All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module

Certificate#4739StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorOracle Corporation
Low review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 10212 CVEs since this module's initial validation  ·  last validated 3 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/24/2029
CaveatInterim validation. When operated in Approved mode. When installed, initialized and configured as specified in section 11 of the Security Policy.
VendorOracle Corporation

Approved Algorithms (492)

AlgorithmACVP Cert
AES-CBCA3862
AES-CBCA3869
AES-CBCA3876
AES-CBCA3879
AES-CBCA3889
AES-CBCA3891
AES-CBCA3894
AES-CBCA4162
AES-CBCA4169
AES-CBCA4176
AES-CBCA4178
AES-CBCA4179
AES-CBCA4183
AES-CBCA4191
AES-CBC-CS3A3866
AES-CBC-CS3A3874
AES-CBC-CS3A3884
AES-CBC-CS3A3889
AES-CBC-CS3A3891
AES-CBC-CS3A4166
AES-CBC-CS3A4174
AES-CBC-CS3A4176
AES-CBC-CS3A4178
AES-CBC-CS3A4188
AES-CCMA3862
AES-CCMA3869
AES-CCMA3879
AES-CCMA3889
AES-CCMA3891
AES-CCMA4162
AES-CCMA4169
AES-CCMA4176
AES-CCMA4178
AES-CCMA4183
AES-CFB128A3864
AES-CFB128A3872
AES-CFB128A3882
AES-CFB128A3891
AES-CFB128A4164
AES-CFB128A4172
AES-CFB128A4178
AES-CFB128A4186
AES-CMACA3862
AES-CMACA3869
AES-CMACA3879
AES-CMACA3889
AES-CMACA3891
AES-CMACA4162
AES-CMACA4169
AES-CMACA4176
AES-CMACA4178
AES-CMACA4183
AES-CTRA3862
AES-CTRA3869
AES-CTRA3876
AES-CTRA3879
AES-CTRA3889
AES-CTRA3891
AES-CTRA3894
AES-CTRA4162
AES-CTRA4169
AES-CTRA4176
AES-CTRA4178
AES-CTRA4179
AES-CTRA4183
AES-CTRA4191
AES-ECBA3860
AES-ECBA3861
AES-ECBA3862
AES-ECBA3867
AES-ECBA3868
AES-ECBA3869
AES-ECBA3870
AES-ECBA3871
AES-ECBA3876
AES-ECBA3877
AES-ECBA3878
AES-ECBA3879
AES-ECBA3880
AES-ECBA3881
AES-ECBA3889
AES-ECBA3891
AES-ECBA3892
AES-ECBA3893
AES-ECBA3894
AES-ECBA4160
AES-ECBA4161
AES-ECBA4162
AES-ECBA4167
AES-ECBA4168
AES-ECBA4169
AES-ECBA4170
AES-ECBA4171
AES-ECBA4176
AES-ECBA4178
AES-ECBA4179
AES-ECBA4181
AES-ECBA4182
AES-ECBA4183
AES-ECBA4184
AES-ECBA4185
AES-ECBA4191
AES-ECBA4196
AES-ECBA4197
AES-GCMA3862
AES-GCMA3867
AES-GCMA3868
AES-GCMA3869
AES-GCMA3870
AES-GCMA3871
AES-GCMA3876
AES-GCMA3877
AES-GCMA3878
AES-GCMA3879
AES-GCMA3880
AES-GCMA3881
AES-GCMA3891
AES-GCMA3892
AES-GCMA3893
AES-GCMA4162
AES-GCMA4167
AES-GCMA4168
AES-GCMA4169
AES-GCMA4170
AES-GCMA4171
AES-GCMA4178
AES-GCMA4181
AES-GCMA4182
AES-GCMA4183
AES-GCMA4184
AES-GCMA4185
AES-GCMA4191
AES-GCMA4196
AES-GCMA4197
AES-GMACA3862
AES-GMACA3869
AES-GMACA3879
AES-GMACA3891
AES-GMACA4162
AES-GMACA4169
AES-GMACA4178
AES-GMACA4183
AES-OFBA3865
AES-OFBA3873
AES-OFBA3883
AES-OFBA3891
AES-OFBA4165
AES-OFBA4173
AES-OFBA4178
AES-OFBA4187
AES-XTS Testing Revision 2.0A3862
AES-XTS Testing Revision 2.0A3869
AES-XTS Testing Revision 2.0A3876
AES-XTS Testing Revision 2.0A3879
AES-XTS Testing Revision 2.0A3889
AES-XTS Testing Revision 2.0A3891
AES-XTS Testing Revision 2.0A3894
AES-XTS Testing Revision 2.0A4162
AES-XTS Testing Revision 2.0A4169
AES-XTS Testing Revision 2.0A4176
AES-XTS Testing Revision 2.0A4178
AES-XTS Testing Revision 2.0A4179
AES-XTS Testing Revision 2.0A4183
AES-XTS Testing Revision 2.0A4191
Counter DRBGA3860
Counter DRBGA3861
Counter DRBGA3862
Counter DRBGA3867
Counter DRBGA3868
Counter DRBGA3869
Counter DRBGA3870
Counter DRBGA3871
Counter DRBGA3876
Counter DRBGA3877
Counter DRBGA3878
Counter DRBGA3879
Counter DRBGA3880
Counter DRBGA3881
Counter DRBGA3891
Counter DRBGA3892
Counter DRBGA3893
Counter DRBGA4160
Counter DRBGA4161
Counter DRBGA4162
Counter DRBGA4167
Counter DRBGA4168
Counter DRBGA4169
Counter DRBGA4170
Counter DRBGA4171
Counter DRBGA4178
Counter DRBGA4181
Counter DRBGA4182
Counter DRBGA4183
Counter DRBGA4184
Counter DRBGA4185
Counter DRBGA4191
Counter DRBGA4196
Counter DRBGA4197
ECDSA KeyGen (FIPS186-4)A3861
ECDSA KeyGen (FIPS186-4)A4161
Hash DRBGA3860
Hash DRBGA3861
Hash DRBGA3862
Hash DRBGA3867
Hash DRBGA3868
Hash DRBGA3869
Hash DRBGA3870
Hash DRBGA3871
Hash DRBGA3876
Hash DRBGA3877
Hash DRBGA3878
Hash DRBGA3879
Hash DRBGA3880
Hash DRBGA3881
Hash DRBGA3885
Hash DRBGA3886
Hash DRBGA3887
Hash DRBGA3892
Hash DRBGA3893
Hash DRBGA4160
Hash DRBGA4161
Hash DRBGA4162
Hash DRBGA4167
Hash DRBGA4168
Hash DRBGA4169
Hash DRBGA4170
Hash DRBGA4171
Hash DRBGA4181
Hash DRBGA4182
Hash DRBGA4183
Hash DRBGA4184
Hash DRBGA4185
Hash DRBGA4189
Hash DRBGA4190
