|
7512 | 7512 | by default. |
7513 | 7513 | </Guidance> |
7514 | 7514 | <Tests> |
7515 | | - The evaluator shall attempt to access test and debug functions/ports. Connect probes or |
| 7515 | + The evaluator shall attempt to access test and debug functions/ports. If the test and debug |
| 7516 | + functions/ports allow for authorization credentials, the evaluator shall create an arbitrary |
| 7517 | + authorization credential that is not provided by the vendor. The evaluator shall connect probes or |
7516 | 7518 | adapters to ports, pads, or interfaces as necessary. Utilize package analyzer or other |
7517 | | - tools as appropriate. If FMT_LIM.2 is also utilized, then the evaluator may not utilize |
7518 | | - a signing key for this test. |
| 7519 | + tools as appropriate. |
7519 | 7520 | <testlist> |
7520 | 7521 | The evaluator shall conduct the following tests: |
7521 | 7522 | <test>Execute all documented get, read, and query commands. Examine the captured output. |
7522 | 7523 | Output must not contain user data, TSF data, or firmware instructions. No output is |
7523 | 7524 | also acceptable.</test> |
7524 | 7525 | <test>The evaluator shall execute all documented set, write, and allocate functions with |
7525 | 7526 | the intent to inject arbitrary examination data through the TSF boundary. Attempts to |
7526 | | - alter user data, TSF data, and TOE firmware should fail. </test> |
| 7527 | + alter user data, TSF data, and TOE firmware must fail.</test> |
7527 | 7528 | </testlist> |
7528 | 7529 | </Tests> |
7529 | 7530 | </aactivity> |
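Review bot: The added credential step ("If the test and debug functions/ports allow for authorization credentials, the evaluator shall create an arbitrary authorization credential that is not provided by the vendor") has no pass/fail criterion of its own: the evaluator is told to mint a non-vendor credential but the hunk never says the TOE must refuse it, so a port that accepts a self-made credential only fails if the subsequent get/read or set/write test happens to expose data. Suggest adding, right after that sentence, something like "Access with this credential shall be refused; if the TOE grants access, the test fails." Also, the retained context line "Utilize package analyzer or other tools as appropriate" is missing its article (the deleted text in the FMT_LIM.2 hunk reads "a package analyzer") and "package analyzer" is most likely meant to be "protocol analyzer" or "logic analyzer", which is what one attaches to JTAG/SWD/UART lines; the corrected wording should be applied in both places since the sentence is now duplicated.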
|
7536 | 7537 | <f-element id="fmt-lim-2e1"> |
7537 | 7538 | <title> |
7538 | 7539 | The TSF shall be designed in a manner that limits its availability so that in conjunction |
7539 | | - with “Limited capabilities (FMT_LIM.1)” the following policy is enforced: [ |
7540 | | - The TSF shall <selectables onlyone="yes"> |
7541 | | - <selectable>disable access through hardware</selectable> |
7542 | | - <selectable>control access by a signing key</selectable> |
7543 | | - </selectables> to testing and debug features.] |
| 7540 | + with “Limited capabilities (FMT_LIM.1)” the following policy is enforced: |
| 7541 | + [Deploying test and debug features after |
| 7542 | + TOE delivery does not allow user data of the TOE to be disclosed or manipulated, TSF data |
| 7543 | + to be disclosed or manipulated, and firmware to be reconstructed such that information about |
| 7544 | + construction of the TSF may enable other attacks.] |
7544 | 7545 | </title> |
7545 | 7546 | <note role="application"> |
7546 | | - This requirement means that test and debug functions/ports may not be accessible following |
| 7547 | + The GPCP may implement test and debug features such as (but not limited to) JTAG, SWD, UART, |
| 7548 | + and USB. The TOE shall prevent abuse of such functionality after the production test phase. |
| 7549 | + The protection can be achieved by limiting the capability of the implemented features and/or |
| 7550 | + limiting their availability.<h:p/> |
| 7551 | + Limited availability means that test and debug functions/ports may not be accessible following |
7547 | 7552 | TOE production. Examples of test and debug functions/ports include but are not limited to |
7548 | 7553 | JTAG, SWD, UART, and USB. This requirement should be included in the ST for use cases that |
7549 | | - include the threat T.PHYSICAL. |
| 7554 | + include the threat T.PHYSICAL.<h:p/> |
| 7555 | + Limited capability prevents misuse or compromise of TSF data or user data, or the characterization |
| 7556 | + of security functions and security services – even if the functions/ports can be activated – |
| 7557 | + while limited availability controls or prevents access to the capabilities after testing. |
| 7558 | + In most cases, both types of limitations are implemented to ensure the required protection. |
7550 | 7559 | </note> |
7551 | 7560 | <aactivity> |
7552 | 7561 | <TSS> |
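Review bot: The new policy text in the title ("does not allow user data of the TOE to be disclosed or manipulated, TSF data to be disclosed or manipulated, and firmware to be reconstructed") uses "and" where "or" is needed; read literally it only forbids the conjunction of all three outcomes, so a port that leaks TSF data but not firmware would satisfy it. Change the final "and" to "or". In the application note, "JTAG, SWD, UART, and USB" is now listed twice (in the added first paragraph and again in the retained "Examples of test and debug functions/ports include but are not limited to ..." sentence); drop the retained sentence. The note also uses three different boundaries for when the features must be unavailable ("after the production test phase", "following TOE production", and in the title "after TOE delivery"); pick one so the evaluator knows which lifecycle point the test is judged against. Finally "may not be accessible" is ambiguous between permission and possibility; "shall not be accessible" matches the normative language used elsewhere in the element.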
|
7561 | 7570 | and test and debug mechanisms identified by reverse engineers. The TOE shall be |
7562 | 7571 | configured to enforce TSF boundaries per vendor configuration instructions (this may |
7563 | 7572 | require disabling test and debugging features in firmware configuration).<h:p/> |
7564 | | - |
7565 | | - If "<h:i>disable access through hardware</h:i>" is selected:<h:br/> |
7566 | | - The evaluator shall examine the TSS to determine the location of the test and debug |
7567 | | - functions/ports on the TSF, to include the order of the ports (i.e. Data In, Data Out, |
7568 | | - Clock, and similar as appropriate for the interface/specification).<h:p/> |
7569 | | - |
7570 | | - If "<h:i>control access by a signing key</h:i>" is selected:<h:br/> |
7571 | | - The evaluator shall examine the TSS to determine how access to the test and debug portsare controlled by a |
7572 | | - signing key. The evaluator shall examine the TSS to determine when the test and debug ports can be accessed, |
7573 | | - i.e. what has the access to the signing key. |
7574 | 7573 | </TSS> |
7575 | 7574 | <Guidance> |
7576 | 7575 | TOEs that do not provide test and debug functionality/ports are compliant with this |
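Review bot: Deleting the "disable access through hardware" paragraph also deletes the only TSS requirement that the vendor document the location and pin order of the test and debug ports, which the Tests section still depends on ("connect probes or adapters to ports, pads, or interfaces as necessary"); without it the evaluator has no documented basis for where to probe. Suggest keeping a selection-independent version of the removed text, e.g. "The evaluator shall examine the TSS to determine the location of the test and debug functions/ports on the TSF, to include the order of the ports (i.e. Data In, Data Out, Clock, and similar as appropriate for the interface/specification)." The removal also leaves the retained `<h:p/>` as the last thing before `</TSS>`, producing an empty trailing paragraph; trim it.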
|
7579 | 7578 | by default. |
7580 | 7579 | </Guidance> |
7581 | 7580 | <Tests> |
7582 | | - The evaluator shall attempt to access test and debug functions/ports. Connect probes or |
7583 | | - adaptors to ports, pads, or interfaces as necessary. Utilize a package analyzer or other |
7584 | | - tools as appropriate. If FMT_LIM.1 is also utilized, then get/read/query and set/write/allocate |
7585 | | - functions may perform actions on user data, TSF data, and firmware when a signing key is |
7586 | | - used to provide authentication. |
| 7581 | + The evaluator shall attempt to access test and debug functions/ports. If the test and debug |
| 7582 | + functions/ports allow for authorization credentials, the evaluator shall create an arbitrary |
| 7583 | + authorization credential that is not provided by the vendor. The evaluator shall connect probes or |
| 7584 | + adapters to ports, pads, or interfaces as necessary. Utilize package analyzer or other |
| 7585 | + tools as appropriate. |
7587 | 7586 | <testlist> |
7588 | 7587 | The evaluator shall conduct the following tests: |
7589 | | - <test>If "<h:i>disable access through hardware</h:i>" is selected then the evaluator shall |
7590 | | - utilize the test and debug ports to retrieve arbitrary data. The test succeeds if an |
7591 | | - error is returned or no response is observed. The test fails if arbitrary data is |
7592 | | - returned.</test> |
7593 | | - <test>If “<h:i>control access by a signing key</h:i>” is selected then the evaluator shall |
7594 | | - create a signing key used for test and debug features. The evaluator shall query the |
7595 | | - test and debug ports for its arbitrary data and provide the signing key to authorize |
7596 | | - this query. The test succeeds if data is returned to the evaluator. The test fails if |
7597 | | - no data is returned.</test> |
| 7588 | + <test>Execute all documented get, read, and query commands. Examine the captured output. |
| 7589 | + Output must not contain user data, TSF data, or firmware instructions. No output is |
| 7590 | + also acceptable.</test> |
| 7591 | + <test>The evaluator shall execute all documented set, write, and allocate functions with |
| 7592 | + the intent to inject arbitrary examination data through the TSF boundary. Attempts to |
| 7593 | + alter user data, TSF data, and TOE firmware must fail.</test> |
7598 | 7594 | </testlist> |
7599 | 7595 | </Tests> |
7600 | 7596 | </aactivity> |
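Review bot: The two replacement tests are a verbatim copy of the FMT_LIM.1 tests and exercise what the ports can do (limited capability), not whether the ports can be reached at all (limited availability), which is what this element's title and application note are about; the deleted first test ("The test succeeds if an error is returned or no response is observed. The test fails if arbitrary data is returned.") was the only availability check in the file and it has no replacement. Suggest keeping an availability criterion here: the attempt to access the port, including the attempt with the evaluator-created credential, passes only if an error is returned or no response is observed. If the FMT_LIM.1 and FMT_LIM.2 tests are intended to be identical, say so in one place rather than duplicating the text, so later edits do not drift apart. Minor: "Utilize package analyzer" lost the article "a" that the deleted line had.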
|