All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Crypto Module for Intel® Alder Point PCH Converged Security and Manageability Engine (CSME)

Certificate#4749StandardFIPS 140-3Level2TypeFirmware-hybridEmbodimentSingle ChipStatusHistoricalVendorIntel Corporation
Medium review priority  ·  no TCB surface named  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeFirmware-hybrid
EmbodimentSingle Chip
StatusHistorical
CaveatInterim Validation. When operated in approved mode. When initialized and configured as specified in Section 11 of the Security Policy.
VendorIntel Corporation

Approved Algorithms (31)

AlgorithmACVP Cert
AES-CBCA3362
AES-CFB128A3362
AES-CMACA3362
AES-CTRA3362
AES-ECBA3362
AES-GCMA3362
AES-OFBA3362
Counter DRBGA3362
ECDSA KeyGen (FIPS186-4)A3362
ECDSA KeyVer (FIPS186-4)A3362
ECDSA SigGen (FIPS186-4)A3362
ECDSA SigVer (FIPS186-4)A3362
HMAC-SHA-1A3362
HMAC-SHA2-224A3362
HMAC-SHA2-256A3362
HMAC-SHA2-384A3362
HMAC-SHA2-512A3362
KAS-ECC Sp800-56Ar3A3362
KDF SP800-108A3362
KTS-IFCA3362
KTS-IFCA3362
RSA Decryption PrimitiveA3362
RSA KeyGen (FIPS186-4)A3362
RSA SigGen (FIPS186-4)A3362
RSA Signature PrimitiveA3362
RSA SigVer (FIPS186-4)A3362
SHA-1A3362
SHA2-224A3362
SHA2-256A3362
SHA2-384A3362
SHA2-512A3362

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Crypto Module for Intel® Alder Point PCH Converged Security and Manageability Engine (CSME)
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load<br/>recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Show Status<br/>Self-Test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Crypto Module for Intel® Alder Point PCH Converged Security and Manageability Engine (CSME)
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load<br/>recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Show Status<br/>Self-Test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Crypto Module for Intel® Alder Point PCH Converged Security and Manageability Engine (CSME) Hardware Version 4.6.0.0 Firmware Version 5.2.0.0 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com © 2024 Intel® Corporation / atsec information security.

Page 2
Table of Contents
#SectionPage
Page 3
3 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 4

© 2024 Intel® Corporation / atsec information security corporation. This document can be

4 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 5
  1. General This document is the non-proprietary FIPS 140-3 Security Policy of the Crypto Module for Intel® Alder Point PCH Converged Security and Manageability Engine (CSME). It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 for a Hybrid Firmware module at an overall security level
  2. The table below shows the security level claimed for each of the security requirement area that comprise the FIPS 140-3 standard: ISO/IEC 24759 Section 6 FIPS 140-3 Section Title Security Level [Number Below]

1 General 2

2 Cryptographic Module Specification 2

3 Cryptographic Module Interfaces 2

4 Roles, Services and Authentication 2

5 Software/Firmware security 2

6 Operational environment N/A

7 Physical security 2

8 Non-invasive security N/A

9 Sensitive security parameter management 2

10 Self-tests 2

11 Life-cycle assurance 2

12 Mitigation of other attacks 2

Overall Level 2 Table 1 - Security Levels

5 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 6

2. Cryptographic Module Specification 2.1. Module Overview The Crypto Module for Intel® Alder Point PCH Converged Security and Manageability Engine (CSME) is classified as a Hybrid Firmware module operating in a single-chip environment. In this document, “CSME”, and “module” are used interchangeably. They all refer to the Crypto Module for Intel® Alder Point PCH Converged Security and Manageability Engine (CSME). The module consists of both hardware (AES, ECC, and HCU hardware cryptographic engines) and firmware providing interface to the engines. 2.2. Module Components The components of the hybrid cryptographic module are specified in the following table: Component Type Version Description Numbers Converged Security Firmware 5.2.0.0 Firmware running in CSME to interface with Management the hardware components of the module. Engine (CSME) Driver CSME ROM Hardware 4.6.0.0 Non-modifiable code which initiates and bootstraps the CSME firmware. Offload and Crypto Hardware 4.6.0.0 AES, ECC, and HCU hardware cryptographic Subsystem (OCS) engines embedded within the Intel PCH chipset. fips_hmac File N/A file containing the integrity check value of the module. Table 2 - Cryptographic Module Components

6 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 7

The module has been tested on the following single-chip platform: Operating System Hardware Platform Processor PAA/Acceleration CSME OS running Alder Point PCH-S Alder Lake S None firmware version 16.1.25.2124 CSME OS running Alder Point PCH-M/P Alder Lake M None firmware version 16.1.25.2124 CSME OS running Alder Point PCH-S Raptor Lake S None firmware version 16.1.25.2124 CSME OS running Alder Point PCH-S Raptor Lake HX None firmware version 16.1.25.2124 CSME OS running Alder Point PCH-M/P Raptor Lake P None firmware version 16.1.25.2124 Table 3 - Operational Environments Figure 1: Alder Point PCH-S with Alder Lake-S Figure 2: Alder Point PCH-M/P with Alder Lake M Figure 4: Alder Point PCH-M/P with Raptor Lake P Figure 3: Alder Point PCH-S with Raptor Lake S / Raptor Lake HX1 2.3. Cryptographic Boundary The module is a firmware hybrid module implemented in the physical embodiment of either a Alder Point PCH-S with Alder Lake S (referred to as ADL-S), Raptor Lake S (RPL-S) or Raptor Lake HX (RPL-

1 RPL-HX is the same exact HW as RPL-S but using a LGA socket.
7 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 8

HX) CPU or an Alder Point PCH-M/P with Alder Lake M (ADL-M) or Raptor Lake P (RPL-P) CPU. The Tested Operational Environment’s Physical Perimeter (TOEPP) is represented by the dashed purple lines in the block diagram shown below. The module provides cryptographic services to operators through an application program interface (API). The cryptographic boundary consists of the OCS ROM, CSME Driver FW, the AES, ECC, and HCU hardware cryptographic engines along with the fips_hmac integrity file. The cryptographic boundary is represented by the dashed red lines below. Figure 5

