickeyvalidationfunctionandthepartialkeyvalidationfunction(inECConly).Atleasttwoofthetestvectorsshallremainunmodifiedandthereforeshouldresultinvalidkeyagreementresults(theyshouldpass).TheTOEshallusethesemodifiedtestvectorstoemulatethekeyagreementschemeusingthecorrespondingparameters.TheevaluatorshallcomparetheTOE’sresultswiththeresultsusingaknowngoodimplementationverifyingthattheTOEdetectstheseerrors.

Diffie-HellmanGroup14TheevaluatorshallverifythecorrectnessoftheTSF'simplementationofDiffie-Hellmangroup14byusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatusesDiffie-HellmanGroup14.

FFCSchemesusing"safe-prime"groups(identifiedinAppendixDofSP800-56ARevision3)TheevaluatorshallverifythecorrectnessoftheTSF'simplementationof"safe-prime"groupsbyusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatuses"safe-prime"groups.Thistestmustbeperformedforeach"safe-prime"groupthateachprotocoluses.

FCS_CKM_EXT.4CryptographicKeyDestructionFCS_CKM_EXT.4.1

TheTSFshallcausedisusedcryptographickeysinvolatilememorytobedestroyedorrenderedunrecoverable.

ApplicationNote:Thethreataddressedbythiselementistherecoveryofdisusedcryptographickeysfromvolatilememorybyunauthorizedprocesses.TheTSFmustdestroyorcausetobedestroyedallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.ThisrequirementisthesameforallinstancesofkeyswithinTOEvolatilememoryregardlessofwhetherthememoryiscontrolledbyTOEmanufacturersoftwareorbythird-partyTOEmodules.TheevaluationactivitiesaredesignedwithflexibilitytoaddresscaseswheretheTOEmanufacturerhaslimitedinsightintothebehaviorofthird-partyTOEcomponents.

ThepreferredmethodfordestroyingkeysinTOEvolatilememoryisbydirectoverwriteofthememoryoccupiedbythekeys.Thevaluesusedforoverwritingcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitselfsuchthatthekeysarerenderedinaccessibletorunningprocesses.

Someimplementationsmayfindthatdirectoverwritingofmemoryisnotfeasibleorpossibleduetoprogramminglanguageconstraints.Manymemory-andtype-safelanguagesprovidenomechanismforprogrammerstospecifythataparticularmemorylocationbeaccessedorwritten.Thevalueofsuchlanguagesisthatitismuchharderforaprogrammingerrortoresultinabufferorheapoverflow.Thedownsideisthatmultiplecopiesofkeysmightbescatteredthroughoutlanguage-runtimememory.Insuchcases,theTOEshouldtakewhateveractionsarefeasibletocausethekeystobecomeinaccessible—freeingmemory,destroyingobjects,closingapplications,programmingusingtheminimumpossiblescopeforvariablescontainingkeys.

Likewise,ifkeysresideinmemorywithintheexecutioncontextofathird-partymodule,thentheTOEshouldtakewhateverfeasibleactionsitcantocausethekeystobedestroyed.

Cryptographickeysinnon-TOEvolatilememoryarenotcoveredbythisrequirement.ThisexpresslyincludeskeyscreatedandusedbyGuestVMs.TheGuestisresponsiblefordisposingofsuchkeys.

FCS_CKM_EXT.4.2TheTSFshallcausedisusedcryptographickeysinnon-volatilestoragetobedestroyedorrenderedunrecoverable.

ApplicationNote:Theultimategoalofthiselementistoensurethatdisused

cryptographickeysareinaccessiblenotonlytocomponentsoftherunningsystem,butarealsounrecoverablethroughforensicanalysisofdiscardedstoragemedia.Theelementisdesignedtoreflectthefactthatthelattermaynotbewhollypracticalatthistimeduetothewaysomestoragetechnologiesareimplemented(e.g.,wear-levelingofflashstorage).Keystorageareasinnon-volatilestoragecanbeoverwrittenwithanyvaluethatrendersthekeysunrecoverable.Thevalueusedcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitself.

TheTSFmustdestroyallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.Sincethisisasoftware-onlyTOE,thehardwarecontrollersthatmanagenon-volatilestoragemediaarenecessarilyoutsidetheTOEboundary.Thus,theTOEmanufacturerislikelytohavelittlecontrolover—orinsightinto—thefunctioningofthesestoragedevices.TheTOEmustmakea“best-effort”todestroydisusedcryptographickeysbyinvokingtheappropriateplatforminterfaces—recognizingthatthespecificactionstakenbytheplatformareoutoftheTOE’scontrol.

ButincaseswheretheTOEhasinsightintothenon-volatilestoragetechnologiesusedbytheplatform,orwheretheTOEcanspecifyapreferenceormethodfordestroyingkeys,thedestructionshouldbeexecutedbyasingle,directoverwriteconsistingofpseudorandomdataoranewkey,byarepeatingpatternofanystaticvalue,orbyablockerase.

Forkeysstoredonencryptedmedia,itissufficientforthemediaencryptionkeystobedestroyedforallkeysstoredonthemediatobeconsidereddestroyed.


FCS_CKM_EXT.4TSSTheevaluatorshallchecktoensuretheTSSlistseachtypeofkeyanditsoriginandlocationinmemoryorstorage.TheevaluatorshallverifythattheTSSdescribeswheneachtypeofkeyiscleared.TestsForeachkeyclearingsituationtheevaluatorshallperformoneofthefollowingactivities:

Theevaluatorshalluseappropriatecombinationsofspecializedoperationalordevelopmentenvironments,developmenttools(debuggers,emulators,simulators,etc.),orinstrumentedbuilds(developmental,debug,orrelease)todemonstratethatkeysareclearedcorrectly,includingallintermediatecopiesofthekeythatmayhavebeencreatedinternallybytheTOEduringnormalcryptographicprocessing.Incaseswheretestingrevealsthatthird-partysoftwaremodulesorprogramminglanguagerun-timeenvironmentsdonotproperlyoverwritekeys,thisfactmustbedocumented.Likewise,itmustbedocumentedifthereisnopracticalwaytodeterminewhethersuchmodulesorenvironmentsdestroykeysproperly.Incaseswhereitisimpossibleorimpracticabletoperformtheabovetests,theevaluatorshalldescribehowkeysaredestroyedinsuchcases,toinclude:

WhichkeysareaffectedThereasonswhytestingisimpossibleorimpracticableEvidencethatkeysaredestroyedappropriately(e.g.,citationstocomponentdocumentation,componentdeveloper/vendorattestation,componentvendortestresults)Aggravatingandmitigatingfactorsthatmayaffectthetimelinessorexecutionofkeydestruction(e.g.,caching,garbagecollection,operatingsystemmemorymanagement)

UseofdebugorinstrumentedbuildsoftheTOEandTOEcomponentsispermittedinordertodemonstratethattheTOEtakesappropriateactiontodestroykeys.Thesebuildsshouldbebasedonthesamesourcecodeasarereleasebuilds(ofcourse,withinstrumentationanddebug-specificcodeadded).

FCS_COP.1/HashCryptographicOperation(Hashing)FCS_COP.1.1/Hash

TheTSFshallperform[cryptographichashing]inaccordancewithaspecifiedcryptographicalgorithm[selection:SHA-1,SHA-256,SHA-384,SHA-512,SHA-3-224,SHA-3-256,SHA-3-384,SHA-3-512]andmessagedigestsizes[selection:160,256,384,512bits]thatmeetthefollowing:[selection:FIPSPUB180-4"SecureHashStandard",ISO/IEC10118-3:2018]

ApplicationNote:PerNISTSP800-131A,SHA-1forgeneratingdigitalsignaturesisnolongerallowed,andSHA-1forverificationofdigitalsignaturesisstronglydiscouragedastheremayberiskinacceptingthesesignatures.Itis

expectedthatvendorswillimplementSHA-2algorithmsinaccordancewithSP800-131A.

Theintentofthisrequirementistospecifythehashingfunction.Thehashselectionshallsupportthemessagedigestsizeselection.Thehashselectionshouldbeconsistentwiththeoverallstrengthofthealgorithmused(forexample,SHA256for128-bitkeys).

ValidationGuidelines:

Rule#1:If"HMAC-SHA-1"isselectedinFCS_COP.1/KeyedHashthen"SHA-1"mustbeselectedinFCS_COP.1.1/Hash.

Rule#2:If"HMAC-SHA-256"isselectedinFCS_COP.1/KeyedHashthen"SHA-256"mustbeselectedinFCS_COP.1/Hash.Rule#3:If"HMAC-SHA-384"isselectedinFCS_COP.1/KeyedHashthen"SHA-384"mustbeselectedinFCS_COP.1/Hash.

Rule#4:If"HMAC-SHA-512"isselectedinFCS_COP.1/KeyedHashthen"SHA-512"mustbeselectedinFCS_COP.1/Hash.Rule#5:If"SHA-3-224"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-224"mustbeselectedinFCS_COP.1/Hash.

Rule#6:If"SHA-3-256"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-256"mustbeselectedinFCS_COP.1/Hash.

Rule#7:If"SHA-3-384"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-384"mustbeselectedinFCS_COP.1/Hash.Rule#8:If"SHA-3-512"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-512"mustbeselectedinFCS_COP.1/Hash.


FCS_COP.1/HashTSSTheevaluatorshallcheckthattheassociationofthehashfunctionwithotherTSFcryptographicfunctions(forexample,thedigitalsignatureverificationfunction)isdocumentedintheTSS.GuidanceTheevaluatorcheckstheAGDdocumentstodeterminethatanyconfigurationthatisrequiredtobedonetoconfigurethefunctionalityfortherequiredhashsizesispresent.TestsSHA-1andSHA-2TestsTheTSFhashingfunctionscanbeimplementedinoneoftwomodes.Thefirstmodeisthebyte-orientedmode.InthismodetheTSFonlyhashesmessagesthatareanintegralnumberofbytesinlength;i.e.,thelength(inbits)ofthemessagetobehashedisdivisibleby8.Thesecondmodeisthebit-orientedmode.InthismodetheTSFhashesmessagesofarbitrarylength.Astherearedifferenttestsforeachmode,anindicationisgiveninthefollowingsectionsforthebit-orientedvs.thebyte-orientedtestMACs.TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

ShortMessagesTestBit-orientedModeTheevaluatorsdeviseaninputsetconsistingofm+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tombits.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.ShortMessagesTestByte-orientedModeTheevaluatorsdeviseaninputsetconsistingofm/8+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tom/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.SelectedLongMessagesTestBit-orientedModeTheevaluatorsdeviseaninputsetconsistingofmmessages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+99*i,where1�i�m.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

SelectedLongMessagesTestByte-orientedModeTheevaluatorsdeviseaninputsetconsistingofm/8messages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+8*99*i,where1�i�m/8.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.PseudorandomlyGeneratedMessagesTestThistestisforbyte-orientedimplementationsonly.Theevaluatorsrandomlygenerateaseedthatisnbitslong,wherenisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Theevaluatorsthenformulateasetof100messagesandassociateddigestsbyfollowingthealgorithmprovidedinFigure1of[SHAVS].TheevaluatorsthenensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.SHA-3TestsThetestsbelowarederivedfromtheTheSecureHashAlgorithm-3ValidationSystem(SHA3VS),Updated:April7,2016,fromtheNationalInstituteofStandardsandTechnology.

ForeachSHA-3-XXXimplementation,XXXrepresentsd,thedigestlengthinbits.Thecapacity,c,isequalto2dbits.Therateisequalto1600-cbits.

TheTSFhashingfunctionscanbeimplementedwithoneoftwoorientations.Thefirstisabit-orientedmodethathashesmessagesofarbitrarylength.Thesecondisabyte-orientedmodethathashesmessagesthatareanintegralnumberofbytesinlength(i.e.,thelength(inbits)ofthemessagetobehashedisdivisibleby8).Separatetestsforeachorientationaregivenbelow.

TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmandorientationimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.Theevaluatorshallcomparedigestvaluesproducedbyaknown-goodSHA-3implementationagainstthosegeneratedbyrunningthesamevaluesthroughtheTSF.

ShortMessagesTest,Bit-orientedMode

Theevaluatorsdeviseaninputsetconsistingofrate+1shortmessages.Thelengthofthemessagesrangessequentiallyfrom0toratebits.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.Themessageoflength0isomittediftheTOEdoesnotsupportzero-lengthmessages.

ShortMessagesTest,Byte-orientedMode

Theevaluatorsdeviseaninputsetconsistingofrate/8+1shortmessages.Thelengthofthemessagesrangessequentiallyfrom0torate/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.Themessageoflength0isomittediftheTOEdoesnotsupportzero-lengthmessages.

SelectedLongMessagesTest,Bit-orientedMode

Theevaluatorsdeviseaninputsetconsistingof100longmessagesranginginsizefromrate+(rate+1)torate+(100*(rate+1)),incrementingbyrate+1.(Forexample,SHA-3-256hasarateof1088bits.Therefore,100messageswillbegeneratedwithlengths2177,3266,…,109988bits.)Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

SelectedLongMessagesTest,Byte-orientedMode

Theevaluatorsdeviseaninputsetconsistingof100messagesranginginsizefrom(rate+(rate+8))to(rate+100*(rate+8)),incrementingbyrate+8.(Forexample,SHA-3-256hasarateof1088bits.Therefore100messageswillbegeneratedoflengths2184,3280,4376,…,110688bits.)Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

PseudorandomlyGeneratedMessagesMonteCarlo)Test,Byte-orientedMode

Theevaluatorssupplyaseedofdbits(wheredisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Thisseedisusedbyapseudorandomfunctiontogenerate100,000messagedigests.Onehundredofthedigests(every1000thdigest)arerecordedascheckpoints.TheTOEthenusesthesameproceduretogeneratethesame100,000messagedigestsand100checkpointvalues.TheevaluatorsthencomparetheresultsgeneratedtoensurethatthecorrectresultisproducedwhenthemessagesaregeneratedbytheTSF.

FCS_COP.1/KeyedHashCryptographicOperation(KeyedHashAlgorithms)FCS_COP.1.1/KeyedHash

TheTSFshallperform[keyed-hashmessageauthentication]inaccordancewithaspecifiedcryptographicalgorithm[selection:HMAC-SHA-1,HMAC-SHA-256,HMAC-SHA-384,HMAC-SHA-512,SHA-3-224,SHA-3-256,SHA-3-384,SHA-3-512]andcryptographickeysizes[assignment:keysize(inbits)usedinHMAC]andmessagedigestsizes[selection:160,256,384,512bits]thatmeetthefollowing:[FIPSPub198-1,"TheKeyed-HashMessageAuthenticationCode,"andFIPSPub180-4,“SecureHashStandard"].

ApplicationNote:Theselectioninthisrequirementmustbeconsistentwiththekeysizespecifiedforthesizeofthekeysusedinconjunctionwiththekeyed-hashmessageauthentication.ValidationGuidelines:

Rule#1:If"HMAC-SHA-1"isselectedinFCS_COP.1/KeyedHashthen"SHA-1"mustbeselectedinFCS_COP.1.1/Hash.Rule#2:If"HMAC-SHA-256"isselectedinFCS_COP.1/KeyedHashthen"SHA-256"mustbeselectedinFCS_COP.1/Hash.

Rule#3:If"HMAC-SHA-384"isselectedinFCS_COP.1/KeyedHashthen"SHA-384"mustbeselectedinFCS_COP.1/Hash.

Rule#4:If"HMAC-SHA-512"isselectedinFCS_COP.1/KeyedHashthen"SHA-512"mustbeselectedinFCS_COP.1/Hash.Rule#5:If"SHA-3-224"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-224"mustbeselectedinFCS_COP.1/Hash.

Rule#6:If"SHA-3-256"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-256"mustbeselectedinFCS_COP.1/Hash.Rule#7:If"SHA-3-384"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-384"mustbeselectedinFCS_COP.1/Hash.

Rule#8:If"SHA-3-512"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-512"mustbeselectedinFCS_COP.1/Hash.


FCS_COP.1/KeyedHashTSSTheevaluatorshallexaminetheTSStoensurethatitspecifiesthefollowingvaluesusedbytheHMACfunction:keylength,hashfunctionused,blocksize,andoutputMAClengthused.TestsThefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.Foreachofthesupportedparametersets,theevaluatorshallcompose15setsoftestdata.Eachsetshallconsistofakeyandmessagedata.TheevaluatorshallhavetheTSFgenerateHMACtagsforthesesetsoftestdata.TheresultingMACtagsshallbecomparedtotheresultofgeneratingHMACtagswiththesamekeyandIVusingaknowngoodimplementation.

FCS_COP.1/SigCryptographicOperation(SignatureAlgorithms)FCS_COP.1.1/Sig

TheTSFshallperform[cryptographicsignatureservices(generationandverification)]inaccordancewithaspecifiedcryptographicalgorithm[selection:

RSAschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,Section4],ECDSAschemesusing[“NISTcurves”P-256,P-384and[selection:P-521,noothercurves]]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,Section5]

].

ApplicationNote:TheSTAuthorshouldchoosethealgorithmimplementedtoperformdigitalsignatures;ifmorethanonealgorithmisavailable,thisrequirementshouldbeiteratedtospecifythefunctionality.Forthealgorithmchosen,theSTauthorshouldmaketheappropriateassignments/selectionstospecifytheparametersthatareimplementedforthatalgorithm.


FCS_COP.1/SigTestsThefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

ECDSAAlgorithmTestsECDSAFIPS186-4SignatureGenerationTestForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerate101024-bitlongmessagesandobtainforeachmessageapublickeyandtheresultingsignaturevaluesRandS.Todeterminecorrectness,theevaluatorshallusethesignatureverificationfunctionofaknowngoodimplementation.ECDSAFIPS186-4SignatureVerificationTestForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerateasetof101024-bitmessage,publickeyandsignaturetuplesandmodifyoneofthevalues(message,publickeyorsignature)infiveofthe10tuples.Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.

RSASignatureAlgorithmTestsSignatureGenerationTestTheevaluatorshallverifytheimplementationofRSASignatureGenerationbytheTOEusingtheSignatureGenerationTest.Toconductthistest,theevaluatorshallgenerateorobtain10messagesfromatrustedreferenceimplementationforeachmodulussize/SHAcombinationsupportedbytheTSF.TheevaluatorshallhavetheTOEusetheirprivatekeyandmodulusvaluetosignthesemessages.TheevaluatorshallverifythecorrectnessoftheTSF’ssignatureusingaknowngoodimplementationandtheassociatedpublickeystoverifythesignatures.

SignatureVerificationTestTheevaluatorshallperformtheSignatureVerificationtesttoverifytheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidsignatures.TheevaluatorshallinjecterrorsintothetestvectorsproducedduringtheSignatureVerificationTestbyintroducingerrorsinsomeofthepublickeyse,messages,IRformat,orsignatures.TheTOEattemptstoverifythesignaturesandreturnssuccessorfailure.TheevaluatorshallusethesetestvectorstoemulatethesignatureverificationtestusingthecorrespondingparametersandverifythattheTOEdetectstheseerrors.

FCS_COP.1/UDECryptographicOperation(AESDataEncryption/Decryption)FCS_COP.1.1/UDE

TheTSFshallperform[encryptionanddecryption]inaccordancewithaspecifiedcryptographicalgorithm[selection:

AESKeyWrap(KW)(asdefinedinNISTSP800-38F),AESKeyWrapwithPadding(KWP)(asdefinedinNISTSP800-38F),AES-GCM(asdefinedinNISTSP800-38D),AES-CCM(asdefinedinNISTSP800-38C),AES-XTS(asdefinedinNISTSP800-38E)mode,AES-CCMP-256(asdefinedinNISTSP800-38CandIEEE802.11ac-2013),AES-GCMP-256(asdefinedinNISTSP800-38DandIEEE802.11ac-2013),AES-CCMP(asdefinedinFIPSPUB197,NISTSP800-38CandIEEE802.11-2012),AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)mode,AES-CTR(asdefinedinNISTSP800-38A)mode

]andcryptographickeysizes[selection:128-bitkeysizes,256-bitkeysizes].

ApplicationNote:ForthefirstselectionofFCS_COP.1.1/UDE,theSTauthorshouldchoosethemodeormodesinwhichAESoperates.Forthesecondselection,theSTauthorshouldchoosethekeysizesthataresupportedbythisfunctionality.


Rule#9:IftheSSHPackageisincludedintheSTthen"AES-CTR(asdefinedinNISTSP800-38A)mode,""128-bitkeysizes,"and"256-bitkeysizes"mustbeselectedinFCS_COP.1/UDE.

Rule#10:IftheTOEimplementsIPSecthen"AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)mode,""AES-GCM(asdefinedinNISTSP800-38D),""128-bitkeysizes,"and"256-bitkeysizes"mustbeselectedinFCS_COP.1/UDE.


FCS_COP.1/UDEThefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.TestsAES-CBCTestsAES-CBCKnownAnswerTestsTherearefourKnownAnswerTests(KATs),describedbelow.InallKATs,theplaintext,ciphertext,andIVvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.

KAT-1.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitall-zeroskey,andtheotherfiveshallbeencryptedwitha256-bitall-zeroskey.TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinputandAES-CBCdecryption.KAT-2.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeysshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usinganall-zerociphertextvalueasinputandAES-CBCdecryption.KAT-3.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluethatresultsfromAESencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondsetshallhave256256-bitkeys.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromAES-CBCdecryptionofthegivenciphertextusingthegivenkeyandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitkey/ciphertextpairs.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanall-zerosplaintextwhendecryptedwithitscorrespondingkey.

KAT-4.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromAES-CBCencryptionofthegivenplaintextusinga128-bitkeyvalueofallzeroswithanIVofallzerosandusinga256-bitkeyvalueofallzeroswithanIVofallzeros,respectively.Plaintextvalueiineachsetshallhavetheleftmostibitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinputandAES-CBCdecryption.

AES-CBCMulti-BlockMessageTestTheevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1<i�10.Theevaluatorshallchooseakey,anIVandplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.Theevaluatorshallalsotestthedecryptfunctionalityforeachmodebydecryptingani-blockmessagewhere1<i�10.Theevaluatorshallchooseakey,anIVandaciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkeyandIV.Theplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewith

thesamekeyandIVusingaknowngoodimplementation.

AES-CBCMonteCarloTestsTheevaluatorshalltesttheencryptfunctionalityusingasetof200plaintext,IV,andkey3-tuples.100oftheseshalluse128bitkeys,and100shalluse256bitkeys.TheplaintextandIVvaluesshallbe128-bitblocks.Foreach3-tuple,1000iterationsshallberunasfollows:

#Input:PT,IV,Keyfori=1to1000:ifi==1:CT[1]=AES-CBC-Encrypt(Key,IV,PT)PT=IVelse:CT[i]=AES-CBC-Encrypt(Key,PT)PT=CT[i-1]

Theciphertextcomputedinthe1000thiteration(i.e.,CT[1000])istheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.Theevaluatorshalltestthedecryptfunctionalityusingthesametestasforencrypt,exchangingCTandPTandreplacingAES-CBC-EncryptwithAES-CBC-Decrypt.

AES-CCMTestsTheevaluatorshalltestthegeneration-encryptionanddecryption-verificationfunctionalityofAES-CCMforthefollowinginputparameterandtaglengths:

128bitand256bitkeysTwopayloadlengths.Onepayloadlengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Theotherpayloadlengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).Twoorthreeassociateddatalengths.Oneassociateddatalengthshallbe0,ifsupported.Oneassociateddatalengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Oneassociateddatalengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).Iftheimplementationsupportsanassociateddatalengthof216bytes,anassociateddatalengthof216bytesshallbetested.

Noncelengths.Allsupportednoncelengthsbetween7and13bytes,inclusive,shallbetested.Taglengths.Allsupportedtaglengthsof4,6,8,10,12,14and16bytesshallbetested.Totestthegeneration-encryptionfunctionalityofAES-CCM,theevaluatorshallperformthefollowingfourtests:

Test1:ForEACHsupportedkeyandassociateddatalengthandANYsupportedpayload,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.Test2:ForEACHsupportedkeyandpayloadlengthandANYsupportedassociateddata,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.Test3:ForEACHsupportedkeyandnoncelengthandANYsupportedassociateddata,payloadandtaglength,theevaluatorshallsupplyonekeyvalueand10associateddata,payloadandnoncevalue3-tuplesandobtaintheresultingciphertext.Test4:ForEACHsupportedkeyandtaglengthandANYsupportedassociateddata,payloadandnoncelength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.

Todeterminecorrectnessineachoftheabovetests,theevaluatorshallcomparetheciphertextwiththeresultofgeneration-encryptionofthesameinputswithaknowngoodimplementation.Totestthedecryption-verificationfunctionalityofAES-CCM,forEACHcombinationofsupportedassociateddatalength,payloadlength,noncelengthandtaglength,theevaluatorshallsupplyakeyvalueand15nonce,associateddataandciphertext3-tuplesandobtaineitheraFAILresultoraPASSresultwiththedecryptedpayload.Theevaluatorshallsupply10tuplesthatshouldFAILand5thatshouldPASSpersetof15.Additionally,theevaluatorshallusetestsfromtheIEEE802.11-02/362r6document“ProposedTestvectorsforIEEE802.11TGi”,datedSeptember10,2002,Section2.1AES-CCMPEncapsulationExampleandSection2.2AdditionalAESCCMPTestVectorstofurtherverifytheIEEE802.11-2007implementationofAES-CCMP.AES-GCMTestTheevaluatorshalltesttheauthenticatedencryptfunctionalityofAES-GCMforeachcombinationofthefollowinginputparameterlengths:

128bitand256bitkeysTwoplaintextlengths.Oneoftheplaintextlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Theotherplaintextlengthshallnotbeanintegermultipleof128bits,ifsupported.

ThreeAADlengths.OneAADlengthshallbe0,ifsupported.OneAADlengthshallbeanon-zerointegermultipleof128bits,ifsupported.OneAADlengthshallnotbeanintegermultipleof128bits,ifsupported.

TwoIVlengths.If96bitIVissupported,96bitsshallbeoneofthetwoIVlengthstested.Theevaluatorshalltesttheencryptfunctionalityusingasetof10key,plaintext,AAD,andIVtuplesforeachcombinationofparameterlengthsaboveandobtaintheciphertextvalueandtagthatresultsfromAES-GCMauthenticatedencrypt.Eachsupportedtaglengthshallbetestedatleastoncepersetof10.TheIVvaluemaybesuppliedbytheevaluatorortheimplementationbeingtested,aslongasitisknown.Theevaluatorshalltestthedecryptfunctionalityusingasetof10key,ciphertext,tag,AAD,andIV5-tuplesforeachcombinationofparameterlengthsaboveandobtainaPass/FailresultonauthenticationandthedecryptedplaintextifPass.ThesetshallincludefivetuplesthatPassandfivethatFail.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.

XTS-AESTestTheevaluatorshalltesttheencryptfunctionalityofXTS-AESforeachcombinationofthefollowinginputparameterlengths:

256bit(forAES-128)and512bit(forAES-256)keysThreedataunit(i.e.,plaintext)lengths.Oneofthedataunitlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Oneofthedataunitlengthsshallbeanintegermultipleof128bits,ifsupported.Thethirddataunitlengthshallbeeitherthelongestsupporteddataunitlengthor216bits,whicheverissmaller.

usingasetof100(key,plaintextand128-bitrandomtweakvalue)3-tuplesandobtaintheciphertextthatresultsfromXTS-AESencrypt.Theevaluatormaysupplyadataunitsequencenumberinsteadofthetweakvalueiftheimplementationsupportsit.Thedataunitsequencenumberisabase-10numberrangingbetween0and255thatimplementationsconverttoatweakvalueinternally.TheevaluatorshalltestthedecryptfunctionalityofXTS-AESusingthesametestasforencrypt,replacingplaintextvalueswithciphertextvaluesandXTS-AESencryptwithXTS-AESdecrypt.

AESKeyWrap(AES-KW)andKeyWrapwithPadding(AES-KWP)TestTheevaluatorshalltesttheauthenticatedencryptionfunctionalityofAES-KWforEACHcombinationofthefollowinginputparameterlengths:

128and256bitkeyencryptionkeys(KEKs)Threeplaintextlengths.Oneoftheplaintextlengthsshallbetwosemi-blocks(128bits).Oneoftheplaintextlengthsshallbethreesemi-blocks(192bits).Thethirddataunitlengthshallbethelongestsupportedplaintextlengthlessthanorequalto64semi-blocks(4096bits).

usingasetof100keyandplaintextpairsandobtaintheciphertextthatresultsfromAES-KWauthenticatedencryption.Todeterminecorrectness,theevaluatorshallusetheAES-KWauthenticated-encryptionfunctionofaknowngoodimplementation.Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWusingthesametestasforauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWauthenticated-encryptionwithAES-KWauthenticated-decryption.Theevaluatorshalltesttheauthenticated-encryptionfunctionalityofAES-KWPusingthesametestasforAES-KWauthenticated-encryptionwiththefollowingchangeinthethreeplaintextlengths:Oneplaintextlengthshallbeoneoctet.Oneplaintextlengthshallbe20octets(160bits).Oneplaintextlengthshallbethelongestsupportedplaintextlengthlessthanorequalto512octets(4096bits).Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWPusingthesametestasforAES-KWPauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWPauthenticated-encryptionwithAES-KWPauthenticated-decryption.AES-CTRTest

Test1:KnownAnswerTests(KATs)TherearefourKnownAnswerTests(KATs)describedbelow.ForallKATs,theplaintext,initializationvector(IV),andciphertextvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbythevalidatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.

Test1a:Totesttheencryptfunctionality,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitallzeroskey,andtheotherfiveshallbeencryptedwitha256-bitallzeroskey.Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinput.

Test1b:Totesttheencryptfunctionality,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromencryptionofanallzerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeyvaluesshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,usinganallzerociphertextvalueasinput.Test1c:Totesttheencryptfunctionality,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluesthatresultfromAESencryptionofanallzerosplaintextusingthegivenkeyvaluesandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondshallhave256256-bitkeys.Key_iineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Totestthedecryptfunctionality,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromdecryptionofthegivenciphertextusingthegivenkeyvaluesandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitpairs.Key_iineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezerosforiin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanallzerosplaintextwhendecryptedwithitscorrespondingkey.

Test1d:Totesttheencryptfunctionality,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromencryptionofthegivenplaintextusinga128-bitkeyvalueofallzerosandusinga256bitkeyvalueofallzeros,respectively,andanIVofallzeros.Plaintextvalueiineachsetshallhavetheleftmostbitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinput.Test2:Multi-BlockMessageTestTheevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1less-thaniless-than-or-equalto10.Foreachitheevaluatorshallchooseakey,IV,andplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkey.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.Theevaluatorshallalsotestthedecryptfunctionalitybydecryptingani-blockmessagewhere1less-thaniless-than-or-equalto10.Foreachitheevaluatorshallchooseakeyandaciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkey.Theplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewiththesamekeyusingaknowngoodimplementation.

Test3:Monte-CarloTestForAES-CTRmodeperformtheMonteCarloTestforECBModeontheencryptionengineofthecountermodeimplementation.Thereisnoneedtotestthedecryptionengine.Theevaluatorshalltesttheencryptfunctionalityusing200plaintext/keypairs.100oftheseshalluse128bitkeys,and100oftheseshalluse256bitkeys.Theplaintextvaluesshallbe128-bitblocks.Foreachpair,1000iterationsshallberunasfollows:ForAES-ECBmode#Input:PT,Keyfori=1to1000:CT[i]=AES-ECB-Encrypt(Key,PT)PT=CT[i]Theciphertextcomputedinthe1000thiterationistheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.

If"invokeplatform-provided"isselected,theevaluatorconfirmsthatSSHconnectionsareonlysuccessfulifappropriatealgorithmsandappropriatekeysizesareconfigured.Todothis,theevaluatorshallperformthefollowingtests:

Test1:[Conditional:TOEisanSSHserver]TheevaluatorshallconfigureanSSHclienttoconnectwithaninvalidcryptographicalgorithmandkeysizeforeachlisteningSSHsocketconnectionontheTOE.TheevaluatorinitiatesSSHclientconnectionstoeachlisteningSSHsocketconnectionontheTOEandobservesthattheconnectionfailsineachattempt.Test2:[Conditional:TOEisanSSHclient]TheevaluatorshallconfigurealisteningSSHsocketonaremoteSSHserverthatacceptsonlyinvalidcryptographicalgorithmsandkeys.TheevaluatorusestheTOEtoattemptanSSHconnectiontothisserverandobservesthattheconnectionfails.

FCS_ENT_EXT.1EntropyforVirtualMachinesFCS_ENT_EXT.1.1

TheTSFshallprovideamechanismtomakeavailabletoVMsentropythatmeetsFCS_RBG_EXT.1through[selection:Hypercallinterface,virtualdeviceinterface,passthroughaccesstohardwareentropysource].

FCS_ENT_EXT.1.2TheTSFshallprovideindependententropyacrossmultipleVMs.

ApplicationNote:ThisrequirementensuresthatsufficiententropyisavailabletoanyVMthatrequiresit.Theentropyneednotprovidehigh-qualityentropyforeverypossiblemethodthataVMmightacquireit.TheVMMmust,however,providesomemeansforVMstogetsufficiententropy.Forexample,theVMMcanprovideaninterfacethatreturnsentropytoaGuestVM.Alternatively,theVMMcouldprovidepass-throughaccesstoentropysourcesprovidedbythehostplatform.

