NIAP: View Technical Decision Details
Archived TD0443:  FPT_VDP_EXT.1 Clarification for Assurance Activity

Publication Date

Protection Profiles

Other References

Issue Description

Some I/O port documentation may remain proprietary.


This TD supersedes TD0247.

The Assurance Activity for FPT_VDP_EXT.1 in PP_BASE_VIRTUALIZATION_V1.0 is replaced as follows:

Assurance Activity

The evaluator shall examine the TSS to ensure it lists all virtual devices accessible by the guest OS. The TSS, or a separate proprietary document, must also document all virtual device interfaces at the level of I/O ports -- including port number(s) (absolute or relative to a base), port name, and a description of legal input values.  The documentation must be sufficient to enable the evaluator to effectively run the tests in FPT_DVD_EXT.1.  The evaluator must ensure that there are no obvious or publicly known virtual I/O ports missing from the TSS.

Assurance Activity Note:

There is no expectation that evaluators will examine source code to verify the “all” part of the Assurance Activity.

The evaluator ensures that the ST includes the following statement attesting that parameters passed from a Guest VM to virtual device interfaces are thoroughly validated, that all values outside the legal values specified in the TSS are rejected, and that any data passed to the virtual device interfaces is unable to degrade or disrupt the functioning of other VMs, the VMM, or the Platform:

Parameters passed from Guest VMs to virtual device interfaces are thoroughly validated and all illegal values (as specified in the TSS) are rejected.  Additionally, parameters passed from Guest VMs to virtual device interfaces are not able to degrade or disrupt the functioning of other VMs, the VMM, or the Platform.  Thorough testing and architectural design reviews have been conducted to ensure the accuracy of these claims, and there are no known design or implementation flaws that bypass or defeat the security of the virtual device interfaces.


This change clarifies that for FPT_VDP_EXT.1 the Guest-to-VMM interface must be documented only at the virtual I/O port level. Interfaces internal to the VS need not be documented for this SFR to be met. It is acceptable for the I/O port documentation to be proprietary.