8 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 9

CAVP Cert Algorithm and Mode / Description / Key Size(s) / Use / Standard Method Key Strength(s) Function A3362 AES CBC, Description: Data Encryption AES CFB128, and Decryption using AES Encryption / [FIPS 197] CTR, with CBC, CFB128, CTR, AES [SP800-38A] ECB, ECB and OFB modes Decryption OFB Key Size(s): 128, 256 bits Strength: 128 and 256 bits A3362 AES [FIPS 197] GCM Description: Authenticated AES Internal IV Encryption and Decryption Encryption / [SP800-38D] (Mode using AES with GCM mode AES 8.2.2) and internally generated IV Decryption Key Size(s): 128, 256 bits Strength: 128 and 256 bits A3362 AES CMAC Description: Message AES Message Authentication Code using Authentication [FIPS 197] AES with CMAC mode Code [SP800-38B] Key Size(s): 128, 256 bits Generation Strength: 128 and 256 bits and Verification A3362 HMAC SHA-1 Description: Message HMAC SHA-224 Authentication Code using Message [FIPS 198-1] SHA-256 HMAC with SHS Authentication SHA-384 Key Size(s): 112 bits or Code SHA-512 greater Generation Strength: 112 bits or greater A3362 CTR_DRBG AES-256 Description: No Prediction Random Resistance, With Derivation Number [SP800Function Enabled Generation 90Arev1] Key Size(s): 256 bits Strength: 256-bits A3362 ECDSA KeyGen Testing Description: ECDSA Key ECDSA keyCandidates Generation using Testing pair [FIPS 186-4] Candidates generation Generation [ANSI X9.62] mode Key Size(s): Curves P-256, PStrength: 128 or 192 bits A3362 ECDSA KeyVer N/A Description: ECDSA public ECDSA publickey verification key [FIPS 186-4] Key Size(s): Curves P-256, P- verification [ANSI X9.62] 384 Strength: 128 or 192 bits A3362 ECDSA SigGen N/A Description: ECDSA Digital ECDSA digital Signature Generation with signature [FIPS 186-4] SHA-256 or SHA-384 generation [ANSI X9.62] message digest Key Size(s): Curves P-256, PStrength: 128 or 192 bits

9 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 10

CAVP Cert Algorithm and Mode / Description / Key Size(s) / Use / Standard Method Key Strength(s) Function A3362 ECDSA SigVer N/A Description: ECDSA Digital ECDSA digital Signature Verification with signature [FIPS 186-4] SHA-256 or SHA-384 verification [ANSI X9.62] message digest Key Size(s): Curves P-256, PStrength: 128 or 192 bits A3362 KAS-ECC Ephemeral Description: ECDH Key ECDH key Unified Agreement with Full agreement [SP 800 Validation, Key Pair 56Arev3] Generation; KAS Role: Initiator, Responder; KDF Methods: One Step KDF; Auxiliary Function Methods: SHA-224, SHA-256, SHA384, SHA-512 Key Size(s): Curves P-256, PStrength: 128 or 192 bits A3362 KBKDF Counter Description: Key Based Key Key Derivation Derivation with Counter [SP 800Length: 32-bits; MAC Mode: 108rev1] HMAC-SHA-1, HMAC-SHA224, HMAC-SHA-256, HMAC-SHA-384, HMACSHA-512; Fixed Data Order: Before Fixed Data Key Size(s): 112-bits or greater Strength: Min 112 bits A3362 KTS-RSA (KTS- KTS-OAEP- Description: Key RSA Key IFC) basic Encapsulation using 2048-, Transport 3072- or 4096-bit modulus (key [SP 800with SHA-224, SHA-256, encapsulation) 56Brev2] SHA-384 or SHA-512 message digest Key Sizes: 2048, 3072, 4096 bits Strength: 112 to 150 bits A3362 KTS-RSA (KTS- KTS-OAEP- Description: Key Un- RSA Key IFC) basic encapsulation using 2048- Transport bit modulus with SHA-224, (key un[SP 800SHA-256, SHA-384 or SHA- encapsulation) 56Brev2]

512 message digest

Key Size(s): 20483 bits Strength: 112 bits

3 Although other sizes were validated by CAVP, only modulus size 2048 is considered approved for key un-encapsulation.

See Section 6.3.1 for more details.

10 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 11

CAVP Cert Algorithm and Mode / Description / Key Size(s) / Use / Standard Method Key Strength(s) Function A3362 RSA KeyGen B.3.3 Description: RSA Key RSA key-pair Generation Generation with 2048-bit generation [FIPS 186-4] of Random modulus using random Primes probable prime generation that are method Probably Key Size(s): 2048 bits Prime Strength: 112 bits A3362 RSA SigGen PKCS#1 Description: RSA Digital RSA digital v1.5 Signature Generation using signature [FIPS 186-4] PKCS#1 v1.5 or RSA-PSS generation RSA-PSS scheme with SHA-224, SHA-256, SHA-384 or SHA-

512 message digest
4096 bits

Strength: 112 to 150 bits A3362 RSA SigVer PKCS#1 Description: RSA Digital RSA digital v1.5 Signature Generation using signature [FIPS 186-4] PKCS#1 v1.5 or RSA-PSS verification RSA-PSS scheme with 2048-, 3072or 4096-bit modulus and SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512 message digest Key Size(s): 1024, 2048, 3072, 4096 bits Strength: 80 to 150 bits A3362 (CVL) RSA (Signature PKCS#1 Description: RSA Digital RSA digital Primitive) v1.5 Signature Generation using signature PKCS#1 v1.5 or RSA-PSS generation [FIPS 186-4] RSA-PSS scheme with 2048-bit primitive modulus on a pre-hashed message digest Key Size(s): 2048 bits Strength: 112 bits A3362 (CVL) RSA Decryption N/A Description: RSA Un- RSA Primitive encapsulation Primitive decryption decryption using 2048-bit primitive [SP 80056Brev2] modulus Key Size(s): 2048 bits Strength: 112 bits A3362 SHS SHA-1, Description: Message Digest SHS message SHA-224, Generation using SHA-1, digest [FIPS 180-4] SHA-256, SHA-224, SHA-256, SHA- generation SHA-384, 384 or SHA-512 SHA-512 Key Size(s): N/A Strength: N/A