Thisrequirementallowsforthreegeneralwaysofprovidingentropytoguests:1)TheVScanprovideaHypercallaccessibletoVM-awareguests,2)accesstoavirtualizeddevicethatprovidesentropy,or3)pass-throughaccesstoahardwareentropysource(includingasourceofrandomnumbers).Inallcases,itispossiblethattheguestismadeVM-awarethroughinstallationofsoftwareordrivers.Forthesecondandthirdcases,itispossiblethattheguestcouldbeVM-unaware.ThereisnorequirementthattheTOEprovideentropysourcesasexpectedbyVM-unawareguests.Thatis,theTOEdoesnothavetoanticipateeverywayaguestmighttrytoacquireentropyaslongasitsuppliesamechanismthatcanbeusedbyVM-awareguests,orprovidesaccesstoastandardmechanismthataVM-unawareguestwoulduse.

TheSTauthorshouldselect“Hypercallinterface”iftheTSFprovidesanAPIfunctionthroughwhichguest-residentsoftwarecanobtainentropyorrandomnumbers.TheSTauthorshouldselect“virtualdeviceinterface”iftheTSFpresentsavirtualdeviceinterfacetotheGuestOSthroughwhichitcanobtainentropyorrandomnumbers.Suchaninterfacecouldpresentavirtualizedrealdevice,suchasaTPM,thatcanbeaccessedbyVM-unawareguests,oravirtualizedfictionaldevicethatwouldrequiretheGuestOStobeVM-aware.TheSTauthorshouldselect“passthroughaccesstohardwareentropysource”iftheTSFpermitsGuestVMstohavedirectaccesstohardwareentropyorrandomnumbersourceontheplatform.TheSTauthorshouldselectallitemsthatareappropriate.

ForFCS_ENT_EXT.1.2,theVMMmustensurethattheprovisionofentropytooneVMcannotaffectthequalityofentropyprovidedtoanotherVMonthesameplatform.


FCS_ENT_EXT.1TSSTheevaluatorshallverifythattheTSSdescribeshowtheTOEprovidesentropytoGuestVMs,andhowtoaccesstheinterfacetoacquireentropyorrandomnumbers.TheevaluatorshallverifythattheTSSdescribesthemechanismsforensuringthatoneVMdoesnotaffecttheentropyacquiredbyanother.TestsTheevaluatorshallperformthefollowingtests:

Test1:TheevaluatorshallinvokeentropyfromeachGuestVM.TheevaluatorshallverifythateachVMacquiresvaluesfromtheinterface.Test2:TheevaluatorshallinvokeentropyfrommultipleVMsasnearlysimultaneouslyaspracticable.TheevaluatorshallverifythattheentropyusedinoneVMisnotidenticaltothatinvokedfromtheotherVMs.

FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)FCS_RBG_EXT.1.1

TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)]

FCS_RBG_EXT.1.2ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:asoftware-basednoisesource,ahardware-basednoisesource]withaminimumof[selection:128bits,192bits,256bits]ofentropyat

leastequaltothegreatestsecuritystrengthaccordingtoNISTSP800-57,ofthekeysandhashesthatitwillgenerate.

ApplicationNote:NISTSP800-90Acontainsthreedifferentmethodsofgeneratingrandomnumbers;eachofthese,inturn,dependsonunderlyingcryptographicprimitives(hashfunctions/ciphers).TheSTauthorwillselectthefunctionused,andincludethespecificunderlyingcryptographicprimitivesusedintherequirement.Whileanyoftheidentifiedhashfunctions(SHA-1,SHA-224,SHA-256,SHA-384,SHA-44512)areallowedforHash_DRBGorHMAC_DRBG,onlyAES-basedimplementationsforCTR_DRBGareallowed.

IfthekeylengthfortheAESimplementationusedhereisdifferentthanthatusedtoencrypttheuserdata,thenFCS_COP.1/UDEmayhavetobeadjustedoriteratedtoreflectthedifferentkeylength.FortheselectioninFCS_RBG_EXT.1.2,theSTauthorselectstheminimumnumberofbitsofentropythatisusedtoseedtheRBG.


FCS_RBG_EXT.1Documentationshallbeproduced—andtheevaluatorshallperformtheactivities—inaccordancewithTestsTheevaluatorshallalsoperformthefollowingtests,dependingonthestandardtowhichtheRBGconforms.Theevaluatorshallperform15trialsfortheRBGimplementation.IftheRBGisconfigurable,theevaluatorshallperform15trialsforeachconfiguration.TheevaluatorshallalsoconfirmthattheoperationalguidancecontainsappropriateinstructionsforconfiguringtheRBGfunctionality.IftheRBGhaspredictionresistanceenabled,eachtrialconsistsof(1)instantiateDRBG,(2)generatethefirstblockofrandombits(3)generateasecondblockofrandombits(4)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thenexttwoareadditionalinputandentropyinputforthefirstcalltogenerate.Thefinaltwoareadditionalinputandentropyinputforthesecondcalltogenerate.Thesevaluesarerandomlygenerated.“generateoneblockofrandombits”meanstogeneraterandombitswithnumberofreturnedbitsequaltotheOutputBlockLength(asdefinedinNISTSP800-90A).IftheRBGdoesnothavepredictionresistance,eachtrialconsistsof(1)instantiateDRBG,(2)generatethefirstblockofrandombits(3)reseed,(4)generateasecondblockofrandombits(5)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thefifthvalueisadditionalinputtothefirstcalltogenerate.Thesixthandseventhareadditionalinputandentropyinputtothecalltoreseed.Thefinalvalueisadditionalinputtothesecondgeneratecall.Thefollowingparagraphscontainmoreinformationonsomeoftheinputvaluestobegenerated/selectedbytheevaluator.

Entropyinput:thelengthoftheentropyinputvaluemustequaltheseedlengthNonce:Ifanonceissupported(CTR_DRBGwithnodfdoesnotuseanonce),thenoncebitlengthisone-halftheseedlength.Personalizationstring:Thelengthofthepersonalizationstringmustbe<=seedlength.Iftheimplementationonlysupportsonepersonalizationstringlength,thenthesamelengthcanbeusedforbothvalues.Ifmorethanonestringlengthissupported,theevaluatorshallusepersonalizationstringsoftwodifferentlengths.Iftheimplementationdoesnotuseapersonalizationstring,novalueneedstobesupplied.Additionalinput:theadditionalinputbitlengthshavethesamedefaultsandrestrictionsasthepersonalizationstringlengths.

5.1.4UserDataProtection(FDP)

FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsFDP_HBI_EXT.1.1

TheTSFshalluse[selection:nomechanism,[assignment:listofplatform-provided,hardware-basedmechanisms]]toconstrainaGuestVM'sdirectaccesstothefollowingphysicaldevices:[selection:nodevices,[assignment:physicaldevicestowhichtheVMMallowsGuestVMsphysicalaccess]].

ApplicationNote:TheTSFmustuseavailablehardware-basedisolationmechanismstoconstrainVMswhenVMshavedirectaccesstophysicaldevices.“Directaccess”inthiscontextmeansthattheVMcanreadorwritedevice

memoryoraccessdeviceI/OportswithouttheVMMbeingabletointerceptandvalidateeverytransaction.


FDP_HBI_EXT.1TSSTheevaluatorshallensurethattheTSSprovidesevidencethathardware-basedisolationmechanismsareusedtoconstrainVMswhenVMshavedirectaccesstophysicaldevices,includinganexplanationoftheconditionsunderwhichtheTSFinvokestheseprotections.GuidanceTheevaluatorshallverifythattheoperationalguidancecontainsinstructionsonhowtoensurethattheplatform-provided,hardware-basedmechanismsareenabled.

FDP_PPR_EXT.1PhysicalPlatformResourceControlsFDP_PPR_EXT.1.1

TheTSFshallallowanauthorizedadministratortocontrolGuestVMaccesstothefollowingphysicalplatformresources:[assignment:listofphysicalplatformresourcestheVMMisabletocontrolaccessto].

FDP_PPR_EXT.1.2TheTSFshallexplicitlydenyallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisexplicitlydenied]].

FDP_PPR_EXT.1.3TheTSFshallexplicitlyallowallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisalwaysallowed]].

ApplicationNote:Forpurposesofthisrequirement,physicalplatformresourcesaredividedintothreecategories:

1. thosetowhichGuestOSaccessisconfigurableandmoderatedbytheVMM2. thosetowhichtheGuestOSisneverallowedtohavedirectaccess,and3. thosetowhichtheGuestOSisalwaysallowedtohavedirectaccess.

Forelement1,theSTauthorliststhephysicalplatformresourcesthatcanbeconfiguredforGuestVMaccessbyanadministrator.Forelement2,theSTauthorliststhephysicalplatformresourcestowhichGuestVMsmayneverbealloweddirectaccess.Iftherearenosuchresources,theSTauthorselects"nophysicalplatformresources."Likewise,anyresourcestowhichallGuestVMsautomaticallyhaveaccesstoaretobelistedinthethirdelement.Iftherearenosuchresources,then"nophysicalplatformresources"isselected.


FDP_PPR_EXT.1TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthemechanismbywhichtheVMMcontrolsaGuestVM'saccesstophysicalplatformresources.ThisdescriptionshallcoverallofthephysicalplatformsallowedintheevaluatedconfigurationbytheST.ItshouldexplainhowtheVMMdistinguishesamongGuestVMs,andhoweachphysicalplatformresourcethatiscontrollable(thatis,listedintheassignmentstatementinthefirstelement)isidentifiedtoanAdministrator.TheevaluatorshallensurethattheTSSdescribeshowtheGuestVMisassociatedwitheachphysicalresource,andhowotherGuestVMscannotaccessaphysicalresourcewithoutbeinggrantedexplicitaccess.ForTOEsthatimplementarobustinterface(otherthanjust"allowaccess"or"denyaccess"),theevaluatorshallensurethattheTSSdescribesthepossibleoperationsormodesofaccessbetweenaGuestVM'sandphysicalplatformresources.Ifphysicalresourcesarelistedinthesecondelement,theevaluatorshallexaminetheTSSandoperationalguidancetodeterminethatthereappearstobenowaytoconfigurethoseresourcesforaccessbyaGuestVM.Theevaluatorshalldocumentintheevaluationreporttheiranalysisofwhythecontrolsofferedtoconfigureaccesstophysicalresourcescan'tbeusedtospecifyaccesstotheresourcesidentifiedinthesecondelement(forexample,iftheinterfaceoffersadrop-downlistofresourcestoassign,andthedeniedresourcesarenotincludedonthatlist,thatwouldbesufficientjustificationintheevaluationreport).GuidanceTheevaluatorshallexaminetheoperationalguidancetodeterminethatitdescribeshowanadministratorisabletoconfigureaccesstophysicalplatformresourcesforGuestVMsforeach

platformallowedintheevaluatedconfigurationaccordingtotheST.Theevaluatorshallalsodeterminethattheoperationalguidanceidentifiesthoseresourceslistedinthesecondandthirdelementsofthecomponentandnotesthataccesstotheseresourcesisexplicitlydenied/allowed,respectively.TestsUsingtheoperationalguidance,theevaluatorshallperformthefollowingtestsforeachphysicalplatformidentifiedintheST:

Test1:Foreachphysicalplatformresourceidentifiedinthefirstelement,theevaluatorshallconfigureaGuestVMtohaveaccesstothatresourceandshowthattheGuestVMisabletosuccessfullyaccessthatresource.Test2:Foreachphysicalplatformresourceidentifiedinthefirstelement,theevaluatorshallconfigurethesystemsuchthataGuestVMdoesnothaveaccesstothatresourceandshowthattheGuestVMisunabletosuccessfullyaccessthatresource.Test3:[conditional]:ForTOEsthathavearobustcontrolinterface,theevaluatorshallexerciseeachelementoftheinterfaceasdescribedintheTSSandtheoperationalguidancetoensurethatthebehaviordescribedintheoperationalguidanceisexhibited.Test4:[conditional]:IftheTOEexplicitlydeniesaccesstocertainphysicalresources,theevaluatorshallattempttoaccesseachlisted(inFDP_PPR_EXT.1.2)physicalresourcefromaGuestVMandobservethataccessisdenied.Test5:[conditional]:IftheTOEexplicitlyallowsaccesstocertainphysicalresources,theevaluatorshallattempttoaccesseachlisted(inFDP_PPR_EXT.1.3)physicalresourcefromaGuestVMandobservethattheaccessisallowed.IftheoperationalguidancespecifiesthataccessisallowedsimultaneouslybymorethanoneGuestVM,theevaluatorshallattempttoaccesseachresourcelistedfrommorethanoneGuestVMandshowthataccessisallowed.

FDP_RIP_EXT.1ResidualInformationinMemoryFDP_RIP_EXT.1.1

TheTSFshallensurethatanypreviousinformationcontentofphysicalmemoryisclearedpriortoallocationtoaGuestVM.

ApplicationNote:PhysicalmemorymustbezeroedbeforeitismadeaccessibletoaVMforgeneralusebyaGuestOS.

ThepurposeofthisrequirementistoensurethataVMdoesnotreceivememorycontainingdatapreviouslyusedbyanotherVMorthehost.

“Forgeneraluse”meansforusebytheGuestOSinitspagetablesforrunningapplicationsorsystemsoftware.

ThisdoesnotapplytopagessharedbydesignorpolicybetweenVMsorbetweentheVMMsandVMs,suchasread-onlyOSpagesorpagesusedforvirtualdevicebuffers.


FDP_RIP_EXT.1TSSTheevaluatorshallensurethattheTSSdocumentstheprocessusedforclearingphysicalmemorypriortoallocationtoaGuestVM,providingdetailsonwhenandhowthisisperformed.Additionally,theevaluatorshallensurethattheTSSdocumentstheconditionsunderwhichphysicalmemoryisnotclearedpriortoallocationtoaGuestVM,anddescribeswhenandhowthememoryiscleared.

FDP_RIP_EXT.2ResidualInformationonDiskFDP_RIP_EXT.2.1

TheTSFshallensurethatanypreviousinformationcontentofphysicaldiskstorageisclearedtozerosuponallocationtoaGuestVM.

ApplicationNote:ThepurposeofthisrequirementistoensurethataVMdoesnotreceivediskstoragecontainingdatapreviouslyusedbyanotherVMorbythehost.

Clearingofdiskstorageonlyupondeallocationdoesnotmeetthisrequirement.

Thisdoesnotapplytodisk-residentfilessharedbydesignorpolicybetweenVMsorbetweentheVMMsandVMs,suchasread-onlydatafilesorfilesusedforinter-VMdatatransferspermittedbypolicy.


FDP_RIP_EXT.2TSSTheevaluatorshallensurethattheTSSdocumentshowtheTSFensuresthatdiskstorageiszeroeduponallocationtoGuestVMs.Also,theTSSmustdocumentanyconditionsunderwhichdiskstorageisnotclearedpriortoallocationtoaGuestVM.Anyfilesystemformatandmetadatainformationneededbytheevaluatortoperformthebelowtestshallbemadeavailabletotheevaluator,butneednotbepublishedintheTSS.TestsTheevaluatorshallperformthefollowingtest:

Test1:Onthehost,theevaluatorcreatesafilethatismorethanhalfthesizeofaconnectedphysicalstoragedevice(ormultiplefileswhoseindividualsizesadduptomorethanhalfthesizeofthestoragemedia).Thisfile(orfiles)shallbefilledentirelywithanon-zerovalue.Then,thefile(orfiles)shallbereleased(freedforusebutnotcleared).Next,theevaluator(asaVSAdministrator)createsavirtualdiskatleastthatlargeonthesamephysicalstoragedeviceandconnectsittoapowered-offVM.Then,fromoutsidetheGuestVM,scanthroughandcheckthatallthenon-metadata(asdocumentedintheTSS)inthefilecorrespondingtothatvirtualdiskissettozero.

FDP_VMS_EXT.1VMSeparationFDP_VMS_EXT.1.1

TheVSshallprovidethefollowingmechanismsfortransferringdatabetweenGuestVMs:[selection:

nomechanism,virtualnetworking,[assignment:otherinter-VMdatasharingmechanisms]

].

FDP_VMS_EXT.1.2TheTSFshallbydefaultenforceapolicyprohibitingsharingofdatabetweenGuestVMs.

FDP_VMS_EXT.1.3TheTSFshallallowAdministratorstoconfigurethemechanismsselectedinFDP_VMS_EXT.1.1toenableanddisablethetransferofdatabetweenGuestVMs.

FDP_VMS_EXT.1.4TheVSshallensurethatnoGuestVMisabletoreadortransferdatatoorfromanotherGuestVMexceptthroughthemechanismslistedinFDP_VMS_EXT.1.1.

ApplicationNote:ThefundamentalrequirementofaVirtualizationSystemistheabilitytoenforceseparationbetweeninformationdomainsimplementedasVirtualMachinesandVirtualNetworks.TheintentofthisrequirementistoensurethatVMs,VMMs,andtheVSasawholeisimplementedwiththisfundamentalrequirementinmind.

TheSTauthorshouldselect“nomechanism”intheunlikelyeventthattheVSimplementsnomechanismsfortransferringdatabetweenGuestVMs.Otherwise,theSTauthorshouldselect“virtualnetworking”andidentifyallothermechanismsthroughwhichdatacanbetransferredbetweenGuestVMs.

Examplesofnon-networkinter-VMsharingmechanismsare:Userinterface-basedmechanisms,suchascopy-pasteanddrag-and-dropSharedvirtualorphysicaldevicesAPI-basedmechanismssuchasHypercalls

FordatatransfermechanismsimplementedintermsofHypercallfunctions,FDP_VMS_EXT.1.3ismetifFPT_HCL_EXT.1.1ismetforthoseHypercallfunctions(Hypercallfunctionparametersarechecked).

Fordatatransfermechanismsthatusesharedphysicaldevices,FDP_VMS_EXT.1.3ismetifthedeviceislistedinandmeetsFDP_PPR_EXT.1.1(VMaccesstothephysicaldeviceisconfigurable).

Fordatatransfermechanismsthatusevirtualnetworking,FDP_VMS_EXT.1.3ismetifFDP_VNC_EXT.1.1ismet(VMaccesstovirtualnetworksisconfigurable).


FDP_VMS_EXT.1TSSTheevaluatorshallexaminetheTSStoverifythatitdocumentsallinter-VMcommunicationsmechanisms(asdefinedabove),andexplainshowtheTSFpreventsthetransferofdatabetweenVMsoutsideofthemechanismslistedinFDP_VMS_EXT.1.1.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensurethatitdocumentshowtoconfigureallinter-VMcommunicationsmechanisms,includinghowtheyareinvokedandhowtheyaredisabled.TestsTheevaluatorshallperformthefollowingtestsforeachdocumentedinter-VMcommunicationschannel:

Test1:a. CreatetwoVMswithoutspecifyinganycommunicationsmechanismoroverridingthe

defaultconfiguration.b. TestthatthetwoVMscannotcommunicatethroughthemechanismsselectedin

FDP_VMS_EXT.1.1.c. CreatetwonewVMs,overridingthedefaultconfigurationtoallowcommunications

throughachannelselectedinFDP_VMS_EXT.1.1.d. TestthatcommunicationscanbepassedbetweentheVMsthroughthechannel.e. CreatetwonewVMs,thefirstwiththeinter-VMcommunicationschannelcurrently

beingtestedenabled,andthesecondwiththeinter-VMcommunicationschannelcurrentlybeingtesteddisabled.

f. TestthatcommunicationscannotbepassedbetweentheVMsthroughthechannel.g. AsanAdministrator,enableinter-VMcommunicationsbetweentheVMsonthesecond

VM.h. Testthatcommunicationscanbepassedthroughtheinter-VMchannel.i. AsanAdministratoragain,disableinter-VMcommunicationsbetweenthetwoVMs.j. Testthatcommunicationscannolongerbepassedthroughthechannel.

FDP_VMS_EXT.1.2ismetifcommunicationisunsuccessfulinstep(b).FDP_VMS_EXT.1.3ismetifcommunicationissuccessfulinstep(d)andunsuccessfulinstep(f).

FDP_VNC_EXT.1VirtualNetworkingComponentsFDP_VNC_EXT.1.1

TheTSFshallallowAdministratorstoconfigurevirtualnetworkingcomponentstoconnectVMstoeachotherandtophysicalnetworks.

FDP_VNC_EXT.1.2TheTSFshallensurethatnetworktrafficvisibletoaGuestVMonavirtualnetwork--orvirtualsegmentofaphysicalnetwork--isvisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetworkorsegment.

ApplicationNote:Virtualnetworksmustbeseparatedfromoneanothertoprovideisolationcommensuratewiththatprovidedbyphysicallyseparatenetworks.ItmustnotbepossiblefordatatocrossbetweenproperlyconfiguredvirtualnetworksregardlessofwhetherthetrafficoriginatedfromalocalGuestVMoraremotehost.

UnprivilegedusersmustnotbeabletoconnectVMstoeachotherortoexternalnetworks.


FDP_VNC_EXT.1TSSTheevaluatorshallexaminetheTSS(oraproprietaryannex)toverifythatitdescribesthemechanismbywhichvirtualnetworktrafficisensuredtobevisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetwork.GuidanceTheevaluatormustensurethattheOperationalGuidancedescribeshowtocreatevirtualizednetworksandconnectVMstoeachotherandtophysicalnetworks.Tests

Test1:TheevaluatorshallassumetheroleoftheAdministratorandattempttoconfigureaVMtoconnecttoanetworkcomponent.Theevaluatorshallverifythattheattemptissuccessful.Theevaluatorshallthenassumetheroleofanunprivilegeduserandattemptthesameconnection.Iftheattemptfails,orthereisnowayforanunprivilegedusertoconfigureVMnetworkconnections,therequirementismet.Test2:TheevaluatorshallassumetheroleoftheAdministratorandattempttoconfigureaVMtoconnecttoaphysicalnetwork.Theevaluatorshallverifythattheattemptis

successful.Theevaluatorshallthenassumetheroleofanunprivilegeduserandmakethesameattempt.Iftheattemptfails,orthereisnowayforanunprivilegedusertoconfigureVMnetworkconnections,therequirementismet.

5.1.5IdentificationandAuthentication(FIA)

FIA_AFL_EXT.1AuthenticationFailureHandlingFIA_AFL_EXT.1.1

TheTSFshalldetectwhen[selection:[assignment:apositiveintegernumber],anadministratorconfigurablepositiveintegerwithina[assignment:rangeofacceptablevalues]

]unsuccessfulauthenticationattemptsoccurrelatedtoAdministratorsattemptingtoauthenticateremotelyusing[selection:usernameandpassword,usernameandPIN].

FIA_AFL_EXT.1.2Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmet,theTSFshall:[selection:preventtheoffendingAdministratorfromsuccessfullyestablishingaremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntil[assignment:actiontounlock]istakenbyanAdministrator,preventtheoffendingAdministratorfromsuccessfullyestablishingaremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntilanAdministrator-definedtimeperiodhaselapsed]

ApplicationNote:TheactiontobetakenshallbepopulatedintheselectionoftheSTanddefinedintheAdministratorguidance.

ThisrequirementappliestoadefinednumberofsuccessiveunsuccessfulremotepasswordorPIN-basedauthenticationattemptsanddoesnotapplytolocalAdministrativeaccess.CompliantTOEsmayoptionallyincludecryptographicandlocalauthenticationfailuresinthenumberofunsuccessfulauthenticationattempts.


FIA_AFL_EXT.1TestsTheevaluatorshallperformthefollowingtestsforeachcredentialselectedinFIA_AFL_EXT.1.1:TheevaluatorwillsetanAdministrator-configurablethresholdnforfailedattempts,ornotetheST-specifiedassignment.

Test1:Theevaluatorwillattempttoauthenticateremotelywiththecredentialn-1times.Theevaluatorwillthenattempttoauthenticateusingagoodcredentialandverifythatauthenticationissuccessful.Test2:Theevaluatorwillmakenattemptstoauthenticateusingabadcredential.Theevaluatorwillthenattempttoauthenticateusingagoodcredentialandverifythattheattemptisunsuccessful.NotethattheauthenticationattemptsandlockoutsmustalsobeloggedasspecifiedinFAU_GEN.1.

Afterreachingthelimitforunsuccessfulauthenticationattemptstheevaluatorwillproceedasfollows:

Test1:IftheAdministratoractionselectioninFIA_AFL_EXT.1.2isselected,thentheevaluatorwillconfirmbytestingthatfollowingtheoperationalguidanceandperformingeachactionspecifiedintheSTtore-enabletheremoteAdministrator’saccessresultsinsuccessfulaccess(whenusingvalidcredentialsforthatAdministrator).Test2:IfthetimeperiodselectioninFIA_AFL_EXT.1.2isselected,theevaluatorwillwaitforjustlessthanthetimeperiodconfiguredandshowthatanauthenticationattemptusingvalidcredentialsdoesnotresultinsuccessfulaccess.Theevaluatorwillthenwaituntiljustafterthetimeperiodconfiguredandshowthatanauthenticationattemptusingvalidcredentialsresultsinsuccessfulaccess.

FIA_UAU.5MultipleAuthenticationMechanismsFIA_UAU.5.1

TheTSFshallprovidethefollowingauthenticationmechanisms:[selection:[selection:local,directory-based]authenticationbasedonusernameandpassword,authenticationbasedonusernameandaPINthatreleasesanasymmetrickeystoredinOE-protectedstorage,

[selection:local,directory-based]authenticationbasedonX.509certificates,[selection:local,directory-based]authenticationbasedonanSSHpublickeycredential

]tosupportAdministratorauthentication.

ApplicationNote:Selectionof‘authenticationbasedonusernameandpassword’requiresthatFIA_PMG_EXT.1beincludedintheST.ThisalsorequiresthattheSTincludeamanagementfunctionforpasswordmanagement.IftheSTauthorselects‘authenticationbasedonanSSHpublic-keycredential’,theTSFshallbevalidatedagainsttheFunctionalPackageforSecureShell.TheSTmustincludeFIA_X509_EXT.1andFIA_X509_EXT.2if'authenticationbasedonX.509certificates'isselected.

PINsusedtoaccessOE-protectedstoragearesetandmanagedbytheOE-protectedstoragemechanism.ThusrequirementsonPINmanagementareoutsidethescopeoftheTOE.


Rule#11:If"directory-based"isselectedanywhereinFIA_UAU.5.1then"Abilitytoconfigurename/addressofdirectoryservertobindwith"mustbeselectedintheClientorServermodulemanagementfunctiontable.Rule#12:If"authenticationbasedonusernameandpassword"isselectedinFIA_UAU.5.1then"AbilitytoconfigureAdministratorpasswordpolicyasdefinedinFIA_PMG_EXT.1"mustbeselectedintheClientorServermodulemanagementfunctiontable.

FIA_UAU.5.2TheTSFshallauthenticateanyAdministrator’sclaimedidentityaccordingtothe[assignment:rulesdescribinghowthemultipleauthenticationmechanismsprovideauthentication].


FIA_UAU.5TestsIf‘usernameandpasswordauthentication‘isselected,theevaluatorwillconfiguretheVSwithaknownusernameandpasswordandconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernameandpassword.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernamebutanincorrectpassword.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

If‘usernameandPINthatreleasesanasymmetrickey‘isselected,theevaluatorwillexaminetheTSSforguidanceonsupportedprotectedstorageandwillthenconfiguretheTOEorOEtoestablishaPINwhichenablesreleaseoftheasymmetrickeyfromtheprotectedstorage(suchasaTPM,ahardwaretoken,orisolatedexecutionenvironment)withwhichtheVScaninterface.Theevaluatorwillthenconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernameandPIN.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernamebutanincorrectPIN.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

If‘X.509certificateauthentication‘isselected,theevaluatorwillgenerateanX.509v3certificateforanAdministratoruserwiththeClientAuthenticationEnhancedKeyUsagefieldset.TheevaluatorwillprovisiontheVSforauthenticationwiththeX.509v3certificate.TheevaluatorwillensurethatthecertificatesarevalidatedbytheVSasperFIA_X509_EXT.1.1andthenconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheX.509v3certificate.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:Theevaluatorwillgenerateasecondcertificateidenticaltothefirstexceptforthepublickeyandanyvaluesderivedfromthepublickey.TheevaluatorwillattempttoauthenticatetotheVSwiththiscertificate.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

If‘SSHpublic-keycredentialauthentication‘isselected,theevaluatorshallgenerateapublic-privatehostkeypairontheTOEusingRSAorECDSA,andasecondpublic-privatekeypaironaremoteclient.TheevaluatorshallprovisiontheVSwiththeclientpublickeyforauthenticationoverSSH,andconductthefollowingtests:

Test1:TheevaluatorwillattempttoauthenticatetotheVSusingamessagesignedbytheclientprivatekeythatcorrespondstoprovisionedclientpublickey.Theevaluatorwill

ensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillgenerateasecondclientkeypairandwillattempttoauthenticatetotheVSwiththeprivatekeyoverSSHwithoutfirstprovisioningtheVStosupportthenewkeypair.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.

FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationFIA_UIA_EXT.1.1

TheTSFshallrequireAdministratorstobesuccessfullyidentifiedandauthenticatedusingoneofthemethodsinFIA_UAU.5beforeallowinganyTSF-mediatedmanagementfunctiontobeperformedbythatAdministrator.

ApplicationNote:Usersdonothavetoauthenticate,onlyAdministratorsneedtoauthenticate.


FIA_UIA_EXT.1TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthelogonprocessforeachlogonmethod(local,remote(HTTPS,SSH,etc.))supportedfortheproduct.Thisdescriptionshallcontaininformationpertainingtothecredentialsallowed/used,anyprotocoltransactionsthattakeplace,andwhatconstitutesa“successfullogon.”Theevaluatorshallexaminetheoperationalguidancetodeterminethatanynecessarypreparatorysteps(e.g.,establishingcredentialmaterialsuchaspre-sharedkeys,tunnels,certificates)tologginginaredescribed.Foreachsupportedloginmethod,theevaluatorshallensuretheoperationalguidanceprovidesclearinstructionsforsuccessfullyloggingon.Ifconfigurationisnecessarytoensuretheservicesprovidedbeforeloginarelimited,theevaluatorshalldeterminethattheoperationalguidanceprovidessufficientinstructiononlimitingtheallowedservices.

5.1.6SecurityManagement(FMT)

FMT_SMO_EXT.1SeparationofManagementandOperationalNetworksFMT_SMO_EXT.1.1

TheTSFshallsupporttheseparationofmanagementandoperationalnetworktrafficthrough[selection:separatephysicalnetworks,separatelogicalnetworks,trustedchannelsasdefinedinFTP_ITC_EXT.1,dataencryptionusinganalgorithmspecifiedinFCS_COP.1/UDE].

ApplicationNote:Managementcommunicationsmustbeseparatefromuserworkloadcommunications.Administrativenetworktraffic—includingcommunicationsbetweenphysicalhostsconcerningloadbalancing,auditdata,VMstartupandshutdown—mustbeisolatedfromguestoperationalnetworks.Forpurposesofthisrequirement,managementtrafficalsoincludesVMstransmittedovermanagementnetworkswhetherforbackup,livemigration,ordeployment.

“Separatephysicalnetworks”referstousingseparatephysicalinterfacesandcablestoisolatemanagementandoperationalnetworksfromeachother.

“Separatelogicalnetworks”referstousinglogicalnetworkingconstructs,suchasseparateIPspacesorvirtualnetworkstoisolatetrafficacrossgeneral-purposenetworkingports.Managementandoperationalnetworksarekeptseparatewithinthehostsusingseparatevirtualizednetworkingcomponents.

IftheSTauthorselects“trustedchannels...”thentheprotocolsusedfornetworkseparationmustbeselectedinFTP_ITC_EXT.1.

TheSTauthorselects"dataencryption..."if,forexample,theTOEencryptsVMsasdatablobsforbackup,storage,deployment,orlivemigration,anddoesnotsendthedatathroughatunnel.IftheSTauthorselects"dataencryption..."thenthealgorithmsandkeysizesmustbeselectedinFCS_COP.1/UDE.

TheSTauthorshouldselectasmanymechanismsasapply.


FMT_SMO_EXT.1

TSSTheevaluatorshallexaminetheTSStoverifythatitdescribeshowmanagementandoperationaltrafficisseparated.GuidanceTheevaluatorshallexaminetheoperationalguidancetoverifythatitdetailshowtoconfiguretheVStokeepManagementandOperationaltrafficseparate.TestsTheevaluatorshallconfiguretheTOEasdocumentedintheguidance.Ifseparationislogical,thentheevaluatorshallcapturepacketsonthemanagementnetwork.IfplaintextGuestnetworktrafficisdetected,therequirementisnotmet.Ifseparationusestrustedchannels,thentheevaluatorshallcapturepacketsonthenetworkoverwhichtrafficistunneled.IfplaintextGuestnetworktrafficisdetected,therequirementisnotmet.Ifdataencryptionisused,thentheevaluatorshallcapturepacketsonthenetworkoverwhichthedataissentwhileaVMorotherlargedatastructureisbeingtransmitted.IfplaintextVMcontentsaredetected,therequirementisnotmet.

