TD0809: Update to FCS_COP.1/SIGN for CNSA 1.0 compliance with Secure Boot exception
Publication Date
2023.12.08
Protection Profiles
PP_OS_V4.3
Other References
FCS_COP.1.1/SIGN
Issue Description
GPOS PP 4.3 FCS_COP.1/SIGN allows support for RSA signatures with key sizes of 2048 bits and greater. GPOS PP 4.3 is intended to be CNSA 1.0 compliant, so the minimum RSA signature key size should be 3072 bits. However, this causes some issues for secure boot, so an exception for secure boot is being made for now; it will be removed in a later version.
Resolution
This TD updates changes made by TD0727, which is now archived.
FCS_COP.1.1/SIGN in PP_OS_V4.3 is modified as follows, with green-highlighted underlines indicating additions:
FCS_COP.1.1/SIGN The OS shall perform [cryptographic signature services (generation and verification)] in accordance with a specified cryptographic algorithm [selection:
]
The following evaluation activities are added to PP_OS_V4.3:
TSS [Conditional: if “2048-bit (for secure boot only) or greater” is selected] The evaluator shall check that the TSS documents that 2048-bit RSA is used only for secure boot and that a greater key size is used for any other functions.
Guidance [Conditional: if “2048-bit (for secure boot only) or greater” is selected] The evaluator shall check that the AGD documents any configuration needed to ensure that 2048-bit RSA is used only for secure boot and that a greater key size is used for any other functions.
Justification
See Issue Description.
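The evaluation activities above ask the evaluator to confirm that 2048-bit RSA is confined to secure boot and that every other signature function uses a larger key. The following is an added example, not part of TD0809 or the GPOS PP, of how an evaluator or developer could mechanically check a set of signature keys against that rule: it reads the modulus size of each DER-encoded PKCS#1 RSAPublicKey with a small stdlib-only ASN.1 reader, applies the 3072-bit CNSA 1.0 floor, and permits 2048 bits only for keys labelled as secure-boot keys. The usage labels (`secure_boot`, `code_signing`, `update_signing`) and the sample keys are constructed for the example; the sample moduli are synthetic values of the right bit length, not real keys.

```python
"""Key-size policy check for FCS_COP.1/SIGN with the secure-boot exception.
Added example; labels, helpers and sample keys are assumptions, not from the TD."""

MIN_RSA_BITS = 3072              # CNSA 1.0 floor for general signature use
SECURE_BOOT_MIN_RSA_BITS = 2048  # temporary exception granted by the TD
SECURE_BOOT_USAGE = "secure_boot"  # assumed label for secure-boot keys


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos. Returns (tag, value, next_pos).
    Handles short-form and long-form (0x8N) lengths."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER PKCS#1 RSAPublicKey:
    SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # int.from_bytes ignores the DER leading 0x00 sign byte, so the
    # bit length is the true modulus size.
    return int.from_bytes(n_bytes, "big").bit_length()


def check_signature_keys(keys):
    """keys: iterable of (label, usage, der_rsa_public_key).
    Returns a list of (label, bits, reason) for every key below the
    floor that applies to its usage."""
    violations = []
    for label, usage, der in keys:
        bits = rsa_modulus_bits(der)
        floor = SECURE_BOOT_MIN_RSA_BITS if usage == SECURE_BOOT_USAGE else MIN_RSA_BITS
        if bits < floor:
            violations.append((label, bits, f"{usage} requires >= {floor}-bit RSA"))
    return violations


# --- constructed sample keys (synthetic moduli, not real RSA keys) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def make_rsa_public_key_der(bits, e=65537):
    """DER RSAPublicKey whose modulus has exactly `bits` bits (top bit set, odd).
    Only the size is meaningful; the value is not a product of two primes."""
    n = (1 << (bits - 1)) | 1
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


SAMPLE_KEYS = [
    ("platform key (secure boot)", SECURE_BOOT_USAGE, make_rsa_public_key_der(2048)),  # allowed
    ("application code signing", "code_signing", make_rsa_public_key_der(2048)),     # violation
    ("update package signing", "update_signing", make_rsa_public_key_der(3072)),     # allowed
]

if __name__ == "__main__":
    for label, bits, reason in check_signature_keys(SAMPLE_KEYS):
        print(f"VIOLATION: {label}: {bits}-bit key; {reason}")
```

Run as-is it reports only the 2048-bit code-signing key; the secure-boot key of the same size passes under the exception. Since the TD says the exception is temporary, setting `SECURE_BOOT_MIN_RSA_BITS` to 3072 turns the check into the plain CNSA 1.0 rule the PP is expected to require in a later version.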