11 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 12

CAVP Cert Algorithm and Mode / Description / Key Size(s) / Use / Standard Method Key Strength(s) Function Vendor Affirmed Cryptographic SP800- Description: Vendor Affirmed ECDSA keyKey Generation 133rev2 Asymmetric Key pair (CKG) for section 5.1 Generation for RSA and generation / asymmetric for ECDSA ECDSA RSA key-pair keys and RSA Key Size(s): generation key pairs, RSA: 2048 bits [SP800SP800- ECC: Curves P-256, P-384 133rev2] 133rev2 Strength: section 5.2 RSA: 112 bits for ECDH ECC: 128 or 192 bits N/A ENT (P) N/A Description: Random Random Number Generation from a Number [SP800-90B] Physical Entropy Source Generation Key Size(s): N/A Strength: 256 Table 4

12 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 13

RSA RSA key-pair generation using 1024 bits modulus size RSA digital signature generation using MD5, SM3 or SHA-1 hash algorithm RSA digital signature verification using MD5 or SM3 hash algorithm RSA RSA key encapsulation and un-encapsulation using MD5 or SHA-1 RSA key encapsulation and un-encapsulation using 1024-bit modulus RSA key un-encapsulation using 3072 or 4096-bit modulus Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation

13 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 14

3. Cryptographic Module Ports and Interfaces The cryptographic module is defined as a Firmware-Hybrid module. The logical interfaces are the application program interface (API) through which operators request services from the module (i.e., CSME Crypto Driver). All data and control inputs to the module, and data and status outputs from the module are provided through the module’s API (i.e., logical interface). The SRAM and power interfaces are provided by the computing platform on which it runs. The module does not implement a control output interface. The following table summarizes the four logical interfaces: Physical Port Logical Interface4 Data that passes over port/interface SRAM Data Input All data (except control data entered via the control input interface) that is input to and processed by a cryptographic module SRAM Data Output All data (except status data output via the status output interface and control data output via the control output interface) that is output from a cryptographic module SRAM Control Input Control data used to control the operation of a cryptographic module SRAM Status Output All status data used to indicate the status of a cryptographic module Provided by Power Input external electrical power that is input the underlying to a cryptographic module SoC/PCH. Table 6 - Ports and Interfaces

4 Control Output Interface is not implemented in the module and thus omitted from this table.

14 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 15

4. Roles, Services and Authentication 4.1. Roles The module supports the following roles:

2048 bits)

User ECDSA key pair EC curve ECDSA Key Pair generation User ECDSA public key ECDSA Public Key True or False verification User ECDSA signature ECDSA Private Key Digital Signature generation and Message

15 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 16

User ECDSA signature ECDSA Public Key and True or False verification Digital Signature User ECDH key agreement EC Curve, Party U’s Derived Key ephemeral private key, and Party V’s ephemeral public key User SHS Message digest Message Message Digest generation User Random Number Entropy input string Random Numbers Generation and nonce User Key Derivation Key Derivation Key Derived Key User Show Module Version None Module Base Name + Module Version Number User Show Status None Operational/Error status User On Demand Self-Test None Pass/Fail status (Pre-operational Integrity Test and Conditional Algorithm Self-Test) User Zeroization None None Crypto Officer Module Initialization BIOS settings None User (Non-Approved) Data Key and Plaintext Ciphertext Data Encryption using AES- Data GCM with externally generated IV User (Non-Approved) Data Key and Plaintext Ciphertext Data for Encryption and Data for Encryption; Encryption; Plaintext Decryption using SM4 Key and Ciphertext Data for Decryption Data for Decryption User (Non-Approved) Message Message Digest Message digests using MD5 or SM3 User (Non-Approved) MAC Key and Message Message generation using Authentication Code HMAC-MD5 User (Non-Approved) MAC Key and Message Message generation using less Authentication Code than 112 bits HMAC key User (Non-Approved) Key Key Size RSA Key Pair generation using RSA with 1024 bits modulus size User (Non-Approved) Key EC curve RSA Key Pair generation using ECDSA using secp256k1 curve

16 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 17

User (Non-Approved) Digital Private Key and Digital Signature signature generation Message using RSA with MD5, SM3 or SHA-1 for any modulus size User (Non-Approved) Digital Public Key and Digital True or False signature verification Signature using RSA with MD5, or SM3 for any modulus size User (Non-Approved) Digital Private Key and Digital Signature signature generation Message using ECSCHNORR, ECDAA, or SM2 algorithm User (Non-Approved) Digital Public Key and Digital True or False signature verification Signature using ECSCHNORR, ECDAA, or SM2 algorithm User (Non-Approved) Key Public Key and Encrypted Key for Transport (key Plaintext Key for encapsulation; encapsulation and un- encapsulation; Private Plaintext Key for unencapsulation) using Key and Encrypted encapsulation RSA-OAEP with MD5 or Key for unSHA-1 encapsulation User (Non-Approved) Key Public Key and Encrypted Key for Transport (key Plaintext Key for encapsulation; encapsulation and un- encapsulation; Private Plaintext Key for unencapsulation) using Key and Encrypted encapsulation RSA-OAEP with 1024- Key for unbit modulus encapsulation User (Non-Approved) Key Private Key and Plaintext Key Transport (key un- Encrypted Key encapsulation) using RSA-OAEP with 3072 or 4096-bit modulus User (Non-Approved) Party U’s ephemeral Shared Secret Shared secret private key, and Party computation using V’s ephemeral public ECDHE with key brainpoolp384r1 curve User (Non-Approved) ECC EC Curve, Hash ECC Commit Commit Computation function, public and Computation using ECSCHNORR and private keys ECDAA (used in ECSCHNORR and ECDAA Signature Generation) Table 7 - Roles, Service Commands, Input and Output 4.2. Services The module provides services to the operator that assumes one of the authorized roles, User role after operator is authenticated or CO role which is not authenticated but can only perform

