All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries. Qualcomm and Snapdragon are trademarks or registered trademarks of Qualcomm Incorporated. Other product and brand names may be trademarks or registered trademarks of their respective owners. This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited. Qualcomm Technologies, Inc. 5775 Morehouse Drive San Diego, CA 92121 U.S.A. © 2021 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved. Qualcomm SPU250 Security Target Lite 80-NU430-8 Rev. AD November 26, 2021 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 2 Revision history Revision Date Description AA October 20, 2021 Initial release AB October 26, 2021 Updated rationale AC November 12, 2021 Updated to address certifier’s comments AD November 26, 2021 Updated to address certifier’s comments 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 3 Contents 1 Introduction to SPU250 Security Target........................................................ 7 1.1 Security Target reference.............................................................................. 7 1.2 TOE reference .............................................................................................. 7 1.3 Conventions.................................................................................................. 7 1.4 Technical assistance..................................................................................... 8 2 Security Target overview ................................................................................ 9 2.1 Target of Evaluation...................................................................................... 9 2.2 Non-TOE hardware and software.................................................................10 2.2.1 Non-TOE Software.............................................................................10 2.2.2 Non-TOE Hardware ...........................................................................10 2.3 Security functions.........................................................................................10 2.3.1 Internal Security functions..................................................................10 2.3.2 Cryptographic services (API) .............................................................11 2.3.3 Physical protection.............................................................................11 3 TOE description............................................................................................. 12 3.1 TOE boundary and interface ........................................................................12 3.2 Scope of the TOE ........................................................................................14 3.2.1 Overview............................................................................................14 3.2.2 Hardware...........................................................................................15 3.2.3 Firmware, Software and Application...................................................17 3.2.4 Package.............................................................................................18 3.2.5 Guidance documentation ...................................................................19 3.2.6 Forms of delivery ...............................................................................19 3.2.7 TOE configuration..............................................................................20 3.2.8 TOE initialization................................................................................21 3.2.9 TOE integration..................................................................................21 3.2.10 TOE Life-Cycle ................................................................................21 4 Conformance claims ..................................................................................... 23 4.1 CC conformance claims...............................................................................23 4.2 PP claims.....................................................................................................23 4.3 Package claims............................................................................................23 4.3.1 Conformance Claim Rationale ...........................................................23 5 Security problem definition .......................................................................... 24 5.1 Definition of assets.......................................................................................24 5.2 Threats.........................................................................................................25 Qualcomm SPU250 Security Target Lite Contents 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 4 5.3 Organizational security policies....................................................................27 5.4 Assumptions ................................................................................................27 6 Security objectives........................................................................................ 28 6.1 Security objectives for the TOE....................................................................28 6.2 Security objectives for the development and operational environment .........30 6.3 Security objectives rationale.........................................................................31 7 Extended component definition................................................................... 33 7.1 FMT_CMT Control over Management by TSF components .........................33 7.1.1 Family behavior .................................................................................33 7.1.2 Component leveling ...........................................................................33 7.1.3 Management: FMT_CMT.1................................................................33 7.1.4 Audit: FMT_CMT.1.............................................................................34 7.1.5 FMT_CMT.1 management of TSF data by TSF components.............34 7.2 FDP_SDA Stored Data Authenticity .............................................................34 7.2.1 Family behavior .................................................................................34 7.2.2 Component leveling ...........................................................................34 7.2.3 Management: FDP_SDA.1.................................................................34 7.2.4 Audit: FDP_SDA.1 .............................................................................34 7.2.5 FDP_SDA.1 Stored Data Authenticity ................................................35 7.3 FDP_SDR Stored Data Replay protection....................................................35 7.3.1 Family behavior .................................................................................35 7.3.2 Component leveling ...........................................................................35 7.3.3 Management: FDP_SDR.1 ................................................................35 7.3.4 Audit: FDP_SDR.1.............................................................................35 7.3.5 FDP_SDR.1 Stored Data Replay Protection ......................................35 8 Security requirements................................................................................... 36 8.1 Security functional requirements ..................................................................36 8.1.1 Security functional requirements from the [ICPP]...............................36 8.1.2 Security functional requirements from augmentation packages .........39 8.1.3 Security functional requirements beyond those in [ICPP]...................41 8.2 Security assurance requirements.................................................................48 8.3 Security requirements rationale....................................................................48 9 TOE summary specification ......................................................................... 54 9.1 TOE summary specification rationale...........................................................54 9.1.1 Cryptographic services and random number generation ....................58 9.1.2 Secure boot and secure update .........................................................59 9.1.3 Application manager ..........................................................................60 9.1.4 Domain separation between applications executed by the TOE.........60 9.1.5 Physical protection.............................................................................60 9.1.6 Access control and management (hardware).....................................61 9.1.7 Access control and management (operating system).........................61 9.1.8 Logical protection...............................................................................62 9.1.9 Production data and OTP handling ....................................................62 9.1.10 Life-Cycle Control ............................................................................62 Qualcomm SPU250 Security Target Lite Contents 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 5 A Cryptographic mechanisms table ............................................................... 63 B References..................................................................................................... 66 B.1 Related documents......................................................................................66 B.2 Acronyms and terms....................................................................................67 Qualcomm SPU250 Security Target Lite Contents 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 6 Figures Figure 3-1 TOE components and their interfaces to SoC ..................................................................13 Figure 3-2 TOE IC dedicated software components ..........................................................................14 Figure 3-3 TOE hardware components ..............................................................................................15 Figure 3-4 TOE package.....................................................................................................................19 Figure 3-5 TOE Life-Cycle ..................................................................................................................22 Tables Table 3-1 Configuration Identifier of the TOE.....................................................................................20 Table 3-2 TOE components................................................................................................................20 Table 5-1 Security threats...................................................................................................................25 Table 5-2 Organization security policy ...............................................................................................27 Table 5-3 Security assumptions .........................................................................................................27 Table 6-1 Security objectives for the TOE..........................................................................................28 Table 6-2 Security objectives for the environment .............................................................................30 Table 8-1 Security Requirement vs Objectives mapping ...................................................................49 Table 8-2 Security Requirement dependencies .................................................................................51 Table 9-1 TOE summary specification rationale ................................................................................54 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 7 1 Introduction to SPU250 Security Target This Security Target is defined for the Qualcomm® Secure Processor Unit (SPU250) hardware and firmware embedded in the SM8350 host System-on-Chip (SoC) combined with a double data rate (DDR) memory in a package-on-package (PoP) configuration and its corresponding IC dedicated software and associated documentation. The evaluation considers the SPU hardware and the chip (the entire SoC that comprises the SPU) as well as the PoP packaging. The IC dedicated software is comprised of a firmware (a bootloader and its supporting cryptographic libraries in ROM) and a software (that is, a main control program (MCP), system applications, and software APIs providing cryptographic services to SPU applications). The documentation provided with the TOE describes the configuration requirements by the OEM (SoC integrator) and the usage of the software API by the SPU application developer. This Security Target includes claims derived from the Security IC Platform Protection Profile with Augmentation Packages (BSI-CC-PP-0084-2014) but does not claim conformance to the protection profile. Because the Target of Evaluation (TOE) is not a usual smartcard IC, additional security functions of the hardware and the operating system (OS) have been added to this Security Target. 1.1 Security Target reference “Qualcomm SPU250 Security Target Lite, 80-NU430-8 Rev. AD, Qualcomm Technologies, Inc.” 1.2 TOE reference The TOE described in this Security Target is named “Qualcomm Secure Processor Unit SPU250 (Version: 4.1) in SM8350 SoC (Qualcomm® Snapdragon™ 888) with symmetric and asymmetric crypto support”. 1.3 Conventions The security functional requirements (SFRs) have the following conventions: ◼ Assignments are underlined ◼ Selections are marked with squared brackets [ ] ◼ Refinements are written in italic ◼ Iterations are identified with an extension of the Security Functional Requirement name Qualcomm SPU250 Security Target Lite Introduction to SPU250 Security Target 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 8 For example, the requirement in the Standard is written as follows: The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards]. In this document, the requirement is written as follows: The TSF shall perform message authentication code generation in accordance with a specified cryptographic algorithm CMAC using AES and cryptographic key sizes 128 bits, 256 bits that meet the following: Specification for the ADVANCED ENCRYPTION STANDARD (AES) (FIPS 197), and Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication (NIST SP 800-38B). 1.4 Technical assistance For assistance or clarification on information in this document, submit a case to Qualcomm Technologies, Inc. (QTI) at https://createpoint.qti.qualcomm.com/. If you do not have access to the CDMATech Support website, register for access or send email to support.cdmatech@qti.qualcomm.com. 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 9 2 Security Target overview 2.1 Target of Evaluation The TOE is a subsystem called the Secure Processor Unit (SPU) serving as a Secure Element within a stacked DDR package on package SoC. It is designed as a tamperproof device providing secure storage and a secure execution environment for processing of sensitive data and for performing cryptographic operations using protected keys stored in its secure storage. Secure Elements can be used for multiple application areas that require a high level of security. Examples are as follows: ◼ User authentication and password storage ◼ Content protection ◼ Payment ◼ Subscriber Identity Module (SIM) ◼ Storage and management of digital identities ◼ Secure key storage ◼ Root of trust ◼ Secure Storage of sensitive user data (for example health care records) ◼ Insider Attack Resistance (enforcing end-user’s authentication and consent before allowing a software upgrade) The TOE has dedicated interfaces to other components of the SoC, which allow those components to communicate with the TOE and request services from the TOE. The TOE is comprised of a hardware layer and IC dedicated software providing interfaces for application developers. The TOE will allow for dedicated applications to execute on the OS of the TOE to provide security services as listed above. Those applications are not part of the TOE, but the TOE OS provides services to verify the integrity and authenticity of such applications using digital signatures. The TOE communicates with the other components of the SoC either using shared memory or using shared Configuration and Status Registers (CSRs), interrupts, and power control messages. The TOE Security Functions (TSFs) of the TOE consists of the SPU hardware and IC dedicated software executing on the SPU. Qualcomm SPU250 Security Target Lite Security Target overview 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 10 The hardware of the TSF is internally structured into two main units: ◼ The Secure Processor unit, which performs the general operations of the TSF ◼ The Crypto Management unit, which performs the cryptographic operations and generates, manages, and protects keys For a more detailed description of those units, their functions and how they are internally structured, see section 3.1 on TOE definition. 