All modules
CMVP Validated Module · FIPS 140-3 Security Policy

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

Certificate#4727StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSUSE, LLC
High review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 10212 CVEs since this module's initial validation  ·  last validated 24 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/14/2029
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in section 11 of the Security Policy
VendorSUSE, LLC

Approved Algorithms (503)

AlgorithmACVP Cert
AES-CBCA3045
AES-CBCA3053
AES-CBCA3061
AES-CBCA3064
AES-CBCA3075
AES-CBCA3078
AES-CBCA3090
AES-CBCA3098
AES-CBCA3106
AES-CBCA3109
AES-CBCA3125
AES-CBCA3128
AES-CBCA3131
AES-CBC-CS3A3050
AES-CBC-CS3A3059
AES-CBC-CS3A3070
AES-CBC-CS3A3084
AES-CBC-CS3A3095
AES-CBC-CS3A3104
AES-CBC-CS3A3115
AES-CBC-CS3A3128
AES-CCMA3045
AES-CCMA3053
AES-CCMA3064
AES-CCMA3075
AES-CCMA3078
AES-CCMA3090
AES-CCMA3098
AES-CCMA3109
AES-CCMA3125
AES-CCMA3128
AES-CFB128A3048
AES-CFB128A3057
AES-CFB128A3068
AES-CFB128A3082
AES-CFB128A3093
AES-CFB128A3102
AES-CFB128A3113
AES-CFB128A3128
AES-CMACA3045
AES-CMACA3053
AES-CMACA3064
AES-CMACA3075
AES-CMACA3078
AES-CMACA3090
AES-CMACA3098
AES-CMACA3109
AES-CMACA3125
AES-CMACA3128
AES-CTRA3045
AES-CTRA3053
AES-CTRA3061
AES-CTRA3064
AES-CTRA3075
AES-CTRA3078
AES-CTRA3090
AES-CTRA3098
AES-CTRA3106
AES-CTRA3109
AES-CTRA3125
AES-CTRA3128
AES-CTRA3131
AES-ECBA3043
AES-ECBA3044
AES-ECBA3045
AES-ECBA3051
AES-ECBA3052
AES-ECBA3053
AES-ECBA3055
AES-ECBA3056
AES-ECBA3061
AES-ECBA3062
AES-ECBA3063
AES-ECBA3064
AES-ECBA3065
AES-ECBA3066
AES-ECBA3075
AES-ECBA3076
AES-ECBA3077
AES-ECBA3078
AES-ECBA3079
AES-ECBA3080
AES-ECBA3088
AES-ECBA3089
AES-ECBA3090
AES-ECBA3096
AES-ECBA3097
AES-ECBA3098
AES-ECBA3100
AES-ECBA3101
AES-ECBA3106
AES-ECBA3107
AES-ECBA3108
AES-ECBA3109
AES-ECBA3110
AES-ECBA3111
AES-ECBA3125
AES-ECBA3128
AES-ECBA3129
AES-ECBA3130
AES-ECBA3131
AES-GCMA3045
AES-GCMA3051
AES-GCMA3052
AES-GCMA3053
AES-GCMA3055
AES-GCMA3056
AES-GCMA3061
AES-GCMA3062
AES-GCMA3063
AES-GCMA3064
AES-GCMA3065
AES-GCMA3066
AES-GCMA3075
AES-GCMA3076
AES-GCMA3077
AES-GCMA3078
AES-GCMA3079
AES-GCMA3080
AES-GCMA3090
AES-GCMA3096
AES-GCMA3097
AES-GCMA3098
AES-GCMA3100
AES-GCMA3101
AES-GCMA3106
AES-GCMA3107
AES-GCMA3108
AES-GCMA3109
AES-GCMA3110
AES-GCMA3111
AES-GCMA3128
AES-GCMA3129
AES-GCMA3130
AES-KWA3046
AES-KWA3054
AES-KWA3067
AES-KWA3081
AES-KWA3091
AES-KWA3099
AES-KWA3112
AES-KWA3128
AES-OFBA3049
AES-OFBA3058
AES-OFBA3069
AES-OFBA3083
AES-OFBA3094
AES-OFBA3103
AES-OFBA3114
AES-OFBA3128
AES-XTS Testing Revision 2.0A3045
AES-XTS Testing Revision 2.0A3053
AES-XTS Testing Revision 2.0A3061
AES-XTS Testing Revision 2.0A3064
AES-XTS Testing Revision 2.0A3075
AES-XTS Testing Revision 2.0A3078
AES-XTS Testing Revision 2.0A3090
AES-XTS Testing Revision 2.0A3098
AES-XTS Testing Revision 2.0A3106
AES-XTS Testing Revision 2.0A3109
AES-XTS Testing Revision 2.0A3125
AES-XTS Testing Revision 2.0A3128
AES-XTS Testing Revision 2.0A3131
Counter DRBGA3043
Counter DRBGA3044
Counter DRBGA3045
Counter DRBGA3051
Counter DRBGA3052
Counter DRBGA3053
Counter DRBGA3055
Counter DRBGA3056
Counter DRBGA3061
Counter DRBGA3062
Counter DRBGA3063
Counter DRBGA3064
Counter DRBGA3065
Counter DRBGA3066
Counter DRBGA3075
Counter DRBGA3076
Counter DRBGA3077
Counter DRBGA3078
Counter DRBGA3079
Counter DRBGA3080
Counter DRBGA3088
Counter DRBGA3089
Counter DRBGA3090
Counter DRBGA3096
Counter DRBGA3097
Counter DRBGA3098
Counter DRBGA3100
Counter DRBGA3101
Counter DRBGA3106
Counter DRBGA3107
Counter DRBGA3108
Counter DRBGA3109
Counter DRBGA3110
Counter DRBGA3111
Counter DRBGA3128
Counter DRBGA3129
Counter DRBGA3130
ECDSA KeyGen (FIPS186-4)A3044
ECDSA KeyGen (FIPS186-4)A3089
Hash DRBGA3043
Hash DRBGA3044
Hash DRBGA3045
Hash DRBGA3051
Hash DRBGA3052
Hash DRBGA3053
Hash DRBGA3055
Hash DRBGA3056
Hash DRBGA3061
Hash DRBGA3062
Hash DRBGA3063
Hash DRBGA3064
Hash DRBGA3065
Hash DRBGA3066
Hash DRBGA3071
Hash DRBGA3072
Hash DRBGA3073
Hash DRBGA3076
Hash DRBGA3077
Hash DRBGA3078
Hash DRBGA3079
Hash DRBGA3080
Hash DRBGA3088
Hash DRBGA3089
Hash DRBGA3090
Hash DRBGA3096
Hash DRBGA3097
Hash DRBGA3098
Hash DRBGA3100
Hash DRBGA3101
Hash DRBGA3106
Hash DRBGA3107
Hash DRBGA3108
Hash DRBGA3109
Hash DRBGA3110
Hash DRBGA3111
Hash DRBGA3116
Hash DRBGA3117
Hash DRBGA3118
Hash DRBGA3129