17 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 18

initialization service. All services are described in detail in the user documentation. For Approved services, a fips_indicator flag is enabled in the crypto_ioctl_status_t structure and is set to FIPS_APPROVED_SEC_FUN when a function is an approved service. After the module completes the requested service, it will report the status as an output parameter indicating whether the service was Approved (i.e., set to “1”). The following table lists the Approved services and the non-Approved but allowed services in approved mode of operation, the roles that can perform the service, the Critical Security Parameters involved and how they are accessed: The access rights to keys and SSPs have the following interpretation: Generate: The module generates or derives the SSP. Read: The SSP is read from the module (e.g., the SSP is output). Write: The SSP is updated, imported, or written to the module. Execute: The module uses the SSP in performing a cryptographic operation. Zeroise: The module zeroises the SSP. Service Description Approved Keys and/or Role Access Indicat Security SSPs rights to or Functions Keys and/or SSPs AES data Data AES-CBC, AES keys User Write, 1 encryption Encryption AES-CFB128, Execute, using AES-CTR, Zeroise Advanced AES-ECB, Encryption AES-OFB, Standard AES-GCM algorithm AES data Data AES-CBC, AES key User Write, 1 decryption Decryption AES-CFB128, Execute, using AES-CTR, Zeroise Advanced AES-ECB, Encryption AES-OFB, Standard AES-GCM algorithm AES message Message AES-CMAC AES key User Write, 1 authentication Authenticatio Execute, code generation n Code Zeroise Generation using Advanced Encryption Standard algorithm

18 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 19

Service Description Approved Keys and/or Role Access Indicat Security SSPs rights to or Functions Keys and/or SSPs AES message Message AES-CMAC AES key User Write, 1 authentication Authenticatio Execute, code verification n Code Zeroise Verification using Advanced Encryption Standard algorithm HMAC message Message HMAC-SHA-1 HMAC key User Write, 1 authentication Authenticatio HMAC-SHA-224 Execute, code generation n Code HMAC-SHA-256 Zeroise Generation HMAC-SHA-384 using Hashed HMAC-SHA-512 Message Authenticatio n Code algorithm RSA key-pair Asymmetric RSA Key Module User Generate, 1 generation Key Pair Generation, (CKG Generated Read Generation Vendor Affirmed), RSA public DRBG key / Module Generated RSA private key RSA public key Public Key RSA Key Module User Write, 1 validation Validation of Validation Generated Zeroize RSA public RSA public key key/RSA public key RSA digital Digital PKCS#1 v1.5 Module User Write, 1 signature Signature RSASSA-PSS, Generated Execute, generation Generation DRBG, SHA RSA private Zeroise using RSA key/RSA private key RSA digital Digital PKCS#1 v1.5 Module User Write, 1 signature Signature RSASSA-PSS, Generated Execute, generation Generation DRBG RSA private Zeroise primitive on a pre- key/RSA hashed private key message using RSA RSA digital Digital PKCS#1 v1.5 Module User Write, 1 signature Signature RSASSA-PSS, SHA Generated Execute, verification Verification RSA public Zeroise using RSA key/RSA public key

19 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 20

Service Description Approved Keys and/or Role Access Indicat Security SSPs rights to or Functions Keys and/or SSPs RSA key transport Plaintext Key KTS-OAEP-basic, RSA public User Write, 1 (key Encryption DRBG key Execute, encapsulation) (encapsulatio Zeroise n) using KTSRSA RSA key transport Encrypted KTS-OAEP-basic Module User Write, 15 (key un- Key Generated Execute, encapsulation) Decryption RSA private Zeroise (un- key encapsulatio n) using KTSRSA with a key size of

2048 bits

RSA decryption RSA RSADP Module User Write, 1 primitive decryption Generated Execute, primitive as RSA private Zeroise defined in key/RSA SP800- private key 56BRev2 Section 7.1.2.1 ECDSA key-pair Asymmetric ECDSA Key ECDSA public User Generate, 1 generation Key Pair Generation (CKG key, ECDSA Read Generation Vendor Affirmed), private key DRBG ECDSA public key Public Key ECDSA Public Key ECDSA public Write, 1 validation Validation of Validation key Zeroise ECDSA public key ECDSA digital Digital ECDSA Digital ECDSA Write, 1 signature Signature Signature private key Execute, generation Generation Generation, Zeroise using ECDSA DRBG, SHA ECDSA digital Digital ECDSA Digital ECDSA public Write, 1 signature Signature Signature key Execute, verification Verification Verification, SHA Zeroise using ECDSA ECDH key Diffie- KAS-ECC ECDH private User Write, 1 agreement Hellman Key key and Execute, Agreement remote public using Elliptic key Curve shared secret Generate

5 RSA key pair generation service shall also return “1”.
20 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 21

Service Description Approved Keys and/or Role Access Indicat Security SSPs rights to or Functions Keys and/or SSPs Cryptograph SP 800-56C Generate, y KDF derived Read key SHS message Message SHA-1 None User None 1 digest generation Digest SHA-224 Generation SHA-256 using Secure SHA-384 Hash SHA-512 Standard algorithm Random Number Deterministic CTR_DRBG Entropy Input User Write, 1 Generation Random String Execute Number DRBG Seed Write, Read, Generation Zeroize DRBG internal Write, Read, states (V and Zeroize Key) Key Derivation Derive key KBKDF KBKDF key User Write, 1 using KBKDF derivation key Execute, in counter Zeroise mode KBKDF Generate, derived key Execute Show Module Output None None User None N/A Version Module Name and Module Hardware and Firmware Version Numbers Show Status Outputs None None User None N/A Operational / Error Status of the Module On Demand Self- Performs On See Section 10 None User None N/A Test (Pre- Demand Selfoperational Test Integrity Test and Conditional Algorithm SelfTest) Zeroization Zeroizes all See Section 9.6 All CSPs User Zeroize N/A CSPs

21 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 22

Service Description Approved Keys and/or Role Access Indicat Security SSPs rights to or Functions Keys and/or SSPs Module Configure None None Crypt None N/A Initialization BIOS to