5.1.7ProtectionoftheTSF(FPT)

FPT_DVD_EXT.1Non-ExistenceofDisconnectedVirtualDevicesFPT_DVD_EXT.1.1

TheTSFshallpreventGuestVMsfromaccessingvirtualdeviceinterfacesthatarenotpresentintheVM’scurrentvirtualhardwareconfiguration.

ApplicationNote:ThevirtualizedhardwareabstractionimplementedbyaparticularVSmightincludethevirtualizedinterfacesformanydifferentdevices.SometimesthesedevicesarenotpresentinaparticularinstantiationofaVM.TheinterfacefordevicesnotpresentmustnotbeaccessiblebytheVM.

Suchinterfacesincludememorybuffers,PCIBusinterfaces,andprocessorI/Oports.

ThepurposeofthisrequirementistoreducetheattacksurfaceoftheVMMbyblockingaccesstounusedinterfaces.


FPT_DVD_EXT.1TestsTheevaluatorshallconnectadevicetoaVM,thenfromwithintheguestscantheVM'sdevicestoensurethattheconnecteddeviceispresent--usingadevicedriverorotheravailablemeanstoscantheVM'sI/OportsorPCIBusinterfaces.(Thedevice'sinterfaceshouldbedocumentedintheTSSunderFPT_VDP_EXT.1.)TheevaluatorshallremovethedevicefromtheVMandrunthescanagain.Thisrequirementismetifthedevice'sinterfacesarenolongerpresent.

FPT_EEM_EXT.1ExecutionEnvironmentMitigationsFPT_EEM_EXT.1.1

TheTSFshalltakeadvantageofexecutionenvironment-basedvulnerabilitymitigationmechanismssupportedbythePlatformsuchas:[selection:

Addressspacerandomization,Memoryexecutionprotection(e.g.,DEP),Stackbufferoverflowprotection,Heapcorruptiondetection,[assignment:othermechanisms],Nomechanisms

]

ApplicationNote:Processormanufacturers,compilerdevelopers,andoperatingsystemvendorshavedevelopedexecutionenvironment-basedmitigationsthatincreasethecosttoattackersbyaddingcomplexitytothetaskofcompromisingsystems.SoftwarecanoftentakeadvantageofthesemechanismsbyusingAPIsprovidedbytheoperatingsystemorbyenablingthemechanismthroughcompilerorlinkeroptions.ThisrequirementdoesnotmandatethattheseprotectionsbeenabledthroughouttheVirtualizationSystem—onlythattheybeenabledwheretheyhavelikelyimpact.Forexample,codethatreceivesandprocessesuserinputshouldtakeadvantageofthesemechanisms.

Fortheselection,theSTauthorselectsthesupportedmechanismsandusestheassignmenttoincludemechanismsnotlistedintheselection,ifany.


FPT_EEM_EXT.1TSSTheevaluatorshallexaminetheTSStoensurethatitstates,foreachplatformlistedintheST,theexecutionenvironment-basedvulnerabilitymitigationmechanismsusedbytheTOEonthatplatform.TheevaluatorshallensurethatthelistscorrespondtowhatisspecifiedinFPT_EEM_EXT.1.1.

FPT_HAS_EXT.1HardwareAssistsFPT_HAS_EXT.1.1

TheVMMshalluse[assignment:listofhardware-basedvirtualizationassists]toreduceoreliminatetheneedforbinarytranslation.

FPT_HAS_EXT.1.2TheVMMshalluse[assignment:listofhardware-basedvirtualizationmemory-handlingassists]toreduceoreliminatetheneedforshadowpagetables.

ApplicationNote:Thesehardware-assistshelpreducethesizeandcomplexityoftheVMM,andthus,ofthetrustedcomputingbase,byeliminatingorreducingtheneedforparavirtualizationorbinarytranslation.Paravirtualizationinvolvesmodifyingguestsoftwaresothatinstructionsthatcannotbeproperlyvirtualizedareneverexecutedonthephysicalprocessor.

FortheassignmentinFPT_HAS_EXT.1,theSTauthorliststhehardware-basedvirtualizationassistsonallplatformsincludedintheSTthatareusedbytheVMMtoreduceoreliminatetheneedforsoftware-basedbinarytranslation.Examplesforthex86platformareIntelVT-xandAMD-V.“None”isanacceptableassignmentforplatformsthatdonotrequirevirtualizationassistsinordertoeliminatetheneedforbinarytranslation.ThismustbedocumentedintheTSS.

FortheassignmentinFPT_HAS_EXT.1.2,theSTauthorliststhesetofhardware-basedvirtualizationmemory-handlingextensionsforallplatformslistedintheSTthatareusedbytheVMMtoreduceoreliminatetheneedforshadowpagetables.Examplesforthex86platformareIntelEPTandAMDRVI.“None”isanacceptableassignmentforplatformsthatdonotrequirememory-handlingassistsinordertoeliminatetheneedforshadowpagetables.ThismustbedocumentedintheTSS.


FPT_HAS_EXT.1TSSTheevaluatorshallexaminetheTSStoensurethatitstates,foreachplatformlistedintheST,thehardwareassistsandmemory-handlingextensionsusedbytheTOEonthatplatform.TheevaluatorshallensurethattheselistscorrespondtowhatisspecifiedintheapplicableFPT_HAS_EXTcomponent.

FPT_HCL_EXT.1HypercallControlsFPT_HCL_EXT.1.1

TheTSFshallvalidatetheparameterspassedtoHypercallinterfacespriortoexecutionoftheVMMfunctionalityexposedbyeachinterface.

ApplicationNote:ThepurposeofthisrequirementistohelpensuretheintegrityoftheVMMbyprotectingtheattacksurfaceexposedtountrustedGuestVMsthroughHypercalls.

AHypercallinterfaceallowsVMMfunctionalitytobeinvokedbyVM-awareguestsoftware.Forexample,ahypercallinterfacecouldbeusedtogetinformationabouttherealworld,suchasthetimeofdayortheunderlyinghardwareofthehostsystem.AhypercallcouldalsobeusedtotransferdatabetweenVMsthroughacopy-pastemechanism.BecausehypercallinterfacesexposetheVMMtoGuestsoftware,theseinterfacesconstituteattacksurface.

Thereisnoexpectationthattheevaluatorwillneedtoreviewsourcecodein

ordertoaccomplishtheevaluationactivity.


FPT_HCL_EXT.1TSSTheevaluatorshallexaminetheTSS(orproprietaryTSSAnnex)toensurethatallhypercallfunctionsaredocumentedatthelevelnecessaryfortheevaluatortorunthebelowtest.Documentationforeachhypercallinterfacemustinclude:howtoinvoketheinterface,parametersandlegalvalues,andanyconditionsunderwhichtheinterfacecanbeinvoked(e.g.,fromguestusermode,guestprivilegedmode,duringguestbootonly).GuidanceThereisnooperationalguidanceforthiscomponent.TestsTheevaluatorshallperformthefollowingtest:ForeachhypercallinterfacedocumentedintheTSSorproprietaryTSSAnnex,theevaluatorshallattempttoinvokethefunctionfromwithintheVMusinganinvalidparameter(ifany).IftheVMMorVScrashesorgeneratesanexception,orifnoerrorisreturnedtotheguest,thenthetestfails.Ifanerrorisreturnedtotheguest,thenthetestsucceeds.

FPT_RDM_EXT.1RemovableDevicesandMediaFPT_RDM_EXT.1.1

TheTSFshallimplementcontrolsforhandlingthetransferofvirtualandphysicalremovablemediaandvirtualandphysicalremovablemediadevicesbetweeninformationdomains.

FPT_RDM_EXT.1.2TheTSFshallenforcethefollowingruleswhen[assignment:virtualorphysicalremovablemediaandvirtualorphysicalremovablemediadevices]areswitchedbetweeninformationdomains,then[selection:

theAdministratorhasgrantedexplicitaccessforthemediaordevicetobeconnectedtothereceivingdomain,themediainadevicethatisbeingtransferredisejectedpriortothereceivingdomainbeingallowedaccesstothedevice,theuserofthereceivingdomainexpresslyauthorizestheconnection,thedeviceormediathatisbeingtransferredispreventedfrombeingaccessedbythereceivingdomain

]

ApplicationNote:ThepurposeoftheserequirementsistoensurethatVMsarenotgiveninadvertentaccesstoinformationfromdifferentdomainsbecauseofmediaorremovablemediadevicesleftconnectedtophysicalmachines.Removablemediaismediathatcanbeejectedfromadevice,suchasacompactdisc,floppydisk,SD,orcompactflashmemorycard.

Removablemediadevicesareremovabledevicesthatincludemedia,suchasUSBflashdrivesandUSBharddrives.Removablemediadevicescanthemselvescontainremovablemedia(e.g.,USBCDROMdrives).

Forpurposesofthisrequirement,anInformationDomainis:

a. AVMorcollectionofVMsb. TheVirtualizationSystemc. HostOSd. ManagementSubsystem

Theserequirementsalsoapplytovirtualizedremovablemedia—suchasvirtualCDdrivesthatconnecttoISOimages—aswellasphysicalmedia—suchasCDROMsandUSBflashdrives.InthecaseofvirtualCDROMs,virtualejectionofthevirtualmediaissufficient.

Inthefirstassignment,theSTauthorlistsallremovablemediaandremovablemediadevices(bothvirtualandreal)thataresupportedbytheTOE.TheSTauthorthenselectsactionsthatareappropriateforallremovablemediaandremovablemediadevices(bothvirtualandreal)thatarebeingclaimedintheassignment.

Forclarity,theSTauthormayiteratethisrequirementsothatlikeactionsaregroupedwiththeremovablemediaordevicestowhichtheyapply(e.g.,thefirstiterationcouldcontainalldevicesforwhichmediaisejectedonaswitch;theseconditerationcouldcontainalldevicesforwhichaccessispreventedona

switch,etc.).


FPT_RDM_EXT.1TSSTheevaluatorshallexaminetheTSStoensureitdescribestheassociationbetweenthemediaordevicessupportedbytheTOEandtheactionsthatcanoccurwhenswitchinginformationdomains.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensureitdocumentshowanadministratororuserconfiguresthebehaviorofeachmediaordevice.TestsTheevaluatorshallperformthefollowingtestforeachlistedmediaordevice:

Test1:TheevaluatorshallconfiguretwoVMsthataremembersofdifferentinformationdomains,withthemediaordeviceconnectedtooneoftheVMs.TheevaluatorshalldisconnectthemediaordevicefromtheVMandconnectittotheotherVM.TheevaluatorshallverifythattheactionperformedisconsistentwiththeactionassignedintheTSS.

FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemFPT_TUD_EXT.1.1

TheTSFshallprovideadministratorstheabilitytoquerythecurrentlyexecutedversionoftheTOEfirmware/softwareaswellasthemostrecentlyinstalledversionoftheTOEfirmware/software.

ApplicationNote:Theversioncurrentlyrunning(beingexecuted)maynotbetheversionmostrecentlyinstalled.Forinstance,maybetheupdatewasinstalledbutthesystemrequiresarebootbeforethisupdatewillrun.Therefore,itneedstobeclearthatthequeryshouldindicateboththemostrecentlyexecutedversionaswellasthemostrecentlyinstalledupdate.

FPT_TUD_EXT.1.2TheTSFshallprovideadministratorstheabilitytomanuallyinitiateupdatestoTOEfirmware/softwareand[selection:automaticupdates,nootherupdatemechanism].

FPT_TUD_EXT.1.3TheTSFshallprovidemeanstoauthenticatefirmware/softwareupdatestotheTOEusinga[selection:digitalsignaturemechanismusingcertificates,digitalsignaturemechanismnotusingcertificates,publishedhash]priortoinstallingthoseupdates.

ApplicationNote:ThedigitalsignaturemechanismreferencedinFPT_TUD_EXT.1.3isoneofthealgorithmsspecifiedinFCS_COP.1/SIG.

Ifcertificatesareusedbytheupdateverificationmechanism,thenFIA_X509_EXT.1andFIA_X509_EXT.2mustbeincludedintheST.CertificatesarevalidatedinaccordancewithFIA_X509_EXT.1andtheappropriateselectionsshouldbemadeinFIA_X509_EXT.2.1.Additionally,FPT_TUD_EXT.2mustbeincludedintheST.

“Update”inthecontextofthisSFRreferstotheprocessofreplacinganon-volatile,systemresidentsoftwarecomponentwithanother.TheformerisreferredtoastheNVimage,andthelatteristheupdateimage.WhiletheupdateimageistypicallynewerthantheNVimage,thisisnotarequirement.Therearelegitimatecaseswherethesystemownermaywanttorollbackacomponenttoanolderversion(e.g.,whenthecomponentmanufacturerreleasesafaultyupdate,orwhenthesystemreliesonanundocumentedfeaturenolongerpresentintheupdate).Likewise,theownermaywanttoupdatewiththesameversionastheNVimagetorecoverfromfaultystorage.

Alldiscretesoftwarecomponents(e.g.,applications,drivers,kernel,firmware)oftheTSF,shouldbedigitallysignedbythecorrespondingmanufacturerandsubsequentlyverifiedbythemechanismperformingtheupdate.Sinceitisrecognizedthatcomponentsmaybesignedbydifferentmanufacturers,itisessentialthattheupdateprocessverifythatboththeupdateandNVimageswereproducedbythesamemanufacturer(e.g.,bycomparingpublickeys)orsignedbylegitimatesigningkeys(e.g.,successfulverificationofcertificateswhenusingX.509certificates).

TheDigitalSignatureoptionisthepreferredmechanismforauthenticating

updates.ThePublishedHashoptionwillberemovedfromafutureversionofthisPP.


Rule#14:IfdigitalsignaturemechanismusingcertificatesisselectedinFPT_TUD_EXT.1.3thencodesigningforsystemsoftwareupdatesmustbeselectedinFIA_X509_EXT.2.1.


FPT_TUD_EXT.1TSSTheevaluatorshallverifythattheTSSdescribesallTSFsoftwareupdatemechanismsforupdatingthesystemsoftware.UpdatestotheTOEeitherhaveahashassociatedwiththem,oraresignedbyanauthorizedsource.Theevaluatorshallverifythatthedescriptionincludeseitheradigitalsignatureorpublishedhashverificationofthesoftwarebeforeinstallationandthatinstallationfailsiftheverificationfails.TheevaluatorshallverifythattheTSSdescribesthemethodbywhichthedigitalsignatureorpublishedhashisverifiedtoincludehowthecandidateupdatesareobtained,theprocessingassociatedwithverifyingtheupdate,andtheactionsthattakeplaceforbothsuccessfulandunsuccessfulverification.Ifdigitalsignaturesareused,theevaluatorshallalsoensurethedefinitionofanauthorizedsourceiscontainedintheTSS.IftheSTauthorindicatesthatacertificate-basedmechanismisusedforsoftwareupdatedigitalsignatureverification,theevaluatorshallverifythattheTSScontainsadescriptionofhowthecertificatesarecontainedonthedevice.TheevaluatoralsoensuresthattheTSS(oradministratorguidance)describeshowthecertificatesareinstalled/updated/selected,ifnecessary.TestsTheevaluatorshallperformthefollowingtests:

Test1:Theevaluatorperformstheversionverificationactivitytodeterminethecurrentversionoftheproduct.TheevaluatorobtainsalegitimateupdateusingproceduresdescribedintheoperationalguidanceandverifiesthatitissuccessfullyinstalledontheTOE.Aftertheupdate,theevaluatorperformstheversionverificationactivityagaintoverifytheversioncorrectlycorrespondstothatoftheupdate.Test2:Theevaluatorperformstheversionverificationactivitytodeterminethecurrentversionoftheproduct.Theevaluatorobtainsorproducesillegitimateupdatesasdefinedbelow,andattemptstoinstallthemontheTOE.TheevaluatorverifiesthattheTOErejectsalloftheillegitimateupdates.Theevaluatorperformsthistestusingallofthefollowingformsofillegitimateupdates:1. Amodifiedversion(e.g.,usingahexeditor)ofalegitimatelysignedorhashedupdate2. Animagethathasnotbeensigned/hashed3. Animagesignedwithaninvalidhashorinvalidsignature(e.g.,byusingadifferentkey

asexpectedforcreatingthesignatureorbymanualmodificationofalegitimatehash/signature)

FPT_VDP_EXT.1VirtualDeviceParametersFPT_VDP_EXT.1.1

TheTSFshallprovideinterfacesforvirtualdevicesimplementedbytheVMMaspartofthevirtualhardwareabstraction.

FPT_VDP_EXT.1.2TheTSFshallvalidatetheparameterspassedtothevirtualdeviceinterfacepriortoexecutionoftheVMMfunctionalityexposedbythoseinterfaces.

ApplicationNote:ThepurposeofthisrequirementistoensurethattheVMMisnotvulnerabletocompromisethroughtheprocessingofmalformeddatapassedtothevirtualdeviceinterfacefromaGuestOS.TheVMMcannotassumethatanydatacomingfromaVMiswell-formed—evenifthevirtualdeviceinterfaceisuniquetotheVSandthedatacomesfromavirtualdevicedriversuppliedbytheVirtualizationVendor.


FPT_VDP_EXT.1TSSTheevaluatorshallexaminetheTSStoensureitlistsallvirtualdevicesaccessiblebytheguestOS.TheTSS,oraseparateproprietarydocument,mustalsodocumentallvirtualdeviceinterfacesatthelevelofI/OportsorPCIBusinterfaces-includingportnumbers(absoluteorrelativetoabase),portname,addressrange,andadescriptionoflegalinputvalues.

TheTSSmustalsodescribetheexpectedbehavioroftheinterfacewhenpresentedwithillegalinputvalues.ThisbehaviormustbedeterministicandindicativeofparametercheckingbytheTSF.TheevaluatormustensurethattherearenoobviousorpubliclyknownvirtualI/OportsmissingfromtheTSS.Thereisnoexpectationthatevaluatorswillexaminesourcecodetoverifythe“all”partoftheevaluationactivity.TestsForeachvirtualdeviceinterface,theevaluatorshallattempttoaccesstheinterfaceusingatleastoneparametervaluethatisoutofrangeorillegal.ThetestispassediftheinterfacebehavesinthemannerdocumentedintheTSS.Interfacesthatdonothaveinputparametersneednotbetested.ThistestcanbeperformedinconjunctionwiththetestsforFPT_DVD_EXT.1.

FPT_VIV_EXT.1VMMIsolationfromVMsFPT_VIV_EXT.1.1

TheTSFmustensurethatsoftwarerunninginaVMisnotabletodegradeordisruptthefunctioningofotherVMs,theVMM,orthePlatform.

FPT_VIV_EXT.1.2TheTSFmustensurethataGuestVMisunabletoinvokeplatformcodethatrunsataprivilegelevelequaltoorexceedingthatoftheVMMwithoutinvolvementoftheVMM.

ApplicationNote:ThisrequirementisintendedtoensurethatsoftwarerunningwithinaGuestVMcannotcompromiseotherVMs,theVMM,ortheplatform.ThisrequirementisnotmetifGuestVMsoftware—whateveritsprivilegelevel—cancrashtheVSorthePlatform,orbreakoutofitsvirtualhardwareabstractiontogainexecutionontheplatform,withinoroutsideofthecontextoftheVMM.

ThisrequirementisnotviolatedifsoftwarerunningwithinaVMcancrashtheGuestOSandthereisnowayforanattackertogainexecutionintheVMMoroutsideofthevirtualizeddomain.

FPT_VIV_EXT.1.2addressesseveralspecificmechanismsthatmustnotbepermittedtobypasstheVMMandinvokeprivilegedcodeonthePlatform.

Ataminimum,theTSFshouldenforcethefollowing:Onthex86platform,avirtualSystemManagementInterrupt(SMI)cannotinvokeplatformSystemManagementMode(SMM).AnattempttoupdatevirtualfirmwareorvirtualBIOScannotcausephysicalplatformfirmwareorphysicalplatformBIOStobemodified.AnattempttoupdatevirtualfirmwareorvirtualBIOScannotcausetheVMMtobemodified.

Oftheabove,thefirstbulletdoesnotapplytoplatformsthatdonotsupportSMM.TherationalebehindthethirdbulletisthatafirmwareupdateofasingleVMmustnotaffectotherVMs.SoifmultipleVMssharethesamefirmwareimageaspartofacommonhardwareabstraction,thentheupdateofasinglemachine’sBIOSmustnotbeallowedtochangethecommonabstraction.ThevirtualhardwareabstractionispartoftheVMM.


FPT_VIV_EXT.1TSSTheevaluatorshallverifythattheTSS(oraproprietaryannextotheTSS)describeshowtheTSFensuresthatguestsoftwarecannotdegradeordisruptthefunctioningofotherVMs,theVMMortheplatform.AndhowtheTSFpreventsguestsfrominvokinghigher-privilegeplatformcode,suchastheexamplesinthenote.

5.1.8TOEAccessBanner(FTA)

FTA_TAB.1TOEAccessBannerFTA_TAB.1.1

Beforeestablishinganadministrativeusersession,theTSFshalldisplayasecurityAdministrator-specifiedadvisorynoticeandconsentwarningmessageregardinguseoftheTOE.

ApplicationNote:ThisrequirementisintendedtoapplytointeractivesessionsbetweenahumanuserandaTOE.ITentitiesestablishingconnectionsorprogrammaticconnections(e.g.,remoteprocedurecallsoveranetwork)arenotrequiredtobecoveredbythisrequirement.


FTA_TAB.1TestsTheevaluatorshallconfiguretheTOEtodisplaytheadvisorywarningmessage“TESTTESTWarningMessageTESTTEST”.Theevaluatorshallthenlogoutandconfirmthattheadvisorymessageisdisplayedbeforelogincanoccur.

5.1.9TrustedPath/Channel(FTP)

FTP_ITC_EXT.1TrustedChannelCommunicationsFTP_ITC_EXT.1.1

TheTSFshalluse[selection:TLSasconformingtotheFunctionalPackageforTransportLayerSecurity,TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1,IPsecasconformingtoFCS_IPSEC_EXT.1,SSHasconformingtotheFunctionalPackageforSecureShell

]and[selection:certificate-basedauthenticationoftheremotepeer,non-certificate-basedauthenticationoftheremotepeer,noauthenticationoftheremotepeer

]toprovideatrustedcommunicationchannelbetweenitself,andauditservers(asrequiredbyFAU_STG_EXT.1),and

[selection:remoteadministrators(asrequiredbyFTP_TRP.1.1ifselectedinFMT_MOF_EXT.1.1intheClientorServerPP-Module),separationofmanagementandoperationalnetworks(ifselectedinFMT_SMO_EXT.1),[assignment:othercapabilities],noothercapabilities

]thatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafromdisclosureanddetectionofmodificationofthecommunicateddata.

ApplicationNote:IftheSTauthorselectseitherTLSorHTTPS,theTSFshallbevalidatedagainsttheFunctionalPackageforTLS.ThisPPdoesnotmandatethataproductimplementTLSwithmutualauthentication,butiftheproductincludesthecapabilitytoperformTLSwithmutualauthentication,thenmutualauthenticationmustbeincludedwithintheTOEboundary.TheTLSPackagerequiresthattheX509requirementsbeincludedbythePP,soselectionofTLSorHTTPScausesFIA_X509_EXT.*tobeselected.

IftheSTauthorselectsSSH,theTSFshallbevalidatedagainsttheFunctionalPackageforSecureShell.

IftheSTauthorselects"certificate-basedauthenticationoftheremotepeer,"thenFIA_X509_EXT.1andFIA_X509_EXT.2mustbeincludedintheST."Noauthenticationoftheremotepeer"shouldbeselectedonlyiftheTOEisactingasaserverinanon-mutualauthenticationconfiguration.

TheSTauthormustincludethesecurityfunctionalrequirementsforthetrustedchannelprotocolselectedinFTP_ITC_EXT.1inthemainbodyoftheST.


Rule#9:IftheSSHPackageisincludedintheSTthen"AES-CTR(asdefinedinNISTSP800-38A)mode,""128-bitkeysizes,"and"256-bitkeysizes"mustbeselectedinFCS_COP.1/UDE.Rule#10:IftheTOEimplementsIPSecthen"AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)mode,""AES-GCM(asdefinedinNISTSP800-38D),""128-bitkeysizes,"and"256-bitkeysizes"mustbeselectedinFCS_COP.1/UDE.

Rule#15:If"certificate-basedauthenticationoftheremotepeer"and"TLSasconformingtotheFunctionalPackageforTransportLayerSecurity"areselected

https://www.niap-ccevs.org/MMO/PP/-439-/



inFTP_ITC_EXT.1.1then"TLS"mustbeselectedinFIA_X509_EXT.2.1.

Rule#16:If"certificate-basedauthenticationoftheremotepeer"and"TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1"areselectedinFTP_ITC_EXT.1.1then"HTTPS"mustbeselectedinFIA_X509_EXT.2.1.Rule#17:If"certificate-basedauthenticationoftheremotepeer"and"IPsecasconformingtoFCS_IPSEC_EXT.1"areselectedinFTP_ITC_EXT.1.1then"IPsec"mustbeselectedinFIA_X509_EXT.2.1.

Rule#18:If"certificate-basedauthenticationoftheremotepeer"and"SSHasconformingtotheFunctionalPackageforSecureShell"areselectedinFTP_ITC_EXT.1.1then"SSH"mustbeselectedinFIA_X509_EXT.2.1.


FTP_ITC_EXT.1TSSTheevaluatorwillreviewtheTSStodeterminethatitlistsalltrustedchannelstheTOEusesforremotecommunications,includingboththeexternalentitiesandremoteusersusedforthechannelaswellastheprotocolthatisusedforeach.TestsTheevaluatorwillconfiguretheTOEtocommunicatewitheachexternalITentityandtypeofremoteuseridentifiedintheTSS.TheevaluatorwillmonitornetworktrafficwhiletheVSperformscommunicationwitheachofthesedestinations.Theevaluatorwillensurethatforeachsessionatrustedchannelwasestablishedinconformancewiththeprotocolsidentifiedintheselection.

FTP_UIF_EXT.1UserInterface:I/OFocusFTP_UIF_EXT.1.1

TheTSFshallindicatetouserswhichVM,ifany,hasthecurrentinputfocus.

ApplicationNote:Thisrequirementappliestoallusers—whetherUserorAdministrator.InenvironmentswheremultipleVMsrunatthesametime,theusermusthaveawayofknowingwhichVMuserinputisdirectedtoatanygivenmoment.Thisisespeciallyimportantinmultiple-domainenvironments.

Inthecaseofahumanuser,thisisusuallyavisualindicator.InthecaseofheadlessVMs,theuserisconsideredtobeaprogram,butthisprogramstillneedstoknowwhichVMitissendinginputto;thiswouldtypicallybeaccomplishedthroughprogrammaticmeans.


FTP_UIF_EXT.1TSSTheevaluatorshallensurethattheTSSliststhesupporteduserinputdevices.GuidanceTheevaluatorshallensurethattheoperationalguidancespecifieshowthecurrentinputfocusisindicatedtotheuser.TestsForeachsupportedinputdevice,theevaluatorshalldemonstratethattheinputfromeachdevicelistedintheTSSisdirectedtotheVMthatisindicatedtohavetheinputfocus.

FTP_UIF_EXT.2UserInterface:IdentificationofVMFTP_UIF_EXT.2.1

TheTSFshallsupporttheuniqueidentificationofaVM’soutputdisplaytousers.

ApplicationNote:InenvironmentswhereauserhasaccesstomorethanoneVMatthesametime,theusermustbeabletodeterminetheidentityofeachVMdisplayedinordertoavoidinadvertentcross-domaindataentry.

TheremustbeamechanismforassociatinganidentifierwithaVMsothatanapplicationorprogramdisplayingtheVMcanidentifytheVMtousers.Thisisgenerallyindicatedvisuallyforhumanusers(e.g.,VMidentityinthewindowtitlebar)andprogrammaticallyforheadlessVMs(e.g.,anAPIfunction).TheidentificationmustbeuniquetotheVS,butdoesnotneedtobeuniversallyunique.



FTP_UIF_EXT.2TSSTheevaluatorshallensurethattheTSSdescribesthemechanismforidentifyingVMstotheuser,howidentitiesareassignedtoVMs,andhowconflictsareprevented.TestsTheevaluatorshallperformthefollowingtest:TheevaluatorshallattempttocreateandstartatleastthreeGuestVMsonasingledisplaydevicewheretheevaluatorattemptstoassigntwooftheVMsthesameidentifier.IftheuserinterfacedisplaysdifferentidentifiersforeachVM,thentherequirementismet.Likewise,therequirementismetifthesystemrefusestocreateorstartaVMwhenthereisalreadyaVMwiththesameidentifier.

5.1.10TOESecurityFunctionalRequirementsRationaleThefollowingrationaleprovidesjustificationforeachsecurityobjectivefortheTOE,showingthattheSFRsaresuitabletomeetandachievethesecurityobjectives:

Table4:SFRRationaleObjective Addressedby Rationale

O.VM_ISOLATION FAU_GEN.1 Auditeventscanreportattemptstobreachisolation.

FCS_CKM_EXT.4 Requirescryptographickeydestructiontoprotectdomaindatainsharedstorage.

FDP_PPR_EXT.1 Requiressupportforreducingattacksurfacethroughdisablingaccesstounneededphysicalplatformresources.

FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocated.

FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromphysicalstorageuponre-allocationofthestorage.

FDP_VMS_EXT.1 EnsuresthatauthorizeddatatransfersbetweenVMsaredonesecurely.

FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.

FPT_DVD_EXT.1 EnsuresthatVMscanaccessonlythosevirtualdevicesthattheyareconfiguredtoaccess.

FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.

FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.

FPT_VDP_EXT.1 RequiresvalidationofparameterdatapassedtothehardwareabstractionbyuntrustedVMs.

FPT_VIV_EXT.1 EnsuresthatuntrustedVMscannotinvokeprivilegedcodewithoutproperhypervisormediation.

O.VMM_INTEGRITY FAU_GEN.1 Auditeventscanreportpotentialintegritybreachesandattempts.

FCS_CKM.1 Requiresgenerationofasymmetrickeysforprotectionofintegritymeasures.

FCS_COP.1 Ensuresproperfunctioningof

cryptographicalgorithmsusedtoprotectdataintegrity.

FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.




FPT_DDI_EXT.1 RequiresthatphysicaldevicedriversbeisolatedotherpartsoftheTOEandfromoneanother(optional).



FPT_HCL_EXT.1 RequiresthatHypercallparametersbevalidated.

FPT_ML_EXT.1 RequiresmeasuredlaunchoftheplatformandVMM(objective).



O.PLATFORM_INTEGRITY FDP_HBI_EXT.1 RequiresthattheTOEuseplatform-supportedmechanismsforaccesstophysicaldevices.




FPT_DVD_EXT.1 EnsuresthatVMscannotaccessvirtualdevicesthattheyarenotconfiguredtoaccess.



FPT_HCL_EXT.1 RequiresthatHypercallparametersbevalidated.

FPT_ML_EXT.1 RequiresmeasuredlaunchoftheplatformandVMM(objective).

FPT_VDP_EXT.1 Requiresvalidationofparameterdata

passedtothehardwareabstractionbyuntrustedVMs.


O.DOMAIN_INTEGRITY FCS_CKM_EXT.4 Requirescryptographickeydestructiontoprotectdomaindatainsharedstorage.

FCS_ENT_EXT.1 Requiresthatdomainshaveaccesstohigh-qualityentropyforcryptographicpurposes.


FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocatedtoanotherdomain.

FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromphysicalstorageuponre-allocationofthestoragetoanotherdomain.

FDP_VMS_EXT.1 Ensuresthatauthorizeddatatransfersbetweendomainsaredonesecurely.



FPT_GVI_EXT.1 RequiresthattheTOEsupportGuestVMmeasurementsandintegritychecks(optional).


FPT_INT_EXT.1 RequiresthattheTOEsupportintrospectionintoGuestVMs(optional).

FPT_RDM_EXT.1 Requiressupportforrulesforswitchingremoveablemediabetweendomainstoreducethechanceofdataspillage.


FTP_UIF_EXT.1 Ensuresthatusersareabletodeterminethedomainwiththecurrentinputfocus.

FTP_UIF_EXT.2 EnsuresthatuserscanknowtheidentityofanyVMthattheycanaccess.

O.MANAGEMENT_ACCESS FAU_GEN.1 Auditeventsreportattemptstoaccessthemanagementsubsystem.

FCS_CKM.1 Requiresgenerationofasymmetrickeysfortrustedcommunicationschannels.

FCS_CKM.2 Requiresestablishmentofcryptographickeysfortrustedcommunicationschannels.

FCS_COP.1 Ensuresproperfunctioningofcryptographicalgorithmsusedto

implementaccesscontrols.

FCS_HTTPS_EXT.1 EnsuresthatHTTPStrustedcommunicationschannelsareimplementedproperly.

FCS_IPSEC_EXT.1 EnsuresthatIPsectrustedcommunicationschannelsareimplementedproperly.


FIA_AFL_EXT.1 RequiresthattheTOEdetectfailedauthenticationattemptsforAdministratoraccess.