2.2 Non-TOE hardware and software 2.2.1 Non-TOE Software The TOE is embedded onto Qualcomm SnapdragonTM 888, used in mobile applications. SnapdragonTM 888 comprises a High Level Operating system (HLOS, such as Android) and Trusted Execution Environment (TEE, such as QTEE v5) that are required for the TOE to boot and properly communicate with the rest of the Hardware and Software. Only this way the TOE is operational in a commercial configuration. 2.2.2 Non-TOE Hardware The TOE requires presence of the host SoC (SnapdragonTM 888), DDR (RAM), sMMU as well as flash memory to be functional. The software image is stored encrypted in flash. DDR is required to run customer’s application onto the SPU. The SoC CryptoManager, even though not being required for the TOE to be functional, can be used to re-enable the TOE Fuse Configuration Interface (FCI) for debugging purpose. 2.3 Security functions 2.3.1 Internal Security functions The TOE implements the following internal Security functions: ◼ Access control to the various memories (OTP, RAM, ROM) and peripherals ◼ Access control to keys managed in hardware through enforcement of key policy ◼ Secure boot and secure loading of TOE software stored outside the TOE using the TOE root of trust (ROM code) ◼ Protection of User Data stored outside the TOE ◼ Secure loading of user applications stored outside the TOE ◼ Secure update mechanism of the TOE software or applications ◼ Domain separation between applications executed by the TOE (for both user and system applications) ◼ Anti-replay island and software freshness protection Qualcomm SPU250 Security Target Lite Security Target overview 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 11 2.3.2 Cryptographic services (API) Note: This section is an overview. See functional security requirements descriptions for details on each algorithm and key type/size. The TOE provides cryptographic services using the support of the Cryptographic Management Unit. Services provided through the API for user applications are as follows: ◼ Generation of random numbers (used for key generation) ◼ Secure key storage providing the possibility to have keys stored in the SP-CMU that are not readable by the SP-CPU. The SP-CPU can only request to perform cryptographic operations using those keys. ◼ Secure key generation and zeroization ◼ Symmetric encryption and decryption using the following:  AES with 128 bit and 256 bit keys  TDES with 112 bit and 168 bit keys ◼ Hash functions: SHA-1, SHA-256, SHA-384, SHA-512 ◼ HMAC using keys up to 512 bit length and using SHA-1, SHA-256, SHA-384 or SHA-512 ◼ CMAC with AES using 128 bit and 256 bit keys ◼ Asymmetric cryptographic operations:  RSA 1024 bit and 2048 bit  Elliptic curves cryptography with NIST P-192/224/256/384/521, Brainpool 256 twisted (t1), Brainpool P-192/224/256/320/384/512 non-twisted (r1) and Curve25519 curves. 2.3.3 Physical protection The TOE provides a number of functions and features that are designed to counter physical attacks. Those include the following: ◼ Memory scrambling/memory encryption ◼ Side-channel analysis countermeasures ◼ Fault attacks sensors and countermeasures ◼ Memory/registers integrity checking ◼ PoP form factor 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 12 3 TOE description 3.1 TOE boundary and interface The TOE is an independent subsystem that will be integrated in a SoC in a manner that is agnostic to the hardware and IC dedicated software implementation details. The TOE serves as an independent Root of Trust within the SoC. It does not rely on any external entity for any security enforcement, allowing it to be evaluated as a separate entity. It has its own ROM code for secure boot operations. The TOE and its hardware interfaces to the SoC into which it is integrated are shown in the following figure. The TOE Hardware interfaces are: ◼ Battery Monitor (indicates when power is lost) ◼ System Access to allow SPU to read/write in the SPU shared memory in DDR (SP-sMEM) as well as in SPU protected memory partitions in DDR and NVM. ◼ Private key Bus that is not leveraged by the TOE (The Key Policy never allows to export key on this Bus and the TOE API does not allows to change this setting) for the Inline Crypto Engine (ICE. Used for high speed file encryption/decryption) ◼ Interface to read/write shared Configuration and Status Registers (SP-sCSR) with the SoC. These CSRs are among other things used as doorbell for communication between the SPU and the rest of the SoC ◼ Interface to the RPM (Resource and Power Manager) module to provide SPU power requirement ◼ Interface to the Global Clock Controller (GCC) to provide clock requirement and receive external clock and reset signal for the entire chip, including the SPU. As indicated earlier, the TOE provides a TSF to cryptographically protect User Data before, storage in an SPU DDR partition or SPU NVM partition. This TSF also ensures that User Data read from these locations are trustworthy before processing them internally. Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 13 Figure 3-1 TOE components and their interfaces to SoC The TOE Software interface consist in Application Programming interfaces providing: ◼ Communication services ◼ External Memory storage (read/write) services ◼ Cryptographic services The TOE communicates with the other components of the SoC via the SPU shared memory and the SPU shared Configuration and Status Registers. Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 14 3.2 Scope of the TOE 3.2.1 Overview The TOE is composed of: ◼ SPU Hardware: a hardmacro synthetized independently of rest of SoC and integrated as a black box ◼ SPU (IC) dedicated software:  SPU Firmware: ROM code, which consists of Primary Boot Loader (PBL) and Mission ROM that includes drivers and low level cryptography. The PBL loads the encrypted software of the TOE as described in section 3.2.3.  SPU Software consists of following: – MCP, which provides APIs and services for the system and user applications. – SPU System Applications which provide additional TOE functionalities that are not packaged in the SPU Firmware or MCP. – User applications, which are considered as Security IC Embedded Software, and therefore out of the scope of the TOE. Note that the user applications can access HW features via the APIs and services from MCP and therefore does not have direct interaction with firmware. ◼ Cryptographic library is composed of subset of ROM code (PBL and Mission ROM), subset of MCP and SPU systems application. ◼ Package: the final device in the field consist of a PoP. One package contains the SoC integrating the SPU hardware and the other package contains the DDR that is needed for SPU to be operational and in a certified configuration. The following figure shows the TOE IC dedicated software components of the TOE as well as the Application Programming Interface of the TOE and used by User Application running in the TOE. Note that in Figure 3-2, SPU System Application and User Application are referred as S.APP and U.APP, respectively. Security IC Embedded Software IC Dedicated Software ROM - SPU firmware RAM – SPU software (loaded from NVM) PBL (Secure Boot) Mission ROM Drivers..etc MCP Kernel, API, processes functions OS API S.APP Crypto app API S.APP Asym Crypto app API CryptoLib U.APP e.g. Strongbox API U.APP API U.APP API TOE Figure 3-2 TOE IC dedicated software components Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 15 3.2.2 Hardware The physical boundary of the TOE includes the TOE hardware which consists of the following components: ◼ Secure Central Processing Unit (SP-CPU), which executes the main code of the TOE. ◼ Cryptographic Management Unit (SP-CMU), which provides support for random number generation and key generation as well as symmetric and asymmetric cryptographic functions. It also holds a Key Table (SP-KT). ◼ Processor Interconnect Bus, which is used for data exchange between the SP-CPU and the SP-CMU. ◼ Local Resource Manager (SP-LRM), which provides the interface to the clock, the reset line, and the interface to the sensors (voltage, temperature, logic fault, etc.). ◼ OTP and Security Controller (SP-SC) Block, which holds the One-Time Fuse Programmable ROM area, including keys that the SP-CPU can request to be used by the SP-CMU but cannot read directly. ◼ SP-Timer and SP-Watchdog, which are used to provide timer functionality for the TOE independent from other timers within the SoC. ◼ Memory: SP-RAM (for kernel, applications stacks) and SP-ROM (for the Primary Boot Loader image). ◼ The always-on Island that contains the part of the anti-replay mechanism (SP-ARI) and the Always-On Timer (SP-AOTimer). The External Memory Manager (SP-ExtMM) providing read/write capabilities to TOE external memory. Figure 3-3 TOE hardware components Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 16 3.2.2.1 SP-CPU The SP-CPU is the main processing unit of the TOE. It executes the general firmware and software of the TOE. This CPU provides memory protection that allows the implementation of a secure OS that separates unprivileged applications from each other and allows protection of critical resources from direct access by applications without using the OS services that control access to such critical resources. 3.2.2.2 SP-MPU The memory management unit of the TOE (SP-MPU) is responsible for controlling access to memory (SP-ROM and SP-RAM) and the SP-DMA controller in accordance with the access control attributes of the RAM areas. It is programmed by the SP-CPU from its privileged mode, allowing the OS running on the SP-CPU to protect memory areas from direct access by applications and protect memory areas assigned to one application from direct access by another application. The SP-MPU is supplemented by two permission checker embedded in the SP-RAM and SP-ROM. These combined hardware modules are referenced by the term SP-MMU in remaining of this document. 3.2.2.3 SP-CMU The SP-CMU is a separate subsystem within the TOE that is responsible for the cryptographic operations performed by the TOE as well as the generation and protection of key material used for those operations. The SP-CMU subsystem actually acts like a separate hardware security module in a general purpose operating environment. It consists of the following: ◼ Crypto engine (SP-CE) as the central processing unit of the SP-CMU (which also includes the hardware implementation of the cryptographic coprocessors: AES, SHA-1 and SHA-256). ◼ Random number generation unit (SP-RNG), which consists of two physical noise sources and a DRBG. ◼ Hardware support for accelerating asymmetric crypto operations (SP-PKA). ◼ Crypto Management Controller (SP-CMC), which manages the key storage including the transfer of keys to the key storage. The SP-CMU is programmed by the SP-CPU, which can request operations such as key generation, loading the key, or performing cryptographic operations; the SP-CPU does not have access to the keys themselves that are managed by the SP-CMC (unless the key attributes allow the key to be exported in clear outside the SP-CMU subsystem). The SP-CMC manages the keys stored in the SP-KT, which are the keys private to the TOE. Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 17 3.2.2.4 SP-SC The security control component (SP-SC) contains the SP-QFPROM (OTP) and is responsible for controlling access to OTP areas there. This includes protection of areas that are write-protected and control access of the SP-CPU to allow it to only access dedicated OTP items that are not indicated as read-protected. Some secret data stored in OTP are stored in encrypted form. 3.2.2.5 SP-LRM The SP-LRM is responsible for interrupt handling and management of the TOE. The sensors that detect operational problems, faults, or potential attacks are connected to the SP-LRM and cause an interrupt when they detect a problem. The SP-LRM passes the interrupt to the SP-CPU for handling and requires the SP-CPU to clear the interrupt, indicating that it has received and processed the interrupt. Alternatively, the SP-LRM can be configured to perform a cold reset upon specific sensors detection. Note that internal interrupts of the SP-CPU (such as system tick time expiration, SP-MMU permission error, and privilege exception) are handled directly by the SP-CPU and not by the SP-LRM, but an interrupt caused by the SP-Timer is handled by the SP- LRM. 3.2.3 Firmware, Software and Application The PBL and OS with the software API are considered as logical boundary of the TOE to user application. The OS manages the access to the services provided by the TOE, implements software countermeasures and controls the user applications. The TOE OS consists of: ◼ The drivers in Mission ROM (stored in ROM) ◼ The software (loaded from NVM and stored in RAM)  MCP image  System applications – Cryptoapp – Asym_cryptoapp In a nutshell, the PBL in firmware loads MCP which loads system applications. The TOE contains the firmware in SP-ROM that is used for the secure boot process (PBL and its supporting cryptographic libraries). In addition, part of the firmware contains drivers that are used in operational mode by the loaded Software (after the secure boot). The TOE also contains the software, MCP, which is stored in external non-volatile memory (NVM) and loaded into RAM at runtime by the PBL. The MCP image is stored signed and encrypted in the external memory. The PBL verifies the signature and decrypts the software each time before the MCP is executed by the SP-CPU. The OS is formed by the MCP, the System applications and the associated drivers in the firmware. The OS is running on the SP-CPU and provides services to user applications loaded for the SP-CPU. The OS verifies the integrity and authenticity and enforce confidentiality of any applications loaded to the TOE including System Applications. Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 18 The MCP image and the Applications are stored in external memory and can be updated by downloading a newer version in the external memory. A set of rollback counters prevent the TOE from loading an older version of MCP or an application. The OS is also responsible to separate applications executing on it from each other and control that an application uses only those services and objects it is supposed to use (as defined in the downloaded and signed application package). This OS is part of the TOE and implements some TSF. The System applications, as part of OS, are stored in external non-volatile memory (NVM) and are loaded into SP-RAM at runtime by the aforementioned MCP. The TOE contains two System applications: ◼ Cryptoapp: implements the RSA key generation service. ◼ Asym_cryptoapp: implements additional asymmetric cryptography services and the corresponding API. The OS provide the following services to User applications via APIs: ◼ Cryptographic services (AES, Hashing and message authentication codes) with keys either held as retained keys within the SP-CMU (in the SP-KT) or with keys provided by the application. If retained keys are used, the OS verifies that the application is allowed to use those keys and if they are used in accordance with the key attributes. In addition, the TOE provides random number generation services. ◼ Cryptographic services (AES, TDES, ECDSA, ECDH and RSA) with keys provided by the application. ◼ Nonvolatile memory storage for User data. User data is stored (in external DDR/NVM) encrypted, authenticated and protected against replay. The TOE maintains a unique key for each application that is used for these cryptographic operations. ◼ Communication services with external entities (for example Modem sub-system, HLOS or Trusted Execution Environment). ◼ Application loading services. 