Hash DRBGA4191
Hash DRBGA4192
Hash DRBGA4196
Hash DRBGA4197
HMAC DRBGA3860
HMAC DRBGA3861
HMAC DRBGA3862
HMAC DRBGA3867
HMAC DRBGA3868
HMAC DRBGA3869
HMAC DRBGA3870
HMAC DRBGA3871
HMAC DRBGA3876
HMAC DRBGA3877
HMAC DRBGA3878
HMAC DRBGA3879
HMAC DRBGA3880
HMAC DRBGA3881
HMAC DRBGA3885
HMAC DRBGA3886
HMAC DRBGA3887
HMAC DRBGA3892
HMAC DRBGA3893
HMAC DRBGA4160
HMAC DRBGA4161
HMAC DRBGA4162
HMAC DRBGA4167
HMAC DRBGA4168
HMAC DRBGA4169
HMAC DRBGA4170
HMAC DRBGA4171
HMAC DRBGA4181
HMAC DRBGA4182
HMAC DRBGA4183
HMAC DRBGA4184
HMAC DRBGA4185
HMAC DRBGA4189
HMAC DRBGA4190
HMAC DRBGA4191
HMAC DRBGA4192
HMAC DRBGA4196
HMAC DRBGA4197
HMAC-SHA-1A3860
HMAC-SHA-1A3861
HMAC-SHA-1A3862
HMAC-SHA-1A3885
HMAC-SHA-1A3886
HMAC-SHA-1A3887
HMAC-SHA-1A3888
HMAC-SHA-1A3889
HMAC-SHA-1A4160
HMAC-SHA-1A4161
HMAC-SHA-1A4162
HMAC-SHA-1A4176
HMAC-SHA-1A4189
HMAC-SHA-1A4190
HMAC-SHA-1A4192
HMAC-SHA-1A4193
HMAC-SHA-1A6709
HMAC-SHA2-224A3860
HMAC-SHA2-224A3861
HMAC-SHA2-224A3862
HMAC-SHA2-224A3885
HMAC-SHA2-224A3886
HMAC-SHA2-224A3887
HMAC-SHA2-224A3888
HMAC-SHA2-224A3889
HMAC-SHA2-224A3894
HMAC-SHA2-224A3895
HMAC-SHA2-224A4160
HMAC-SHA2-224A4161
HMAC-SHA2-224A4162
HMAC-SHA2-224A4176
HMAC-SHA2-224A4179
HMAC-SHA2-224A4180
HMAC-SHA2-224A4189
HMAC-SHA2-224A4190
HMAC-SHA2-224A4192
HMAC-SHA2-224A4193
HMAC-SHA2-224A6709
HMAC-SHA2-256A3860
HMAC-SHA2-256A3861
HMAC-SHA2-256A3862
HMAC-SHA2-256A3885
HMAC-SHA2-256A3886
HMAC-SHA2-256A3887
HMAC-SHA2-256A3888
HMAC-SHA2-256A3889
HMAC-SHA2-256A3894
HMAC-SHA2-256A3895
HMAC-SHA2-256A4160
HMAC-SHA2-256A4161
HMAC-SHA2-256A4162
HMAC-SHA2-256A4176
HMAC-SHA2-256A4179
HMAC-SHA2-256A4180
HMAC-SHA2-256A4189
HMAC-SHA2-256A4190
HMAC-SHA2-256A4192
HMAC-SHA2-256A4193
HMAC-SHA2-256A6709
HMAC-SHA2-384A3860
HMAC-SHA2-384A3861
HMAC-SHA2-384A3862
HMAC-SHA2-384A3885
HMAC-SHA2-384A3886
HMAC-SHA2-384A3887
HMAC-SHA2-384A3890
HMAC-SHA2-384A3895
HMAC-SHA2-384A4160
HMAC-SHA2-384A4161
HMAC-SHA2-384A4162
HMAC-SHA2-384A4177
HMAC-SHA2-384A4180
HMAC-SHA2-384A4189
HMAC-SHA2-384A4190
HMAC-SHA2-384A4192
HMAC-SHA2-384A6709
HMAC-SHA2-512A3860
HMAC-SHA2-512A3861
HMAC-SHA2-512A3862
HMAC-SHA2-512A3885
HMAC-SHA2-512A3886
HMAC-SHA2-512A3887
HMAC-SHA2-512A3890
HMAC-SHA2-512A3895
HMAC-SHA2-512A4160
HMAC-SHA2-512A4161
HMAC-SHA2-512A4162
HMAC-SHA2-512A4177
HMAC-SHA2-512A4180
HMAC-SHA2-512A4189
HMAC-SHA2-512A4190
HMAC-SHA2-512A4192
HMAC-SHA2-512A6709
HMAC-SHA3-224A3863
HMAC-SHA3-224A4163
HMAC-SHA3-256A3863
HMAC-SHA3-256A4163
HMAC-SHA3-384A3863
HMAC-SHA3-384A4163
HMAC-SHA3-512A3863
HMAC-SHA3-512A4163
KAS-ECC-SSC Sp800-56Ar3A3861
KAS-ECC-SSC Sp800-56Ar3A4161
KAS-FFC-SSC Sp800-56Ar3A3860
KAS-FFC-SSC Sp800-56Ar3A4160
RSA SigVer (FIPS186-4)A3862
RSA SigVer (FIPS186-4)A3885
RSA SigVer (FIPS186-4)A3886
RSA SigVer (FIPS186-4)A3887
RSA SigVer (FIPS186-4)A4162
RSA SigVer (FIPS186-4)A4189
RSA SigVer (FIPS186-4)A4190
RSA SigVer (FIPS186-4)A4192
Safe Primes Key GenerationA3860
Safe Primes Key GenerationA4160
SHA-1A3860
SHA-1A3861
SHA-1A3862
SHA-1A3885
SHA-1A3886
SHA-1A3887
SHA-1A3888
SHA-1A3889
SHA-1A4160
SHA-1A4161
SHA-1A4162
SHA-1A4176
SHA-1A4189
SHA-1A4190
SHA-1A4192
SHA-1A4193
SHA-1A6709
SHA2-224A3860
SHA2-224A3861
SHA2-224A3862
SHA2-224A3885
SHA2-224A3886
SHA2-224A3887
SHA2-224A3888
SHA2-224A3889
SHA2-224A3894
SHA2-224A3895
SHA2-224A4160
SHA2-224A4161
SHA2-224A4162
SHA2-224A4176
SHA2-224A4179
SHA2-224A4180
SHA2-224A4189
SHA2-224A4190
SHA2-224A4192
SHA2-224A4193
SHA2-224A6709
SHA2-256A3860
SHA2-256A3861
SHA2-256A3862
SHA2-256A3885
SHA2-256A3886
SHA2-256A3887
SHA2-256A3888
SHA2-256A3889
SHA2-256A3894
SHA2-256A3895
SHA2-256A4160
SHA2-256A4161
SHA2-256A4162
SHA2-256A4176
SHA2-256A4179
SHA2-256A4180
SHA2-256A4189
SHA2-256A4190
SHA2-256A4192
SHA2-256A4193
SHA2-256A6709
SHA2-384A3860
SHA2-384A3861
SHA2-384A3862
SHA2-384A3885
SHA2-384A3886
SHA2-384A3887
SHA2-384A3890
SHA2-384A3895
SHA2-384A4160
SHA2-384A4161
SHA2-384A4162
SHA2-384A4177
SHA2-384A4180
SHA2-384A4189
SHA2-384A4190
SHA2-384A4192
SHA2-384A6709
SHA2-512A3860
SHA2-512A3861
SHA2-512A3862
SHA2-512A3885
SHA2-512A3886
SHA2-512A3887
SHA2-512A3890
SHA2-512A3895
SHA2-512A4160
SHA2-512A4161
SHA2-512A4162
SHA2-512A4177
SHA2-512A4180
SHA2-512A4189
SHA2-512A4190
SHA2-512A4192
SHA2-512A6709
SHA3-224A3863
SHA3-224A4163
SHA3-256A3863
SHA3-256A4163
SHA3-384A3863
SHA3-384A4163
SHA3-512A3863
SHA3-512A4163

