NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0139:  Clarification of testing for FDP_RIP_EXT.2

Publication Date

Protection Profiles

Other References

Issue Description

The Assurance Activity tests defined for FDP_RIP_EXT.2 are flawed, such that they will almost always pass even if the hypervisor does not zero out the disk block as intended by the requirement. 


FDP_RIP_EXT.2 will be modified.

Replace the Assurance Activity with the following text.

The evaluator shall ensure that the TSS documents the conditions under which physical disk storage is not cleared prior to allocation to a Guest VM. The evaluator shall also ensure that the TSS documents the metadata used in its virtual disk files.

The evaluator shall perform the following test: 

On the host, the evaluator creates a file that is more than half the size of a connected physical storage device (or multiple files whose individual sizes add up to more than half the size of the storage media).  This file (or files) shall be filled entirely with a non-zero value.  Then, the file (or files) shall be released (freed for use but not cleared).  Next, the evaluator (as a VS Administrator) creates a virtual disk at least that large on the same physical storage device and connects it to a powered-off VM.  Then, from outside the Guest VM, scan through and check that all the non-metadata (as documented in the TSS) in the file corresponding to that virtual disk is set to zero.


Test modified to ensure intent of requirement is tested and any confusion in wording removed.

Site Map              Contact Us              Home