Hash DRBGA3130
HMAC DRBGA3043
HMAC DRBGA3044
HMAC DRBGA3045
HMAC DRBGA3051
HMAC DRBGA3052
HMAC DRBGA3053
HMAC DRBGA3055
HMAC DRBGA3056
HMAC DRBGA3061
HMAC DRBGA3062
HMAC DRBGA3063
HMAC DRBGA3064
HMAC DRBGA3065
HMAC DRBGA3066
HMAC DRBGA3071
HMAC DRBGA3072
HMAC DRBGA3073
HMAC DRBGA3076
HMAC DRBGA3077
HMAC DRBGA3078
HMAC DRBGA3079
HMAC DRBGA3080
HMAC DRBGA3088
HMAC DRBGA3089
HMAC DRBGA3090
HMAC DRBGA3096
HMAC DRBGA3097
HMAC DRBGA3098
HMAC DRBGA3100
HMAC DRBGA3101
HMAC DRBGA3106
HMAC DRBGA3107
HMAC DRBGA3108
HMAC DRBGA3109
HMAC DRBGA3110
HMAC DRBGA3111
HMAC DRBGA3116
HMAC DRBGA3117
HMAC DRBGA3118
HMAC DRBGA3129
HMAC DRBGA3130
HMAC-SHA-1A3043
HMAC-SHA-1A3044
HMAC-SHA-1A3045
HMAC-SHA-1A3071
HMAC-SHA-1A3072
HMAC-SHA-1A3073
HMAC-SHA-1A3074
HMAC-SHA-1A3078
HMAC-SHA-1A3086
HMAC-SHA-1A3087
HMAC-SHA-1A3088
HMAC-SHA-1A3089
HMAC-SHA-1A3090
HMAC-SHA-1A3116
HMAC-SHA-1A3117
HMAC-SHA-1A3118
HMAC-SHA-1A3119
HMAC-SHA-1A3125
HMAC-SHA2-224A3043
HMAC-SHA2-224A3044
HMAC-SHA2-224A3045
HMAC-SHA2-224A3071
HMAC-SHA2-224A3072
HMAC-SHA2-224A3073
HMAC-SHA2-224A3074
HMAC-SHA2-224A3078
HMAC-SHA2-224A3087
HMAC-SHA2-224A3088
HMAC-SHA2-224A3089
HMAC-SHA2-224A3090
HMAC-SHA2-224A3116
HMAC-SHA2-224A3117
HMAC-SHA2-224A3118
HMAC-SHA2-224A3119
HMAC-SHA2-224A3125
HMAC-SHA2-224A3131
HMAC-SHA2-224A3132
HMAC-SHA2-256A3043
HMAC-SHA2-256A3044
HMAC-SHA2-256A3045
HMAC-SHA2-256A3071
HMAC-SHA2-256A3072
HMAC-SHA2-256A3073
HMAC-SHA2-256A3074
HMAC-SHA2-256A3078
HMAC-SHA2-256A3087
HMAC-SHA2-256A3088
HMAC-SHA2-256A3089
HMAC-SHA2-256A3090
HMAC-SHA2-256A3116
HMAC-SHA2-256A3117
HMAC-SHA2-256A3118
HMAC-SHA2-256A3119
HMAC-SHA2-256A3125
HMAC-SHA2-256A3131
HMAC-SHA2-256A3132
HMAC-SHA2-384A3043
HMAC-SHA2-384A3044
HMAC-SHA2-384A3045
HMAC-SHA2-384A3071
HMAC-SHA2-384A3072
HMAC-SHA2-384A3073
HMAC-SHA2-384A3078
HMAC-SHA2-384A3088
HMAC-SHA2-384A3089
HMAC-SHA2-384A3090
HMAC-SHA2-384A3116
HMAC-SHA2-384A3117
HMAC-SHA2-384A3118
HMAC-SHA2-384A3127
HMAC-SHA2-384A3132
HMAC-SHA2-512A3043
HMAC-SHA2-512A3044
HMAC-SHA2-512A3045
HMAC-SHA2-512A3071
HMAC-SHA2-512A3072
HMAC-SHA2-512A3073
HMAC-SHA2-512A3078
HMAC-SHA2-512A3088
HMAC-SHA2-512A3089
HMAC-SHA2-512A3090
HMAC-SHA2-512A3116
HMAC-SHA2-512A3117
HMAC-SHA2-512A3118
HMAC-SHA2-512A3127
HMAC-SHA2-512A3132
HMAC-SHA3-224A3047
HMAC-SHA3-224A3085
HMAC-SHA3-224A3092
HMAC-SHA3-224A3126
HMAC-SHA3-256A3047
HMAC-SHA3-256A3085
HMAC-SHA3-256A3092
HMAC-SHA3-256A3126
HMAC-SHA3-384A3047
HMAC-SHA3-384A3085
HMAC-SHA3-384A3092
HMAC-SHA3-384A3126
HMAC-SHA3-512A3047
HMAC-SHA3-512A3085
HMAC-SHA3-512A3092
HMAC-SHA3-512A3126
KAS-ECC-SSC Sp800-56Ar3A3044
KAS-ECC-SSC Sp800-56Ar3A3089
KAS-FFC-SSC Sp800-56Ar3A3043
KAS-FFC-SSC Sp800-56Ar3A3088
RSA SigVer (FIPS186-4)A3045
RSA SigVer (FIPS186-4)A3071
RSA SigVer (FIPS186-4)A3072
RSA SigVer (FIPS186-4)A3073
RSA SigVer (FIPS186-4)A3078
RSA SigVer (FIPS186-4)A3090
RSA SigVer (FIPS186-4)A3116
RSA SigVer (FIPS186-4)A3117
RSA SigVer (FIPS186-4)A3118
Safe Primes Key GenerationA3043
Safe Primes Key GenerationA3088
SHA-1A3043
SHA-1A3044
SHA-1A3045
SHA-1A3071
SHA-1A3072
SHA-1A3073
SHA-1A3074
SHA-1A3078
SHA-1A3086
SHA-1A3087
SHA-1A3088
SHA-1A3089
SHA-1A3090
SHA-1A3116
SHA-1A3117
SHA-1A3118
SHA-1A3119
SHA-1A3125
SHA2-224A3043
SHA2-224A3044
SHA2-224A3045
SHA2-224A3071
SHA2-224A3072
SHA2-224A3073
SHA2-224A3074
SHA2-224A3078
SHA2-224A3087
SHA2-224A3088
SHA2-224A3089
SHA2-224A3090
SHA2-224A3116
SHA2-224A3117
SHA2-224A3118
SHA2-224A3119
SHA2-224A3125
SHA2-224A3131
SHA2-224A3132
SHA2-256A3043
SHA2-256A3044
SHA2-256A3045
SHA2-256A3071
SHA2-256A3072
SHA2-256A3073
SHA2-256A3074
SHA2-256A3078
SHA2-256A3087
SHA2-256A3088
SHA2-256A3089
SHA2-256A3090
SHA2-256A3116
SHA2-256A3117
SHA2-256A3118
SHA2-256A3119
SHA2-256A3125
SHA2-256A3131
SHA2-256A3132
SHA2-384A3043
SHA2-384A3044
SHA2-384A3045
SHA2-384A3071
SHA2-384A3072
SHA2-384A3073
SHA2-384A3078
SHA2-384A3088
SHA2-384A3089
SHA2-384A3090
SHA2-384A3116
SHA2-384A3117
SHA2-384A3118
SHA2-384A3127
SHA2-384A3132
SHA2-512A3043
SHA2-512A3044
SHA2-512A3045
SHA2-512A3071
SHA2-512A3072
SHA2-512A3073
SHA2-512A3078
SHA2-512A3088
SHA2-512A3089
SHA2-512A3090
SHA2-512A3116
SHA2-512A3117
SHA2-512A3118
SHA2-512A3127
SHA2-512A3132
SHA3-224A3047
SHA3-224A3085
SHA3-224A3092
SHA3-224A3126
SHA3-256A3047
SHA3-256A3085
SHA3-256A3092
SHA3-256A3126
SHA3-384A3047
SHA3-384A3085
SHA3-384A3092
SHA3-384A3126
SHA3-512A3047
SHA3-512A3085
SHA3-512A3092
SHA3-512A3126