3.2.4 Package The TOE package is shown in an abstracted way, not to scale and without all connections in the following figure. The PoP solution consists in: ◼ The Package A containing the SoC bare die integrating the SPU hardware. ◼ The Package B containing the DDR bare die required for the system to work. The SoC is integrated into Package A during phase 4 (see 3.2.10). The package B is stacked on Package A during phase 6 (see 3.2.10). Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 19 Package A (upper) Package A (lower) SoC DDR Package B (upper) Package B (lower) PCB SPU Figure 3-4 TOE package 3.2.5 Guidance documentation The API for the use of the Services of the Secure Processor as well as associated guidance are provided with the software development kit. 3.2.6 Forms of delivery The TOE comprises all items that listed in Table 3-2. The TOE hardware and firmware (ROM) including the personalization data (in SP- QFPROM) will be delivered in the form of a partly packaged SoC to the device manufacturers to integrate the SoC into his devices. The integration include a step of adding a DDR package on top of the partly packaged SoC. This is called a PoP. In addition, the device manufacturers will receive the TOE software (MCP image and System Applications) as part of an overall Qualcomm SW package for the SoC. Qualcomm provides customers access to the Agile system that can be used to download the SW package. The TOE software will be loaded by the device manufacturer in the device non-volatile memory (for example flash memory). Also, the guidance documents listed in Table 3-2 can be downloaded from the data based provided in Agile. Delivery protection for all TOE components is covered by ALC_DEL and ALC_DVS. Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 20 3.2.7 TOE configuration The following table describes the definition of configuration identifier of the TOE. Table 3-1 Configuration Identifier of the TOE Name Identifier (Evaluated version) Description SPU hardware Version (4.1) HW version from RTL (Hardcoded) SPU firmware Version (55100000) SPU firmware: PBL and Mission ROM SPU software Build version (SPSS.A1.1.4- 00108-LAHAINA.0-1) The build version of SPU software (MCP) Foundry ID Version (F2, F6) The foundry ID of SoC F2: Samsung “S3” F6: Samsung “S5” The TOE components are as follows: Table 3-2 TOE components Item Type Item Version/Label Form of Delivery Hardware SoC embedding the SPU hard macro SM8350 4.1 bare die Firmware ROM code ▪ Secure boot loader (PBL) ▪ Mission ROM (drivers and low level cryptography) Lahaina_v1_P3R6 Included in SPU hard macro ROM Software MCP image SPSS.A1.1.4-00108- LAHAINA.0-1 Software image encrypted and signed Software System application - cryptoapp SPSS.A1.1.4-00108- LAHAINA.0-1 Software image encrypted and signed Software System application - asym_cryptoapp SPSS.A1.1.4-00108- LAHAINA.0-1 Software image encrypted and signed Document Secure Processor Unit (SPU) – Anti-replay Island (ARI) Overview for SM8350 80-PN145-16, Revision B PDF Document Qualcomm Secure Processing Unit Enablement for SM8350 Devices 80-PK177-4, Revision AD PDF Document Qualcomm Secure Processing Unit Enablement Guidelines for SM8350 Application Developers 80-PK177-5, Revision AB PDF Document SM8350 Secure Boot Enablement – User Guide 80-PK177-14, Revision AA PDF Document Secure Processor Unit SDK – API Reference 80-PV579-1, Revision AD PDF Document SMT Assembly Guidelines SM80-P0982-1, Revision E PDF Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 21 Item Type Item Version/Label Form of Delivery Document Qualcomm Trusted Execution Environment (TEE) Reference Manual 80-NH537-4, Revision. M PDF 3.2.8 TOE initialization The TOE is provisioned with individual keys and transition to operational state during Final Test in OSAT premises The TOE can only boot fully after it has been integrated in a device containing the Software (MCP image) during the product integration phase by the OEM. After composite product integration and during operational usage the TOE performs the following action upon boot: ◼ Life-Cycle control ◼ SPU250 configuration ◼ Software (MCP image) loading in SPU internal memory (SP-RAM), signature verification and decryption ◼ Software (MCP image) execution ◼ System applications loading in SPU internal memory (SP-RAM), signature verification and decryption 3.2.9 TOE integration The TOE is an integrated part of a larger SoC that itself is intended to be integrated into mobile or other devices. 3.2.10 TOE Life-Cycle The Life-Cycle of the TOE has been modified (refined with additional phase) compared to [ICPP] to match our TOE Life-Cycle. The Life-Cycle control of the TOE ensures that a device in Test mode cannot run the TOE software and limits access to the TOE firmware (to the minimal set of code required to boot). The Life-Cycle control of the TOE ensures that the device is in Perso mode before TOE initialization and pre-personalization (phase 5) is performed. Initialization includes static data provisioning while pre-personalization includes per chip data provisioning (such as keys) The Life-Cycle control of the TOE ensures that TOE data (stored during phase 5) and user data (stored during phase 7) are protected in Operational mode. The process of developing and manufacturing a composite product that contains the TOE is shown in the following figure. The Firmware and Software development is done as part of the TOE development and the Firmware is internally delivered for the integration into the ROM. Qualcomm SPU250 Security Target Lite TOE description 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 22 The IC packaging phase embeds the SoC into PCBs on both sides that allow the addition of the DDR and the integration into the final product. DDR addition and integration into the final product is done in Phase 6. TOE personalization includes the provisioning of keys that allow customers to perform further personalization of their SPU applications while the TOE is in Operational mode. Phase 1: IC Embedded Software Development Phase 2: IC Development Phase 3: IC Manufacturing Phase 4: IC Packaging Phase 6: Composite Product Integration Phase 5: TOE Personalization Firmware (ROM) Software (Flash) Phase 7: Personalisation TOE Delivery Device In Test mode Device In Operational mode Phase 8: Operational Usage Device In Perso mode Figure 3-5 TOE Life-Cycle 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 23 4 Conformance claims 4.1 CC conformance claims This Security Target and the TOE claim conformance to Common Criteria for Information Technology Security Evaluation, Parts 1, 2, and 3, Version 3.1, Revision 5, which is referred to in this document as [CC]. The Security Target conformance claimed is: Part 1 conformant, Part 2 extended, Part 3 conformant. 4.2 PP claims This Security Target does not claim conformance to any protection profile but is inspired by Security IC Platform Protection Profile with Augmentation Packages, Version 1.0 (BSI-CC-PP-0084-2014), which is referred to in this document as [ICPP]. 4.3 Package claims The packages for AES, TDES and Hash functions from [ICPP] have been included. The Security Target claims conformance to EAL4 augmented by ALC_DVS.2 and AVA_VAN.5. 4.3.1 Conformance Claim Rationale The TOE specified in this Security Target is a self-sufficient component of a packaged Qualcomm Snapdragon System-on-Chip (SoC). Apart from access to memory, power supply, the connectivity to consumers of the TOE functionality and the dependencies as described in Section 2.2 , the remainder of the SoC does not support any aspect of the operation of the TOE. The TOE can therefore be regarded as a Security Integrated Circuit and its package. The TOE provides different types of cryptographic services to external entities, stores and generates keys which can be used for different cryptographic operations.. The keys stored and processed by the TOE are protected against logical or physical attacks. In addition, the development and production Life-Cycle is based on the [ICPP]. 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 24 5 Security problem definition 5.1 Definition of assets The assets to be protected are as follows (as specified in the [ICPP]): ◼ User data stored inside the TOE, or processed by the TOE ◼ User data stored outside the TOE while under the control of the TOE (this covers data exported through the Nonvolatile memory driver but not the data exported on the communication driver) ◼ TSF data (data used internally by the TOE such as internal encryption keys, firmware…etc.) ◼ Security IC Embedded Software (user applications), being stored and being executed ◼ Security services provided by the TOE to applications, executed in the TOE Components of the SoC that are not part of the TOE are considered external entities and they can communicate with the TOE in a similar way an external entity communicates with a smart card. The communication between those components and the TOE is via the shared CSRs, interrupts, and the shared memory areas. The CSRs act as mailboxes where the other components send requests to the TOE, and the shared memory areas are used for bulk data transfer required to process those requests. More precisely, the TOE assets (TSF) that require protection are as follows: ◼ Root keys ◼ Keys derived from root keys ◼ Revision ◼ Life-Cycle state data ◼ Code execution control ◼ Code integrity, authenticity, confidentiality and rollback prevention (load and runtime) ◼ Data integrity, authenticity, confidentiality and Replay Protection (load and runtime) ◼ Debug/Test mode/interface Note that the term Rollback and Replay are used interchangeably throughout the document. Qualcomm SPU250 Security Target Lite Security problem definition 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 25 5.2 Threats The following threats are defined in [ICPP]. Table 5-1 Security threats Threat Description T.Leak-Inherent Inherent Information Leakage An attacker may exploit information, which is leaked from the TOE during usage of the Security IC, to disclose confidential user data as part of the assets. T.Phys-Probing Physical Probing An attacker may perform physical probing of the TOE (i) to disclose user data while stored in protected memory areas, (ii) to disclose/reconstruct user data while processed, or (iii) to disclose other critical information about the operation of the TOE to enable attacks disclosing or manipulating user data of the Composite TOE or the Security IC Embedded Software. T.Malfunction Malfunction due to Environmental Stress An attacker may cause a malfunction of TSF or the Security IC Embedded Software by applying environmental stress to (i) modify security services of the TOE, (ii) modify functions of the Security IC Embedded Software, or (iii) deactivate or affect security mechanisms of the TOE to enable attacks disclosing or manipulating user data of the Composite TOE or the Security IC Embedded Software. This may be achieved by operating the Security IC outside normal operating conditions. T.Phys-Manipulation Physical Manipulation An attacker may physically modify the Security IC to (i) modify user data of the Composite TOE, (ii) modify the Security IC Embedded Software, (iii) modify or deactivate security services of the TOE, or (iv) modify security mechanisms of the TOE to enable attacks disclosing or manipulating user data of the Composite TOE or the Security IC Embedded Software. T.Leak-Forced Information Leakage An attacker may exploit information, which is leaked from the TOE during usage of the Security IC, to disclose confidential user data of the Composite TOE as part of the assets even if the information leakage is not inherent but caused by the attacker. T.Abuse-Func Abuse of Functionality An attacker may use functions of the TOE which may not be used after TOE Delivery to (i) disclose or manipulate user data of the Composite TOE, (ii) manipulate (explore, bypass, deactivate, or change) security services of the TOE, or (iii) manipulate (explore, bypass, deactivate, or change) functions of the Security IC Embedded Software, or (iv) enable an attack disclosing or manipulating user data of the Composite TOE or the Security IC Embedded Software. T.RND Deficiency of Random Numbers An attacker may predict or obtain information about random numbers generated by the TOE security service, for instance, because of a lack of entropy of the random numbers provided. The following threats are not part of [ICPP] and have been added: T.Boot-Compromise Compromising the Boot Functionality An attacker might attempt to interfere with the boot process by attempting to boot TSF software not authorized by the TOE. T.CONFID-TSF-CODE The attacker executes an application without authorization to disclose the TSF software. Qualcomm SPU250 Security Target Lite Security problem definition 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 26 Threat Description T.CONFID-APPLI- DATA The attacker executes an application without authorization to disclose data belonging to another application. T.CONFID-TSF-DATA The attacker executes an application without authorization to disclose data belonging to the TSF. T.INTEG-APPLI- CODE The attacker executes an application to alter (part of) its own or another application’s code. T.INTEG-TSF-CODE The attacker executes an application to alter (part of) the TSF software. T.INTEG-APPLI-DATA The attacker executes an application to alter (part of) another application’s data. T.INTEG-TSF-DATA The attacker executes an application to alter (part of) TSF data. T.AUTH-TSF-DATA The attacker replaces (part of) TSF data with (part of) TSF data from another device T.AUTH-APPLI-DATA The attacker replaces (part of) application data with (part of) application data from another device T.RBP-TSF-DATA The attacker performs a rollback operation on (part of) TSF data (replay an older version) T.RBP-APPLI-DATA The attacker performs a rollback operation on (part of) application data (replay an older version) Threat agents that must be considered are as follows: ◼ Non-TOE Software executing as nonprivileged software on the SP-CPU, attempting to attack the functionality of the TOE or gain information by observing the behavior of the TOE. Only software whose manifest is vetted by Qualcomm can be loaded into the TOE. Qualcomm vets the software developer and controls privileges of the software by the manifest. To keep the evaluation to a reasonable effort, such software components are not included into the TOE. ◼ Hardware or software executing on other components of the SoC, attempting to attack the functionality of the TOE or gain information by observing the behavior of the TOE. ◼ External entities accessing the SoC via its external interfaces. ◼ External attackers that physically probe the TOE. ◼ External attackers that attempt to gain access to TSF or user data (critical information) by observing the behavior of the TOE. Qualcomm SPU250 Security Target Lite Security problem definition 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 27 5.3 Organizational security policies The following organizational security policies are defined in [ICPP]. Table 5-2 Organization security policy Policy Description P.Process-TOE Identification during TOE Development and Production An accurate identification must be established for the TOE. This requires that each instantiation of the TOE carries this unique identification. P.Crypto-Service Cryptographic services of the TOE The TOE provides secure hardware based cryptographic services for the IC Embedded Software. Application Note: the following crypto services are supported by hardware: AES, SHA-1, SHA-256, SHA-384, SHA-512, HMAC, CMAC AES and KDF and the asymmetric accelerator for ECDH/ECDSA, RSA_SIGN and RSA_ENC (for all modes, please refer to appendix B). One organizational security policy has been added that is not included in [ICPP]: P.Least-Privilege Least Privilege for TSF Components The TSF itself is structured into a number of components where some components have their own internal functions and data that is not directly accessible by other components of the TSF. This limits the access from a component to the other component on the SP-CPU. 5.4 Assumptions One assumption that is not included in [ICPP] has been added. Table 5-3 Security assumptions Assumption Description A.Process-Sec-IC Protection during Packaging, Finishing, and Personalization It is assumed that security procedures are used after delivery of the TOE by the TOE Manufacturer up to delivery to the end-consumer to maintain confidentiality and integrity of the TOE and of its manufacturing and test data (to prevent any possible copy, modification, retention, theft, or unauthorized use). This means that the Phases after TOE Delivery (refer to Sections 1.2.2 and 7.1 in [ICPP]) are assumed to be protected appropriately. For a preliminary list of assets to be protected, refer to paragraph 96 (page 29 in [ICPP]). A.Resp-Appl Treatment of User Data of the Composite TOE All user data of the Composite TOE are owned by Security IC Embedded Software. Therefore, it must be assumed that security relevant user data of the Composite TOE (especially cryptographic keys) are treated by the Security IC Embedded Software as defined for its specific application context. A.Protect-Shared- Comp It is assumed that the TEE restricts access of non-TOE components to specific interfaces of TOE; please refer to 80-NH537-4, Revision. M. 