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status<br/>Self-test<br/>Error State</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status<br/>Self-test<br/>Error State</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module FIPS 140-3 Level 1 Validation Software Versions: kernel: 5.15.0-303.171.5.2.2.el8uek and 5.15.0-303.171.5.2.2.el9uek libkcapi: 1.2.0-2.0.1.el8 and 1.3.1-3.0.1.el9 Date: February 26th, 2026 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com Document Version: 1.5 ©Oracle Corporation

Page 2

Title: Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy Date: February 26th, 2026 Contributing Authors: Oracle Linux Engineering Security Evaluations

2300 Oracle Way

Austin, TX 78741 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 www.oracle.com change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may reproduced or distributed whole and intact Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy i

Page 3
Table of Contents
#SectionPage
1General1
1.1Overview1
1.1.1How this Security Policy was prepared1
1.2Security Levels1
2Cryptographic Module Specification2
2.1Description2
2.2Version Information2
2.3Operating Environments3
2.4Excluded Components5
2.5Modes of Operation5
2.6Approved Algorithms5
2.7RNG and Entropy8
2.8SSP Generation8
2.9SSP Establishment8
2.10Industry Protocols9
2.11Design and Rules9
2.12Initialization9
3Cryptographic Module Interfaces10
3.1Description10
3.2Trusted Channel Specification10
3.3Control Interface Not Inhibited10
4Roles, Services, and Authentication11
4.1Authentication Methods11
4.2Roles11
4.3Approved Services11
4.4Non-Approved Services13
4.5External Software/Firmware Loaded13
4.6Bypass Actions and Status13
4.7Cryptographic Output Actions and Status13
5Software/Firmware Security14
5.1Integrity Techniques14
5.2Initiate on Demand14
6Operational Environment15
6.1Operational Environment Type and Requirements15
6.2Configurable Settings and Restrictions15
7Physical Security16
8Non-Invasive Security17
9Sensitive Security Parameters Management18
9.1Storage Areas18
9.2SSP Input-Output Methods18
9.3SSP Zeroization Methods18
9.4SSPs19
9.5Transitions20
10Self-Tests21
10.1Pre-Operational Self-Tests21
10.2Conditional Self-Tests21
10.2.1Conditional Cryptographic Algorithm Tests22
10.2.2Conditional Cryptographic Algorithm Tests23
10.3Periodic Self-Tests23
10.4Error States23
10.5Operator Initiation23
11Life-Cycle Assurance24
11.1Startup Procedures24
11.2Administrator Guidance25
11.2.1AES GCM IV25
11.2.2AES XTS25
11.2.3SP 800-56Arev3 Assurances25
11.2.4RSA25
11.2.5SHA-326
11.3Non-Administrator Guidance26
11.4Maintenance Requirements26
11.5End of Life26
12Mitigation of Other Attacks27
Appendix A. Glossary and Abbreviations28
Appendix B. References29
Page 4

9.4 9.5 10.1 10.2 10.3 10.4 10.5 11.1 11.2 11.3 11.4 11.5 Appendix A. Appendix B. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy iii

Page 5
List of Tables
ItemPage
Table 1 - Security Levels1
Table 2 - Software, Firmware, Hybrid Tested Operating Environments3
Table 3 - Executable Code Sets4
Table 4 - Vendor Affirmed Operational Environments5
Table 5 - Modes List and Description5
Table 6 - Approved Algorithms7
Table 7 - Non-Approved, Allowed Algorithms with No Security Claimed7
Table 8 – Non-Approved, Not Allowed Algorithms8
Table 9 – Entropy8
Table 10 - Key Generation8
Table 11 - Key Agreement8
Table 12 - Key Transport9
Table 13 - Ports and Interfaces10
Table 14 – Roles11
Table 15 – Approved Services12
Table 16 - Non-Approved Services13
Table 17 – Storage Areas18
Table 18 – SSP Input-Output18
Table 19 - SSP Zeroization Methods18
Table 20 - SSP Information First20
Table 21 - SSP Information Second20
Table 22 - Pre-Operational Self-Tests21
Table 23 - Conditional Self-Tests22
Table 24 - Error States23
Figure 1 – Block Diagram2
Page 6
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityNot Applicable
88Non-invasive SecurityNot Applicable
99Sensitive Security Parameter Management1
1010Self-tests1
1111Life-cycle Assurance1
1212Mitigation of Other AttacksNot Applicable
Overall LevelOverall Level1
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module versions:

1.1.1 How this Security Policy was prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. [Number Below] Table 1 - Security Levels Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 7
2.1 Description

Purpose and Use: The Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: Multi-chip standalone Module Characteristics: N/A Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the loadable kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1

2.2 Version Information

Hardware Versions: N/A Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 8
Module configuration
NameOperating SystemHardware PlatformHardware VersionFirmware VersionProcessorFeaturesPackageIntegrity Test
Oracle Linux 8ORACLE SERVER X9-2cIntel(R) Xeon(R) Platinum 8358Yes: AES-NI and SHA ExtensionsOracle Linux 8KVM on Oracle Linux 8
ORACLE SERVER E4-2cORACLE SERVER E4-2cAMD EPYC 7J13Yes: AES-NI and SHA Extensions
ORACLE SERVER A1-2cORACLE SERVER A1-2cAmpere(R) Altra(R) Q80-30Yes: NEON and Cryptography Extensions
Oracle Linux 9ORACLE SERVER X9-2cIntel(R) Xeon(R) Platinum 8358Yes: AES-NI and SHA ExtensionsOracle Linux 9
ORACLE SERVER E4-2cORACLE SERVER E4-2cAMD EPYC 7J13Yes: AES-NI and SHA Extensions
ORACLE SERVER A1-2cORACLE SERVER A1-2cAmpere(R) Altra(R) Q80-30Yes: NEON and Cryptography Extensions
Marvell Liquid IO II (MIPS64) SmartNICMarvell Liquid IO II (MIPS64) SmartNICOCTEON IIINoN/A
Oracle Linux 8 Intel and AMD Platforms: /boot/vmlinuz-5.15.0- 303.171.5.2.2.el8uek.x86_64 *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/arch/x86/c rypto Oracle Linux 8 Ampere Platform: /boot/vmlinuz-5.15.0-303.171.5.2.2.el8uek. aarch64 *.ko and *.ko.xz files inN/A5.15.0-303.171.5.2.2.el8uekN/AOracle Linux 8 Intel and AMD Platforms: /boot/vmlinuz-5.15.0- 303.171.5.2.2.el8uek.x86_64 *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/arch/x86/c rypto Oracle Linux 8 Ampere Platform: /boot/vmlinuz-5.15.0-303.171.5.2.2.el8uek. aarch64 *.ko and *.ko.xz files inHMAC-SHA-5121 RSA 4096 bit signature verification2
Module configuration
NameOperating SystemHardware PlatformHardware VersionFirmware VersionProcessorFeaturesPackageIntegrity TestVirtual Platforms
Oracle Linux 8ORACLE SERVER X9-2cIntel(R) Xeon(R) Platinum 8358Yes: AES-NI and SHA ExtensionsOracle Linux 8KVM on Oracle Linux 8
ORACLE SERVER E4-2cORACLE SERVER E4-2cAMD EPYC 7J13Yes: AES-NI and SHA Extensions
ORACLE SERVER A1-2cORACLE SERVER A1-2cAmpere(R) Altra(R) Q80-30Yes: NEON and Cryptography Extensions
Oracle Linux 9ORACLE SERVER X9-2cIntel(R) Xeon(R) Platinum 8358Yes: AES-NI and SHA ExtensionsOracle Linux 9
ORACLE SERVER E4-2cORACLE SERVER E4-2cAMD EPYC 7J13Yes: AES-NI and SHA Extensions
ORACLE SERVER A1-2cORACLE SERVER A1-2cAmpere(R) Altra(R) Q80-30Yes: NEON and Cryptography Extensions
Marvell Liquid IO II (MIPS64) SmartNICMarvell Liquid IO II (MIPS64) SmartNICOCTEON IIINoN/A
Oracle Linux 8 Intel and AMD Platforms: /boot/vmlinuz-5.15.0- 303.171.5.2.2.el8uek.x86_64 *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/arch/x86/c rypto Oracle Linux 8 Ampere Platform: /boot/vmlinuz-5.15.0-303.171.5.2.2.el8uek. aarch64 *.ko and *.ko.xz files inN/A5.15.0-303.171.5.2.2.el8uekN/AOracle Linux 8 Intel and AMD Platforms: /boot/vmlinuz-5.15.0- 303.171.5.2.2.el8uek.x86_64 *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.15.0- 303.171.5.2.2.el8uek.x86_64/kernel/arch/x86/c rypto Oracle Linux 8 Ampere Platform: /boot/vmlinuz-5.15.0-303.171.5.2.2.el8uek. aarch64 *.ko and *.ko.xz files inHMAC-SHA-5121 RSA 4096 bit signature verification2
Oracle Linux 8 Platforms: /usr/lib64/libkcapi.so.1.2.0 /usr/bin/sha512hmac Oracle Linux 9 Platforms: /usr/lib64/libkcapi.so.1.3.1 /usr/bin/sha512hmacN/A5.15.0-303.171.5.2.2.el9uekN/AOracle Linux 8 Platforms: /usr/lib64/libkcapi.so.1.2.0 /usr/bin/sha512hmac Oracle Linux 9 Platforms: /usr/lib64/libkcapi.so.1.3.1 /usr/bin/sha512hmacHMAC-SHA-512
Oracle Linux 8Oracle Linux 8Oracle X Series ServersOracle Linux KVM
2.3 Operating Environments