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module version 3.3 and 3.4 Version 1.3 Last update: 2024-07-03 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com © 2024 SUSE, LLC / atsec information security.

Page 2

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

1 Table of Contents

2.1 2.2 2.2.1 2.2.2 2.3 2.4 2.4.1 2.4.2 2.5 2.6 2.6.1 2.6.2 2.6.3 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No 2.6.4 4.1 4.2 4.3 4.3.1 4.3.2 4.3.3 5.1 5.2 5.3 6.1 6.2 6.3 © 2024 SUSE, LLC / atsec information security.

2 of 48
Page 3

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 9.1 9.2 9.3 9.4 9.5 9.6 9.7 10.1 10.2 10.2.1 10.3 10.4 11.1 11.1.1 11.1.2 11.1.3 11.2 11.2.1 11.2.2 11.2.3 11.2.4 11.2.5 © 2024 SUSE, LLC / atsec information security.

3 of 48
Page 4
Security level
NameISO SectionRequirementLevelISO/IEC 24759 Section 6. [Number Below]
11General11
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityN/A
88Non-invasive SecurityN/A
99Sensitive Security Parameter Management1
1010Self-tests1
1111Life-cycle Assurance1
1212Mitigation of Other AttacksN/A
ComponentsDescriptionComponents
Version 3.3Version 3.3Static kernel binary.
Version 3.3Version 3.3Integrity check HMAC value for Linux kernel static binary (HMAC file).
Version 3.3Version 3.3Cryptographic kernel object files.
ComponentsDescriptionComponents
/usr/lib64/libkcapi/fipscheck/usr/lib64/libkcapi/fipscheckIntegrity test utility (fipscheck application).
/usr/lib64/libkcapi/.fipscheck.hmac/usr/lib64/libkcapi/.fipscheck.hmacIntegrity check HMAC file for integrity test utility (HMAC file).

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module This document is the non-proprietary FIPS 140-3 Security Policy for version 3.3 and 3.4 of the SUSE Linux Enterprise Kernel Crypto API Cryptographic Module. It has a one-to-one mapping to the [SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. N/A N/A N/A Table 1 - Security Levels © 2024 SUSE, LLC / atsec information security.

4 of 48
Page 5

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

2 Cryptographic Module Specification

2.1 Module Embodiment The SUSE Linux Enterprise Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module. 2.2 Module Design, Components, versions The software block diagram below shows the cryptographic boundary of the module, and its interfaces with the operational environment. Figure 1 - Cryptographic Boundary 2.2.1 Module Name and Module Version Mapping The output of “uname -r” command will return the module identifier and version number. This command returns either "5.14.21-150400.24.46-default" that maps to module version 3.3 or "5.14.21-150400.15.11-rt" that maps to module version 3.4. 2.2.2 Module Components Table 2 lists the software components of the cryptographic module, which defines its cryptographic boundary. © 2024 SUSE, LLC / atsec information security.

5 of 48
Page 6

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.

6 of 48
Page 7
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa Pai#
1SUSE Linux Enterprise Server 15 SP4Supermicro Super Server SYS-6019P-WTR3.3 and 3.4Intel® Xeon® Silver 4215RWith and without AES-NI (PAA)1
2SUSE Linux Enterprise Server 15 SP4GIGABYTE R181- Z90-003.3 and 3.4AMD EPYCTM 7371With and without AES-NI (PAA)2
3SUSE Linux Enterprise Server 15 SP4GIGABYTE G242-P32-QZ3.3ARM Ampere® Altra®Q80-30With and without Cryptography Extensions (PAA)3
4SUSE Linux Enterprise Server 15 SP4IBM z/153.3z15With and without CPACF (PAI)4
5SUSE Linux Enterprise Server 15 SP4 on PowerVM (VIOS 3.1.4.00)IBM Power E1080 (9080- HEX)3.3Power10With and without ISA (PAA)5

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 2

7 of 48
Page 8

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.

8 of 48
Page 9
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1SUSE Linux Enterprise Server 15SP4IBM LinuxONE III LT1z15With and without CPACF (PAI)1
2SUSE Linux Enterprise Micro 5.3Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)2
3SUSE Linux Enterprise Micro 5.3GIGABYTE R181-Z90-00AMD EPYCTM 7371With and without AES-NI (PAA)3
4SUSE Linux Enterprise Micro 5.3GIGABYTE G242-P32-QZARM Ampere® Altra® Q80-30With and without Cryptography Extensions (PAA)4
5SUSE Linux Enterprise Micro 5.3IBM z/15z15With and without CPACF (PAI)5
6SUSE Linux Enterprise Micro 5.3IBM LinuxONE III LT1z15With and without CPACF (PAI)6
7SUSE Linux Enterprise Server for SAP 15SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)7
8SUSE Linux Enterprise Server for SAP 15SP4GIGABYTE R181-Z90-00AMD EPYCTM 7371With and without AES-NI (PAA)8
9SUSE Linux Enterprise Server for SAP 15SP4 on PowerVM (VIOS 3.1.4.00)IBM Power E1080 (9080- HEX)Power10With and without ISA (PAA)9
10SUSE Linux Enterprise Desktop 15SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)10
11SUSE Linux Enterprise Desktop 15SP4GIGABYTE R181-Z90-00AMD EPYCTM 7371With and without AES-NI (PAA)11
1SUSE Linux Enterprise Micro 5.3Supermicro Super ServerIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)1

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 2.4.1 Version 3.3 Vendor Affirmed Operational Environments # 5.3 SYS-6019PWTR 5.3 5.3 5.3 5.3 SYS-6019PWTR E1080 (9080HEX) SYS-6019PWTR Table 4 - Vendor Affirmed Operational Environments for version 3.3 2.4.2 Version 3.4 Vendor Affirmed Operational Environments # © 2024 SUSE, LLC / atsec information security.

