| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Single Chip |
| Status | Historical |
| Caveat | Interim validation. When operated in approved mode |
| Vendor | Qualcomm Technologies, Inc. |
flowchart LR
%% Deterministic review-risk graph for Qualcomm® Inline Crypto Engine (UFS)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5 clue;
class I2,I3,I5 infer;
class R2,R3,R5 risk;
class E2,E3,E5 evidence;flowchart LR
%% Deterministic clue tier for Qualcomm® Inline Crypto Engine (UFS)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5 clueLow;Qualcomm® Inline Crypto Engine (UFS) Versions 3.2.0, 3.2.1, 4.0.1 and 4.0.2 Version 1.1 Last update: 2024-07-24 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 Qualcomm Technologies, Inc. / atsec information security.
© 2024 Qualcomm Technologies, Inc. / atsec information security.
This Security Policy describes the features and design of the module named Qualcomm® Inline Crypto Engine (UFS) using the terminology contained in the FIPS 140-3 specification. The FIPS 140-
3 Security Requirements for Cryptographic Modules specifies the security requirements that will be
satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. and including this notice. Other documentation is proprietary to their authors.
In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. This document is the non-proprietary FIPS 140-3 Security Policy for versions 3.2.0, 3.2.1, 4.0.1 and
4.0.2 of the Qualcomm Inline Crypto Engine (UFS). It has a one-to-one mapping to the [SP 800-
140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. ISO/IEC 24759 Section FIPS 140-3 Section Title Security Level 6. [Number Below]
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security N/A
6 Operational Environment N/A
7 Physical Security 2
8 Non-invasive Security N/A
9 Sensitive Security Parameter 1
Management © 2024 Qualcomm Technologies, Inc. / atsec information security.
10 Self-tests 1
11 Life-cycle Assurance 2
12 Mitigation of Other Attacks N/A
Table 1 - Security Levels © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Qualcomm Inline Crypto Engine (UFS) is classified as a sub-chip hardware module in a single chip embodiment for the purpose of FIPS 140-3 validation. It provides AES-XTS encryption and decryption of block storage devices as defined in SP 800-38E. The underlying AES for AES-XTS is compliant to FIPS 197. The Qualcomm Inline Crypto Engine (UFS) has been tested on the following platforms with the corresponding module variants and configuration options: Model1 Hardware Firmware Distinguishing [Part Number and Version] Version Features Snapdragon®2 Qualcomm Inline Crypto Engine (UFS) with N/A N/A
Platform Snapdragon Qualcomm Inline Crypto Engine (UFS) with N/A N/A 8+ Gen 1 version 3.2.1 Mobile Platform Qualcomm® Qualcomm Inline Crypto Engine (UFS) with N/A N/A QCM64902 version 3.2.0 Qualcomm® Qualcomm Inline Crypto Engine (UFS) with N/A N/A QCS64902 version 3.2.0 Snapdragon 8 Qualcomm Inline Crypto Engine (UFS) with N/A N/A Gen 2 Mobile version 4.0.1 Platform Snapdragon Qualcomm Inline Crypto Engine (UFS) with N/A N/A
Platform Snapdragon 6 Qualcomm Inline Crypto Engine (UFS) with N/A N/A Gen 1 Mobile version 3.2.1 Platform Snapdragon 8 Qualcomm Inline Crypto Engine (UFS) with N/A N/A Gen 3 Mobile version 4.0.2 Platform Snapdragon 4 Qualcomm Inline Crypto Engine (UFS) with N/A N/A Gen 2 Mobile version 3.2.1 Platform Snapdragon 7 Qualcomm Inline Crypto Engine (UFS) with N/A N/A Gen 1 Mobile version 3.2.1 Platform Qualcomm® Qualcomm Inline Crypto Engine (UFS) with N/A N/A QCM44902 version 3.2.1 Qualcomm® Qualcomm Inline Crypto Engine (UFS) with N/A N/A QCS44902 version 3.2.1
Technologies, Inc. and/or its subsidiaries. © 2024 Qualcomm Technologies, Inc. / atsec information security.
Table 2 - Cryptographic Module Tested Configuration The table below lists all security functions of the module, including specific key strengths employed for approved services, and implemented modes of operation. CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Cert Key Strength(s) Standard A771, AES FIPS 197 ECB encryption 128 and 256 bits encryption A2116, AES-ECB SP 800A2886, 38A A4287 A772, ECB decryption decryption A2117, A2887, A4288 A771, AES-XTS SP 800- XTS encryption 128 and 256 bits encryption A2116, 38E A2886, A4287 A772, XTS decryption decryption A2117, A2887, A4288 Table 3 - Approved Algorithms Algorithm/Function Use/Function AES bitlocker encryption/decryption Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation NOTE: the module does not implement any non-approved but allowed, or non-approved but allowed with no security claimed algorithms.