22 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 23

Service Description Algorithms Role Indicator Accessed Key Transport (key Key Transport (key RSA User N/A encapsulation and un- encapsulation and unencapsulation) using RSA- encapsulation) using RSAOAEP with 1024-bit modulus OAEP with 1024-bit modulus Key Transport (key un- Key Transport (key un- RSA User N/A encapsulation) using RSA- encapsulation) using RSAOAEP with 3072 or 4096-bit OAEP with 3072 or 4096-bit modulus modulus Shared secret computation Shared secret computation KAS-ECC User N/A using ECDHE with using ECDHE with brainpoolp384r1 curve brainpoolp384r1 curve ECC Commit Computation ECC Commit Computation ECSCHNORR User N/A using ECSCHNORR and using ECSCHNORR and ECDAA and ECDAA ECDAA (used in ECSCHNORR (used in ECSCHNORR and and ECDAA Signature ECDAA Signature Generation) Generation) Table 9

23 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 24

If attempts are made to authenticate an operator by guessing the private key and presenting the corresponding signature of the CSME firmware, we may suppose a rate of 1μs per attempted authentication (i.e., per guess of the private key and respective signature). This rate would allow 60,000,000 consecutive attempts per minute. The probability of successfully authenticating at this rate is less than or equal to 60,000,000 * 1/2128 (≤1.7632e-31). Role Authentication Method Authentication Strength Crypto Officer N/A (IG 4.1.A) N/A User Role-based 128-bits Table 10 - Roles and Authentication

24 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 25

5. Software/Firmware Security 5.1. Integrity Techniques A firmware integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as an approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e., the module is not operational. The OCS ROM component of the module is a non-reconfigurable memory (specifically masked ROM), which is exempt from the requirements of integrity test. The vendor performed memory degradation testing to assert that the memory will not degrade before 10 (ten) years of manufacture date, thus complying with the requirements of IG 5.A. 5.2. On-Demand Integrity Test The on-demand integrity self-tests can be invoked by the user performing reboot, the device which will cause pre-operational and conditional self-tests to run. 5.3. Executable Code The Converged Security Management Engine (CSME) Driver i.e., module’s firmware, is made up of a single component, provided in the form of binary executable code. The firmware wholly contains the executable form without further compilation.

25 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 26

6. Operational Environment 6.1. Applicability The module operates in a non-modifiable operational environment per FIPS 140-3 security level 2 specifications. The operator cannot modify the firmware component of the module. The module runs on an internal customized proprietary OS (i.e., CSME OS) within the Intel SoC.

26 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 27

7. Physical Security The module is a hybrid firmware module that operates on a single-chip standalone platform which conforms to the Level 2 requirements for physical security. The single chip cryptographic module is a production grade component that include standard passivation (e.g., a sealing coat applied over the chip circuitry to protect it against environmental and other physical damage). The layering process which is used to embed the die into the PCB of the single chip computing platform also provides opacity that prevents viewing internal construction within the visible spectrum. The single chip enclosure prevents accessing of the module’s hardware components without leaving physical tamper evidence.

27 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 28

8. Non-invasive Security This module does not implement any non-invasive security mechanism, and therefore this section is not applicable.

28 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 29

9. Sensitive Security Parameter Management Keys residing in internal storage can only be accessed using the defined API. Memory and process space is protected from unauthorized access by the operating system. Only the process that creates or imports keys can use or export them. According to FIPS 140-3, Sensitive Security Parameters (SSPs) consist of Critical Security Parameters (CSPs) and Public Security Parameters (PSPs). The following table summarizes all CSPs, and PSPs employed by the cryptographic module: SSP Name Strength Security Generati Import / Establish Storag Zeroizatio Use & Function on Export ment e n related Cert Number keys AES keys 128-bits AES-ECB N/A Input: API N/A Store Keys in Use: and AES-CMAC input d as RAM are Symmetric 256-bits AES-CBC, parameters plaint automatic encryption AES- Output: ext in ally and CFB128, N/A, the the zeroized decryption AES-CTR, module RAM. at the ; AES-GCM does not conclusio Message AES-OFB output any n of every authentica AES keys; service or tion A3362 by power- code MD/EE cycling (MAC) (e.g., generation reset, and power- verification off). Related keys: N/A HMAC keys Minimu HMAC N/A Input: API N/A Store Keys in Use: m of A3362 input d as RAM are Message 112-bits parameters plaint automatic authentica ext in ally tion Output: the zeroized code N/A, the RAM. at the (MAC) module conclusio generation does not n of every and output any service or verification HMAC by power- Related keys; cycling keys: N/A MD/EE (e.g., reset, poweroff). Module 112-bits RSA The RSA Input: N/A N/A Store Keys in Use: RSA generated CTR_DRBG public Output: API d as RAM are key RSA public A3362 key can output plaint automatic generation key be parameters ext in ally , RSA (Including generate ; MD/EE the zeroized public key intermediat d using RAM. at the validation e keygen FIPS conclusio Related values) 186-4 n of every keys: RSA Key service or DRBG Generati by power- internal on cycling state, method. (e.g., Module The reset, generated prime power- RSA number off). private used in key

29 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 30

SSP Name Strength Security Generati Import / Establish Storag Zeroizatio Use & Function on Export ment e n related Cert Number keys the RSA (Including Key intermedia Generati te keygen on is values) generate d using SP 80090Arev1 DRBG. Module 112-bits RSA The RSA Input: N/A N/A Store Keys in Use:RSA generated CTR_DRBG public Output: d as RAM are key RSA private A3362 key can N/A plaint automatic generation key be ext in ally , RSA (Including generate the zeroized digital intermediat d using RAM. at the signature e keygen FIPS conclusio generation values) 186-4 n of every , RSA Key RSA Key service or Transport, Generati by power- RSA on cycling Decryption method. (e.g., Primitive The reset, Related prime power- keys: number off). DRBG used in internal the RSA state, Key Module Generati generated on is RSA public generate key d using (Including SP 800- intermedia 90Arev1 te keygen DRBG. values) RSA public 80- RSA N/A Input: API N/A Store Keys in Use: RSA key bits6, A3362 input d as RAM are digital (including 112- parameters plaint automatic signature intermediat bits, Output: ext in ally verification e keygen 128-bits N/A; MD/EE the zeroized , RSA Key values) and RAM. at the Transport, 150-bits conclusio RSA public n of every key service or validation. by power- Related cycling keys: RSA (e.g., private reset, key power- (including off). intermedia te keygen values)

