TD0386: Platform-Provided Verification of Update
There are cases where the TOE does not, itself, perform the cryptographic verification of updates to the OS software. Instead, a hardware component (e.g., a system-on-a-chip “Security Processor”) on the hardware platforms required to be in the OE to support the secure operation of the TOE may perform the verification of the OS software. While this implementation does not appear to meet the letter of the SFR (“The OS shall…”), it does meet the intent of the PP, which is to ensure the integrity of the TOE throughout its lifecycle.
05/01/2019 - Updated to also apply to GPOS PP v4.2.1.
FPT_TUD_EXT.1.2 shall be modified as indicated by the underlined text:
FPT_TUD_EXT.1.2 The OS shall [selection: cryptographically verify, invoke platform-provided functionality to cryptographically verify] updates to itself using a digital signature prior to installation using schemes specified in FCS_COP.1(3).
Application Note: The intent of the requirement is to ensure that only digitally signed and verified TOE updates are applied to the TOE.
See issue description.