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 28 6 Security objectives The Security Objectives are taken from [ICPP] with some additional security objectives added. 6.1 Security objectives for the TOE Table 6-1 Security objectives for the TOE Objective Description O.Leak-Inherent Protection against Inherent Information Leakage The TOE must provide protection against disclosure of confidential data stored and/or processed in the Security IC by measurement and analysis of the shape and amplitude of signals (for example on the power, clock, or I/O lines) and by measurement and analysis of the time between events found by measuring signals (for instance, on the power, clock, or I/O lines). O.Phys-Probing Protection against Physical Probing (Refined) Refinement: The TOE must provide protection against disclosure/reconstruction of user data while transferred or stored in protected memory areas and processed by the hardware or against the disclosure of other critical information about the operation of the TOE. This includes protection against measuring through galvanic contacts, which is direct physical probing on the chips surface except on pads being bonded (using standard tools for measuring voltage and current) or measuring not using galvanic contacts but other types of physical interaction between charges (using tools used in solid-state physics research and IC failure analysis) with a prior reverse-engineering to understand the design and its properties and functions. The TOE must be designed and fabricated so that it requires a high combination of complex equipment, knowledge, skill, and time to derive detailed design information or other information that could be used to compromise security through such a physical attack. O.Malfunction Protection against Malfunctions The TOE must ensure its correct operation. The TOE must indicate or prevent its operation outside the normal operating conditions where reliability and secure operation have not been proven or tested. This is to prevent malfunctions. Examples of environmental conditions are voltage, clock frequency, temperature, or external energy fields. O.Phys-Manipulation Protection against Physical Manipulation The TOE must provide protection against manipulation of the TOE (including its software and TSF data), the Security IC Embedded Software, and user data of the Composite TOE. This includes protection against reverse-engineering (understanding the design and its properties and functions), manipulation of the hardware and any data, as well as undetected manipulation of memory contents. Qualcomm SPU250 Security Target Lite Security objectives 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 29 Objective Description O.Leak-Forced Protection against Forced Information Leakage ▪ The Security IC must be protected against disclosure of confidential data processed in the Security IC (using methods as described under O.Leak-Inherent) even if the information leakage is not inherent but caused by the attacker by forcing a malfunction (see O.Malfunction: Protection against Malfunctions) and/or ▪ by a physical manipulation (see O.Phys-Manipulation: Protection against Physical Manipulation). If this is not the case, signals that normally do not contain significant information about secrets could become an information channel for a leakage attack. O.Abuse-Func Protection against Abuse of Functionality The TOE must prevent that functions of the TOE, which may not be used after TOE Delivery, can be abused to (i) disclose critical user data of the Composite TOE, (ii) manipulate critical user data of the Composite TOE, (iii) manipulate Security IC Embedded Software, or (iv) bypass, deactivate, change, or explore security features or security services of the TOE. Details depend, for instance, on the capabilities of the Test Features provided by the IC Dedicated Test Software, which are not specified here. O.Identification TOE Identification The TOE must provide means to store Initialization Data and Pre-personalization Data in its nonvolatile memory. The Initialization Data (or parts of it) are used for TOE identification. O.RND Random Numbers The TOE will ensure the cryptographic quality of random number generation. For instance, random numbers shall not be predictable and shall have a sufficient entropy. The TOE will ensure that no information about the produced random numbers is available to an attacker because they might be used, for instance, to generate cryptographic keys. O.AES Cryptographic service AES The TOE provides secure hardware based cryptographic services for the AES for encryption and decryption. O.TDES Cryptographic service Triple-DES The TOE provides secure software based cryptographic services implementing the Triple-DES encryption and decryption O.SHA Cryptographic Service Hash Function The TOE provides secure hardware-based cryptographic services for secure hash calculation. Security Objectives in addition to the ones defined in [ICPP]: O.Defense-in-Depth Defense-In-depth The TOE shall ensure that critical functions and TSF data cannot be accessed by a malicious software executing on the SP-CPU. O.Secure-Boot Secure Boot Process The TOE shall ensure that only authorized software is loaded during the boot process after the integrity and authenticity of that software has been verified. O.RSA The TOE provides secure cryptographic services implementing the RSA algorithm for signature generation, verification and encryption. This implementation uses dedicated hardware support provided by the TOE. O.ECDSA The TOE provides secure cryptographic services implementing the ECDSA algorithm based on the NIST P-192/224/256/384/521, Brainpool 256 twisted (t1) and Brainpool P-192/224/256/320/384/512 non-twisted (r1) for signature generation and verification. This implementation uses dedicated hardware support provided by the TOE. Qualcomm SPU250 Security Target Lite Security objectives 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 30 Objective Description O.ECDH The TOE provides secure cryptographic services implementing the ECDH algorithm based on the NIST P-192/224/256/384/521, Brainpool 256 twisted (t1), Brainpool P- 192/224/256/320/384/512 non-twisted (r1) and Curve25519 curves for key generation and shared secret generation. This implementation uses dedicated hardware support provided by the TOE. O.KDF The TOE provides secure cryptographic services implementing the Key Derivation Function algorithm based on NIST SP 800-108. This implementation uses dedicated hardware support provided by the TOE. O.HMAC The TOE provides secure hardware-based cryptographic services for Keyed-Hash Message Authentication Code (HMAC) (FIPS 198-1) calculation. O.CMAC The TOE provides message authentication code generation in accordance with ADVANCED ENCRYPTION STANDARD (AES) (FIPS 197) and the CMAC Mode for Authentication (NIST SP 800-38B). O.OSData.Access Restriction of access to data maintained by operating system The TSF must restrict access of any type of software applications running on the SPU exclusively to its own data stored in volatile and non-volatile memory. O.OSData.Protect Protection of data maintained by operating system The TSF must protect TSF code, TSF data, application code and application data using cryptographic functions with a cryptographic strength commensurate with the value of the data against loss of confidentiality, integrity, authenticity and against rollback. O.Reallocation Reallocation of resources The TOE shall ensure that the re-allocation of an internal memory block for the runtime areas maintained by the TOE operating system does not disclose any information that was previously stored. 6.2 Security objectives for the development and operational environment One security objective has been added that is not included in [ICPP]. Table 6-2 Security objectives for the environment Objective Description OE.Process-Sec-IC Protection during Composite Product Manufacturing Security procedures shall be used after TOE Delivery up to delivery to the end-consumer to maintain confidentiality and integrity of the TOE and of its manufacturing and test data (to prevent any possible copy, modification, retention, theft, or unauthorized use). This means that Phases after TOE Delivery up to the end of Phase 6 (refer to Section 1.2.3 of [ICPP]) must be protected appropriately. For a preliminary list of assets to be protected, see section 5.1. OE.Resp-Appl Treatment of user data of the Composite TOE Security relevant user data of the Composite TOE (especially cryptographic keys) are treated by the Security IC Embedded software as required by the security needs of the specific application context. OE.Protect-Shared- Comp The TEE shall be configured to restrict access of non-TOE components to specific interfaces of TOE, please refer to 80-NH537-4, Revision. M. Qualcomm SPU250 Security Target Lite Security objectives 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 31 6.3 Security objectives rationale For the threats, assumptions, organizational security policies, and security objectives that are listed in [ICPP], the rationale described there applies. This includes the policy P.Crypto-Service and the included objectives O.AES, O.TDES and O.SHA. There have been the following threats, assumptions, organizational security policies, and objectives added in this Security Target: ◼ Threats:  T.Boot-Compromise  T.CONFID-TSF-CODE  T.CONFID-APPLI-DATA  T.CONFID-TSF-DATA  T.INTEG-APPLI-CODE  T.INTEG-TSF-CODE  T.INTEG-APPLI-DATA  T.INTEG-TSF-DATA  T.RBP-TSF-DATA  T.RBP-APPLI-DATA  T.AUTH-TSF-DATA  T.AUTH-APPLI-DATA ◼ Assumptions:  A.Protect-Shared-Comp ◼ Organizational security policies:  P.Least-Privilege ◼ Security objectives:  O.Defense-in-Depth  O.Secure-Boot  O.RSA  O.ECDSA  O.ECDH  O.CMAC  O.HMAC  O.KDF  O.OSData.Access  O.OSData.Protect  O.Reallocation Qualcomm SPU250 Security Target Lite Security objectives 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 32 ◼ Security objectives on the operational environment:  OE.Protect-Shared-Comp The threat T.Boot-Compromise is addressed by the security objective O.Secure-Boot, which requires that the software loaded during the boot process is verified for its authenticity and integrity before it is executed. The threats T.CONFID-TSF-CODE, T.CONFID-TSF-DATA, T.INTEG-TSF-CODE, T.INTEG-TSF-DATA, T.RBP-TSF-DATA and T.AUTH-TSF-DATA are addressed by the security objective of O.OSData.Protect that requires that TSF data maintained by the operating system is protected with cryptographic mechanisms including encryption, MAC and replay counter to prevent unauthorized disclosure or modification or exchange. The threats are derived from [JCSPP]. The threats T.CONFID-APPLI-DATA and T.INTEG-APPLI-DATA are addressed by the security objective O.OSData.Access limiting applications to access only their own data maintained by the operating system. The threats are derived from [JCSPP]. The threats T.CONFID-APPLI-DATA, T.INTEG-APPLI-CODE, T.INTEG-APPLI-DATA, T.RBP-APPLI-DATA and T.AUTH-APPLI-DATA are addressed by the security objective O.OSData.Protect requires that user data maintained by the operating system is protected with cryptographic mechanisms to prevent unauthorized access. The threats are derived from [JCSPP]. The threat of T.CONFID-APPLI-DATA, T.INTEG-APPLI-DATA, T.CONFID-TSF-DATA, and T.INTEG-TSF-DATA are addressed by the security objective O.Reallocation requiring the operating system to clear internal memory resources upon reallocation. The threats and objective are derived from [JCSPP]. The organizational security policy P.Least-Privilege is addressed by the additional security objective O.Defense-in-Depth, which requires that critical resources are protected by more than just one ring of protection. The organizational security policy P.Crypto-Service is used as intended in [ICPP]. P.Crypto-Service implements a number of cryptographic functions supported by the hardware platform (O.RSA, O.ECDSA, O.ECDH, O.HMAC, O.CMAC, O.KDF). The assumption A.Protect-Shared-Comp is addressed by the security on the operational environment OE.Protect-Shared-Comp which requires the TEE component to be configured to restrict access of non-TOE components to specific interfaces of TOE. 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 33 7 Extended component definition This Security Target uses the extended components based on [ICPP]: ◼ FCS_RNG.1 ◼ FMT_LIM.1 ◼ FMT_LIM.2 ◼ FAU_SAS.1 ◼ FDP_SDC.1 For the complete specification and justification of those extended SFRs, the reader is referred to [ICPP]. The following additional extended components are defined for this Security Target. 7.1 FMT_CMT Control over Management by TSF components 7.1.1 Family behavior This family allows the specification of defined TSF components that take control over the management of TSF data. The main difference between the existing components of Part 2 of [CC] and the one defined here is that the management function is not restricted to a specified role, but is restricted to defined TSF components. This SFR does not have any dependencies on other management SFRs as it does not require administrative intervention since the management mechanism is hard-coded into the TSF. 7.1.2 Component leveling FMT_CMT.1 Management of TSF data allows dedicated TSF components to manage TSF data. 7.1.3 Management: FMT_CMT.1 There are no management activities foreseen. Qualcomm SPU250 Security Target Lite Extended component definition 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 34 7.1.4 Audit: FMT_CMT.1 The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST: Basic: All modifications to the values of TSF data. 7.1.5 FMT_CMT.1 management of TSF data by TSF components Hierarchical to: No other components Dependencies: No other components FMT_CMT.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the defined TSF components]. 