Assurance Continuity - Seagate Secure TCG SSC Self-Encrypting Drives
Date of Maintenance Completion: 2019.07.15
CC Certificate, Validation Report, Assurance Activity
Product Type: Encrypted Storage
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Full Drive Encryption - Encryption Engine Version 2.0
Original Evaluated TOE: 2018.04.11 - Seagate Secure TCG SSC Self-Encrypting Drives
Please note: The above files are for the Original Evaluated TOE. Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Assurance Continuity Maintenance Report
Please note: This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with the latest Maintenance Release.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.
The TOE has been updated in the following ways.
There are five security-relevant, non-SFR-impacting firmware code changes that involved fixing intermittent drive hang issues.
· The issue “Drive hang when issuing repeated TCG Send commands without retrieving status” occurred due to a missed state check in the TCG packet parser causing the drive to become unresponsive. (Change #6)
· The issue “Incorrect sense data return after invoke sanitize follow by power-cycle” occurred due to an omitted variable check after the sanitization had completed successfully that treated the completion state the same as ‘sanitization in progress’. (Change #7)
· The issue “Avoid updating internal state of transaction” occurred due to an internal state of a transaction updating on every transaction, rather than only on successful transactions. (Change #9)
· The issue “Drive returns wrong sense data in response to Read Long command in secure drive” occurred due to a command status field not being appropriately flag-masked for read operations in all cases. (Change #19)
· The issue “Drive may hang while executing TCG Random method in parallel with I/O” occurred due to missing request and release calls to the media scheduler. (Change #32)
One firmware change fixed a TCG Spec violation due to reporting incorrect sense data.
· The issue “Command timeouts after doing I/O while SED Band locking status is changing” occurred due to a state check not being cleared when attempting to unlock a locked band. (Change #34)
The final firmware change fixed an intermittent issue where a sanitize operation caused a drive to fall into an unresponsive but secure state.
· The issue “Sanitize overwrite operation causes data abort and corrupt format” occurred due to a slight misalignment between two security-related subroutines’ memory range permissions, which caused an intermittent drive hang waiting for memory access that could not be granted. (Change #46)
The security-relevant firmware code changes are included in the following firmware versions (summarized in the table just below):
· Issues #32, #34, and #46 are included in firmware versions 0001, 0002, A001, 0004, and 0005.
· Issues #6, #7, #9, and #19 are included in firmware versions CF04 and NF04.
None of these security-relevant changes impacted the underlying security architecture, affected the implementation of the SFRs, or rendered drives into an insecure or vulnerable state.
Hardware – Model Updates
· The changed model numbers are XS1600ME10023, XS800ME10023, XS400ME10023, XS6400LE70023, XS1600LE10023, XS1920SE10123, XS3840TE10023, XS3200ME70023, XS15360SE70143 (formerly model number XS15360SE70123), XS7680TE70023, ST900MP0166, ST600MP0156, ST900MP0126, ST600MP0026, ST1000LM050, ST500LM035, ST1200MM0069, ST2400MM0149, ST1800MM0149, and ST1200MM0149.
· There are seven new versions of firmware based on existing Common Criteria certified versions. Firmware versions 0001, 0002, 0004, 0005, and A001 are based on the existing certified firmware revision 7539; firmware version CF04 is based upon existing firmware revision CK10; and firmware version NF04 is based upon existing firmware revision CKF1.
· The new model numbers are XS800LE70024, XS1600LE70024, XS3200LE70024, XS6400LE70024, XS400ME70024, XS800ME70024, XS1600ME70024, XS3200ME70024, XS960SE70024, XS1920SE70024, XS3840SE70024, XS7680SE70024, XS3840TE70024, XS7680TE70024, and XS15360TE70024.
o The hardware change is minor in scope: it replaces two types of NAND packages used on the ASIC with one type of NAND package, along with the accompanying pin differences between the packages.
· The updated Security Target, the Entropy Document, and the Key Management Description were only changed to incorporate the updated and new model numbers and to add the new firmware versions identified above.
Seagate Security Certification Contracts
+1 (952) 402-2356