N/A Table 2 - Software, Firmware, Hybrid Tested Operating Environments Executable Code Sets: N/A N/A verification 2 HMAC-SHA-512 integrity test is used for the kernel binary. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 9
Module configuration
NameOperating SystemHardware PlatformHardware VersionFirmware VersionFeaturesPackageIntegrity TestVirtual Platforms
Oracle Linux 8 Platforms: /usr/lib64/libkcapi.so.1.2.0 /usr/bin/sha512hmac Oracle Linux 9 Platforms: /usr/lib64/libkcapi.so.1.3.1 /usr/bin/sha512hmacN/A5.15.0-303.171.5.2.2.el9uekN/AOracle Linux 8 Platforms: /usr/lib64/libkcapi.so.1.2.0 /usr/bin/sha512hmac Oracle Linux 9 Platforms: /usr/lib64/libkcapi.so.1.3.1 /usr/bin/sha512hmacHMAC-SHA-512
Oracle Linux 8Oracle Linux 8Oracle X Series ServersOracle Linux KVM
Oracle Linux 9Oracle Linux 9Oracle E Series Servers Oracle A Series Servers Marvell T93 LiquidIO III (ARM v8.x) SmartNIC Pensando DSC-200-R (ARM v8.x) SmartNIC Nvidia Bluefield-3 (ARM v8.x) SmartNIC

N/A N/A Table 3 - Executable Code Sets Vendor Affirmed Operating Environments: Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 10
Service
NameDescriptionIndicatorType
Non-approved modeAutomatically entered whenever a non- approved service is requestedEquivalent to the indicator of the requested serviceNon-approved
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
SHA [FIPS 180-4]A3860 A3861 A3862SHA-1, SHA-224, SHA-256, SHA-N/AMessage digest
A3885 A3886 A3887A3885 A3886 A3887384, SHA-512
SHA-3 [FIPS 202]A3863 A4163SHA3-224, SHA3-256, SHA3-384,N/AMessage digest
AES [FIPS 197, SP 800-38A, SPA3860 A3861 A3862ECB, CBC, CBC-CS3, CFB128,128, 192, 256 bitsEncryption
800-38A Addendum]A3864 A3865 A3866OFB, CTRDecryption
AES [FIPS 197, SP 800-38C]A3862 A3869 A3879CCM128, 192, 256 bitsAuthenticated encryption
A3889 A3891 A4162A3889 A3891 A4162Authenticated decryption
AES [FIPS 197, SP 800-38D]A3867 A3870 A3877GCM (internal IV)128, 192, 256 bitsAuthenticated encryption
AES [FIPS 197, SP 800-38D]A3862 A3868 A3869GCM (external IV)128, 192, 256 bitsAuthenticated decryption
AES [FIPS 197, SP 800-38E]A3862 A3869 A3876XTS128, 256 bitsEncryption
A3879 A3889 A3891A3879 A3889 A3891Decryption
AES [FIPS 197, SP 800-38B, SPA3862 A3869 A3879CMAC, GMAC128, 192, 256 bitsMessage authentication
800-38D]A3889 A3891 A4162
HMAC [FIPS 198-1]A3860 A3861 A3862SHA-1, SHA-224, SHA-256, SHA-112-256 bitsMessage authentication
A3885 A3886 A3887A3885 A3886 A3887384, SHA-512
A3863 A4163A3863 A4163SHA3-224, SHA3-256, SHA3-384,
ECDSA [FIPS 186-4]A3861 A4161B.4.2 Testing candidatesP-256, P-384Key pair generation
KAS ECC-SSC [SP 800-A3861 A4161Ephemeral Unified ModelP-256, P-384Shared secret computation
56Arev3](initiator/responder)(128 and 192 bits)
KAS FFC-SSC [SP 800-56Arev3]A3860 A4160dhEphem (initiator/responder)ffdhe2048, ffdhe3072,Shared secret computation
Safe Primes [SP 800-56Arev3]A3860 A4160Section 5.6.1.1.4 Testingffdhe2048, ffdhe3072,Key pair generation
CandidatesCandidatesffdhe4096, ffdhe6144,
CTR_DRBG [SP 800-90Ar1]A3860 A3861 A3862AES-128, AES-192, AES-256, with128, 192, 256 bitsRandom number generation
A3867 A3868 A3869A3867 A3868 A3869derivation function,
A3870 A3871 A3876A3870 A3871 A3876with/without prediction
A3877 A3878 A3879A3877 A3878 A3879resistance
Hash_DRBG [SP 800-90Ar1]A3860 A3861 A3862SHA-1, SHA-256, SHA-512128, 256 bitsRandom number generation
A3867 A3868 A3869A3867 A3868 A3869with/without prediction
A3870 A3871 A3876A3870 A3871 A3876resistance
HMAC_DRBG [SP 800-90Ar1]A3877 A3878 A3879 A3880 A3881 A3885SHA-1, SHA-256, SHA-512128, 256 bitsRandom number generation
A3886 A3887 A3892A3886 A3887 A3892with/without prediction
A3893 A4160 A4161A3893 A4160 A4161resistance
RSA [FIPS 186-4]A3862 A3885 A3886PKCS#1 v1.5 with SHA1, SHA-2048, 3072, 4096 bits (112,Signature verification
A3887 A4162 A4189A3887 A4162 A4189224, SHA-256, SHA-384, SHA-128, 150 bits)
A4190 A4192A4190 A4192512

Table 4 - Vendor Affirmed Operational Environments Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated SSPs when so ported if the specific operational environment is not listed on the validation certificate.

