HCD0009 - Clarification on Tests assurance activity for FPT_TST_EXT.1 TSF testing

FPT_TST_EXT.1 TSF testing

The Tests assurance activity for FPT_TST_EXT.1 TSF testing lacks clarification and context to avoid overlap with the Tests assurance activity for FPT_SBT_EXT.1 Secure Boot and limit the scope to verifying the execution of self-tests.

Update Tests assurance activity for FPT_TST_EXT.1 TSF testing to avoid overlap with the Tests assurance activity for FPT_SBT_EXT.1 Secure Boot and limit the scope to verifying the execution of self-tests.

Update FPT_TST_EXT.1.1 Application Note to make consistent.

The SD is updated as follows (yellow highlights for additions, strikethrough for deletions) per section that is being updated:

2.6.4.3. Tests

The evaluator with assistance from the vendor (if needed) shall confirm that when an error in the self-test results is induced into the TOE, the TOE no longer enters into operational mode. For example, DRGB self-test is a self-test function.

Although formal compliance is not mandated, the self-tests performed should aim for a level of confidence comparable to:

The evaluator shall either verify that the self-tests described above are carried out during initial start-up or that the developer has justified any deviation from this.

The cPP is updated as follows (yellow highlights for additions, strikethrough for deletions) per section that is being updated:

5.8.4. Application Note

Power-on self-tests may take place before the TSF is operational, in which case this SFR can be satisfied by verifying the TSF image by digital signature as specified in FCS_COP.1/SigGen, or by hash specified in FCS_COP.1/Hash.

Self-test is intended to detect malfunctions which may compromise the TSF. Since the integrity of the firmware/software is guaranteed by FPT_SBT_EXT, the function for FPT_TST_EXT should address the malfunction detection like DRBG self-test defined in ISO/IEC 18031:2011.

Issue #22