7.2 FDP_SDA Stored Data Authenticity 7.2.1 Family behavior This family provides requirements that address protection of user data and TSF data authenticity while these data are stored within memory areas protected by the TSF. The TSF provides access to the data in the memory through the specified TOE interfaces only and detect modification of memory information bypassing these TOE interfaces. The TSF complement the family Stored data integrity (FDP_SDI) which protects the user data from integrity errors while being stored in the memory. 7.2.2 Component leveling FDP_SDA.1 Requires the TOE to protect the authenticity of information of user data and TSF data in specified memory areas. 7.2.3 Management: FDP_SDA.1 There are no management activities. 7.2.4 Audit: FDP_SDA.1 There are no actions defined to be auditable Qualcomm SPU250 Security Target Lite Extended component definition 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 35 7.2.5 FDP_SDA.1 Stored Data Authenticity Hierarchical to: No other components Dependencies: No other components FDP_SDA.1.1 The TSF shall ensure the authenticity of user data and TSF data while it is stored in the [assignment: memory area] 7.3 FDP_SDR Stored Data Replay protection 7.3.1 Family behavior This family provides requirements that address protection of user data and TSF data against replay attack while these data are stored within memory areas protected by the TSF. The TSF provides access to the data in the memory through the specified TOE interfaces only and detect replay of otherwise valid data through bypassing these TOE interfaces. It complement the family Stored data integrity (FDP_SDI) which protects the user data from integrity errors while being stored in the memory. 7.3.2 Component leveling FDP_SDR.1 Requires the TOE to protect against replay attack of information of user data and TSF data in specified memory areas. 7.3.3 Management: FDP_SDR.1 There are no management activities. 7.3.4 Audit: FDP_SDR.1 There are no actions defined to be auditable 7.3.5 FDP_SDR.1 Stored Data Replay Protection Hierarchical to: No other components Dependencies: No other components FDP_SDR.1.1 The TSF shall detect replay of user data and TSF data while it is stored in the [assignment: memory area] 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 36 8 Security requirements 8.1 Security functional requirements 8.1.1 Security functional requirements from the [ICPP] FRU_FLT.2 – Limited fault tolerance FRU_FLT.2.1 – The TSF shall ensure the operation of all the TOE’s capabilities when the following failures occur: exposure to operating conditions that are not detected according to the requirement “Failure with preservation of secure state (FPT_FLS.1)”. Refinement: The term failure above means circumstances. The TOE prevents failures for the circumstances defined above. FPT_FLS.1 – Failure with preservation of secure state FPT_FLS.1.1 – The TSF shall preserve a secure state when the following types of failures occur: exposure to operating conditions which may not be tolerated according to the requirement “Limited fault tolerance (FRU_FLT.2)” and where therefore a malfunction could occur. Refinement: The term failure above also covers circumstances. The TOE prevents failures for the circumstances defined above. FMT_LIM.1 – Limited capabilities FMT_LIM.1.1 – The TSF shall be designed and implemented in a manner that limits their capabilities so that in conjunction with “Limited availability (FMT_LIM.2)” the following policy is enforced: Deploying Test Features after TOE Delivery does not allow user data of the Composite TOE to be disclosed or manipulated, TSF data to be disclosed or manipulated, software to be reconstructed, and no substantial information about construction of TSF to be gathered which may enable other attacks. Application Note: Composite TOE refers to the Secure Process hardware component part of the SoC (excluding the remainder of the SoC) with the firmware and software executing on the SP-CPU. Software executing on other parts of the SoC (including software executing in the Arm TrustZone of the SoC master processor) is not considered here. Such software can be viewed similar to the software in entities external to the IC such as the software in a smart card reader. All such software in other parts of the SoC is considered as non-interfering. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 37 FMT_LIM.2 – Limited availability FMT_LIM.2.1 – The TSF shall be designed and implemented in a manner that limits their availability so that in conjunction with “Limited capabilities (FMT_LIM.1)” the following policy is enforced: Deploying Test Features after TOE Delivery does not allow user data of the Composite TOE to be disclosed or manipulated, TSF data to be disclosed or manipulated, software to be reconstructed, and no substantial information about construction of TSF to be gathered which may enable other attacks. FAU_SAS.1 – Audit storage FAU_SAS.1.1 – The TSF shall provide the test process before TOE Delivery with the capability to store [the Initialization Data, Pre-personalization data] in the SP-QFPROM. FDP_SDC.1(1) – Stored data confidentiality FDP_SDC.1.1(1) – The TSF shall ensure the confidentiality of the information of the user data and the TSF data while it is stored in the memory area within TOE HW boundary. Application Note: Different memory areas have different access protection mechanisms. Especially, key material stored in the SP-CMU key tables is confidentiality-protected even from any software executing on the SP-CPU. These keys can be either TSF data or user data and, therefore, the SFR has been refined to also include TSF data. The TSF data to which this applies are keys used by the TSF internally (hardware keys), while managed keys can be user data when they are defined for and used by an application executing on the operating system of the SP-CPU. FDP_SDI.2(1) – Stored data integrity monitoring and action FDP_SDI.2.1(1) – The TSF shall monitor user data stored in containers controlled by the TSF for parity errors using parity check/Error Correcting Code and errors after partial power collapse using a checksum function on all objects, based on the following attributes: data stored in SP- RAM, data stored in the SP-CMU key tables. FDP_SDI.2.2(1) – Upon detection of a data integrity error, the TSF shall perform a cold reset and increment a fault counter. Application Note: Another SFR, defined in section 8.1.3.2, handles the special case of the operating system image stored in RAM. FPT_PHP.3 – Resistance to physical attack FPT_PHP.3.1 – The TSF shall resist physical manipulation and physical probing to the TSF by responding automatically such that the SFRs are always enforced. Refinement: The TSF will implement appropriate mechanisms to continuously counter physical manipulation and physical probing. Due to the nature of these attacks (especially manipulation), the TSF can by no means detect attacks on all of its elements. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 38 Therefore, permanent protection against these attacks is required ensuring that security functional requirements are enforced. Hence, “automatic response” means here (i) assuming that there might be an attack at any time and (ii) countermeasures are provided at any time. FDP_ITT.1 – Basic internal transfer protection FDP_ITT.1.1 – The TSF shall enforce the Data Processing Policy to prevent the [disclosure] of user data when it is transmitted between physically separated parts of the TOE. Refinement: The different memories, the CPU and other functional units of the TOE (for example a cryptographic co-processor) are seen as physically separated parts of the TOE. FPT_ITT.1 – Basic internal TSF data transfer protection FPT_ITT.1.1 – The TSF shall protect TSF data from [disclosure] when it is transmitted between separate parts of the TOE. Refinement: The different memories, the CPU, and other functional units of the TOE (for example a cryptographic co-processor) are seen as physically separated parts of the TOE. FDP_IFC.1 – Subset information flow control FDP_IFC.1.1 – The TSF shall enforce the Data Processing Policy on all confidential data when they are processed or transferred by the TOE or by the Security IC Embedded Software. The following Security Function Policy (SFP) Data Processing Policy is defined for the requirement “Subset information flow control (FDP_IFC.1)”: “User data of the Composite TOE and TSF data shall not be accessible from the TOE except when the Security IC Embedded Software decides to communicate the user data of the Composite TOE via an external interface. The protection shall be applied to confidential data only but without the distinction of attributes controlled by the Security IC Embedded Software.” Application Note: Security IC Embedded Software in the case of the TOE is any software running on the SP-CPU. Application Note: The component FDP_IFC.1 in the CC has a dependency on FDP_IFF.1, which is not resolved in [ICPP]. The discussion of this omission in [ICPP] is not very convincing. Basically, it requires that the TOE decides which data it considers to be confidential such that it shall not be exported over any of the TOE external interfaces. FCS_RNG.1 – Random number generation (Class PTG.3) FCS_RNG.1.1 – The TSF shall provide a [hybrid physical] random number generator that implements: (PTG.3.1) A total failure test detects a total failure of entropy source immediately when the RNG has started. When a total failure has been detected, no random numbers will be output. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 39 (PTG.3.2) If a total failure of the entropy source occurs while the RNG is being operated, the RNG [prevents the output of any internal random number that depends on some raw random numbers that have been generated after the total failure of the entropy source]. (PTG.3.3) The online test shall detect non-tolerable statistical defects of the raw random number sequence (i) immediately when the RNG is started, and (ii) while the RNG is being operated. The TSF must not output any random numbers before the power-up online test and the seeding of the DRG.3 post-processing algorithm have finished successfully or when a defect has been detected. (PTG.3.4) The online test procedure shall be effective to detect non- tolerable weaknesses of the random numbers soon. (PTG.3.5) The online test procedure checks the raw random number sequence. It is triggered [continuously]. The online test is suitable for detecting non-tolerable statistical defects of the statistical properties of the raw random numbers within an acceptable period of time. (PTG.3.6) The algorithmic post-processing algorithm belongs to Class DRG.3 with cryptographic state transition function and cryptographic output function, and the output data rate of the post- processing algorithm shall not exceed its input data rate. FCS_RNG.1.2 – The TSF shall provide [numbers in 32-bit blocks] that meet: (PTG.3.7) Statistical test suites cannot practically distinguish the internal random numbers from output sequences of an ideal RNG. The internal random numbers must pass test procedure A [and procedure B]. (PTG.3.8) The internal random numbers shall [use PTRNG of class PTG.2 as random source for the post-processing]. 8.1.2 Security functional requirements from augmentation packages The following section contains security functional requirements from packages defined in [ICPP]: ◼ Cryptographic services package AES ◼ Cryptographic services package TDES ◼ Cryptographic services package Hash functions Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 40 8.1.2.1 Cryptographic services package AES This package is included to address the provision of Advanced Encryption Standard encryption/decryption. The package’s organizational security policy and security objectives were added to the respective lists in Sections 5 and 6 . This package adds the following SFRs. 8.1.2.1.1 Security functional requirements FCS_COP.1/AES– Cryptographic operation – AES FCS_COP.1.1/AES – The TSF shall perform encryption and decryption with additional authentication in CCM mode in accordance with a specified cryptographic algorithm AES in ECB mode, CBC mode, CTR mode and CCM mode and cryptographic key sizes 128 bit, 256 bit that meet the following: Specification for the ADVANCED ENCRYPTION STANDARD (AES) (FIPS 197), Recommendation for Block Cipher Modes of Operation, Methods and Techniques (NIST SP 800-38A) and Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality (NIST SP 800- 38C). FCS_CKM.4/AES – Cryptographic key destruction – AES FCS_CKM.4.1/AES – The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting with zeroes or overwriting the protecting key encryption key in the key hierarchy with ones that meets the following: none. 8.1.2.2 Cryptographic services package TDES This package is included to address the provision of Triple-DES encryption/decryption. The package’s organizational security policy and security objectives were added to the respective lists in Sections 4 and 5. This package adds the following SFRs. 8.1.2.2.1 Security functional requirements FCS_COP.1/TDES – Cryptographic operation – TDES FCS_COP.1.1/TDES – The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm TDES in ECB mode, CBC mode and cryptographic key sizes 112 bit, 168 bit that meet the following Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher (NIST SP 800-67) and Recommendation for Block Cipher Modes of Operation, Methods and Techniques (NIST SP 800-38A). Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 41 FCS_CKM.4/TDES Cryptographic key destruction – TDES FCS_CKM.4.1/TDES – The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting with random values that meets the following: none. 8.1.2.3 Cryptographic services package Hash functions This package is included to address the provision of secure hash functions. 8.1.2.3.1 Security functional requirements FCS_COP.1/SHA– Cryptographic operation – SHA FCS_COP.1.1/SHA – The TSF shall perform hashing in accordance with a specified cryptographic algorithm [SHA-1, SHA-256, SHA-384, SHA-512] and cryptographic key sizes none that meet the following: Secure Hash Standard (SHS) (FIPS 180-4). 8.1.3 Security functional requirements beyond those in [ICPP] The TOE implements a set of additional security functions that are beyond what is defined in [ICPP]. This includes functions provided by the hardware as well as functions provided by the operating system of the SP-CPU, which is part of the TOE and its TSF. The SFRs for those functions are grouped for specific additional functions, which are described in general at the beginning of each group before stating the SFRs for those functions in CC terminology. 8.1.3.1 Group 1: Cryptographic functions This group describes the cryptographic functions that are beyond those defined in [ICPP]. This includes the asymmetric algorithms. FCS_CKM.1/SYM – Cryptographic key generation – Symmetric Keys FCS_CKM.1.1/SYM – The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm capable of generating a random bit sequence and specified cryptographic key sizes : ▪ AES: 128 bits, 256 bits ▪ CMAC AES: 128 bits, 256 bits ▪ HMAC SHA-1: 256 bits ▪ HMAC SHA-256: 256 bits ▪ HMAC SHA-384: 256 bits ▪ HMAC SHA-512: 256 bits Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 42 that meet the following: NIST SP 800-133 Section 6 with V being a string of zeroes. FCS_CKM.1/KDF – Cryptographic key generation – Key Derivation Function FCS_CKM.1.1/KDF – The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm Key Derivation Function in Counter Mode using HMAC SHA-256 and specified cryptographic key sizes: ▪ AES: 128 bits, 256 bits ▪ CMAC AES: 128 bits, 256 bits ▪ HMAC SHA-1: 256 bits ▪ HMAC SHA-256: 256 bits ▪ HMAC SHA-384: 256 bits ▪ HMAC SHA-512: 256 bits that meet the following: NIST SP 800-108 Section 5.1, FIPS 198-1, FIPS 180-4. FCS_CKM.4/HMAC/CMAC – Cryptographic key destruction FCS_CKM.4.1/HMAC/CMAC – The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting with zeroes for keys of size above 32 bytes or overwriting the protecting key encryption key in the key hierarchy with ones for all other keys that meets the following: none. FCS_COP.1/CMAC – Cryptographic operation FCS_COP.1.1/CMAC – The TSF shall perform message authentication code generation in accordance with a specified cryptographic algorithm CMAC using AES and cryptographic key sizes 128 bits, 256 bits that meet the following: Specification for the ADVANCED ENCRYPTION STANDARD (AES) (FIPS 197), and Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication (NIST SP 800-38B). FCS_COP.1/HMAC – Cryptographic operation FCS_COP.1.1/HMAC – The TSF shall perform message authentication code generation in accordance with a specified cryptographic algorithm HMAC using SHA-1 or SHA-256, SHA-384, SHA-512 and cryptographic key sizes 256 bits for SHA-1 and SHA-256, 512 bits for SHA-384 and SHA-512 that meet the following: The Keyed-Hash Message Authentication Code (HMAC) (FIPS 198-1) and Secure Hash Standard (SHS) (FIPS 180-4). Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 43 FCS_CKM.1/ECDH – Cryptographic key generation – ECDH FCS_CKM.1.1/ECDH – The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm ECDH key generation with ECC key lengths corresponding to the ECC parameters for NIST P-192/224/256/384/521, Brainpool 256 twisted (t1), Brainpool P-192/224/256/320/384/512 non-twisted (r1) and Curve25519 curves and specified cryptographic key sizes implied by the curve that meet the following: FIPS 186-4 Appendix B.4.2 supported by FIPS 186-4 Appendix D.1.2, RFC 5639 and RFC 7748. FCS_CKM.1/ECDSA – Cryptographic key generation – ECDSA FCS_CKM.1.1/ECDSA – The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm ECC key generation with ECC key lengths corresponding to the ECC parameters for NIST P-192/224/256/384/521, Brainpool 256 twisted (t1) and Brainpool P-192/224/256/320/384/512 non-twisted (r1) curves and specified cryptographic key sizes implied by the curve that meet the following: FIPS 186-4 Appendix B.4.2 supported by FIPS 186-4 Appendix D.1.2 and RFC 5639. FCS_CKM.1/RSA – Cryptographic key generation – RSA FCS_CKM.1.1/RSA – The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm RSA key generation and specified cryptographic key sizes 1024 and 2048 bits that meet the following: FIPS 186-4 Appendix B.3 and BSI TR- 02102-1. FCS_CKM.4/RSA/ECDSA/ECDH – Cryptographic key destruction FCS_CKM.4.1/RSA/ECDSA/ECDH– The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting with zeroes that meets the following: none. FCS_COP.1/RSA_SIGN – Cryptographic operation FCS_COP.1.1/RSA_SIGN – The TSF shall perform signature generation and verification in accordance with a specified cryptographic algorithm RSA and cryptographic key sizes 1024 bits, 2048 bits (RSA) that meet the following: FIPS 186-4 Section 5, PKCS#1 v2.1 PSS, PKCS#1 v1.5. FCS_COP.1/RSA_ENC – Cryptographic operation FCS_COP.1.1/RSA_ENC – The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm RSA and cryptographic key sizes 1024 bits, 2048 bits (RSA) that meet the following: FIPS 186-4 Section 5, PKCS#1 v2.1 OAEP, PKCS#1 v1.5. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 44 FCS_COP.1/ECDSA – Cryptographic operation FCS_COP.1.1/ECDSA – The TSF shall perform signature generation and verification in accordance with a specified cryptographic algorithm ECDSA with ECC key lengths corresponding to the ECC parameters for NIST P- 192/224/256/384/521, Brainpool 256 twisted (t1) and Brainpool P- 192/224/256/320/384/512 non-twisted (r1) curves and cryptographic key sizes implied by the curve that meet the following: FIPS 186-4 Section 6 supported by FIPS 186-4 Appendix D.1.2 and RFC 5639. FCS_COP.1/ECDH – Cryptographic operation FCS_COP.1.1/ECDH – The TSF shall perform shared secret generation in accordance with a specified cryptographic algorithm ECDH with ECC key lengths corresponding to the ECC parameters for NIST P- 192/224/256/384/521, Brainpool 256 twisted (t1), Brainpool P- 192/224/256/320/384/512 non-twisted (r1) and Curve25519 curves and cryptographic key sizes implied by the curve that meet the following: NIST SP 800-56A Section 5.7.1.2 supported by FIPS 186- 4 Appendix D.1.2, RFC5639 and RFC 7748. 8.1.3.2 Group 2: Secure boot This group describes the functions for the secure boot and startup process of the TOE. This includes the verification of the authenticity and integrity of the boot code and application executables, and the decryption of that data for a cold boot and the integrity verification of that data in SP-RAM in case of a warm boot. The case for the cold boot is defined using SFR FDP_ITC.1 and the case of the warm boot is defined using SFR FDP_SDI.2(2). FDP_ITC.1 – Import of user data without security attributes FDP_ITC.1.1 – The TSF shall enforce the no access control policy when importing user data, controlled under the SFP, from outside of the TOE. FDP_ITC.1.2 – The TSF shall ignore any security attributes associated with the user data when imported from outside of the TOE. FDP_ITC.1.3 – The TSF shall enforce the following rules when user data controlled under the SFP from outside the TOE: ▪ The TSF shall verify the digital signature of the boot image and application executables. ▪ The TSF shall verify the version number of the boot image and application executables to be equal or larger than the version number known to the TOE to prevent a rollback. ▪ The TSF shall stop execution when any of the aforementioned validation steps fail. ▪ When the aforementioned validation steps are successful, the TSF shall decrypt the boot image and application executables. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 45 Application Note: Within this SFR, the user data referred to is boot image and application executables. FDP_SDI.2(2) – Stored data integrity monitoring and action FDP_SDI.2.1(2) – The TSF shall monitor user data stored in containers controlled by the TSF for integrity errors on all objects, based on the following attributes: 64-bits SUM complemented value of the SP-RAM content. FDP_SDI.2.2(2) – Upon detection of a data integrity error, the TSF shall start a cold boot process, which erase the SP-RAM. Application Note: This SFR is a refinement for the specific user data operating system image and application executables and data stored in SP-RAM. 8.1.3.3 Group 3: Access control policies for hardware components The TOE implements a set of policies that control access to critical hardware components such as OTP items, access control of applications to memory areas, and access control to keys. Access control to OTP items includes access by the TSF itself. Access control to keys is also a TSF internal access control mechanism where access to keys from SP-CPU is controlled, in general, by the SP-CMU. Those access control policies are related to TSF data rather than user data and are, therefore, expressed by extended SFRs for the management of TSF data. FMT_CMT.1(1) – Management of TSF data by TSF components FMT_CMT.1.1(1) – The TSF shall restrict the ability to [modify and define] the memory areas shared with other components of the SoC to SP-ExtMM controlled by the SP-CPU. FMT_CMT.1(2) – Management of TSF data by TSF components FMT_CMT.1.1(2) – The TSF shall restrict the ability to [modify and access] the key table to SP-CMU. FMT_CMT.1(3) – Management of TSF data by TSF components FMT_CMT.1.1(3) – The TSF shall restrict the ability to [use] the hardware support for cryptographic operations and the random number generator to SP- CMU. FMT_CMT.1(4) – Management of TSF data by TSF components FMT_CMT.1.1(4) – The TSF shall restrict the ability to [program] the SP-ExtMM and SP-MMU to SP-CPU when in privileged mode. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 46 FMT_CMT.1(5) – Management of TSF data by TSF components FMT_CMT.1.1(5) – The TSF shall restrict the ability to [access] the areas in the SP- ROM to SP-CPU based on the restrictions implemented by the SP- ROM permission checker. FMT_CMT.1(6) – Management of TSF data by TSF components FMT_CMT.1.1(6) – The TSF shall restrict the ability to [patch] the SP-ROM memory to the OTP patch logic and the CSR patch mechanism. 8.1.3.4 Group 4: Access control policies for software-managed data The TOE implements a set of policies that control access to user and TSF data managed by the operating system. The operating system access control SFP relates to all processes managed by the TOE and relies on data encryption on a per process basis. Each process uses its own key and therefore prevent access to its data by other processes. A process can be the TOE operating system or an application running in the TOE. FDP_ACC.2 Complete access control FDP_ACC.2.1 – The TSF shall enforce the operating system access control SFP on ▪ Subjects: operating system, applications, and ▪ Objects: all non-volatile data storage objects holding application data, application code, TSF data and TSF code and all operations among subjects and objects covered by the SFP. FDP_ACC.2.2 – The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. FDP_ACF.1 Security attribute based access control FDP_ACF.1.1 – The TSF shall enforce the operating system access control SFP to objects based on the following: ▪ Subjects: all subjects are associated with dedicated encryption keys, ▪ Objects: non-volatile data storage objects encrypted with one of the encryption keys and associated anti-rollback information. FDP_ACF.1.2 – The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: non-volatile storage data will be encrypted with the subject- specific key during write operations and will be decrypted with that key during read operations, and will be marked with the anti-rollback information to prevent data rollback. FDP_ACF.1.3 – The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: none. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 47 FDP_ACF.1.4 – The TSF shall explicitly deny access of subjects to objects based on the following additional rules: none. FMT_MSA.3 - Static attribute initialization FMT_MSA.3.1– The TSF shall enforce the operating system access control SFP to provide [restrictive] default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2– The TSF shall allow nobody to specify alternative initial values to override the default values when an object or information is created. FDP_RIP.1/Keys - Subset residual information protection FDP_RIP.1.1/Keys – The TSF shall ensure that any previous information content of a resource is made unavailable upon the [deallocation of the resource from] the following objects: the interface buffers to the cryptographic services. FDP_RIP.1/Transient - Subset residual information protection FDP_RIP.1.1/Transient – The TSF shall ensure that any previous information content of a resource is made unavailable upon the [deallocation of the resource from] the following objects: any transient object. 8.1.3.5 Group 5: Protection of data stored outside the TOE The TOE implements a set security mechanisms to protect user data and TSF dedicated data stored outside the TOE in memories shared with the host SoC. The provided protection include integrity, confidentiality, authenticity and anti-rollback to protect against eavesdropping, modification and replay attacks. FDP_SDI.2(3) – Stored Data Integrity FDP_SDI.2.1(3) – The TSF shall monitor user data stored in containers controlled by the TSF for any integrity errors on all objects, based on the following attributes: SHA-256 hash tree and CMAC-AES-256 for persistent data store and AES-CCM-256 for volatile data store while data is stored in the memory area outside the TOE hardware boundary. FDP_SDI.2.2(3) – Upon detection of a data integrity error, the TSF shall prevent the data from being used by the TOE. FDP_SDC.1(2) – Stored Data Confidentiality FDP_SDC.1.1(2) – The TSF shall ensure the confidentiality of the information of the user data and the TSF data while it is stored in the memory area outside the TOE hardware boundary. Application Note: The TOE encrypt (AES-CBC-256) persistent user data before being exported outside the TOE (NVM storage use case). Confidentiality is ensured by the fact Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 48 that the TOE generates a cryptographic key using a random number to encrypt the user data. This key is not known outside of the TOE nor is it exportable. Application Note: The TOE encrypt (AES-CCM-256) transient user data before being exported outside the TOE (swap use case). Confidentiality is ensured by the fact that the TOE generates a cryptographic key using a random number to encrypt the user data. This key is not known outside of the TOE nor is it exportable. FDP_SDA.1 – Stored Data Authenticity FDP_SDA.1.1 – The TSF shall ensure the authenticity of the information of user data and TSF data while it is stored in the memory area outside the TOE hardware boundary. Application Note: The TOE is capable of identifying whether user data and TSF data originate from the TOE or not. Only such data is loaded back into the TOE for processing. This is ensured by the fact that the user data is always authenticated by using a dedicated cryptographic key, generated within TOE. This key is generated using a random number and not known outside of the TOE nor is it exportable. Application Note: For persistent data, the key is persistent across reset. For transient data, the key is volatile (stored in SP-RAM). FDP_SDR.1 – Stored Data Replay Protection FDP_SDR.1.1 – The TSF shall detect replay of user data and TSF data while it is stored in the memory area outside the TOE hardware boundary. Application Note: The TOE is capable of identifying whether user data is replay or not (current version of user data is replaced by an older version with valid encryption / authentication code by an attacker). This is ensured by the fact that the TOE manage and store internally a monotonic counter that is used in the computation of the authentication code as defined in FDP_SDI.2(3). Application Note: For persistent data, the counter is managed by the Anti-Replay Island (SP-ARI) and is persistent across reset. For transient data, the counter is volatile (stored in SP-RAM). 8.2 Security assurance requirements The Security Assurance Requirements are as defined in [ICPP], including the refinements defined there. 8.3 Security requirements rationale Section 6.3 of [ICPP] defines the security requirements rationale for the objectives and SFRs defined in [ICPP], and Section 7 of [ICPP] defines the additional security requirements rationale for the optional packages. This rationale applies for all security objectives and SFRs taken from [ICPP]. This section, therefore, addresses only the rationale for the additional security objectives and SFRs defined in this Security Target. This Security Target adds the following additional security objectives: ◼ O.Defense-in-Depth Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 49 ◼ O.Secure-Boot ◼ O.RSA ◼ O.ECDSA ◼ O.ECDH ◼ O.KDF ◼ O.CMAC ◼ O.HMAC ◼ O.OSData.Access ◼ O.OSData.Protect ◼ O.Reallocation Those security objectives are addressed by the following additional SFRs. In addition, the following table includes the objectives rationale for the optional packages defined in [ICPP]. Table 8-1 Security Requirement vs Objectives mapping Objective Description O.AES The security objective of the TOE to provide secure hardware based cryptographic services for the AES for encryption and decryption is addressed by the SFRs of FCS_COP.1/AES and FCS_CKM.4/AES defining the cryptographic operation of the cipher and the associated functionality of key destruction. O.TDES The security objective of the TOE to provide secure software based cryptographic services for the TDES for encryption and decryption is addressed by the SFRs of FCS_COP.1/TDES and FCS_CKM.4/TDES defining the cryptographic operation of the cipher and the associated functionality of key destruction. O.SHA The security objective of the TOE to provide secure hardware-based cryptographic services for secure hash calculation is addressed by the SFR of FCS_COP.1/SHA defining the cryptographic operation of the cipher. O.CMAC The security objective of the TOE to provide secure hardware based cryptographic services for the CMAC-AES is addressed by the SFRs of FCS_COP.1/CMAC and FCS_CKM.4/HMAC/CMAC and FCS_CKM.1/SYM defining the cryptographic operation of the cipher used for Message Authentication Code generation and the associated functionality of key destruction. O.HMAC The security objective of the TOE to provide secure hardware based cryptographic services for the HMAC is addressed by the SFRs of FCS_COP.1/HMAC and FCS_CKM.4/HMAC/CMAC and FCS_CKM.1/SYM defining the cryptographic operation of the cipher used for Message Authentication Code generation and the associated functionality of key destruction. (HMAC keys larger than 32-byte are not protected by the CMU (key table mechanism). O.Defense-in-Depth The security objective of the TOE to ensure that critical functions and TSF data cannot be accessed by a simple breach of security of the software executing on the SP-CPU is addressed by the SFRs FMT_CMT.1(1) to FMT_CMT.1(6) which define various security functions offered by the SP-CPU that can and must be utilized by the TOE. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 50 Objective Description O.Secure-Boot The security objective of the TOE to ensure that only authorized software is loaded during the boot process after the integrity and authenticity of that software has been verified is addressed by the SFRs FDP_ITC.1 and FDP_SDI.2(2). Both define the integrity protection mechanism of the software imported from outside of the TOE. O.RSA The security objective of the TOE to provide secure cryptographic services implementing the RSA algorithm for signature generation and verification and encryption and decryption is addressed by the SFRs FCS_CKM.1/RSA, FCS_CKM.4/RSA/ECDSA/ECDH, FCS_COP.1/RSA_SIGN and FCS_COP.1/RSA_ENC which collectively define the key generation, destruction and cryptographic operation of RSA. O.ECDSA The security objective of the TOE to provide secure cryptographic services implementing the ECDSA algorithm based on the NIST P-192/224/256/384/521, Brainpool 256 twisted (t1) and Brainpool P-192/224/256/320/384/512 non- twisted (r1) curves for signature generation and verification is addressed by the SFRs FCS_CKM.1/ECDSA, FCS_CKM.4/RSA/ECDSA/ECDH and FCS_COP.1/ECDSA which collectively define the key generation, destruction and cryptographic operation of ECDSA. O.ECDH The security objective of the TOE to provide secure cryptographic services implementing the ECDH algorithm based on the NIST P-192/224/256/384/521, Brainpool 256 twisted (t1), Brainpool P-192/224/256/320/384/512 non-twisted (r1) and Curve25519 curves for shared secret generation is addressed by the SFRs FCS_CKM.1/ECDH, FCS_CKM.4/RSA/ECDSA/ECDH, and FCS_COP.1/ECDH which collectively define the key generation, destruction and cryptographic operation of ECDH. O.KDF The security objective of the TOE to provide secure cryptographic services implementing the Key Derivation Function algorithm based on NIST SP 800-108 is addressed by the SFR FCS_CKM.1/KDF specifying such key derivation function. O.OSData.Access The security objective of the TSF to restrict access of software applications exclusively to its own data stored in volatile and non-volatile memory is addressed by the SFRs of FDP_ACC.2, FDP_ACF.1, FMT_MSA.3 which collectively define such access control mechanism. O.OSData.Protect The security objective of the TSF to protect TSF code, TSF data, application code and application data using cryptographic functions with a cryptographic strength commensurate with the value of the data against loss of confidentiality, integrity, authenticity and against rollback is addressed by the SFRs of FDP_ACC.2, FDP_ACF.1, FMT_MSA.3, FDP_SDI.2(3), FDP_SDI.2(2), FDP_SDC.1(2), FDP_SDA.1, FDP_SDR.1 which collectively define such protection control mechanism. The Hardware managed symmetric keys maintained by the TOE are protected as specified in FMT_CMT.1(2). O.Reallocation The security objective of the TOE to ensure that the re-allocation of a memory block for the runtime areas maintained by the TOE operating system does not disclose any information that was previously stored is addressed by the SFRs of FDP_RIP.1/Keys, FDP_RIP.1/Transient which define a clearing of residual information from storage locations upon the deallocation of the resource. The following table provides the SFR dependency analysis for the SFRs covering the aforementioned objectives. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 51 Table 8-2 Security Requirement dependencies SFR Dependencies Fulfillment FCS_CKM.1/SYM [FCS_CKM.2 or FCS_COP.1] FCS_CKM.4 FCS_COP.1/AES FCS_COP.1/CMAC FCS_COP.1/HMAC FCS_CKM.4/AES FCS_CKM.4/HMAC/CMAC FCS_CKM.1/KDF [FCS_CKM.2 or FCS_COP.1] FCS_CKM.4 FCS_COP.1/AES FCS_COP.1/CMAC FCS_COP.1/HMAC FCS_CKM.4/AES FCS_CKM.4/HMAC/CMAC FCS_CKM.1/ECDH [FCS_CKM.2 or FCS_COP.1] FCS_CKM.4 FCS_COP.1/ECDH FCS_CKM.4/RSA/ECDSA/ECDH FCS_CKM.1/ECDSA [FCS_CKM.2 or FCS_COP.1] FCS_CKM.4 FCS_COP.1/ECDSA FCS_CKM.4/RSA/ECDSA/ECDH FCS_CKM.1/RSA [FCS_CKM.2 or FCS_COP.1] FCS_CKM.4 FCS_COP.1/RSA_SIGN FCS_COP.1/RSA_ENC FCS_CKM.4/RSA/ECDSA/ECDH FCS_CKM.4/AES [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.1/SYM FCS_CKM.4/TDES [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.1/TDES is not fulfilled. Indeed TDES implementation does not leverage the CMU HW to protect the TDES key, so TDES key management is let to the caller. FCS_CKM.4/HMAC/CMAC [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.1/SYM FCS_CKM.1/KDF FCS_CKM.4/RSA/ECDSA/ ECDH [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.1/ECDH FCS_CKM.1/ECDSA FCS_CKM.1/RSA FCS_COP.1/AES [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/SYM FCS_CKM.1/KDF FCS_CKM.4/AES FCS_COP.1/TDES [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/TDES is not fulfilled. Indeed TDES implementation does not leverage the CMU HW to protect the TDES key, so TDES key management is let to the caller. FCS_CKM.4/TDES FCS_COP.1/SHA [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 The hash generation does not require any key which implies that the dependency on key generation or key import is not applicable and thus unmet. The hash generation does not use cryptographically sensitive parameters which implies that no such parameters must be destroyed. Thus, the dependency on key destruction is unmet. Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 52 SFR Dependencies Fulfillment FCS_COP.1/CMAC [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/SYM FCS_CKM.1/KDF FCS_CKM.4/HMAC/CMAC FCS_COP.1/HMAC [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/SYM FCS_CKM.1/KDF FCS_CKM.4/HMAC/CMAC FCS_COP.1/ECDSA [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/ECDSA FCS_CKM.4/RSA/ECDSA/ECDH FCS_COP.1/ECDH [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/ECDH FCS_CKM.4/RSA/ECDSA/ECDH FCS_COP.1/RSA_SIGN [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/RSA FCS_CKM.4/RSA/ECDSA/ECDH FCS_COP.1/RSA_ENC [FCS_ITC.1 or FCS_ITC.2 or FCS_CKM.1] FCS_CKM.4 FCS_CKM.1/RSA FCS_CKM.4/RSA/ECDSA/ECDH FDP_ITC.1 [FDP_ACC.1 or FDP_IFC.1] FMT_MSA.3 The data forming the TOE software and that is imported by the TOE is encrypted and signed. No access control policy or information flow control is required because the associated keys are stored inside the TOE. By relying on the cryptographic protection the TOE ensures the application of the rules defined FDP_ITC.1. FDP_SDI.2(2) No dependencies FMT_CMT.1(1) No dependencies FMT_CMT.1(2) No dependencies FMT_CMT.1(3) No dependencies FMT_CMT.1(4) No dependencies FMT_CMT.1(5) No dependencies FMT_CMT.1(6) No dependencies FDP_ACC.2 FDP_ACF.1 FDP_ACF.1 FDP_ACF.1 FDP_ACC.1 FMT_MSA.3 FDP_ACC.2 FMT_MSA.3 FMT_MSA.3 FMT_MSA.1 FMT_SMR.1 The dependency of FMT_MSA.3 to FMT_MSA.1 and FMT_SMR.1 is unmet, because the default value cannot be altered or managed. FDP_RIP.1/Keys No dependencies FDP_RIP.1/Transient No dependencies FDP_SDI.2(3) No dependencies FDP_SDC.1(2) No dependencies FDP_SDA.1 No dependencies FDP_SDR.1 No dependencies Qualcomm SPU250 Security Target Lite Security requirements 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 53 NOTE: The security objectives of O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys- Manipulation, and O.Leak-Forced defined in [ICPP] support the secure implementation of all crypto services introduced by P.Crypto-Service. The TOE will ensure the confidentiality of the user data and TSF data for these crypto services. 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 54 9 TOE summary specification 9.1 TOE summary specification rationale The following table maps the SFRs to the sections of the TSS containing the descriptions of how those SFRs are implemented. Table 9-1 TOE summary specification rationale SFR 9.1.1.1 Random number generation 9.1.1.2 AES coprocessor 9.1.1.3 Hashing 9.1.1.4 Authentication 9.1.1.5 Key Derivation Function 9.1.1.6 Key protection 9.1.1.7 TDES 9.1.1.8 RSA, ECDSA, ECDH 9.1.2.1 Secure boot 9.1.2.2 Secure software update 9.1.3 Application manager 9.1.4 Domain separation between applications executed by the TOE 9.1.5 Physical protection 9.1.6.1 Control memory areas shared with other components of the SoC 9.1.6.2 Control access to keys and the key table 9.1.6.3 Control use of hardware support for cryptographic operations and random number generation 9.1.6.4 Control access to the SP-RAM by software on the SP-CPU 9.1.7.1 Cryptographic protection of persistent data stored outside the TOE 9.1.7.2 Cryptographic protection of transient data and code stored outside the TOE 9.1.7.3 Reallocation of shared resources 9.1.8.1 Logical protection, SP-ROM 9.1.8.2 Logical protection, SP-RAM 9.1.9 Production data and OTP handling 9.1.10 Life-Cycle Control FRU_FLT.2 X FPT_FLS.1 X FMT_LIM.1 X FMT_LIM.2 X FAU_SAS.1 X Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 55 SFR 9.1.1.1 Random number generation 9.1.1.2 AES coprocessor 9.1.1.3 Hashing 9.1.1.4 Authentication 9.1.1.5 Key Derivation Function 9.1.1.6 Key protection 9.1.1.7 TDES 9.1.1.8 RSA, ECDSA, ECDH 9.1.2.1 Secure boot 9.1.2.2 Secure software update 9.1.3 Application manager 9.1.4 Domain separation between applications executed by the TOE 9.1.5 Physical protection 9.1.6.1 Control memory areas shared with other components of the SoC 9.1.6.2 Control access to keys and the key table 9.1.6.3 Control use of hardware support for cryptographic operations and random number generation 9.1.6.4 Control access to the SP-RAM by software on the SP-CPU 9.1.7.1 Cryptographic protection of persistent data stored outside the TOE 9.1.7.2 Cryptographic protection of transient data and code stored outside the TOE 9.1.7.3 Reallocation of shared resources 9.1.8.1 Logical protection, SP-ROM 9.1.8.2 Logical protection, SP-RAM 9.1.9 Production data and OTP handling 9.1.10 Life-Cycle Control FDP_SDC.1(1) X FDP_SDI.2(1) X X FPT_PHP.3 X FDP_ITT.1 X FPT_ITT.1 X FDP_IFC.1 X FCS_RNG.1 X FCS_COP.1/AES X FCS_CKM.4/AES X FCS_COP.1/TDES X FCS_CKM.4/TDES X FCS_COP.1/RSA_SIGN X FCS_COP.1/RSA_ENC X FCS_CKM.1/RSA X FCS_COP.1/ECDSA X FCS_CKM.1/ECDSA X FCS_COP.1/ECDH X FCS_CKM.1/ECDH X Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 56 SFR 9.1.1.1 Random number generation 9.1.1.2 AES coprocessor 9.1.1.3 Hashing 9.1.1.4 Authentication 9.1.1.5 Key Derivation Function 9.1.1.6 Key protection 9.1.1.7 TDES 9.1.1.8 RSA, ECDSA, ECDH 9.1.2.1 Secure boot 9.1.2.2 Secure software update 9.1.3 Application manager 9.1.4 Domain separation between applications executed by the TOE 9.1.5 Physical protection 9.1.6.1 Control memory areas shared with other components of the SoC 9.1.6.2 Control access to keys and the key table 9.1.6.3 Control use of hardware support for cryptographic operations and random number generation 9.1.6.4 Control access to the SP-RAM by software on the SP-CPU 9.1.7.1 Cryptographic protection of persistent data stored outside the TOE 9.1.7.2 Cryptographic protection of transient data and code stored outside the TOE 9.1.7.3 Reallocation of shared resources 9.1.8.1 Logical protection, SP-ROM 9.1.8.2 Logical protection, SP-RAM 9.1.9 Production data and OTP handling 9.1.10 Life-Cycle Control FCS_CKM.4/RSA/ECDSA/ECDH X FCS_COP.1/SHA X FCS_CKM.1/SYM X FCS_CKM.1/KDF X FCS_CKM.4/HMAC/CMAC X FCS_COP.1/CMAC X FCS_COP.1/HMAC X FDP_ITC.1 X X X FDP_SDI.2(2) X X FMT_CMT.1(1) X FMT_CMT.1(2) X FMT_CMT.1(3) X FMT_CMT.1(4) X X FMT_CMT.1(5) X FMT_CMT.1(6) X FDP_ACC.2 X FDP_ACF.1 X FMT_MSA.3 X Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 57 SFR 9.1.1.1 Random number generation 9.1.1.2 AES coprocessor 9.1.1.3 Hashing 9.1.1.4 Authentication 9.1.1.5 Key Derivation Function 9.1.1.6 Key protection 9.1.1.7 TDES 9.1.1.8 RSA, ECDSA, ECDH 9.1.2.1 Secure boot 9.1.2.2 Secure software update 9.1.3 Application manager 9.1.4 Domain separation between applications executed by the TOE 9.1.5 Physical protection 9.1.6.1 Control memory areas shared with other components of the SoC 9.1.6.2 Control access to keys and the key table 9.1.6.3 Control use of hardware support for cryptographic operations and random number generation 9.1.6.4 Control access to the SP-RAM by software on the SP-CPU 9.1.7.1 Cryptographic protection of persistent data stored outside the TOE 9.1.7.2 Cryptographic protection of transient data and code stored outside the TOE 9.1.7.3 Reallocation of shared resources 9.1.8.1 Logical protection, SP-ROM 9.1.8.2 Logical protection, SP-RAM 9.1.9 Production data and OTP handling 9.1.10 Life-Cycle Control FDP_RIP.1/Keys X FDP_RIP.1/Transient X FDP_SDI.2(3) X X FDP_SDC.1(2) X X FDP_SDA.1 X X FDP_SDR.1 X X Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 58 9.1.1 Cryptographic services and random number generation 9.1.1.1 Random number generation The implemented physical random number generator together with the associated post processing provide the functionality defined by FCS_RNG.1 and FCS_CKM.1/SYM. 9.1.1.2 AES coprocessor A first AES coprocessor implemented as part of the SP-CMU provides AES encryption and decryption with the various crypto modes as required by FCS_COP.1/AES. 9.1.1.3 Hashing A coprocessor implemented as part of the SP-CMU supports the different hashing algorithms as required by FCS_COP.1/SHA. The coprocessor needs to be configured with the required hashing algorithm before the operation is started. 9.1.1.4 Authentication A second AES coprocessor implemented as part of the SP-CMU provides AES authentication functionality as required by FCS_COP.1/CMAC. A SHA co-processor supports an HMAC implementation as required by FCS_COP.1/HMAC. 9.1.1.5 Key Derivation Function The key table implemented in the SP-CMU provides the key derivation functionality as required by FCS_CKM.1/KDF. 9.1.1.6 Key protection The key table evaluates the key properties and ensures that keys are only used for the intended usage. In addition, the implementation of the key table limits access to the keys by SP-CPU. Keys released by the software cannot be further used. Thereby, the key table implements the protection of keys as required by FCS_CKM.4/AES, FCS_CKM.4/HMAC/CMAC and FDP_RIP.1/Keys. For RSA/ECDH/ECDSA, once the key is released, it is destructed by as required by FCS_CKM.4/RSA/ECDSA/ECDH. The key table is also protected through the implementation of parity control as per FDP_SDI.2(1). Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 59 9.1.1.7 TDES The TDES is implemented in the software of the TOE and provides TDES encryption and decryption with the various crypto modes as required by FCS_COP.1/TDES and key destruction as required by FCS_CKM.4/TDES. 9.1.1.8 RSA, ECDSA, ECDH An asymmetric cryptography coprocessor implemented in hardware supplemented by a cryptographic library implemented in the TOE provides RSA, ECDSA and ECDH cryptographic operations as required by FCS_COP.1/RSA_SIGN, FCS_COP.1/RSA_ENC, FCS_COP.1/ECDSA and FCS_COP.1/ECDH as well as key generation as required by FCS_CKM.1/RSA, FCS_CKM.1/ECDSA, FCS_CKM.1/ECDH. 9.1.2 Secure boot and secure update 9.1.2.1 Secure boot The boot image is stored outside the TOE and loaded during startup by the boot loader stored in the SP-ROM as part of the TOE. The boot loader performs the following cold boot sequence: SP-CPU initializes all memory areas (programming of the SP-MMU of the SP-CPU). SP-CPU copies the MCP image from the shared SoC RAM to the SP-RAM (not accessible to the rest of the SoC). SP-CPU verifies the digital signature (ECC P-384 and SHA-256) of the (encrypted) MCP image stored in the SP-RAM. If this verification fails, the execution stops. SP-CPU decrypts the MCP image in place. SP-CPU passes control to the MCP image (jump to Main Control Program). The boot image does not maintain specific properties or access control during the storage outside the TOE. The protection relies on the digital signature, the encryption and the protected version number as required by FDP_ITC.1. 