2.4 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.5 Modes of Operation

Modes List and Description: Table 5 - Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically Mode change instructions and status indicators: The module automatically switches between the approved and non-approved modes depending on the services requested by The module does not implement a degraded mode of operation.

2.6 Approved Algorithms

Approved Algorithms: Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 11

Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 12
Service
NameApproved Functions
ECDSA Signature Verification PrimitiveSignature Verification Primitive
AES GCM with external IVEncryption
KBKDF (libkcapi)Key derivation
HKDF (libkcapi)Key derivation
PBKDF2 (libkcapi)Password-based key derivation

Table 6 - Approved Algorithms Vendor Affirmed Algorithms: The module implements Cryptographic Key Generation (CKG), with vendor affirmed compliance to SP 800-133r2, Section 5.2. Non-Approved, Allowed Algorithms: The module does not implement non-approved algorithms allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: Table 7 - Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 13
Approved algorithm
NameUse Function
RSAEncryption primitive Decryption primitive
RSA with PKCS#1 v1.5 paddingSignature generation (pre-hashed message) Signature verification (pre-hashed message)
Key encapsulation Key decapsulationKey encapsulation Key decapsulation
Sensitive security parameter
NameTypeStrengthOperational Environment
UEK7 CPU Time Jitter RNG Entropy Source (Cert. #E61)Non-physical64 bitsSee Table 259.41 bitsLinear-Feedback Shift Register (LFSR)
Service
NameTypeProperties
Safe primes key pair generationAsymmetricKey type: Diffie-Hellman key pair Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Security strength: 112-200 bits Method: SP 800-56Ar3 (safe primes) Section 5.6.1.1.4 Testing Candidates Compliant to SP 800-133r2, Section 5.2
EC key pair generationKey type: EC key pair Curves: P-256, P-384 Security strength: 128, 192 bits Method: FIPS 186-4 Appendix B.4.2 Testing Candidates Compliant to SP 800-133r2, Section 5.2
Diffie-HellmanShared secret computationGroups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Security strength: 112-200 bits Compliant with Scenario 2 (1) of FIPS 140-3 IG D.F
EC Diffie-HellmanShared secret computationCurves: P-256, P-384 Security strength: 128, 192 bits Compliant with Scenario 2 (1) of FIPS 140-3 IG D.F
Service
NameTypeProperties
Safe primes key pair generationAsymmetricKey type: Diffie-Hellman key pair Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Security strength: 112-200 bits Method: SP 800-56Ar3 (safe primes) Section 5.6.1.1.4 Testing Candidates Compliant to SP 800-133r2, Section 5.2
EC key pair generationKey type: EC key pair Curves: P-256, P-384 Security strength: 128, 192 bits Method: FIPS 186-4 Appendix B.4.2 Testing Candidates Compliant to SP 800-133r2, Section 5.2
Diffie-HellmanShared secret computationGroups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Security strength: 112-200 bits Compliant with Scenario 2 (1) of FIPS 140-3 IG D.F
EC Diffie-HellmanShared secret computationCurves: P-256, P-384 Security strength: 128, 192 bits Compliant with Scenario 2 (1) of FIPS 140-3 IG D.F

Table 8

2.8 SSP Generation
2.9 SSP Establishment

Table 11 - Key Agreement Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 14
Service
NameTypeProperties
AES CCMKey wrapping Key unwrappingSecurity strength: 128, 192, or 256 bits SP 800-38F
AES GCMKey wrappingIV generated internally Security strength: 128, 192, or 256 bits SP 800-38F
Key unwrappingKey unwrappingIV provided externally Security strength: 128, 192, or 256 bits SP 800-38F
AES CBC or CTR with HMAC SHA-1, HMAC SHA- 256, HMAC SHA-384, or HMAC SHA-512Key wrapping Key unwrappingSecurity strength: 112-256 bits SP 800-38F

Table 12 - Key Transport As permitted by IG D.G, the module provides key transport methods either by using an approved authenticated encryption mode or by a combination of any approved symmetric encryption mode and an approved authentication method.

2.10 Industry Protocols

AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than the AES GCM implementation, have been tested by the CAVP and CMVP.

2.11 Design and Rules

Upon start-up, the module immediately performs the pre-operational integrity test using the integrity values stored in the .hmac files associated with the module’s software components (Table 23). When all those self-tests pass successfully, the module automatically performs all cryptographic algorithm self-tests (CASTs) as specified in Table 23. Only if these CASTs also passed successfully, the module transitions to the operational state. No operator intervention is required to reach this point. In the operational state, the module accepts service requests from calling applications through its logical interfaces. If the Linux kernel which contains the module is shut down, the module will end its operation.

2.12 Initialization

There are no specific initialization requirements. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 15
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs.As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs.Data InputAPI data input parameters, AF_ALG type sockets
Data OutputData OutputAPI output parameters, AF_ALG type sockets
Control InputControl InputAPI function calls, API control input parameters, AF_ALG type sockets, kernel command line
Status OutputStatus OutputAPI return values, AF_ALG type sockets, kernel logs
3.1 Description

Table 13 - Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design.