FIA_PMG_EXT.1 Ensuresthatpassword-basedadministratorloginisproperlyimplemented.

FIA_UAU.5 EnsuresthatstrongmechanismsareusedforAdministratorauthentication.

FIA_UIA_EXT.1 RequiresthatAdministratorsbesuccessfullyauthenticatedbeforeperformingmanagementfunctions.

FIA_X509_EXT.1 Ensuresthatcertificatevalidationisimplementedproperly.

FIA_X509_EXT.2 Ensuresthatcertificate-basedauthenticationisimplementedproperly.tfunctions.

FMT_SMO_EXT.1 RequiresthattheTOEsupporthavingseparatemanagementandoperationalnetworks.

FTP_ITC_EXT.1 Ensuresthattrustedcommunicationschannelsareimplementedusinggoodcryptography.

FTP_TRP.1 Ensuresthatcertaincommunicationsuseatrustedpath.

O.PATCHED_SOFTWARE FPT_IDV_EXT.1 Requiressupportforsoftwareidentificationlabels(optional).

FPT_TUD_EXT.1 Requiressupportforproductupdates.

FPT_TUD_EXT.2 Specifiesrequirementsforcertificate-basedcodesigningforupdate.

O.VM_ENTROPY FCS_ENT_EXT.1 Requiresthatdomainshaveaccesstohigh-qualityentropyforcryptographicpurposes.


O.AUDIT FAU_ARP.1 Requiressupportforautomaticresponsestoauditevents(optional).

FAU_GEN.1 Requiresreportingofauditevents.

FAU_SAA.1 Requiressupportforrulesforindicatingsecurityviolationsbasedonauditevents(optional).

FAU_SAR.1 RequiressupportforAdministratorreviewofauditrecords.

FAU_STG.1 Requiresprotectionofstoredaudit

records.

FAU_STG_EXT.1 RequiressupportforprotectedtransmissionofauditrecordsofftheTOE.

O.CORRECTLY_APPLIED_CONFIGURATION FDP_VMS_EXT.1 EnsuresthatdatasharingbetweenVMsisturnedoffbydefault.

O.RESOURCE_ALLOCATION FCS_CKM_EXT.4 Requirescryptographickeydestructiontoensureresidualdatainsharedstorageisunrecoverable.

FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocated.

FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromstorageuponre-allocationofthestorage.

5.2SecurityAssuranceRequirementsTheSecurityObjectivesfortheTOEinSection4wereconstructedtoaddressthreatsidentifiedinSection3.1.TheSecurityFunctionalRequirements(SFRs)inSection5.1areaformalinstantiationoftheSecurityObjectives.ThePPidentifiestheSecurityAssuranceRequirements(SARs)toframetheextenttowhichtheevaluatorassessesthedocumentationapplicablefortheevaluationandperformsindependenttesting.ThissectionliststhesetofSecurityAssuranceRequirements(SARs)fromPart3oftheCommonCriteriaforInformationTechnologySecurityEvaluation,Version3.1,Revision5thatarerequiredinevaluationsagainstthisPP.IndividualevaluationactivitiestobeperformedarespecifiedinbothSection5.1aswellasinthissection.AftertheSThasbeenapprovedforevaluation,theInformationTechnologySecurityEvaluationFacility(ITSEF)willobtaintheTOE,supportingenvironmentalIT,andtheadministrative/userguidesfortheTOE.TheITSEFisexpectedtoperformactionsmandatedbytheCEMfortheASEandALCSARs.TheITSEFalsoperformstheevaluationactivitiescontainedwithinSection5,whichareintendedtobeaninterpretationoftheotherCEMassurancerequirementsastheyapplytothespecifictechnologyinstantiatedintheTOE.TheevaluationactivitiesthatarecapturedinSection5alsoprovideclarificationastowhatthedeveloperneedstoprovidetodemonstratetheTOEiscompliantwiththePP.

5.2.1ClassASE:SecurityTargetEvaluationAsperASEactivitiesdefinedin[CEM]plustheTSSevaluationactivitiesdefinedforanySFRsclaimedbytheTOE.

5.2.2ClassADV:DevelopmentTheinformationabouttheTOEiscontainedintheguidancedocumentationavailabletotheenduseraswellastheTOESummarySpecification(TSS)portionoftheST.TheTOEdevelopermustconcurwiththedescriptionoftheproductthatiscontainedintheTSSasitrelatestothefunctionalrequirements.TheevaluationactivitiescontainedinSection5.2shouldprovidetheSTauthorswithsufficientinformationtodeterminetheappropriatecontentfortheTSSsection.

ADV_FSP.1Basicfunctionalspecification

Developeractionelements:ADV_FSP.1.1D

Thedevelopershallprovideafunctionalspecification.

ADV_FSP.1.2DThedevelopershallprovideatracingfromthefunctionalspecificationtotheSFRs.

DeveloperNote:Asindicatedintheintroductiontothissection,thefunctionalspecificationiscomposedoftheinformationcontainedintheAGD_OPRandAGD_PREdocumentation,coupledwiththeinformationprovidedintheTSSoftheST.TheevaluationactivitiesinthefunctionalrequirementspointtoevidencethatshouldexistinthedocumentationandTSSsection;sincethesearedirectlyassociatedwiththeSFRs,thetracinginelementADV_FSP.1.2Disimplicitlyalreadydoneandnoadditionaldocumentationisnecessary.

Contentandpresentationelements:ADV_FSP.1.1C

Thefunctionalspecificationshalldescribethepurposeandmethodofusefor

eachSFR-enforcingandSFR-supportingTSFI.

ADV_FSP.1.2CThefunctionalspecificationshallidentifyallparametersassociatedwitheachSFR-enforcingandSFR-supportingTSFI.

ADV_FSP.1.3CThefunctionalspecificationshallproviderationalefortheimplicitcategorizationofinterfacesasSFR-non-interfering.

ADV_FSP.1.4CThetracingshalldemonstratethattheSFRstracetoTSFIsinthefunctionalspecification.

Evaluatoractionelements:ADV_FSP.1.1E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

ADV_FSP.1.2ETheevaluatorshalldeterminethatthefunctionalspecificationisanaccurateandcompleteinstantiationoftheSFRs.

ApplicationNote:TherearenospecificevaluationactivitiesassociatedwiththeseSARs.ThefunctionalspecificationdocumentationisprovidedtosupporttheevaluationactivitiesdescribedinSection5.2,andotheractivitiesdescribedforAGD,ATE,andAVASARs.Therequirementsonthecontentofthefunctionalspecificationinformationisimplicitlyassessedbyvirtueoftheotherevaluationactivitiesbeingperformed;iftheevaluatorisunabletoperformanactivitybecausethereisinsufficientinterfaceinformation,thenanadequatefunctionalspecificationhasnotbeenprovided.

5.2.3ClassAGD:GuidanceDocumentsTheguidancedocumentswillbeprovidedwiththedeveloper’ssecuritytarget.GuidancemustincludeadescriptionofhowtheauthorizeduserverifiesthattheOperationalEnvironmentcanfulfillitsroleforthesecurityfunctionality.Thedocumentationshouldbeinaninformalstyleandreadablebyanauthorizeduser.GuidancemustbeprovidedforeveryoperationalenvironmentthattheproductsupportsasclaimedintheST.Thisguidanceincludes

instructionstosuccessfullyinstalltheTOEinthatenvironment;andinstructionstomanagethesecurityoftheTOEasaproductandasacomponentofthelargeroperationalenvironment.

Guidancepertainingtoparticularsecurityfunctionalityisalsoprovided;specificrequirementsonsuchguidancearecontainedintheevaluationactivitiesspecifiedwithindividualSFRswhereapplicable.

AGD_OPE.1OperationalUserGuidance

Developeractionelements:AGD_OPE.1.1D

Thedevelopershallprovideoperationaluserguidance.

DeveloperNote:Ratherthanrepeatinformationhere,thedevelopershouldreviewtheevaluationactivitiesforthiscomponenttoascertainthespecificsoftheguidancethattheevaluatorswillbecheckingfor.Thiswillprovidethenecessaryinformationforthepreparationofacceptableguidance.

Contentandpresentationelements:AGD_OPE.1.1C

Theoperationaluserguidanceshalldescribewhatforeachuserroletheauthorizeduser-accessiblefunctionsandprivilegesthatshouldbecontrolledinasecureprocessingenvironment,includingappropriatewarnings.

AGD_OPE.1.2CTheoperationaluserguidanceshalldescribe,foreachuserroletheauthorizeduser,howtousetheavailableinterfacesprovidedbytheTOEinasecuremanner.

AGD_OPE.1.3CTheoperationaluserguidanceshalldescribe,foreachuserroletheauthorizeduser,theavailablefunctionsandinterfaces,inparticularallsecurityparametersunderthecontroloftheuser,indicatingsecurevaluesasappropriate.

AGD_OPE.1.4CTheoperationaluserguidanceshall,foreachuserroletheauthorizeduser,

clearlypresenteachtypeofsecurity-relevanteventrelativetotheuser-accessiblefunctionsthatneedtobeperformed,includingchangingthesecuritycharacteristicsofentitiesunderthecontroloftheTSF.

AGD_OPE.1.5CTheoperationaluserguidanceshallidentifyallpossiblemodesofoperationoftheTOE(includingoperationfollowingfailureoroperationalerror),theirconsequencesandimplicationsformaintainingsecureoperation.

AGD_OPE.1.6CTheoperationaluserguidanceshall,foreachuserroletheauthorizeduser,describethesecuritymeasurestobefollowedinordertofulfillthesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.

AGD_OPE.1.7CTheoperationaluserguidanceshallbeclearandreasonable.

Evaluatoractionelements:AGD_OPE.1.1E



AGD_OPE.1SomeofthecontentsoftheoperationalguidancewillbeverifiedbytheevaluationactivitiesinSection5.2andevaluationoftheTOEaccordingtotheCEM.Thefollowingadditionalinformationisalsorequired.Theoperationalguidanceshallcontaininstructionsforconfiguringthepasswordcharacteristics,numberofallowedauthenticationattemptfailures,thelockoutperiodtimesforinactivity,andthenoticeandconsentwarningthatistobeprovidedwhenauthenticating.Theoperationalguidanceshallcontainstep-by-stepinstructionssuitableforusebyanend-useroftheVStoconfigureanew,out-of-the-boxsystemintotheconfigurationevaluatedunderthisProtectionProfile.ThedocumentationshalldescribetheprocessforverifyingupdatestotheTOE,eitherbycheckingthehashorbyverifyingadigitalsignature.Theevaluatorshallverifythatthisprocessincludesthefollowingsteps:

InstructionsforqueryingthecurrentversionoftheTOEsoftware.Forhashes,adescriptionofwherethehashforagivenupdatecanbeobtained.Fordigitalsignatures,instructionsforobtainingthecertificatethatwillbeusedbytheFCS_COP.1/SIGmechanismtoensurethatasignedupdatehasbeenreceivedfromthecertificateowner.Thismaybesuppliedwiththeproductinitially,ormaybeobtainedbysomeothermeans.Instructionsforobtainingtheupdateitself.ThisshouldincludeinstructionsformakingtheupdateaccessibletotheTOE(e.g.,placementinaspecificdirectory).Instructionsforinitiatingtheupdateprocess,aswellasdiscerningwhethertheprocesswassuccessfulorunsuccessful.Thisincludesgenerationofthehash/digitalsignature.

AGD_PRE.1Preparativeprocedures

Developeractionelements:AGD_PRE.1.1D

ThedevelopershallprovidetheTOEincludingitspreparativeprocedures.

DeveloperNote:Aswiththeoperationalguidance,thedevelopershouldlooktotheevaluationactivitiestodeterminetherequiredcontentwithrespecttopreparativeprocedures.

Contentandpresentationelements:AGD_PRE.1.1C

ThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureacceptanceofthedeliveredTOEinaccordancewiththedeveloper’sdeliveryprocedures.

AGD_PRE.1.2CThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureinstallationoftheTOEandforthesecurepreparationoftheoperationalenvironmentinaccordancewiththesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.

Evaluatoractionelements:AGD_PRE.1.1E


AGD_PRE.1.2ETheevaluatorshallapplythepreparativeprocedurestoconfirmthattheTOEcanbepreparedsecurelyforoperation.


AGD_PRE.1Asindicatedintheintroductionabove,therearesignificantexpectationswithrespecttothedocumentation—especiallywhenconfiguringtheoperationalenvironmenttosupportTOEfunctionalrequirements.TheevaluatorshallchecktoensurethattheguidanceprovidedfortheTOEadequatelyaddressesallplatforms(thatis,combinationofhardwareandoperatingsystem)claimedfortheTOEintheST.Theoperationalguidanceshallcontainstep-by-stepinstructionssuitableforusebyanend-useroftheVStoconfigureanew,out-of-the-boxsystemintotheconfigurationevaluatedunderthisProtectionProfile.

5.2.4ClassALC:Life-CycleSupportAttheassurancelevelspecifiedforTOEsconformanttothisPP,life-cyclesupportislimitedtoanexaminationoftheTOEvendor’sdevelopmentandconfigurationmanagementprocessinordertoprovideabaselinelevelofassurancethattheTOEitselfisdevelopedinasecuremannerandthatthedeveloperhasawell-definedprocessinplacetodeliverupdatestomitigateknownsecurityflaws.Thisisaresultofthecriticalrolethatadeveloper’spracticesplayincontributingtotheoveralltrustworthinessofaproduct.

ALC_CMC.1LabelingoftheTOE

Developeractionelements:ALC_CMC.1.1D

ThedevelopershallprovidetheTOEandareferencefortheTOE.

Contentandpresentationelements:ALC_CMC.1.1C

TheTOEshallbelabeledwithitsuniquereference.

Evaluatoractionelements:ALC_CMC.1.1E



ALC_CMC.1TheevaluatorshallchecktheSTtoensurethatitcontainsanidentifier(suchasaproductname/versionnumber)thatspecificallyidentifiestheversionthatmeetstherequirementsoftheST.TheevaluatorshallchecktheAGDguidanceandTOEsamplesreceivedfortestingtoensurethattheversionnumberisconsistentwiththatintheST.IfthevendormaintainsawebsiteadvertisingtheTOE,theevaluatorshallexaminetheinformationonthewebsitetoensurethattheinformationintheSTissufficienttodistinguishtheproduct.

ALC_CMS.1TOECMcoverage

Developeractionelements:ALC_CMS.1.1D

ThedevelopershallprovideaconfigurationlistfortheTOE.

Contentandpresentationelements:ALC_CMS.1.1C

Theconfigurationlistshallincludethefollowing:theTOEitself;andthe

evaluationevidencerequiredbytheSARs.

ALC_CMS.1.2CTheconfigurationlistshalluniquelyidentifytheconfigurationitems.

Evaluatoractionelements:ALC_CMS.1.1E



ALC_CMS.1Theevaluatorshallensurethatthedeveloperhasidentified(inpublic-facingdevelopmentguidancefortheirplatform)oneormoredevelopmentenvironmentsappropriateforuseindevelopingapplicationsforthedeveloper’splatform.Foreachofthesedevelopmentenvironments,thedevelopershallprovideinformationonhowtoconfiguretheenvironmenttoensurethatbufferoverflowprotectionmechanismsintheenvironmentareinvoked(e.g.,compilerandlinkerflags).Theevaluatorshallensurethatthisdocumentationalsoincludesanindicationofwhethersuchprotectionsareonbydefault,orhavetobespecificallyenabled.TheevaluatorshallensurethattheTSFisuniquelyidentified(withrespecttootherproductsfromtheTSFvendor),andthatdocumentationprovidedbythedeveloperinassociationwiththerequirementsintheSTisassociatedwiththeTSFusingthisuniqueidentification.

ALC_TSU_EXT.1TimelySecurityUpdatesThiscomponentrequirestheTOEdeveloper,inconjunctionwithanyothernecessaryparties,toprovideinformationastohowtheVSisupdatedtoaddresssecurityissuesinatimelymanner.Thedocumentationdescribestheprocessofprovidingupdatestothepublicfromthetimeasecurityflawisreported/discovered,tothetimeanupdateisreleased.Thisdescriptionincludesthepartiesinvolved(e.g.,thedeveloper,hardwarevendors)andthestepsthatareperformed(e.g.,developertesting),includingworstcasetimeperiods,beforeanupdateismadeavailabletothepublic.

Developeractionelements:ALC_TSU_EXT.1.1D

ThedevelopershallprovideadescriptionintheTSSofhowtimelysecurityupdatesaremadetotheTOE.

Contentandpresentationelements:ALC_TSU_EXT.1.1C

ThedescriptionshallincludetheprocessforcreatinganddeployingsecurityupdatesfortheTOEsoftware/firmware.

ALC_TSU_EXT.1.2CThedescriptionshallexpressthetimewindowasthelengthoftime,indays,betweenpublicdisclosureofavulnerabilityandthepublicavailabilityofsecurityupdatestotheTOE.

ApplicationNote:Thetotallengthoftimemaybepresentedasasummationoftheperiodsoftimethateachparty(e.g.,TOEdeveloper,hardwarevendor)onthecriticalpathconsumes.Thetimeperioduntilpublicavailabilityperdeploymentmechanismmaydiffer;eachisdescribed.

ALC_TSU_EXT.1.3CThedescriptionshallincludethemechanismspubliclyavailableforreportingsecurityissuespertainingtotheTOE.

ApplicationNote:Thereportingmechanismcouldincludewebsites,emailaddresses,andameanstoprotectthesensitivenatureofthereport(e.g.,publickeysthatcouldbeusedtoencryptthedetailsofaproof-of-conceptexploit).

Evaluatoractionelements:ALC_TSU_EXT.1.1E


5.2.5ClassATE:TestsTestingisspecifiedforfunctionalaspectsofthesystemaswellasaspectsthattakeadvantageofdesignorimplementationweaknesses.TheformerisdonethroughtheATE_INDfamily,whilethelatteristhroughtheAVA_VANfamily.AttheassurancelevelspecifiedinthisPP,testingisbasedonadvertisedfunctionalityandinterfaceswithdependencyontheavailabilityofdesigninformation.Oneoftheprimaryoutputsofthe

evaluationprocessisthetestreportasspecifiedinthefollowingrequirements.

ATE_IND.1IndependentTesting-ConformanceTestingisperformedtoconfirmthefunctionalitydescribedintheTSSaswellastheadministrative(includingconfigurationandoperation)documentationprovided.ThefocusofthetestingistoconfirmthattherequirementsspecifiedinSection5.1arebeingmet,althoughsomeadditionaltestingisspecifiedforSARsinSection5.2.Theevaluationactivitiesidentifytheadditionaltestingactivitiesassociatedwiththesecomponents.Theevaluatorproducesatestreportdocumentingtheplanforandresultsoftesting,aswellascoverageargumentsfocusedontheplatform/TOEcombinationsthatareclaimingconformancetothisPP.

Developeractionelements:ATE_IND.1.1D

ThedevelopershallprovidetheTOEfortesting.

Contentandpresentationelements:ATE_IND.1.1C

TheTOEshallbesuitablefortesting.

Evaluatoractionelements:ATE_IND.1.1E


ATE_IND.1.2ETheevaluatorshalltestasubsetoftheTSFtoconfirmthattheTSFoperatesasspecified.


ATE_IND.1Theevaluatorshallprepareatestplanandreportdocumentingthetestingaspectsofthesystem.Whileitisnotnecessarytohaveonetestcasepertestlistedinanevaluationactivity,theevaluatorsmustdocumentinthetestplanthateachapplicabletestingrequirementintheSTiscovered.TheTestPlanidentifiestheplatformstobetested,andforthoseplatformsnotincludedinthetestplanbutincludedintheST,thetestplanprovidesajustificationfornottestingtheplatforms.Thisjustificationmustaddressthedifferencesbetweenthetestedplatformsandtheuntestedplatforms,andmakeanargumentthatthedifferencesdonotaffectthetestingtobeperformed.Itisnotsufficienttomerelyassertthatthedifferenceshavenoaffect;rationalemustbeprovided.IfallplatformsclaimedintheSTaretested,thennorationaleisnecessary.Thetestplandescribesthecompositionofeachplatformtobetested,andanysetupthatisnecessarybeyondwhatiscontainedintheAGDdocumentation.ItshouldbenotedthattheevaluatorsareexpectedtofollowtheAGDdocumentationforinstallationandsetupofeachplatformeitheraspartofatestorasastandardpre-testcondition.Thismayincludespecialtestdriversortools.Foreachdriverortool,anargument(notjustanassertion)isprovidedthatthedriverortoolwillnotadverselyaffecttheperformanceofthefunctionalitybytheTOEanditsplatform.Thisalsoincludestheconfigurationofcryptographicenginestobeused.ThecryptographicalgorithmsimplementedbytheseenginesarethosespecifiedbythisPPandusedbythecryptographicprotocolsbeingevaluated(IPsec,TLS/HTTPS,SSH).Thetestplanidentifieshigh-leveltestobjectivesaswellasthetestprocedurestobefollowedtoachievethoseobjectives.Theseproceduresincludeexpectedresults.Thetestreport(whichcouldjustbeanannotatedversionofthetestplan)detailstheactivitiesthattookplacewhenthetestprocedureswereexecuted,andincludestheactualresultsofthetests.Thisshallbeacumulativeaccount,soiftherewasatestrunthatresultedinafailure;afixinstalled;andthenasuccessfulre-runofthetest,thereportwouldshowa“fail”and“pass”result(andthesupportingdetails),andnotjustthe“pass”result.

5.2.6ClassAVA:VulnerabilityAssessmentForthefirstgenerationofthisProtectionProfile,theevaluationlabisexpectedtosurveyopensourcestolearnwhatvulnerabilitieshavebeendiscoveredinthesetypesofproducts.Inmostcases,thesevulnerabilitieswillrequiresophisticationbeyondthatofabasicattacker.Untilpenetrationtoolsarecreatedanduniformlydistributedtotheevaluationlabs,evaluatorswillnotbeexpectedtotestforthesevulnerabilitiesintheTOE.Thelabswillbeexpectedtocommentonthelikelihoodofthesevulnerabilitiesgiventhedocumentationprovidedbythevendor.ThisinformationwillbeusedinthedevelopmentofpenetrationtestingtoolsandforthedevelopmentoffuturePPs.

AVA_VAN.1Vulnerabilitysurvey

Developeractionelements:AVA_VAN.1.1D

ThedevelopershallprovidetheTOEfortesting.

Contentandpresentationelements:AVA_VAN.1.1C

TheTOEshallbesuitablefortesting.

Evaluatoractionelements:AVA_VAN.1.1E


AVA_VAN.1.2ETheevaluatorshallperformasearchofpublicdomainsourcestoidentifypotentialvulnerabilitiesintheTOE.

AVA_VAN.1.3ETheevaluatorshallconductpenetrationtesting,basedontheidentifiedpotentialvulnerabilities,todeterminethattheTOEisresistanttoattacksperformedbyanattackerpossessingBasicattackpotential.


AVA_VAN.1AswithATE_INDtheevaluatorshallgenerateareporttodocumenttheirfindingswithrespecttothisrequirement.ThisreportcouldphysicallybepartoftheoveralltestreportmentionedinATE_IND,oraseparatedocument.Theevaluatorperformsasearchofpublicinformationtodeterminethevulnerabilitiesthathavebeenfoundinvirtualizationingeneral,aswellasthosethatpertaintotheparticularTOE.Theevaluatordocumentsthesourcesconsultedandthevulnerabilitiesfoundinthereport.Foreachvulnerabilityfound,theevaluatoreitherprovidesarationalewithrespecttoitsnon-applicabilityortheevaluatorformulatesatest(usingtheguidelinesprovidedinATE_IND)toconfirmthevulnerability,ifsuitable.Suitabilityisdeterminedbyassessingtheattackvectorneededtotakeadvantageofthevulnerability.Forexample,ifthevulnerabilitycanbedetectedbypressingakeycombinationonboot-up,atestwouldbesuitableattheassurancelevelofthisPP.Ifexploitingthevulnerabilityrequiresexpertskillsandanelectronmicroscope,forinstance,thenatestwouldnotbesuitableandanappropriatejustificationwouldbeformulated.

AppendixA-OptionalRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOE)arecontainedinthebodyofthisPP.ThisappendixcontainsthreeothertypesofoptionalrequirementsthatmaybeincludedintheST,butarenotrequiredinordertoconformtothisPP.However,appliedmodules,packagesand/orusecasesmayrefinespecificrequirementsasmandatory.

Thefirsttype(A.1StrictlyOptionalRequirements)arestrictlyoptionalrequirementsthatareindependentoftheTOEimplementinganyfunction.IftheTOEfulfillsanyoftheserequirementsorsupportsacertainfunctionality,thevendorisencouragedtoincludetheSFRsintheST,butarenotrequiredinordertoconformtothisPP.

Thesecondtype(A.2ObjectiveRequirements)areobjectiverequirementsthatdescribesecurityfunctionalitynotyetwidelyavailableincommercialtechnology.TherequirementsarenotcurrentlymandatedinthebodyofthisPP,butwillbeincludedinthebaselinerequirementsinfutureversionsofthisPP.Adoptionbyvendorsisencouragedandexpectedassoonaspossible.

Thethirdtype(A.3Implementation-BasedRequirements)aredependentontheTOEimplementingaparticularfunction.IftheTOEfulfillsanyoftheserequirements,thevendormusteitheraddtherelatedSFRordisablethefunctionalityfortheevaluatedconfiguration.

A.1StrictlyOptionalRequirements

A.1.1AuditableEventsforStrictlyOptionalRequirements

Table5:AuditableEventsforOptionalRequirements

Requirement AuditableEvents AdditionalAuditRecordContents

FAU_ARP.1 Actionstakenduetopotentialsecurityviolations.

FAU_SAA.1 Enablinganddisablingofanyoftheanalysismechanisms.

FAU_SAA.1 AutomatedresponsesperformedbytheTSF.

FPT_GVI_EXT.1 Actionstakenduetofailedintegritycheck.

A.1.2SecurityAudit(FAU)

FAU_ARP.1SecurityAuditAutomaticResponseFAU_ARP.1.1

TheTSFshalltake[assignment:listofactions]upondetectionofapotentialsecurityviolation.

ApplicationNote:Incertaincases,itmaybeusefulforVirtualizationSystemstoperformautomatedresponsestocertainsecurityevents.AnexamplemayincludehaltingaVMwhichhastakensomeactiontoviolateakeysystemsecuritypolicy.Thismaybeespeciallyusefulwithheadlessendpointswhenthereisnohumanuserintheloop.

ThepotentialsecurityviolationmentionedinFAU_ARP.1.1referstoFAU_SAA.1.


FAU_ARP.1TestsTheevaluatorshallgenerateapotentialsecurityviolationasdefinedinFAU_SAA.1andverifythateachactionintheassignmentinFAU_ARP.1.1isperformedbytheTSFasaresult.TheevaluatorshallperformthisactionforeachsecurityviolationthatisdefinedinFAU_SAA.1.

FAU_SAA.1PotentialViolationAnalysisFAU_SAA.1.1

TheTSFshallbeabletoapplyasetofrulesinmonitoringtheauditedeventsandbasedupontheserulesindicateapotentialviolationoftheenforcementoftheSFRs.

FAU_SAA.1.2

TheTSFshallenforcethefollowingrulesformonitoringauditedevents:

a. Accumulationorcombinationof[assignment:subsetofdefinedauditableevents]knowntoindicateapotentialsecurityviolation;

b. [assignment:anyotherrules].

ApplicationNote:ThepotentialsecurityviolationdescribedinFAU_SAA.1canbeusedasatriggerforautomatedresponsesasdefinedinFAU_ARP.1.


FAU_SAA.1TestsTheevaluatorshallcauseeachcombinationofauditableeventsdefinedinFAU_SAA.1.2tooccur,andverifythatapotentialsecurityviolationisindicatedbytheTSF.

A.1.3ProtectionoftheTSF(FPT)

FPT_GVI_EXT.1GuestVMIntegrityFPT_GVI_EXT.1.1

TheTSFshallverifytheintegrityofGuestVMsthroughthefollowingmechanisms:[assignment:listofGuestVMintegritymechanisms].

ApplicationNote:TheprimarypurposeofthisrequirementistoidentifyanddescribethemechanismsusedtoverifytheintegrityofGuestVMsthathavebeen'imported'insomefashion,thoughthesemechanismscouldalsobeappliedtoallGuestVMs,dependingonthemechanismused.ImportationforthisrequirementcouldincludeVMmigration(liveorotherwise),theimportationofvirtualdiskfilesthatwerepreviouslyexported,VMsinsharedstorage,etc.ItispossiblethatatrustedVMcouldhavebeenmodifiedduringthemigrationorimport/exportprocess,orVMscouldhavebeenobtainedfromuntrustedsourcesinthefirstplace,sointegritychecksontheseVMscanbeaprudentmeasuretotake.TheseintegritycheckscouldbeasthoroughasmakingsuretheentireVMexactlymatchesapreviouslyknownVM(byhashforexample),orbysimplycheckingcertainconfigurationsettingstoensurethattheVM'sconfigurationwillnotviolatethesecuritymodeloftheVS.


FPT_GVI_EXT.1TSSForeachmechanismlistedintheassignment,theevaluatorshallensurethattheTSSdocumentsthemechanism,includinghowitverifiesVMintegrity,whichsetofGuestVMsitwillcheck(allGuestVMs,onlymigratedVMs,etc.),whensuchchecksoccur(beforeVMstartup,immediatelyfollowingimportation/migration,ondemand,etc.),andwhichactionsaretakenifaVMfailstheintegritycheck(orwhichrangeofactionsarepossibleiftheactionisconfigurable).

A.2ObjectiveRequirements

A.2.1AuditableEventsforObjectiveRequirements

Table6:AuditableEventsforObjectiveRequirementsRequirement AuditableEvents AdditionalAuditRecordContents

FPT_DDI_EXT.1 Noeventsspecified

FPT_IDV_EXT.1 Noeventsspecified

FPT_INT_EXT.1 Introspectioninitiated/enabled. TheVMintrospected.

FPT_ML_EXT.1 Integrityinitiated/enabled. Integritymeasurementvalues.

A.2.2ProtectionoftheTSF(FPT)

FPT_DDI_EXT.1DeviceDriverIsolationFPT_DDI_EXT.1.1

TheTSFshallensurethatdevicedriversforphysicaldevicesareisolatedfrom

theVMMandallotherdomains.

ApplicationNote:Inordertofunctiononphysicalhardware,theVMMmusthaveaccesstothedevicedriversforthephysicalplatformonwhichitruns.Thesedriversareoftenwrittenbythirdparties,andyetareeffectivelyapartoftheVMM.ThustheintegrityoftheVMMinpartdependsonthequalityofthirdpartycodethatthevirtualizationvendorhasnocontrolover.Byencapsulatingthesedriverswithinoneormorededicateddriverdomains(e.g.,ServiceVMorVMs)thedamageofadriverfailureorvulnerabilitycanbecontainedwithinthedomain,andwouldnotcompromisetheVMM.Whendriverdomainshaveexclusiveaccesstoaphysicaldevice,hardwareisolationmechanisms,suchasIntel'sVT-d,AMD'sInput/OutputMemoryManagementUnit(IOMMU),orARM'sSystemMemoryManagementUnit(MMU)shouldbeusedtoensurethatoperationsperformedbyDirectMemoryAccess(DMA)hardwareareproperlyconstrained.


FPT_DDI_EXT.1TSSTheevaluatorshallexaminetheTSSdocumentationtoverifythatitdescribesthemechanismusedfordevicedriverisolation.IftheTSSdocumentindicatesthatahardwareisolationmechanismisused,theevaluatorshallverifythattheTSSdocumentationenumeratesthehardware-isolatedDMA-capabledevices,andthatitalsoprovidesacompletelistoftheaccessibletargetsformemorytransactionsforeachofthoseDMA-capabledevices.(AnexampleofinformationthatmightbeincludedintheTSSdocumentation:alistingofallpagesbelongingtothedriverdomain,theidentificationofasubsetofthedriverdomain'spagesthatthedriverdomainhaspermittedthedeviceaccessto,ortheidentificationofadedicatedareaofmemoryreservedforthedeviceordriverdomain).

FPT_IDV_EXT.1SoftwareIdentificationandVersionsFPT_IDV_EXT.1.1

TheTSFshallincludesoftwareidentification(SWID)tagsthatcontainaSoftwareIdentityelementandanEntityelementasdefinedinISO/IEC19770-2:2009.

FPT_IDV_EXT.1.2TheTSFshallstoreSWIDsina.swidtagfileasdefinedinISO/IEC19770-2:2009.

ApplicationNote:SWIDtagsareXMLfilesembeddedwithinsoftwarethatprovideastandardmethodforITdepartmentstotrackandmanagethesoftware.ThepresenceofSWIDscangreatlysimplifythesoftwaremanagementprocessandimprovesecuritybyenhancingtheabilityofITdepartmentstomanageupdates.


FPT_IDV_EXT.1TSSTheevaluatorshallexaminetheTSStoensureitdescribeshowSWIDtagsareimplementedandtheformatofthetags.TheevaluatorshallverifythattheformatcomplieswithFPT_IDV_EXT.1.1andthatSWIDsarestoredinaccordancewithFPT_IDV_EXT.1.2.TestsTheevaluatorshallperformthefollowingtest:

Test1:TheevaluatorshallcheckfortheexistenceofSWIDtagsina.swidtagfile.TheevaluatorshallopenthefileandverifythateachSWIDcontainsatleastaSoftwareIdentityelementandanEntityelement.

