NIAP: View Technical Decision Details
Archived TD0063:  Virtual Device Parameters Testing in SVPP

Publication Date
2015.09.10

Protection Profiles
PP_SV_V1.0

Other References
PP_SV_v1.0

Issue Description

The Assurance Activity for FPT_VDP_EXT.1 Virtual Device Parameters currently reads:

The evaluator shall examine the TSS to ensure it includes the documentation of all virtual device interfaces, including I/O ports, protocols, and data formats. The evaluator shall perform the following test:

  • Test 1: For each virtual device interface, the evaluator shall access the interface from within a VM using parameter values outside the legal values specified in the TSS. The test succeeds if all illegal values are rejected and the Virtualization System and VMM remain in a usable state.

 

There were concerns that this test would require too great an investment of time to complete and lack repeatability due to the difficulties associated with testing “all illegal values”.  This could be construed as an infinite number of values, which would be impossible to test.

Resolution

This assurance activity is being moved to a vendor attestation activity. The updated requirement is as follows:

FPT_VDP_EXT.1.2 is an attestation requirement.  The vendor must attest that parameters passed from a VM to a virtual device interface are not able to degrade or disrupt the functioning of other VMs, the VMM, or the Platform.  The vendor must attest that there are no design or implementation flaws that permit the above.

Assurance Activity:

The evaluator shall examine the TSS to ensure it documents all virtual device interfaces, including I/O ports, protocols, and data formats.

The evaluator ensures that the ST includes the following statement attesting that parameters passed from a Guest VM to virtual device interfaces are thoroughly validated, that all values outside the legal values specified in the TSS are rejected, and that any data passed to the virtual device interfaces is unable to degrade or disrupt the functioning of other VMs, the VMM, or the Platform:

Parameters passed from Guest VMs to virtual device interfaces are thoroughly validated and all illegal values (as specified in the TSS) are rejected.  Additionally, parameters passed from Guest VMs to virtual device interfaces are not able to degrade or disrupt the functioning of other VMs, the VMM, or the Platform.  Thorough testing and architectural design reviews have been conducted to ensure the accuracy of these claims, and there are no design or implementation flaws that bypass or defeat the security of the virtual device interfaces.

Justification

The Assurance Activity was determined to be too broad to be reliably conducted within the constraints of the target timeframe for an evaluation.

 
 