The cryptographic boundary of the Qualcomm Inline Crypto Engine (UFS) is the sub chip component shown with blue box. The module has been tested on the platforms listed in Table 2 which form the physical perimeter for the module. Consequently, the embodiment of the Qualcomm Inline Crypto Engine (UFS) is a single-chip cryptographic module. © 2024 Qualcomm Technologies, Inc. / atsec information security.
Below is an illustrative diagram. Figure 1
Figure 3 - Snapdragon 8+ Gen 1 Mobile Platform Figure 4
Figure 6
Figure 9
Figure 12
The Qualcomm Inline Crypto Engine (UFS) supports two modes of operation; (1) the approved mode in which the approved services are available; and (2) the non-approved mode, in which the non-approved services are available. When the Qualcomm Inline Crypto Engine (UFS) starts up successfully, after passing all the selftests, the module is operating in the approved mode of operation by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 8. Section 4 provides details on the service indicator implemented by the module. The service indicator identifies when an approved service is called. The Qualcomm Inline Crypto Engine (UFS) can be configured to operate in one of the following two settings where the settings can be changed prior to each service request:
Physical port Logical Interface Data that passes over port/interface Data In FIFO/DMA Data Input Plaintext data that should be encrypted by the cryptographic module and ciphertext data that should be decrypted by the cryptographic module Registers Data Input Cryptographic keys Data Out FIFO/DMA Data Output Plaintext data that has been decrypted by the cryptographic module and ciphertext data that has been encrypted by the cryptographic module Registers, Control Input Commands input logically Interrupts Registers, Status Output Status information Interrupts Physical power Power Input Power from SoC power port connector Table 5 - Ports and Interfaces As indicated in Table 5, all status output and control input are directed through the interface of the cryptographic boundary, which is the registers and interrupts of the Qualcomm Inline Crypto Engine (UFS). For data input, the Data In FIFO/DMA provides the interface. For data output, the Data Out FIFO/DMA provides the interface. The module does not implement a control output interface. © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Crypto Officer role is assumed implicitly. Concurrent operators are not allowed. Role Service Input Output Crypto ECB/XTS encryption AES key, Plaintext Ciphertext Officer ECB/XTS decryption AES key, Ciphertext Plaintext (CO) Bitlocker Encryption AES key, Plaintext Ciphertext Bitlocker Decryption AES key, Ciphertext Plaintext Self-test Module reset Success/Fail Zeroization Reset request None Configuration of Key index None parameters for key Show Status None Return code read from register UFS_MEM_ICE_BIST_STATUS Show Version None Name and Version information read from register UFS_MEM_ICE_VERSION Setting encryption and AES key None decryption keys Table 6 - Roles, Service Commands, Input and Output
The following table describes the approved services: Service Description Approved Security Keys and/or Roles Access Indicator Functions SSPs rights to Keys and/or SSPs ECB/XTS Perform data AES-ECB 128/256 AES key CO E, W “UFS_MEM_ICE Encryption encryption _PARAMETERS _4” register AES-XTS 128/256 bits 0 and 1 ECB/XTS Perform data AES-ECB 128/256 indicating Decryption decryption value 00 AES-XTS 128/256 Self-Test Self-Test is None N/A N/A None executed automatically when device is booted or restarted Show Version Show the None N/A N/A None version and name of the module © 2024 Qualcomm Technologies, Inc. / atsec information security.
Service Description Approved Security Keys and/or Roles Access Indicator Functions SSPs rights to Keys and/or SSPs Zeroization Zeroizes the None AES key Z None SSP Configuration Configures the None N/A N/A None of parameters registers to for key hold parameters such as index of the key Status output Show status of None N/A N/A None the module state Setting Configuring None AES key W None encryption the keys to be and used by decryption module keys Table 7 - Approved Services G = Generate: The module generates or derives the SSP. E = Execute: The module uses the SSP in performing a cryptographic operation. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. Z = Zeroize: The module zeroizes the SSP. Service Description Algorithms Accessed Role Indicator Bitlocker Perform data AES bitlocker CO “UFS_MEM_ICE Encryption/Decryption encryption/decryption _PARAMETERS _5” register bit
value 0 Table 8 - Non-Approved Services
There is no operator authentication; assumption of role is implicit by the used service(s). © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Qualcomm Inline Crypto Engine (UFS) does not support any software or firmware component. Therefore, this section is not applicable. © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Qualcomm Inline Crypto Engine (UFS) is a single chip hardware module. The procurement, build and configuring procedure are controlled. Therefore, the operational environment is considered non-modifiable. © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Qualcomm Inline Crypto Engine (UFS) is a sub-chip enclosed in the platforms that are listed in Table 2 that are made up of production grade component and conform to the Level 2 requirements for physical security. At the time of manufacturing, the die is embedded within a printed circuit board (PCB), which prevents visibility into the internal circuity of the Qualcomm Inline Crypto Engine (UFS). The layering process which is used to embed the die into the PCB also prevents tampering of the physical components without leaving tamper evidence. The Qualcomm Inline Crypto Engine (UFS) is further protected by being enclosed in commercial off the shelf mobile device utilizing production grade commercially available components and that the mobile device enclosure that completely surrounds the Qualcomm Inline Crypto Engine (UFS). There are no steps required to ensure that physical security is maintained. © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Qualcomm Inline Crypto Engine (UFS) does not support any non-invasive security techniques. Therefore, this section is not applicable. © 2024 Qualcomm Technologies, Inc. / atsec information security.