9 of 48
Page 10
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
2SUSE Linux Enterprise Micro 5.3GIGABYTE R181-Z90-00AMD EPYCTM 7371With and without AES-NI (PAA)2
3SUSE Linux Enterprise Real Time 15SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)3
4SUSE Linux Enterprise Real Time 15SP4GIGABYTE R181-Z90-00AMD EPYCTM 7371With and without AES-NI (PAA)4
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AESVersion 3.3:CBC128, 192, 256-bitSymmetric encryption; Symmetric decryption
FIPS197,A3045, A3053,keys with 128-256
SP800-38AA3061, A3064,bits of security
A3075, A3078,A3075, A3078,strength
AESVersion 3.3:CBC-CS3128, 192, 256-bitSymmetric encryption; Symmetric decryption
SP800-38A-A3050, A3059,keys with 128-256
addendumA3070, A3084,bits of security
A3128A3128strength
AESVersion 3.3:CCM128, 192, 256-bitSymmetric encryption; Symmetric decryption
SP800-38CA3045, A3053,keys with 128-256
A3064, A3075,A3064, A3075,bits of security
A3078, A3125,A3078, A3125,strength
AESVersion 3.3:CFB128128, 192, 256-bitSymmetric encryption; Symmetric decryption
FIPS197,A3048, A3057,keys with 128-256
SP800-38AA3068, A3082,bits of security
A3128A3128strength
AESVersion 3.3:CMAC128, 192, 256-bitMessage authentication code (MAC)
SP800-38BA3045, A3053,keys with 128-256
A3064, A3075,A3064, A3075,bits of security
A3078, A3125,A3078, A3125,strength
AESVersion 3.3:CTR128, 192, 256-bitSymmetric encryption; Symmetric decryption
FIPS197,A3045, A3053,keys with 128-256
SP800-38AA3061, A3064,bits of security
A3075, A3078,A3075, A3078,strength
AESVersion 3.3:ECB128, 192, 256-bitSymmetric encryption; Symmetric decryption
FIPS197,A3043, A3044,keys with 128-256
SP800-38AA3045, A3051,bits of security
A3052, A3053,A3052, A3053,strength
AESVersion 3.3:GCM with external IV128, 192, 256-bitSymmetric decryption
SP800-38DA3045, A3053,keys with 128-256
A3061, A3064,A3061, A3064,bits of security
A3075, A3078,A3075, A3078,strength
AESVersion 3.3:GCM with internal IV128, 192, 256-bitSymmetric encryption
SP800-38DA3051, A3055,(RFC4106)keys with 128-256
RFC4106A3062, A3065,(IV Gen Mode 8.2.1)bits of security
A3076, A3079,A3076, A3079,strength
AESVersion 3.3:GCM with external IV128, 192, 256-bitSymmetric decryption
SP800-38DA3052, A3056,(RFC4106)keys with 128-256
RFC4106A3063, A3066,bits of security
A3077, A3080,A3077, A3080,strength
AESVersion 3.3:KW128, 192, 256-bitKey wrapping; Key unwrapping
SP800-38FA3046, A3054,keys with 128-256
A3067, A3081,A3067, A3081,bits of security
A3128A3128strength
AESVersion 3.3:OFB128, 192, 256-bitSymmetric encryption; Symmetric decryption
SP800-38AA3049, A3058,keys with 128-256
A3069, A3083,A3069, A3083,bits of security
A3128A3128strength
AESVersion 3.3:XTS128, 256-bit keysSymmetric encryption and Symmetric decryption (for data storage)
SP800-38EA3045, A3053,with 128 and 256-
A3061, A3064,A3061, A3064,bits of security
A3075, A3078,A3075, A3078,strength
CKG SP800-VendorFIPS 186-4EC: P-256, P384Key generation
133rev2Affirmedkeys with 128 and
DRBGVersion 3.3:CTR_DRBG:128, 192, 256-bitDeterministic random bit generation
SP800-A3043, A3044,AES-128, AES-192,keys with 128,
90Arev1A3045, A3051,AES-256 with DF,192 and 256 bits
A3052, A3053,A3052, A3053,with/without PRof security
A3055, A3056,A3055, A3056,strength
Version 3.3:Version 3.3:Hash_DRBG:N/A
A3043, A3044,A3043, A3044,SHA-1, SHA2-256,
A3045, A3051,A3045, A3051,SHA2-384, SHA2-512
A3052, A3053,A3052, A3053,with/without PR
A3055, A3056,A3055, A3056,HMAC_DRBG:³ 112-bit keys
SHA-1, SHA2-256,SHA-1, SHA2-256,with 112-256 bits
SHA2-384, SHA2-512SHA2-384, SHA2-512of security
with/without PRwith/without PRstrength
ECDSAVersion 3.3:B.4.2 TestingP-256, P-384 keysEC Diffie-Hellman key generation
FIPS186-4A3044candidateswith 128 and 192
Version 3.4:Version 3.4:bits of security
A3089A3089strength
ESVVersion 3.3:CPU Jitter SourceN/ARandom number
SP800-90BE19generation
HMACVersion 3.3:SHA-1³ 112-bit keysMessage
FIPS198-1A3086with 112-256 bitsauthentication code
Version 3.3:Version 3.3:SHA-1, SHA2-224,of security(MAC)
A3074, A3087,A3074, A3087,SHA2-256
Version 3.3:Version 3.3:SHA-1, SHA2-224,
A3043, A3044,A3043, A3044,SHA2-256, SHA2-384,
A3045, A3071,A3045, A3071,SHA2-512
Version 3.3:Version 3.3:SHA2-224, SHA2-256
Version 3.3Version 3.3SHA2-224, SHA2-256,
A3132A3132SHA2-384, SHA2-512
Version 3.3Version 3.3SHA2-384, SHA2-512
Version 3.3:Version 3.3:SHA3-224, SHA3-256,
A3047, A3085,A3047, A3085,SHA3-384, SHA3-512
KAS ECC-Version 3.3:Ephemeral unifiedP-256, P-384 keysEC Diffie-Hellman
SSCA3044with 128 and 192shared secret
SP800-Version 3.4:bits of securitycomputation
56Arev3strength
KAS FCC-Version 3.3:dhEphem with safe2048, 3072, 4096,Diffie-Hellman shared
SSCA3043prime groups6144, 8192-bitsecret computation
SP800-Version 3.4:keys with 112-200
56Arev3A3088bits of security
IG D.F 2 (1)strength
KTSVersion 3.3:AES-CCM128, 192, 256-bitKey Wrapping and Unwrapping
SP800-38FA3045, A3053,keys with 128,
A3064, A3075,A3064, A3075,192 and 256 bits
A3078, A3125,A3078, A3125,of security
A3128A3128strength
Version 3.3:Version 3.3:AES-GCM128, 192, 256-bit
Version 3.3:Version 3.3:AES-KW128, 192, 256-bit
A3046, A3054,A3046, A3054,keys with 128-256
A3067, A3081,A3067, A3081,bits of security
A3128A3128strength
KTS(AES)AES-CBC and HMAC-128, 256-bit keys
SP800-38FVersion 3.3:SHA-1 or HMAC-SHA2with 128, 256 bits
FIPS140-3A3045, A3053,of security
IG D.GA3061, A3064,strength
RSAVersion 3.3:PKCS#1v1.5:2048, 3072, 4096-Integrity test using
FIPS186-4A3045, A3071,SHA-1, SHA2-224,bit keys with 112-digital signature
A3072, A3073,A3072, A3073,SHA2-256, SHA2-384,149 bits ofverification
A3078A3078SHA2-512security strength
Version 3.4:Version 3.4:(usage of SHA-1 is
A3117, A3118A3117, A3118Use)
Safe PrimesVersion 3.3:Safe Prime Groups:2048, 3072, 4096,Diffie-Hellman shared
ffdhe8192,ffdhe8192,bits of security
MODP-2048, MODP-MODP-2048, MODP-strength
SHA-3Version 3.3:SHA3-224, SHA3-256,N/AMessage Digest
FIPS202A3047, A3085,SHA3-384, SHA3-512
SHSVersion 3.3:SHA-1N/AMessage digest
FIPS180-4A3086
Version 3.3:Version 3.3:SHA-1, SHA2-224,
A3074, A3087,A3074, A3087,SHA2-256
Version 3.3:Version 3.3:SHA-1, SHA2-224,
A3043, A3044,A3043, A3044,SHA2-256, SHA2-384,
A3045, A3071,A3045, A3071,SHA2-512
Version 3.3:Version 3.3:SHA2-224, SHA2-256
Version 3.3Version 3.3SHA2-224, SHA2-256,
A3132A3132SHA2-384, SHA2-512
Version 3.3Version 3.3SHA2-384, SHA2-512

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module # SYS-6019PWTR SYS-6019PWTR Table 5 - Vendor Affirmed Operational Environments for version 3.4 2.5 Modes of Operation of the Module After following the instructions for installation and configuration provided in section 11 the module is pre-configured to be operating in the Approved mode. When the module starts up successfully, after passing all the pre-operational self-test and conditional cryptographic algorithm self-tests (CASTs), the module is operating in the Approved mode of operation. Please see section 4 for the details on service indicator provided by the module that identifies when an approved service is called. If any service from the non-approved services list is called, the module transitions to nonapproved mode automatically. 2.6 Security Functions 2.6.1 Approved Algorithms Table 6 below lists all security functions of the module, including specific key strengths employed for approved services. © 2024 SUSE, LLC / atsec information security.

10 of 48
Page 11

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.

11 of 48
Page 12

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.

12 of 48
Page 13

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.

13 of 48
Page 14

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A © 2024 SUSE, LLC / atsec information security.

14 of 48
Page 15

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A KAS ECCSSC SP80056Arev3 KAS FCCSSC SP80056Arev3 © 2024 SUSE, LLC / atsec information security.

15 of 48
Page 16

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.

16 of 48
Page 17

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A N/A © 2024 SUSE, LLC / atsec information security.

17 of 48
Page 18

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 6 - Approved Algorithms 2.6.2 Non-Approved Algorithms Allowed in the Approved Mode of Operation The module does not implement non-approved algorithms allowed in the approved mode of operation. 2.6.3 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed The module does not implement non-approved algorithms allowed in the approved mode of operation with no security claimed.. 2.6.4 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Table 7 lists non-approved algorithms that are not allowed in the approved mode of operation. These algorithms are used by the non-approved services listed in Table 11. Algorithm/Functions Use/Function AES-GCM with external IV Symmetric encryption AES-GMAC Message authentication code (MAC) © 2024 SUSE, LLC / atsec information security.

18 of 48
Page 19
Approved algorithm
NameUse Function
RSARSA encryption primitive; RSA decryption primitive; RSA signature generation primitive; RSA signature verification primitive
ECDSAECDSA signature verification primitive

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 7 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation © 2024 SUSE, LLC / atsec information security.

