The NIT has issued a technical decision for Clarifying FPT_TUD_EXT.1 Trusted Update

For FPT_TUD_EXT.1 Test 2 the test shall be marked conditional and the condition shall be clarified. Therefore

”Test 2 [conditional]: If the TOE itself verifies a digital signature to authorize the installation of an image to update the TOE the following test shall be performed (otherwise the test shall be omitted).”

For FPT_TUD_EXT.1 Test 3 the test shall be marked conditional and the condition shall be clarified.

”Test 3 [conditional]: If the TOE itself verifies a hash value over an image against a published hash value (i.e. reference value) that has been imported to the TOE from outside such that the TOE itself authorizes the installation of an image to update the TOE, the following test shall be performed (otherwise the test shall be omitted).”

Note, that the scenario described in the issue section where the TOE provides capabilities to calculate the hash over an image but the decision about the authorization for the installation of the update is dependent on the authorization by the administrator is not regarded as a scenario where the TOE itself verifies the hash value.

For FPT_TUD_EXT.1 Test 3 part 2 the first sentence should be modified to enhance clarity.

”The evaluator uses a legitimate update and tries to perform verification of the hash value without providing the published hash value to the TOE.”

The change of wording in Test 3 part 2 has been made to remove the confusion over “storing” the hash. The objective of Test 3 part 2 is to cover the scenario where the TOE is expected to perform the hash comparison by itself but the reference value is missing.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI201902.pdf

See issue description