FPT_INT_EXT.1SupportforIntrospectionFPT_INT_EXT.1.1

TheTSFshallsupportamechanismforpermittingtheVMMorprivilegedVMstoaccesstheinternalsofanotherVMforpurposesofintrospection.

ApplicationNote:Introspectioncanbeusedtosupportmalwareandanomalydetectionfromoutsideoftheguestenvironment.ThisnotonlyhelpsprotecttheGuestOS,italsoprotectstheVSbyprovidinganopportunityfortheVStodetectthreatstoitselfthatoriginatewithinVMs,andthatmayattempttobreakoutoftheVMandcompromisetheVMMorotherVMs.

ThehostingofmalwaredetectionsoftwareoutsideoftheguestVMhelpsprotecttheguestandhelpsensuretheintegrityofthemalwaredetection/antivirussoftware.ThiscapabilitycanbeimplementedintheVMMitself,butideallyitshouldbehostedbyaServiceVMsothatitcanbebettercontainedanddoesnotintroducebugsintotheVMM.


FPT_INT_EXT.1TSSTheevaluatorshallexaminetheTSSdocumentationtoverifythatitdescribestheinterfaceforVMintrospectionandwhethertheintrospectionisperformedbytheVMMoranotherVM.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensurethatitcontainsinstructionsforconfigurationoftheintrospectionmechanism.

FPT_ML_EXT.1MeasuredLaunchofPlatformandVMMFPT_ML_EXT.1.1

TheTSFshallsupportameasuredlaunchoftheVirtualizationSystem.MeasuredcomponentsoftheVSshallincludethestaticexecutableimageoftheHypervisorand:[selection:

StaticexecutableimagesoftheManagementSubsystem,[assignment:listof(staticimagesof)ServiceVMs],[assignment:listofconfigurationfiles],noothercomponents

]

FPT_ML_EXT.1.2TheTSFshallmakethemeasurementsselectedinFPT_ML_EXT.1.1availabletotheManagementSubsystem.

ApplicationNote:AmeasuredlaunchoftheplatformandVSdemonstratesthattheproperTOEsoftwarewasloaded.Ameasuredlaunchprocessemploysverifiableintegritymeasurementmechanisms.Forexample,aVSmayhashcomponentssuchasthehypervisor,serviceVMs,ortheManagementSubsystem.Ameasuredlaunchprocessonlyallowscomponentstobeexecutedafterthemeasurementhasbeenrecorded.Anexampleprocessmayaddeachcomponent’shashbeforeitisexecutedsothatthefinalhashreflectstheevidenceofacomponent’sstatepriortoexecution.Themeasurementmaybeverifiedasthesystemboots,butthisisnotrequired.

ThePlatformisoutsideoftheTOE.However,thisrequirementspecifiesthattheVSmustbecapableofreceivingPlatformmeasurementsifthePlatformprovidesthem.ThisrequirementisrequiringTOEsupportforPlatformmeasurementsifprovided;itisnotplacingarequirementonthePlatformtotakesuchmeasurements.

Ifavailable,hardwareshouldbeusedtostoremeasurementsinsuchamannerthattheycannotbemodifiedinanymannerexcepttobeextended.Thesemeasurementsshouldbeproducedinarepeatablemannersothatathirdpartycanverifythemeasurementsifgiventheinputs.Hardwaredevices,likeTrustedPlatformModules(TPM),TrustZone,andMMUaresomeexamplesthatmayserveasfoundationsforstoringandreportingmeasurements.

Platformswitharootoftrustformeasurement(RTM)shouldinitiatethemeasuredlaunchprocess.ThismayincludecoreBIOSorthechipset.ThechipsetisthepreferredRTM,butcoreBIOSorotherfirmwareisacceptable.InasystemwithoutatraditionalRTM,thefirstcomponentthatbootswouldbeconsideredtheRTM,thisisnotpreferred.


FPT_ML_EXT.1TSSTheevaluatorshallverifythattheTSSorOperationalGuidancedescribeshowintegritymeasurementsareperformedandmadeavailabletotheManagementSubsystem.TheevaluatorshallexaminetheoperationalguidancetoverifythatitdocumentshowtoaccessthemeasurementsintheManagementSubsystem.TestsTheevaluatorshallperformthefollowingtest:

Test1:TheevaluatorshallstarttheVS,loginasanAdministrator,andverifythatthemeasurementsforthespecifiedcomponentsareviewableintheManagementSubsystem.

A.3Implementation-BasedRequirementsThisPPdoesnotdefineanyImplementation-Basedrequirements.

AppendixB-Selection-BasedRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOEoritsunderlyingplatform)arecontainedinthebodyofthisPP.ThereareadditionalrequirementsbasedonselectionsinthebodyofthePP:ifcertainselectionsaremade,thenadditionalrequirementsbelowmustbeincluded.

B.1AuditableEventsforSelection-BasedRequirementsTable7:AuditableEventsforSelection-basedRequirements

Requirement AuditableEvents AdditionalAuditRecordContents

FCS_HTTPS_EXT.1 FailuretoestablishaHTTPSSession. Reasonforfailure.Non-TOEendpointofconnection(IPaddress)forfailures.

FCS_HTTPS_EXT.1 Establishment/TerminationofaHTTPSsession.

Non-TOEendpointofconnection(IPaddress).

FCS_IPSEC_EXT.1 FailuretoestablishanIPsecSA. Reasonforfailure.Non-TOEendpointofconnection(IPaddress).

FCS_IPSEC_EXT.1 Establishment/TerminationofanIPsecSAA.

Non-TOEendpointofconnection(IPaddress).

FIA_PMG_EXT.1 Noeventsspecified

FIA_X509_EXT.1 Failuretovalidateacertificate. Reasonforfailure.

FIA_X509_EXT.2 Noeventsspecified

FPT_TUD_EXT.2 Noeventsspecified

FTP_TRP.1 Initiationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_TRP.1 Terminationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.

FTP_TRP.1 Failuresofthetrustedpathfunctions. UserIDandremotesource(IPAddress)iffeasible.

B.2CryptographicSupport(FCS)

FCS_HTTPS_EXT.1HTTPSProtocol

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_X509_EXT.2.1,FTP_ITC_EXT.1.1.

FCS_HTTPS_EXT.1.1TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.

ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselects"TLS/HTTPS"inFTP_ITC_EXT.1.1.

TheSTauthormustprovideenoughdetailtodeterminehowtheimplementationiscomplyingwiththestandardsidentified;thiscanbedoneeitherbyaddingelementstothiscomponent,orbyadditionaldetailintheTSS.

FCS_HTTPS_EXT.1.2TheTSFshallimplementHTTPSusingTLS.


FCS_HTTPS_EXT.1TSSTheevaluatorshallchecktheTSStoensurethatitisclearonhowHTTPSusesTLStoestablishanadministrativesession,focusingonanyclientauthenticationrequiredbytheTLSprotocolvs.

securityadministratorauthenticationwhichmaybedoneatadifferentleveloftheprocessingstack.TestsTestingforthisactivityisdoneaspartoftheTLStesting;thismayresultinadditionaltestingiftheTLStestsaredoneattheTLSprotocollevel.

FCS_IPSEC_EXT.1IPsecProtocol

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_X509_EXT.2.1,FTP_ITC_EXT.1.1.

FCS_IPSEC_EXT.1.1TheTSFshallimplementtheIPsecarchitectureasspecifiedinRFC4301.

ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselected"IPsec"inFTP_ITC_EXT.1.1.

RFC4301callsforanIPsecimplementationtoprotectIPtrafficthroughtheuseofaSecurityPolicyDatabase(SPD).TheSPDisusedtodefinehowIPpacketsaretobehandled:PROTECTthepacket(e.g.,encryptthepacket),BYPASStheIPsecservices(e.g.,noencryption),orDISCARDthepacket(e.g.,dropthepacket).TheSPDcanbeimplementedinvariousways,includingrouteraccesscontrollists,firewallrulesets,a"traditional"SPD,etc.Regardlessoftheimplementationdetails,thereisanotionofa"rule"thatapacketis"matched"againstandaresultingactionthattakesplace.

Whiletheremustbeameanstoordertherules,ageneralapproachtoorderingisnotmandated,aslongastheTOEcandistinguishtheIPpacketsandapplytherulesaccordingly.TheremaybemultipleSPDs(oneforeachnetworkinterface),butthisisnotrequired.

FCS_IPSEC_EXT.1.2TheTSFshallimplement[selection:transportmode,tunnelmode].

ApplicationNote:IftheTOEisusedtoconnecttoaVPNgatewayforthepurposesofestablishingasecureconnectiontoaprivatenetwork,theSTauthorshallselecttunnelmode.IftheTOEusesIPsectoestablishanend-to-endconnectiontoanotherIPsecVPNClient,theSTauthorshallselecttransportmode.IftheTOEusesIPsectoestablishaconnectiontoaspecificendpointdeviceforthepurposeofsecureremoteadministration,theSTauthorshallselecttransportmode.

FCS_IPSEC_EXT.1.3TheTSFshallhaveanominal,finalentryintheSPDthatmatchesanythingthatisotherwiseunmatched,anddiscardsit.

FCS_IPSEC_EXT.1.4TheTSFshallimplementtheIPsecprotocolESPasdefinedbyRFC4303usingthecryptographicalgorithms[AES-GCM-128,AES-GCM-256(asspecifiedinRFC4106),[selection:AES-CBC-128(specifiedinRFC3602),AES-CBC-256(specifiedinRFC3602),nootheralgorithms]]togetherwithaSecureHashAlgorithm(SHA)-basedHMAC.

FCS_IPSEC_EXT.1.5TheTSFshallimplementtheprotocol:

[selection:IKEv1,usingMainModeforPhase1exchanges,asdefinedinRFC2407,RFC2408,RFC2409,RFC4109,[selection:nootherRFCsforextendedsequencenumbers,RFC4304forextendedsequencenumbers],[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions],and[selection:supportforXAUTH,nosupportforXAUTH],IKEv2asdefinedinRFC7296(withmandatorysupportforNATtraversalasspecifiedinsection2.23),RFC8784,RFC8247,and[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions].

]

ApplicationNote:IftheTOEimplementsSHA-2hashalgorithmsforIKEv1orIKEv2,theSTauthorshallselectRFC4868.

FCS_IPSEC_EXT.1.6TheTSFshallensuretheencryptedpayloadinthe[selection:IKEv1,IKEv2]

protocolusesthecryptographicalgorithmsAES-CBC-128,AES-CBC-256asspecifiedinRFC6379and[selection:AES-GCM-128asspecifiedinRFC5282,AES-GCM-256asspecifiedinRFC5282,nootheralgorithm].

FCS_IPSEC_EXT.1.7TheTSFshallensurethat[selection:

IKEv2SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimesarefixedbasedon[selection:numberofpackets/numberofbytes,lengthoftime].Iflengthoftimeisused,itmustincludeatleastoneoptionthatis24hoursorlessforPhase1SAsand8hoursorlessforPhase2SAs.

]

ApplicationNote:TheSTauthorisaffordedaselectionbasedontheversionofIKEintheirimplementation.ThereisafurtherselectionwithinthisselectionthatallowstheSTauthortospecifywhichentityisresponsiblefor“configuring”thelifeoftheSA.AnimplementationthatallowsanadministratortoconfiguretheclientoraVPNgatewaythatpushestheSAlifetimedowntotheclientarebothacceptable.

AsfarasSAlifetimesareconcerned,theTOEcanlimitthelifetimebasedonthenumberofbytestransmitted,orthenumberofpacketstransmitted.Eitherpacket-basedorvolume-basedSAlifetimesareacceptable;theSTauthormakestheappropriateselectiontoindicatewhichtypeoflifetimelimitsaresupported.

TheSTauthorchooseseithertheIKEv1requirementsorIKEv2requirements(orboth,dependingontheselectioninFCS_IPSEC_EXT.1.5.TheIKEv1requirementcanbeaccomplishedeitherbyprovidingAuthorizedAdministrator-configurablelifetimes(withappropriateinstructionsindocumentsmandatedbyAGD_OPE),orby“hardcoding”thelimitsintheimplementation.ForIKEv2,therearenohardcodedlimits,butinthiscaseitisrequiredthatanadministratorbeabletoconfigurethevalues.Ingeneral,instructionsforsettingtheparametersoftheimplementation,includinglifetimeoftheSAs,shouldbeincludedintheoperationalguidancegeneratedforAGD_OPE.ItisappropriatetorefinetherequirementintermsofnumberofMB/KBinsteadofnumberofpackets,aslongastheTOEiscapableofsettingalimitontheamountoftrafficthatisprotectedbythesamekey(thetotalvolumeofallIPsectrafficprotectedbythatkey).

FCS_IPSEC_EXT.1.8TheTSFshallensurethatallIKEprotocolsimplementDHgroups[19(256-bitRandomECP),20(384-bitRandomECP),and[selection:24(2048-bitMODPwith256-bitPOS),15(3072-bitMODP),14(2048-bitMODP),nootherDHgroups]].

ApplicationNote:TheselectionisusedtospecifyadditionalDHgroupssupported.ThisappliestoIKEv1andIKEv2exchanges.ItshouldbenotedthatifanyadditionalDHgroupsarespecified,theymustcomplywiththerequirements(intermsoftheephemeralkeysthatareestablished)listedinFCS_CKM.1.

SincetheimplementationmayallowdifferentDiffie-HellmangroupstobenegotiatedforuseinformingtheSAs,theassignmentsinFCS_IPSEC_EXT.1.9andFCS_IPSEC_EXT.1.10maycontainmultiplevalues.ForeachDHgroupsupported,theSTauthorconsultsTable2in800-57todeterminethe“bitsofsecurity”associatedwiththeDHgroup.Eachuniquevalueisthenusedtofillintheassignment(for1.9theyaredoubled;for1.10theyareinserteddirectlyintotheassignment).Forexample,supposetheimplementationsupportsDHgroup14(2048-bitMODP)andgroup20(ECDHusingNISTcurveP-384).FromTable2,thebitsofsecurityvalueforgroup14is112,andforgroup20itis192.ForFCS_IPSEC_EXT.1.9,then,theassignmentwouldread“[224,384]”andforFCS_IPSEC_EXT.1.10itwouldread“[112,192]”(althoughinthiscasetherequirementshouldprobablyberefinedsothatitmakessensemathematically).

FCS_IPSEC_EXT.1.9TheTSFshallgeneratethesecretvaluexusedintheIKEDiffie-Hellmankeyexchange(“x”ingxmodp)usingtherandombitgeneratorspecifiedinFCS_RBG_EXT.1,andhavingalengthofatleast[assignment:(oneormore)numberofbitsthatisatleasttwicethe“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General]bits.

FCS_IPSEC_EXT.1.10TheTSFshallgeneratenoncesusedinIKEexchangesinamannersuchthattheprobabilitythataspecificnoncevaluewillberepeatedduringthelifeaspecificIPsecSAislessthan1in2^[assignment:(oneormore)“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General].

FCS_IPSEC_EXT.1.11TheTSFshallensurethatallIKEprotocolsperformpeerauthenticationusinga[selection:RSA,ECDSA]thatuseX.509v3certificatesthatconformtoRFC4945and[selection:Pre-sharedKeys,noothermethod].

ApplicationNote:Atleastonepublic-key-basedPeerAuthenticationmethodisrequiredinordertoconformtothisPP-Module;oneormoreofthepublickeyschemesischosenbytheSTauthortoreflectwhatisimplemented.TheSTauthoralsoensuresthatappropriateFCSrequirementsreflectingthealgorithmsused(andkeygenerationcapabilities,ifprovided)arelistedtosupportthosemethods.NotethattheTSSwillelaborateonthewayinwhichthesealgorithmsaretobeused(forexample,2409specifiesthreeauthenticationmethodsusingpublickeys;eachonesupportedwillbedescribedintheTSS).

If“pre-sharedkeys”isselected,theselection-basedrequirementFIA_PSK_EXT.1mustbeclaimed.

FCS_IPSEC_EXT.1.12TheTSFshallnotestablishanSAifthe[[selection:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,DistinguishedName(DN)]and[selection:nootherreferenceidentifiertype,[assignment:othersupportedreferenceidentifiertypes]]]containedinacertificatedoesnotmatchtheexpectedvaluesfortheentityattemptingtoestablishaconnection.

ApplicationNote:TheTOEmustsupportatleastoneofthefollowingidentifiertypes:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,orDistinguishedName(DN).Inthefuture,theTOEwillberequiredtosupportalloftheseidentifiertypes.TheTOEisexpectedtosupportasmanyIPaddressformats(IPv4andIPv6)asIPversionssupportedbytheTOEingeneral.TheSTauthormayassignadditionalsupportedidentifiertypesinthesecondselection.

FCS_IPSEC_EXT.1.13TheTSFshallnotestablishanSAifthepresentedidentifierdoesnotmatchtheconfiguredreferenceidentifierofthepeer.

ApplicationNote:Atthistime,onlythecomparisonbetweenthepresentedidentifierinthepeer’scertificateandthepeer’sreferenceidentifierismandatedbythetestingbelow.However,inthefuture,thisrequirementwilladdresstwoaspectsofthepeercertificatevalidation:1)comparisonofthepeer’sIDpayloadtothepeer’scertificatewhicharebothpresentedidentifiers,asrequiredbyRFC4945and2)verificationthatthepeeridentifiedbytheIDpayloadandthecertificateisthepeerexpectedbytheTOE(perthereferenceidentifier).Atthattime,theTOEwillberequiredtodemonstratebothaspects(i.e.thattheTOEenforcesthatthepeer’sIDpayloadmatchesthepeer’scertificatewhichbothmatchconfiguredpeerreferenceidentifiers).

ExcludingtheDNidentifiertype(whichisnecessarilytheSubjectDNinthepeercertificate),theTOEmaysupporttheidentifierineithertheCommonNameorSubjectAlternativeName(SAN)orboth.Ifbotharesupported,thepreferredlogicistocomparethereferenceidentifiertoapresentedSAN,andonlyifthepeer’scertificatedoesnotcontainaSAN,tofallbacktoacomparisonagainsttheCommonName.Inthefuture,theTOEwillberequiredtocomparethereferenceidentifiertothepresentedidentifierintheSANonly,ignoringtheCommonName.

TheconfigurationofthepeerreferenceidentifierisaddressedbyFMT_SMF.1.1/VPN.

FCS_IPSEC_EXT.1.14The[selection:TSF,VPNGateway]shallbeabletoensurebydefaultthatthestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase1,IKEv2IKE_SA]connectionisgreaterthanorequaltothestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase2,IKEv2CHILD_SA]connection.

ApplicationNote:Ifthisfunctionalityisconfigurable,theTSFmaybeconfiguredbyaVPNGatewayorbyanAdministratoroftheTOEitself.

TheSTauthorchooseseitherorbothoftheIKEselectionsbasedonwhatisimplementedbytheTOE.Obviously,theIKEversionschosenshouldbeconsistentnotonlyinthiselement,butwithotherchoicesforotherelementsinthiscomponent.Whileitisacceptableforthiscapabilitytobeconfigurable,thedefaultconfigurationintheevaluatedconfiguration(either"outofthebox"orbyconfigurationguidanceintheAGDdocumentation)mustenablethisfunctionality.


FCS_IPSEC_EXT.1TSSInadditiontotheTSSEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshallperformthefollowing:IftheTOEboundaryincludesageneral-purposeoperatingsystemormobiledevice,theevaluatorshallexaminetheTSStoensurethatitdescribeswhethertheVPNclientcapabilityisarchitecturallyintegratedwiththeplatformitselforwhetheritisaseparateexecutablethatisbundledwiththeplatform.GuidanceInadditiontotheOperationalGuidanceEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshallperformthefollowing:IftheconfigurationoftheIPsecbehaviorisfromanenvironmentalsource,mostnotablyaVPNgateway(e.gthroughreceiptofrequiredconnectionparametersfromaVPNgateway),theevaluatorshallensurethattheoperationalguidancecontainsanyappropriateinformationforensuringthatthisconfigurationcanbeproperlyapplied.NoteinthiscasethattheimplementationoftheIPsecprotocolmustbeenforcedentirelywithintheTOEboundary;i.e.itisnotpermissibleforasoftwareapplicationTOEtobeagraphicalfront-endforIPsecfunctionalityimplementedtotallyorinpartbytheunderlyingOSplatform.ThebehaviorreferencedhereisforthepossibilitythattheconfigurationoftheIPsecconnectionisinitiatedfromoutsidetheTOE,whichispermissiblesolongastheTSFissolelyresponsibleforenforcingtheconfiguredbehavior.However,itisallowablefortheTSFtorelyonlow-levelplatform-providednetworkingfunctionstoimplementtheSPDfromtheclient(e.g.,enforcementofpacketroutingdecisions).

TestsAsaprerequisiteforperformingtheTestEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshalldothefollowing:Theevaluatorshallminimallycreateatestenvironmentequivalenttothetestenvironmentillustratedbelow.ThetrafficgeneratorusedtoconstructnetworkpacketsshouldprovidetheevaluatorwiththeabilitymanipulatefieldsintheICMP,IPv4,IPv6,UDP,andTCPpacketheaders.Theevaluatorshallprovidejustificationforanydifferencesinthetestenvironment.

Figure2:IPsecTestEnvironmentNotethattheevaluatorshallperformalltestsusingtheVirtualizationSystemandarepresentativesampleofplatformslistedintheST(forTOEsthatclaimtosupportmultipleplatforms).FCS_IPSEC_EXT.1.1TSSTheevaluatorshallexaminetheTSSanddeterminethatitdescribeshowtheIPseccapabilitiesareimplemented.TheevaluatorshallensurethattheTSSdescribesatahighlevelthearchitecturalrelationshipbetweentheIPsecimplementationandtherestoftheTOE(e.g.,istheIPsecimplementationanintegratedpartoftheVSorisitastandaloneexecutablethatisbundledintotheVS).TheevaluatorshallensurethattheTSSdescribeshowtheSPDisimplementedandtherulesforprocessingbothinboundandoutboundpacketsintermsoftheIPsecpolicy.TheTSSdescribestherulesthatareavailableandtheresultingactionsavailableaftermatchingarule.TheTSSdescribeshowtheavailablerulesandactionsformtheSPDusingtermsdefinedinRFC4301

suchasBYPASS(e.g.,noencryption),DISCARD(e.g.,dropthepacket),andPROTECT(e.g.,encryptthepacket)actionsdefinedinRFC4301.Asnotedinsection4.4.1ofRFC4301,theprocessingofentriesintheSPDisnon-trivialandtheevaluatorshalldeterminethatthedescriptionintheTSSissufficienttodeterminewhichruleswillbeappliedgiventherulestructureimplementedbytheTOE.Forexample,iftheTOEallowsspecificationofranges,conditionalrules,etc.,theevaluatorshalldeterminethatthedescriptionofruleprocessing(forbothinboundandoutboundpackets)issufficienttodeterminetheactionthatwillbeapplied,especiallyinthecasewheretwodifferentrulesmayapply.Thisdescriptionshallcoverboththeinitialpackets(thatis,noSAisestablishedontheinterfaceorforthatparticularpacket)aswellaspacketsthatarepartofanestablishedSA.

GuidanceTheevaluatorshallexaminetheoperationalguidancetoverifyitinstructstheAdministratorhowtoconstructentriesintotheSPDthatspecifyaruleforprocessingapacket.Thedescriptionincludesallthreecases–arulethatensurespacketsareencrypted/decrypted,dropped,andflowthroughtheTOEwithoutbeingencrypted.TheevaluatorshalldeterminethatthedescriptionintheoperationalguidanceisconsistentwiththedescriptionintheTSS,andthatthelevelofdetailintheoperationalguidanceissufficienttoallowtheadministratortosetuptheSPDinanunambiguousfashion.ThisincludesadiscussionofhoworderingofrulesimpactstheprocessingofanIPpacket.

TestsTheevaluatorusestheoperationalguidancetoconfiguretheTOEtocarryoutthefollowingtests:

Test1:TheevaluatorshallconfiguretheSPDsuchthatthereisarulefordroppingapacket,encryptingapacket,andallowingapackettoflowinplaintext.Theselectorsusedintheconstructionoftheruleshallbedifferentsuchthattheevaluatorcangenerateapacketandsendpacketstothegatewaywiththeappropriatefields(fieldsthatareusedbytherule-e.g.,theIPaddresses,TCP/UDPports)inthepacketheader.Theevaluatorperformsbothpositiveandnegativetestcasesforeachtypeofrule(e.g.,apacketthatmatchestheruleandanotherthatdoesnotmatchtherule).Theevaluatorobservesviatheaudittrail,andpacketcapturesthattheTOEexhibitedtheexpectedbehavior:appropriatepacketsweredropped,allowedtoflowwithoutmodification,encryptedbytheIPsecimplementation.Test2:Theevaluatorshalldeviseseveralteststhatcoveravarietyofscenariosforpacketprocessing.AswithTest1,theevaluatorensuresbothpositiveandnegativetestcasesareconstructed.ThesescenariosshallexercisetherangeofpossibilitiesforSPDentriesandprocessingmodesasoutlinedintheTSSandoperationalguidance.Potentialareastocoverincluderuleswithoverlappingrangesandconflictingentries,inboundandoutboundpackets,andpacketsthatestablishSAsaswellaspacketsthatbelongtoestablishedSAs.Theevaluatorshallverify,viatheaudittrailandpacketcaptures,foreachscenariothattheexpectedbehaviorisexhibited,andisconsistentwithboththeTSSandtheoperationalguidance.

FCS_IPSEC_EXT.1.2TSSTheevaluatorcheckstheTSStoensureitstatesthatanIPsecVPNcanbeestablishedtooperateintunnelmodeortransportmode(asselected).

GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsonhowtoconfiguretheconnectionineachmodeselected.Ifbothtransportmodeandtunnelmodeareimplemented,theevaluatorshallreviewtheoperationalguidancetodeterminehowtheuseofagivenmodeisspecified.

TestsTheevaluatorshallperformthefollowingtestsbasedontheselectionschosen:

Test1:(conditional):Iftunnelmodeisselected,theevaluatorusestheoperationalguidancetoconfiguretheTOE/platformtooperateintunnelmodeandalsoconfiguresaVPNpeertooperateintunnelmode.TheevaluatorconfigurestheTOE/platformandtheVPNpeertouseanyoftheallowablecryptographicalgorithms,authenticationmethods,etc.toensureanallowableSAcanbenegotiated.TheevaluatorshalltheninitiateaconnectionfromtheTOE/PlatformtotheVPNpeer.Theevaluatorobserves(forexample,intheaudittrailandthecapturedpackets)thatasuccessfulconnectionwasestablishedusingthetunnelmode.Test2:(conditional):Iftransportmodeisselectted,theevaluatorusestheoperationalguidancetoconfiguretheTOE/platformtooperateintransportmodeandalsoconfiguresaVPNpeertooperateintransportmode.TheevaluatorconfigurestheTOE/platformandtheVPNpeertouseanyoftheallowedcryptographicalgorithms,authenticationmethods,etc.toensureanallowableSAcanbenegotiated.Theevaluatortheninitiatesaconnectionfrom

theTOE/platformtoconnecttotheVPNpeer.Theevaluatorobserves(forexample,intheaudittrailandthecapturedpackets)thatasuccessfulconnectionwasestablishedusingthetransportmode.

FCS_IPSEC_EXT.1.3TSSIfbothtransportmodeandtunnelmodeareimplemented,theevaluatorshallreviewtheoperationalguidancetodeterminehowtheuseofagivenmodeisspecified.

GuidanceTheevaluatorshallcheckthattheoperationalguidanceprovidesinstructionsonhowtoconstructoracquiretheSPDandusestheguidancetoconfiguretheTOEforthefollowingtest.

TestsTheevaluatorshallperformthefollowingtest:

Test1::TheevaluatorshallconfiguretheSPDsuchthatithasentriesthatcontainoperationsthatDISCARD,PROTECT,and(ifapplicable)BYPASSnetworkpackets.TheevaluatormayusetheSPDthatwascreatedforverificationofFCS_IPSEC_EXT.1.1.TheevaluatorshallconstructanetworkpacketthatmatchesaBYPASSentryandsendthatpacket.Theevaluatorshouldobservethatthenetworkpacketispassedtotheproperdestinationinterfacewithnomodification.Theevaluatorshallthenmodifyafieldinthepacketheader;suchthatitnolongermatchestheevaluator-createdentries(theremaybea“TOE-created”finalentrythatdiscardspacketsthatdonotmatchanypreviousentries).Theevaluatorsendsthepacket,andobservesthatthepacketwasnotpermittedtoflowtoanyoftheTOE’sinterfaces.

FCS_IPSEC_EXT.1.4TSSTheevaluatorshallexaminetheTSStoverifythatthealgorithmsAES-GCM-128andAES-GCM-256areimplemented.Ifthe"ST"authorhasselectedeitherAES-CBC-128orAES-CBC-256intherequirement,thentheevaluatorverifiestheTSSdescribestheseaswell.Inaddition,theevaluatorensuresthattheSHA-basedHMACalgorithmconformstothealgorithmsspecifiedinFCS_COP.1/KeyedHashCryptographicOperations(KeyedHashAlgorithms).

GuidanceTheevaluatorcheckstheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEisconfiguredtousethealgorithmsselectedinthiscomponentandwhetherthisisperformedthroughdirectconfiguration,definedduringinitialinstallation,ordefinedbyacquiringconfigurationsettingsfromanenvironmentalcomponent.

TestsTest1:TheevaluatorshallconfiguretheTOE/platformasindicatedintheoperationalguidanceconfiguringtheTOE/platformtouseeachofthesupportedalgorithms,attempttoestablishaconnectionusingESP,andverifythattheattemptsucceeds.

FCS_IPSEC_EXT.1.5TSSTheevaluatorshallexaminetheTSStoverifythatIKEv1orIKEv2(asselected)areimplemented.IfIKEv1isimplemented,theevaluatorshallverifythattheTSSindicateswhetherornotXAUTHissupported,andthataggressivemodeisnotusedforIKEv1Phase1exchanges(i.e.onlymainmodeisused).Itmaybethattheseareconfigurableoptions.

GuidanceTheevaluatorshallchecktheoperationalguidancetoensureitinstructstheadministratorhowtoconfiguretheTOEtouseIKEv1orIKEv2(asselected),andusestheguidancetoconfiguretheTOEtoperformNATtraversalforthetestbelow.IfXAUTHisimplemented,theevaluatorshallverifythattheoperationalguidanceprovidesinstructionsonhowitisenabledordisabled.IftheTOEsupportsIKEv1,theevaluatorshallverifythattheoperationalguidanceeitherassertsthatonlymainmodeisusedforPhase1exchanges,orprovidesinstructionsfordisablingaggressivemode.

TestsTestsareperformedinconjunctionwiththeotherIPsecevaluationactivitieswiththeexceptionoftheactivitiesbelow:

Test1::TheevaluatorshallconfiguretheTOEsothatitwillperformNATtraversalprocessingasdescribedintheTSSandRFC7296,section2.23.TheevaluatorshallinitiateanIPsecconnectionanddeterminethattheNATissuccessfullytraversed.IftheTOEsupportsIKEv1withorwithoutXAUTH,theevaluatorshallverifythatthistestcanbe

successfullyrepeatedwithXAUTHenabledanddisabledinthemannerspecifiedbytheoperationalguidance.IftheTOEonlysupportsIKEv1withXAUTH,theevaluatorshallverifythatconnectionsnotusingXAUTHareunsuccessful.IftheTOEonlysupportsIKEv1withoutXAUTH,theevaluatorshallverifythatconnectionsusingXAUTHareunsuccessful.Test2:(conditional)::IftheTOEsupportsIKEv1,theevaluatorshallperformanyapplicableoperationalguidancestepstodisabletheuseofaggressivemodeandthenattempttoestablishaconnectionusinganIKEv1Phase1connectioninaggressivemode.Thisattemptshouldfail.TheevaluatorshallshowthattheTOEwillrejectaVPNgatewayfrominitiatinganIKEv1Phase1connectioninaggressivemode.Theevaluatorshouldthenshowthatmainmodeexchangesaresupported.

FCS_IPSEC_EXT.1.6TSSTheevaluatorshallensuretheTSSidentifiesthealgorithmsusedforencryptingtheIKEv1orIKEv2payload,andthatthealgorithmsAES-CBC-128,AES-CBC-256arespecified,andifothersarechosenintheselectionoftherequirement,thoseareincludedintheTSSdiscussion.

GuidanceTheevaluatorcheckstheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEisconfiguredtousethealgorithmsselectedinthiscomponentandwhetherthisisperformedthroughdirectconfiguration,definedduringinitialinstallation,ordefinedbyacquiringconfigurationsettingsfromanenvironmentalcomponent.