19 of 48
Page 20
Ports and interfaces
NamePhysical PortLogical Interface
Data InputAPI data input parameters from kernel system calls, kernel command lineData Input
Data OutputAPI output parameters from kernel system callsData Output
Control InputAPI function calls, API control input parameters from kernel system calls, kernel command lineControl Input
Status OutputAPI return values, kernel logsStatus Output

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

3 Cryptographic Module Ports and Interfaces

As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. All data output via data output interface is inhibited when the module is performing preoperational test or zeroization or when the module enters error state. Table 8 - Ports and Interfaces

1 The control output interface is omitted on purpose because the module does not implement it.

© 2024 SUSE, LLC / atsec information security.

20 of 48
Page 21
Service
NameRolesInputOutput
Symmetric encryptionCrypto Officer (CO)Key, plaintextCiphertext
Symmetric decryptionKey, ciphertextPlaintext
Random number generationNumber of bitsRandom number
Message digestMessageDigest of the message
Message authentication code (MAC)Message, keyMessage authentication code
Encrypt-then-MAC operationMessage, AES Key, HMAC keyAuthenticated message
RSA encryption primitiveKey, plaintextCiphertext
RSA decryption primitiveKey, ciphertextPlaintext
RSA signature generation primitiveKey, hashed messageSignature
RSA signature verification primitiveKey, signatureHashed message
Key wrappingKey wrapping key, key to be wrappedWrapped key
Key unwrappingWrapped key, key unwrapping keyUnwrapped key
EC Diffie-Hellman shared secret computationPrivate key, public key from peerShared secret
Diffie-Hellman shared secret computationPrivate key, public key from peerShared secret
EC Diffie-Hellman key generationDomain parametersGenerated key
Diffie-Hellman key generation using safe primesDomain parametersGenerated key
Error detection codeNoneCode
Data compressionData to compressCompressed data
Memory copy operationSource, destination, offset, amountReturn codes and/or log messages
Show statusNoneReturn codes and/or log messages
Self-testsNoneReturn codes and/or log
Digital signature verificationMessage, hash algorithm, public keyVerification result
ECDSA digital signature verification primitiveKey, signatureHashed message
Module installation and configurationConfiguration parametersReturn codes and/or log
Module initializationNoneNone
Show module name and versionNoneName and version information

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

4 Roles, services, and authentication

4.1 Roles The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service. The module does not support authentication. © 2024 SUSE, LLC / atsec information security.

21 of 48
Page 22

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 9 - Roles, Service Commands, Input and Output 4.2 Authentication The module does not support authentication. 4.3 Services The module provides services to the users that assume one of the available roles. All services are shown in Table 10 and Table 11. 4.3.1 Service Indicator The module provides an approved service indicator as specified in the “Indicator” column in Table 10. 4.3.2 Approved Services Table 10 lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). No support of intermediate key generation is provided. The following convention is used to specify access rights to a CSP:

22 of 48
Page 23
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Symmetric encryption; Symmetric decryptionPerform AES encryption and decryptionCOAES keyAES-CBC, AES-CBS-CS3, AES-CFB128, AES-CTR, AES-ECB, AES-OFB, AES-XTSW, Ecrypto_skcipher_setkey
AES-CCMAES-CCMcrypto_aead_setkey returns 0
AES-GCMAES-GCMcrypto_tfm_get_flags has the CRYPTO_TFM_FIPS_COMP LIANCE flag set
Random number generationGenerate random numbersEntropy inputDRBGW, Ecrypto_rng_get_bytes
DRBG seed, DRBG internal stateDRBG seed, DRBG internal stateG, E
Message digestCompute SHA hashesNoneSHA-1, SHA2, SHA3N/Acrypto_shash_init returns 0
Message authenticatio n code (MAC)Compute HMACHMAC keyHMACW, Ecrypto_shash_init returns
Compute AES- based CMACCompute AES- based CMACAES keyCMAC with AESW, Ecrypto_cmac_digest_init
Encrypt- then-MAC operationPerform AES encryption then compute MACAES key, HMAC keyAES-CBC, HMAC- [SHA- 1, SHA2]W, Ecrypto_shash_init returns
Key wrappingPerform AES- based key wrappingAES keyAES-KW, AES- CCM, AES- GCMW, Ecrypto_skcipher_setkey
Perform AES- based key wrapping and HMACPerform AES- based key wrapping and HMACAES key, HMAC keyAES-CBC and HMACW, Ecrypto_skcipher_setkey
Key unwrappingPerform AES- based key unwrappingAES keyAES-KW, AES- CCM, AES- GCMW, Ecrypto_skcipher_setkey returns 0
Perform AES- based key unwrapping and HMACPerform AES- based key unwrapping and HMACAES key, HMAC keyAES-CBC and HMACW, Ecrypto_skcipher_setkey returns 0; crypto_shash_init returns 0
EC Diffie- Hellman shared secret computationPerform ECDH shared secret computationEC Diffie- Hellman public, EC Diffie- Hellman private keyEC Diffie- HellmanW, Ecrypto_kpp_compute_sh ared_secret returns 0
EC Diffie- Hellman shared secretEC Diffie- Hellman shared secretG, R
Key generation for EC Diffie- Hellman shared secret computation2Perform ECDH key generationModule- generated EC Diffie-Hellman public key, Module- generated EC Diffie-Hellman private keyGeneration per Section 5.6.1.2 of SP800- 56Arev3 exclusively for EC Diffie- HellmanE, G, Rcrypto_kpp_set_secret and crypto_kpp_generate_pu blic_key return 0
Diffie- Hellman shared secret computationPerform DH shared secret computationDiffie-Hellman public key, Diffie-Hellman private keyDiffie- HellmanW, Ecrypto_kpp_compute_sh ared_secret returns 0
Diffie-Hellman shared secretDiffie-Hellman shared secretG, R
Diffie- Hellman key generation using safe primesPerform DH key generationModule- generated Diffie-Hellman public key, Module- generated private keyGeneration per Section 5.6.1.1 of SP800- 56Arev3 exclusively for Diffie- HellmanE, G, Rcrypto_kpp_set_secret and crypto_kpp_generate_pu blic_key return 0
Error detection codeDetect, report, correct memory errors with crc32c3, 3 crct10difCONoneN/AN/AImplicit (always approved)
Data compressionCompress data with deflate3 , lz43, lz4hc3, lzo3, zlib3, 8423NoneN/AN/AImplicit (always approved)
Memory copy operationCopy memoryNoneN/AN/AImplicit (always approved)
Show statusShow module statusNoneN/AN/AImplicit (always approved)
On-Demand Self-testsPerform self- tests on demandNoneAES, CMAC, SHS, SHA-3, HMAC, DRBG, EC Diffie- Hellman, Diffie- Hellman, RSA, DRBGN/AImplicit (always approved)
Module installation and configurationInstall and configure moduleNoneN/AN/AImplicit (always approved)
Module initializationInitialize moduleNoneN/AN/AImplicit (always approved)
Show statusShow module statusNoneN/AN/AImplicit (always approved)
Show module name and versionShow module name and versionNoneN/AN/AImplicit (always approved)
Symmetric encryptionPerform AES-GCM encryption using external IVCOAES
Message authentication code (MAC)Perform message authentication code (MAC) using AES-GMAC
RSA encryption primitiveCompute RSA cipherRSA
RSA decryption primitiveCompute plaintext from RSA cipher
RSA signature generation primitiveSign using RSA
RSA signature verification primitiveVerify RSA-based signatures

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module W, E N/A W, E W, E W, E W, E G, E Encryptthen-MAC CCM, AESGCM W, E W, E CCM, AESGCM W, E W, E © 2024 SUSE, LLC / atsec information security.

23 of 48
Page 24

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module EC DiffieHellman EC DiffieHellman W, E G, R SP80056Arev3 Modulegenerated EC Modulegenerated EC E, G, R DiffiePerform DH DiffieHellman W, E G, R Modulegenerated Modulegenerated E, G, R N/A N/A DiffieHellman key SP80056Arev3 for DiffieHellman N/A

2 The module performs a pairwise consistency test for EC Diffie-Hellman as outlined in section

5.6.2.1.4 of SP 800-56Arev3. This key generation service is for exclusive use of the EC DiffieHellman shared secret computation service.

3 This algorithm does not provide any cryptographic attribute, i.e., its purpose in the module is not

security relevant © 2024 SUSE, LLC / atsec information security.