6 Only for RSA Signature Verification.
30 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 31

SSP Name Strength Security Generati Import / Establish Storag Zeroizatio Use & Function on Export ment e n related Cert Number keys RSA private 112- RSA N/A Input: API N/A Store Keys in Use: RSA key bits, A3362 input d as RAM are digital (including 128-bits parameters plaint automatic signature intermediat and Output: ext in ally generation e keygen 150-bits N/A; MD/EE the zeroized Related values) RAM. at the keys: RSA conclusio public key n of every (including service or intermedia by power- te keygen cycling values) (e.g., reset, poweroff). ECDSA/ 128-bits ECDSA, The ECC Input: API N/A Store Keys in Use: ECDH and KAS-ECC- public input d as RAM are ECDSA (ECC) 192-bits SSC key can parameters plaint automatic digital public key CTR_DRBG be Output: API ext in ally signature (including A3362 generate output the zeroized verification inter- d using parameters RAM. at the , ECDSA mediate FIPS ; MD/EE conclusio key keygen 186-4 n of every generation values) ECDSA service or , ECDSA Key by power- public key Generati cycling validation, on (e.g., Shared method reset, secret and the power- computati random off). on value Related used in SSPs: key DRBG generati internal on is state, generate EC Diffied using Hellman SP 800- Shared 90Arev1 Secret, DRBG. ECDSA/ ECDH (ECC) private key (including intermediate keygen values) ECDSA/ 128-bits ECDSA, The ECC Input: API N/A Store Keys in Use: ECDH and KAS-ECC- private input d as RAM are ECDSA (ECC) 192-bits SSC key can parameters plaint automatic digital private key CTR_DRBG be Output: API ext in ally signature (including A3362 generate output the zeroized generation inter- d using parameters RAM. at the , ECDSA mediate FIPS ; MD/EE conclusio key 186-4 n of every generation

31 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 32

SSP Name Strength Security Generati Import / Establish Storag Zeroizatio Use & Function on Export ment e n related Cert Number keys keygen ECDSA service or , Shared values) Key by power- secret Generati cycling computati on (e.g., on method reset, Related and the power- SSPs: random off). DRBG value internal used in state, key EC Diffiegenerati Hellman on is Shared generate Secret, d using ECDSA/ SP 800- ECDH 90Arev1 (ECC) DRBG. public key (including intermediate keygen values) Shared 128- KAS-ECC- N/A Input: N/A The Store Keys in Use: Secret bits and SSC Output: shared d as RAM are Shared 192- A3362 N/A secret is plaint automatic Secret bits generate ext in ally Computati d in the the zeroized on EC Diffie- RAM. at the Related Hellman conclusio SSPs: key n of every ECDSA/ agreeme service or ECDH nt by power- (ECC) function. cycling public key (e.g., (including reset, interpower- mediate off). keygen values), ECDSA/ ECDH (ECC) private key (including intermediate keygen values), SP 800-56C KDF derived key SP 800-56C Conting Key Derived Input: N/A N/A Store Use: Key KDF ent on Agreement using Output: API d as Derivation derived key key Key 800-56C output plaint Related derivati Derivation KDF ext in SSPs: on key A3362 algorith

32 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 33

SSP Name Strength Security Generati Import / Establish Storag Zeroizatio Use & Function on Export ment e n related Cert Number keys and m in the parameters the Shared length EC ; MD/EE RAM. Secret of Diffieoutput Hellman key agreeme nt function KBKDF key Conting Key-Based N/A Input: API N/A Store Keys in Use: Key derivation ent on Key input d as RAM are Derivation key key Derivation parameters plaint automatic Related derivati A3362 Output: ext in ally SSPs: on key N/A; MD/EE the zeroized KBKDF and RAM. at the derived length conclusio key of n of every output service or by powerKBKDF Conting Key-Based Derived Input: N/A N/A Store cycling Use: Key derived key ent on Key using Output: API d as (e.g., Derivation key Derivation KBKDF output plaint reset, Related derivati A3362 algorith parameters ext in power- SSPs: on key m ; MD/EE the off). KBKDF key and RAM. derivation length key of output Entropy 256-bits CTR_DRBG N/A Input: N/A Store Zeroized Use: Input String A3362 Obtained d as during Random from the plaint the power number hardware ext in cycle of generation ENT (P) the the Related outside of RAM. module. SSPs: the Entropy cryptograp Input, hic DRBG boundary Seed but within its TOEPP Output: N/A DRBG Seed 256-bits CTR_DRBG Derived Input: N/A N/A Store Zeroized Use: A3362 from the Output: d as during Random entropy N/A plaint the power number string as ext in cycle of generation defined the the Related by SP RAM. module. SSPs: 800- Entropy 90ARev1 input, DRBG internal state: (V and Key values)

33 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 34

SSP Name Strength Security Generati Import / Establish Storag Zeroizatio Use & Function on Export ment e n related Cert Number keys DRBG 256-bits CTR_DRBG Generat Input: N/A N/A Store Zeroized Use: internal A3362 ed Output: d as during Random state: (V internall N/A plaint the power number and Key y in the ext in cycle of generation values) DRBG. the the Related RAM. module. SSPs: DRBG Seed Table 11 - Life cycle of Sensitive Security Parameters (SSP) 9.1. Random Bit Generation The module provides a SP800-90Arev1 compliant CTR_DRBG (Cert. #A3362) with AES-256 with derivation function and without prediction resistance as the approved Random Number Generator. The CTR_DRBG is implemented in the firmware (i.e., CSME Crypto Driver) and provides between 128 and 65536 bits of output data per each request. In accordance with FIPS 140-3 IG D.L, the 'Entropy input string', 'DRBG Seed', 'DRBG internal state (V and key values)' are considered CSPs by the module. Non-DRBG functions cannot access the DRBG internal state. The module uses the output of the SP 800-90B and IG D.J compliant ENT (P) as the entropy source for seeding the CTR_DRBG inside the module. The entropy source provides a 128-bit output. At the output of the entropy source, the available entropy is 128 bits per 128 bits, thus full entropy. The module collects 384 bits of entropy input from the entropy source to seed the DRBG providing at least 256 bits of entropy. Entropy Source Minimum number of bits Details of entropy SP800-90B ENT (P) 128-bits per 128-bits Hardware entropy source with CBC-MAC Physical conditioning component (Cert. #A2542) located within the tested execution environment’s physical perimeter. Table 12 - Non-Deterministic Random Number Generation (Entropy Source) Specification 9.2. SSP Generation The module implements asymmetric key generation services for RSA7, ECDSA and EC Diffie-Hellman keys, compliant to SP800-133rev2 Cryptographic Key Generation (CKG, vendor affirmed) in accordance with IG D.H. For generating RSA and ECDSA keys, a seed (i.e., random value) used in asymmetric key generation obtained directly from the module’s approved SP800-90Arev1 DRBG (i.e., CTR_DRBG, Cert. #A3362). This follows asymmetric key generation method compliant with FIPS186-4 and defined in Section 5.1 of SP 800-133rev2 . The EC Diffie-Hellman keys are generated internally by the module using the ECDSA key generation method compliant with FIPS186-4 and SP800-56Arev3 as defined in section 5.2 of SP800-133rev2. The module does not offer a dedicated service for generating symmetric keys.

