Vertiv CYBEX™ SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC, SC940DPHC, SC840DVI, SC940DVI Firmware Version 44404-E7E7 Peripheral Sharing Devices

Security Target

Doc No: 2149-001-D102C3
Version: 1.24
19 November 2021

Vertiv
1050 Dearborn Dr, Columbus, OH 43085

Prepared by:
EWA-Canada, An Intertek Company
1223 Michael Street North, Suite 200
Ottawa, Ontario, Canada K1J 7T2

Vertiv Peripheral Sharing Devices with Keyboard, Video, Mouse, and Audio Security Target Doc No: 2149-001-D102C3 Version: 1.24 Date: 19 November 2021 Page i of ii

CONTENTS

1 SECURITY TARGET INTRODUCTION
  1.1 DOCUMENT ORGANIZATION
  1.2 SECURITY TARGET REFERENCE
  1.3 TOE REFERENCE
  1.4 TOE OVERVIEW
      TOE Environment
  1.5 TOE DESCRIPTION
      Evaluated Configuration
      Physical Scope
      Logical Scope
2 CONFORMANCE CLAIMS
  2.1 COMMON CRITERIA CONFORMANCE CLAIM
  2.2 PROTECTION PROFILE CONFORMANCE CLAIM
  2.3 PACKAGE CLAIM
  2.4 MODULE CLAIM
  2.5 CONFORMANCE RATIONALE
3 SECURITY PROBLEM DEFINITION
  3.1 THREATS
  3.2 ORGANIZATIONAL SECURITY POLICIES
  3.3 ASSUMPTIONS
4 SECURITY OBJECTIVES
  4.1 SECURITY OBJECTIVES FOR THE TOE
  4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT
  4.3 SECURITY OBJECTIVES RATIONALE
5 EXTENDED COMPONENTS DEFINITION
  5.1 CLASS FDP: USER DATA PROTECTION
      FDP_AFL_EXT Audio Filtration
      FDP_APC_EXT Active PSD Connections
      FDP_CDS_EXT Connected Displays Supported
      FDP_FIL_EXT Device Filtering
      FDP_IPC_EXT Internal Protocol Conversion
      FDP_PDC_EXT Peripheral Device Connection
      FDP_PUD_EXT Powering Unauthorized Devices
      FDP_RDR_EXT Re-Enumeration Device Rejection
      FDP_RIP_EXT Residual Information Protection
      FDP_SPR_EXT Sub-Protocol Rules
      FDP_SWI_EXT PSD Switching
      FDP_UDF_EXT Unidirectional Data Flow
  5.2 CLASS FPT: PROTECTION OF THE TSF
      FPT_FLS_EXT Failure with Preservation of Secure State
      FPT_NTA_EXT No Access to TOE
      FPT_TST_EXT TSF Testing
  5.3 CLASS FTA: TOE ACCESS
      FTA_CIN_EXT Continuous Indications
6 SECURITY FUNCTIONAL REQUIREMENTS
  6.1 CONVENTIONS AND APPLICABILITY
      Conventions
      Section Applicability
  6.2 SECURITY FUNCTIONAL REQUIREMENTS FOR ALL DEVICES
      Security Audit (FAU)
      User Data Protection (FDP)
      Identification and Authentication
      Security Management (FMT)
      Protection of the TSF (FPT)
      TOE Access (FTA)
  6.3 ADDITIONAL SECURITY REQUIREMENTS FOR SC820DPH AND SC840DPH
      User Data Protection (FDP)
  6.4 ADDITIONAL SECURITY REQUIREMENTS FOR SC920DPH AND SC940DPH
      User Data Protection (FDP)
  6.5 ADDITIONAL SECURITY REQUIREMENTS FOR SC840DPHC
      User Data Protection (FDP)
  6.6 ADDITIONAL SECURITY REQUIREMENTS FOR SC940DPHC
      User Data Protection (FDP)
  6.7 ADDITIONAL SECURITY REQUIREMENTS FOR SC840DVI
      User Data Protection (FDP)
  6.8 ADDITIONAL SECURITY REQUIREMENTS FOR SC940DVI
      User Data Protection (FDP)
7 SECURITY ASSURANCE REQUIREMENTS
8 SECURITY REQUIREMENTS RATIONALE
  8.1 SECURITY FUNCTIONAL REQUIREMENTS RATIONALE
  8.2 DEPENDENCY RATIONALE
      Security Assurance Requirements Rationale
9 TOE SUMMARY SPECIFICATION
  9.1 SECURITY AUDIT
  9.2 USER DATA PROTECTION
      System Controller
      Keyboard and Mouse Switching Functionality
      Video Switching Functionality
      Audio Switching Functionality
  9.3 IDENTIFICATION AND AUTHENTICATION AND SECURITY MANAGEMENT
  9.4 PROTECTION OF THE TSF
      No Access to TOE
      Anti-tampering Functionality
      Reliable Timestamps
      TSF Testing
  9.5 TOE ACCESS
10 TERMINOLOGY AND ACRONYMS
  10.1 TERMINOLOGY
  10.2 ACRONYMS
11 REFERENCES
ANNEX A – LETTER OF VOLATILITY
ANNEX B – SFR DEVICE MATRIX

LIST OF TABLES

Table 1 – Non-TOE Hardware and Software
Table 2 – TOE Peripheral Sharing Devices and Features
Table 3 – Logical Scope of the TOE
Table 4 – Applicable Technical Decisions
Table 5 – Threats
Table 6 – Assumptions
Table 7 – Security Objectives for the TOE
Table 8 – Security Objectives for the Operational Environment
Table 9 – Security Objectives Rationale
Table 10 – Functional Families of Extended Components
Table 11 – Devices and Applicable Sections
Table 12 – Summary of Security Functional Requirements
Table 13 – Audio Filtration Specifications
Table 14 – Summary of Additional Security Functional Requirements for SC820DPH and SC840DPH
Table 15 – Summary of Additional Security Functional Requirements for SC920DPH and SC940DPH
Table 16 – Summary of Additional Security Functional Requirements for SC840DPHC
Table 17 – Summary of Additional Security Functional Requirements for SC940DPHC
Table 18 – Summary of Additional Security Functional Requirements for SC840DVI
Table 19 – Summary of Additional Security Functional Requirements for SC940DVI
Table 20 – Security Assurance Requirements
Table 21 – Functional Requirement Dependencies
Table 22 – Terminology
Table 23 – Acronyms
Table 24 – References
Table 25 – Security Functional Requirements and Devices

LIST OF FIGURES

Figure 1 – Simplified Switching Diagram
Figure 2 – KVM Switch Evaluated Configuration
Figure 3 – Display EDID Read Function
Figure 4 – Display EDID Write Function
Figure 5 – Display Normal Mode
Figure 6 – Channel Selection

1 SECURITY TARGET INTRODUCTION

This Security Target (ST) defines the scope of the evaluation in terms of the assumptions made, the intended environment for the Target of Evaluation (TOE), the Information Technology (IT) security functional and assurance requirements to be met, and the level of confidence (evaluation assurance level) to which it is asserted that the TOE satisfies its IT security requirements. This document forms the baseline for the Common Criteria (CC) evaluation.

1.1 DOCUMENT ORGANIZATION

Section 1, Security Target Introduction, provides the Security Target reference, the Target of Evaluation reference, the TOE overview and the TOE description.

Section 2, Conformance Claims, describes how the ST conforms to the Common Criteria, Protection Profile (PP) and PP Modules.

Section 3, Security Problem Definition, describes the expected environment in which the TOE is to be used. This section defines the set of threats that are relevant to the secure operation of the TOE, organizational security policies with which the TOE must comply, and secure usage assumptions applicable to this analysis.

Section 4, Security Objectives, defines the set of security objectives to be satisfied by the TOE and by the TOE operating environment in response to the problem defined by the security problem definition.

Section 5, Extended Components Definition, defines the extended components which are then detailed in Section 6.

Section 6, Security Functional Requirements, specifies the security functional requirements that must be satisfied by the TOE and the IT environment.

Section 7, Security Assurance Requirements, specifies the security assurance requirements that must be satisfied by the TOE and the IT environment.

Section 8, Security Requirements Rationale, provides a rationale for the selection of functional and assurance requirements.

Section 9, TOE Summary Specification, describes the security functions that are included in the TOE to enable it to meet the IT security functional requirements.

Section 10, Terminology and Acronyms, defines the acronyms and terminology used in this ST.

Section 11, References, provides a list of documents referenced in this ST.

1.2 SECURITY TARGET REFERENCE

ST Title: Vertiv CYBEX™ SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC, SC940DPHC, SC840DVI, SC940DVI Firmware Version 44404-E7E7 Peripheral Sharing Devices Security Target
ST Version: 1.24
ST Date: 19 November 2021

1.3 TOE REFERENCE

TOE Identification: Vertiv CYBEX™ SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC, SC940DPHC, SC840DVI, SC940DVI Firmware Version 44404-E7E7 Peripheral Sharing Devices
TOE Developer: Vertiv
TOE Type: Peripheral Sharing Device (Other Devices and Systems)

1.4 TOE OVERVIEW

The Vertiv Secure Peripheral Sharing Devices (PSD) allow users to share keyboard, video, and mouse peripherals between a number of connected computers. The devices also allow for the sharing of audio device peripherals.

The following security features are provided by the Vertiv Peripheral Sharing Devices:

• Video Security
  o Computer video input interfaces are isolated through the use of separate electronic components, power and ground domains
  o The display is isolated by dedicated, read-only, Extended Display Identification Data (EDID) emulation for each computer
  o Access to the monitor’s EDID is blocked
  o Access to the Monitor Control Command Set (MCCS commands) is blocked
  o DisplayPort (DP) and High-Definition Multimedia Interface (HDMI) video peripherals are supported by the SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC and SC940DPHC devices. DVI-D video peripheral devices are supported by the SC840DVI and SC940DVI devices
  o Video input is accepted as DisplayPort or HDMI on the SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC and SC940DPHC devices. Additionally, the SC840DPHC and SC940DPHC accept USB-Type C with DisplayPort as an alternate function. The SC840DVI and SC940DVI devices accept DVI-D video input
• Keyboard and Mouse Security
  o The keyboard and mouse are isolated by dedicated, USB device emulation for each computer
  o One-way, peripheral-to-computer data flow is enforced through unidirectional optical data diodes
  o Communication from computer-to-keyboard/mouse is blocked
  o Non-HID (Human Interface Device) data transactions are blocked
• Audio Security
  o One-way computer to speaker sound flow is enforced through unidirectional optical data diodes
• Hardware Anti-Tampering
  o Any attempt to open the product enclosure will activate an anti-tampering system, making the product inoperable and indicating tampering via blinking Light Emitting Diodes (LEDs)
  o Special holographic tamper-evident labels on the product’s enclosure provide a clear visual indication if the product has been opened or compromised

Vertiv secure peripheral sharing devices use multiple isolated microcontrollers (one microcontroller per connected computer) to emulate connected peripherals in order to prevent display signaling, keyboard signaling, and power signaling attacks.

Figure 1 is a simplified block diagram showing the TOE keyboard and mouse data path for two ports. A Host Emulator (HE) communicates with the user keyboard via the USB protocol. The Host Emulator converts user keystrokes into unidirectional serial data. That unidirectional serial data is passed through the switch that is used to select between Computer A and Computer B. Isolated Device Emulators (DE) are connected to the data switch on one side and to the respective computers on the other side. Each keystroke is converted by the selected DE into a bi-directional stream to communicate with the computer.

Figure 1 – Simplified Switching Diagram

The TOE is a combined software and hardware TOE. A mapping showing the applicable SFRs for each device is included in Annex B.

TOE Environment

The following components are required for operation of the TOE in the evaluated configuration.

| Component | Description |
|---|---|
| Connected Computers | 2-4 General purpose computers |
| Keyboard | General purpose USB keyboard |
| Mouse | General purpose USB mouse |
| Audio output device | Analog audio output device (speakers or headphones) |
| User display | Standard computer display (HDMI 2.0, DVI-D or DisplayPort 1.1, 1.2 or 1.3) |
| Vertiv KVM Cables | USB Type-A to USB Type-B (keyboard and mouse); Video cable (DisplayPort, USB-C, DVI and HDMI); 3.5mm stereo cable (Audio cable) |

Table 1 – Non-TOE Hardware and Software

1.5 TOE DESCRIPTION

Evaluated Configuration

Figure 2 – KVM Switch Evaluated Configuration

Figure 2 shows a basic evaluated configuration. In the evaluated configuration, the TOE is connected to two or four computers. The video input is DisplayPort, HDMI, DVI-D or USB-C, and one or two displays are connected. The peripheral sharing device is connected to speakers or headphones. The TOE is used with a remote control.

Physical Scope

The TOE consists of the devices shown in Table 2.

| Family Description | Part Number | Model | Active Anti-tampering | Tamper Evident labels | User Authentication and audit logging | Analog Audio | Video in | Video out | Number of supported displays | KM |
|---|---|---|---|---|---|---|---|---|---|---|
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA19196 | SC820DPH | Yes | Yes | Yes | Yes | DP/HDMI | DP/HDMI | 1 | Yes |
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA19198 | SC840DPH | Yes | Yes | Yes | Yes | DP/HDMI | DP/HDMI | 1 | Yes |
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA19201 | SC920DPH | Yes | Yes | Yes | Yes | DP/HDMI | DP/HDMI | 2 | Yes |
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA19246 | SC940DPH | Yes | Yes | Yes | Yes | DP/HDMI | DP/HDMI | 2 | Yes |
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA20362 | SC840DPHC | Yes | Yes | Yes | Yes | DP/HDMI + USB Type C | DP/HDMI | 1 | Yes |
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA20364 | SC940DPHC | Yes | Yes | Yes | Yes | DP/HDMI + USB Type C | DP/HDMI | 2 | Yes |
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA19209 | SC840DVI | Yes | Yes | Yes | Yes | DVI-D | DVI-D | 1 | Yes |
| KVM Switches with active anti-tampering, analog audio, user authentication and audit logging. | CGA19210 | SC940DVI | Yes | Yes | Yes | Yes | DVI-D | DVI-D | 2 | Yes |
| Remote Control | CGA26687 | SCAFP0004 | Yes | Yes | N/A | N/A | N/A | N/A | N/A | N/A |

Table 2 – TOE Peripheral Sharing Devices and Features

1.5.2.1 TOE Delivery

The TOE, together with its corresponding cables, is delivered to the customer via a trusted carrier, such as Fed-Ex, that provides a tracking service for all shipments.

1.5.2.2 TOE Guidance

The TOE includes the following guidance documentation:

• CYBEX™ SC SERIES SECURE SWITCHES SC800DPHC/SC900DPHC, 590-2284-501 Rev. B
• CYBEX™ SC SERIES SECURE SWITCHES SC800/900DPH, SC800/900DVI, and SCKM100PP4, 590-2282-501B
• Cybex™ SC/SCM Switching System Additional Operations and Configuration Technical Bulletin, 590-1741-501 Rev. B

Guidance may be downloaded from the Vertiv website (www.vertiv.com) in .pdf format.

The following guidance is available upon request by emailing support.avocent@vertiv.com:

• Vertiv CYBEX™ SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC, SC940DPHC, SC840DVI, SC940DVI Firmware Version 44404-E7E7 Peripheral Sharing Devices Common Criteria Guidance Supplement, Version: 1.7

Logical Scope

The logical boundary of the TOE includes all interfaces and functions within the physical boundary. The logical boundary of the TOE may be broken down by the security function classes described in Section 6. Table 3 summarizes the logical scope of the TOE.

| Functional Classes | Description |
|---|---|
| Security Audit | Audit entries are generated for security related events. |
| User Data Protection | The TOE provides secure switching capabilities for keyboard and mouse, display, and audio output. The TOE ensures that only authorized peripheral devices may be used. |
| Identification and Authentication | Administrators must be identified and authenticated prior to accessing administrative functions. |
| Security Management | The TOE provides management capabilities that allow reset to factory default, management of administrator accounts and administrator password changes. The Administrator role restricts this functionality to authorized administrators. |
| Protection of the TSF¹ | The TOE ensures a secure state in the case of failure, provides only restricted access, and performs self-testing. The TOE provides both passive detection of physical attack, and active resistance to attack. The TOE provides reliable timestamps in support of the audit function. |
| TOE Access | The TOE provides a continuous indication of which computer is currently selected. |

Table 3 – Logical Scope of the TOE

¹ TOE Security Functionality

2 CONFORMANCE CLAIMS

2.1 COMMON CRITERIA CONFORMANCE CLAIM

This Security Target claims to be conformant to Version 3.1 of Common Criteria for Information Technology Security Evaluation according to:

• Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; CCMB-2017-04-001, Version 3.1, Revision 5, April 2017
• Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; CCMB-2017-04-002, Version 3.1, Revision 5, April 2017
• Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components; CCMB-2017-04-003, Version 3.1, Revision 5, April 2017

As follows:

• CC Part 2 extended
• CC Part 3 conformant

The Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017 has been taken into account.

2.2 PROTECTION PROFILE CONFORMANCE CLAIM

This ST claims exact conformance to the National Information Assurance Partnership (NIAP) PP‐Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, and Video/Display Devices [CFG_PSD‐AO‐KM‐VI_V1.0], which references the Protection Profile for Peripheral Sharing Device Version 4.0 [PP_PSD_V4.0], and the modules listed in Section 2.4.

The Technical Decisions in Table 4 apply to the PP and the modules and have been accounted for in the ST and in the evaluation.

| Technical Decision | PP or Module |
|---|---|
| TD0506 | [MOD_VI_V1.0] |
| TD0507 | [MOD_KM_V1.0] |
| TD0514 | [MOD_VI_V1.0] |
| TD0518 | [PP_PSD_V4.0] |
| TD0539 | [MOD_VI_V1.0] |
| TD0557 | [MOD_AO_V1.0] |
| TD0583 | [PP_PSD_V4.0] |
| TD0584 | [MOD_VI_V1.0] |
| TD0585 | [MOD_AO_V1.0] |
| TD0586 | [MOD_VI_V1.0] |
| TD0593 | [MOD_AO_V1.0], [MOD_KM_V1.0], [MOD_VI_V1.0] |

Table 4 – Applicable Technical Decisions

2.3 PACKAGE CLAIM

This Security Target does not claim conformance with any package.

2.4 MODULE CLAIM

The following PP‐Modules are specified in a PP‐Configuration with this PP:

• PP‐Module for Analog Audio Output Devices, Version 1.0
• PP‐Module for Keyboard/Mouse Devices, Version 1.0
• PP‐Module for Video/Display Devices, Version 1.0

2.5 CONFORMANCE RATIONALE

The TOE Keyboard, Video, Mouse (KVM) switches are inherently consistent with the Compliant Targets of Evaluation described in the [PP_PSD_V4.0] and in the PP modules listed in Section 2.4, and with the PP‐Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, and Video/Display Devices [CFG_PSD‐AO‐KM‐VI_V1.0].

The security problem definition, statement of security objectives and statement of security requirements in this ST conform exactly to the security problem definition, statement of security objectives and statement of security requirements contained in [PP_PSD_V4.0] and the modules listed in Section 2.4.

3 SECURITY PROBLEM DEFINITION

3.1 THREATS

Table 5 lists the threats described in Section 3.1 of the [PP_PSD_V4.0] and [MOD_AO_V1.0]. Mitigation to the threats is through the objectives identified in Section 4.1, Security Objectives for the TOE.
Threat Description T.DATA_LEAK A connection via the PSD between one or more computers may allow unauthorized data flow through the PSD or its connected peripherals. T.SIGNAL_LEAK A connection via the PSD between one or more computers may allow unauthorized data flow through bit‐by‐bit signaling. T.RESIDUAL_LEAK A PSD may leak (partial, residual, or echo) user data between the intended connected computer and another unintended connected computer. T.UNINTENDED_USE A PSD may connect the user to a computer other than the one to which the user intended to connect. T.UNAUTHORIZED_DEVICES The use of an unauthorized peripheral device with a specific PSD peripheral port may allow unauthorized data flows between connected devices or enable an attack on the PSD or its connected computers. T.LOGICAL_TAMPER An attached device (computer or peripheral) with malware, or otherwise under the control of a malicious user, could modify or overwrite code or data stored in the PSD’s volatile or non‐volatile memory to allow unauthorized information flows. T.PHYSICAL_TAMPER A malicious user or human agent could physically modify the PSD to allow unauthorized information flows. T.REPLACEMENT A malicious human agent could replace the PSD during shipping, storage, or use with an alternate device that does not enforce the PSD security policies. T.FAILED Detectable failure of a PSD may cause an unauthorized information flow or weakening of PSD security functions. Vertiv Peripheral Sharing Devices with Keyboard, Video, Mouse, and Audio Security Target Doc No: 2149-001-D102C3 Version: 1.24 Date: 19 November 2021 Page 12 of 84 Threat Description T.MICROPHONE_USE A malicious agent could use an unauthorized peripheral device such as a microphone, connected to the TOE audio out peripheral device interface to eavesdrop or transfer data across an air‐gap through audio signaling. 
T.AUDIO_REVERSED A malicious agent could repurpose an authorized audio output peripheral device by converting it to a low‐gain microphone to eavesdrop on the surrounding audio or transfer data across an air‐gap through audio signaling. Table 5 – Threats 3.2 ORGANIZATIONAL SECURITY POLICIES There are no Organizational Security Policies applicable to this TOE. 3.3 ASSUMPTIONS The assumptions required to ensure the security of the TOE are listed in Table 6. Assumptions Description A.NO_TEMPEST Computers and peripheral devices connected to the PSD are not TEMPEST approved. The TSF may or may not isolate the ground of the keyboard and mouse computer interfaces (the USB ground). The Operational Environment is assumed not to support TEMPEST red‐black ground isolation. A.PHYSICAL The environment provides physical security commensurate with the value of the TOE and the data it processes and contains. A.NO_WIRELESS_DEVICES The environment includes no wireless peripheral devices. A.TRUSTED_ADMIN PSD Administrators and users are trusted to follow and apply all guidance in a trusted manner. A.TRUSTED_CONFIG Personnel configuring the PSD and its operational environment follow the applicable security configuration guidance. A.USER_ALLOWED_ACCESS All PSD users are allowed to interact with all connected computers. It is not the role of the PSD to prevent or otherwise control user access to connected computers. Computers or their connected network Vertiv Peripheral Sharing Devices with Keyboard, Video, Mouse, and Audio Security Target Doc No: 2149-001-D102C3 Version: 1.24 Date: 19 November 2021 Page 13 of 84 Assumptions Description shall have the required means to authenticate the user and to control access to their various resources. 
A.NO_SPECIAL_ANALOG _CAPABILITIES The computers connected to the TOE are not equipped with special analog data collection cards or peripherals such as analog to digital interface, high performance audio interface, digital signal processing function, or analog video capture function. A.NO_MICROPHONES Users are trained not to connect a microphone to the TOE audio output interface. Table 6 – Assumptions Vertiv Peripheral Sharing Devices with Keyboard, Video, Mouse, and Audio Security Target Doc No: 2149-001-D102C3 Version: 1.24 Date: 19 November 2021 Page 14 of 84 4 SECURITY OBJECTIVES The purpose of the security objectives is to address the security concerns and to show which security concerns are addressed by the TOE, and which are addressed by the environment. Threats may be addressed by the TOE or the security environment or both. Therefore, the CC identifies two categories of security objectives: • Security objectives for the TOE • Security objectives for the environment 4.1 SECURITY OBJECTIVES FOR THE TOE This section identifies and describes the security objectives that are to be addressed by the TOE, and traces each Security Functional Requirement (SFR) back to a security objective of the TOE. Security Objective Description O.COMPUTER _INTERFACE _ISOLATION The PSD shall prevent unauthorized data flow to ensure that the PSD and its connected peripheral devices cannot be exploited in an attempt to leak data. The TOE‐Computer interface shall be isolated from all other PSD‐Computer interfaces while TOE is powered. Addressed by: MOD_AO FDP_APC_EXT.1/AO, FDP_PDC_EXT.1, FDP_PDC_EXT.2/AO, FDP_PUD_EXT.1 MOD_VI FDP_APC_EXT.1/VI, FDP_PDC_EXT.1 MOD_KM FDP_APC_EXT.1/KM, FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1, FDP_RDR_EXT.1, FDP_SWI_EXT.3/KM O.COMPUTER _INTERFACE _ISOLATION _TOE_UNPOWERED The PSD shall not allow data to transit a PSD‐Computer interface while the PSD is unpowered. 
Addressed by:
MOD_AO FDP_APC_EXT.1/AO, FDP_PDC_EXT.1, FDP_PDC_EXT.2/AO, FDP_PUD_EXT.1
MOD_VI FDP_APC_EXT.1/VI, FDP_PDC_EXT.1
MOD_KM FDP_APC_EXT.1/KM, FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1, FDP_RDR_EXT.1, FDP_SWI_EXT.3/KM

O.USER_DATA_ISOLATION
The PSD shall route user data, such as keyboard entries, only to the computer selected by the user. The PSD shall provide isolation between the data flowing from the peripheral device to the selected computer and any non‐selected computer.
Addressed by:
MOD_AO FDP_APC_EXT.1/AO, FDP_PDC_EXT.1, FDP_PDC_EXT.2/AO, FDP_PUD_EXT.1
MOD_VI FDP_APC_EXT.1/VI, FDP_PDC_EXT.1
MOD_KM FDP_APC_EXT.1/KM, FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1, FDP_RDR_EXT.1, FDP_SWI_EXT.3/KM

O.NO_USER_DATA_RETENTION
The PSD shall not retain user data in non‐volatile memory after power up or, if supported, factory reset.
Addressed by:
PP_PSD FDP_RIP_EXT.1, FDP_RIP_EXT.2
MOD_KM FDP_RIP.1/KM

O.NO_OTHER_EXTERNAL_INTERFACES
The PSD shall not have any external interfaces other than those implemented by the TSF.
Addressed by:
PP_PSD FDP_PDC_EXT.1

O.LEAK_PREVENTION_SWITCHING
The PSD shall ensure that there are no switching mechanisms that allow signal data leakage between connected computers.
Addressed by:
PP_PSD FDP_SWI_EXT.1, FDP_SWI_EXT.2

O.AUTHORIZED_USAGE
The TOE shall explicitly prohibit or ignore unauthorized switching mechanisms, either because it supports only one connected computer or because it allows only authorized mechanisms to switch between connected computers. Authorized switching mechanisms shall require express user action restricted to console buttons, console switches, console touch screen, wired remote control, and peripheral devices using a guard.
Unauthorized switching mechanisms include keyboard shortcuts, also known as “hotkeys,” automatic port scanning, control through a connected computer, and control through keyboard shortcuts. Where applicable, the results of the switching activity shall be indicated by the TSF so that it is clear to the user that the switching mechanism was engaged as intended. A conformant TOE may also provide a management function to configure some aspects of the TSF. If the TOE provides this functionality, it shall ensure that whatever management functions it provides can only be performed by authorized administrators and that an audit trail of management activities is generated.
Addressed by:
PP_PSD FAU_GEN.1, FDP_SWI_EXT.1, FDP_SWI_EXT.2, FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FTA_CIN_EXT.1
MOD_VI FDP_CDS_EXT.1(1), FDP_CDS_EXT.1(2), FTA_CIN_EXT.1
MOD_KM FDP_FIL_EXT.1/KM

O.PERIPHERAL_PORTS_ISOLATION
The PSD shall ensure that data does not flow between peripheral devices connected to different PSD interfaces.
Addressed by:
MOD_AO FDP_APC_EXT.1/AO, FDP_PDC_EXT.1, FDP_PDC_EXT.2/AO, FDP_PUD_EXT.1
MOD_VI FDP_APC_EXT.1/VI, FDP_PDC_EXT.1
MOD_KM FDP_APC_EXT.1/KM, FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1, FDP_RDR_EXT.1, FDP_SWI_EXT.3/KM

O.REJECT_UNAUTHORIZED_PERIPHERAL
The PSD shall reject unauthorized peripheral device types and protocols.
Addressed by:
PP_PSD FDP_PDC_EXT.1
MOD_AO FDP_APC_EXT.1/AO, FDP_PDC_EXT.1, FDP_PDC_EXT.2/AO, FDP_PUD_EXT.1
MOD_VI FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI, FDP_IPC_EXT.1, FDP_SPR_EXT.1/DP, FDP_SPR_EXT.1/HDMI, FDP_SPR_EXT.1/DVI-D, FDP_SPR_EXT.1/USB
MOD_KM FDP_APC_EXT.1/KM, FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1, FDP_RDR_EXT.1, FDP_SWI_EXT.3/KM, FDP_PDC_EXT.2/KM, FDP_PDC_EXT.3/KM

O.REJECT_UNAUTHORIZED_ENDPOINTS
The PSD shall reject unauthorized peripheral devices connected via a Universal Serial Bus (USB) hub.
Addressed by:
PP_PSD FDP_PDC_EXT.1
MOD_KM FDP_APC_EXT.1/KM, FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1, FDP_RDR_EXT.1, FDP_SWI_EXT.3/KM

O.NO_TOE_ACCESS
The PSD firmware, software, and memory shall not be accessible via its external ports.
Addressed by:
PP_PSD FPT_NTA_EXT.1

O.TAMPER_EVIDENT_LABEL
The PSD shall be identifiable as authentic by the user and the user must be made aware of any procedures or other such information to accomplish authentication. This feature must be available upon receipt of the PSD and continue to be available during the PSD deployment. The PSD shall be labeled with at least one visible unique identifying tamper‐evident marking that can be used to authenticate the device. The PSD manufacturer must maintain a complete list of manufactured PSD articles and their respective identification markings’ unique identifiers.
Addressed by:
PP_PSD FPT_PHP.1

O.ANTI_TAMPERING
The PSD shall be physically enclosed so that any attempts to open or otherwise access the internals or modify the connections of the PSD would be evident, and optionally thwarted through disablement of the TOE. Note: This applies to a wired remote control as well as the main chassis of the PSD.
Addressed by:
PP_PSD FPT_PHP.1, FPT_PHP.3

O.SELF_TEST
The PSD shall perform self‐tests following power up or powered reset.
Addressed by:
PP_PSD FPT_TST.1

O.SELF_TEST_FAIL_TOE_DISABLE
The PSD shall enter a secure state upon detection of a critical failure.
Addressed by:
PP_PSD FPT_FLS_EXT.1, FPT_TST_EXT.1

O.SELF_TEST_FAIL_INDICATION
The PSD shall provide clear and visible user indications in the case of a self‐test failure.
Addressed by:
PP_PSD FPT_TST_EXT.1

O.PROTECTED_EDID
The TOE shall read the connected display Extended Display Identification Data (EDID) once during the TOE power up or reboot sequence and prevent any EDID channel write transactions that connected computers initiate.
Addressed by:
MOD_VI FDP_PDC_EXT.2/VI, FDP_SPR_EXT.1/DP, FDP_SPR_EXT.1/HDMI, FDP_SPR_EXT.1/DVI-D, FDP_SPR_EXT.1/USB

O.UNIDIRECTIONAL_VIDEO
The TOE shall enforce unidirectional video data flow from the connected computer video interface to the display interface only.
Addressed by:
MOD_VI FDP_UDF_EXT.1/VI

O.UNIDIRECTIONAL_AUDIO_OUT
The PSD shall enforce the unidirectional flow of audio data from the analog audio computer interface to the analog audio peripheral interface.
Addressed by:
MOD_AO FDP_APC_EXT.1/AO, FDP_AFL_EXT.1, FDP_UDF_EXT.1/AO

O.COMPUTER_TO_AUDIO_ISOLATION
The PSD shall isolate the analog audio output function from all other TOE functions.
Addressed by:
MOD_AO FDP_APC_EXT.1/AO, FDP_UDF_EXT.1/AO

O.EMULATED_INPUT
The TOE shall emulate the keyboard and/or mouse functions from the TOE to the connected computer.
Addressed by:
MOD_KM FDP_PDC_EXT.2/KM, FDP_PDC_EXT.3/KM

O.UNIDIRECTIONAL_INPUT
The TOE shall enforce unidirectional keyboard and/or mouse device’s data flow from the peripheral device to only the selected computer.
Addressed by:
MOD_KM FDP_UDF_EXT.1/KM

Table 7 – Security Objectives for the TOE

4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT

This section identifies and describes the security objectives that are to be addressed by the IT environment or by non-technical or procedural means.

Security Objective | Description

OE.NO_TEMPEST
The operational environment will not use TEMPEST approved equipment.

OE.PHYSICAL
The operational environment will provide physical security, commensurate with the value of the PSD and the data that transits it.

OE.NO_WIRELESS_DEVICES
The operational environment will not include wireless keyboards, mice, audio, user authentication, or video devices.

OE.TRUSTED_ADMIN
The operational environment will ensure that trusted PSD Administrators and users are appropriately trained.

OE.TRUSTED_CONFIG
The operational environment will ensure that administrators configuring the PSD and its operational environment follow the applicable security configuration guidance.

OE.NO_SPECIAL_ANALOG_CAPABILITIES
The operational environment will not have special analog data collection cards or peripherals such as analog to digital interface, high performance audio interface, or a component with digital signal processing or analog video capture functions.

OE.NO_MICROPHONES
The operational environment is expected to ensure that microphones are not plugged into the TOE audio output interfaces.
Table 8 – Security Objectives for the Operational Environment

4.3 SECURITY OBJECTIVES RATIONALE

The security objectives rationale describes how the assumptions and threats map to the security objectives.

Threat or Assumption | Security Objective(s) | Rationale

T.DATA_LEAK

O.COMPUTER_INTERFACE_ISOLATION
Isolation of computer interfaces prevents data from leaking between them without authorization.

O.COMPUTER_INTERFACE_ISOLATION_TOE_UNPOWERED
Maintaining interface isolation while the TOE is in an unpowered state ensures that data cannot leak between computer interfaces.

O.USER_DATA_ISOLATION
The TOE’s routing of data only to the selected computer ensures that it will not leak to any others.

O.NO_OTHER_EXTERNAL_INTERFACES
The absence of additional external interfaces ensures that there is no unexpected method by which data can be leaked.

O.PERIPHERAL_PORTS_ISOLATION
Isolation of peripheral ports prevents data from leaking between them without authorization.

O.UNIDIRECTIONAL_INPUT
The TOE’s enforcement of unidirectional input for keyboard/mouse data prevents leakage of computer data through a connected peripheral interface.

O.PROTECTED_EDID
The TOE’s protection of the EDID interface prevents its use as a vector for unauthorized data leakage via this channel.

O.UNIDIRECTIONAL_VIDEO
The TOE’s enforcement of unidirectional output for video data protects against data leakage via connected computers by ensuring that no video data can be input to a connected computer through this interface.

T.SIGNAL_LEAK

O.COMPUTER_INTERFACE_ISOLATION
Isolation of computer interfaces prevents data leakage through bit‐wise signaling because there is no mechanism by which the signal data can be communicated.
O.NO_OTHER_EXTERNAL_INTERFACES
The absence of additional external interfaces ensures that there is no unexpected method by which data can be leaked through bitwise signaling.

O.LEAK_PREVENTION_SWITCHING
The TOE’s use of switching methods that are not susceptible to signal leakage helps mitigate the signal leak threat.

O.UNIDIRECTIONAL_INPUT
The TOE’s enforcement of unidirectional input for keyboard/mouse data prevents leakage of computer data through bit‐by‐bit signaling to a connected peripheral interface.

O.PROTECTED_EDID
The TOE’s protection of the EDID interface prevents its use as a vector for bit‐by‐bit signal leakage via this channel.

O.UNIDIRECTIONAL_VIDEO
The TOE’s enforcement of unidirectional output for video data protects against signaling leakage via connected computers by ensuring that no video data can be input to a connected computer through this interface.

O.UNIDIRECTIONAL_AUDIO_OUT
O.UNIDIRECTIONAL_AUDIO_OUT mitigates this threat by preventing the exploitation of the analog audio output to receive signaled data from a connected computer. Analog audio output in standard computers may be exploited to become audio input in some audio codecs. Audio devices such as headphones may also be used as low‐gain dynamic microphones. If the TOE design assures that analog audio reverse signal attenuation is below the noise floor level then the audio signal may not be recovered from the resultant audio stream. This prevents potential misuse of headphones connected to the TOE for audio eavesdropping.

O.COMPUTER_TO_AUDIO_ISOLATION
O.COMPUTER_TO_AUDIO_ISOLATION mitigates this threat by ensuring that analog audio output converted to input by a malicious driver cannot pick up signals from other computer interfaces.
A TOE design that ensures that audio signals are not leaked to any other TOE interface can effectively prevent a potential signaling leakage across the TOE through analog audio.

T.RESIDUAL_LEAK

O.NO_USER_DATA_RETENTION
The TOE’s lack of data retention ensures that a residual data leak is not possible.

O.PROTECTED_EDID
The TOE’s protection of the EDID interface prevents the leakage of residual data by ensuring that no such data can be written to EDID memory.

T.UNINTENDED_USE

O.AUTHORIZED_USAGE
The TOE’s support for only switching mechanisms that require explicit user action to engage ensures that a user has sufficient information to avoid interacting with an unintended computer.

T.UNAUTHORIZED_DEVICES

O.REJECT_UNAUTHORIZED_ENDPOINTS
The TOE’s ability to reject unauthorized endpoints mitigates the threat of unauthorized devices being used to communicate with connected computers.

O.REJECT_UNAUTHORIZED_PERIPHERAL
The TOE’s ability to reject unauthorized peripherals mitigates the threat of unauthorized devices being used to communicate with connected computers.

O.EMULATED_INPUT
The TOE’s emulation of keyboard/mouse data input ensures that a connected computer will only receive this specific type of data through a connected peripheral.

O.UNIDIRECTIONAL_VIDEO
The TOE’s limitation of supported video protocol interfaces prevents the connection of unauthorized devices.

T.LOGICAL_TAMPER

O.NO_TOE_ACCESS
The TOE’s prevention of logical access to its firmware, software, and memory mitigates the threat of logical tampering.

O.EMULATED_INPUT
The TOE’s emulation of keyboard/mouse data input prevents logical tampering of the TSF ensuring that only known inputs to it are supported.
T.PHYSICAL_TAMPER

O.ANTI_TAMPERING
The TOE mitigates the threat of physical tampering through use of an enclosure that provides tamper detection functionality.

O.TAMPER_EVIDENT_LABEL
The TOE mitigates the threat of physical tampering through use of tamper evident labels that reveal physical tampering attempts.

T.REPLACEMENT

O.TAMPER_EVIDENT_LABEL
The TOE’s use of a tamper evident label that provides authenticity of the device mitigates the threat that it is substituted for a replacement device during the acquisition process.

T.FAILED

O.SELF_TEST
The TOE mitigates the threat of failures leading to compromise of security functions through self‐tests of its own functionality.

O.SELF_TEST_FAIL_TOE_DISABLE
The TOE mitigates the threat of failures leading to compromise of security functions by disabling all data flows in the event a failure is detected.

O.SELF_TEST_FAIL_INDICATION
The TOE mitigates the threat of failures leading to compromise of security functions by providing users with a clear indication when it is in a failure state and should not be trusted.

T.MICROPHONE_USE

O.UNIDIRECTIONAL_AUDIO_OUT
O.UNIDIRECTIONAL_AUDIO_OUT mitigates this threat by attenuating the strength of any inbound transmission of audio data through the TOE from a connected peripheral. If the TOE design ensures that analog audio reverse signal attenuation is below the noise floor level then any audio signal should not have sufficient strength to be usable.

T.AUDIO_REVERSED

O.UNIDIRECTIONAL_AUDIO_OUT
O.UNIDIRECTIONAL_AUDIO_OUT mitigates this threat by ensuring that the TOE’s audio peripheral interface(s) are exclusively used to output audio.
A.NO_TEMPEST

OE.NO_TEMPEST
If the TOE’s operational environment does not include TEMPEST approved equipment, then the assumption is satisfied.

A.NO_PHYSICAL

OE.PHYSICAL
If the TOE’s operational environment provides physical security, then the assumption is satisfied.

A.NO_WIRELESS_DEVICES

OE.NO_WIRELESS_DEVICES
If the TOE’s operational environment does not include wireless peripherals, then the assumption is satisfied.

A.TRUSTED_ADMIN

OE.TRUSTED_ADMIN
If the TOE’s operational environment ensures that only trusted administrators will manage the TSF, then the assumption is satisfied.

A.TRUSTED_CONFIG

OE.TRUSTED_CONFIG
If TOE administrators follow the provided security configuration guidance, then the assumption is satisfied.

A.USER_ALLOWED_ACCESS

OE.PHYSICAL
If the TOE’s operational environment provides physical access to connected computers, then the assumption is satisfied.

A.NO_SPECIAL_ANALOG_CAPABILITIES

OE.NO_SPECIAL_ANALOG_CAPABILITIES
If administrators in the TOE’s operational environment take care to ensure that computers with special analog data collection interfaces are not connected to the TOE, then the assumption that such components are not present is satisfied.

A.NO_MICROPHONES

OE.NO_MICROPHONES
The assumption is upheld by the objective since the users in the environment are trained not to connect a microphone to the TOE audio output interface.
Table 9 – Security Objectives Rationale

5 EXTENDED COMPONENTS DEFINITION

The extended components definition is presented in Appendix C of the Protection Profile for Peripheral Sharing Device [PP_PSD_V4.0] and in the modules for analog audio output devices [MOD_AO_V1.0], keyboard/mouse devices [MOD_KM_V1.0], and display devices [MOD_VI_1.0]. It is repeated here to ensure the completeness of this ST. The families to which these components belong are identified in the following table:

Functional Class | Functional Families

User Data Protection (FDP)
FDP_AFL_EXT Audio Filtration
FDP_APC_EXT Active PSD Connections
FDP_CDS_EXT Connected Displays Supported
FDP_FIL_EXT Device Filtering
FDP_IPC_EXT Internal Protocol Conversion
FDP_PDC_EXT Peripheral Device Connection
FDP_PUD_EXT Powering Unauthorized Devices
FDP_RDR_EXT Re-Enumeration Device Rejection
FDP_RIP_EXT Residual Information Protection
FDP_SPR_EXT Sub-Protocol Rules
FDP_SWI_EXT PSD Switching
FDP_UDF_EXT Unidirectional Data Flow

Protection of the TSF (FPT)
FPT_FLS_EXT Failure with Preservation of Secure State
FPT_NTA_EXT No Access to TOE
FPT_TST_EXT TSF Testing

TOE Access (FTA)
FTA_CIN_EXT Continuous Indications

Table 10 – Functional Families of Extended Components

5.1 CLASS FDP: USER DATA PROTECTION

FDP_AFL_EXT Audio Filtration

Family Behavior
Components in this family define the requirements for device filtering.

Component Leveling
FDP_AFL_EXT.1 Audio Filtration, requires the TSF to enforce outgoing audio filtration levels.

Management: FDP_AFL_EXT.1
No specific management functions are identified.

Audit: FDP_AFL_EXT.1
No specific audit functions are defined.
FDP_AFL_EXT.1 Device Filtering
Hierarchical to: No other components.
Dependencies: FDP_PDC_EXT.1 Peripheral Device Connection

FDP_AFL_EXT.1.1 The TSF shall ensure outgoing audio signals are filtered as per [assignment: document reference to the table below].

Frequency (kHz)    Minimum Attenuation (dB)    Maximum Voltage After Attenuation
14                 23.9                        127.65 mV
15                 26.4                        95.73 mV
16                 30.8                        57.68 mV
17                 35.0                        35.57 mV
18                 38.8                        22.96 mV
19                 43.0                        14.15 mV
20                 46.0                        10.02 mV
30                 71.4                        0.53 mV
40                 71.4                        0.53 mV
50                 71.4                        0.53 mV
60                 71.4                        0.53 mV

FDP_APC_EXT Active PSD Connections

Family Behavior
Components in this family define the requirements for when an external interface to the TOE is authorized to transmit data related to peripheral sharing.

Component Leveling
FDP_APC_EXT.1 Active PSD Connections, restricts the flow of data through the TSF.

Management: FDP_APC_EXT.1
No specific management functions are identified.

Audit: FDP_APC_EXT.1
There are no auditable events foreseen.

FDP_APC_EXT.1 Active PSD Connections
Hierarchical to: No other components.
Dependencies: No dependencies

FDP_APC_EXT.1.1 The TSF shall route user data only to or from the interfaces selected by the user.

FDP_APC_EXT.1.2 The TSF shall ensure that no data flows between connected computers whether the TOE is powered on or powered off.

FDP_APC_EXT.1.3 The TSF shall ensure that no data transits the TOE when the TOE is powered off.

FDP_APC_EXT.1.4 The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.
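As an added example (not part of the Security Target or of any vendor or lab test procedure), the following Python code checks bench measurements against the FDP_AFL_EXT.1.1 filtration table above and reports failing or unmeasured frequency rows. The sweep values are constructed, the measurement points (tone injected at the computer audio interface, read at the audio peripheral interface) are an assumption, and the roughly 2 V reference amplitude is inferred from the table's two numeric columns rather than stated on the page.

```python
import math

# Rows copied from the FDP_AFL_EXT.1.1 table:
# frequency in kHz -> (minimum attenuation in dB, maximum voltage after attenuation in mV)
AFL_TABLE = {
    14: (23.9, 127.65),
    15: (26.4, 95.73),
    16: (30.8, 57.68),
    17: (35.0, 35.57),
    18: (38.8, 22.96),
    19: (43.0, 14.15),
    20: (46.0, 10.02),
    30: (71.4, 0.53),
    40: (71.4, 0.53),
    50: (71.4, 0.53),
    60: (71.4, 0.53),
}

# Constructed bench sweep (not real measurements): (frequency kHz, input mV, output mV).
# Assumed setup: tone injected at the computer audio interface and measured at the
# audio peripheral interface.
SAMPLE_SWEEP = [
    (14, 2000.0, 100.0),
    (15, 2000.0, 90.0),
    (16, 2000.0, 50.0),
    (17, 2000.0, 30.0),
    (18, 2000.0, 25.0),  # about 38.06 dB, below the 38.8 dB minimum
    (19, 2000.0, 10.0),
    (20, 2000.0, 8.0),
    (30, 2000.0, 0.4),
    (40, 2000.0, 0.4),
    (50, 2000.0, 0.4),
    # 60 kHz deliberately left unmeasured
]


def attenuation_db(v_in_mv, v_out_mv):
    """Voltage attenuation in dB: 20 * log10(Vin / Vout)."""
    if v_in_mv <= 0 or v_out_mv <= 0:
        raise ValueError("voltages must be positive")
    return 20.0 * math.log10(v_in_mv / v_out_mv)


def implied_reference_mv(freq_khz):
    """Input amplitude a table row implies: Vmax * 10^(dB / 20)."""
    min_db, max_mv = AFL_TABLE[freq_khz]
    return max_mv * 10 ** (min_db / 20.0)


def check_point(freq_khz, v_in_mv, v_out_mv):
    """Return (measured attenuation in dB, passed) for one frequency row."""
    if freq_khz not in AFL_TABLE:
        raise KeyError(f"{freq_khz} kHz is not a row of the table")
    measured = attenuation_db(v_in_mv, v_out_mv)
    return measured, measured >= AFL_TABLE[freq_khz][0]


def evaluate_sweep(sweep):
    """Check every measured point and flag table rows that were never measured."""
    failures, seen = [], set()
    for freq_khz, v_in_mv, v_out_mv in sweep:
        measured, passed = check_point(freq_khz, v_in_mv, v_out_mv)
        seen.add(freq_khz)
        if not passed:
            failures.append((freq_khz, round(measured, 2), AFL_TABLE[freq_khz][0]))
    missing = sorted(set(AFL_TABLE) - seen)
    return {
        "failures": failures,
        "missing": missing,
        "compliant": not failures and not missing,
    }


if __name__ == "__main__":
    for freq in AFL_TABLE:
        print(f"{freq} kHz row implies a {implied_reference_mv(freq):.0f} mV input")
    print(evaluate_sweep(SAMPLE_SWEEP))
```

Because every row implies nearly the same input amplitude, the voltage column and the attenuation column express one requirement at that reference level; at any other input level only the dB column can be compared directly.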
FDP_CDS_EXT Connected Displays Supported

Family Behavior
Components in this family define requirements for the number of display interfaces contained within the TOE.

Component Leveling
FDP_CDS_EXT.1, Connected Displays Supported, requires the TSF to define whether it supports one connected display at a time or multiple connected displays simultaneously.

Management: FDP_CDS_EXT.1
There are no specific management functions identified.

Audit: FDP_CDS_EXT.1
There are no auditable events foreseen.

FDP_CDS_EXT.1 Connected Displays Supported
Hierarchical to: No other components
Dependencies: No other components

FDP_CDS_EXT.1.1 The TSF shall support [selection: one connected display, multiple connected displays] at a time.

FDP_FIL_EXT Device Filtering

Family Behavior
Components in this family define the requirements for device filtering.

Component Leveling
FDP_FIL_EXT.1 Device Filtering, requires the TSF to specify the method of device filtering used for peripheral interfaces and defines requirements for handling whitelists and blacklists.
Management: FDP_FIL_EXT.1
The following actions could be considered for the management functions in FMT:
• Ability to configure whitelist/blacklist members

Audit: FDP_FIL_EXT.1
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
• Configuration of whitelist/blacklist members

FDP_FIL_EXT.1 Device Filtering
Hierarchical to: No other components
Dependencies: FDP_PDC_EXT.1 Peripheral Device Connection

FDP_FIL_EXT.1.1 The TSF shall have [selection: configurable, fixed] device filtering for [assignment: list of supported peripheral interface types] interfaces.

FDP_FIL_EXT.1.2 The TSF shall consider all [assignment: blacklist name] blacklisted devices as unauthorized devices for [assignment: list of supported peripheral interface types] interfaces in peripheral device connections.

FDP_FIL_EXT.1.3 The TSF shall consider all [assignment: whitelist name] whitelisted devices as authorized devices for peripheral device connections only if they are not on the [assignment: blacklist name] blacklist or otherwise unauthorized.

FDP_IPC_EXT Internal Protocol Conversion

Family Behavior
Components in this family define requirements for the TOE’s ability to convert one protocol into another for internal processing.

Component Leveling
FDP_IPC_EXT.1, Internal Protocol Conversion, requires the TSF to specify an input protocol that the TOE receives, the protocol that the TSF converts it to, and whether the data is output from the TOE as the original protocol or as the converted one.

Management: FDP_IPC_EXT.1
There are no specific management functions identified.

Audit: FDP_IPC_EXT.1
There are no auditable events foreseen.
FDP_IPC_EXT.1 Internal Protocol Conversion
Hierarchical to: No other components
Dependencies: FDP_PDC_EXT.2 Authorized Connection Protocols

FDP_IPC_EXT.1.1 The TSF shall convert the [assignment: original protocol] protocol at the [assignment: TOE external interface(s)] into the [assignment: converted protocol] protocol within the TOE.

FDP_IPC_EXT.1.2 The TSF shall output the [assignment: converted protocol] protocol from inside the TOE to [assignment: TOE external interface(s)] as [selection: [assignment: original protocol] protocol], [assignment: converted protocol] protocol].

FDP_PDC_EXT Peripheral Device Connection

Family Behavior
Components in this family define the requirements for peripheral device connections. This family is defined in the PSD PP. The PP‐Modules [MOD_KM_V1.0] and [MOD_VI_V1.0] augment the extended family by adding two additional components, FDP_PDC_EXT.2 and FDP_PDC_EXT.3. The new components and their impact on the extended family’s component leveling are shown below; reference the PSD PP for all other definitions for this family.

Component Leveling
FDP_PDC_EXT.1 Peripheral Device Connection, requires the TSF to limit external connections to only authorized devices.
FDP_PDC_EXT.2 Authorized Devices, defines the types of physical devices that the TSF will permit to connect to it.
FDP_PDC_EXT.3, Authorized Connection Protocols, defines the protocols that the TSF will authorize over its physical/logical interfaces, as well as any rules that are applicable to these interfaces.
Management: FDP_PDC_EXT.1, FDP_PDC_EXT.2, FDP_PDC_EXT.3
No specific management functions are identified.

Audit: FDP_PDC_EXT.1
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
• Acceptance or rejection of a peripheral

Audit: FDP_PDC_EXT.2, FDP_PDC_EXT.3
There are no specific auditable events foreseen.

FDP_PDC_EXT.1 Peripheral Device Connection
Hierarchical to: No other components.
Dependencies: No dependencies

FDP_PDC_EXT.1.1 The TSF shall reject connections with unauthorized devices upon TOE power up and upon connection of a peripheral device to a powered‐on TOE.

FDP_PDC_EXT.1.2 The TSF shall reject connections with devices presenting unauthorized interface protocols upon TOE power up and upon connection of a peripheral device to a powered‐on TOE.

FDP_PDC_EXT.1.3 The TOE shall have no external interfaces other than those claimed by the TSF.

FDP_PDC_EXT.1.4 The TOE shall not have wireless interfaces.

FDP_PDC_EXT.1.5 The TOE shall provide a visual or auditory indication to the User when a peripheral is rejected.

FDP_PDC_EXT.2 Authorized Devices
Hierarchical to: No other components.
Dependencies: FDP_PDC_EXT.1 Peripheral Device Connection

FDP_PDC_EXT.2.1 The TSF shall allow connections with authorized devices as defined in [assignment: devices specified in the PP or PP‐Module in which this SFR is defined] and [assignment: devices specified in another PP or PP‐Module that shares a PP Configuration with the PP or PP‐Module in which this SFR is defined] upon TOE power up and upon connection of a peripheral device to a powered‐on TOE.
FDP_PDC_EXT.2.2 The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [assignment: devices specified in the PP or PP Module in which this SFR is defined] and [assignment: devices specified in another PP or PP‐Module that shares a PP‐Configuration with the PP or PP‐Module in which this SFR is defined] upon TOE power up and upon connection of a peripheral device to a powered‐on TOE.

FDP_PDC_EXT.3 Authorized Connection Protocols
Hierarchical to: No other components.
Dependencies: FDP_PDC_EXT.1 Peripheral Device Connection

FDP_PDC_EXT.3.1 The TSF shall have interfaces for the [assignment: list of supported protocols associated with physical and/or logical TSF interfaces] protocols.

FDP_PDC_EXT.3.2 The TSF shall apply the following rules to the supported protocols: [assignment: rules defining the handling for communications over this protocol (e.g. any processing that must be done by the TSF prior to transmitting it through the TOE, circumstances or frequency with which the protocol is invoked)].

FDP_PUD_EXT Powering Unauthorized Devices

Family Behavior
Components in this family define the requirements for unauthorized device powering.

Component Leveling
FDP_PUD_EXT.1 Powering Unauthorized Devices, requires the TSF to not power any unauthorized devices connected to the peripheral interface.

Management: FDP_PUD_EXT.1
No specific management functions are identified.

Audit: FDP_PUD_EXT.1
There are no specific auditable events foreseen.

FDP_PUD_EXT.1 Powering Unauthorized Devices
Hierarchical to: No other components.
Dependencies: FDP_PDC_EXT.1 Peripheral Device Connection

FDP_PUD_EXT.1.1 The TSF shall not provide power to any unauthorized device connected to the analog audio peripheral interface.
FDP_RDR_EXT Re-Enumeration Device Rejection

Family Behavior
Components in this family define requirements to reject device spoofing attempts through reenumeration.

Component Leveling
FDP_RDR_EXT.1 Re‐Enumeration Device Rejection, requires the TSF to reject re‐enumeration as an unauthorized device.

Management: FDP_RDR_EXT.1
No specific management functions are identified.

Audit: FDP_RDR_EXT.1
There are no specific auditable events foreseen.

FDP_RDR_EXT.1 Re-Enumeration Device Rejection
Hierarchical to: No other components.
Dependencies: FDP_PDC_EXT.1 Peripheral Device Connection

FDP_RDR_EXT.1.1 The TSF shall reject any device that attempts to enumerate again as a different unauthorized device.

FDP_RIP_EXT Residual Information Protection

Family Behavior
Components in this family define the requirements for how the TSF prevents data disclosure from its memory.

Component Leveling
FDP_RIP_EXT.1 Residual Information Protection, requires the TSF to prevent the writing of user data to non‐volatile memory.
FDP_RIP_EXT.2 Purge of Residual Information, requires the TSF to have a purge function to clear its memory of all stored non‐audit data.

Management: FDP_RIP_EXT.1, FDP_RIP_EXT.2
The following actions could be considered for the management functions in FMT:
• Ability to trigger the TSF’s purge function

Audit: FDP_RIP_EXT.1
There are no auditable events foreseen.
Audit: FDP_RIP_EXT.2
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
• Purging of the TSF’s memory

FDP_RIP_EXT.1 Residual Information Protection

Hierarchical to: No other components.
Dependencies: No dependencies

FDP_RIP_EXT.1.1 The TSF shall ensure that no user data is written to TOE non‐volatile memory or storage.

FDP_RIP_EXT.2 Purge of Residual Information

Hierarchical to: No other components.
Dependencies: No dependencies

FDP_RIP_EXT.2.1 The TOE shall have a purge memory or restore factory defaults function accessible to the administrator to delete all TOE stored configuration and settings except for logging.

FDP_SPR_EXT Sub-Protocol Rules

Family Behavior
Components in this family define the sub‐protocols that the TSF allows or blocks depending on the protocols it supports.

Component Leveling
FDP_SPR_EXT.1 Sub‐Protocol Rules, requires the TSF to specify the allowed and blocked sub‐protocols based on the protocol it supports.

Management: FDP_SPR_EXT.1
No specific management functions are identified.

Audit: FDP_SPR_EXT.1
There are no auditable events foreseen.

FDP_SPR_EXT.1 Sub-Protocol Rules

Hierarchical to: No other components.
Dependencies: FDP_PDC_EXT.3 Authorized Connection Protocols

FDP_SPR_EXT.1.1 The TSF shall apply the following rules for the [assignment: supported protocol] protocol:
• block the following video/display sub‐protocols:
  o [assignment: list of blocked sub‐protocols]
• allow the following video/display sub‐protocols:
  o [assignment: list of allowed sub‐protocols].

FDP_SWI_EXT PSD Switching

Family Behavior
Components in this family define the requirements for how the TSF protects against inadvertent data switching.
Component Leveling
FDP_SWI_EXT.1 PSD Switching, requires action on the part of a user in order for the TSF’s switching mechanisms to be activated.
FDP_SWI_EXT.2 PSD Switching Methods, places restrictions on how the TSF’s switching mechanisms can be controlled.
FDP_SWI_EXT.3/KM Tied Switching, requires the TSF to ensure that multiple connected peripherals are always switched to the same connected computer.

Management: FDP_SWI_EXT.1, FDP_SWI_EXT.2, FDP_SWI_EXT.3/KM
No specific management functions are identified.

Audit: FDP_SWI_EXT.1, FDP_SWI_EXT.2, FDP_SWI_EXT.3/KM
There are no auditable events foreseen.

FDP_SWI_EXT.1 PSD Switching

Hierarchical to: No other components.
Dependencies: No dependencies

FDP_SWI_EXT.1.1 The TSF shall ensure that [selection: the TOE supports only one connected computer, switching can be initiated only through express user action].

FDP_SWI_EXT.2 PSD Switching Methods

Hierarchical to: No other components.
Dependencies: FDP_SWI_EXT.1 PSD Switching

FDP_SWI_EXT.2.1 The TSF shall ensure that no switching can be initiated through automatic port scanning, control through a connected computer, or control through keyboard shortcuts.

FDP_SWI_EXT.2.2 The TSF shall ensure that switching can be initiated only through express user action using [selection: console buttons, console switches, console touch screen, wired remote control, peripheral devices using a guard].

FDP_SWI_EXT.3/KM Tied Switching

Hierarchical to: No other components.
Dependencies: FDP_SWI_EXT.1 PSD Switching

FDP_SWI_EXT.3.1/KM The TSF shall ensure that [assignment: two or more tied peripheral devices] are always switched together to the same connected computer.

FDP_UDF_EXT Unidirectional Data Flow

Family Behavior
Components in this family define unidirectional transmission of user data.
Component Leveling
FDP_UDF_EXT.1 Unidirectional Data Flow, requires the TSF to provide unidirectional (one‐way) communications between a given pair of interface types.

Management: FDP_UDF_EXT.1
No specific management functions are identified.

Audit: FDP_UDF_EXT.1
There are no auditable events foreseen.

FDP_UDF_EXT.1 Unidirectional Data Flow

Hierarchical to: No other components.
Dependencies: FDP_APC_EXT.1 Active PSD Connections

FDP_UDF_EXT.1.1 The TSF shall ensure [assignment: type of data] data transits the TOE unidirectionally from the [assignment: origin point of data] interface to the [assignment: destination point of data] interface.

5.2 CLASS FPT: PROTECTION OF THE TSF

FPT_FLS_EXT Failure with Preservation of Secure State

Family Behavior
Components in this family define the secure failure requirements for the TSF.

Component Leveling
FPT_FLS_EXT.1 Failure with Preservation of Secure State, requires the TSF to go into a secure state upon the detection of selected failures.

Management: FPT_FLS_EXT.1
No specific management functions are identified.

Audit: FPT_FLS_EXT.1
There are no auditable events foreseen.

FPT_FLS_EXT.1 Failure with Preservation of Secure State

Hierarchical to: No other components.
Dependencies: FPT_TST.1 TSF Testing
FPT_PHP.3 Resistance to Physical Attack

FPT_FLS_EXT.1.1 The TSF shall preserve a secure state when the following types of failures occur: failure of the power‐on self‐test and [selection: failure of the anti‐tamper function, no other failures].

FPT_NTA_EXT No Access to TOE

Family Behavior
Components in this family define what TSF information may be externally accessible.
Component Leveling
FPT_NTA_EXT.1 No Access to TOE, requires the TSF to block access to non‐authorized TSF data via external ports.

Management: FPT_NTA_EXT.1
No specific management functions are identified.

Audit: FPT_NTA_EXT.1
There are no auditable events foreseen.

FPT_NTA_EXT.1 No Access to TOE

Hierarchical to: No other components.
Dependencies: No dependencies

FPT_NTA_EXT.1.1 TOE firmware, software, and memory shall not be accessible via the TOE’s external ports, with the following exceptions: [selection: the EDID memory of Video TOEs may be accessible from connected computers; the configuration data, settings, and logging data that may be accessible by authorized administrators; no other exceptions].

FPT_TST_EXT TSF Testing

Family Behavior
Components in this family define how the TSF responds to a self‐test failure.

Component Leveling
FPT_TST_EXT.1 TSF Testing, requires the TSF to shutdown normal functions and provide a visual or auditory indication that a self‐test has failed.

Management: FPT_TST_EXT.1
No specific management functions are identified.

Audit: FPT_TST_EXT.1
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
• Indication that the TSF self‐test was completed
• Failure of self‐test

FPT_TST_EXT.1 TSF Testing

Hierarchical to: No other components.
Dependencies: FPT_TST.1 TSF Testing

FPT_TST_EXT.1.1 The TSF shall respond to a self‐test failure by providing users with a [selection: visual, auditory] indication of failure and by shutdown of normal TSF functions.
5.3 CLASS FTA: TOE ACCESS

FTA_CIN_EXT Continuous Indications

Family Behavior
Components in this family define how the TSF displays its switching status.

Component Leveling
FTA_CIN_EXT.1 Continuous Indications, requires the TSF to display a visual indication of what computers are selected.

Management: FTA_CIN_EXT.1
No specific management functions are identified.

Audit: FTA_CIN_EXT.1
There are no auditable events foreseen.

FTA_CIN_EXT.1 Continuous Indications

Hierarchical to: No other components.
Dependencies: FDP_APC_EXT.1 Active PSD Connections

FTA_CIN_EXT.1.1 The TSF shall display a visible indication of the selected computers at all times when the TOE is powered.

FTA_CIN_EXT.1.2 The TSF shall implement the visible indication using the following mechanism: easily visible graphical and/or textual markings of each source video on the display, [selection: a button, a panel with lights, a screen with dimming function, a screen with no dimming function, [assignment: description of visible indication]].

FTA_CIN_EXT.1.3 The TSF shall ensure that while the TOE is powered the current switching status is reflected by [selection: the indicator, multiple indicators which never display conflicting information].

6 SECURITY FUNCTIONAL REQUIREMENTS

Section 6 provides security functional and assurance requirements that must be satisfied by a compliant TOE.

6.1 CONVENTIONS AND APPLICABILITY

Conventions

The CC permits four types of operations to be performed on functional requirements: selection, assignment, refinement, and iteration. These operations are shown using the same conventions as those in the PSD PP.
This is defined in the PP as:
• Assignment: Indicated by surrounding brackets and italics, e.g., [assigned item].
• Selection: Indicated by surrounding brackets and italics, e.g., [selected item].
• Refinement: Refined components are identified by using bold for additional information, or strikeout for deleted text.
• Iteration: Iteration operations for iterations within the Protection Profile and associated modules are identified with a slash (‘/’) and an identifier (e.g. “/KM”).
• Iteration: Where an SFR does not apply equally to all devices and multiple iterations of the SFR are required, a number has been appended to the SFR identifier. (e.g. FDP_CDS_EXT.1(1) Connected Displays Supported)

Extended SFRs are identified by the inclusion of “EXT” in the SFR name.

Section Applicability

Table 11 shows the TOE models and the Section 6 Subsections that include the SFRs claimed for that device.

| TOE Model | Sections Describing Security Functionality |
|-----------|--------------------------------------------|
| SC820DPH  | Section 6.2 and Section 6.3 |
| SC840DPH  | Section 6.2 and Section 6.3 |
| SC920DPH  | Section 6.2 and Section 6.4 |
| SC940DPH  | Section 6.2 and Section 6.4 |
| SC840DPHC | Section 6.2 and Section 6.5 |
| SC940DPHC | Section 6.2 and Section 6.6 |
| SC840DVI  | Section 6.2 and Section 6.7 |
| SC940DVI  | Section 6.2 and Section 6.8 |

Table 11 – Devices and Applicable Sections

6.2 SECURITY FUNCTIONAL REQUIREMENTS FOR ALL DEVICES

Section 6.2 details the security functional requirements that apply to all TOE devices.
| Class | Identifier | Name | Source |
|-------|------------|------|--------|
| Security Audit (FAU) | FAU_GEN.1 | Audit data generation | [PP_PSD_V4.0] |
| User Data Protection (FDP) | FDP_AFL_EXT.1 | Audio Filtration | [MOD_AO_V1.0] |
| | FDP_APC_EXT.1/AO | Active PSD Connections | [MOD_AO_V1.0] |
| | FDP_APC_EXT.1/KM | Active PSD Connections | [MOD_KM_V1.0] |
| | FDP_APC_EXT.1/VI | Active PSD Connections | [MOD_VI_V1.0] |
| | FDP_FIL_EXT.1/KM | Device Filtering (Keyboard/Mouse) | [MOD_KM_V1.0] |
| | FDP_PDC_EXT.1 | Peripheral Device Connection | [PP_PSD_V4.0] [MOD_AO_V1.0]² [MOD_VI_V1.0]³ [MOD_KM_V1.0]⁴ |
| | FDP_PDC_EXT.2/AO | Peripheral Device Connection (Audio Output) | [MOD_AO_V1.0] |
| | FDP_PDC_EXT.2/KM | Authorized Devices (Keyboard/Mouse) | [MOD_KM_V1.0] |
| | FDP_PDC_EXT.2/VI | Authorized Devices (Video Output) | [MOD_VI_V1.0] |
| | FDP_PDC_EXT.3/KM | Authorized Connection Protocols (Keyboard/Mouse) | [MOD_KM_V1.0] |
| | FDP_PUD_EXT.1 | Powering Unauthorized Devices | [MOD_AO_V1.0] |
| | FDP_RDR_EXT.1 | Re-Enumeration Device Rejection | [MOD_KM_V1.0] |
| | FDP_RIP_EXT.1 | Residual Information Protection | [PP_PSD_V4.0] |
| | FDP_RIP.1/KM | Residual Information Protection (Keyboard Data) | [MOD_KM_V1.0] |
| | FDP_RIP_EXT.2 | Purge of Residual Information | [PP_PSD_V4.0] |
| | FDP_SWI_EXT.1 | PSD Switching | [PP_PSD_V4.0] |
| | FDP_SWI_EXT.2 | PSD Switching Methods | [PP_PSD_V4.0] [MOD_KM_V1.0]⁵ |
| | FDP_SWI_EXT.3/KM | Tied Switching | [MOD_KM_V1.0] |
| | FDP_UDF_EXT.1/AO | Unidirectional Data Flow (Audio Output) | [MOD_AO_V1.0] |
| | FDP_UDF_EXT.1/KM | Unidirectional Data Flow (Keyboard/Mouse) | [MOD_KM_V1.0] |
| | FDP_UDF_EXT.1/VI | Unidirectional Data Flow (Video Output) | [MOD_VI_V1.0] |
| Identification and Authentication (FIA) | FIA_UAU.2 | User Authentication Before Any Action | [PP_PSD_V4.0] |
| | FIA_UID.2 | User Identification Before Any Action | [PP_PSD_V4.0] |
| Security Management (FMT) | FMT_MOF.1 | Management of Security Functions Behavior | [PP_PSD_V4.0] |
| | FMT_SMF.1 | Specification of Management Functions | [PP_PSD_V4.0] |
| | FMT_SMR.1 | Security Roles | [PP_PSD_V4.0] |
| Protection of the TSF (FPT) | FPT_FLS_EXT.1 | Failure with Preservation of Secure State | [PP_PSD_V4.0] |
| | FPT_NTA_EXT.1 | No Access to TOE | [PP_PSD_V4.0] |
| | FPT_PHP.1 | Passive Detection of Physical Attack | [PP_PSD_V4.0] |
| | FPT_PHP.3 | Resistance to Physical Attack | [PP_PSD_V4.0] |
| | FPT_STM.1 | Reliable Time Stamps | [PP_PSD_V4.0] |
| | FPT_TST.1 | TSF testing | [PP_PSD_V4.0] |
| | FPT_TST_EXT.1 | TSF Testing | [PP_PSD_V4.0] |
| TOE Access (FTA) | FTA_CIN_EXT.1 | Continuous Indications | [PP_PSD_V4.0] [MOD_VI_V1.0]⁶ |

Table 12 – Summary of Security Functional Requirements

² There is no modification to this SFR in the [MOD_AO_V1.0]. However, there are additions to the Peripheral Device Connections associated with this SFR and additional evaluation activities.
³ There is no modification to this SFR in the [MOD_VI_V1.0]. However, there are additions to the Peripheral Device Connections associated with this SFR and additional evaluation activities.
⁴ There is no modification to this SFR in the [MOD_KM_V1.0]. However, there are additions to the Peripheral Device Connections associated with this SFR and additional evaluation activities.
⁵ There is no modification to this SFR in [MOD_KM_V1.0], and the additional evaluation activities are not triggered by the selections in FDP_SWI_EXT.2.2.
⁶ The refinement from [MOD_VI_V1.0] has been included in FTA_CIN_EXT.1.2.

Security Audit (FAU)

6.2.1.1 FAU_GEN.1 Audit data generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a. Start-up and shutdown of the audit functions;
b. All auditable events for the [not specified] level of audit; and
c. [administrator login, administrator logout, self‐test failures, peripheral device acceptance and rejections, [Reset to factory default, create administrator account, change password]].

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a. Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b. For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [no other information].

User Data Protection (FDP)

6.2.2.1 FDP_AFL_EXT.1 Audio Filtration

FDP_AFL_EXT.1.1 The TSF shall ensure outgoing audio signals are filtered as per [Audio Filtration Specifications table].

| Frequency (kHz) | Minimum Attenuation (dB) | Maximum Voltage After Attenuation |
|-----------------|--------------------------|-----------------------------------|
| 14 | 23.9 | 127.65 mV |
| 15 | 26.4 | 95.73 mV |
| 16 | 30.8 | 57.68 mV |
| 17 | 35.0 | 35.57 mV |
| 18 | 38.8 | 22.96 mV |
| 19 | 43.0 | 14.15 mV |
| 20 | 46.0 | 10.02 mV |
| 30 | 71.4 | 0.53 mV |
| 40 | 71.4 | 0.53 mV |
| 50 | 71.4 | 0.53 mV |
| 60 | 71.4 | 0.53 mV |

Table 13 – Audio Filtration Specifications

6.2.2.2 FDP_APC_EXT.1/AO Active PSD Connections

FDP_APC_EXT.1.1/AO The TSF shall route user data only to or from the interfaces selected by the user.

FDP_APC_EXT.1.2/AO The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.

FDP_APC_EXT.1.3/AO The TSF shall ensure that no data transits the TOE when the TOE is powered off.

FDP_APC_EXT.1.4/AO The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.
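The check below is an added example, not part of the Security Target or of any evaluation tooling: it compares output-voltage measurements against the minimum attenuation column of Table 13 (FDP_AFL_EXT.1.1) and shows how the table's two columns relate. The 2.00 V test-signal level is an assumption inferred from the table itself, and the measurement values are constructed.

```python
"""Check analog audio measurements against Table 13 (Audio Filtration Specifications)."""
import math

# Table 13 rows: (frequency in kHz, minimum attenuation in dB,
#                 maximum voltage after attenuation in mV)
TABLE_13 = [
    (14, 23.9, 127.65), (15, 26.4, 95.73), (16, 30.8, 57.68), (17, 35.0, 35.57),
    (18, 38.8, 22.96), (19, 43.0, 14.15), (20, 46.0, 10.02), (30, 71.4, 0.53),
    (40, 71.4, 0.53), (50, 71.4, 0.53), (60, 71.4, 0.53),
]

# Assumption: the page does not state the test-signal level. 2.00 V is the value
# that reproduces the table's voltage column from its attenuation column.
REFERENCE_INPUT_MV = 2000.0


def attenuation_db(v_in_mv, v_out_mv):
    """Attenuation of a voltage ratio in dB: 20 * log10(Vin / Vout)."""
    if v_in_mv <= 0 or v_out_mv < 0:
        raise ValueError("input must be positive and output must not be negative")
    if v_out_mv == 0:
        return math.inf  # nothing measurable passed the filter
    return 20.0 * math.log10(v_in_mv / v_out_mv)


def voltage_after_attenuation_mv(v_in_mv, db):
    """Output voltage left after attenuating v_in_mv by db decibels."""
    return v_in_mv / (10.0 ** (db / 20.0))


def table_max_deviation_mv(v_in_mv=REFERENCE_INPUT_MV):
    """Largest gap between the table's voltage column and the value computed
    from its attenuation column at the assumed input level."""
    return max(abs(voltage_after_attenuation_mv(v_in_mv, db) - limit_mv)
               for _, db, limit_mv in TABLE_13)


def evaluate(measured_mv, v_in_mv=REFERENCE_INPUT_MV):
    """Return {frequency_khz: (verdict, attenuation_db)} for every Table 13 row.

    The verdict uses the minimum attenuation column, which does not depend on
    the input level. A frequency without a measurement is reported as such
    instead of being silently treated as a pass.
    """
    results = {}
    for freq_khz, min_db, _ in TABLE_13:
        if freq_khz not in measured_mv:
            results[freq_khz] = ("NOT MEASURED", None)
            continue
        att = attenuation_db(v_in_mv, measured_mv[freq_khz])
        results[freq_khz] = ("PASS" if att >= min_db else "FAIL", att)
    return results


def frequencies_with(results, verdict):
    """Frequencies (kHz) whose verdict matches, in table order."""
    return [f for f, (v, _) in results.items() if v == verdict]


# Constructed measurements (mV at the peripheral audio output, 2.00 V input):
# 19 kHz leaks too much signal and 40 kHz was never measured.
SAMPLE_MEASUREMENTS_MV = {14: 100.0, 15: 90.0, 16: 50.0, 17: 30.0, 18: 20.0,
                          19: 15.0, 20: 9.0, 30: 0.5, 50: 0.0, 60: 0.5}

if __name__ == "__main__":
    print(f"table vs. 2.00 V reference, max deviation: {table_max_deviation_mv():.4f} mV")
    for freq, (verdict, att) in evaluate(SAMPLE_MEASUREMENTS_MV).items():
        shown = "n/a" if att is None else f"{att:.2f} dB"
        print(f"{freq:>2} kHz  {verdict:<12}  {shown}")
```
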
6.2.2.3 FDP_APC_EXT.1/KM Active PSD Connections

FDP_APC_EXT.1.1/KM The TSF shall route user data only to or from the interfaces selected by the user.

FDP_APC_EXT.1.2/KM The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.

FDP_APC_EXT.1.3/KM The TSF shall ensure that no data transits the TOE when the TOE is powered off.

FDP_APC_EXT.1.4/KM The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.

6.2.2.4 FDP_APC_EXT.1/VI Active PSD Connections

FDP_APC_EXT.1.1/VI The TSF shall route user data only to or from the interfaces selected by the user.

FDP_APC_EXT.1.2/VI The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.

FDP_APC_EXT.1.3/VI The TSF shall ensure that no data transits the TOE when the TOE is powered off.

FDP_APC_EXT.1.4/VI The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.

6.2.2.5 FDP_FIL_EXT.1/KM Device Filtering (Keyboard/Mouse)

FDP_FIL_EXT.1.1/KM The TSF shall have [fixed] device filtering for [keyboard, mouse] interfaces.

FDP_FIL_EXT.1.2/KM The TSF shall consider all [PSD KM] blacklisted devices as unauthorized devices for [keyboard, mouse] interfaces in peripheral device connections.

FDP_FIL_EXT.1.3/KM The TSF shall consider all [PSD KM] whitelisted devices as authorized devices for [keyboard, mouse] interfaces in peripheral device connections only if they are not on the [PSD KM] blacklist or otherwise unauthorized.

6.2.2.6 FDP_PDC_EXT.1 Peripheral Device Connection

FDP_PDC_EXT.1.1 The TSF shall reject connections with unauthorized devices upon TOE power up and upon connection of a peripheral device to a powered‐on TOE.
FDP_PDC_EXT.1.2 The TSF shall reject connections with devices presenting unauthorized interface protocols upon TOE power up and upon connection of a peripheral device to a powered‐on TOE.

FDP_PDC_EXT.1.3 The TOE shall have no external interfaces other than those claimed by the TSF.

FDP_PDC_EXT.1.4 The TOE shall not have wireless interfaces.

FDP_PDC_EXT.1.5 The TOE shall provide a visual or auditory indication to the User when a peripheral is rejected.

6.2.2.7 FDP_PDC_EXT.2/AO Peripheral Device Connection (Audio Output)

FDP_PDC_EXT.2.1/AO The TSF shall allow connections with authorized devices as defined in [Appendix E] and [
• authorized devices as defined in the PP‐Module for Keyboard/Mouse Devices,
• authorized devices as defined in the PP‐Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.

FDP_PDC_EXT.2.2/AO The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [Appendix E] and [
• authorized devices presenting authorized interface protocols as defined in the PP‐Module for Keyboard/Mouse Devices,
• authorized devices presenting authorized interface protocols as defined in the PP‐Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.

6.2.2.8 FDP_PDC_EXT.2/KM Authorized Devices (Keyboard/Mouse)

FDP_PDC_EXT.2.1/KM The TSF shall allow connections with authorized devices and functions as defined in [Appendix E] and [
• authorized devices as defined in the PP‐Module for Audio Output Devices,
• authorized devices as defined in the PP‐Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2.2/KM The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [Appendix E] and [
• authorized devices presenting authorized interface protocols as defined in the PP‐Module for Audio Output Devices,
• authorized devices presenting authorized interface protocols as defined in the PP‐Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.

6.2.2.9 FDP_PDC_EXT.2/VI Peripheral Device Connection (Video Output)

FDP_PDC_EXT.2.1/VI The TSF shall allow connections with authorized devices as defined in [Appendix E] and [
• authorized devices as defined in the PP‐Module for Audio Output Devices,
• authorized devices and functions as defined in the PP‐Module for Keyboard/Mouse Devices,
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.

FDP_PDC_EXT.2.2/VI The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [Appendix E] and [
• authorized devices presenting authorized interface protocols as defined in the PP‐Module for Audio Output Devices,
• authorized devices presenting authorized interface protocols as defined in the PP‐Module for Keyboard/Mouse Devices,
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.

6.2.2.10 FDP_PDC_EXT.3/KM Authorized Connection Protocols (Keyboard/Mouse)

FDP_PDC_EXT.3.1/KM The TSF shall have interfaces for the [USB (keyboard), USB (mouse)] protocols.

FDP_PDC_EXT.3.2/KM The TSF shall apply the following rules to the supported protocols: [the TSF shall emulate any keyboard or mouse device functions from the TOE to the connected computer].
6.2.2.11 FDP_PUD_EXT.1 Powering Unauthorized Devices

FDP_PUD_EXT.1.1 The TSF shall not provide power to any unauthorized device connected to the analog audio peripheral interface.

6.2.2.12 FDP_RDR_EXT.1 Re-Enumeration Device Rejection

FDP_RDR_EXT.1.1 The TSF shall reject any device that attempts to enumerate again as a different unauthorized device.

6.2.2.13 FDP_RIP_EXT.1 Residual Information Protection

FDP_RIP_EXT.1.1 The TSF shall ensure that no user data is written to TOE non‐volatile memory or storage.

6.2.2.14 FDP_RIP.1/KM Residual Information Protection (Keyboard Data)

FDP_RIP.1.1/KM The TSF shall ensure that any keyboard data in volatile memory is purged upon switching computers.

6.2.2.15 FDP_RIP_EXT.2 Purge of Residual Information

FDP_RIP_EXT.2.1 The TOE shall have a purge memory or restore factory defaults function accessible to the administrator to delete all TOE stored configuration and settings except for logging.

6.2.2.16 FDP_SWI_EXT.1 PSD Switching

FDP_SWI_EXT.1.1 The TSF shall ensure that [switching can be initiated only through express user action].

6.2.2.17 FDP_SWI_EXT.2 PSD Switching Methods

FDP_SWI_EXT.2.1 The TSF shall ensure that no switching can be initiated through automatic port scanning, control through a connected computer, or control through keyboard shortcuts.

FDP_SWI_EXT.2.2 The TSF shall ensure that switching can be initiated only through express user action using [console buttons, wired remote control].

6.2.2.18 FDP_SWI_EXT.3/KM Tied Switching

FDP_SWI_EXT.3.1/KM The TSF shall ensure that [connected keyboard and mouse peripheral devices] are always switched together to the same connected computer.
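The model below is an added example, not TOE firmware and not part of the Security Target: it shows how the keyboard/mouse port rules in FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1 and FDP_RDR_EXT.1 combine with the audit record fields of FAU_GEN.1.2 when every enumeration is evaluated again. The whitelist and blacklist contents are constructed stand-ins (the real lists are in Appendix E and the PP-Module, not on this page), and the class and function names are hypothetical.

```python
"""Model of keyboard/mouse port admission with re-enumeration rejection."""
from datetime import datetime, timezone

# USB (bInterfaceClass, bInterfaceProtocol) pairs used as sample device functions.
HID_KEYBOARD = (0x03, 0x01)   # HID class, boot keyboard protocol
HID_MOUSE = (0x03, 0x02)      # HID class, boot mouse protocol
MASS_STORAGE = (0x08, 0x50)   # mass storage class, bulk-only transport

# Constructed stand-ins for the [PSD KM] whitelist and blacklist.
WHITELIST = {HID_KEYBOARD, HID_MOUSE}
BLACKLIST_CLASSES = {0x08}


def classify(interfaces):
    """Return (authorized, reason) for the functions one enumeration presents.

    The blacklist is checked first: a whitelisted function is authorized only
    if nothing the device presents is blacklisted or otherwise unauthorized
    (FDP_FIL_EXT.1.2/KM, FDP_FIL_EXT.1.3/KM, FDP_PDC_EXT.1.2).
    """
    if not interfaces:
        return False, "no interface presented"
    if any(cls in BLACKLIST_CLASSES for cls, _ in interfaces):
        return False, "blacklisted device function"
    if any(itf not in WHITELIST for itf in interfaces):
        return False, "unauthorized interface protocol"
    return True, "whitelisted keyboard/mouse function"


class PeripheralPort:
    """One peripheral port; the decision is made again on every enumeration."""

    def __init__(self, name, clock=lambda: datetime.now(timezone.utc)):
        self.name = name
        self.clock = clock             # stands in for FPT_STM.1 time stamps
        self.active = None             # functions of the currently accepted device
        self.reject_indicator = False  # FDP_PDC_EXT.1.5 indication to the user
        self.audit_log = []

    def enumerate(self, interfaces, powering_up=False):
        """Evaluate an enumeration and return (authorized, trigger, reason)."""
        interfaces = tuple(interfaces)
        if powering_up:
            trigger = "power-up"
        elif self.active is not None:
            trigger = "re-enumeration"  # device already accepted, enumerating again
        else:
            trigger = "hot-plug"
        authorized, reason = classify(interfaces)
        # No cached verdict: an accepted device that enumerates again as an
        # unauthorized one loses the port (FDP_RDR_EXT.1.1).
        self.active = interfaces if authorized else None
        self.reject_indicator = not authorized
        # FAU_GEN.1.2: date and time, type of event, subject identity, outcome.
        self.audit_log.append({
            "time": self.clock().isoformat(),
            "type": "peripheral device " + ("acceptance" if authorized else "rejection"),
            "subject": self.name + " port",
            "outcome": "success" if authorized else "failure",
        })
        return authorized, trigger, reason

    def disconnect(self):
        """Physical removal clears the port state and the rejection indication."""
        self.active = None
        self.reject_indicator = False


if __name__ == "__main__":
    port = PeripheralPort("keyboard")
    print(port.enumerate([HID_KEYBOARD], powering_up=True))
    print(port.enumerate([MASS_STORAGE]))  # same device, new identity
    for record in port.audit_log:
        print(record)
```
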
6.2.2.19 FDP_UDF_EXT.1/AO Unidirectional Data Flow (Audio Output)

FDP_UDF_EXT.1.1/AO The TSF shall ensure [analog audio output data] transits the TOE unidirectionally from [the TOE analog audio output computer] interface to [the TOE analog audio output peripheral] interface.

6.2.2.20 FDP_UDF_EXT.1/KM Unidirectional Data Flow (Keyboard/Mouse)

FDP_UDF_EXT.1.1/KM The TSF shall ensure [keyboard, mouse] data transits the TOE unidirectionally from the [TOE [keyboard, mouse]] peripheral interface(s) to the [TOE [keyboard, mouse]] interface.

6.2.2.21 FDP_UDF_EXT.1/VI Unidirectional Data Flow (Video Output)

FDP_UDF_EXT.1.1/VI The TSF shall ensure [video] data transits the TOE unidirectionally from the [TOE computer video] interface to the [TOE peripheral device display] interface.

Identification and Authentication

6.2.3.1 FIA_UAU.2 User Authentication Before Any Action

FIA_UAU.2.1 The TSF shall require each administrator to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that administrator.

6.2.3.2 FIA_UID.2 User Identification Before Any Action

FIA_UID.2.1 The TSF shall require each administrator to be successfully identified before allowing any other TSF-mediated actions on behalf of that administrator.

Security Management (FMT)

6.2.4.1 FMT_MOF.1 Management of Security Functions Behavior

FMT_MOF.1.1 The TSF shall restrict the ability to [modify the behavior of] the functions [Reset to factory default, create/delete administrator account, change password] to [the authorized administrator].

6.2.4.2 FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1 The TOE shall be capable of performing the following management functions: [Reset to factory default, create/delete administrator account, change password].
6.2.4.3 FMT_SMR.1 Security roles

FMT_SMR.1.1 The TSF shall maintain the roles [administrators].

FMT_SMR.1.2 The TSF shall be able to associate users with roles.

Protection of the TSF (FPT)

6.2.5.1 FPT_FLS_EXT.1 Failure with Preservation of Secure State

FPT_FLS_EXT.1.1 The TSF shall preserve a secure state when the following types of failures occur: failure of the power‐on self‐test and [failure of the anti-tamper function].

6.2.5.2 FPT_NTA_EXT.1 No Access to TOE

FPT_NTA_EXT.1.1 TOE firmware, software, and memory shall not be accessible via the TOE’s external ports, with the following exceptions: [the Extended Display Identification Data (EDID) memory of Video TOEs may be accessible from connected computers; the configuration data, settings, and logging data that may be accessible by authorized administrators].

6.2.5.3 FPT_PHP.1 Passive Detection of Physical Attack

FPT_PHP.1.1 The TSF shall provide unambiguous detection of physical tampering that might compromise the TSF.

FPT_PHP.1.2 The TSF shall provide the capability to determine whether physical tampering with the TSF's devices or TSF's elements has occurred.

6.2.5.4 FPT_PHP.3 Resistance to Physical Attack

FPT_PHP.3.1 The TSF shall resist [a physical attack for the purpose of gaining access to the internal components, to damage the anti‐tamper battery, to drain or exhaust the anti‐tamper battery] to the [TOE enclosure and any remote controllers] by the attacked component becoming permanently disabled.

6.2.5.5 FPT_STM.1 Reliable Time Stamps

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
6.2.5.6 FPT_TST.1 TSF Testing

FPT_TST.1.1 The TSF shall run a suite of self-tests [during initial start-up and at the conditions [no other conditions]] to demonstrate the correct operation of [user control functions and [active anti-tamper functionality]].

FPT_TST.1.2 The TSF shall provide authorized users with the capability to verify the integrity of [TSF data].

FPT_TST.1.3 The TSF shall provide authorized users with the capability to verify the integrity of [TSF].

6.2.5.7 FPT_TST_EXT.1 TSF Testing

FPT_TST_EXT.1.1 The TSF shall respond to a self‐test failure by providing users with a [visual, auditory] indication of failure and by shutdown of normal TSF functions.

TOE Access (FTA)

6.2.6.1 FTA_CIN_EXT.1 Continuous Indications

FTA_CIN_EXT.1.1 The TSF shall display a visible indication of the selected computers at all times when the TOE is powered.

FTA_CIN_EXT.1.2 The TSF shall implement the visible indication using the following mechanism: easily visible graphical and/or textual markings of each source video on the display, [[illuminated buttons]].

FTA_CIN_EXT.1.3 The TSF shall ensure that while the TOE is powered the current switching status is reflected by [multiple indicators which never display conflicting information].

6.3 ADDITIONAL SECURITY REQUIREMENTS FOR SC820DPH AND SC840DPH

Section 6.3 details the security functional requirements that are satisfied by the SC820DPH and SC840DPH TOE devices. These devices support a single connected display (FDP_CDS_EXT.1(1)) and support both DisplayPort and HDMI video protocols for both video in and video out (FDP_PDC_EXT.3/VI(1), FDP_IPC_EXT.1(1), FDP_SPR_EXT.1/DP, FDP_SPR_EXT.1/HDMI).
| Class | Identifier | Name | Source |
|-------|------------|------|--------|
| User Data Protection (FDP) | FDP_CDS_EXT.1(1) | Connected Displays Supported | [MOD_VI_V1.0] |
| | FDP_PDC_EXT.3/VI(1) | Authorized Connection Protocols (Video Output) | [MOD_VI_V1.0] |
| | FDP_IPC_EXT.1 | Internal Protocol Conversion | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/DP | Sub-Protocol Rules (DisplayPort Protocol) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/HDMI | Sub-Protocol Rules (HDMI Protocol) | [MOD_VI_V1.0] |

Table 14 – Summary of Additional Security Functional Requirements for SC820DPH and SC840DPH

User Data Protection (FDP)

6.3.1.1 FDP_CDS_EXT.1(1) Connected Displays Supported

FDP_CDS_EXT.1.1(1) The TSF shall support [one connected display] at a time.

6.3.1.2 FDP_IPC_EXT.1 Internal Protocol Conversion

FDP_IPC_EXT.1.1 The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.

FDP_IPC_EXT.1.2 The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol, [HDMI] protocol].

6.3.1.3 FDP_PDC_EXT.3/VI(1) Authorized Connection Protocols (Video Output)

FDP_PDC_EXT.3.1/VI(1) The TSF shall have interfaces for the [HDMI, DisplayPort] protocols.

FDP_PDC_EXT.3.2/VI(1) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power‐on or reboot].

6.3.1.4 FDP_SPR_EXT.1/DP Sub-Protocol Rules (DisplayPort Protocol)

FDP_SPR_EXT.1.1/DP The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub‐protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub‐protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].
6.3.1.5 FDP_SPR_EXT.1/HDMI Sub-Protocol Rules (HDMI Protocol)

FDP_SPR_EXT.1.1/HDMI The TSF shall apply the following rules for the [HDMI] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

6.4 ADDITIONAL SECURITY REQUIREMENTS FOR SC920DPH AND SC940DPH

Section 6.4 details the security functional requirements that are satisfied by the SC920DPH and SC940DPH TOE devices. These devices support two connected displays (FDP_CDS_EXT.1(2)) and support both DisplayPort and HDMI video protocols for both video in and video out (FDP_PDC_EXT.3/VI(1), FDP_IPC_EXT.1(1), FDP_SPR_EXT.1/DP, FDP_SPR_EXT.1/HDMI).

| Class | Identifier | Name | Source |
|---|---|---|---|
| User Data Protection (FDP) | FDP_CDS_EXT.1(2) | Connected Displays Supported | [MOD_VI_V1.0] |
| | FDP_IPC_EXT.1 | Internal Protocol Conversion | [MOD_VI_V1.0] |
| | FDP_PDC_EXT.3/VI(1) | Authorized Connection Protocols (Video Output) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/DP | Sub-Protocol Rules (DisplayPort Protocol) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/HDMI | Sub-Protocol Rules (HDMI Protocol) | [MOD_VI_V1.0] |

Table 15 – Summary of Additional Security Functional Requirements for SC920DPH and SC940DPH

User Data Protection (FDP)

6.4.1.1 FDP_CDS_EXT.1(2) Connected Displays Supported

FDP_CDS_EXT.1.1(2) The TSF shall support [multiple connected displays] at a time.

6.4.1.2 FDP_IPC_EXT.1 Internal Protocol Conversion

FDP_IPC_EXT.1.1 The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.
FDP_IPC_EXT.1.2 The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol, [HDMI] protocol].

6.4.1.3 FDP_PDC_EXT.3/VI(1) Authorized Connection Protocols (Video Output)

FDP_PDC_EXT.3.1/VI(1) The TSF shall have interfaces for the [HDMI, DisplayPort] protocols.

FDP_PDC_EXT.3.2/VI(1) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].

6.4.1.4 FDP_SPR_EXT.1/DP Sub-Protocol Rules (DisplayPort Protocol)

FDP_SPR_EXT.1.1/DP The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

6.4.1.5 FDP_SPR_EXT.1/HDMI Sub-Protocol Rules (HDMI Protocol)

FDP_SPR_EXT.1.1/HDMI The TSF shall apply the following rules for the [HDMI] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

6.5 ADDITIONAL SECURITY REQUIREMENTS FOR SC840DPHC

Section 6.5 details the security functional requirements that are satisfied by the SC840DPHC TOE device. This device supports a single connected display (FDP_CDS_EXT.1(1)) and supports DisplayPort, HDMI and USB Type C with DisplayPort as an alternate function for video in and DisplayPort and HDMI for video out (FDP_PDC_EXT.3/VI(2), FDP_IPC_EXT.1(1), FDP_SPR_EXT.1/DP, FDP_SPR_EXT.1/HDMI, FDP_SPR_EXT.1/USB).
| Class | Identifier | Name | Source |
|---|---|---|---|
| User Data Protection (FDP) | FDP_CDS_EXT.1(1) | Connected Displays Supported | [MOD_VI_V1.0] |
| | FDP_IPC_EXT.1 | Internal Protocol Conversion | [MOD_VI_V1.0] |
| | FDP_PDC_EXT.3/VI(2) | Authorized Connection Protocols (Video Output) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/DP | Sub-Protocol Rules (DisplayPort Protocol) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/HDMI | Sub-Protocol Rules (HDMI Protocol) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/USB | Sub-Protocol Rules (USB-C Protocol) | [MOD_VI_V1.0] |

Table 16 – Summary of Additional Security Functional Requirements for SC840DPHC

User Data Protection (FDP)

6.5.1.1 FDP_CDS_EXT.1(1) Connected Displays Supported

FDP_CDS_EXT.1.1(1) The TSF shall support [one connected display] at a time.

6.5.1.2 FDP_IPC_EXT.1 Internal Protocol Conversion

FDP_IPC_EXT.1.1 The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.

FDP_IPC_EXT.1.2 The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol, [HDMI] protocol].

6.5.1.3 FDP_PDC_EXT.3/VI(2) Authorized Connection Protocols (Video Output)

FDP_PDC_EXT.3.1/VI(2) The TSF shall have interfaces for the [HDMI, DisplayPort, USB Type-C with DisplayPort as alternate function] protocols.

FDP_PDC_EXT.3.2/VI(2) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].
6.5.1.4 FDP_SPR_EXT.1/DP Sub-Protocol Rules (DisplayPort Protocol)

FDP_SPR_EXT.1.1/DP The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

6.5.1.5 FDP_SPR_EXT.1/HDMI Sub-Protocol Rules (HDMI Protocol)

FDP_SPR_EXT.1.1/HDMI The TSF shall apply the following rules for the [HDMI] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

6.5.1.6 FDP_SPR_EXT.1/USB Sub-Protocol Rules (USB-C Protocol)

FDP_SPR_EXT.1.1/USB The TSF shall apply the following rules for the [USB Type-C with DisplayPort as alternate function] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

6.6 ADDITIONAL SECURITY REQUIREMENTS FOR SC940DPHC

Section 6.6 details the security functional requirements that are satisfied by the SC940DPHC TOE device. This device supports two connected displays (FDP_CDS_EXT.1(2)) and supports DisplayPort, HDMI and USB Type C with DisplayPort as an alternate function for video in and DisplayPort and HDMI for video out (FDP_PDC_EXT.3/VI(2), FDP_IPC_EXT.1(1), FDP_SPR_EXT.1/DP, FDP_SPR_EXT.1/HDMI, FDP_SPR_EXT.1/USB).
| Class | Identifier | Name | Source |
|---|---|---|---|
| User Data Protection (FDP) | FDP_CDS_EXT.1(2) | Connected Displays Supported | [MOD_VI_V1.0] |
| | FDP_IPC_EXT.1 | Internal Protocol Conversion | [MOD_VI_V1.0] |
| | FDP_PDC_EXT.3/VI(2) | Authorized Connection Protocols (Video Output) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/DP | Sub-Protocol Rules (DisplayPort Protocol) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/HDMI | Sub-Protocol Rules (HDMI Protocol) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/USB | Sub-Protocol Rules (USB-C Protocol) | [MOD_VI_V1.0] |

Table 17 – Summary of Additional Security Functional Requirements for SC940DPHC

User Data Protection (FDP)

6.6.1.1 FDP_CDS_EXT.1(2) Connected Displays Supported

FDP_CDS_EXT.1.1(2) The TSF shall support [multiple connected displays] at a time.

6.6.1.2 FDP_IPC_EXT.1 Internal Protocol Conversion

FDP_IPC_EXT.1.1 The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.

FDP_IPC_EXT.1.2 The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol, [HDMI] protocol].

6.6.1.3 FDP_PDC_EXT.3/VI(2) Authorized Connection Protocols (Video Output)

FDP_PDC_EXT.3.1/VI(2) The TSF shall have interfaces for the [HDMI, DisplayPort, USB Type-C with DisplayPort as alternate function] protocols.

FDP_PDC_EXT.3.2/VI(2) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].
6.6.1.4 FDP_SPR_EXT.1/DP Sub-Protocol Rules (DisplayPort Protocol)

FDP_SPR_EXT.1.1/DP The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

6.6.1.5 FDP_SPR_EXT.1/HDMI Sub-Protocol Rules (HDMI Protocol)

FDP_SPR_EXT.1.1/HDMI The TSF shall apply the following rules for the [HDMI] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

6.6.1.6 FDP_SPR_EXT.1/USB Sub-Protocol Rules (USB-C Protocol)

FDP_SPR_EXT.1.1/USB The TSF shall apply the following rules for the [USB Type-C with DisplayPort as alternate function] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

6.7 ADDITIONAL SECURITY REQUIREMENTS FOR SC840DVI

Section 6.7 details the security functional requirements that are satisfied by the SC840DVI TOE device. This device supports a single connected display (FDP_CDS_EXT.1(1)) and supports DVI-D for both video in and video out (FDP_PDC_EXT.3/VI(3), FDP_SPR_EXT.1/DVI-D).
| Class | Identifier | Name | Source |
|---|---|---|---|
| User Data Protection (FDP) | FDP_CDS_EXT.1(1) | Connected Displays Supported | [MOD_VI_V1.0] |
| | FDP_PDC_EXT.3/VI(3) | Authorized Connection Protocols (Video Output) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/DVI-D | Sub-Protocol Rules (DVI-D Protocol) | [MOD_VI_V1.0] |

Table 18 – Summary of Additional Security Functional Requirements for SC840DVI

User Data Protection (FDP)

6.7.1.1 FDP_CDS_EXT.1(1) Connected Displays Supported

FDP_CDS_EXT.1.1(1) The TSF shall support [one connected display] at a time.

6.7.1.2 FDP_PDC_EXT.3/VI(3) Authorized Connection Protocols (Video Output)

FDP_PDC_EXT.3.1/VI(3) The TSF shall have interfaces for the [DVI-D] protocols.

FDP_PDC_EXT.3.2/VI(3) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].

6.7.1.3 FDP_SPR_EXT.1/DVI-D Sub-Protocol Rules (DVI-D Protocol)

FDP_SPR_EXT.1.1/DVI-D The TSF shall apply the following rules for the [DVI-D] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

6.8 ADDITIONAL SECURITY REQUIREMENTS FOR SC940DVI

Section 6.8 details the security functional requirements that are satisfied by the SC940DVI TOE device. This device supports two connected displays (FDP_CDS_EXT.1(2)) and supports DVI-D for both video in and video out (FDP_PDC_EXT.3/VI(3), FDP_SPR_EXT.1/DVI-D).
| Class | Identifier | Name | Source |
|---|---|---|---|
| User Data Protection (FDP) | FDP_CDS_EXT.1(2) | Connected Displays Supported | [MOD_VI_V1.0] |
| | FDP_PDC_EXT.3/VI(3) | Authorized Connection Protocols (Video Output) | [MOD_VI_V1.0] |
| | FDP_SPR_EXT.1/DVI-D | Sub-Protocol Rules (DVI-D Protocol) | [MOD_VI_V1.0] |

Table 19 – Summary of Additional Security Functional Requirements for SC940DVI

User Data Protection (FDP)

6.8.1.1 FDP_CDS_EXT.1(2) Connected Displays Supported

FDP_CDS_EXT.1.1(2) The TSF shall support [multiple connected displays] at a time.

6.8.1.2 FDP_PDC_EXT.3/VI(3) Authorized Connection Protocols (Video Output)

FDP_PDC_EXT.3.1/VI(3) The TSF shall have interfaces for the [DVI-D] protocols.

FDP_PDC_EXT.3.2/VI(3) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].

6.8.1.3 FDP_SPR_EXT.1/DVI-D Sub-Protocol Rules (DVI-D Protocol)

FDP_SPR_EXT.1.1/DVI-D The TSF shall apply the following rules for the [DVI-D] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

7 SECURITY ASSURANCE REQUIREMENTS

The assurance requirements are summarized in Table 20.
| Assurance Class | Assurance Components: Identifier | Assurance Components: Name |
|---|---|---|
| Development (ADV) | ADV_FSP.1 | Basic Functional Specification |
| Guidance Documents (AGD) | AGD_OPE.1 | Operational user guidance |
| | AGD_PRE.1 | Preparative procedures |
| Life-Cycle Support (ALC) | ALC_CMC.1 | Labeling of the TOE |
| | ALC_CMS.1 | TOE CM Coverage |
| Security Target Evaluation (ASE) | ASE_CCL.1 | Conformance claims |
| | ASE_ECD.1 | Extended Components Definition |
| | ASE_INT.1 | ST Introduction |
| | ASE_OBJ.2 | Security Objectives |
| | ASE_REQ.2 | Derived Security Requirements |
| | ASE_SPD.1 | Security Problem Definition |
| | ASE_TSS.1 | TOE Summary Specification |
| Tests (ATE) | ATE_IND.1 | Independent Testing - Conformance |
| Vulnerability Assessment (AVA) | AVA_VAN.1 | Vulnerability Survey |

Table 20 – Security Assurance Requirements

8 SECURITY REQUIREMENTS RATIONALE

8.1 SECURITY FUNCTIONAL REQUIREMENTS RATIONALE

Table 7 provides a mapping between the SFRs and Security Objectives.

8.2 DEPENDENCY RATIONALE

Table 21 identifies the Security Functional Requirements and their associated dependencies. It also indicates whether the ST explicitly addresses each dependency.
| SFR | Dependencies | Rationale Statement |
|---|---|---|
| FAU_GEN.1 | FPT_STM.1 | Included |
| FDP_AFL_EXT.1 | FDP_PDC_EXT.1 | Included |
| FDP_APC_EXT.1/AO | None | N/A |
| FDP_APC_EXT.1/KM | None | N/A |
| FDP_APC_EXT.1/VI | None | N/A |
| FDP_CDS_EXT.1(1) | None | N/A |
| FDP_CDS_EXT.1(2) | None | N/A |
| FDP_FIL_EXT.1/KM | FDP_PDC_EXT.1 | Included |
| FDP_IPC_EXT.1 | FDP_PDC_EXT.2 | Included |
| FDP_PDC_EXT.1 | None | N/A |
| FDP_PDC_EXT.2/AO | FDP_PDC_EXT.1 | Included |
| FDP_PDC_EXT.2/KM | FDP_PDC_EXT.1 | Included |
| FDP_PDC_EXT.2/VI | FDP_PDC_EXT.2 | Included |
| FDP_PDC_EXT.3/KM | FDP_PDC_EXT.1 | Included |
| FDP_PDC_EXT.3/VI(1) | FDP_PDC_EXT.2 | Included |
| FDP_PDC_EXT.3/VI(2) | FDP_PDC_EXT.2 | Included |
| FDP_PDC_EXT.3/VI(3) | FDP_PDC_EXT.2 | Included |
| FDP_PUD_EXT.1 | FDP_PDC_EXT.1 | Included |
| FDP_RDR_EXT.1 | FDP_PDC_EXT.1 | Included |
| FDP_RIP_EXT.1 | None | N/A |
| FDP_RIP.1/KM | None | N/A |
| FDP_RIP_EXT.2 | None | N/A |
| FDP_SPR_EXT.1/DP | FDP_PDC_EXT.3 | Included |
| FDP_SPR_EXT.1/DVI-D | FDP_PDC_EXT.3 | Included |
| FDP_SPR_EXT.1/HDMI | FDP_PDC_EXT.3 | Included |
| FDP_SPR_EXT.1/USB | FDP_PDC_EXT.3 | Included |
| FDP_SWI_EXT.1 | None | N/A |
| FDP_SWI_EXT.2 | FDP_SWI_EXT.1 | Included |
| FDP_SWI_EXT.3/KM | FDP_SWI_EXT.1 | Included |
| FDP_UDF_EXT.1/AO | FDP_APC_EXT.1 | Included |
| FDP_UDF_EXT.1/KM | FDP_APC_EXT.1 | Included |
| FDP_UDF_EXT.1/VI | FDP_APC_EXT.1 | Included |
| FIA_UAU.2 | FIA_UID.1 | Included |
| FIA_UID.2 | None | N/A |
| FMT_MOF.1 | FMT_SMF.1, FMT_SMR.1 | Included, Included |
| FMT_SMF.1 | None | N/A |
| FMT_SMR.1 | FIA_UID.1 | Included |
| FPT_FLS_EXT.1 | FPT_TST.1, FPT_PHP.3 | Included, Included only if anti-tamper is selected in FPT_FLS_EXT.1.1 |
| FPT_NTA_EXT.1 | None | N/A |
| FPT_PHP.1 | None | N/A |
| FPT_PHP.3 | None | N/A |
| FPT_STM.1 | None | N/A |
| FPT_TST.1 | None | N/A |
| FPT_TST_EXT.1 | FPT_TST.1 | Included |
| FTA_CIN_EXT.1 | FDP_APC_EXT.1 | Included |

Table 21 – Functional Requirement Dependencies

Security Assurance
Requirements Rationale

The TOE assurance requirements for this ST consist of the requirements indicated in the [PP_PSD_V4.0].

9 TOE SUMMARY SPECIFICATION

This section provides a description of the security functions and assurance measures of the TOE that meet the TOE security requirements.

9.1 SECURITY AUDIT

The TOE is equipped with non-volatile memory and Random Access Memory (RAM) for the storage of audit records. There are two separate storage areas:
• Critical RAM and One Time Programming (OTP) Logs
  o The critical RAM log area stores the following information:
    ▪ Tampering events – there are six possible event flags
    ▪ Self-test failure – a record of the latest self-test failure is recorded with error code information
    ▪ Peripheral device rejection
    ▪ Reset to factory default event
    ▪ Changes to the primary administrator password
  o The OTP log maintains the critical events in parallel with the Critical RAM log. This log stores up to 64 events and does not overwrite. It stops recording when the log is full.
• Non-critical (RAM) Logs
  o Peripheral device acceptance
  o Non-security related configuration changes
  o Administrator login
  o Administrator logout
  o Creation and removal of administrator accounts
  o Administrator password changes (other than for the primary administrator)
  o Password lock events

All events describe the event outcome and include the date and time. Where applicable, the username of the administrator who initiated the action is also recorded. Logs cannot be deleted by the administrator. The critical logs hold up to 64 events. The non-critical logs hold up to 128 events. In both log files, the oldest logs are overwritten when the storage space allocated to the logs becomes full.

Audit records can only be read by authorized administrators through the TOE device’s terminal mode.
Instructions for logging into the device and entering terminal mode are detailed in the Vertiv Administrator Guide [Vertiv Admin].

TOE Security Functional Requirements addressed: FAU_GEN.1.

9.2 USER DATA PROTECTION

System Controller

Each device includes a System Controller which is responsible for device management, user interaction, system control security functions, and device monitoring. It receives user input from the switches on the front panel or the remote control and drives the TOE channel select lines that control switching circuits within the TOE.

The System Controller includes a microcontroller with internal non-volatile, Read Only Memory (ROM). The controller function manages the TOE functionality through a pre-programmed state machine loaded on the ROM as read-only firmware during product manufacturing.

Following boot up of the TOE, the channel select lines are set to Channel 1 by default. The channel select lines are also used to link the System Controller channel select commands to the Field Programmable Gate Array (FPGA) that supports video processing.

The user determines the host computer to be connected to the peripherals by pressing a button on the TOE front panel or on the remote control. The front panel button of the selected computer is illuminated. Switching can only be initiated through express user action.

TOE Security Functional Requirements addressed: FDP_SWI_EXT.1, FDP_SWI_EXT.2.

9.2.1.1 Active PSD Connections

The TOE ensures that data flows only between the peripherals and the connected computer selected by the user. No data transits the TOE when the TOE is powered off, or when the TOE is in a failure state. A failure state occurs when the TOE fails a self-test when powering on, or when the anti-tampering function has been triggered.
TOE Security Functional Requirements addressed: FDP_APC_EXT.1/AO, FDP_APC_EXT.1/KM, FDP_APC_EXT.1/VI.

9.2.1.2 Connected Computer Interfaces

The connected computers are attached to the TOE as follows:
• The TOE connects to the keyboard and mouse port using a USB A to USB B cable. The USB A end attaches to the computer, and the USB B end attaches to the TOE.
• The TOE is connected to the computer video port using a video cable supporting DisplayPort, DVI-D, HDMI, or a USB-Type C Display Port interface.
• The TOE audio-in is connected to the computer audio-out using a 1/8” stereo plug cable.

TOE Security Functional Requirements addressed: FDP_PDC_EXT.1.

9.2.1.3 Residual Information Protection

The Letter of Volatility is included as Annex A.

A Restore to Factory Default (RFD) action may be initiated by an authorized administrator through the administration console, or by selecting Left Ctrl | Left Ctrl | f11 | r from the keyboard of the connected computer. When the RFD command is issued, it initiates the following actions:
• All peripheral devices are logically disconnected from the selected computer
• The front panel LEDs blink together
• The TOE resets, purging the appropriate data
• The TOE performs a normal power up and self-test sequence

When the device completes the reboot, the peripherals will be connected to channel #1 and all default settings will be restored. The data in the critical logs, and the primary administrator username and password data are maintained in the OTP Memory of the System Controller.

TOE Security Functional Requirements addressed: FDP_RIP_EXT.1, FDP_RIP_EXT.2.
Keyboard and Mouse Switching Functionality

9.2.2.1 Keyboard and Mouse Enumeration

The TOE determines whether or not a peripheral device that has been plugged into the keyboard and mouse peripheral ports is allowed to operate with the TOE. The TOE uses optical data diodes to enforce a unidirectional data flow from the user peripherals to the coupled hosts, and uses isolated device emulators to prevent data leakage through the peripheral switching circuitry.

The Serial Random Access Memory (SRAM) in the host and device emulator circuitry stores USB Host stack parameters and up to the last 4 key codes. User data may be briefly retained; however, there are no data buffers. Data is erased during power off of the KVM, and when the user switches channels. When the TOE switches from one computer to another, the system controller ensures that the keyboard and mouse stacks are deleted, and that any data received from the keyboard in the first 100 milliseconds following switching is deleted. This is done to ensure that any data buffered in the keyboard microcontroller is not passed to the newly selected computer.

The TOE supports USB Type A HIDs on keyboard and mouse ports. The USB bidirectional communication protocol is converted into a unidirectional proprietary protocol, and is then converted back into the USB bidirectional protocol to communicate with the coupled computer hosts.

A USB keyboard is connected to the TOE keyboard host emulator through the console keyboard port. The keyboard host emulator is a microcontroller which enumerates the connected keyboard and verifies that it is a permitted device type. Once the keyboard has been verified, the USB keyboard sends scan codes, which are generated when the user types.
These scan codes are converted by the keyboard host emulator into a proprietary protocol data stream that is combined with the data stream from the mouse host emulator.

Similarly, the USB mouse is connected to the TOE mouse host emulator through the USB mouse port. The mouse host emulator is a microcontroller which enumerates the connected mouse and verifies that it is a permitted device type. Once the mouse device has been verified, it sends serial data generated by mouse movement and button use. The mouse serial data is converted by the mouse host emulator into a proprietary protocol data stream that is combined with the data stream from the keyboard host emulator.

TOE Security Functional Requirements addressed: FDP_PDC_EXT.3/KM, FDP_UDF_EXT.1/KM, FDP_RIP.1/KM.

9.2.2.2 Keyboard and Mouse Switching Functionality

The combined data stream is passed through the channel select lines to the selected host channel. The channel select lines are driven by the System Controller Module, and the selection is based on user input through use of the mouse or keyboard. Once a channel is selected, the combined mouse and keyboard data stream is passed through an optical data diode and routed to the specific host channel device emulator. The optical data diode is an opto-coupler designed to physically prevent reverse data flow. The keyboard and mouse can only be switched together.

Device emulators are USB enabled microcontrollers that are programmed to emulate a standard USB keyboard and mouse composite device. The combined data stream is converted back to bidirectional data before reaching the selected host computer.

Since the keyboard and mouse function are emulated by the TOE, the connected computer is not able to send data to the keyboard that would allow it to indicate that Caps Lock, Num Lock or Scroll Lock are set. These are indicated on the TOE front panel, on the right hand side, as shown in Figure 6 in Section 7.5.
TOE Security Functional Requirements addressed: FDP_APC_EXT.1/KM, FDP_UDF_EXT.1/KM, FDP_SWI_EXT.3/KM.

9.2.2.3 Keyboard and Mouse Compatible Device Types

The TOE employs fixed device filtering and accepts only USB HID devices at the keyboard and mouse peripheral ports. Only USB Type A connections are permitted. The TOE does not support a wireless connection to a mouse, keyboard or USB hub.

TOE Security Functional Requirements addressed: FDP_PDC_EXT.1, FDP_PDC_EXT.2/KM, FDP_FIL_EXT.1/KM.

9.2.2.4 Re-Enumeration Device Rejection

If a connected device attempts to re-enumerate as a different USB device type, it will be rejected by the TOE.

TOE Security Functional Requirements addressed: FDP_RDR_EXT.1.

Video Switching Functionality

Video data flow is comprised of unidirectional Extended Display Identification Data (EDID) and video data flow paths. Figure 3 shows a data flow during the display EDID read function.

Figure 3 – Display EDID Read Function

An EDID read event only occurs as the TOE is being powered up. The video controller reads the EDID content from the display device to verify that it is valid and usable. If data is not valid, TOE operation will cease and wait for the display peripheral to be changed.

Figure 4 – Display EDID Write Function

Figure 4 illustrates the video controller (shown in blue) as it writes the EDID content into the first channel emulated EDID Electrically Erasable Programmable Read-Only Memory (EEPROM) chip (shown in gray). The thick lines in this figure indicate native video lines, and the thin lines indicate Inter-Integrated Circuit (I2C) lines.
The EDID multiplexer couples the I2C lines to the first EDID mode switch (shown in orange). The first EDID mode switch switches the video controller I2C lines to the first emulated EDID EEPROM chip (shown in gray). The chip write protect switch opens to enable writing. The video controller uses the I2C lines to write to the first emulated EDID EEPROM chip. Once the write operation is complete and verified, the video controller switches the EDID multiplexer to the next channel and the operation repeats until all chips are programmed. Once the write operation is complete, the video controller switches to normal operating mode, as shown in Figure 5 below.

In EDID write mode, the Emulated EDID EEPROM chips are switched to their respective computers to enable reading of the EDID information. The write protect switches are switched back to protected mode to prevent any attempt to write to the EEPROM or to transmit MCCS commands.

Figure 5 – Display Normal Mode

In normal mode, each computer interface operates independently. The power to each emulated EDID EEPROM is received from its respective computer through the video cable. The main video multiplexer is switched to the user selected computer to enable the proper video display.

During TOE normal operation (Figure 5), any attempt by a connected computer to affect the EDID channel is blocked by the architecture. Each computer is only able to affect its own emulated EDID EEPROM.

Video input interfaces are isolated from one another. Isolation is achieved through the use of separate power and ground planes, separate electronic components and a separate emulated EDID chip for each channel.

The EDID function is emulated by an independent emulation EEPROM chip for each computer channel. These chips read content from the connected display once during TOE power up.
Any subsequent change to the display peripheral will be ignored.

The TOE will reject any display device that does not present valid EDID content. An LED on the rear panel of the TOE will indicate a rejected display device.

The TOE supports DisplayPort versions 1.1, 1.2 and 1.3, HDMI 2.0, DVI-D and USB-C connections:
• For DisplayPort connections, the TOE video function filters the AUX channel by converting it to I2C EDID only. DisplayPort video is converted into an HDMI video stream, and the I2C EDID lines connected to the emulated EDID EEPROM functions as shown in the figures above. This allows EDID to be passed from the display to the computer (as described above), and allows Hot-Plug Detection (HPD) and Link Training information to pass through the TOE. AUX channel threats are mitigated through the conversion from DisplayPort to HDMI protocols. Traffic types including USB, Ethernet, MCCS, and EDID write from the computer to the display are blocked by the TOE. High-bandwidth Digital Content Protection (HDCP) and Consumer Electronics Control (CEC) functions are not connected.
  o The DisplayPort protocol is supported on the SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC, SC940DPHC devices only.
• For HDMI connections, EDID information is allowed to pass from the display to the computer, as described above. HPD information is also allowed to pass. Other protocols, including Audio Return Channel (ARC), EDID from the computer to the display, MCCS, HDMI Ethernet and Audio Return Channel (HEAC), and HDMI Ethernet Channel (HEC) are blocked. HDCP and Consumer Electronics Control (CEC) functions are not connected.
  o The HDMI protocol is supported on the SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC, SC940DPHC devices only.
• For DVI-D connections, EDID information is allowed to pass from the display to the computer, as described above. HPD information is also allowed to pass from the display to the computer. Other protocols, including Audio Return Channel (ARC), EDID from the computer to the display, HDMI Ethernet and Audio Return Channel (HEAC), HDMI Ethernet Channel (HEC) and MCCS are blocked. HDCP and Consumer Electronics Control (CEC) functions are not connected.
  o The DVI-D protocol is supported on the SC840DVI and SC940DVI devices only.
• For USB-C connections, EDID information is allowed to pass from the display to the computer, as described above. HPD information and Link Training are also allowed to pass. Other protocols, including EDID from the computer to the display, and MCCS are blocked. HDCP and Consumer Electronics Control (CEC) functions are not connected.
  o The USB Type-C with DisplayPort as an alternate function is supported on the SC840DPHC and SC940DPHC devices only.

The TOE video function blocks MCCS write transactions through the emulated EDID EEPROMs. The emulated EEPROMs support only EDID read transactions, and are isolated by the write protect switch.

Following triggering of the anti-tampering function, following a failed self-test, or when the TOE is powered off, all video input signals are isolated from other video inputs and from the video output interfaces by the active video re-drivers. Emulated EDID EEPROMs may still operate since they are powered by their respective computers; however, the video function remains isolated.

TOE Security Functional Requirements addressed: FDP_IPC_EXT.1, FDP_SPR_EXT.1/DP, FDP_SPR_EXT.1/DVI-D, FDP_SPR_EXT.1/HDMI, FDP_SPR_EXT.1/USB.
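The validate-then-lock behaviour of the emulated EDID EEPROMs described above can be modelled as follows. This is an added example, not Vertiv firmware and not part of the Security Target. The ST does not say how the TOE decides that EDID content is valid, so the check assumes the standard EDID 1.x base-block rules (128-byte length, fixed header, checksum); all type and function names are hypothetical and the sample EDID is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define EDID_BLOCK_LEN 128
typedef enum { EDID_OK, EDID_BAD_LENGTH, EDID_BAD_HEADER, EDID_BAD_CHECKSUM } edid_status;

/* Fixed 8-byte pattern that opens every EDID 1.x base block. */
static const uint8_t EDID_HEADER[8] = {0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00};

/* Assumed meaning of "valid EDID content": length, header, checksum (sum of all bytes is 0 mod 256). */
edid_status edid_check(const uint8_t *blk, size_t len)
{
    uint8_t sum = 0;
    if (blk == NULL || len != EDID_BLOCK_LEN)
        return EDID_BAD_LENGTH;
    if (memcmp(blk, EDID_HEADER, sizeof EDID_HEADER) != 0)
        return EDID_BAD_HEADER;
    for (size_t i = 0; i < EDID_BLOCK_LEN; i++)
        sum = (uint8_t)(sum + blk[i]);
    return sum == 0 ? EDID_OK : EDID_BAD_CHECKSUM;
}

/* Hypothetical model of one channel's emulated EDID EEPROM. */
typedef struct {
    uint8_t data[EDID_BLOCK_LEN];
    edid_status last_status; /* result of the power-up EDID read */
    bool programmed;         /* holds a validated copy of the display's EDID */
    bool write_protected;    /* closed in normal mode, open only in EDID write mode */
    bool reject_led;         /* stands in for the rear-panel rejected-display LED */
    unsigned refused_writes; /* host-side writes blocked by write protect */
} emu_eeprom;

/* Power-up path (video controller side): validate, open write protect, program, verify, re-protect. */
void emu_program_from_display(emu_eeprom *e, const uint8_t *edid, size_t len)
{
    e->last_status = edid_check(edid, len);
    e->write_protected = true;
    e->programmed = false;
    e->reject_led = (e->last_status != EDID_OK);
    if (e->reject_led) return;      /* invalid display: nothing is written */
    e->write_protected = false;     /* EDID write mode */
    memcpy(e->data, edid, EDID_BLOCK_LEN);
    e->programmed = (memcmp(e->data, edid, EDID_BLOCK_LEN) == 0);
    e->write_protected = true;      /* back to normal mode */
}

/* Computer side: any write (EDID write or MCCS) is refused while protected. */
bool emu_host_write(emu_eeprom *e, size_t off, uint8_t val)
{
    if (e->write_protected || off >= EDID_BLOCK_LEN) {
        e->refused_writes++;
        return false;
    }
    e->data[off] = val;
    return true;
}

/* Constructed sample: a minimal, structurally valid base block. */
void make_sample_edid(uint8_t out[EDID_BLOCK_LEN])
{
    uint8_t sum = 0;
    memset(out, 0, EDID_BLOCK_LEN);
    memcpy(out, EDID_HEADER, sizeof EDID_HEADER);
    out[18] = 1; out[19] = 3;       /* EDID version 1, revision 3 */
    for (size_t i = 0; i < EDID_BLOCK_LEN - 1; i++)
        sum = (uint8_t)(sum + out[i]);
    out[127] = (uint8_t)(0x100 - sum); /* checksum byte */
}

/* fault: 0 none, 1 damaged header, 2 flipped payload bit, 3 truncated read.
 * Powers up one channel, then attempts one host-side write in normal mode. */
emu_eeprom demo_channel(int fault)
{
    uint8_t edid[EDID_BLOCK_LEN];
    emu_eeprom ch = {0};
    make_sample_edid(edid);
    if (fault == 1) edid[0] = 0x01;
    if (fault == 2) edid[20] ^= 0x01;
    emu_program_from_display(&ch, edid, fault == 3 ? EDID_BLOCK_LEN - 1 : EDID_BLOCK_LEN);
    emu_host_write(&ch, 8, 0xAA);
    return ch;
}

int main(void) { return (demo_channel(0).programmed && demo_channel(2).reject_led) ? 0 : 1; }
```

In every case the host-side write is refused, because the model leaves write protect closed whenever the power-up programming step has finished or been skipped.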
9.2.3.1 Video Compatible Device Types

The SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC and SC940DPHC TOE devices accept any DisplayPort or HDMI display device at the video peripheral ports. The SC840DVI and SC940DVI devices accept any DVI-D device at the video peripheral ports. The TOE does not support a wireless connection to a video display.

The SC820DPH, SC840DPH, SC840DPHC and SC840DVI devices support a single video display and the SC920DPH, SC940DPH, SC940DPHC and SC940DVI devices support two video displays.

TOE Security Functional Requirements addressed: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI(1), FDP_PDC_EXT.3/VI(2), FDP_PDC_EXT.3/VI(3), FDP_CDS_EXT.1(1), FDP_CDS_EXT.1(2).

Audio Switching Functionality

The TOE audio data flow path is electrically isolated from all other functions and interfaces to prevent signaling data leakages to and from the audio paths. Audio switching is controlled by the system controller function through dedicated unidirectional command lines.

Audio signals cannot be digitized or otherwise sampled by any TOE circuitry.

The TOE audio switching multiplexer uses a combination of mechanical relays and a solid-state multiplexer to ensure isolation. Unidirectional flow data diodes prevent audio data flow from an audio device to a selected computer.

There is a separate audio interface for each computer. Each interface is electrically isolated from other interfaces, and from other TOE circuitry. These features ensure that the audio filtration specification requirements are met.

The TOE does not supply power to the analog audio output interface, and cannot be configured to do so. Therefore, it cannot be used to supply power to an unauthorized device on that interface.

When the TOE is powered off, an audio isolation relay is open, thereby isolating the audio input from the computer interfaces from all other circuitry and interfaces.
Following triggering of the anti-tampering function, or following a failed self-test, the TOE will de-energize this audio isolation relay to isolate the audio inputs.

The audio subsystem does not store, convert or delay audio data flows. Therefore, there is no risk of audio overflow when switching between channels.

The audio switching functionality features a separate channel selection control with an optional freeze function. This allows the audio port to stay connected to a specific computer while switching keyboard, video, and mouse between other computers.

The use of analog microphone or line-in audio devices is strictly prohibited as indicated in the user guidance. The TOE will reject a microphone through the following two methods:

• There is an analog audio data diode that forces data to flow only from a computer to an audio peripheral device
• There is a microphone Direct Current (DC) bias barrier that blocks an electret microphone DC bias if the TOE is deliberately or inadvertently connected to the microphone input jack of a connected computer

TOE Security Functional Requirements addressed: FDP_AFL_EXT.1, FDP_PUD_EXT.1, FDP_UDF_EXT.1/AO.

9.2.4.1 Audio Compatible Device Types

The TOE accepts analog headphones or analog speakers connected via a 1/8” (3.5mm) audio jack at the audio peripheral port. The TOE does not support a wireless connection to an audio output device.

TOE Security Functional Requirements addressed: FDP_PDC_EXT.1, FDP_PDC_EXT.2/AO.

9.3 IDENTIFICATION AND AUTHENTICATION AND SECURITY MANAGEMENT

In order to access administrative functions, a user must be in possession of an administrator username and password. A single administrator role is supported by the TOE. Administrators authenticate to the TOE by entering a username and password.
The default administrator username is ‘admin1234’. The primary administrator account cannot be deleted. The password remains the same and does not revert to the default when an RFD is performed.

Up to nine additional administrator accounts may be created. These additional accounts and associated passwords are removed when an RFD is performed. For these accounts, usernames must be between 8 and 11 characters in length, and may be made up of uppercase and lowercase letters. These additional administrator accounts can be deleted.

The default administrator password is ‘1234ABCDefg!@#’, and must be changed on the first login. Administrator passwords must be between 8 and 15 characters in length and may contain uppercase letters, lowercase letters, numbers or any of the following special characters: ‘!’, ‘@’, ‘#’, ‘$’, ‘%’, ‘^’, ‘&’, ‘*’, ‘(’, ‘)’, ‘-’, or ‘_’. The password must contain at least one uppercase letter, one lowercase letter, one number and one special character.

Passwords are stored in the non-volatile memory in a proprietary, obfuscated format. Lost usernames or passwords cannot be recovered.

The user is locked out after three failed login attempts. The user may cycle the device power and try again.

Once logged in, the administrator may use the functions described in the Vertiv CYBEX™ SC820DPH, SC840DPH, SC920DPH, SC940DPH, SC840DPHC, SC940DPHC, SC840DVI, SC940DVI Firmware Version 44404-E7E7 Peripheral Sharing Devices Common Criteria Guidance Supplement and the [Vertiv Admin] to manage the TOE. The administrator login and any changes made are recorded in the audit logs along with the date and time of the event.
The administrator can use the administrator console function to perform the following tasks:

• Manage administrator accounts (change password, create/delete administrator account)
• Reset to factory defaults – note that this does not reset the username and password of the primary administrator, and does not reset the critical logs

TOE Security Functional Requirements addressed: FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1.

9.4 PROTECTION OF THE TSF

No Access to TOE

Connected computers do not have access to TOE firmware or memory, with the following exceptions:

• EDID data is accessible to connected computers from the TOE
• Authorized administrators use a connected computer to access configuration data and settings
• Authorized administrators use a connected computer to access TOE audit records

All of the TOE microcontrollers run from internal protected flash memory. Firmware cannot be updated from an external source. Firmware cannot be read or rewritten through the use of Joint Test Action Group (JTAG) tools. Firmware is executed on Static Random Access Memory (SRAM) with the appropriate protections to prevent external access and tampering of code or stacks.

TOE Security Functional Requirements addressed: FPT_NTA_EXT.1.

Anti-tampering Functionality

The TOE provides both passive and active anti-tampering functionality.

9.4.2.1 Passive Detection of Physical Tampering

The TOE enclosure was designed specifically to prevent physical tampering. It features a stainless-steel welded chassis and panels that prevent external access through bending or brute force. Additionally, each device is fitted with one or more holographic Tampering Evident Labels placed at critical locations on the TOE enclosure. If the label is removed, the word ‘VOID’ appears on both the label and the product surface.
The remote control also has a holographic Tampering Evident Label placed at a critical location.

TOE Security Functional Requirements addressed: FPT_PHP.1.

9.4.2.2 Resistance to Physical Attack

The anti-tampering system is mechanically coupled to the TOE enclosure to detect any attempt to access the TOE internal circuitry. Any attempt to separate the pieces of the enclosure to access the internal circuitry will trigger the anti-tampering function.

Power is provided to the circuitry by the TOE power supply and by a backup battery. If the self-test detects that the battery is depleted or failing, the anti-tampering function will be triggered.

When the anti-tampering function on the switch is triggered, it causes an internal microscopic fuse on the System Controller (on-die) to melt. This permanently disables all interfaces and user functions of the device, and causes the front panel LEDs to blink sequentially and continuously. The TOE anti-tampering function is irreversible.

Device anti-tampering events are recorded in TOE internal non-volatile memory with the time and date and may be read from the audit logs.

When the anti-tampering mechanism on the remote control is triggered, the remote control device becomes permanently disabled.

TOE Security Functional Requirements addressed: FPT_FLS_EXT.1, FPT_PHP.3.

Reliable Timestamps

Each device includes a real-time clock powered by a battery. The time is set during production.

TOE Security Functional Requirements addressed: FPT_STM.1.

TSF Testing

The TOE performs a self-test at initial start-up (i.e. when the device is powered on). A user may enter self-test failure mode by performing the following steps:

1. To enter self-test failure mode, press and hold the channel 1 button, and power on the device. The channel indicators on the front panel light up sequentially, and the audio, video, and keyboard/mouse USB ports are disabled.
2. To exit self-test failure mode, cycle the power.
The self-test runs independently at each microcontroller and performs the following checks:

• Verification of the front panel push-buttons
• Verification of the active anti-tampering functionality, including the continued functionality of the backup battery
• Verification of the integrity of the microcontroller firmware
• Verification of computer port isolation. This is tested by sending test packets to various interfaces and attempting to detect this traffic at all other interfaces

If the self-test fails, the LEDs on the front panel blink and the device makes a clicking sound to indicate the failure. The TOE disables the PSD switching functionality, and remains in a disabled state until the self-test is rerun and passes. All self-test failures are recorded in the log file, together with the date and time.

TOE Security Functional Requirements addressed: FPT_FLS_EXT.1, FPT_TST.1, FPT_TST_EXT.1.

9.5 TOE ACCESS

The TOE user switches between computers by pressing the corresponding front panel button on the device, or by pressing a button on the remote control. The front panel button corresponding to the selected computer will illuminate.

When switching between computers with audio output connections, the speakers or headphones are switched accordingly. When switching to a computer that is not connected to an audio output device, the audio output device will remain mapped to the last channel that supported the connection.

A user can select the ‘Freeze Audio’ button on the front panel to lock the audio output device to the currently connected computer. When the user switches the other peripherals to another channel, the audio output device will remain attached to the previously selected channel, and the ‘Freeze Audio’ LED will be illuminated.
The audio output device channel is indicated by an LED to the left of the channel. To release the freeze, the user selects ‘Freeze Audio’ a second time. Figure 6 shows the selection buttons.

Figure 6 – Channel Selection

On power up or power up following reset, all peripherals are connected to channel #1, and the corresponding push button LED will be illuminated.

TOE Security Functional Requirements addressed: FTA_CIN_EXT.1.

10 TERMINOLOGY AND ACRONYMS

10.1 TERMINOLOGY

The following terminology is used in this ST:

| Term | Description |
|---|---|
| AO | AO refers to the requirements for Audio Output Devices. |
| AUX | AUX refers to the auxiliary channel, particularly as it applies to the DisplayPort protocol. |
| KM | KM refers to the requirements for Keyboard/Mouse Devices. |
| VI | VI refers to the requirements for Video/Display Devices. |

Table 22 – Terminology

10.2 ACRONYMS

The following acronyms are used in this ST:

| Acronym | Definition |
|---|---|
| ARC | Audio Return Channel |
| CC | Common Criteria |
| CEC | Consumer Electronics Control |
| dB | decibel |
| DC | Direct Current |
| DE | Device Emulator |
| DP | DisplayPort |
| EDID | Extended Display Identification Data |
| EEPROM | Electrically Erasable Programmable Read-Only Memory |
| FPGA | Field Programmable Gate Array |
| HDCP | High-bandwidth Digital Content Protection |
| HDMI | High-Definition Multimedia Interface |
| HE | Host Emulator |
| HEAC | HDMI Ethernet and Audio Return Channel |
| HEC | HDMI Ethernet Channel |
| HID | Human Interface Device |
| HPD | Hot-Plug Detection |
| I2C | Inter-Integrated Circuit |
| ID | Identification |
| IT | Information Technology |
| JTAG | Joint Test Action Group |
| kHz | kilohertz |
| KVM | Keyboard, Video, Mouse |
| LED | Light Emitting Diode |
| MCCS | Monitor Control Command Set |
| mV | millivolt |
| NIAP | National Information Assurance Partnership |
| OTP | One Time Programming |
| PP | Protection Profile |
| PSD | Peripheral Sharing Device |
| RAM | Random Access Memory |
| RFD | Restore to Factory Default |
| ROM | Read Only Memory |
| SFR | Security Functional Requirement |
| SRAM | Serial Random Access Memory |
| ST | Security Target |
| TOE | Target of Evaluation |
| TSF | TOE Security Functionality |
| USB | Universal Serial Bus |
| VID/PID | Vendor Identification/Product Identification |

Table 23 – Acronyms

11 REFERENCES

| Identifier | Title |
|---|---|
| [CC] | Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and General Model, CCMB‐2017‐04‐001, Version 3.1 Revision 5, April 2017; Part 2: Security Functional Components, CCMB‐2017‐04‐002, Version 3.1 Revision 5, April 2017; Part 3: Security Assurance Components, CCMB‐2017‐04‐003, Version 3.1 Revision 5, April 2017 |
| [CEM] | Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, CCMB‐2017‐04‐004, Version 3.1 Revision 5, April 2017 |
| [Vertiv Admin] | Cybex™ SC/SCM Switching System Additional Operations and Configuration Technical Bulletin, 590-1741-501 Rev. B |
| [PP_PSD_V4.0] | Protection Profile for Peripheral Sharing Device, Version: 4.0, 2019‐07‐19 |
| [MOD_AO_V1.0] | PP‐Module for Analog Audio Output Devices, Version 1.0, 2019‐07‐19 |
| [MOD_KM_V1.0] | PP‐Module for Keyboard/Mouse Devices, Version 1.0, 2019‐07‐19 |
| [MOD_VI_1.0] | PP‐Module for Video/Display Devices, Version 1.0, 2019‐07‐19 |
| [CFG_PSD‐AO‐KM‐VI_V1.0] | PP‐Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, and Video/Display Devices, 19 July 2019 |

Table 24 – References

ANNEX A – LETTER OF VOLATILITY

The table below provides volatility information and memory types for the Vertiv Peripheral Sharing Devices. User data is not retained in any TOE device when the power is turned off.

| Product Models | No. in each product | Function, Manufacturer and Part Number | Storage Type | Size | Power Source (if not the TOE) | Volatility | Contains User Data | Effect of RFD |
|---|---|---|---|---|---|---|---|---|
| SC840DPH, SC940DPH, SC840DPHC, SC940DPHC | 1 | System Controller, Host emulators: ST Microelectronics STM32F446ZCT | Embedded SRAM¹ | 128KB | | Volatile | May contain user data | Data is purged |
| | | | Embedded Flash² | 256KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Log data is retained |
| | | | OTP Memory | 512 bytes | | Non-Volatile | Event logs are saved | Data is not purged on RFD |
| | 5 in SH or 10 in DH models | Video Controller: ST Microelectronics STM32F070C6T6 | Embedded SRAM¹ | 6KB | | Volatile | No user data | Data is purged |
| | | | Embedded Flash² | 32KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Data is purged on RFD |
| | 4 | Device emulators: ST Microelectronics STM32F070C6T6 | Embedded SRAM¹ | 6KB | Connected computer | Volatile | May contain user data | Data is purged |
| | | | Embedded Flash² | 32KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Data is purged on RFD |
| SC820DPH, SC920DPH | 1 | System Controller, Host emulators: ST Microelectronics STM32F446ZCT | Embedded SRAM¹ | 128KB | | Volatile | May contain user data | Data is purged |
| | | | Embedded Flash² | 256KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Log data is retained |
| | | | OTP Memory | 512 bytes | | Non-Volatile | Event logs are saved | Data is not purged on RFD |
| | 3 in SH or 6 in DH models | Video Controller: ST Microelectronics STM32F070C6T6 | Embedded SRAM¹ | 16KB | | Volatile | No user data | Data is purged |
| | | | Embedded Flash² | 128KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Data is purged on RFD |
| | 2 | Device emulators: ST Microelectronics STM32F070C6T6 | Embedded SRAM¹ | 16KB | Connected computer | Volatile | May contain user data | Data is purged |
| | | | Embedded Flash² | 128KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Data is purged on RFD |
| SC840DVI, SC940DVI | 1 | System Controller, Host emulators: ST Microelectronics STM32F446ZCT | Embedded SRAM¹ | 128KB | | Volatile | May contain user data | Data is purged |
| | | | Embedded Flash² | 256KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Log data is retained |
| | | | OTP Memory | 512 bytes | | Non-Volatile | Event logs are saved | Data is not purged on RFD |
| | 1 in KVM SH, 2 in KVM DH | Video Controller: ST Microelectronics STM32F070C6T6 | Embedded SRAM¹ | 16KB | | Volatile | No user data | Data is purged |
| | | | Embedded Flash² | 128KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Data is purged on RFD |
| | 4 | Device emulators: ST Microelectronics STM32F070C6T6 | Embedded SRAM¹ | 6KB | Connected computer | Volatile | May contain user data | Data is purged |
| | | | Embedded Flash² | 32KB | | Non-Volatile | No user data | Firmware is retained |
| | | | Embedded EEPROM³ | 4KB | | Non-Volatile | No user data | Data is purged on RFD |
| | 4 in 4P SH or 8 in 4P DH | EDID Emulator: ST Microelectronics M24C02-WMN6TP | EEPROM⁴ | 2 KB | | Non-Volatile | No user data | Data is purged on RFD |

Notes:

¹ SRAM stores USB Host stack parameters and up to the last 4 key-codes. Data is erased during power off of the KVM, and when the user switches channels. Device emulators receive power from the individual connected computers and therefore devices are powered on as long as the associated computer is powered on and connected.

² Flash storage is used to store firmware code. It contains no user data. Flash storage is permanently locked by fuses after initial programming to prevent rewriting. It is an integral part of the ST Microcontroller together with SRAM and EEPROM.

³ EEPROM is used to store operational parameters, such as display Plug & Play. They contain no user data. These devices receive power from the individual computers connected to the TOE, and therefore are powered on as long as the associated computer is powered on and connected.
Vertiv Peripheral Sharing Devices with Keyboard, Video, Mouse, and Audio Security Target Doc No: 2149-001-D102C3 Version: 1.24 Date: 19 November 2021 Page B-1 of B-1 ANNEX B – SFR DEVICE MATRIX Table 25 indicates the SFRs supported by each device. FAU_GEN.1 FDP_AFL_EXT.1 FDP_APC_EXT.1/AO FDP_APC_EXT.1/KM FDP_APC_EXT.1/VI FDP_CDS_EXT.1(1) FDP_CDS_EXT.1(2) FDP_FIL_EXT.1/KM FDP_IPC_EXT.1 FDP_PDC_EXT.1 FDP_PDC_EXT.2/AO FDP_PDC_EXT.2/KM FDP_PDC_EXT.2/VI FDP_PDC_EXT.3/KM FDP_PDC_EXT.3/VI(1) FDP_PDC_EXT.3/VI(2) FDP_PDC_EXT.3/VI(3) FDP_PUD_EXT.1 FDP_RDR_EXT.1 FDP_RIP_EXT.1 FDP_RIP.1/KM FDP_RIP_EXT.2 FDP_SPR_EXT.1/DP FDP_SPR_EXT.1/DVI-D FDP_SPR_EXT.1/HDMI FDP_SPR_EXT.1/USB FDP_SWI_EXT.1 FDP_SWI_EXT.2 FDP_SWI_EXT.3/KM FDP_UDF_EXT.1/AO FDP_UDF_EXT.1/KM FDP_UDF_EXT.1/VI FIA_UAU.2 FIA_UID.2 FMT_MOF.1 FMT_SMF.1 FMT_SMR.1 FPT_FLS_EXT.1 FPT_NTA_EXT.1 FPT_PHP.1 FPT_PHP.3 FPT_STM.1 FPT_TST.1 FPT_TST_EXT.1 FTA_CIN_EXT.1 SC820DPH X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SC840DPH X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SC920DPH X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SC940DPH X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SC840DPHC X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SC940DPHC X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SC840DVI X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SC940DVI X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X SCAFP0004* X X X X X X Table 25 – Security Functional Requirements and Devices * The remote control device contributes to the enforcement of the specified SFRs. The remote control is only used with another device.