24 of 48
Page 25
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Memory copy operationCopy memoryNoneN/AN/AImplicit (always approved)
Show statusShow module statusNoneN/AN/AImplicit (always approved)
On-Demand Self-testsPerform self- tests on demandNoneAES, CMAC, SHS, SHA-3, HMAC, DRBG, EC Diffie- Hellman, Diffie- Hellman, RSA, DRBGN/AImplicit (always approved)
Module installation and configurationInstall and configure moduleNoneN/AN/AImplicit (always approved)
Module initializationInitialize moduleNoneN/AN/AImplicit (always approved)
Show statusShow module statusNoneN/AN/AImplicit (always approved)
Show module name and versionShow module name and versionNoneN/AN/AImplicit (always approved)
Symmetric encryptionPerform AES-GCM encryption using external IVCOAES
Message authentication code (MAC)Perform message authentication code (MAC) using AES-GMAC
RSA encryption primitiveCompute RSA cipherRSA
RSA decryption primitiveCompute plaintext from RSA cipher
RSA signature generation primitiveSign using RSA
RSA signature verification primitiveVerify RSA-based signatures
ECDSA signature verification primitiveVerify ECDSA-based signaturesECDSA

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A N/A N/A N/A EC DiffieHellman, DiffieHellman, N/A N/A N/A N/A N/A N/A N/A Z N/A N/A Table 10 - Approved Services 4.3.3 Table 11 lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-approved mode can be found in Table 7. © 2024 SUSE, LLC / atsec information security.

25 of 48
Page 26

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 11 - Non-Approved Services © 2024 SUSE, LLC / atsec information security.

26 of 48
Page 27

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

5 Software/Firmware security

5.1 Integrity Techniques The module uses the HMAC-SHA2-256 algorithm for the integrity test of the static kernel binary and the fipscheck application. The HMAC calculation is performed by the fipscheck application itself. Additionally, the module uses RSA signature verification with a SHA2-256 message digest and a 2048-bit key for the integrity test of each of the kernel object files loaded during boot-up time. If the integrity values do not match the expected values, the test fails, and the module enters the error state. 5.2 On-Demand Integrity Test Integrity tests are performed as part of the Pre-Operational Self-Tests. The module provides the Self-Test service to perform self-tests on demand. This service performs the same cryptographic algorithm tests executed during power-up. Pre-Operational Self-Tests can also be invoked by calling the kernel_restart() which effectively powers off the module and then reloads the module. During the execution of the on-demand self-tests, services are not available, and no data output or input is possible. 5.3 Executable Code The module consists of executable code in the form of the files listed in Table 2. © 2024 SUSE, LLC / atsec information security.

27 of 48
Page 28

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

6 Operational Environment

6.1 Applicability This module operates in a modifiable operational environment per the FIPS 140-3 level 1 specifications. The SUSE Linux Enterprise Server operating system is used as the basis of other products. Compliance is maintained for SUSE products whenever the binary is found unchanged per the vendor affirmation from SUSE based on the allowance FIPS 140-3 management manual [FIPS140-3_MM] section 7.9.1 bullet 1 a i). Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when supported if the specific operational environment is not listed on the validation certificate. 6.2 Policy Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment. 6.3 Requirements The module shall be installed as stated in section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. © 2024 SUSE, LLC / atsec information security.

28 of 48
Page 29

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

7 Physical Security

The module is comprised of software only, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.

29 of 48
Page 30

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

8 Non-invasive Security

This module does not implement any non-invasive security mechanism, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.

30 of 48
Page 31
Sensitive security parameter
NameStrengthGenerationEstablishmentZeroizationUseImport ExportSecurityStora
Name/TypmentrelatedtFunction andge
ekeysCert. Number
AES key128, 192, 256N/AN/AZeroized when freeing the cipher handlerUse: Symmetric encryption; Symmetric decryption; Message authenticati on code (MAC) Related keys: N/AImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AAES-CBC, AES- CBC-CS3, AES- CFB128, AES- CMAC, AES-CTR, AES-ECB, AES- CCM, AES-CMAC, AES-GCM, AES- KW, AES-OFB, AES-XTS, CTR_DRBG A3043, A3044, A3045, A3049, A3050, A3051, A3052, A3053, A3054, A3055, A3056, A3057, A3058, A3059, A3061, A3062, A3063, A3064, A3065, A3066, A3068, A3069, A3070, A3075, A3076, A3077, A3078, A3079, A3080, A3082, A3083, A3084, A3088, A3089, A3090, A3093, A3094, A3095, A3096, A3097, A3098, A3099, A3100, A3101, A3102, A3103, A3104, A3106, A3107, A3108, A3109, A3110, A3111, A3113, A3115, A3125, A3128, A3129, A3130, A3131RAM
HMAC key112 to 256N/AN/AZeroized when freeing the cipher handlerUse: Message authenticati on code (MAC) Related keys: N/AImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AHMAC A3043, A3044, A3045, A3047, A3071, A3072, A3073, A3074, A3078, A3085, A3086, A3087, A3088, A3089, A3090, A3092, A3116, A3117, A3118, A3119, A3125, A3126, A3127, A3131, A3132RAM
Name/TypmentrelatedtFunction andge
ekeysCert. Number
Entropy input IG D.L compliant192 to 384Obtained from the SP800-90B entropy sourceN/AZeroized when freeing the cipher handlerUse: Random number generation Related keys: DRBG seedImport/Expor t: N/A; it remains within the cryptographic boundary.ESV E19, E20RAM
DRBG seed IG D.L compliant192 to 384Derived from the entropy input as defined in SP800-90Arev1N/AZeroized when freeing the cipher handlerUse: Random number generation Related keys: Entropy input, DRBG internal stateImport/Expor t: N/A; it remains within the cryptographic boundary.CTR_DRBG A3043, A3044, A3045, A3051, A3052, A3053, A3055, A3056, A3061, A3062, A3063, A3064, A3065, A3066, A3075, A3076, A3077, A3078, A3079, A3080, A3088, A3089, A3090, A3096, A3097, A3098, A3100, A3101, A3106, A3107, A3108, A3109, A3110, A3111, A3128, A3129, A3130 Hash_DRBG, HMAC_DRBG A3043, A3044, A3045, A3051, A3052, A3053, A3055, A3056, A3061, A3062, A3063, A3064, A3065, A3066, A3071, A3072, A3073, A3076, A3077, A3078, A3079, A3080, A3088, A3089, A3090, A3096, A3097, A3098, A3100, A3101, A3106, A3107, A3108, A3109, A3110, A3111, A3116, A3117, A3118, A3129, A3130RAM
DRBG internal state (V, C or key) IG D.L compliant128 to 256Computed as defined in SP800-90Arev1N/AZeroized when freeing the cipher handlerUse: Random number generation Related keys: DRBG seedImport/Expor t: N/A; it remains within the cryptographic boundaryRAM
Module- generated EC Diffie- Hellman public key128, 192Generated using the FIPS 186-4 key generation method, random values are obtained from the SP800 90Arev1 DRBGN/AZeroized when freeing the cipher handlerUse: EC Diffie- Hellman key generation Related keys: Module- generated EC Diffie- Hellman private keyImport: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format.KAS ECC-SSC A3044, A3089RAM
Name/TypmentrelatedtFunction andge
ekeysCert. Number
Module- generated EC Diffie- Hellman private key128, 192Generated using the FIPS 186-4 key generation method, random values are obtained from the SP800 90Arev1 DRBGN/AZeroized when freeing the cipher handlerUse: EC Diffie- Hellman key generation, EC Diffie- Hellman shared secret computatio n Related keys: Module- generated EC Diffie- Hellman pubilc keyImport: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format.KAS ECC-SSC A3044, A3089RAM
EC Diffie- Hellman public key128, 192N/AN/AZeroized when freeing the cipher handlerUse: EC Diffie- Hellman shared secret computatio n Related keys: EC Diffie- Hellman shared secretImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AKAS ECC-SSC A3044, A3089RAM
EC Diffie- Hellman private key128, 192N/AN/AZeroized when freeing the cipher handlerUse: EC Diffie- Hellman shared secret computatio n Related keys: EC Diffie- Hellman shared secretImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AKAS ECC-SSC A3044, A3089RAM
Module- generated Diffie- Hellman public key128 to 200Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG.N/AZeroized when freeing the cipher handlerUse: Key generation Related keys: Module- generated Diffie- Hellman shared secretImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AKAS FFC-SSC A3043, A3088RAM
Name/TypmentrelatedtFunction andge
ekeysCert. Number
Module- generated Diffie- Hellman private key128 to 200Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG.N/AZeroized when freeing the cipher handlerUse: Key generation Related keys: Module- generated Diffie- Hellman shared secretImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AKAS FFC-SSC A3043, A3088RAM
Diffie- Hellman public key128 to 200Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG.N/AZeroized when freeing the cipher handlerUse: Diffie- Hellman shared secret computatio n Related keys: Diffie- Hellman shared secretImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AKAS FFC-SSC A3043, A3088RAM
Diffie- Hellman private key128 to 200Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG.N/AZeroized when freeing the cipher handlerUse: Diffie- Hellman shared secret computatio n Related keys: Diffie- Hellman shared secretImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/AKAS FFC-SSC A3043, A3088RAM
EC Diffie- Hellman Shared secret112 to 200N/AComputed during the EC Diffie Hellman shared secret computati on according to SP 800- 56Arev3.Zeroized when freeing the cipher handlerUse: EC Diffie- Hellman shared secret computatio n Related keys: EC Diffie- Hellman public key, EC Diffie-Import: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format.KAS ECC-SSC A3044, A3089RAM
Name/TypmentrelatedtFunction andge
ekeysCert. Number
Diffie- Hellman Shared secret112 to 200N/AComputed during the Diffie Hellman shared secret computati on according to SP 800- 56Arev3.Zeroized when freeing the cipher handlerUse: Diffie- Hellman shared secret computatio n Related keys: Diffie- Hellman public key, Diffie- Hellman private keyImport: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format.KAS FFC-SSC A3043, A3088RAM

