05 Nov 2020 Security IC Platform Augmentation Package: External NVM Storage
Document Overview:
This document defines a series of additional elements of the security problem definition, security objectives, and security functional requirements (SFRs), to support those architectures of Security ICs according to [1] that use an external NVM for storage. This augmentation package provides guidelines for the option where the external NVM is considered part of the TOE (and therefore part of the evaluation of the Security IC) and for the option where the external NVM is not part of the TOE.
Other IT products different from Security ICs conformant to BSI-CC-PP-0084-2014 [1] that could benefit from the use of an external NVM (e.g., other System-On-Chip products) are out of the scope of application of this document.
The Security IC Platform Protection Profile with Augmentation Packages (BSI-CC-PP-0084-2014; Version 1.0, 13.01.2014) [1] defines standard requirements for the TOE. In particular, according to [1] the TOE must meet the following security functions requirements:
Security Functional Requirement | Dependencies |
---|---|
FRU_FLT.2 | FPT_FLS.1 |
FPT_FLS.1 | None |
FMT_LIM.1 | FMT_LIM.2 |
FMT_LIM.2 | FMT_LIM.1 |
FAU_SAS.1 | None |
FPT_PHP.3 | None |
FDP_ITT.1 | FDP_ACC.1 or FDP_IFC.1 |
FDP_IFC.1 | FDP_IFF.1 |
FPT_IFC.1 | FDP_IFF.1 |
FDP_ITT.1 | None |
FDP_SDC.1 | None |
FDP_SDI.2 | None |
FCS_RNG.1 | None |
The security functional requirements in Table 1 are common to all TOEs declaring conformance to BSI- CC-PP-0084-2014 in their security targets. Among those, specifically, FDP_SDC.1 and FDP_SDI.2 involve the security of user data stored in the TOE non-volatile memories, as per confidentiality and integrity, respectively. However, modern approaches and market needs present frequent cases where the Security IC Platform uses an external non-volatile memory storage media for the persistence of data. An external NVM refers to a storage component that is not a physical part of the same physical chip as the Security IC platform. This storage component is usually operated by the security IC through the interconnection bus between the host MCU (the Security IC) and the external NVM.
This kind of architecture brings up new security concerns in terms of protection of the code and data, which is transferred between the external NVM and the host MCU, including potentially through the interconnection bus. On the one hand, confidentiality (FDP_SDC.1) and integrity (FDP_SDI.1) of the stored user data can be potentially compromised by an attacker having physical access to the external NVM. On the other hand, an attacker can be able to replace the contents of the external NVM with a previous copy. The scenario of a Security IC Platform using an external NVM device must address such security challenges.
Therefore, it is required to review the security paradigm provided in [1] and refine it to cover the security needs derived from using an external non-volatile storage device. Such refinement of the security problem is done considering that the contents stored in the external NVM can be either user data, code, or both. This document defines an augmentation package to the BSI-CC-PP-0084-2014 protection profile. This augmentation package has been elaborated following the methodology described in [2].
External_NVM_Augmentation_Package_for_PP0084_v1.3