TD0057: Update to TD0047 for Non Wear Leveled Flash Memory
PP_MD_v2.0, PP_MDM_AGENT_V2.0, PP_MDM_V2.0
PP_MD_V2.0, requirement FCS_CKM_EXT.4; PP_MDM_V2.0; PP_MDM_Agent_V2.0
TD0047 ("MDFPP v2.0 FCS_CKM_EXT.4 Update") revised FCS_CKM_EXT.4.1 to add a rule that does not require a read-verify for non-volatile flash memory that is wear-leveled. That edit did not address non-volatile flash that is not wear-leveled; for this type of flash memory there are cases where a read-verify after a block erase is neither practical nor needed.
FCS_CKM_EXT.4.1 will be revised to remove the read-verify after a block erase for non wear-leveled non-volatile flash as follows:
FCS_CKM_EXT.4.1 The TSF shall destroy cryptographic keys in accordance with the specified cryptographic key destruction methods:
- by clearing the KEK encrypting the target key,
- in accordance with the following rules:
  - For volatile memory, the destruction shall be executed by a single direct overwrite [selection: consisting of a pseudo-random pattern using the TSF’s RBG, consisting of zeroes].
  - For non-volatile EEPROM, the destruction shall be executed by a single direct overwrite consisting of a pseudo random pattern using the TSF’s RBG (as specified in FCS_RBG_EXT.1), followed by a read-verify.
  - For non-volatile flash memory that is not wear-leveled, the destruction shall be executed [selection: by a single direct overwrite consisting of zeros followed by a read-verify, by a block erase that erases the reference to memory that stores data as well as the data itself].
  - For non-volatile flash memory that is wear-leveled, the destruction shall be executed [selection: by a single direct overwrite consisting of zeros, by a block erase].
  - For non-volatile memory other than EEPROM and flash, the destruction shall be executed by overwriting three or more times with a random pattern that is changed before each write.
For flash memory that is not wear-leveled, if the act of erasing the data also erases the reference to the memory that stores the data, a read-verify is not required (because it is not possible to address the memory that was just erased).
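The first selection for non wear-leveled flash (a single direct overwrite with zeros followed by a read-verify) is illustrated below. This is an added example, not text or code from the Technical Decision or any Protection Profile. It uses a simulated flash block rather than a real driver, and `sim_flash`, `sim_program`, `destroy_key_overwrite`, `demo_destroy` and the injected stuck-bit fault are all hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 64u              /* constructed size for this simulation */

/* Simulated flash block (hypothetical model, not a real driver API). */
struct sim_flash {
    uint8_t cells[BLOCK_SIZE];
    size_t  stuck_off;              /* offset of a faulty byte */
    uint8_t stuck_mask;             /* bits that refuse to program; 0 = healthy */
};

/* Programming flash can only clear bits (1 -> 0): new = old & data. */
static void sim_program(struct sim_flash *f, size_t off, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint8_t v = f->cells[off + i] & data[i];
        if (off + i == f->stuck_off)
            v |= f->cells[off + i] & f->stuck_mask;  /* faulty bits keep their value */
        f->cells[off + i] = v;
    }
}

/* Single direct overwrite with zeros, followed by a read-verify.
 * Returns 0 only if every byte in the key range reads back as zero. */
int destroy_key_overwrite(struct sim_flash *f, size_t off, size_t len)
{
    static const uint8_t zeros[BLOCK_SIZE];          /* zero-initialized */
    if (off > BLOCK_SIZE || len > BLOCK_SIZE - off)
        return -1;                                   /* range outside the block */
    sim_program(f, off, zeros, len);
    const volatile uint8_t *p = f->cells + off;      /* force real reads */
    uint8_t residue = 0;
    for (size_t i = 0; i < len; i++)
        residue |= p[i];
    return residue == 0 ? 0 : -1;
}

/* Store a constructed 16-byte key at offset 8, then destroy it.
 * A non-zero stuck_mask injects a cell fault at the first key byte. */
int demo_destroy(uint8_t stuck_mask)
{
    struct sim_flash f = { .stuck_off = 8, .stuck_mask = 0 };
    uint8_t key[16];
    memset(f.cells, 0xFF, sizeof f.cells);           /* erased state */
    memset(key, 0xA5, sizeof key);                   /* constructed key material */
    sim_program(&f, 8, key, sizeof key);
    f.stuck_mask = stuck_mask;
    return destroy_key_overwrite(&f, 8, sizeof key);
}
```

With a healthy block the read-verify passes. With one stuck bit the overwrite leaves key residue and the function reports failure, which is the case the read-verify exists to catch.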