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

9 Sensitive Security Parameter Management

Table 12 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic e N/A t N/A N/A © 2024 SUSE, LLC / atsec information security.

31 of 48
Page 32

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e t N/A Modulegenerated EC DiffieHellman DiffieHellman Modulegenerated EC DiffieHellman © 2024 SUSE, LLC / atsec information security.

32 of 48
Page 33

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e Modulegenerated EC DiffieHellman N/A t DiffieHellman EC DiffieHellman n Modulegenerated EC DiffieHellman EC DiffieHellman N/A N/A DiffieHellman EC DiffieHellman N/A N/A N/A DiffieHellman n DiffieHellman Modulegenerated DiffieHellman DiffieHellman n Modulegenerated DiffieHellman © 2024 SUSE, LLC / atsec information security.

33 of 48
Page 34

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e Modulegenerated DiffieHellman DiffieHellman DiffieHellman EC DiffieHellman t N/A N/A N/A N/A Use: DiffieHellman n Modulegenerated DiffieHellman DiffieHellman Use: DiffieHellman n DiffieHellman DiffieHellman n DiffieHellman © 2024 SUSE, LLC / atsec information security.

34 of 48
Page 35
Approved algorithm
NameKey Size
DetailsEntropy SourcesMinimum number of bits of
The CPU jitter is used as a SP800-90B- compliant entropy source.At least 256 bits of entropy in the 384-bit outputESV certs. version 3.3: E19 version 3.4: E20

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e t DiffieHellman N/A Use: DiffieHellman n DiffieHellman DiffieHellman Table 12 - SSPs 9.1 The module employs the Deterministic Random Bit Generator (DRBG) based on [SP800-90Arev1] for the random number generation. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The module performs the DRBG health tests as defined in section 11.3 of The entropy source is tested with RCT and APT Health tests as required by section 4 of [SP 80090B]. The DRBG is seeded with (DRBG_security_strength * 1.5) bits of random data from the CPU initialization (seed) and reseeding, the entropy source provides the required amount of entropy to meet the security strength of the respective DRBG methods. The module uses the entropy source specified in Table 13. Table 13 - Non-Deterministic Random Number Generation Specification 9.2 generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4], [SP800-56Arev3] and section 4 and 5.1 of [SP800-133rev2]. The random value used in asymmetric key generation is directly obtained from the [SP800-90Arev1] DRBG. This key generation method is used exclusively by the EC Diffie-Hellman algorithm and provides support for compliant with [SP 800-56Arev3] and generates keys using safe primes defined in RFC7919 and RFC3526. In accordance with FIPS140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys per SP800-133rev2 section 4 and 5 (vendor affirmed). © 2024 SUSE, LLC / atsec information security.

35 of 48
Page 36

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 9.3 Key Agreement The module provides Diffie-Hellman and EC Diffie-Hellman shared secret computation compliant with [SP800- 56Arev3] in accordance with scenario 2 (1) of IG D.F, CAVP-tested compliance with the derivation of a shared secret Z for Diffie-Hellman and EC Diffie-Hellman (section 6 of SP 80056Arev3).

36 of 48
Page 37
AlgorithmConditionTest
AESPower upKATs for AES in ECB, CBC, CTR, GCM, CCM and XTS modes using 128- 192- and 256-bit key size; encryption and decryption are performed separately.
CMACPower upKATs AES CMAC with 128-, 192- and 256-bits keys, MAC generation.
SHSPower upKATs SHA-1, SHA2-224, SHA2-256, SHA2-384 and SHA2-512.
SHA-3Power upKATs SHA3-224, SHA3-256, SHA3-384 and SHA3-512.
HMACPower upKATs HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC- SHA2-384, HMAC2-SHA-512. KATs HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC- SHA3-512.
DRBGPower upKAT CTR_DRBG with AES with 128-bit key with DF, with and without PR. KAT CTR_DRBG with AES with 192, 256-bit key with DF, without PR. KAT Hash_DRBG with SHA-256 with and without PR. KAT HMAC_DRBG with SHA-256 with and without PR. KAT HMAC_DRBG with SHA-512 without PR.

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

10 Self-tests

The module performs the pre-operational and conditional cryptographic algorithms self-tests automatically when the module is loaded into memory. These self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. While the module is executing the pre-operational and the conditional cryptographic algorithms self-tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the self-tests are completed successfully. If any of the self-tests fails, an error message is returned and the module transitions to error state.

10.1 Pre-Operational Tests

The module performs a pre-operational software integrity test automatically when the module is powered on before the module transitions into the operational state. The details on the integrity

10.2 Conditional Tests

Table 14 lists the cryptographic algorithm self-tests (CASTs). The CASTs include the KATs for the integrity mechanism that is run prior to performing the integrity test. The details of the integrity Each KAT includes comparison of the calculated output with the expected known answer, hard coded as part of the test vectors used in the test. If the values do not match, the KAT fails. After the pre-operational and conditional cryptographic algorithms self-tests succeed, a success message is recorded in the dmesg log, and the module becomes operational. © 2024 SUSE, LLC / atsec information security.

37 of 48
Page 38
AlgorithmConditionTest
EC Diffie- HellmanPower upKAT EC Diffie-Hellman primitive “Z” computation with P-256 curve.
Diffie- HellmanPower upKAT Diffie-Hellman primitive “Z” computation with MODP-2048 and ffdhe3072.
RSAPower upKAT RSA signature verification with 2048-bit key and SHA-256
DRBGPower upDRBG health tests as specified in Section 11.3 of SP 800-90Arev1.
Error StateCause of ErrorStatus Indicator
Error stateFailure of pre-operational tests or conditional tests. Failure of Entropy source Health Tests Failure of PCT tests.Kernel panic

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module EC DiffieHellman DiffieHellman Table 14

10.2.1 Pairwise Consistency Test

Conditional pair-wise consistency tests are performed during operational state of the module when the respective cryptographic functions are used. If any of the conditional Pair-Wise Consistency (PCT) tests fails, the module transitions to the error state. The module performs PCT tests for

10.3 Periodic/On-Demand Self-Test

On-demand self-tests can be invoked by powering-off and reloading the module which cause the module to run the pre-operational and conditional cryptographic algorithms self-tests. On-demand self-tests can also be invoked by calling kernel_restart() function which effectively powers off the module and then reloads the module. During the execution of the on-demand self-tests, services are not available, and no data output or input is possible.