TestsTheevaluatorshallusetheoperationalguidancetoconfiguretheTOE(ortoconfiguretheOperationalEnvironmenttohavetheTOEreceiveconfiguration)toperformthefollowingtestforeachciphersuiteselected:

Test1:TheevaluatorshallconfiguretheTOEtousetheciphersuiteundertesttoencrypttheIKEv1orIKEv2payloadandestablishaconnectionwithapeerdevice,whichisconfiguredtoonlyacceptthepayloadencryptedusingtheindicatedciphersuite.Theevaluatorwillconfirmthealgorithmwasthatusedinthenegotiation.Theevaluatorwillconfirmthattheconnectionissuccessfulbyconfirmingthatdatacanbepassedthroughtheconnectiononceitisestablished.Forexample,theevaluatormayconnecttoawebpageontheremotenetworkandverifythatitcanbereached.

FCS_IPSEC_EXT.1.7TSSTherearenoTSSEAsforthisrequirement.

GuidanceTheevaluatorshallchecktheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEconfiguresthevaluesforSAlifetimes.Inaddition,theevaluatorshallcheckthattheguidancehastheoptionforeithertheAdministratororVPNGatewaytoconfigurePhase1SAsiftime-basedlimitsaresupported.Currentlytherearenovaluesmandatedforthenumberofpacketsornumberofbytes,theevaluatorshallsimplychecktheoperationalguidancetoensurethatthiscanbeconfiguredifselectedintherequirement.TestsWhentestingthisfunctionality,theevaluatorneedstoensurethatbothsidesareconfiguredappropriately.FromtheRFC“AdifferencebetweenIKEv1andIKEv2isthatinIKEv1SAlifetimeswerenegotiated.InIKEv2,eachendoftheSAisresponsibleforenforcingitsownlifetimepolicyontheSAandrekeyingtheSAwhennecessary.Ifthetwoendshavedifferentlifetimepolicies,theendwiththeshorterlifetimewillendupalwaysbeingtheonetorequesttherekeying.Ifthetwoendshavethesamelifetimepolicies,itispossiblethatbothwillinitiatearekeyingatthesametime(whichwillresultinredundantSAs).Toreducetheprobabilityofthishappening,thetimingofrekeyingrequestsSHOULDbejittered.”EachofthefollowingtestsshallbeperformedforeachversionofIKEselectedintheFCS_IPSEC_EXT.1.5protocolselection:

Test1:(Conditional)::Theevaluatorshallconfigureamaximumlifetimeintermsofthe#ofpackets(orbytes)allowedfollowingtheoperationalguidance.TheevaluatorshallestablishanSAanddeterminethatoncetheallowed#ofpackets(orbytes)throughthisSAisexceeded,theconnectionisclosed.Test2:(Conditional):TheevaluatorshallconstructatestwhereaPhase1SAisestablishedandattemptedtobemaintainedformorethan24hoursbeforeitisrenegotiated.TheevaluatorshallobservethatthisSAisclosedorrenegotiatedin24hoursorless.IfsuchanactionrequiresthattheTOEbeconfiguredinaspecificway,theevaluatorshallimplementtestsdemonstratingthattheconfigurationcapabilityoftheTOEworksasdocumentedintheoperationalguidance.Test3:[conditional]:TheevaluatorshallperformatestsimilartoTest2forPhase2SAs,exceptthatthelifetimewillbe8hoursorlessinsteadof24hoursorless.Test4:[conditional]:IfafixedlimitforIKEv1SAsissupported,theevaluatorshall

establishanSAandobservethattheconnectionisclosedafterthefixedtrafficortimevalueisreached.

FCS_IPSEC_EXT.1.8TSSTheevaluatorshallchecktoensurethattheDHgroupsspecifiedintherequirementarelistedasbeingsupportedintheTSS.IfthereismorethanoneDHgroupsupported,theevaluatorcheckstoensuretheTSSdescribeshowaparticularDHgroupisspecified/negotiatedwithapeer.GuidanceTherearenoAGDEAsforthisrequirement.TestsTheevaluatorshallperformthefollowingtest:

Test1:ForeachsupportedDHgroup,theevaluatorshalltesttoensurethatallsupportedIKEprotocolscanbesuccessfullycompletedusingthatparticularDHgroup.

FCS_IPSEC_EXT.1.9TSSTheevaluatorshallchecktoensurethat,foreachDHgroupsupported,theTSSdescribestheprocessforgenerating"x"(asdefinedinFCS_IPSEC_EXT.1.9)andeachnonce.TheevaluatorshallverifythattheTSSindicatesthattherandomnumbergeneratedthatmeetstherequirementsinthisEPisused,andthatthelengthof"x"andthenoncesmeetthestipulationsintherequirement.

GuidanceTherearenoAGDEAsforthisrequirement.

TestsTherearenotestEAsforthisrequirement.

FCS_IPSEC_EXT.1.10EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.9.FCS_IPSEC_EXT.1.11TSSTheevaluatorensuresthattheTSSidentifiesRSAorECDSAasbeingusedtoperformpeerauthentication.Ifpre-sharedkeysarechosenintheselection,theevaluatorshallchecktoensurethattheTSSdescribeshowpre-sharedkeysareestablishedandusedinauthenticationofIPsecconnections.ThedescriptionintheTSSshallalsoindicatehowpre-sharedkeyestablishmentisaccomplisheddependingonwhethertheTSFcangenerateapre-sharedkey,acceptapre-sharedkey,orboth.TheevaluatorshallensurethattheTSSdescribeshowtheTOEcomparesthepeer’spresentedidentifiertothereferenceidentifier.ThisdescriptionshallincludewhetherthecertificatepresentedidentifieriscomparedtotheIDpayloadpresentedidentifier,whichfieldsofthecertificateareusedasthepresentedidentifier(DN,CommonName,orSAN)and,ifmultiplefieldsaresupported,thelogicalordercomparison.IftheSTauthorassignedanadditionalidentifiertype,theTSSdescriptionshallalsoincludeadescriptionofthattypeandthemethodbywhichthattypeiscomparedtothepeer’spresentedcertificate.

GuidanceTheevaluatorshallcheckthattheoperationalguidancedescribeshowpre-sharedkeysaretobegeneratedandestablished.TheevaluatorensurestheoperationalguidancedescribeshowtosetuptheTOEtousethecryptographicalgorithmsRSAorECDSA(asselected).InordertoconstructtheenvironmentandconfiguretheTOEforthefollowingtests,theevaluatorwillensurethattheoperationalguidancealsodescribeshowtoconfiguretheTOEtoconnecttoatrustedCA,andensureavalidcertificateforthatCAisloadedintotheTOEasatrustedCA.Theevaluatorshallalsoensurethattheoperationalguidanceincludestheconfigurationofthereferenceidentifiersforthepeer.

TestsForefficiency’ssake,thetestingthatisperformedherehasbeencombinedwiththetestingforFIA_X509_EXT.2andFIA_X509_EXT.3(forIPsecconnectionsanddependingontheBase-PP),FCS_IPSEC_EXT.1.12,andFCS_IPSEC_EXT.1.13.ThefollowingtestsshallberepeatedforeachpeerauthenticationprotocolselectedintheFCS_IPSEC_EXT.1.11selectionabove:

Test1::TheevaluatorshallhavetheTOEgenerateapublic-privatekeypair,andsubmitaCSR(CertificateSigningRequest)toaCA(trustedbyboththeTOEandthepeerVPNusedtoestablishaconnection)foritssignature.ThevaluesfortheDN(CommonName,

Organization,OrganizationalUnit,andCountry)willalsobepassedintherequest.Alternatively,theevaluatormayimporttotheTOEapreviouslygeneratedprivatekeyandcorrespondingcertificate.Test2:TheevaluatorshallconfiguretheTOEtouseaprivatekeyandassociatedcertificatesignedbyatrustedCAandshallestablishanIPsecconnectionwiththepeer.Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates–conditionalonwhetherCRLorOCSPisselected;ifbothareselected,andthenatestisperformedforeachmethod.ForthiscurrentversionofthePP-Module,theevaluatorhastoonlytestoneupinthetrustchain(futuredraftsmayrequiretoensurethevalidationisdoneuptheentirechain).Theevaluatorshallensurethatavalidcertificateisused,andthattheSAisestablished.Theevaluatorthenattemptsthetestwithacertificatethatwillberevoked(foreachmethodchosenintheselection)toensurewhenthecertificateisnolongervalidthattheTOEwillnotestablishanSA.Test4:[conditional]:Theevaluatorshallgenerateapre-sharedkeyanduseit,asindicatedintheoperationalguidance,toestablishanIPsecconnectionwiththeVPNGWpeer.Ifthegenerationofthepre-sharedkeyissupported,theevaluatorshallensurethatestablishmentofthekeyiscarriedoutforaninstanceoftheTOEgeneratingthekeyaswellasaninstanceoftheTOEmerelytakinginandusingthekey.Foreachsupportedidentifiertype(excludingDNs),theevaluatorshallrepeatthefollowingtests:Test5:Foreachfieldofthecertificatesupportedforcomparison,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOE(pertheadministrativeguidance)tomatchthefieldinthepeer’spresentedcertificateandshallverifythattheIKEauthenticationsucceeds.Test6:Foreachfieldofthecertificatesupportforcomparison,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOE(pertheadministrativeguidance)tonotmatchthefieldinthepeer’spresentedcertificateandshallverifythattheIKEauthenticationfails.Thefollowingtestsareconditional:Test7:[conditional]:If,accordingtotheTSS,theTOEsupportsbothCommonNameandSANcertificatefieldsandusesthepreferredlogicoutlinedintheApplicationNote,thetestsabovewiththeCommonNamefieldshallbeperformedusingpeercertificateswithnoSANextension.Additionally,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOEtonotmatchtheSANinthepeer’spresentedcertificatebuttomatchtheCommonNameinthepeer’spresentedcertificate,andverifythattheIKEauthenticationfails.Test8:[conditional]:IftheTOEsupportsDNidentifiertypes,theevaluatorshallconfigurethepeer'sreferenceidentifierontheTOE(pertheadministrativeguidance)tomatchthesubjectDNinthepeer'spresentedcertificateandshallverifythattheIKEauthenticationsucceeds.Todemonstrateabit-wisecomparisonoftheDN,theevaluatorshallchangeasinglebitintheDN(preferably,inanObjectIdentifier(OID)intheDN)andverifythattheIKEauthenticationfails.TodemonstrateacomparisonofDNvalues,theevaluatorshallchangeanyoneofthefourDNvaluesandverifythattheIKEauthenticationfails.Test9:[conditional]:IftheTOEsupportsbothIPv4andIPv6andsupportsIPaddressidentifiertypes,theevaluatormustrepeattest1and2withbothIPv4addressidentifiersandIPv6identifiers.Additionally,theevaluatorshallverifythattheTOEverifiesthattheIPheadermatchestheidentifiersbysettingthepresentedidentifiersandthereferenceidentifierwiththesameIPaddressthatdiffersfromtheactualIPaddressofthepeerintheIPheadersandverifyingthattheIKEauthenticationfails.Test10:[conditional]:If,accordingtotheTSS,theTOEperformscomparisonsbetweenthepeer’sIDpayloadandthepeer’scertificate,theevaluatorshallrepeatthefollowingtestforeachcombinationofsupportedidentifiertypesandsupportedcertificatefields(asabove).TheevaluatorshallconfigurethepeertopresentadifferentIDpayloadthanthefieldinthepeer’spresentedcertificateandverifythattheTOEfailstoauthenticatetheIKEpeer.

FCS_IPSEC_EXT.1.12EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.11.FCS_IPSEC_EXT.1.13EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.11.FCS_IPSEC_EXT.1.14TSSTheevaluatorshallcheckthattheTSSdescribesthepotentialstrengths(intermsofthenumberofbitsinthesymmetrickey)ofthealgorithmsthatareallowedfortheIKEandESPexchanges.TheTSSshallalsodescribethechecksthataredonewhennegotiatingIKEv1Phase2andIKEv2CHILD_SAsuitestoensurethatthestrength(intermsofthenumberofbitsofkeyinthesymmetricalgorithm)ofthenegotiatedalgorithmislessthanorequaltothatoftheIKESAthatisprotectingthenegotiation.GuidanceTherearenoAGDEAsforthisrequirement.TestsTheevaluatorfollowstheguidancetoconfiguretheTOEtoperformthefollowingtests:

Test1:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallsuccessfullynegotiateanIPsecconnectionusingeachofthesupportedalgorithmsandhashfunctionsidentifiedintherequirements.Test2:[conditional]:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanSAforESPthatselectsanencryptionalgorithmwithmorestrengththanthatbeingusedfortheIKESA(i.e.,symmetricalgorithmwithakeysizelargerthanthatbeingusedfortheIKESA).Suchattemptsshouldfail.Test3:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanIKESAusinganalgorithmthatisnotoneofthesupportedalgorithmsandhashfunctionsidentifiedintherequirements.Suchanattemptshouldfail.Test4::ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanSAforESP(assumestheproperparameterswhereusedtoestablishtheIKESA)thatselectsanencryptionalgorithmthatisnotidentifiedinFCS_IPSEC_EXT.1.4.Suchanattemptshouldfail.

B.3IdentificationandAuthentication(FIA)

FIA_PMG_EXT.1PasswordManagement

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1.

FIA_PMG_EXT.1.1TheTSFshallprovidethefollowingpasswordmanagementcapabilitiesforadministrativepasswords:

a. Passwordsshallbeabletobecomposedofanycombinationofupperandlowercasecharacters,digits,andthefollowingspecialcharacters:[selection:“!”,“@”,“#”,“$”,“%”,“^”,“&”,“*”,“(“,“)”,[assignment:othercharacters]]

b. Minimumpasswordlengthshallbeconfigurablec. Passwordsofatleast15charactersinlengthshallbesupported

ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselects‘authenticationbasedonusernameandpassword’inFIA_UAU.5.1.

TheSTauthorselectsthespecialcharactersthataresupportedbytheTOE;theymayoptionallylistadditionalspecialcharacterssupportedusingtheassignment.“Administrativepasswords”referstopasswordsusedbyadministratorstogainaccesstotheManagementSubsystem.


FIA_PMG_EXT.1GuidanceTheevaluatorshallexaminetheoperationalguidancetodeterminethatitprovidesguidancetosecurityadministratorsinthecompositionofstrongpasswords,andthatitprovidesinstructionsonsettingtheminimumpasswordlength.TestsTheevaluatorshallalsoperformthefollowingtest.

Test1:Theevaluatorshallcomposepasswordsthateithermeettherequirements,orfailtomeettherequirements,insomeway.Foreachpassword,theevaluatorshallverifythattheTOEsupportsthepassword.Whiletheevaluatorisnotrequired(norisitfeasible)totestallpossiblecombinationsofpasswords,theevaluatorshallensurethatallcharacters,rulecharacteristics,andaminimumlengthlistedintherequirementaresupported,andjustifythesubsetofthosecharacterschosenfortesting.

FIA_X509_EXT.1X.509CertificateValidation

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1,FPT_TUD_EXT.1.3,FTP_ITC_EXT.1.1.

FIA_X509_EXT.1.1TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:

RFC5280certificatevalidationandcertificatepathvalidationThecertificatepathmustterminatewithatrustedcertificate

TheTOEshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidaterevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,aCRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:

CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1withOID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningPurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.

ApplicationNote:ThisSFRmustbeincludedintheSTiftheselectionforFPT_TUD_EXT.1.3is“digitalsignaturemechanism,”if"certificate-basedauthenticationoftheremotepeer"isselectedinFTP_ITC_EXT.1.1,orif"authenticationbasedonX.509certificates"isselectedinFIA_UAU.5.1.

FIA_X509_EXT.1.1liststherulesforvalidatingcertificates.TheSTauthorshallselectwhetherrevocationstatusisverifiedusingOCSPorCRLs.FIA_X509_EXT.2requiresthatcertificatesareusedforIPsec;thisuserequiresthattheextendedKeyUsagerulesareverified.CertificatesmayoptionallybeusedforSSH,TLS,andHTTPsand,ifimplemented,mustbevalidatedtocontainthecorrespondingextendedKeyUsage.

OCSPstaplingandOCSPmulti-staplingsupportonlyTLSservercertificatevalidation.Ifothercertificatetypesarevalidated,eitherOCSPorCRLmustbeclaimed.IfOCSPisnotsupportedtheEKUprovisionforcheckingtheOCSPSigningpurposeismetbydefault.

RegardlessoftheselectionofTSForTOEplatform,thevalidationmustresultinatrustedrootCAcertificateinarootstoremanagedbytheplatform.

OCSPresponsesaresignedusingeitherthecertificate’sissuer’sCAcertificateoranOCSPcertificateissuedtoanOCSPresponderdelegatedbythatissuertosignOCSPresponses.AcompliantTOEisabletovalidateOCSPresponsesineithercase,buttheOCSPsigningextendedkeyusagepurposeisonlyrequiredtobecheckedinOCSPcertificates.

FIA_X509_EXT.1.2TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.

ApplicationNote:ThisrequirementappliestocertificatesthatareusedandprocessedbytheTSFandrestrictsthecertificatesthatmaybeaddedastrustedCAcertificates.


FIA_X509_EXT.1TSSTheevaluatorshallensuretheTSSdescribeswherethecheckofvalidityofthecertificatestakesplace.TheevaluatorensurestheTSSalsoprovidesadescriptionofthecertificatepathvalidationalgorithm.

TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Iftherequirementthattheadministratorisabletospecifythedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.TestsThetestsdescribedmustbeperformedinconjunctionwiththeotherCertificateServices

evaluationactivities,includingtheuseslistedinFIA_X509_EXT.2.1.ThetestsfortheextendedKeyUsagerulesareperformedinconjunctionwiththeusesthatrequirethoserules.

Test1:Theevaluatorshalldemonstratethatvalidatingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing,foreachofthefollowingreasons,inturn:

byestablishingacertificatepathinwhichoneoftheissuingcertificatesisnotaCAcertificate,byomittingthebasicConstraintsfieldinoneoftheissuingcertificates,bysettingthebasicConstraintsfieldinanissuingcertificatetohaveCA=False,byomittingtheCAsigningbitofthekeyusagefieldinanissuingcertificate,andbysettingthepathlengthfieldofavalidCAfieldtoavaluestrictlylessthanthecertificatepath.

TheevaluatorshallthenestablishavalidcertificatepathconsistingofvalidCAcertificates,anddemonstratethatthefunctionsucceeds.TheevaluatorshallthenremovetrustinoneoftheCAcertificates,andshowthatthefunctionfails.Test2:Theevaluatorshalldemonstratethatvalidatinganexpiredcertificateresultsinthefunctionfailing.Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates–conditionalonwhetherCRL,OCSP,OCSPstapling,orOCSPmulti-staplingisselected;ifmultiplemethodsareselected,thenatestisperformedforeachmethod.Theevaluatorhastoonlytestoneupinthetrustchain(futurerevisionsmayrequiretoensurethevalidationisdoneuptheentirechain).Theevaluatorshallensurethatavalidcertificateisused,andthatthevalidationfunctionsucceeds.Theevaluatorshallthenattemptthetestwithacertificatethatwillberevoked(foreachmethodchosenintheselection)andverifythatthevalidationfunctionfails.Test4:IfanyOCSPoptionisselected,theevaluatorshallpresentadelegatedOCSPcertificatethatdoesnothavetheOCSPsigningpurposeandverifythatvalidationoftheOCSPresponsefails.IfCRLisselected,theevaluatorshallconfiguretheCAtosignaCRLwithacertificatethatdoesnothavethecRLsignkeyusagebitsetandverifythatvalidationoftheCRLfails.Test5:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1/SIG).Theevaluatorshallestablishavalid,trustedcertificatechainconsistingofanECleafcertificate,anECIntermediateCAcertificatenotdesignatedasatrustanchor,andanECcertificatedesignatedasatrustedanchor,wheretheellipticcurveparametersarespecifiedasanamedcurve.TheevaluatorshallconfirmthattheTOEvalidatesthecertificatechain..Test6:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1/SIG).TheevaluatorshallreplacetheintermediatecertificateinthecertificatechainforTest5withamodifiedcertificate,wherethemodifiedintermediateCAhasapublickeyinformationfieldwheretheECparametersusesanexplicitformatversionoftheEllipticCurveparametersinthepublickeyinformationfieldoftheintermediateCAcertificatefromTest5,andthemodifiedIntermediateCAcertificateissignedbythetrustedECrootCA,buthavingnootherchanges.TheevaluatorshallconfirmtheTOEtreatsthecertificateasinvalid.

FIA_X509_EXT.2X.509CertificateAuthentication

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1,FPT_TUD_EXT.1.3,FTP_ITC_EXT.1.1.

FIA_X509_EXT.2.1TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationfor[selection:IPsec,TLS,HTTPS,SSH,codesigningforsystemsoftwareupdates,[assignment:otheruses]]

ApplicationNote:ThisSFRmustbeincludedintheSTiftheselectionforFPT_TUD_EXT.1.3is“digitalsignaturemechanism,”if"certificate-basedauthenticationoftheremotepeer"isselectedinFTP_ITC_EXT.1,orif"authenticationbasedonX.509certificates"isselectedinFIA_UAU.5.1.

ThisSFRmustalsobeincludedintheSTifX.509certificate-basedauthenticationisusedfor"otheruses"aslistedintheassignmentinFIA_X509_EXT.2.1.

ValidationGuidelines:Rule#9:IftheSSHPackageisincludedintheSTthen"AES-CTR(asdefinedinNISTSP800-38A)mode,""128-bitkeysizes,"and"256-bitkeysizes"mustbeselectedinFCS_COP.1/UDE.

Rule#14:IfdigitalsignaturemechanismusingcertificatesisselectedinFPT_TUD_EXT.1.3thencodesigningforsystemsoftwareupdatesmustbeselectedinFIA_X509_EXT.2.1.

Rule#15:If"certificate-basedauthenticationoftheremotepeer"and"TLSasconformingtotheFunctionalPackageforTransportLayerSecurity"areselectedinFTP_ITC_EXT.1.1then"TLS"mustbeselectedinFIA_X509_EXT.2.1.

Rule#16:If"certificate-basedauthenticationoftheremotepeer"and"TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1"areselectedinFTP_ITC_EXT.1.1then"HTTPS"mustbeselectedinFIA_X509_EXT.2.1.Rule#17:If"certificate-basedauthenticationoftheremotepeer"and"IPsecasconformingtoFCS_IPSEC_EXT.1"areselectedinFTP_ITC_EXT.1.1then"IPsec"mustbeselectedinFIA_X509_EXT.2.1.

Rule#18:If"certificate-basedauthenticationoftheremotepeer"and"SSHasconformingtotheFunctionalPackageforSecureShell"areselectedinFTP_ITC_EXT.1.1then"SSH"mustbeselectedinFIA_X509_EXT.2.1.

FIA_X509_EXT.2.2WhentheTSFcannotestablishaconnectiontodeterminethevalidityofacertificate,theTSFshall[selection:allowtheadministratortochoosewhethertoacceptthecertificateinthesecases,acceptthecertificate,notacceptthecertificate].

ApplicationNote:Oftenaconnectionmustbeestablishedtochecktherevocationstatusofacertificate-eithertodownloadaCRLortoperformalookupusingOCSP.Theselectionisusedtodescribethebehaviorintheeventthatsuchaconnectioncannotbeestablished(forexample,duetoanetworkerror).IftheTOEhasdeterminedthecertificatevalidaccordingtoallotherrulesinFIA_X509_EXT.1,thebehaviorindicatedintheselectionshalldeterminethevalidity.TheTOEmustnotacceptthecertificateifitfailsanyoftheothervalidationrulesinFIA_X509_EXT.1.Iftheadministrator-configuredoptionisselectedbytheSTAuthor,theSTAuthormustensurethatthisisalsodefinedasamanagementfunctionthatisprovidedbytheTOE.


Rule#13:If"allowtheadministratortochoosewhethertoacceptthecertificateinthesecases"isselectedthen"Abilitytoconfigureactiontakenifunabletodeterminethevalidityofacertificate"intheClientorServermodulemanagementfunctiontablemustalsobeselected.


FIA_X509_EXT.2TSSTheevaluatorshallchecktheTSStoensurethatitdescribeshowtheTOEchooseswhichcertificatestouse,andanynecessaryinstructionsintheadministrativeguidanceforconfiguringtheoperatingenvironmentsothattheTOEcanusethecertificates.TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Iftherequirementstatesthattheadministratorspecifiesthedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.TestsTheevaluatorshallperformTest1foreachfunctionlistedinFIA_X509_EXT.2.1thatrequirestheuseofcertificates:

Test1:Theevaluatorshalldemonstratethatusingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing.Usingtheadministrativeguidance,theevaluatorshallthenloadacertificateorcertificatesneededtovalidatethecertificatetobeusedinthefunction,anddemonstratethatthefunctionsucceeds.Theevaluatorthenshalldeleteoneofthecertificates,andshowthatthefunctionfails.Test2:Theevaluatorshalldemonstratethatusingavalidcertificaterequiresthatcertificatevalidationcheckingbeperformedinatleastsomepartbycommunicatingwithanon-TOEITentity.TheevaluatorshallthenmanipulatetheenvironmentsothattheTOEisunabletoverifythevalidityofthecertificate,andobservethattheactionselectedinFIA_X509_EXT.2.2isperformed.Iftheselectedactionisadministrator-configurable,thentheevaluatorshallfollowtheoperationalguidancetodeterminethatallsupportedadministrator-configurableoptionsbehaveintheirdocumentedmanner.

B.4ProtectionoftheTSF(FPT)

FPT_TUD_EXT.2TrustedUpdateBasedonCertificates



Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_X509_EXT.2.1,FPT_TUD_EXT.1.3.

FPT_TUD_EXT.2.1TheTSFshallnotinstallanupdateifthecodesigningcertificateisdeemedinvalid.

ApplicationNote:Certificatesmayoptionallybeusedforcodesigningofsystemsoftwareupdates(FPT_TUD_EXT.1.3).ThiselementmustbeincludedintheSTifcertificatesareusedforvalidatingupdates.If“codesigningforsystemsoftwareupdates”isselectedinFIA_X509_EXT.2.1,FPT_TUD_EXT.2mustbeincludedintheST.

Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithFIA_X509_EXT.1.


FPT_TUD_EXT.2TestsTheevaluationactivityforthisrequirementisperformedinconjunctionwiththeevaluationactivityforFIA_X509_EXT.1andFIA_X509_EXT.2.

B.5TrustedPath/Channel(FTP)

FTP_TRP.1TrustedPath

Theinclusionofthisselection-basedcomponentdependsuponaselectionin.

FTP_TRP.1.1TheTSFshalluseatrustedchannelasspecifiedinFTP_ITC_EXT.1toprovideatrustedcommunicationpathbetweenitselfand[remote]administratorsthatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafrom[modification,disclosure].

FTP_TRP.1.2TheTSFshallpermit[remoteadministrators]toinitiatecommunicationviathetrustedpath.

FTP_TRP.1.3TheTSFshallrequiretheuseofthetrustedpathfor[[allremoteadministrationactions]].

ApplicationNote:ThisSFRisincludedintheSTif"remote"isselectedinFMT_MOF_EXT.1.1oftheclientorserverPP-Module.

ProtocolsusedtoimplementtheremoteadministrationtrustedchannelmustbeselectedinFTP_ITC_EXT.1.

ThisrequirementensuresthatauthorizedremoteadministratorsinitiateallcommunicationwiththeTOEviaatrustedpath,andthatallcommunicationswiththeTOEbyremoteadministratorsisperformedoverthispath.ThedatapassedinthistrustedcommunicationchannelareencryptedasdefinedtheprotocolchoseninthefirstselectioninFTP_ITC_EXT.1.TheSTauthorchoosesthemechanismormechanismssupportedbytheTOE,andthenensuresthatthedetailedrequirementsinAppendixBcorrespondingtotheirselectionarecopiedtotheSTifnotalreadypresent.


FTP_TRP.1TSSTheevaluatorshallexaminetheTSStodeterminethatthemethodsofremoteTOEadministrationareindicated,alongwithhowthosecommunicationsareprotected.TheevaluatorshallalsoconfirmthatallprotocolslistedintheTSSinsupportofTOEadministrationareconsistentwiththosespecifiedintherequirement,andareincludedintherequirementsintheST.

GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsforestablishingtheremoteadministrativesessionsforeachsupportedmethod.TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:Theevaluatorsshallensurethatcommunicationsusingeachspecified(intheoperationalguidance)remoteadministrationmethodistestedduringthecourseoftheevaluation,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.Test2:Foreachmethodofremoteadministrationsupported,theevaluatorshallfollowtheoperationalguidancetoensurethatthereisnoavailableinterfacethatcanbeusedbyaremoteusertoestablishremoteadministrativesessionswithoutinvokingthetrustedpath.Test3:Theevaluatorshallensure,foreachmethodofremoteadministration,thechanneldataisnotsentinplaintext.Test4:Theevaluatorshallensure,foreachmethodofremoteadministration,modificationofthechanneldataisdetectedbytheTOE.

Additionalevaluationactivitiesareassociatedwiththespecificprotocols.

AppendixC-ExtendedComponentDefinitionsThisappendixcontainsthedefinitionsforallextendedrequirementsspecifiedinthePP-Module.

C.1ExtendedComponentsTableAllextendedcomponentsspecifiedinthePP-Modulearelistedinthistable:

Table8:ExtendedComponentDefinitionsFunctionalClass FunctionalComponents

SecurityAudit(FAU) FAU_STG_EXTOff-LoadingofAuditData

CryptographicSupport(FCS) FCS_CKM_EXTCryptographicKeyManagementFCS_ENT_EXTEntropyforVirtualMachinesFCS_HTTPS_EXTHTTPSProtocolFCS_IPSEC_EXTIPsecProtocolFCS_RBG_EXTCryptographicOperation(RandomBitGeneration)

UserDataProtection(FDP) FDP_HBI_EXTHardware-BasedIsolationMechanismsFDP_PPR_EXTPhysicalPlatformResourceControlsFDP_RIP_EXTResidualInformationinMemoryFDP_VMS_EXTVMSeparationFDP_VNC_EXTVirtualNetworkingComponents

IdentificationandAuthentication(FIA)

FIA_AFL_EXTAuthenticationFailureHandlingFIA_PMG_EXTPasswordManagementFIA_UIA_EXTAdministratorIdentificationandAuthenticationFIA_X509_EXTX.509Certificate

SecurityManagement(FMT) FMT_SMO_EXTSeparationofManagementandOperationalNetworks

ProtectionoftheTSF(FPT) FPT_DDI_EXTDeviceDriverIsolationFPT_DVD_EXTNon-ExistenceofDisconnectedVirtualDevicesFPT_EEM_EXTExecutionEnvironmentMitigationsFPT_GVI_EXTGuestVMIntegrityFPT_HAS_EXTHardwareAssistsFPT_HCL_EXTHypercallControlsFPT_IDV_EXTSoftwareIdentificationandVersionsFPT_INT_EXTSupportforIntrospectionFPT_ML_EXTMeasuredLaunchofPlatformandVMMFPT_RDM_EXTRemovableDevicesandMediaFPT_TUD_EXTTrustedUpdatesFPT_VDP_EXTVirtualDeviceParametersFPT_VIV_EXTVMMIsolationfromVMs

TrustedPath/Channel(FTP) FTP_ITC_EXTTrustedChannelCommunicationsFTP_UIF_EXTUserInterface

C.2ExtendedComponentDefinitions

C.2.1FAU_STG_EXTOff-LoadingofAuditData

FamilyBehaviorThisfamilydefinesrequirementsfortheTSFtobeabletosecurelytransmitauditdatabetweentheTOEandanexternalITentity.

ComponentLeveling

FAU_STG_EXT 1

FAU_STG_EXT.1,Off-LoadingofAuditData,requirestheTSFtotransmitauditdatausingatrustedchanneltoanoutsideentityandtospecifytheactiontobetakenwhenlocalauditstorageisfull.

Management:FAU_STG_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigureandmanagetheauditsystemandauditdata,includingtheabilitytoconfigure

name/addressofaudit/loggingservertowhichtosendaudit/loggingrecords.

Audit:FAU_STG_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Failureofauditdatacaptureduetolackofdiskspaceorpre-definedlimit.b. Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.

FAU_STG_EXT.1Off-LoadingofAuditDataHierarchicalto:Noothercomponents.Dependenciesto:FAU_GEN.1AuditDataGenerationFTP_ITC_EXT.1TrustedChannelCommunications

FAU_STG_EXT.1.1TheTSFshallbeabletotransmitthegeneratedauditdatatoanexternalITentityusingatrustedchannelasspecifiedinFTP_ITC_EXT.1.

FAU_STG_EXT.1.2

TheTSFshall[selection:dropnewauditdata,overwritepreviousauditrecordsaccordingtothefollowingrule:[assignment:ruleforoverwritingpreviousauditrecords],[assignment:otheraction]]whenthelocalstoragespaceforauditdataisfull.

C.2.2FCS_CKM_EXTCryptographicKeyManagement

FamilyBehaviorThisfamilydefinesrequirementsformanagementofcryptographickeys.

ComponentLeveling

FCS_CKM_EXT 1

FCS_CKM_EXT.4,CryptographicKeyDestruction,requirestheTSFtodestroyormakeunrecoverableemptykeysinvolatileandnon-volatilememory.Notethatcomponentlevel4isusedherebecauseofthiscomponent’ssimilaritytotheCCPart2componentFCS_CKM.4.