9.1.2.2 Secure software update In case the boot loader detects an updated boot image during the verification process, the new software version is verified in the same way. In addition, the version number maintained in the SP-QFPROM is verified and updated accordingly in case a greater version number is identified. Thereby the update functionality implements the security mechanisms required by FDP_ITC.1. Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 60 9.1.3 Application manager The application manager uses the same security mechanisms required by FDP_ITC.1. This comprises the integrity and authenticity verification based on a valid signature, the decryption of the application image and the rollback protection for version control. User and TSF data belonging to a dedicated application is encrypted on process basis with different keys to enforce the access control policy required by FDP_ACC.2, FDP_ACF.1 and FMT_MSA.3. Thereby the user data and the TSF data of different applications is only accessible by the associated application. 9.1.4 Domain separation between applications executed by the TOE The TOE implements a dedicated control for the access to external memory as well as for the access to internal memories and resources that can be configured in privileged mode. This separation is required by FMT_CMT.1(4). 9.1.5 Physical protection The TOE provides protection mechanisms against non-invasive, semi-invasive, and invasive physical attacks. These countermeasures protect against side-channel attacks, fault injection attacks, and against the various physical attacks. The TOE implements countermeasures against side-channel attacks including constant execution time, masking (for example by the AES coprocessors) and random polarity switching for the SP-CPU bus as required by FDP_ITT.1, FPT_ITT.1 and FDP_IFC.1.1. The TOE implements countermeasures against fault injection attacks comprising redundant logic and error detection/correction code for the following components SP- CPU, SP-QFPROM, SP-ROM, SP-RAM, SP-KT and TOE internal buses as required by FPT_FLS.1. The TOE boot-up time is at least 2.5 minutes. Further on, the TOE includes sensors to detect invalid operational conditions. Sensors are implemented to control the TOE internal voltages, the TOE internal frequency and the TOE internal temperature. In addition, the TOE implements parity checks, redundancy checks and fault detection logic as required by FPT_FLS.1. Internal clock generation and filtering of the power supply provide the limited fault tolerance as required by FRU_FLT.2. General countermeasures like the generation of additional temporal noise by various means (software and hardware), the memory protection mechanism implemented for SP-ROM and SP-RAM and the SP-QFPROM as well as the RTL obfuscation together with specific options and constrains for the physical layout provide the protection as required by FPT_PHP.3. Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 61 9.1.6 Access control and management (hardware) 9.1.6.1 Control memory areas shared with other components of the SoC Access to the external RAM used to share data with other components of the SoC is controlled by a dedicated memory manager as required by FMT_CMT.1(1). The memory manager is able to support different windows in parallel. 9.1.6.2 Control access to keys and the key table Access to keys stored in the key table is limited to the SP-CMU and does not allow the IC dedicated software executed on the SP-CPU to compromise keys via the software. This protection is required by FMT_CMT.1(2). 9.1.6.3 Control use of hardware support for cryptographic operations and random number generation The access to coprocessors and the random number generator providing the cryptographic support to the IC dedicated software is limited to SP-CMU. This protection is required by FMT_CMT.1(3). 9.1.6.4 Control access to the SP-RAM by IC dedicated software on the SP-CPU Access to the SP-RAM of the TOE is controlled by a Memory Management Unit (MMU) that can only be configured in privileged SP-CPU mode as required by FMT_CMT.1(4). 9.1.7 Access control and management (operating system) 9.1.7.1 Cryptographic protection of persistent data stored outside the TOE The confidentiality, integrity, authenticity and replay-protection of data stored in the non- volatile memory outside the TOE boundary is ensured by cryptographic mechanisms. The encryption of the data is required by FDP_SDC.1(2), the integrity protection is required by FDP_SDI.2(3), the authenticity is required by FDP_SDA.1 and the replay protection is required by FDP_SDR.1. 9.1.7.2 Cryptographic protection of transient data and code stored outside the TOE The confidentiality, integrity, authenticity and replay-protection of data stored in the DDR memory outside the TOE boundary is ensured by cryptographic mechanisms. The encryption of the data is required by FDP_SDC.1(2), the integrity protection is required by FDP_SDI.2(3), the authenticity is required by FDP_SDA.1 and the replay protection is required by FDP_SDR.1. Qualcomm SPU250 Security Target Lite TOE summary specification 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 62 9.1.7.3 Reallocation of shared resources The operation system implements the protection of memory areas that may get accessible by other applications or processes based on re-allocation of resources. Buffers with sensitive parameters and memory areas that are de-allocated are cleared as required by FDP_RIP.1/Transient. 9.1.8 Logical protection 9.1.8.1 SP-ROM The SP-ROM is only accessible to the SP-CPU based on the control of the SP-MMU and the associated permission checker of SP-ROM as required by FMT_CMT.1(5). The SP-ROM is partitioned and SP-ROM content can only be patched by OTP patch (SP- QFPROM) logic or CSR patch mechanism as required by FMT_CMT.1(6). The SP-ROM implements memory encryption and parity control as required by FDP_SDC.1(1) . 9.1.8.2 SP-RAM The SP-RAM access is restricted to SP-CPU based on the control of the SP-MMU and the SP-DMA controller as well as the associated permission checker of SP-RAM. The SP-RAM implements memory encryption and parity control as required by FDP_SDC.1(1) and FDP_SDI.2(1) . Further on a specific integrity check during warm boot is implemented as required by FDP_SDI.2(2). 9.1.9 Production data and OTP handling Data for the identification of the TOE and the associated initialization and pre- personalization data is stored in the SP-QFPROM as required by FAU_SAS.1. 9.1.10 Life-Cycle Control The TOE implements Life-Cycle control based on a combination of access control to TOE functionality and the coding of the Life-Cycle phase in the SP-QFPROM. This implements the requirements FMT_LIM.1 and FMT_LIM.2. 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 63 A Cryptographic mechanisms table Purpose Cryptographic Mechanism Standard of Implementation Key Size in Bits / Key types Key Origin Image Authenticity and Integrity RSA-signature verification with SHA- 256 and PKCS#1 1.5 padding FIPS 186-4 FIPS 180-4 RFC 3447 2048 Qualcomm managed private key Image Confidentiality AES-CBC FIPS 197 NIST SP 800-38A 128 Qualcomm managed symmetric key User and TOE Data while in NVM Confidentiality AES-CBC FIPS 197 NIST SP 800-38A 256 Key generated and managed by TOE operating system using TOE RNG User and TOE Data while in NVM Integrity & Authenticity SHA-256 tree and AES in CMAC mode FIPS-180-4 FIPS 197 NIST SP 800-38B Hash tree specifics provided in developer document 256 Key generated and managed by TOE operating system using TOE RNG User and TOE Data while in external DDR Confidentiality AES-CBC FIPS 197 NIST SP 800-38A 256 Key generated and managed by TOE operating system using TOE RNG User and TOE Data while in external DDR Integrity & Authenticity SHA-256 FIPS 180-4 256 N/A Reference hash stays in TOE API AES (ECB, CBC, CTR, CMAC, CCM) FIPS 197 NIST SP 800-38A NIST SP 800-38B NIST SP 800-38C NIST SP 800-38E 128, 256 User-provided key managed by the TOE or key generated and managed by TOE operating system or CMU using TOE RNG API SHA1 SHA-256 SHA-384 SHA-512 FIPS 180-4 none N/A API RNG PTG.3 of BSI- AIS20/AIS31 NIST SP 800-90A none N/A Qualcomm SPU250 Security Target Lite Cryptographic mechanisms table 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 64 Purpose Cryptographic Mechanism Standard of Implementation Key Size in Bits / Key types Key Origin API HMAC-SHA1 HMAC-SHA256 HMAC-SHA-384 HMAC-SHA-512 FIPS198-1 256 (SHA-1, SHA- 256) 512 (SHA-384, SHA-512) User-provided key managed by the TOE or key generated and managed by TOE operating system or CMU using TOE RNG API Generate random symmetric key NIST SP 800-133 128, 192, 256 API Key Derivation Function in Counter Mode based on HMAC SHA-256 NIST SP 800-108 FIPS 198-1 FIPS 180-4 256 API TDES (ECB, CBC) FIPS 46-3 NIST SP 800-38A 112,168 User-provided key managed by the TOE operating system API RSA signature/verify with SHA-1, SHA-256, SHA-384, SHA-512 and RSASSA-PSS and PKCS#1 v1.5 padding schemes FIPS 186-4 FIPS 180-4 RFC 3447 1024, 2048 User-provided key or key generated by TOE operating system using TOE RNG API RSA encryption / decryption with RSAES-OAEP and PKCS#1 v1.5 padding schemes FIPS 186-4 RFC 3447 1024, 2048 User-provided key or key generated by TOE operating system using TOE RNG API ECDSA Cryptographic key generation Signature Generation / Verification FIPS 186-4 ECC key lengths corresponding to following ECC parameters: NIST P-192 NIST P-224 NIST P-256 NIST P-384 NIST P-521 Brainpool P-256 (t1) Brainpool P-192 (r1) Brainpool P-224 (r1) Brainpool P-256 (r1) Brainpool P-320 (r1) Brainpool P-384 (r1) Brainpool P-512 (r1) User-provided key or key generated by TOE operating system (MCP) using TOE RNG Qualcomm SPU250 Security Target Lite Cryptographic mechanisms table 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 65 Purpose Cryptographic Mechanism Standard of Implementation Key Size in Bits / Key types Key Origin API ECDH Cryptographic key generation Shared secret generation NIST SP 800-56A FIPS 186-4 ECC key lengths corresponding to following ECC parameters: NIST P-192 NIST P-224 NIST P-256 NIST P-384 NIST P-521 Brainpool P-256 (t1) Brainpool P-192 (r1) Brainpool P-224 (r1) Brainpool P-256 (r1) Brainpool P-320 (r1) Brainpool P-384 (r1) Brainpool P-512 (r1) Curve25519 User-provided key or key generated by TOE operating system (MCP) using TOE RNG API RSA key generation FIPS 186-4 BSI TR-02102-1 1024, 2048 Seed comes from RNG 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 66 B References B.1 Related documents Title Number Standards Common Criteria for Information Technology Security Evaluation, Parts 1, 2, and 3, Version 3.1, Revision 5; [CC] Part 1: CCMB-2017-04-001 Part 2: CCMB-2017-04-002 Part 3: CCMB-2017-04-003 DATA ENCRYPTION STANDARD (DES) FIPS 46-3 Secure Hash Standard (SHS) FIPS 180-4 Digital Signature Standard (DSS) FIPS 186-4 ADVANCED ENCRYPTION STANDARD (AES) FIPS 197 The Keyed-Hash Message Authentication Code (HMAC) FIPS 198-1 Recommendation for Block Cipher Modes of Operation, Methods and Techniques NIST SP 800-38A Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality NIST SP 800-38C Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices NIST SP 800-38E Recommendation for Key-Derivation Methods in Key-Establishment Schemes NIST SP 800-56A Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST SP 800-90A Recommendation for Key Derivation Using Pseudorandom Functions (Revised) NIST SP 800-108 Recommendation for Cryptographic Key Generation NIST SP 800-133 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 RFC 3447 Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation RFC 5639 Elliptic Curves for Security RFC 7748 A proposal for: Functionality classes for random number generators BSI-AIS20/AIS31 Cryptographic Mechanisms: Recommendations and Key Lengths BSI TR-02102-1 Resources Security IC Platform Protection Profile with Augmentation Packages, Version 1.0; [ICPP] BSI-CC-PP-0084-2014 Java Card Protection Profile – Open Configuration, Version 3.0.5, [JCSPP] BSI-CC-PP-0099-2017 Qualcomm SPU250 Security Target Lite References 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 67 Title Number User Guidances Secure Processor Unit (SPU) – Anti-replay Island (ARI) Overview for SM8350 80-PN145-16, Revision B Qualcomm Secure Processing Unit Enablement for SM8350 Devices 80-PK177-4, Revision AD Qualcomm Secure Processing Unit Enablement Guidelines for SM8350 Application Developers 80-PK177-5, Revision AB SM8350 Secure Boot Enablement 80-PK177-14, Revision AA Secure Processor Unit SDK – API Reference 80-PV579-1, Revision AD SMT Assembly Guidelines SM80-P0982-1, Revision E Qualcomm Trusted Execution Environment (TEE) Reference Manual 80-NH537-4, Revision. M B.2 Acronyms and terms Acronym or term Definition AES Advanced Encryption Standard AIS Application Notes and Interpretation of the Scheme API Application programming interface ARI Anti-replay island BSI Bundesamt für Sicherheit in der Informationstechnik (German: Federal Office for Security) CBC Cipher block chaining CC Common Criteria CCM Counter with CBC-MAC CMAC Cipher-based Message Authentication Code CSR Configuration and status register CTR Counter DES Data Encryption Standard DDR Double Data Rate ECB Electronic codebook ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm FIPS Federal Information Processing Standards FCI Fuse Configuration Interface GCC Global Clock Controller GCM Galois counter mode HLOS High Level Operating system HMAC Hash-based Message Authentication Code HW Hardware IC Integrated circuit KDF Key derivation function MCP Main control program NIST National Institute of Standards and Technology Qualcomm SPU250 Security Target Lite References 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 68 Acronym or term Definition NOC Network on chip NVM Non-volatile memory OAEP Optimal Asymmetric Encryption Padding OEM Original equipment manufacturer OS Operating system OTP One-time programmable PBL Primary Boot Loader PCB Printed circuit board PKCS Public Key Cryptography Standard PoP Package-on-package PP Protection Profile PSS Probabilistic Signature Scheme QTI Qualcomm Technologies Inc. RAM Random access memory RFC Request for Comments RNG Random number generator ROM Read only memory RPM Resource and power manager RSA Rivest, Shamir, Adleman RTL Register transfer level SFP Security function policy SFR Security functional requirement SHA Secure Hash Algorithm SIM Subscriber Identity Module SoC System-on-chip SP-AOTimer Always-on timer SP-ARI Anti-replay Island SP-CE Crypto engine SP-CMC Crypto management controller SP-CMU Cryptographic management unit SP-CPU Central processing unit SP-DMA Direct memory access SP-ExtMM External memory manager SP-KT Key table SP-LRM Local resource manager SP-MMU Memory management unit SP-PKA Asymmetric crypto operation SP-QFPROM Qualcomm Fuse-Programmable Read-Only Memory SP-SC Security controller SP-sMEM Shared memory SP-sCSR Shared configuration and status registers SPU Secure Processor Unit Qualcomm SPU250 Security Target Lite References 80-NU430-8 Rev. AD MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 69 Acronym or term Definition ST Security Target SW Software TEE Trusted Execution Environment TIC Test interface controller TOE Target of evaluation TR Technical report TSF TOE security function TSS TOE summary specification xPU External protection unit; (x is memory/register/address)