These keys are generated outside the boundary and set up by the Crypto Officer in the registers of the Qualcomm Inline Crypto Engine (UFS). The following table lists the key/CSP used by the : Key/SSP Strength Security Generation Import Establish- Storage Zero- Use and Name Function /Export ment ization related /Type and Cert. keys Number AES key 128 and AES N/A MD/EE N/A Hardware Zeroized Encryption
Certs. Import: module decryption #A771, Provided reset #A772, by caller. #A2116, Export: #A2117, N/A #A2886, #A2887, #A4287, #A4288 Table 9 - SSPs
The Qualcomm Inline Crypto Engine (UFS) does not provide any SSP generation or SSP establishment methods.
The caller provides the AES keys for encryption and/or decryption. These keys are input to the module in plaintext form by the entity residing within the same physical perimeter of the SoC on which the Qualcomm Inline Crypto Engine (UFS) runs. The module does not output any SSPs.
The module does not provide persistent storage of SSPs. The SSP i.e., the AES keys are provided by the caller are set up by the CO and are temporarily stored in hardware registers. Once the keys are written to the registers, they are not readable from outside the Qualcomm Inline Crypto Engine (UFS).
When the Qualcomm Inline Crypto Engine (UFS) performs a module reset, it will zeroize all SSPs contained within itself. The registers for the SSPs will implicitly be set to zero upon the reset, indicating the zeroization was successful. © 2024 Qualcomm Technologies, Inc. / atsec information security.
The integrity test is not applicable since the Qualcomm Inline Crypto Engine (UFS) is implemented in hardware and is non-modifiable. There are no bypass or critical function tests.
Algorithm Test AES-256 Encryption (ECB) KAT AES-256 Decryption (ECB) KAT Table 10
On demand self-tests can be invoked by powering-off and reloading the module or when a reset event is received. This test performs the same conditional tests that are performed during powerup. During the execution of the on-demand self-tests, cryptographic services are not available, and no data output or input is possible.
If any of the conditional self-tests or on-demand test fails, the Qualcomm Inline Crypto Engine (UFS) will enter the error state. Data output is prohibited, and no further cryptographic operation is allowed in the error state. This is performed by the control logic that and prevents external usage when an error is detected. To recover from the error state, re-initialization is possible by successful execution of the power up tests, which can be triggered by either a power-off/power-on cycle or the receipt of a reset event. Once locked, the Qualcomm Inline Crypto Engine (UFS) will only respond to a reset which will cause it to re-execute the power up tests. If the error persists, the Qualcomm Inline Crypto Engine (UFS) will remain unavailable. Error State Cause of Error Status Indicator Error Known Answer test failure BIST_FAILURE indicator is set Table 11 - Error States © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Qualcomm Inline Crypto Engine (UFS) is a sub-chip module that runs on the platforms listed in Table
As stated in section 9.4, the module does not perform persistent storage of SSPs. SSP values only exists in volatile memory and these values are zeroized when the module is reset. The procedure for secure sanitization of the module at the end of life is simply to power it off, which is the action of zeroization of the SSPs. As a result of this sanitization via power-off, the SSPs are removed from the module, so that the module may either be distributed to other operators or disposed.
There is no specific crypto officer guidance required for the module. Note: AES XTS The module does not support AES-XTS with data unit lengths greater than 2^20 AES blocks. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
ClearCase, a version control system from IBM/Rational, is used to manage the revision control of the hardware code (Verilog code) and hardware documentation. The ClearCase version control system provides version control, workspace management, parallel development support and build auditing. The Verilog code is maintained within the ClearCase database used by Qualcomm Technologies, Inc. © 2024 Qualcomm Technologies, Inc. / atsec information security.
The Qualcomm Inline Crypto Engine (UFS) does not implement security mechanisms to mitigate other attacks. © 2024 Qualcomm Technologies, Inc. / atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CMVP Cryptographic Module Validation Program CSP Critical Security Parameter FIPS Federal Information Processing Standards Publication FSM Finite State Model KAT Known Answer Test NIST National Institute of Science and Technology SoC System on a Chip XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Qualcomm Technologies, Inc. / atsec information security.
Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program September 2020 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-1403-ig-announcements FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 Qualcomm Technologies, Inc. / atsec information security.