Management:FCS_CKM_EXT.4Nospecificmanagementfunctionsareidentified.

Audit:FCS_CKM_EXT.4Therearenoauditableeventsforeseen.

FCS_CKM_EXT.4CryptographicKeyDestructionHierarchicalto:Noothercomponents.Dependenciesto:[FCS_CKM.1CryptographicKeyGeneration,orFCS_CKM.2CryptographicKeyDistribution]

FCS_CKM_EXT.4.1TheTSFshallcausedisusedcryptographickeysinvolatilememorytobedestroyedorrenderedunrecoverable.

FCS_CKM_EXT.4.2TheTSFshallcausedisusedcryptographickeysinnon-volatilestoragetobedestroyedorrenderedunrecoverable.

C.2.3FCS_ENT_EXTEntropyforVirtualMachines

FamilyBehaviorThisfamilydefinesrequirementsforavailabilityofentropydatageneratedorcollectedbytheTSF.

ComponentLeveling

FCS_ENT_EXT 1

FCS_ENT_EXT.1,EntropyforVirtualMachines,requirestheTSFtoprovideentropydatatoVMsinaspecifiedmanner.

Management:FCS_ENT_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FCS_ENT_EXT.1Therearenoauditableeventsforeseen.

FCS_ENT_EXT.1EntropyforVirtualMachinesHierarchicalto:Noothercomponents.Dependenciesto:FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)

FCS_ENT_EXT.1.1TheTSFshallprovideamechanismtomakeavailabletoVMsentropythatmeetsFCS_RBG_EXT.1through[selection:Hypercallinterface,virtualdeviceinterface,passthroughaccesstohardwareentropysource].

FCS_ENT_EXT.1.2TheTSFshallprovideindependententropyacrossmultipleVMs.

C.2.4FCS_HTTPS_EXTHTTPSProtocol

FamilyBehaviorThisfamilydefinesrequirementsforprotectingremotemanagementsessionsbetweentheTOEandaSecurityAdministrator.ThisfamilydescribeshowHTTPSwillbeimplemented.

ComponentLeveling

FCS_HTTPS_EXT 1

FCS_HTTPS_EXT.1,HTTPSProtocol,definesrequirementsfortheimplementationoftheHTTPSprotocol.

Management:FCS_HTTPS_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FCS_HTTPS_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. FailuretoestablishanHTTPSsession.b. Establishment/terminationofanHTTPSsession.

FCS_HTTPS_EXT.1HTTPSProtocolHierarchicalto:Noothercomponents.Dependenciesto:[FCS_TLSC_EXT.1TLSClientProtocol,orFCS_TLSC_EXT.2TLSClientProtocolwithMutualAuthentication,orFCS_TLSS_EXT.1TLSServerProtocol,orFCS_TLSS_EXT.2TLSServerProtocolwithMutualAuthentication]

FCS_HTTPS_EXT.1.1TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.

FCS_HTTPS_EXT.1.2TheTSFshallimplementHTTPSusingTLS.

C.2.5FCS_IPSEC_EXTIPsecProtocol

FamilyBehaviorThisfamilydefinesrequirementsforprotectingcommunicationsusingIPsec.

ComponentLeveling

FCS_IPSEC_EXT 1

FCS_IPSEC_EXT.1,IPsecProtocol,requiresthatIPsecbeimplementedasspecified.

Management:FCS_IPSEC_EXT.1

Nospecificmanagementfunctionsareidentified.

Audit:FCS_IPSEC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. FailuretoestablishanIPsecSA.b. Establishment/TerminationofanIPsecSA.

FCS_IPSEC_EXT.1IPsecProtocolHierarchicalto:Noothercomponents.Dependenciesto:FCS_CKM.1CryptographicKeyGenerationFCS_CKM.2CryptographicKeyEstablishmentFCS_COP.1CryptographicOperationFCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)FIA_X509_EXT.1X.509CertificateValidation

FCS_IPSEC_EXT.1.1TheTSFshallimplementtheIPsecarchitectureasspecifiedinRFC4301.

FCS_IPSEC_EXT.1.2

TheTSFshallimplement[selection:transportmode,tunnelmode].

FCS_IPSEC_EXT.1.3TheTSFshallhaveanominal,finalentryintheSPDthatmatchesanythingthatisotherwiseunmatched,anddiscardsit.

FCS_IPSEC_EXT.1.4TheTSFshallimplementtheIPsecprotocolESPasdefinedbyRFC4303usingthecryptographicalgorithms[AES-GCM-128,AES-GCM-256(asspecifiedinRFC4106),[selection:AES-CBC-128(specifiedinRFC3602),AES-CBC-256(specifiedinRFC3602),nootheralgorithms]]togetherwithaSecureHashAlgorithm(SHA)-basedHMAC.

FCS_IPSEC_EXT.1.5TheTSFshallimplementtheprotocol:[selection:

IKEv1,usingMainModeforPhase1exchanges,asdefinedinRFC2407,RFC2408,RFC2409,RFC4109,[selection:nootherRFCsforextendedsequencenumbers,RFC4304forextendedsequencenumbers],[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions],and[selection:supportforXAUTH,nosupportforXAUTH],IKEv2asdefinedinRFC7296(withmandatorysupportforNATtraversalasspecifiedinsection2.23),RFC8784,RFC8247,and[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions].

]

FCS_IPSEC_EXT.1.6

TheTSFshallensuretheencryptedpayloadinthe[selection:IKEv1,IKEv2]protocolusesthecryptographicalgorithmsAES-CBC-128,AES-CBC-256asspecifiedinRFC6379and[selection:AES-GCM-128asspecifiedinRFC5282,AES-GCM-256asspecifiedinRFC5282,nootheralgorithm].

FCS_IPSEC_EXT.1.7

TheTSFshallensurethat[selection:IKEv2SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimesarefixedbasedon[selection:numberofpackets/numberofbytes,lengthoftime].Iflengthoftimeisused,itmustincludeatleastoneoptionthatis24hoursorlessforPhase1SAsand8hoursorlessforPhase2SAs.

]

FCS_IPSEC_EXT.1.8TheTSFshallensurethatallIKEprotocolsimplementDHgroups[19(256-bitRandomECP),20(384-bitRandomECP),and[selection:24(2048-bitMODPwith256-bitPOS),15(3072-bitMODP),14(2048-bit

MODP),nootherDHgroups]].

FCS_IPSEC_EXT.1.9TheTSFshallgeneratethesecretvaluexusedintheIKEDiffie-Hellmankeyexchange(“x”ingxmodp)usingtherandombitgeneratorspecifiedinFCS_RBG_EXT.1,andhavingalengthofatleast[assignment:(oneormore)numberofbitsthatisatleasttwicethe“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General]bits.

FCS_IPSEC_EXT.1.10TheTSFshallgeneratenoncesusedinIKEexchangesinamannersuchthattheprobabilitythataspecificnoncevaluewillberepeatedduringthelifeaspecificIPsecSAislessthan1in2^[assignment:(oneormore)“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General].

FCS_IPSEC_EXT.1.11

TheTSFshallensurethatallIKEprotocolsperformpeerauthenticationusinga[selection:RSA,ECDSA]thatuseX.509v3certificatesthatconformtoRFC4945and[selection:Pre-sharedKeys,noothermethod].

FCS_IPSEC_EXT.1.12

TheTSFshallnotestablishanSAifthe[[selection:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,DistinguishedName(DN)]and[selection:nootherreferenceidentifiertype,[assignment:othersupportedreferenceidentifiertypes]]]containedinacertificatedoesnotmatchtheexpectedvaluesfortheentityattemptingtoestablishaconnection.

FCS_IPSEC_EXT.1.13TheTSFshallnotestablishanSAifthepresentedidentifierdoesnotmatchtheconfiguredreferenceidentifierofthepeer.

FCS_IPSEC_EXT.1.14

The[selection:TSF,VPNGateway]shallbeabletoensurebydefaultthatthestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase1,IKEv2IKE_SA]connectionisgreaterthanorequaltothestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase2,IKEv2CHILD_SA]connection.

C.2.6FCS_RBG_EXTCryptographicOperation(RandomBitGeneration)

FamilyBehaviorThisfamilydefinesrequirementsforrandombit/numbergeneration.

ComponentLeveling

FCS_RBG_EXT 1

FCS_RBG_EXT.1,CryptographicOperation(RandomBitGeneration),requiresrandombitgenerationtobeperformedinaccordancewithselectedstandardsandseededbyanentropysource.

Management:FCS_RBG_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FCS_RBG_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Failureoftherandomizationprocess.

FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)Hierarchicalto:Noothercomponents.Dependenciesto:FCS_COP.1CryptographicOperation

FCS_RBG_EXT.1.1TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)]

FCS_RBG_EXT.1.2

ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:a

software-basednoisesource,ahardware-basednoisesource]withaminimumof[selection:128bits,192bits,256bits]ofentropyatleastequaltothegreatestsecuritystrengthaccordingtoNISTSP800-57,ofthekeysandhashesthatitwillgenerate.

C.2.7FDP_HBI_EXTHardware-BasedIsolationMechanisms

FamilyBehaviorThisfamilydefinesrequirementsforisolationofGuestVMsfromthehardwareresourcesofthephysicaldeviceonwhichtheGuestVMsaredeployed.

ComponentLeveling

FDP_HBI_EXT 1

FDP_HBI_EXT.1,Hardware-BasedIsolationMechanisms,requirestheTSFtoidentifythemechanismsusedtoisolateGuestVMsfromplatformhardwareresources.

Management:FDP_HBI_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FDP_HBI_EXT.1Therearenoauditableeventsforeseen.

FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation

FDP_HBI_EXT.1.1

TheTSFshalluse[selection:nomechanism,[assignment:listofplatform-provided,hardware-basedmechanisms]]toconstrainaGuestVM'sdirectaccesstothefollowingphysicaldevices:[selection:nodevices,[assignment:physicaldevicestowhichtheVMMallowsGuestVMsphysicalaccess]].

C.2.8FDP_PPR_EXTPhysicalPlatformResourceControls

FamilyBehaviorThisfamilydefinesrequirementsforthephysicalresourcesthattheTOEwillalloworprohibitGuestVMstoaccess.

ComponentLeveling

FDP_PPR_EXT 1

FDP_PPR_EXT.1,PhysicalPlatformResourceControls,requirestheTSFtodefinethehardwareresourcesthatGuestVMsmayalwaysaccess,mayneveraccess,andmayconditionallyaccessbasedonadministrativeconfiguration.

Management:FDP_PPR_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoconfigureVMaccesstophysicaldevices.

Audit:FDP_PPR_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. SuccessfulandfailedVMconnectionstophysicaldeviceswhereconnectionisgovernedbyconfigurablepolicy.

b. Securitypolicyviolations.

FDP_PPR_EXT.1PhysicalPlatformResourceControlsHierarchicalto:Noothercomponents.Dependenciesto:FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsFMT_SMR.1SecurityRoles

FDP_PPR_EXT.1.1TheTSFshallallowanauthorizedadministratortocontrolGuestVMaccesstothefollowingphysicalplatformresources:[assignment:listofphysicalplatformresourcestheVMMisabletocontrolaccessto].

FDP_PPR_EXT.1.2

TheTSFshallexplicitlydenyallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisexplicitlydenied]].

FDP_PPR_EXT.1.3

TheTSFshallexplicitlyallowallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisalwaysallowed]].

C.2.9FDP_RIP_EXTResidualInformationinMemory

FamilyBehaviorThisfamilydefinesrequirementsforensuringthatallocationofdatatoaGuestVMdoesnotcauseadisclosureofresidualdatafromapreviousVM.

ComponentLeveling

FDP_RIP_EXT12

FDP_RIP_EXT.1,ResidualInformationinMemory,requirestheTSFtoensurethatphysicalmemoryisclearedtozerospriortoitsallocationtoaGuestVM.

Management:FDP_RIP_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FDP_RIP_EXT.1Therearenoauditableeventsforeseen.

FDP_RIP_EXT.1ResidualInformationinMemoryHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FDP_RIP_EXT.1.1TheTSFshallensurethatanypreviousinformationcontentofphysicalmemoryisclearedpriortoallocationtoaGuestVM.FDP_RIP_EXT.2,ResidualInformationonDisk,requirestheTSFtoensurethatphysicaldiskstorageiscleareduponallocationtoaGuestVM.

Management:FDP_RIP_EXT.2Nospecificmanagementfunctionsareidentified.

Audit:FDP_RIP_EXT.2Therearenoauditableeventsforeseen.

FDP_RIP_EXT.2ResidualInformationonDiskHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FDP_RIP_EXT.2.1TheTSFshallensurethatanypreviousinformationcontentofphysicaldiskstorageisclearedtozerosuponallocationtoaGuestVM.

C.2.10FDP_VMS_EXTVMSeparation

FamilyBehaviorThisfamilydefinesrequirementsforthelogicalseparationofmultipleGuestVMsthataremanagedbythesameVirtualizationSystem.

ComponentLeveling

FDP_VMS_EXT 1

FDP_VMS_EXT.1,VMSeparation,requirestheTSFtomaintainlogicalseparationbetweenGuestVMsexcept

throughtheuseofspecificconfigurablemethods.

Management:FDP_VMS_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigureinter-VMdatasharing.

Audit:FDP_VMS_EXT.1Therearenoauditableeventsforeseen.

FDP_VMS_EXT.1VMSeparationHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FDP_VMS_EXT.1.1

TheVSshallprovidethefollowingmechanismsfortransferringdatabetweenGuestVMs:[selection:nomechanism,virtualnetworking,[assignment:otherinter-VMdatasharingmechanisms]

].

FDP_VMS_EXT.1.2TheTSFshallbydefaultenforceapolicyprohibitingsharingofdatabetweenGuestVMs.

FDP_VMS_EXT.1.3TheTSFshallallowAdministratorstoconfigurethemechanismsselectedinFDP_VMS_EXT.1.1toenableanddisablethetransferofdatabetweenGuestVMs.

FDP_VMS_EXT.1.4TheVSshallensurethatnoGuestVMisabletoreadortransferdatatoorfromanotherGuestVMexceptthroughthemechanismslistedinFDP_VMS_EXT.1.1.

C.2.11FDP_VNC_EXTVirtualNetworkingComponents

FamilyBehaviorThisfamilydefinesrequirementsforconfigurationofvirtualnetworkingbetweenGuestVMsthataremanagedbytheVirtualizationSystem.

ComponentLeveling

FDP_VNC_EXT 1

FDP_VNC_EXT.1,VirtualNetworkingComponents,requirestheTSFtosupporttheconfigurationofvirtualnetworkingbetweenGuestVMs.

Management:FDP_VNC_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoconfigurevirtualnetworksincludingVM.

Audit:FDP_VNC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. SuccessfulandfailedattemptstoconnectVMstovirtualandphysicalnetworkingcomponents.b. Securitypolicyviolations.c. Administratorconfigurationofinter-VMcommunicationschannelsbetweenVMs.

FDP_VNC_EXT.1VirtualNetworkingComponentsHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparationFMT_SMR.1SecurityRoles

FDP_VNC_EXT.1.1TheTSFshallallowAdministratorstoconfigurevirtualnetworkingcomponentstoconnectVMstoeachother

andtophysicalnetworks.

FDP_VNC_EXT.1.2TheTSFshallensurethatnetworktrafficvisibletoaGuestVMonavirtualnetwork--orvirtualsegmentofaphysicalnetwork--isvisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetworkorsegment.

C.2.12FIA_AFL_EXTAuthenticationFailureHandling

FamilyBehaviorThisfamilydefinesrequirementsfordetectionandpreventionofbruteforceauthenticationattempts.

ComponentLeveling

FIA_AFL_EXT 1

FIA_AFL_EXT.1,AuthenticationFailureHandling,requirestheTSFtolockanadministratoraccountwhenanexcessivenumberoffailedauthenticationattemptshavebeenobserveduntilsomerestorativeeventoccurstoenabletheaccount.

Management:FIA_AFL_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Abilitytoconfigurelockoutpolicythroughunsuccessfulauthenticationattempts.

Audit:FIA_AFL_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Unsuccessfulloginattemptslimitismetorexceeded.

FIA_AFL_EXT.1AuthenticationFailureHandlingHierarchicalto:Noothercomponents.Dependenciesto:FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationFMT_SMR.1SecurityRoles

FIA_AFL_EXT.1.1

TheTSFshalldetectwhen[selection:[assignment:apositiveintegernumber],anadministratorconfigurablepositiveintegerwithina[assignment:rangeofacceptablevalues]

]unsuccessfulauthenticationattemptsoccurrelatedtoAdministratorsattemptingtoauthenticateremotelyusing[selection:usernameandpassword,usernameandPIN].

FIA_AFL_EXT.1.2

Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmet,theTSFshall:[selection:preventtheoffendingAdministratorfromsuccessfullyestablishingaremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntil[assignment:actiontounlock]istakenbyanAdministrator,preventtheoffendingAdministratorfromsuccessfullyestablishingaremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntilanAdministrator-definedtimeperiodhaselapsed]

C.2.13FIA_PMG_EXTPasswordManagement

FamilyBehaviorThisfamilydefinesrequirementsforthecompositionofadministratorpasswords.

ComponentLeveling

FIA_PMG_EXT 1

FIA_PMG_EXT.1,PasswordManagement,requirestheTSFtoensurethatadministratorpasswordsmeetadefinedpasswordpolicy.

Management:FIA_PMG_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoconfigureAdministratorpasswordpolicy,includingtheabilitytochangedefaultauthorizationfactors.

Audit:FIA_PMG_EXT.1

Therearenoauditableeventsforeseen.

FIA_PMG_EXT.1PasswordManagementHierarchicalto:Noothercomponents.Dependenciesto:FIA_UIA_EXT.1AdministratorIdentificationandAuthentication

FIA_PMG_EXT.1.1TheTSFshallprovidethefollowingpasswordmanagementcapabilitiesforadministrativepasswords:

a. Passwordsshallbeabletobecomposedofanycombinationofupperandlowercasecharacters,digits,andthefollowingspecialcharacters:[selection:“!”,“@”,“#”,“$”,“%”,“^”,“&”,“*”,“(“,“)”,[assignment:othercharacters]]

b. Minimumpasswordlengthshallbeconfigurablec. Passwordsofatleast15charactersinlengthshallbesupported

C.2.14FIA_UIA_EXTAdministratorIdentificationandAuthentication

FamilyBehaviorThisfamilydefinesrequirementsforensuringthataccesstotheTSFisnotgrantedtounauthenticatedsubjects.

ComponentLeveling

FIA_UIA_EXT 1

FIA_UIA_EXT.1,AdministratorIdentificationandAuthentication,requirestheTSFtoensurethatallsubjectsattemptingtoperformTSF-mediatedactionsareidentifiedandauthenticatedpriortoauthorizingtheseactionstobeperformed.

Management:FIA_UIA_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FIA_UIA_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Administratorauthenticationattempts.b. Alluseoftheidentificationandauthenticationmechanism.c. Administratorsessionstarttimeandendtime.

FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationHierarchicalto:Noothercomponents.Dependenciesto:FIA_UAU.5MultipleAuthenticationMechanisms

FIA_UIA_EXT.1.1TheTSFshallrequireAdministratorstobesuccessfullyidentifiedandauthenticatedusingoneofthemethodsinFIA_UAU.5beforeallowinganyTSF-mediatedmanagementfunctiontobeperformedbythatAdministrator.

C.2.15FIA_X509_EXTX.509Certificate

FamilyBehaviorThisfamilydefinesrequirementsforthevalidationanduseofX.509certificates.

ComponentLeveling

FIA_X509_EXT12

FIA_X509_EXT.1,X.509CertificateValidation,defineshowtheTSFmustvalidateX.509certificatesthatarepresentedtoit.

Management:FIA_X509_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. Configurationofactiontotakeifunabletodeterminethevalidityofacertificate.

Audit:FIA_X509_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Failuretovalidateacertificate.

FIA_X509_EXT.1X.509CertificateValidationHierarchicalto:Noothercomponents.Dependenciesto:FPT_STM.1ReliableTimeStamps

FIA_X509_EXT.1.1TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:

RFC5280certificatevalidationandcertificatepathvalidationThecertificatepathmustterminatewithatrustedcertificateTheTOEshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidaterevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,aCRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:

CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1withOID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningPurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.

FIA_X509_EXT.1.2TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.FIA_X509_EXT.2,X.509CertificateAuthentication,requirestheTSFtoidentifythefunctionsforwhichitusesX.509certificatesforauthentication

Management:FIA_X509_EXT.2ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. ConfigurationofTSFbehaviorwhencertificaterevocationstatuscannotbedetermined.

Audit:FIA_X509_EXT.2Therearenoauditableeventsforeseen.

FIA_X509_EXT.2X.509CertificateAuthenticationHierarchicalto:Noothercomponents.Dependenciesto:FIA_X509_EXT.1X.509CertificateValidationFTP_ITC_EXT.1TrustedChannelCommunications

FIA_X509_EXT.2.1

TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationfor[assignment:securetransportprotocols],and[assignment:otheruses].

FIA_X509_EXT.2.2WhentheTSFcannotestablishaconnectiontodeterminethevalidityofacertificate,theTSFshall[assignment:actiontotake].

C.2.16FMT_SMO_EXTSeparationofManagementandOperationalNetworks

FamilyBehaviorThisfamilydefinesrequirementsforseparationofmanagementandoperationalnetworks.

ComponentLeveling

FMT_SMO_EXT 1

FMT_SMO_EXT.1,SeparationofManagementandOperationalNetworks,requirestheTSFtoseparateitsmanagementandoperationalnetworksthroughadefinedmechanism.

Management:FMT_SMO_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FMT_SMO_EXT.1Therearenoauditableeventsforeseen.

FMT_SMO_EXT.1SeparationofManagementandOperationalNetworksHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FMT_SMO_EXT.1.1

TheTSFshallsupporttheseparationofmanagementandoperationalnetworktrafficthrough[selection:separatephysicalnetworks,separatelogicalnetworks,trustedchannelsasdefinedinFTP_ITC_EXT.1,dataencryptionusinganalgorithmspecifiedinFCS_COP.1/UDE].

C.2.17FPT_DDI_EXTDeviceDriverIsolation

FamilyBehaviorThisfamilydefinesrequirementsforisolationofdevicedrivers

ComponentLeveling

FPT_DDI_EXT 1

FPT_DDI_EXT.1,DeviceDriverIsolation,requirestheTSFtoisolatedevicedriversforphysicaldevicesfromallvirtualdomains.

Management:FPT_DDI_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_DDI_EXT.1Therearenoauditableeventsforeseen.

FPT_DDI_EXT.1DeviceDriverIsolationHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_DDI_EXT.1.1TheTSFshallensurethatdevicedriversforphysicaldevicesareisolatedfromtheVMMandallotherdomains.

C.2.18FPT_DVD_EXTNon-ExistenceofDisconnectedVirtualDevices

FamilyBehaviorThisfamilydefinesrequirementsforensuringthatGuestVMscannotaccessthevirtualhardwareinterfacesdisabledordisconnectedvirtualdevices.

ComponentLeveling

FPT_DVD_EXT 1

FPT_DVD_EXT.1,Non-ExistenceofDisconnectedVirtualDevices,requirestheTSFtopreventGuestVMsfromaccessingvirtualdevicesthatitisnotconfiguredtohaveaccessto.

Management:FPT_DVD_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_DVD_EXT.1Therearenoauditableeventsforeseen.

FPT_DVD_EXT.1Non-ExistenceofDisconnectedVirtualDevicesHierarchicalto:Noothercomponents.Dependenciesto:FPT_VDP_EXT.1VirtualDeviceParameters

FPT_DVD_EXT.1.1TheTSFshallpreventGuestVMsfromaccessingvirtualdeviceinterfacesthatarenotpresentintheVM’scurrentvirtualhardwareconfiguration.

C.2.19FPT_EEM_EXTExecutionEnvironmentMitigations

FamilyBehaviorThisfamilydefinesrequirementsfortheTOE’scompatibilitywithplatformmechanismsthatpreventvulnerabilitiesthatallowfortheexecutionofunauthorizedcodeorbypassofaccessrestrictionsonmemoryorstorage.

ComponentLeveling

FPT_EEM_EXT 1

FPT_EEM_EXT.1,ExecutionEnvironmentMitigations,requirestheTSFtoidentifytheexecutionenvironment-basedprotectionmechanismsthatitcanuseforself-protection.

Management:FPT_EEM_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_EEM_EXT.1Therearenoauditableeventsforeseen.

FPT_EEM_EXT.1ExecutionEnvironmentMitigationsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_EEM_EXT.1.1TheTSFshalltakeadvantageofexecutionenvironment-basedvulnerabilitymitigationmechanismssupportedbythePlatformsuchas:[selection:

Addressspacerandomization,Memoryexecutionprotection(e.g.,DEP),Stackbufferoverflowprotection,Heapcorruptiondetection,[assignment:othermechanisms],Nomechanisms

]

C.2.20FPT_GVI_EXTGuestVMIntegrity

FamilyBehaviorThisfamilydefinesrequirementsfortheTOEtoasserttheintegrityofGuestVMs.

ComponentLeveling

FPT_GVI_EXT 1

FPT_GVI_EXT.1,GuestVMIntegrity,requirestheTSFtospecifythemechanismsitusestoverifytheintegrityofGuestVMs.

Management:FPT_GVI_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_GVI_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Actionstakenduetofailedintegritycheck.

FPT_GVI_EXT.1GuestVMIntegrityHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_GVI_EXT.1.1

TheTSFshallverifytheintegrityofGuestVMsthroughthefollowingmechanisms:[assignment:listofGuest

VMintegritymechanisms].

C.2.21FPT_HAS_EXTHardwareAssists

FamilyBehaviorThisfamilydefinesrequirementsforuseofhardware-basedvirtualizationassistsasperformanceenhancements.

ComponentLeveling

FPT_HAS_EXT 1

FPT_HAS_EXT.1,HardwareAssists,requirestheTSFtoidentifythehardwareassistsitusestoreduceTOEcomplexity.

Management:FPT_HAS_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_HAS_EXT.1Therearenoauditableeventsforeseen.

FPT_HAS_EXT.1HardwareAssistsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_HAS_EXT.1.1

TheVMMshalluse[assignment:listofhardware-basedvirtualizationassists]toreduceoreliminatetheneedforbinarytranslation.

FPT_HAS_EXT.1.2

TheVMMshalluse[assignment:listofhardware-basedvirtualizationmemory-handlingassists]toreduceoreliminatetheneedforshadowpagetables.

C.2.22FPT_HCL_EXTHypercallControls

FamilyBehaviorThisfamilydefinesrequirementsforcontrolofHypercallinterfaces.

ComponentLeveling

FPT_HCL_EXT 1

FPT_HCL_EXT.1,HypercallControls,requirestheTSFtoimplementappropriateparametervalidationtoprotecttheVMMfromunauthorizedaccessthroughahypercallinterface.

Management:FPT_HCL_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_HCL_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Invalidparametertohypercalldetected.b. Hypercallinterfaceinvokedwhendocumentedpreconditionsarenotmet.

FPT_HCL_EXT.1HypercallControlsHierarchicalto:Noothercomponents.Dependenciesto:FMT_SMR.1SecurityRoles

FPT_HCL_EXT.1.1TheTSFshallvalidatetheparameterspassedtoHypercallinterfacespriortoexecutionoftheVMMfunctionalityexposedbyeachinterface.

C.2.23FPT_IDV_EXTSoftwareIdentificationandVersions

FamilyBehavior

ThisfamilydefinesrequirementsfortheuseofSWIDtagstoidentifytheTOE.

ComponentLeveling

FPT_IDV_EXT 1

FPT_IDV_EXT.1,SoftwareIdentificationandVersions,requirestheTSFtoidentifyitselfusingSWIDtags.

Management:FPT_IDV_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_IDV_EXT.1Therearenoauditableeventsforeseen.

FPT_IDV_EXT.1SoftwareIdentificationandVersionsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_IDV_EXT.1.1TheTSFshallincludesoftwareidentification(SWID)tagsthatcontainaSoftwareIdentityelementandanEntityelementasdefinedinISO/IEC19770-2:2009.

FPT_IDV_EXT.1.2TheTSFshallstoreSWIDsina.swidtagfileasdefinedinISO/IEC19770-2:2009.

C.2.24FPT_INT_EXTSupportforIntrospection

FamilyBehaviorThisfamilydefinesrequirementsforsupportingVMintrospection.

ComponentLeveling

FPT_INT_EXT 1

FPT_INT_EXT.1,SupportforIntrospection,requirestheTSFtosupportintrospection.

Management:FPT_INT_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_INT_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Introspectioninitiated/enabled.

FPT_INT_EXT.1SupportforIntrospectionHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_INT_EXT.1.1TheTSFshallsupportamechanismforpermittingtheVMMorprivilegedVMstoaccesstheinternalsofanotherVMforpurposesofintrospection.

C.2.25FPT_ML_EXTMeasuredLaunchofPlatformandVMM

FamilyBehaviorThisfamilydefinesrequirementsformeasuredlaunch.

ComponentLeveling

FPT_ML_EXT 1

FPT_ML_EXT.1,MeasuredLaunchofPlatformandVMM,requirestheTSFtosupportameasuredlaunchofitself.

Management:FPT_ML_EXT.1

Nospecificmanagementfunctionsareidentified.

Audit:FPT_ML_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Integritymeasurementscollected.

FPT_ML_EXT.1MeasuredLaunchofPlatformandVMMHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FPT_ML_EXT.1.1TheTSFshallsupportameasuredlaunchoftheVirtualizationSystem.MeasuredcomponentsoftheVSshallincludethestaticexecutableimageoftheHypervisorand:[selection:

StaticexecutableimagesoftheManagementSubsystem,[assignment:listof(staticimagesof)ServiceVMs],[assignment:listofconfigurationfiles],noothercomponents

]

FPT_ML_EXT.1.2TheTSFshallmakethemeasurementsselectedinFPT_ML_EXT.1.1availabletotheManagementSubsystem.

C.2.26FPT_RDM_EXTRemovableDevicesandMedia

FamilyBehaviorThisfamilydefinesrequirementsforenforcementofdomainisolationwhenremovabledevicescanbeconnectedtoadomain.

ComponentLeveling

FPT_RDM_EXT 1

FPT_RDM_EXT.1,RemovableDevicesandMedia,requirestheTSFtoensurethatVMsarenotinadvertentlygivenaccesstoinformationindifferentdomainsbecauseremovablemediaissimultaneouslyaccessiblefromseparatedomains.

Management:FPT_RDM_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

Abilitytoconfigureremovablemediapolicy.Abilitytoconnect/disconnectremovabledevicesto/fromaVM.

Audit:FPT_RDM_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Connection/disconnectionofremovablemediaordeviceto/fromaVM.b. Ejection/insertionofremovablemediaordevicefrom/toanalreadyconnectedVM.

FPT_RDM_EXT.1RemovableDevicesandMediaHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation

FPT_RDM_EXT.1.1TheTSFshallimplementcontrolsforhandlingthetransferofvirtualandphysicalremovablemediaandvirtualandphysicalremovablemediadevicesbetweeninformationdomains.

FPT_RDM_EXT.1.2

TheTSFshallenforcethefollowingruleswhen[assignment:virtualorphysicalremovablemediaandvirtualorphysicalremovablemediadevices]areswitchedbetweeninformationdomains,then[selection:

theAdministratorhasgrantedexplicitaccessforthemediaordevicetobeconnectedtothereceivingdomain,themediainadevicethatisbeingtransferredisejectedpriortothereceivingdomainbeingallowedaccesstothedevice,theuserofthereceivingdomainexpresslyauthorizestheconnection,thedeviceormediathatisbeingtransferredispreventedfrombeingaccessedbythereceivingdomain

]

C.2.27FPT_TUD_EXTTrustedUpdates

FamilyBehaviorThisfamilydefinesrequirementsforensuringthatupdatestotheTOEsoftwareandfirmwarearegenuine.

ComponentLeveling

FPT_TUD_EXT12

FPT_TUD_EXT.1,TrustedUpdatestotheVirtualizationSystem,requirestheTSFtodefinethemechanismforapplyingandverifyingTOEupdates.

Management:FPT_TUD_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

a. AbilitytoupdatetheVirtualizationSystem.

Audit:FPT_TUD_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Initiationofupdate.b. Failureofsignatureverification.

FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemHierarchicalto:Noothercomponents.Dependenciesto:FCS_COP.1CryptographicOperation

FPT_TUD_EXT.1.1TheTSFshallprovideadministratorstheabilitytoquerythecurrentlyexecutedversionoftheTOEfirmware/softwareaswellasthemostrecentlyinstalledversionoftheTOEfirmware/software.

FPT_TUD_EXT.1.2TheTSFshallprovideadministratorstheabilitytomanuallyinitiateupdatestoTOEfirmware/softwareand[selection:automaticupdates,nootherupdatemechanism].

FPT_TUD_EXT.1.3

TheTSFshallprovidemeanstoauthenticatefirmware/softwareupdatestotheTOEusinga[assignment:integrityaction]priortoinstallingthoseupdates.FPT_TUD_EXT.2,TrustedUpdateBasedonCertificates,requirestheTSFtovalidateupdatesusingacodesigningcertificate.

