Compliant Product - Apple FileVault 2 on T2 systems running macOS Catalina 10.15
Certificate Date: 2021.04.29
Validation Report Number: CCEVS-VR-VID11078-2021
Product Type: Encrypted Storage
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Full Drive Encryption - Authorization Acquisition Version 2.0 + Errata 20190201
collaborative Protection Profile for Full Drive Encryption - Encryption Engine Version 2.0 + Errata 20190201
CC Testing Lab: Acumen Security
The TOE is a full drive encryption product which supports both authorization acquisition (AA) and an encryption engine (EE). The TOE is a Unix-based operating system which leverages the Apple T2 security processor to perform the full disk encryption. The operating system core is a POSIX-compliant operating system built on top of the XNU kernel, with standard Unix facilities available from the command line interface.
The TOE comprises both software and hardware. The TOE hardware consists of the Apple T2 Security Chip, which is custom silicon for the Mac. It contains the Secure Enclave coprocessor (SEP), which provides the security-related functionality for all of the EE functionality (i.e., other than encryption/decryption of storage data) and all of the cryptographic functionality for AA (i.e., PBKDF2). The Password Acquisition component (AA) is the pre-boot component on the disk; it captures the user password and passes it to the T2/SEP. The T2 provides a dedicated AES crypto engine built into the Direct Memory Access (DMA) path between the storage and main memory of the host platform. The T2 chip is placed in the data path between the Intel chip and the storage, enabling it to encrypt/decrypt all data flowing between these two components.
Note: The Apple T2 Security Chip is the same exact chip across all platforms. All cryptographic processing related to FileVault (FDE) is performed using the Apple T2 / SEP rather than the Intel chipset, so multiple Intel chips or microarchitectures play no role in the processing (encryption/decryption) or in the management of the keys for data under FileVault.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Apple FileVault 2 on T2 systems running macOS Catalina 10.15 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the Evaluation Assurance Level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the Apple FileVault 2 on T2 systems running macOS Catalina 10.15 Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Apple FileVault 2 on T2 systems running macOS Catalina 10.15 Security Target. The project underwent CCEVS Validator review. The evaluation was completed in April 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Logical Scope of the TOE
The TOE implements the following security functional requirements from [FDE EE v2.0e] and [FDE AA v2.0e] as listed below:
Cryptographic Support (FCS)
Each of these cryptographic algorithms has been validated for conformance to the requirements specified in its respective standard, as identified in Table 4 (CAVP Algorithm Testing References) of the ST.
User Data Protection (FDP)
The TOE encrypts all user data using XTS-AES 128 with a 256-bit key.
Security Management (FMT)
The TOE can perform management functions. The administrator has full access to carry out all management functions, and the user has limited privilege. The Disk Utility program operating on macOS invokes the management functionality of the AA component in the T2 chip.
Protection of the TSF (FPT)
The TOE implements the following protection of TSF data:
· Protection of Key and Key Material.
· Power Saving States.
· Timing of Power Saving States.
· TSF Testing.
· Trusted updates using digital signatures.
The macOS (Operational Environment) retrieves the update package from the Apple update server and forwards the package to the AA component in the T2 chip. The TOE validates the digital signature for the package before it is installed.
Fiona Pattinson and Shawn Geddis