3.2 Trusted Channel Specification

The module does not implement a trusted channel. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 16
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleN/A
Message digestCompute a message digestN/ASHA-1, SHA-224, SHA- 256, SHA-384, SHA- 512, SHA3-224, SHA3- 256, SHA3-384, SHA3- 512crypto_shash_init returns 0MessageDigest value
EncryptionEncrypt a plaintextAES key: W, EAES ECB, CBC, CBC- CS3, OFB, CFB128, CTR, XTScrypto_skcipher_s etkey returns 0AES key, plaintextCiphertext
DecryptionDecrypt a ciphertextAES key, ciphertextPlaintext
Authenticated encryptionEncrypt a plaintextAES key: W, E HMAC key: W, EAES CCM, GCM (internal IV) AES CBC or CTR with HMAC SHA-1, HMAC SHA-256, HMAC SHA- 384, or HMAC SHA- 512For all modes except AES GCM: crypto_aead_setk ey returns 0 For AES GCM: crypto_aead_get_ flags(tfm) has the CRYPTO_TFM_FIP S_COMPLIANCE flag setAES key, plaintextCiphertext, MAC tag
Authenticated decryptionDecrypt a ciphertextAES CCM, GCM (external IV) AES CBC or CTR with HMAC SHA-1, HMAC SHA-256, HMAC SHA- 384, or HMAC SHA- 512AES key, ciphertext, MAC tagPlaintext
Message authenticationCompute a MAC tagAES key: W, EAES CMAC, GMACcrypto_shash_init returns 0AES key, messageMAC tag
HMAC key, messageHMAC key: W, EHMAC SHA-1, HMAC SHA-224, HMAC SHA- 256, HMAC SHA-384, HMAC SHA-512, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3-512HMAC key, message
Signature verification primitivePerform ECDSA signature verification primitiveEC public key: W, EECDSA signature verification primitive with P-256 and P-384crypto_akcipher_v erify returns 0Hashed messagePass/fail
Shared secret computationCompute a shared secretDH private key: W, E DH public key: W, EKAS-FFC-SSCcrypto_kpp_comp ute_shared_secre t returns 0DH private key, DH public keyShared secret
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleN/A
Message digestCompute a message digestN/ASHA-1, SHA-224, SHA- 256, SHA-384, SHA- 512, SHA3-224, SHA3- 256, SHA3-384, SHA3- 512crypto_shash_init returns 0MessageDigest value
EncryptionEncrypt a plaintextAES key: W, EAES ECB, CBC, CBC- CS3, OFB, CFB128, CTR, XTScrypto_skcipher_s etkey returns 0AES key, plaintextCiphertext
DecryptionDecrypt a ciphertextAES key, ciphertextPlaintext
Authenticated encryptionEncrypt a plaintextAES key: W, E HMAC key: W, EAES CCM, GCM (internal IV) AES CBC or CTR with HMAC SHA-1, HMAC SHA-256, HMAC SHA- 384, or HMAC SHA- 512For all modes except AES GCM: crypto_aead_setk ey returns 0 For AES GCM: crypto_aead_get_ flags(tfm) has the CRYPTO_TFM_FIP S_COMPLIANCE flag setAES key, plaintextCiphertext, MAC tag
Authenticated decryptionDecrypt a ciphertextAES CCM, GCM (external IV) AES CBC or CTR with HMAC SHA-1, HMAC SHA-256, HMAC SHA- 384, or HMAC SHA- 512AES key, ciphertext, MAC tagPlaintext
Message authenticationCompute a MAC tagAES key: W, EAES CMAC, GMACcrypto_shash_init returns 0AES key, messageMAC tag
HMAC key, messageHMAC key: W, EHMAC SHA-1, HMAC SHA-224, HMAC SHA- 256, HMAC SHA-384, HMAC SHA-512, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3-512HMAC key, message
Signature verification primitivePerform ECDSA signature verification primitiveEC public key: W, EECDSA signature verification primitive with P-256 and P-384crypto_akcipher_v erify returns 0Hashed messagePass/fail
Shared secret computationCompute a shared secretDH private key: W, E DH public key: W, EKAS-FFC-SSCcrypto_kpp_comp ute_shared_secre t returns 0DH private key, DH public keyShared secret
EC private key, EC public keyEC private key: W, E EC public key: W, E Shared secret: G, RKAS-ECC-SSCEC private key, EC public key
Key pair generationGenerate a key pairDH private key: G, R DH public key: G, R Intermediate key generation value: G, ZSafe primes key pair generationcrypto_kpp_set_s ecret and crypto_kpp_gener ate_public_key return 0GroupDH private key, DH public key
CurveEC private key: G, R EC public key: G, R Intermediate key generation value: G, ZEC key pair generationCurveEC private key, EC public key
Random number generationGenerate random bytesEntropy input: W, E DRBG seed: E, G DRBG internal state: E, GCTR_DRBG Hash_DRBG HMAC_DRBGcrypto_rng_get_b ytes returns 0Output lengthRandom bytes
Error detection codeCompute an EDC (crc32, crct10dif)N/AN/ANoneMessageEDC
CompressionCompress data (deflate, lz4, lz4hc, lzo, zlib-deflate, zstd)N/AN/ANoneDataCompressed data
Generic system callUse the kernel to perform various non-cryptographic operationsN/AN/ANoneIdentifier, various argumentsVarious return values
Show versionReturn the module name and version informationN/AN/ANoneN/AModule name and version
Show statusReturn the module statusN/AN/ANoneN/AModule status
Self-testPerform the CASTs and integrity testsN/ASHA SHA-3 AES HMAC KAS-FFC-SSC KAS-ECC-SSC CTR_DRBG Hash_DRBG HMAC_DRBG RSA See Table 23 for specificsNoneN/APass/fail

Roles, Services, and Authentication The module does not implement authentication.

4.2 Roles

N/A Table 14

4.3 Approved Services

SHA-1, SHA-224, SHA256, SHA-384, SHA512, SHA3-224, SHA3256, SHA3-384, SHA3512 N/A W, E W, E E Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 17

N/A R W, E E R G, R G, R W, E N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Table 15

Page 18
Sensitive security parameter
NameDescriptionSecurity Function
AES GCM external IV encryptionEncrypt a plaintext using AES GCM with an external IVAES GCM (external IV)CO
Key derivationDerive a key from a key-derivation key or a shared secretKBKDF (libkcapi) HKDF (libkcapi)
Password-based key derivationDerive a key from a passwordPBKDF2 (libkcapi)
RSA encryption primitiveCompute the raw RSA encryption of a plaintext/ciphertextRSA
RSA decryption primitiveCompute the raw RSA decryption of a plaintext/ciphertext
RSA signature generation (pre- hashed message)Generate a digital signature for a pre-hashed messageRSA with PKCS#1 v1.5 padding (pre-hashed message)
RSA signature verification (pre- hashed message)Verify a digital signature for a pre-hashed message
Key encapsulationEncapsulate a secret key using RSA with PKCS#1 v1.5 padding
Key decapsulationDecapsulate a secret key using RSA with PKCS#1 v1.5 padding
4.4 Non-Approved Services

Table 16 - Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load external software or firmware.

4.6 Bypass Actions and Status

The module does not implement a bypass capability.

4.7 Cryptographic Output Actions and Status

The module does not implement a self-initiated cryptographic output capability. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 19
5.1 Integrity Techniques

The Linux kernel binary is integrity tested using an HMAC SHA-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations) which compares the computed HMAC value with a precomputed HMAC value. An HMAC SHA-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity by comparing the computed HMAC value with a precomputed HMAC value. The kernel crypto object files listed in Table

3 are loaded on start-up by the module and verified using RSA signature verification with PKCS#1 v1.5 padding, SHA-512, and a

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 20
6.1 Operational Environment Type and Requirements

Type of Operating Environment: modifiable: the module executes as part of a general-purpose operating system (Oracle Linux 8 and Oracle Linux 9), which allows modification, loading, and execution of software that is not part of the validated module. How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configurable Settings and Restrictions

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 21

Physical Security The module is comprised of software only and therefore this section is not applicable. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 22

Non-Invasive Security This module does not implement any non-invasive security mechanism and therefore this section is not applicable. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 23
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary storage for SSPs used by the module as part of service execution
Service
NameFromTo
API input parametersOperator calling application (TOEPP)Cryptographic modulePlaintextManualElectronicN/A
API output parametersCryptographic moduleOperator calling application (TOEPP)
Zeroization MethodDescriptionRationaleOperator Initiation
Free cipher handleZeroizes the SSPs contained within the cipher handleMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievableBy calling the appropriate zeroization functions: AES key: crypto_free_skcipher and crypto_free_aead HMAC key: crypto_free_shash and crypto_free_ahash DRBG internal state: crypto_free_rng Intermediate key generation value: automatically zeroized DH public & private key: crypto_free_kpp EC public & private key: crypto_free_kpp and crypto_free_akcipher
DH public & private key: crypto_free_kpp
EC public & private key: crypto_free_kpp and
crypto_free_akcipher
Remove power from the moduleDe-allocates the volatile memory used to store SSPsVolatile memory used by the module is overwritten within nanoseconds when power is removedBy removing power

Sensitive Security Parameters Management

9.1 Storage Areas

Table 17

Page 24
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentUse
AES keySymmetric KeyAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bitsN/AN/AEncryption Decryption Authenticated encryption Authenticated decryption Message authentication
HMAC keyAuthentication keyHMAC key112-256 bitsN/AN/AMessage authentication code (MAC)
Shared secretShared secretShared secret generated by (EC) Diffie- HellmanEC Diffie-Hellman 128 and 192 bitsN/ASP 800-56Ar3 (DH and ECDH shared secret computation)Shared secret computation
Entropy inputEntropy inputEntropy input used to seed the DRBGs. Compliant with IG D.L.128-448 bits (128-256 bits)ENT (NP) See Table 9N/ARandom number generation
DRBG seedSeedDRBG seed derived from entropy input. Compliant with IG D.L.CTR_DRBG: 128, 192, 256 bits Hash_DRBG: 128, 256 bits HMAC_DRBG: 128, 256 bitsDerived from the entropy input as defined in SP800- 90Arev1N/ARandom number generation
DRBG internal state (V, Key)DRBG Internal stateInternal state of CTR_DRBG and HMAC_DRBG instances. Compliant with IG D.L.Derived from DRBG seed as defined in SP800- 90Arev1N/ARandom number generation
DRBG internal state (V, C)DRBG Internal stateInternal state of Hash_DRBG instances. Compliant with IG D.L.N/ARandom number generation
Intermediate Key Generation ValueIntermediate valueTemporary value generated during Key Pair Generation servicesffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, P- 256, P-384 (112- 200 bits)CKGN/AKey pair generation
DH public keyPublic keyPublic key used for Diffie- Hellmanffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 (112- 200 bits)SP 800-56Ar3 (safe primes) Section 5.6.1.1.4 Testing Candidates random values used are generated by SP 8000-90ADRBGN/AShared secret computation Key pair generation
DH private keyPrivate keyPrivate key used for Diffie- Hellman
EC public keyPublic keyPublic key used for EC Diffie- HellmanP-256, P-384 (128, 192 bits)FIPS 186-4 Appendix B.4.2 Testing Candidates random values used are generated by SPN/AShared secret computation Key pair generation
EC private keyPrivate keyPrivate key used for EC Diffie- HellmanShared secret computation Key pair generation
9.4 SSPs

(EC) DiffieHellman for DiffieHellman for DiffieHellman N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 25
Sensitive security parameter
NameTypeStorageInputStorage DurationRelated SSPs
AES keyCSPRAMAPI input parameters AF_ALG type sockets (input)Until cipher handled is freed or module powered offNone
Shared secretAPI output parameters AF_ALG type sockets (output)DH public & private key EC public & private key
Entropy inputN/AFrom generation until DRBG seed is createdDRBG seed
DRBG seedN/AWhile the DRBG is being instantiatedEntropy input DRBG internal state
DRBG internal state (V, Key)N/AFrom DRBG instantiation until DRBG terminationDRBG seed
DRBG Internal state (V, C)N/ADRBG seed
Intermediate Key Generation ValueNo input No outputUntil key pair generation service completes.DH Private Key, DH Public Key, EC Private Key, EC Public Key
DH public keyPSPAPI input parameters AF_ALG type sockets (input) API output parameters AF_ALG type sockets (output)Until cipher handled is freed or module powered offDH private key, shared secret
DH private keyCSPDH public key, shared secret
EC public keyPSPEC private key, shared secret
EC private keyCSPEC public key, shared secret
Sensitive security parameter
NameTypeStorageInputStorage DurationRelated SSPs
AES keyCSPRAMAPI input parameters AF_ALG type sockets (input)Until cipher handled is freed or module powered offNone
Shared secretAPI output parameters AF_ALG type sockets (output)DH public & private key EC public & private key
Entropy inputN/AFrom generation until DRBG seed is createdDRBG seed
DRBG seedN/AWhile the DRBG is being instantiatedEntropy input DRBG internal state
DRBG internal state (V, Key)N/AFrom DRBG instantiation until DRBG terminationDRBG seed
DRBG Internal state (V, C)N/ADRBG seed
Intermediate Key Generation ValueNo input No outputUntil key pair generation service completes.DH Private Key, DH Public Key, EC Private Key, EC Public Key
DH public keyPSPAPI input parameters AF_ALG type sockets (input) API output parameters AF_ALG type sockets (output)Until cipher handled is freed or module powered offDH private key, shared secret
DH private keyCSPDH public key, shared secret
EC public keyPSPEC private key, shared secret
EC private keyCSPEC public key, shared secret

Table 20 - SSP Information First N/A N/A N/A N/A Table 21 - SSP Information Second

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 will be withdrawn on February 3, 2024. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 26
Self test
NameAlgorithm Or TestTest MethodDetailsImplementationIndicatorImplementa tionConditions
HMAC SHA-512HMAC SHA-512Message AuthenticationIntegrity test for vmlinuz, libkcapi components and sha512hmac binaryGeneric C, ARM64128-bit keySoftware integrityModule becomes operational
RSA PKCS#1 v1.5RSA PKCS#1 v1.5Signature VerificationIntegrity test for kernel object filesGeneric C4096-bit key with SHA-512
Safe primes CKGSafe primes CKGSP 800-56Ar3 Section 5.6.2.1.4N/Acrypto_kpp_g enerate_publi c_key returns 0Generic CPCTPCTKey pair generation
SHA-1SHA-1Message digest0-8184 bit messagesModule is operationalGeneric C, SSSE3, AVX, AVX2, SHA_NI, CEKATCASTModule initialization
SHA-224SHA-224Generic C, SSSE3, AVX, AVX2, SHA_NI, CE, ARM64, ARM64-NEON
SHA-384SHA-384Generic C, SSSE3, AVX, AVX2, SHA_NI, ARM64,
SHA3-224SHA3-224Generic C
AES ECBAES ECBEncryption Decryption (separately)128, 192, 256 bit keysGeneric C, AESNI, CE, ARM64
AES CBC-CS3AES CBC-CS3128 bit keysAESNI, CE, ARM64
AES OFBAES OFBAESNI, ARM64
AES CFB128AES CFB128128, 192, 256 bit keysAESNI ARM64
AES CTRAES CTRGeneric C, AESNI, CE, ARM64
AES CCMAES CCM128, 192, 256 bitAESNI, ARM64
Self test
NameAlgorithm Or TestTest MethodDetailsImplementationIndicatorImplementa tionConditionsTest Properties
HMAC SHA-512HMAC SHA-512Message AuthenticationIntegrity test for vmlinuz, libkcapi components and sha512hmac binaryGeneric C, ARM64128-bit keySoftware integrityModule becomes operational
RSA PKCS#1 v1.5RSA PKCS#1 v1.5Signature VerificationIntegrity test for kernel object filesGeneric C4096-bit key with SHA-512
Safe primes CKGSafe primes CKGSP 800-56Ar3 Section 5.6.2.1.4N/Acrypto_kpp_g enerate_publi c_key returns 0Generic CPCTPCTKey pair generation
SHA-1SHA-1Message digest0-8184 bit messagesModule is operationalGeneric C, SSSE3, AVX, AVX2, SHA_NI, CEKATCASTModule initialization
SHA-224SHA-224Generic C, SSSE3, AVX, AVX2, SHA_NI, CE, ARM64, ARM64-NEON
SHA-384SHA-384Generic C, SSSE3, AVX, AVX2, SHA_NI, ARM64,
SHA3-224SHA3-224Generic C
AES ECBAES ECBEncryption Decryption (separately)128, 192, 256 bit keysGeneric C, AESNI, CE, ARM64
AES CBC-CS3AES CBC-CS3128 bit keysAESNI, CE, ARM64
AES OFBAES OFBAESNI, ARM64
AES CFB128AES CFB128128, 192, 256 bit keysAESNI ARM64
AES CTRAES CTRGeneric C, AESNI, CE, ARM64
AES CCMAES CCM128, 192, 256 bitAESNI, ARM64
AES GCM (internal IV)AES GCM (internal IV)EncryptionAESNI, CE128, 192, 256 bit keys 96-bit IVs
AES GCM (external IV)AES GCM (external IV)Decryption128, 192, 256 bit keys
AES XTSAES XTSEncryption Decryption (separately)AESNI, CE, ARM64128 and 256 bit keys
AES CMACAES CMACMessage authentication128 and 256 bit keys
HMAC SHA-1HMAC SHA-1SHA_NI, CE32-64 bit keys
HMAC SHA-224HMAC SHA-22432-1048 bit keys
HMAC SHA-256HMAC SHA-256Generic C, SHA_NI, CE32-64 bit keys
HMAC SHA-384HMAC SHA-384AVX2, ARM6432-1048 bit keys
HMAC SHA-512HMAC SHA-512Generic C, ARM6432-1048 bit keys
HMAC SHA3-224HMAC SHA3-224Generic C32-1048 bit keys
HMAC SHA3-256HMAC SHA3-25632-1048 bit keys
HMAC SHA3-384HMAC SHA3-38432-1048 bit keys
HMAC SHA3-512HMAC SHA3-51232-1048 bit keys
KAS-FFC-SSCKAS-FFC-SSCShared secret computationffdhe2048
KAS-ECC-SSCKAS-ECC-SSCP-256, P-384
CTR_DRBGCTR_DRBGSeed Generate128, 192, 256 bit keys With/without PR Health test per section 11.3 of SP 800-90A
Hash_DRBGHash_DRBGSHA-256 With/without PR Health test per section 11.3 of SP 800-90A
HMAC_DRBGHMAC_DRBGSHA-256, SHA-512 With/without PR Health test per section 11.3 of SP 800-90A
RSA PKCS#1 v1.5RSA PKCS#1 v1.5Verify4096-bit key with SHA-256
ENT (NP)ENT (NP)RCTEntropy source start-up testEntropy source initialization1024 samples
1024 samplesAPT1024 samples
N/ARCTEntropy source continuous testEntropy source is operationalContinuouslyN/A
N/AAPTN/A
10 Self-Tests
10.1 Pre-Operational Self-Tests

Table 22 - Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 4096 bit key) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully

10.2 Conditional Self-Tests

N/A 5.6.2.1.4 Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 27

N/A N/A Table 23 - Conditional Self-Tests

10.2.1 Conditional Cryptographic Algorithm Tests

The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 23. Services are not available, and data output (via the data output interface) is inhibited during the conditional self-tests. If any of these tests fails, the module transitions to the Error state. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 28
Service
NameDescriptionRole AccessIndicator
Error StateThe Linux kernel immediately stops executingAny self-test failureKernel PanicRestart of the module
10.2.2 Conditional Cryptographic Algorithm Tests

Upon generation of a DH or EC key pair, the module will perform a pair-wise consistency test (PCT) as shown in Table 23, which provides some assurance that the generated key pair is well formed. This test consists of the PCT described in Section 5.6.2.1.4 of SP 800-56Ar3. Services are not available, and data output (via the data output interface) is inhibited during execution of the PCT. If the test fails, the module transitions to the error state.

10.3 Periodic Self-Tests

The module does not implement any periodic self-tests.

10.4 Error States

Table 24 - Error States In the error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation

The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 29
11 Life-Cycle Assurance
11.1 Startup Procedures

The module is distributed as a part of the Oracle Linux 8 (OL8) and Oracle Linux 9 (OL9) RPM packages kernel-uek-5.15.0303.171.5.2.2.el8uek and kernel-uek-5.15.0-303.171.5.2.2.el9uek, libkcapi-1.2.0-2.0.1.el8 and libkcapi-1.3.1-3.0.1.el9, libkcapihmaccalc-1.2.0-2.0.1.el8 and libkcapi-hmaccalc-1.3.1-3.0.1.el9. The modules can achieve the approved mode by:

Page 30
11.2 Administrator Guidance
11.2.1 AES GCM IV

The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in Table 15.

11.2.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

11.2.3 SP 800-56Arev3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use elliptic curve Diffie-Hellman shared secret computation algorithm with Bluetooth protocol. Additionally, the module’s approved key pair generation service (see section 2.8) must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, and the partial public key validation of the peer EC public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3. The module is compliant to IG D.F scenario 2 path (1).

11.2.4 RSA

For RSA signature verification, the module supports modulus sizes 2048, 3072, and 4096 bits compliant to IG C.F. All supported modulus sizes have been CAVP tested. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 31
11.2.5 SHA-3

The module provides SHA-3 hash functions compliant with IG C.C. Every implementation of each SHA-3 function was tested and validated on all of the module’s operating environments. SHAKE functions are not implemented. SHA-3 hash functions are also used as part of a higher-level algorithm for HMAC.

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 Maintenance Requirements

There are no maintenance requirements.

11.5 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel-uek-5.15.0-303.171.5.2.2.el8uek and kernel-uek-5.15.0303.171.5.2.2.el9uek, libkcapi-1.2.0-2.0.1.el8 and libkcapi-1.3.1-3.0.1.el9, libkcapi-hmaccalc-1.2.0-2.0.1.el8 and libkcapihmaccalc-1.3.1-3.0.1.el9 RPM packages can be uninstalled from the Oracle Linux 8 and Oracle Linux 9 systems. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 32
12 Mitigation of Other Attacks

The module does not offer mitigation of other attacks and therefore this section is not applicable. Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 33
AESAdvanced Encryption Standard
AES-NIAdvanced Encryption Standard New Instructions
APIApplication Programming Interface
CASTCryptographic Algorithm Self-Test
CAVPCryptographic Algorithm Validation Program
CBCCipher Block Chaining
CCMCounter with Cipher Block Chaining-Message Authentication Code
CFBCipher Feedback
CMACCipher-based Message Authentication Code
CMVPCryptographic Module Validation Program
CSPCritical Security Parameter
CTRCounter
DHDiffie-Hellman
DRBGDeterministic Random Bit Generator
ECBElectronic Code Book
ECDHElliptic Curve Diffie-Hellman
ECDHElliptic Curve Diffie-Hellman
ECDSAElliiptic Curve Digital Signature Algorithm
ENT (NP)Non-physical Entropy Source
FIPSFederal Information Processing Standards
GCMGalois Counter Mode
GMACGalois Counter Mode Message Authentication Code
HKDFHMAC-based Key Derivation Function
HMACKeyed-Hash Message Authentication Code
IPsecInternet Protocol Security
KATKnown Answer Test
KBKDFKey-based Key Derivation Function
MACMessage Authentication Code
NISTNational Institute of Science and Technology
PAAProcessor Algorithm Acceleration
PBKDF2Password-based Key Derivation Function v2
PKCSPublic-Key Cryptography Standards
RSARivest, Shamir, Adleman
SHASecure Hash Algorithm
SSCShared Secret Computation
SSPSensitive Security Parameter
XTSXEX-based Tweaked-codebook mode with cipher text Stealing

Appendix A.Glossary and Abbreviations Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 34
Approved algorithm
NameKey Size
ANS X9.42-2001Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001
ANS X9.63-2001Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001
FIPS 140-3FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
FIPS 140-3 IGImplementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements
FIPS 180-4Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
FIPS 186-4Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS 197Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
FIPS 198-1The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
FIPS 202SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
PKCS#1Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt
RFC 3526More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt
SP 800-38ARecommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
SP 800-38A AddendumRecommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf
SP 800-38BRecommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
SP 800-38CRecommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf
SP 800-38DRecommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
SP 800-38ERecommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
SP 800-38FRecommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
SP 800-56Ar3Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
SP 800-56Cr2Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
SP 800-90Ar1Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
SP 800-90BRecommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf
SP 800-108r1NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
SP 800-131Ar2Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
SP 800-132Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
SP 800-133r2Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf
SP 800-135r1Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf
SP 800-140BCMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf

Appendix B. References Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module Security Policy

Page 35

Oracle Linux 8 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module and Oracle Linux 9 Unbreakable Enterprise Kernel (UEK7) Cryptographic Module

Referenced URLs