Management:FPT_TUD_EXT.2Nospecificmanagementfunctionsareidentified.

Audit:FPT_TUD_EXT.2Therearenoauditableeventsforeseen.

FPT_TUD_EXT.2TrustedUpdateBasedonCertificatesHierarchicalto:Noothercomponents.Dependenciesto:FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemFIA_X509_EXT.1X.509ValidationFIA_X509_EXT.2X.509Authentication

FPT_TUD_EXT.2.1TheTSFshallnotinstallanupdateifthecodesigningcertificateisdeemedinvalid.

C.2.28FPT_VDP_EXTVirtualDeviceParameters

FamilyBehaviorThisfamilydefinesrequirementsforprocessingdatatransmittedtotheTOEfromaGuestVM.

ComponentLeveling

FPT_VDP_EXT 1

FPT_VDP_EXT.1,VirtualDeviceParameters,requirestheTSFtointerfacewithGuestVMsthroughvirtualhardwareabstractionssothatanydatatransmittedtotheTOEfromaGuestVMcanbevalidatedaswell-formed.

Management:FPT_VDP_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_VDP_EXT.1Therearenoauditableeventsforeseen.

FPT_VDP_EXT.1VirtualDeviceParametersHierarchicalto:Noothercomponents.Dependenciesto:FPT_VIV_EXT.1VMMIsolationfromVMs

FPT_VDP_EXT.1.1TheTSFshallprovideinterfacesforvirtualdevicesimplementedbytheVMMaspartofthevirtualhardwareabstraction.

FPT_VDP_EXT.1.2TheTSFshallvalidatetheparameterspassedtothevirtualdeviceinterfacepriortoexecutionoftheVMMfunctionalityexposedbythoseinterfaces.

C.2.29FPT_VIV_EXTVMMIsolationfromVMs

FamilyBehaviorThisfamilydefinesrequirementsforensuringtheTOEislogicallyisolatedfromitsGuestVMs

ComponentLeveling

FPT_VIV_EXT 1

FPT_VIV_EXT.1,VMMIsolationfromVMs,requirestheTSFtoensurethatthereisnomechanismbywhichaGuestVMcaninterfacewiththeTOE,otherVMs,orthehardwareplatformwithoutauthorization.

Management:FPT_VIV_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FPT_VIV_EXT.1Therearenoauditableeventsforeseen.

FPT_VIV_EXT.1VMMIsolationfromVMsHierarchicalto:Noothercomponents.Dependenciesto:FDP_PPR_EXT.1PhysicalPlatformResourceControlsFDP_VMS_EXT.1VMSeparation

FPT_VIV_EXT.1.1TheTSFmustensurethatsoftwarerunninginaVMisnotabletodegradeordisruptthefunctioningofotherVMs,theVMM,orthePlatform.

FPT_VIV_EXT.1.2TheTSFmustensurethataGuestVMisunabletoinvokeplatformcodethatrunsataprivilegelevelequaltoorexceedingthatoftheVMMwithoutinvolvementoftheVMM.

C.2.30FTP_ITC_EXTTrustedChannelCommunications

FamilyBehaviorThisfamilydefinesrequirementsforprotectionofdataintransitbetweentheTOEanditsoperationalenvironment.

ComponentLeveling

FTP_ITC_EXT 1

FTP_ITC_EXT.1,TrustedChannelCommunications,requirestheTSFtoimplementoneormorecryptographicprotocolstosecureconnectivitybetweentheTSFandvariousexternalentities.

Management:FTP_ITC_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FTP_ITC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

a. Initiationofthetrustedchannel.b. Terminationofthetrustedchannel.c. Failuresofthetrustedpathfunctions.

FTP_ITC_EXT.1TrustedChannelCommunicationsHierarchicalto:Noothercomponents.Dependenciesto:FAU_STG_EXT.1Off-LoadingofAuditData

FTP_ITC_EXT.1.1

TheTSFshalluse[assignment:transportmechanism]and[assignment:authenticationmechanism]toprovideatrustedcommunicationchannelbetweenitself,andauditservers(asrequiredbyFAU_STG_EXT.1),and

[assignment:remoteentities]thatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafromdisclosureanddetectionofmodificationofthecommunicateddata.

C.2.31FTP_UIF_EXTUserInterface

FamilyBehaviorThisfamilydefinesrequirementsforunambiguouslyidentifyingthespecificGuestVMthataTOEuserisinteractingwithatanygivenpointintime.

ComponentLeveling

FTP_UIF_EXT12

FTP_UIF_EXT.1,UserInterface:I/OFocus,requirestheTSFtounambiguouslyidentifytheGuestVMthathasthecurrentinputfocusforinputperipherals.

Management:FTP_UIF_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FTP_UIF_EXT.1Therearenoauditableeventsforeseen.

FTP_UIF_EXT.1UserInterface:I/OFocusHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies

FTP_UIF_EXT.1.1TheTSFshallindicatetouserswhichVM,ifany,hasthecurrentinputfocus.FTP_UIF_EXT.2,UserInterface:IdentificationofVM,requirestheTOEtoperformpoweronself-teststoverifyitsfunctionalityandtheintegrityofitsstoredexecutablecode.

Management:FTP_UIF_EXT.2Nospecificmanagementfunctionsareidentified.

Audit:FTP_UIF_EXT.2Therearenoauditableeventsforeseen.

FTP_UIF_EXT.2UserInterface:IdentificationofVMHierarchicalto:Noothercomponents.

Dependenciesto:Nodependencies

FTP_UIF_EXT.2.1TheTSFshallsupporttheuniqueidentificationofaVM’soutputdisplaytousers.

AppendixD-ImplicitlySatisfiedRequirementsThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisPP.TheserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainstthePPprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated..Table9:ImplicitlySatisfiedRequirements

Requirement RationaleforSatisfaction

FCS_CKM.4–CryptographicKeyDestruction

FCS_CKM.1hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.


FCS_CKM.2hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.


EachiterationofFCS_COP.1hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.

FIA_UID.1–TimingofIdentification

FMT_SMR.2hasadependencyonFIA_UID.1.TheextendedSFRFIA_UID_EXT.1expressesthisdependencybyalsorequiringuseridentificationforuseoftheTOE.

FPT_STM.1–ReliableTimeStamps

FAU_GEN.1hasadependencyonFPT_STM.1.WhilenotexplicitlystatedinthePP,itisassumedthatthiswillbeprovidedbytheunderlyinghardwareplatformonwhichtheTOEisinstalled.ThisisbecausetheTOEisinstalledasasoftwareorfirmwareproductthatrunsongeneral-purposecomputinghardwaresoahardwareclockisassumedtobeavailable.

FPT_STM.1–ReliableTimeStamps

FIA_X509_EXT.1hasadependencyonFPT_STM.1.WhilenotexplicitlystatedinthePP,itisassumedthatthiswillbeprovidedbytheunderlyinghardwareplatformonwhichtheTOEisinstalled.ThisisbecausetheTOEisinstalledasasoftwareorfirmwareproductthatrunsongeneral-purposecomputinghardwaresoahardwareclockisassumedtobeavailable.

AppendixE-EntropyDocumentationandAssessment

E.1DesignDescriptionDocumentationshallincludethedesignoftheentropysourceasawhole,includingtheinteractionofallentropysourcecomponents.Itwilldescribetheoperationoftheentropysourcetoincludehowitworks,howentropyisproduced,andhowunprocessed(raw)datacanbeobtainedfromwithintheentropysourcefortestingpurposes.Thedocumentationshouldwalkthroughtheentropysourcedesignindicatingwheretherandomcomesfrom,whereitispassednext,anypost-processingoftherawoutputs(hash,XOR,etc.),if/whereitisstored,andfinally,howitisoutputfromtheentropysource.Anyconditionsplacedontheprocess(e.g.,blocking)shouldalsobedescribedintheentropysourcedesign.Diagramsandexamplesareencouraged.Thisdesignmustalsoincludeadescriptionofthecontentofthesecurityboundaryoftheentropysourceandadescriptionofhowthesecurityboundaryensuresthatanadversaryoutsidetheboundarycannotaffecttheentropyrate.

E.2EntropyJustificationThereshouldbeatechnicalargumentforwheretheunpredictabilityinthesourcecomesfromandwhythereisconfidenceintheentropysourceexhibitingprobabilisticbehavior(anexplanationoftheprobabilitydistributionandjustificationforthatdistributiongiventheparticularsourceisonewaytodescribethis).ThisargumentwillincludeadescriptionoftheexpectedentropyrateandexplainhowyouensurethatsufficiententropyisgoingintotheTOErandomizerseedingprocess.Thisdiscussionwillbepartofajustificationforwhytheentropysourcecanbereliedupontoproducebitswithentropy.

E.3OperatingConditionsDocumentationwillalsoincludetherangeofoperatingconditionsunderwhichtheentropysourceisexpectedtogeneraterandomdata.Itwillclearlydescribethemeasuresthathavebeentakeninthesystemdesigntoensuretheentropysourcecontinuestooperateunderthoseconditions.Similarly,documentationshalldescribetheconditionsunderwhichtheentropysourceisknowntomalfunctionorbecomeinconsistent.Methodsusedtodetectfailureordegradationofthesourceshallbeincluded.

E.4HealthTestingMorespecifically,allentropysourcehealthtestsandtheirrationalewillbedocumented.Thiswillincludeadescriptionofthehealthtests,therateandconditionsunderwhicheachhealthtestisperformed(e.g.,atstartup,continuously,oron-demand),theexpectedresultsforeachhealthtest,andrationaleindicatingwhyeachtestisbelievedtobeappropriatefordetectingoneormorefailuresintheentropysource.

AppendixF-EquivalencyGuidelines

F.1IntroductionThepurposeofequivalenceinPP-basedevaluationsistofindabalancebetweenevaluationrigorandcommercialpracticability--toensurethatevaluationsmeetcustomerexpectationswhilerecognizingthatthereislittletobegainedfromrequiringthateveryvariationinaproductorplatformbefullytested.IfaproductisfoundtobecompliantwithaPPononeplatform,thenallequivalentproductsonequivalentplatformsarealsoconsideredtobecompliantwiththePP.

AVendorcanmakeaclaimofequivalenceiftheVendorbelievesthataparticularinstanceoftheirProductimplementsPP-specifiedsecurityfunctionalityinawayequivalenttotheimplementationofthesamefunctionalityonanotherinstanceoftheirProductonwhichthefunctionalitywastested.TheProductinstancescandifferinversionnumberorfeaturelevel(model),ortheinstancesmayrunondifferentplatforms.Equivalencycanbeusedtoreducethetestingrequiredacrossclaimedevaluatedconfigurations.ItcanalsobeusedduringAssuranceMaintenancetoreducetestingneededtoaddmoreevaluatedconfigurationstoacertification.

TheseequivalencyguidelinesdonotreplaceAssuranceMaintenancerequirementsorNIAPPolicy#5requirementsforCAVPcertificates.Normayequivalencybeusedtoleverageevaluationswithexpiredcertifications.

ThisdocumentprovidesguidancefordeterminingwhetherProductsandPlatformsareequivalentforpurposesofevaluationagainsttheProtectionProfileforVirtualization(VPP)wheninstantiatedwitheithertheClientorServerPP-Module.

Equivalencehastwoaspects:

1. ProductEquivalence:ProductsmaybeconsideredequivalentiftherearenodifferencesbetweenProductModelsandProductVersionswithrespecttoPP-specifiedsecurityfunctionality.

2. PlatformEquivalence:PlatformsmaybeconsideredequivalentiftherearenosignificantdifferencesintheservicestheyprovidetotheProduct--orinthewaytheplatformsprovidethoseservices--withrespecttoPP-specifiedsecurityfunctionality.

TheequivalencydeterminationismadeinaccordancewiththeseguidelinesbytheValidatorandSchemeusinginformationprovidedbytheEvaluator/Vendor.

F.2ApproachtoEquivalencyAnalysisTherearetwoscenariosforperformingequivalencyanalysis.Oneiswhenaproducthasbeencertifiedandthevendorwantstoshowthatalaterproductshouldbeconsideredcertifiedduetoequivalencewiththeearlierproduct.Theotheriswhenmultipleproductvariantsaregoingthoughevaluationtogetherandthevendorwouldliketoreducetheamountoftestingthatmustbedone.Thebasicrulesfordeterminingequivalencearethesameinbothcases.Butthereisoneadditionalconsiderationthatappliestoequivalencewithpreviouslycertifiedproducts.Thatis,theproductwithwhichequivalenceisbeingclaimedmusthaveavalidcertificationinaccordancewithschemerulesandtheAssuranceMaintenanceprocessmustbefollowed.Ifaproduct’scertificationhasexpired,thenequivalencecannotbeclaimedwiththatproduct.

Whenperformingequivalencyanalysis,theEvaluator/VendorshouldfirstusethefactorsandguidelinesforProductModelequivalencetodeterminethesetofProductModelstobeevaluated.Ingeneral,ProductModelsthatdonotdifferinPP-specifiedsecurityfunctionalityareconsideredequivalentforpurposesofevaluationagainsttheVPP.

IfmultiplerevisionlevelsofProductModelsaretobeevaluated--ortodeterminewhetherarevisionofanevaluatedproductneedsre-evaluation--theEvaluator/VendorandValidatorshouldusethefactorsandguidelinesforProductVersionequivalencetodeterminewhetherProductVersionsareequivalent.

HavingdeterminedthesetofProductModelsandVersionstobeevaluated,thenextstepistodeterminethesetofPlatformsthattheProductsmustbetestedon.

Eachnon-equivalentProductforwhichcomplianceisclaimedmustbefullytestedoneachnon-equivalentplatformforwhichcomplianceisclaimed.Fornon-equivalentProductsonequivalentplatforms,onlythedifferencesthataffectPP-specifiedsecurityfunctionalitymustbetestedforeachproduct.

IfthesetofequivalentProductsincludesonlybare-metalinstallations,thentheequivalencyanalysisiscomplete.Butifanymembersofthesetincludehostedinstallationsorinstallationsthatintegratewithanexistinghostoperatingsystemorcontroldomain,thensoftwareplatformequivalencemustbetakenintoconsideration.TheEvaluator/VendorandValidatorshouldusethefactorsandguidanceforsoftwareplatformequivalencetodeterminewhetherdifferentmodelsorversionsofhostorcontroldomainoperatingsystemsrequireseparatetesting.

“DifferencesinPP-SpecifiedSecurityFunctionality”DefinedIfPP-specifiedsecurityfunctionalityisimplementedbytheTOE,thendifferencesintheactualimplementationbetweenversionsorproductmodelsbreakequivalenceforthatfeature.Likewise,iftheTOEimplementsthefunctionalityinoneversionormodelandthefunctionalityisimplementedbytheplatforminanotherversionormodel,thenequivalenceisbroken.Ifthefunctionalityisimplementedbytheplatforminmultiplemodelsorversionsonequivalentplatforms,thenthefunctionalityisconsidereddifferentiftheproductinvokestheplatformdifferentlytoperformthefunction.

F.3SpecificGuidanceforDeterminingProductModelEquivalenceProductModelequivalenceattemptstodeterminewhetherdifferentfeaturelevelsofthesameproductacrossaproductlineareequivalentforpurposesofPPtesting.Forexample,ifaproducthasa“basic”editionandan“enterprise”edition,isitnecessarytotestbothmodels?Ordoestestingonemodelprovidesufficientconfidencethatbothmodelsarecompliant?

Table10,below,liststhefactorsfordeterminingProductModelequivalence.

Table10:FactorsforDeterminingProductModelEquivalence

Factor Same/Different Guidance

TargetPlatform

Different ProductModelsthatvirtualizedifferentinstructionsets(e.g.,x86,ARM,POWER,SPARC,MIPS)arenotequivalent.

InstallationTypes

Different IfaProductcanbeinstalledeitheronbaremetalorontoanoperatingsystemandthevendorwantstoclaimthatbothinstallationtypesconstituteasingleModel,thenseetheguidancefor“PP-SpecifiedFunctionality,”below.

SoftwarePlatform

Different ProductModelsthatrunonsubstantiallydifferentsoftwareenvironments,suchasdifferenthostoperatingsystems,arenotequivalent.Modelsthatinstallondifferentversionsofthesamesoftwareenvironmentmaybeequivalentdependingonthebelowfactors.

PP-SpecifiedFunctionality

Same IfthedifferencesbetweenModelsaffectonlynon-PP-specifiedfunctionality,thentheModelsareequivalent.

Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferencesbetweenModels,thentheModelsarenotequivalentandmustbetestedseparately.Itisnecessarytotestonlythefunctionalityaffectedbythesoftwaredifferences.Ifonlydifferencesaretested,thenthedifferencesmustbeenumerated,andforeachdifferencetheVendormustprovideanexplanationofwhyeachdifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductModelsarefullytestedseparately,thenthereisnoneedtodocumentthedifferences.

F.4SpecificGuidanceforDeterminingProductVersionEquivalenceIncasesofversionequivalence,differencesareexpressedintermsofchangesimplementedinrevisionsofanevaluatedProduct.Ingeneral,versionsareequivalentifthechangeshavenoeffectonanysecurity-relevantclaimsabouttheTOEorevaluationevidence.Non-security-relevantchangestoTOEfunctionalityortheadditionofnon-security-relevantfunctionalitydoesnotaffectequivalence.

Table11:FactorsforDeterminingProductVersionEquivalence

Factor Same/Different Guidance

ProductModels

Different VersionsofdifferentProductModelsarenotequivalentunlesstheModelsareequivalentasdefinedinSection3.


Same Ifthedifferencesaffectonlynon-PP-specifiedfunctionality,thentheVersionsareequivalent.

Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferences,thentheVersionsareconsideredtobenotequivalentandmustbetestedseparately.Itisnecessaryonlytotestthefunctionalityaffectedbythechanges.Ifonlythedifferencesaretested,thenforeachdifferencetheVendormustprovideanexplanationofwhythedifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductVersionsarefully

testedseparately,thenthereisnoneedtodocumentthedifferences.

F.5SpecificGuidanceforDeterminingPlatformEquivalencePlatformequivalenceisusedtodeterminetheplatformsthataproductmustbetestedon.Theseguidelinesaredividedintosectionsfordetermininghardwareequivalenceandsoftware(hostOS/controldomain)equivalence.IftheProductisinstalledontobaremetal,thenonlyhardwareequivalenceisrelevant.IftheProductisinstalledontoanOS—orisintegratedintoanOS—thenbothhardwareandsoftwareequivalencearerequired.Likewise,iftheProductcanbeinstalledeitheronbaremetaloronanoperatingsystem,bothhardwareandsoftwareequivalencearerelevant.

F.5.1HardwarePlatformEquivalenceIfaVirtualizationSolutionrunsdirectlyonhardwarewithoutanoperatingsystem,thenplatformequivalenceisbasedprimarilyonprocessorarchitectureandinstructionsets.

Platformswithdifferentprocessorarchitecturesandinstructionsetsarenotequivalent.Thisisprobablynotanissuebecausethereislikelytobeadifferentproductmodelfordifferenthardwareenvironments.

Equivalencyanalysisbecomesimportantwhencomparingplatformswiththesameprocessorarchitecture.ProcessorswiththesamearchitecturethathaveinstructionsetsthataresubsetsorsupersetsofeachotherarenotdisqualifiedfrombeingequivalentforpurposesofaVPPevaluation.IftheVStakesthesamecodepathswhenexecutingPP-specifiedsecurityfunctionalityondifferentprocessorsofthesamefamily,thentheprocessorscanbeconsideredequivalentwithrespecttothatapplication.

Forexample,ifaVSfollowsonecodepathonplatformsthatsupporttheAES-NIinstructionandanotheronplatformsthatdonot,thenthosetwoplatformsarenotequivalentwithrespecttothatVSfunctionality.ButiftheVSfollowsthesamecodepathwhetherornottheplatformsupportsAES-NI,thentheplatformsareequivalentwithrespecttothatfunctionality.

TheplatformsareequivalentwithrespecttotheVSiftheplatformsareequivalentwithrespecttoallPP-specifiedsecurityfunctionality.

Table12:FactorsforDeterminingHardwarePlatformEquivalence

Factor Same/Different/None Guidance

PlatformArchitectures

Different Hardwareplatformsthatimplementdifferentprocessorarchitecturesandinstructionsetsarenotequivalent.


Same Forplatformswiththesameprocessorarchitecture,theplatformsareequivalentwithrespecttotheapplicationifexecutionofallPP-specifiedsecurityfunctionalityfollowsthesamecodepathonbothplatforms.

F.5.2SoftwarePlatformEquivalenceIftheProductinstallsontoorintegrateswithanoperatingsystemthatisnotinstalledwiththeproduct--andthusisnotpartoftheTOE--thentheProductmustbetestedonallnon-equivalentSoftwarePlatforms.

TheguidanceforProductModel(Section3)specifiesthatProductsintendedforuseonsubstantiallydifferentoperatingsystems(e.g.,Windowsvs.Linuxvs.SunOS)aredifferentModels.Therefore,platformsrunningsubstantiallydifferentoperatingsystemsarenotequivalent.Likewise,operatingsystemswithdifferentmajorversionnumbersarenotequivalentforpurposesofthisPP.

Asaresult,SoftwarePlatformequivalenceislargelyconcernedwithrevisionsandvariationsofoperatingsystemsthataresubstantiallythesame(e.g.,differentversionsandrevisionlevelsofWindowsorLinux).

Table13:FactorsforDeterminingSoftwarePlatformEquivalence

Factor Same/Different/None Guidance

PlatformType/Vendor

Different Operatingsystemsthataresubstantiallydifferentorcomefromdifferentvendorsarenotequivalent.

PlatformVersions

Different Operatingsystemsarenotequivalentiftheyhavedifferentmajorversionnumbers.


Same Ifthedifferencesbetweensoftwareplatformmodelsorversionsaffectonlynon-PP-specifiedfunctionality,thenthesoftwareplatformsareequivalent.

Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferencesbetweensoftwareplatformversionsormodels,thenthesoftwareplatformsarenotconsideredequivalentandmustbetestedseparately.Itisnecessaryonlytotestthefunctionalityaffectedbythechanges.Ifonlythedifferencesaretested,thenforeachdifferencetheVendormustprovideanexplanationofwhythedifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductsarefullytestedoneachplatform,thenthereisnoneedtodocumentthedifferences.

F.6LevelofSpecificityforTestedandClaimedEquivalentConfigurationsInordertomakeequivalencydeterminations,thevendorandevaluatormustagreeontheequivalencyclaims.TheymustthenprovidetheschemewithsufficientinformationabouttheTOEinstancesandplatformsthatwereevaluated,andtheTOEinstancesandplatformsthatareclaimedtobeequivalent.

TheSTmustdescribeallconfigurationsevaluateddowntoprocessormanufacturer,modelnumber,andmicroarchitectureversion.

TheinformationregardingclaimedequivalentconfigurationsdependsontheplatformthattheVSwasdevelopedforandrunson.

Bare-MetalVS

ForVSesthatrunwithoutanoperatingsystemonbare-metalorvirtualbare-metal,theclaimedconfigurationmustdescribetheplatformdowntothespecificprocessormanufacturer,modelnumber,andmicroarchitectureversion.TheVendormustdescribethedifferencesintheTOEwithrespecttoPP-specifiedsecurityfunctionalityandhowtheTOEoperatesdifferentlytoleverageplatformdifferences(e.g.,instructionsetextensions)inthetestedconfigurationversustheclaimedequivalentconfiguration.

VSwithOSSupport

ForVSesthatrunonanOShostorwiththeassistanceofanOS,thentheclaimedconfigurationmustdescribetheOSdowntoitsspecificmodelandversionnumber.TheVendormustdescribethedifferencesintheTOEwithrespecttoPP-specifiedsecurityfunctionalityandhowtheTOEfunctionsdifferentlytoleverageplatformdifferencesinthetestedconfigurationversustheclaimedequivalentconfiguration.

AppendixG-ValidationGuidelinesThisappendixcontains"rules"specifiedbythePPAuthorsthatindicatewhethercertainselectionsrequirethemakingofotherselectionsinorderforaSecurityTargettobevalid.Forexample,selecting"HMAC-SHA-3-384"asasupportedkeyed-hashalgorithmwouldrequirethat"SHA-3-384"beselectedasahashalgorithm.Thisappendixcontainsonlysuch"rules"ashavebeendefinedbythePPAuthors,anddoesnotnecessarilyrepresentallsuchdependenciesinthedocument.

Rule#1If"HMAC-SHA-1"isselectedinFCS_COP.1/KeyedHashthen"SHA-1"mustbeselectedinFCS_COP.1.1/Hash.

IF FromFCS_COP.1.1/KeyedHash:*selectHMAC-SHA-1

THEN FromFCS_COP.1.1/Hash:*selectSHA-1

Rule#2If"HMAC-SHA-256"isselectedinFCS_COP.1/KeyedHashthen"SHA-256"mustbeselectedinFCS_COP.1/Hash.









Rule#5If"SHA-3-224"isselectedinFCS_COP.1/KeyedHashthen"SHA-3-224"mustbeselectedinFCS_COP.1/Hash.

IF FromFCS_COP.1.1/KeyedHash:*selectSHA-3-224

THEN FromFCS_COP.1.1/Hash:*selectSHA-3-224










Rule#9IftheSSHPackageisincludedintheSTthen"AES-CTR(asdefinedinNISTSP800-38A)mode,""128-bitkeysizes,"and"256-bitkeysizes"mustbeselectedinFCS_COP.1/UDE.

IF OR

FromFTP_ITC_EXT.1.1:*selectSSHasconformingtotheFunctionalPackageforSecureShell

FromFIA_X509_EXT.2.1:*selectSSH

THENFromFCS_COP.1.1/UDE:*selectAES-CTR(asdefinedinNISTSP800-38A)mode*select128-bitkeysizes*select256-bitkeysizes

Rule#10IftheTOEimplementsIPSecthen"AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)mode,""AES-GCM(asdefinedinNISTSP800-38D),""128-bitkeysizes,"and"256-bitkeysizes"mustbeselectedinFCS_COP.1/UDE.

IF FromFTP_ITC_EXT.1.1:*selectIPsecasconformingtoFCS_IPSEC_EXT.1

FromFCS_COP.1.1/UDE:


THEN*selectAES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)mode*selectAES-GCM(asdefinedinNISTSP800-38D)*select128-bitkeysizes*select256-bitkeysizes

Rule#11If"directory-based"isselectedanywhereinFIA_UAU.5.1then"Abilitytoconfigurename/addressofdirectoryservertobindwith"mustbeselectedintheClientorServermodulemanagementfunctiontable.

IF OR

FromFIA_UAU.5.1:*select[selection:local,directory-based]authenticationbasedonX.509certificates*selectdirectory-based

FromFIA_UAU.5.1:*select[selection:local,directory-based]authenticationbasedonanSSHpublickeycredential*selectdirectory-based

FromFIA_UAU.5.1:*select[selection:local,directory-based]authenticationbasedonusernameandpassword*selectdirectory-based

THENFromthePP-ModuleforServerVirtualization:FromFMT_MOF_EXT.1.2:*selectAbilitytoconfigurename/addressofdirectoryservertobindwith

Rule#12If"authenticationbasedonusernameandpassword"isselectedinFIA_UAU.5.1then"AbilitytoconfigureAdministratorpasswordpolicyasdefinedinFIA_PMG_EXT.1"mustbeselectedintheClientorServermodulemanagementfunctiontable.

IF FromFIA_UAU.5.1:*select[selection:local,directory-based]authenticationbasedonusernameandpassword

THEN OR

FromthePP-ModuleforServerVirtualization:FromFMT_MOF_EXT.1.2:*selectAbilitytoconfigureAdministratorpasswordpolicyasdefinedinFIA_PMG_EXT.1

FromthePP-ModuleforClientVirtualization:FromFMT_MOF_EXT.1.2:*selectAbilitytoconfigureAdministratorpasswordpolicyasdefinedinFIA_PMG_EXT.1

Rule#13If"allowtheadministratortochoosewhethertoacceptthecertificateinthesecases"isselectedthen"Abilitytoconfigureactiontakenifunabletodeterminethevalidityofacertificate"intheClientorServermodulemanagementfunctiontablemustalsobeselected.

IF FromFIA_X509_EXT.2.2:*selectallowtheadministratortochoosewhethertoacceptthecertificateinthesecases

THEN OR

FromthePP-ModuleforClientVirtualization:FromFMT_MOF_EXT.1.2:*selectAbilitytoconfigureactiontakenifunabletodeterminethevalidityofacertificate

FromthePP-ModuleforServerVirtualization:FromFMT_MOF_EXT.1.2:*selectAbilitytoconfigureactiontakenifunabletodeterminethevalidityofacertificate






Rule#14IfdigitalsignaturemechanismusingcertificatesisselectedinFPT_TUD_EXT.1.3thencodesigningforsystemsoftwareupdatesmustbeselectedinFIA_X509_EXT.2.1.

IF FromFPT_TUD_EXT.1.3:*selectdigitalsignaturemechanismusingcertificates

THEN FromFIA_X509_EXT.2.1:*selectcodesigningforsystemsoftwareupdates

Rule#15If"certificate-basedauthenticationoftheremotepeer"and"TLSasconformingtotheFunctionalPackageforTransportLayerSecurity"areselectedinFTP_ITC_EXT.1.1then"TLS"mustbeselectedinFIA_X509_EXT.2.1.

IFFromFTP_ITC_EXT.1.1:*selectcertificate-basedauthenticationoftheremotepeer*selectTLSasconformingtotheFunctionalPackageforTransportLayerSecurity

THEN FromFIA_X509_EXT.2.1:*selectTLS

Rule#16If"certificate-basedauthenticationoftheremotepeer"and"TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1"areselectedinFTP_ITC_EXT.1.1then"HTTPS"mustbeselectedinFIA_X509_EXT.2.1.

IFFromFTP_ITC_EXT.1.1:*selectcertificate-basedauthenticationoftheremotepeer*selectTLS/HTTPSasconformingtoFCS_HTTPS_EXT.1

THEN FromFIA_X509_EXT.2.1:*selectHTTPS

Rule#17If"certificate-basedauthenticationoftheremotepeer"and"IPsecasconformingtoFCS_IPSEC_EXT.1"areselectedinFTP_ITC_EXT.1.1then"IPsec"mustbeselectedinFIA_X509_EXT.2.1.

IFFromFTP_ITC_EXT.1.1:*selectcertificate-basedauthenticationoftheremotepeer*selectIPsecasconformingtoFCS_IPSEC_EXT.1

THEN FromFIA_X509_EXT.2.1:*selectIPsec

Rule#18If"certificate-basedauthenticationoftheremotepeer"and"SSHasconformingtotheFunctionalPackageforSecureShell"areselectedinFTP_ITC_EXT.1.1then"SSH"mustbeselectedinFIA_X509_EXT.2.1.

IFFromFTP_ITC_EXT.1.1:*selectcertificate-basedauthenticationoftheremotepeer*selectSSHasconformingtotheFunctionalPackageforSecureShell

THEN FromFIA_X509_EXT.2.1:*selectSSH





AppendixH-Acronyms

Acronym Meaning

AES AdvancedEncryptionStandard

Base-PP BaseProtectionProfile

CC CommonCriteria

CEM CommonEvaluationMethodology

CPU CentralProcessingUnit

DEP DataExecutionPrevention

DKM DerivedKeyingMaterial

DSS DigitalSignatureStandard

ECC EllipticCurveCryptography

FFC Finite-FieldCryptography

FIPS FederalInformationProcessingStandard

IEC InternationalElectrotechnicalCommission

IP InternetProtocol

ISO InternationalOrganizationforStandardization

IT InformationTechnology

ITSEF InformationTechnologySecurityEvaluationFacility

KDF KeyDerivationFunction

MAC MessageAuthenticationCode

NIST NationalInstituteofStandardsandTechnology

NVLAP NationalVoluntaryLaboratoryAccreditationProgram

OE OperationalEnvironment

OS OperatingSystem

PKV PublicKeyVerification

PP ProtectionProfile

PP-Configuration ProtectionProfileConfiguration

PP-Module ProtectionProfileModule

RSA Rivest,Shamir,Adleman

SAR SecurityAssuranceRequirement

SFR SecurityFunctionalRequirement

SP SpecialPublication

SPD SecurityPolicyDatabase

SSP SystemSecurityPolicy

ST SecurityTarget

SWID SoftwareIdentification

TOE TargetofEvaluation

TPM TrustedPlatformModule

TSF TOESecurityFunctionality

TSFI TSFInterface

TSS TOESummarySpecification

VM VirtualMachine

VMM VirtualMachineManager

VS VirtualizationSystem

AppendixI-Bibliography

Identifier Title

[CEM] CommonEvaluationMethodologyforInformationTechnologySecurity-EvaluationMethodology,CCMB-2017-04-004,Version3.1,Revision5,April2017.

[CC] CommonCriteriaforInformationTechnologySecurityEvaluation-Part1:IntroductionandGeneralModel,CCMB-2017-04-001,Version3.1Revision5,April2017.Part2:SecurityFunctionalComponents,CCMB-2017-04-002,Version3.1Revision5,April2017.Part3:SecurityAssuranceComponents,CCMB-2017-04-003,Version3.1Revision5,April2017.

http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R5.pdf

http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf

