clarification on "multiple connected displays" needed #1
Description
There are two separate situations where a TOE could select multiple connected displays, each of which should be handled differently in the SFRs and testing. This is partially covered by TD0539 which has been incorporated into the module, but it may not be fully clear to the reader.
The first situation is one where the TOE has multiple monitor plugs, but both of the plugs are tied to the same computer as all of the other peripherals, i.e. a dual-head display. In this situation there is no need for the TOE to use on-screen display because the selected monitors are always pointed to the same channel as the other peripherals and so the chassis indicator unambiguously identifies the active computer.
In this case, the additional testing that is needed versus having only a single connected display is to verify that all of the isolation between ports is true for both ports. i.e. on a single-head two-port TOE, the only isolation testing is to verify that port 1 and port 2 are isolated. In a dual-head TOE, the isolation must be shown between 1a and 2a, 1a and 2b, 1b and 2a, and 1b and 2 b. Additionally, it's possible for each head to support a different video protocol so any sub-protocol handling must be taken into consideration.
The second situation is the combiner use case function, where the TOE may have a dedicated monitor that has a "security camera" style feed that can be configured to point at multiple computers simultaneously (e.g. a 4 port TOE could have a quad-box of each connected monitor on a single screen).
In this case, it is necessary for each feed to be labeled with on-screen display.
Since the test activities are ideally separated by selection, FDP_CDS_EXT.1.1 could alternatively say something like "The TSF shall support [selection: one connected display for the active computer, multiple connected displays for the active computer, one connected display for multiple computers]." Then only the latter selection requires on-screen display in accordance with FTA_CIN_EXT.1.
Note that there are PSD products that have two displays where one display is tied to the active computer and the second display is a combiner that can be configured separately from the other peripherals. Assuming that this is a permissible use case, it is suggested that only the combiner monitor require OSD and the other one is understood to point to the same computer as the other peripherals, identified by the chassis indicator. However, isolation between these two ports would also need to be tested so that the presence of the combiner monitor isn't a vehicle for side channel disclosure on the primary monitor.