Archived TD0062: Hypercall Parameters Testing in SVPP
In the Assurance Activity for FPT_HCL_EXT.1.4 Hypercall Controls, the third test currently reads:
3. For each function, the evaluator shall call the function from within a VM using parameter values outside the legal values specified in the TSS for that function. The test succeeds if all illegal values are rejected and the Virtualization System and VMM remain in a usable state.
There were concerns that this test would require too great an investment of time to complete and would lack repeatability, due to the difficulties associated with testing “all illegal values”. That phrase could be construed as an infinite number of values, which would be impossible to test.
This third test in the assurance activity is being removed, though the first two tests remain. Additionally, the corresponding Assurance Activity Note has been removed and some of its content has been merged into the Application Note as follows:
The purpose of this requirement is to help ensure the integrity of the VMM by documenting the attack surface exposed to Guest VMs, and to ensure that Hypercall parameters supplied by software running in the untrusted Guest VM are properly validated prior to use by the VMM.
The testing described in test 3 was determined to be too broad to be reliably conducted within the constraints of the target timeframe for an evaluation.