Comment from TC:
5.1.7 Protection of the TSF (FPT) / FPT_RDM_EXT.1 Removable Devices and Media / FPT_RDM_EXT.1.2
Care has been taken to specify the dangers of sharing removable media between domains. How about a physical device like a hard disk that is passed through knowingly to 2 separate VMs. Should there be something like a warning on VM launch that the HD is available to another VM (that may not be currently powered up)? Definitely sounds problematic to implement though. I am suggesting it because it presents the same issues that removable media does.
NIAP response: this will be addressed in a future version.
Editor note:
I think this is partially covered by FDP_VMS_EXT.1. FDP_VMS_EXT.1.4 says that data cannot be read or transferred to or from another Guest VM except through either virtual networking or some other mechanism explicitly specified by the ST author. You could look at this as prohibiting two Guest VMs from being able to read the same physical storage unless the ST specifically defines what you're describing here as a way to do that.
And then FDP_RIP_EXT.2 requires clearing of physical disk storage when being allocated to a Guest VM, specifically to prevent a case where a Guest VM has access to storage previously used by a different one.
For the future I would suggest tacking on another element to FDP_VMS_EXT.1 where we have the ST author specify what, if any, warnings or other mechanisms the TOE has to indicate when data sharing is allowed.