7 Approved RSA Key Generation will only use public key exponent e = 2 16 + 1
34 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 35

9.3. SSP Establishment The module provides an approved [SP800-56Arev3] EC Diffie-Hellman Key Agreement Scheme. The key agreement scheme is compliant with IG D.F scenario 2 path (2). The CAVP testing was performed end-to-end, using the Ephemeral Unified Model with approved domain parameters (i.e., P-256 and P-384 curves and SHA-224, SHA-256, SHA-384, and SHA-512 auxiliary function) resulting in a KASECC Cert. #A3362. The module provides key derivation service using SP800-108 KBKDF. The module supports SP800-56Brev2 Key Transport using KTS-OAEP-basic8. RSA-KTS encapsulation is approved with the key sizes of 2048, 3072 and 4096 bits in approved mode while RSA-KTS unencapsulation is approved only with a key size of 2048 bits in the approved mode. 9.3.1. Assurances The following statements explain the SP800-56Brev2 assurances found in its Section 5:

6.4.1.1 of the SP 800-56BRev2. Additionally the entity shall renew these assurances

over time by using any method described in section 6.4.1.5 of the SP 800-56BRev2. 2) For use of an RSA key wrapping (encapsulation) service in the context of key transport per IG D.G,

8 KTS-OAEP-basic is the basic scheme without key confirmation defined in section 9.2.3 of SP800-56Brev2.

35 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 36

9.4. SSP Entry / Output The module does not support manual key entry or intermediate key generation key output. SSPs entered into the module are electronically entered in plain text form. SSPs are output from the module in plain text form if required by the calling application. 9.5. SSP Storage The symmetric keys and HMAC keys are provided to the module via API input parameters and are zeroized by the module before they are released in the memory. Asymmetric public and private keys are provided to the module via API input parameters and are destroyed by the module before they are released in the memory. 9.6. SSP Zeroization The memory occupied by SSPs is stored in RAM during runtime, allocated by regular memory allocation operating system calls. Every service of the module performs a zeroization operation as the last step before exiting from the function. The zeroization operation overwrites the memory occupied by keys with “zeros” before de-allocating the memory with the regular memory deallocation operating system call. In addition, the RAM is volatile so zeroization of all SSPs can be performed by power-cycling (i.e., reset) or power-off the computing platform. Additionally, while zeroization is in progress, data output is inhibited. Once a SSP is zeroized, it is no longer retrievable. The module uses an implicit indicator to express the completion of the zeroization operation. Zeroization is performed by the module through the course of executing its services. The module implicitly indicates the success of the zeroization by accepting the proceeding request. If the module accepts the next service request, this implicitly indicates that the zeroization of the previous service request successfully completed. Lastly, temporary SSPs are zeroized when they are no longer needed.

36 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 37

10. Self-Tests The module performs pre-operational firmware integrity test and conditional algorithm self-tests to ensure the correctness of the cryptographic algorithm implementations within the module boundary. The pre-operational and conditional cryptographic algorithm self-tests (CAST) are performed automatically at power-up or reset without any user interaction and must successfully pass all tests prior to providing any services to the caller. While the module is performing self-test, all access through data input, data output, control input and status output are inhibited. The module executes functions sequentially. While the self-tests are executing, no interaction is possible. The module does not implement a Software/Firmware Load Test, Manual Entry Test, Conditional Bypass Test nor Conditional Critical Functions Test, as the related functions are not implemented. If any test fails, the module reports an error message through the status interface and enters the Error State. No data output and cryptographic operation are performed while the module is in the Error State. To recover from the Error State, the module must transition to the power off state, then to the power on state by a power cycle and must successfully pass both pre-operational integrity test and conditional algorithm self-tests. That is to say, when an error condition is detected and the error state is entered, all data output via the data output interface is inhibited, until error recovery occurs. 10.1. Pre-operational Firmware Integrity Test The module performs pre-operational firmware integrity tests automatically when the computing platform is powered on, and the module is loaded into memory. The module’s OCS ROM first performs an HMAC-SHA-256 conditional cryptographic algorithm self-test (CAST) and after successfully passing, the module performs an integrity test of the module’s firmware component (Converged Security Management Engine (CSME) Driver) by computing an HMAC-SHA-256 value of the binary and comparing it with the value stored in the module that was computed at build time. If the HMAC values do not match, the test fails, and the module enters the Error state. While the module is performing pre-operational firmware integrity test, the module’s data output is inhibited. 10.2. Conditional Cryptographic Algorithm Self-Tests The module performs a conditional cryptographic algorithm self-test (CAST) on all FIPS-Approved cryptographic algorithms supported in the approved mode of operation and per IG 10.3.A. The conditional cryptographic algorithm self-tests are performed before the first use of the related algorithm: First the AES ECB, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512,and KAS-SSC are selftested in hardware, prior to the integrity test of the firmware component, and then the rest of the CASTs are automatically performed after the integrity test completes successfully (and before the module enters the operational state 9). If any of the cryptographic algorithm self-test fails, the module will enter the Error State, wherein all data output is inhibited. The pre-operational and conditional algorithm tests performed are shown in the following table: Algorithm Conditional CAST Performed AES