10.4 Error States

When the module fails any pre-operational self-test or conditional test, the module will indicate an error has occurred and will enter the Error state. Any further cryptographic operation is inhibited. In the Error state, all data output is inhibited, and no cryptographic operations are allowed. The error can be recovered by a restart (i.e., powering off and powering on) of the module. The following table shows the error codes and the corresponding condition: Table 15 - Error States © 2024 SUSE, LLC / atsec information security.

38 of 48
Page 39

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

11 Life-cycle assurance
11.1 Delivery and Operation
11.1.1 Module Installation

The Crypto Officer can install the RPM packages containing the module as listed in Table 17 using the zypper tool. The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.

11.1.2 Operating Environment Configuration

The operating environment needs to be configured to support FIPS, so the following steps shall be performed with the root privilege:

  1. Install the dracut-fips RPM package: # zypper install dracut-fips
  2. Recreate the INITRAMFS image: # dracut -f
  3. After regenerating the initrd, the Crypto Officer must append the following parameter in the /etc/default/grub configuration file in the GRUB_CMDLINE_LINUX_DEFAULT line: fips=1
  4. After editing the configuration file, please run the following command to change the setting in the boot loader depending on if the system being used uses UEFI boot or legacy boot: # grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg # grub2-mkconfig -o /boot/grub2/grub.cfg If /boot or /boot/efi resides on a separate partition, the kernel parameter boot=<partition of /boot or /boot/efi> must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example: # df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 233191 30454 190296 14% /boot The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended in the aforementioned grub file: "boot=/dev/sda1"
  5. Reboot to apply these settings. Now, the operating environment is configured to support FIPS operation. The Crypto Officer should check the existence of the file /proc/sys/crypto/fips_enabled, and verify it contains a numeric value “1”. If the file does not exist or does not contain “1”, the operating environment is not configured to support FIPS and the module will not operate as a FIPS validated module properly.
11.1.3 Crypto Officer Guidance for Vendor Affirmed Operational

Environments Table 16 below includes the installation process for the Vendor Affirmed Operational Environments found in section 2.4.1 and section 2.4.2 above. © 2024 SUSE, LLC / atsec information security.

39 of 48
Page 40
Module configuration
NameProcessorPackage
ArchitectureArchitecture
x86_64x86_64dracut-fips-055+suse.252.g4988b0bf-150400.1.8.rpm kernel-default-5.14.21-150400.24.46.1.rpm kernel-rt-5.14.21-150400.15.11.1.rpm (for x86_64 processors architecture) libkcapi-tools-0.13.0-1.114.rpm
aarch64aarch64
z15z15
Power10Power10
Operating SystemProduct Link
SUSE Linux Enterprise Micro 5.3https://documentation.suse.com/sle-micro/5.3/single-html/SLE- Micro-security/#sec-fips-slemicro-install
SUSE Linux Enterprise Server for SAP 15SP4https://documentation.suse.com/sles/15-SP4/html/SLES-all/book- security.html
SUSE Linux Enterprise Desktop 15SP4https://documentation.suse.com/sled/15-SP4/html/SLED-all/book- security.html
SUSE Linux Enterprise Real Time 15SP4https://documentation.suse.com/sle-rt/15-SP4/

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 5.3 Table 16 - Installation Process for Vendor Affirmed Operational Environments Note: Per section 7.9 in the FIPS 140-3 Management Manual [FIPS140-3_MM], the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.

11.2 Crypto Officer Guidance

The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow sections 11.1.1 and 11.1.2 to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. The following RPM packages contain the FIPS validated module: Table 17

11.2.1 AES XTS

The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. Note: AES-XTS shall be used with 128 and 256-bit keys only. AES-XTS with 192-bit keys is not an Approved service.

11.2.2 AES GCM IV

In case the module's power is lost and then restored, the key used for the AES GCM encryption or decryption shall be redistributed. © 2024 SUSE, LLC / atsec information security.

40 of 48
Page 41

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module The GCM with internal IV generation in the approved mode is in compliance with RFC4106 and shall only be used in conjunction with the IPsec stack of the kernel to be compliant with IG C.H scenario 1. Any other usage of GCM encryption is considered as non-Approved. The nonce_explicit part of the IV does not exhaust the maximum number of possible values for a given session key. The design of the IPsec protocol ensures that the nonce_explicit, or counter portion, of the IV will not exhaust all of its possible values. When a GCM IV is used for decryption, the responsibility for the IV generation lies with the party that performs the AES-GCM encryption. The module merely receives the GCM IV and performs the operation. It is not responsible for generating the IV.

11.2.3 Handling Self-Test Errors

Self test failure within the kernel crypto API module will panic the kernel and the operating system will not load and/or halt immediately. Error recovery and return to operational state can be accomplished by rebooting the system. If the failure continues, the Crypto Officer must re-install the software package and make sure to follow all instructions. If the software was downloaded, the package hash value must be verified to confirm a proper download. Please contact SUSE if these steps do not resolve the problem. The kernel dumps self-test success and failure messages into the kernel message ring buffer. Post boot, the messages are moved to /var/log/messages. Use dmesg to read the contents of the kernel ring buffer. The format of the ringbuffer (dmesg) output is: alg: self-tests for %s (%s) passed Typical messages are similar to "alg: self-tests for xts(aes) (xts(aes)) passed" for each algorithm/sub-algorithm type.

11.2.4 SP 800-56Ar3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the Diffie-Hellman and Elliptic Curve Diffie-Hellman shared secret computation algorithms in the context of IETF protocols. Additionally, the module’s approved key pair generation service must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, and the partial public key validation of the peer EC public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3.

11.2.5 End of Life Procedure

As a first step for the secure sanitization, the module needs to be powered off which will erase the SSPs in the volatile memory. Then, the files listed in Table 2 must be deleted using the command “shred -zu <file_name>”. Then, for the actual deprecation, the module will be upgraded to a newer version that is approved. © 2024 SUSE, LLC / atsec information security.

41 of 48
Page 42

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module

12 Mitigation of other attacks

The module does not offer mitigation of other attacks. © 2024 SUSE, LLC / atsec information security.

42 of 48
Page 43

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Function CSP Critical Security Parameter CTR Counter Mode DF Derivation Function DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code ISA Instruction Set Architecture KAS Key Agreement Schema KAT Known Answer Test KW AES Key Wrap KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PR Prediction Resistance RNG Random Number Generator RSA Rivest, Shamir, Adleman SSC Shared Secret Computation SHA Secure Hash Algorithm SHS Secure Hash Standard © 2024 SUSE, LLC / atsec information security.

43 of 48
Page 44

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 SUSE, LLC / atsec information security.

44 of 48
Page 45

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program October 2022 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM FIPS 140-3 Cryptographic Module Validation Program - Management Manual April 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3CMVP%20Management%20Manual.pdf FIPS180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 https://www.ietf.org/rfc/rfc3394.txt © 2024 SUSE, LLC / atsec information security.

45 of 48
Page 46

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 https://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038d.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038e.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-56Arev3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf © 2024 SUSE, LLC / atsec information security.

46 of 48
Page 47

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module SP800-56B Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography March 2019 https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final SP800-56Crev2 Recommendation for Key Derivation through Extraction-thenExpansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57rev5 NIST Special Publication 800-57 Part 1 Revision 5 Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80057pt1r5.pdf SP800-90Arev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) October 2009 https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131Arev2 NIST Special Publication 800-131A Revision 1- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800132.pdf SP800-133rev2 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf © 2024 SUSE, LLC / atsec information security.

47 of 48
Page 48

SUSE Linux Enterprise Kernel Crypto API Cryptographic Module SP800-135rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 SUSE, LLC / atsec information security.

48 of 48

Referenced URLs