NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0247:  FPT_VDP_EXT.1 Clarification for Assurance Activity

Publication Date

Protection Profiles

Other References

Issue Description

In the Assurance Activity, parts of the documentation requirements are unclear.


08/21/2019: This TD has been superseded by TD0443.

The assurance activity for FPT_VDP_EXT.1 in PP_BASE_VIRTUALIZATION_V1.0. is modified (bold text) as follows:

Assurance Activity:

The evaluator shall examine the TSS to ensure it documents all virtual device interfaces at the virtual I/O port level, to specify port number (absolute or relative to a base), port name, and a description of legal input values.  The documentation must be sufficient to enable the evaluator to effectively run the tests in FPT_DVD_EXT.1.  The evaluator must ensure that there are no obvious or publicly known virtual I/O ports missing from the TSS.

Assurance Activity Note:

There is no expectation that evaluators will examine source code to verify the “all” part of the Assurance Activity.

The evaluator ensures that the ST includes the following statement attesting that parameters passed from a Guest VM to virtual device interfaces are thoroughly validated, that all values outside the legal values specified  in the  TSS are  rejected,  and  that any  data  passed  to  the  virtual  device  interfaces  is  unable  to degrade or disrupt the functioning of other VMs, the VMM, or the Platform:

Parameters passed from Guest VMs to virtual device interfaces are thoroughly validated and all illegal values (as specified in the TSS) are rejected.  Additionally, parameters passed from Guest VMs to virtual device interfaces are not able to degrade or disrupt the functioning of other VMs, the VMM, or the Platform.  Thorough testing and architectural design reviews have been conducted to ensure the accuracy of these claims, and there are no known design or implementation flaws that bypass or defeat the security of the virtual device interfaces.



This change clarifies that for this SFR the Guest-to-VMM interface must be documented only at the virtual I/O port level. Interfaces internal to the VS need not be documented for this SFR to be met.

Site Map              Contact Us              Home