biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

Supporting Document v1.1 FPT_BDP_EXT.1 Section 2.4.1.7.1 #371

Closed xahun closed 2 years ago

xahun commented 2 years ago

Supporting Document v1.1 FPT_BDP_EXT.1 Section 2.4.1.7.1 "b. TSFI invocation test" - It is entirely unclear how an evaluator might "identify any TSFIs that output plaintext...". Also, the test concludes with essentially "if they cannot find any, no need to do this test" which seems backwards. This test should be recast and start with whatever the condition is (e.g., if the guidance has any TSFIs that..., then the evaluator shall test....). However, it seems like this so-called test activity is really an ADV_FSP issue where the evaluator should be ensuring that none of the identified TSFIs indicate that they export plaintext data.

woodbe commented 2 years ago

@n-kai will provide some further explanation about this text for the next call.

n-kai commented 2 years ago

Fingerprint sensor vendors provide the sensor with an SDK that provides interfaces, including debug interfaces that can be invoked by a Rich OS and dump raw fingerprint images. Such debug interfaces are necessary during the integration; however, sometimes mobile device vendors apply minimal changes to the SDK and integrate it into the device carelessly without properly disabling such debug interfaces (e.g., see *1). I believe that it's the mobile vendor's responsibility to properly disable such interfaces in a production device; this is the reason why I added "b. TSFI invocation test". This test activity may be an ADV_FSP issue, but as explained in *1, the evaluator should also look at how the mobile vendors disable the debug interfaces, because this kind of mistake happens repeatedly.

*1 https://www.synopsys.com/blogs/software-security/cve-2020-7958-trustlet-tee-attack/