ADV_HLD.4    Semiformal high-level explanation

Dependencies:

ADV_FSP.3 Semiformal functional specification
ADV_RCR.2 Semiformal correspondence demonstration

Developer action elements:

ADV_HLD.4.1D  The developer shall provide the high-level design of the TSF.

Content and presentation of evidence elements:

ADV_HLD.4.1C  The presentation of the high-level design shall be semiformal.

ADV_HLD.4.2C  The high-level design shall be internally consistent.

ADV_HLD.4.3C  The high-level design shall describe the structure of the TSF in terms of subsystems.

ADV_HLD.4.4C  The high-level design shall describe the security functionality provided by each subsystem of the TSF.

ADV_HLD.4.5C  The high-level design shall identify any underlying hardware, firmware, and/or software required by the TSF with a presentation of the functions provided by the supporting protection mechanisms implemented in that hardware, firmware, or software.

ADV_HLD.4.6C  The high-level design shall identify all interfaces to the subsystems of the TSF.

ADV_HLD.4.7C  The high-level design shall identify which of the interfaces to the subsystems of the TSF are externally visible.

ADV_HLD.4.8C  The high-level design shall describe the purpose and method of use of all interfaces to the subsystems of the TSF, providing complete details of all effects, exceptions and error messages.

ADV_HLD.4.9C  The high-level design shall describe the separation of the TOE into TSP-enforcing and other subsystems.

ADV_HLD.4.10C  The high-level design shall justify that the identified means of achieving separation, including any protection mechanisms, are sufficient to ensure a clear and effective separation of TSP-enforcing from non-TSP-enforcing functions.

ADV_HLD.4.11C  The high-level design shall justify that the TSF mechanisms are sufficient to implement the security functions identified in the high-level design.

Evaluator action elements:

ADV_HLD.4.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADV_HLD.4.2E  The evaluator shall determine that the high-level design is an accurate and complete instantiation of the TOE security functional requirements.