In the FE EP, the FPT_KYP_EXT.1 requirement calls for the protection of keys in non-volitale storage, and gives a number of options.  Since the this is an EP on top of the Application Software EP, it seems like an acceptable option should be that the keys are stored in the underlying platform keystore.

FPT_KYP_EXT.1  in the Software File Encryption EP  is modified as follows.

FPT_KYP_EXT.1 Extended: Protection of Key and Key Material (FPT_KYP_EXT)

FPT_KYP_EXT.1.1 The TSF shall

  [selection:

-          not store keys in non-volatile memory;

-          only store keys in non-volatile memory when

       [selection:

-          wrapped, as specified in FCS_COP.1(5);

-          encrypted, as specified in FCS_COP.1(1);

-          stored in the underlying platform's keystore as specified by FCS_STO_EXT.1.1 (from the AS PP);

-          The plaintext key is not part of the key chain as specified in FCS_KYC_EXT.1;

-          The plaintext key will no longer provide access to the encrypted data after initial provisioning;

-          The plaintext key is a key split that is combined as specified in FCS_SMC_EXT.1, and the other half of the key split is either

              [selection:

                 - wrapped as specified in FCS_COP.1(5);

                 - derived and not stored in non-volatile memory.

              ];

-          The plaintext key is stored on an external storage device for use as an authorization factor;

-          The plaintext key is used to wrap a key as specified in FCS_COP.1(5) that is already wrapped as specified in FCS_COP.1(5);

       ]

  ].

There are no modifications necessary to the application notes or the assurance activities.

See issue description.