9 Operational State is the state where the operator can request services of the module.

37 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 38

Algorithm Conditional CAST Performed SHS • SHA-1 KAT • SHA-256 KAT • SHA-512 KAT ECDSA • ECDSA Signature Generation KAT using P-256 curve and SHA-256 message d • Signature Verification KAT using P-256 curve and SHA-256 message digest DRBG • CTR_DRBG KAT RSA • RSA PKCS#1 v1.5 Signature Generation KAT with 2048 modulus and SHA-256 message digest • RSA PKCS#1 v1.5 Signature Verification KAT with 2048 modulus and SHA-256 message digest • KTS-OAEP Encryption KAT with 2048 modulus • KTS-OAEP Decryption KAT with 2048 modulus SP800-108rev1 KDF • KBKDF KAT using HMAC-SHA-384 KAS-SSC • KAS-ECC Shared Secret Computation KAT using P-256 curve • One-Step KDF KAT using HMAC-SHA-384 OHT • Health Test for ENT (P) Table 13 - Conditional Cryptographic Algorithm Self-Tests 10.2.1. Entropy Related Health Tests Intel has designed a proprietary Online Health Test (OHT) for the ENT (P) that can detect when:

  1. Some value is consecutively repeated more times than expected, given the assessed entropy per sample of the source.
  2. Some value becomes much more common in the sequence of noise source outputs than expected, given the assessed entropy per sample of the source. After each reset, the OHT is automatically started and runs continuously until power-off or the next reset. A constant stream of 256-bit samples is outputted from the noise source into the OHT where it tracks the entropy health. The OHT is designed to have the same functionality and health coverage as the following health tests required by NIST SP 800-90B: • Start-Up Tests • Repetitive Counter Test (RCT) • Adaptive Proportion Test (APT) The OHT was designed to detect repeating patterns from the ENT (P). The OHT accomplishes this by continuously monitoring the statistical arrival rate of short bit patterns. As the bit patterns arrive, they are counted and then tested to see if the total pattern number lay within the expected binomial distribution. 10.2.2. Conditional Pair-wise Consistency Tests The module performs a Conditional Pair-wise Consistency Tests upon generating RSA and ECDSA/ECDH asymmetric key pairs. The test is implemented by calculating a signature on a
38 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 39

predetermined data and subsequently performing a verification of the signature. If the signature cannot be verified, the generated key-pair is discarded, and the module enters the Error State. 10.3. On-Demand and Periodic Self-Tests The on-demand and periodic self-tests can be invoked by the user performing reboot, the device which will cause pre-operational and conditional self-tests to run. 10.4. Error State The module implements one error state. If any of the self-tests described in sections above fails, the module indicates the error indicator associated with the specific error by invoking the crypto_fips_error_handler() function and causes the module to enter the error state. In the error state, no cryptographic services are provided, and data output is prohibited. When the module is in the error state, the only method to recover is to reset the computing platform which results in the module reperforming the pre-operational firmware integrity test and the conditional cryptographic algorithm self-tests. The module will only enter the operational state after successfully passing both.

39 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 40
  1. Life-cycle Assurance 11.1. Operator’s Guidance The following security guidance for Crypto Officer role is described below: • To enable the module for use in a FIPS validated configuration, the Crypto Officer must first perform initialization of the module. If FIPS operations are not enabled within the BIOS settings, then the module is not a 140-3 validated module and cannot enter the approved mode which means no FIPS services will be available. The Crypto Officer shall perform the following steps to initialize the module. o Power on the Host Platform and enter the BIOS menu setting. o Enter “FIPS mode” submenu. o Set “FIPS Mode Select” to <Enabled>. o Save and exit the BIOS menu. The Host Platform will the power-cycle (i.e., reset) and proceed to boot. Once “FIPS Mode Select” is Enabled, the CSME OS will set the crypto_fips_en file which serves the control input the module and initializing it as a FIPS 140-3 validated module following power-on. The following security guidance for User role is described below: • The User of the module can call the API function crypto_drv_fips_mode_status() to check if the module is an FIPS 140-3 validated module. If the call returns 1, the module is an FIPS 140-3 validated module; it returns 0 if the module is not an FIPS 140-3 validated module. Note, this is not the service indicator; the service indicator is provided as described in Section 4.2. Services. 11.2. Delivery Procedure The firmware component of the module is distributed as part of the CSME Device Driver firmware. Firmware is released on VIP site https://platformsw.intel.com. Only Original Equipment Manufacturers (OEM) with signed Intel agreements can download this firmware. The module is contained within one of the platforms listed in Table
  2. These Intel platforms are a tightly coupled component of 12th Generation Intel® Core™ chipsets. These platforms can be bundled with CPU as a kit, or outside the CPU packages as a discreet component mounted on the Printed Circuit Board (PCB). Intel requires their Original Equipment Manufacturer (OEM) partners that create, market, and sell these systems to meet the brand validation requirements and testing to ensure they have been designed and constructed with the proper components including CPU and Intel chipsets. Intel’s brand validation tool would detect any mismatch of CPU and chipset for any system being designed. Intel manages and implements security best practices throughout every step of their supply chain and works closely with their partners (i.e., Original Design Manufacturer and Original Equipment Manufacturer) to ensure that they meet Intel’s requirements for secure supply chain processes as specified in partner contract agreements. Therefore, end customers can be assured that any system had been designed and tested to conform to Intel’s requirements will always have an Intel PCH that contains the module. 11.3. AES GCM IV The User shall consider the following requirements and restrictions when using the module. AESGCM IV is constructed in accordance with SP800-38D in compliance with IG C.H scenario
  3. GCM IV generation uses an approved CTR_DRBG that is internal to the module’s boundary and the IV length is at least 96 bits (per SP 800-38D).
40 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 41

11.4. End of Life The module automatically performs secure sanitization at the conclusion of any service performed by the module. Since the module does not retain any persistent SSPs, the procedures for secure sanitization of the cryptographic module are inherently met.

41 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 42

12. Mitigation of Other Attacks The module provides mechanism to protect against RSA timing attacks. The OCS's (i.e., module’s hardware component) big-number arithmetic can perform the modular exponentiation operations in constant time. This means, the time taken is only dependent on the size of operands and not dependent on the value of the operands. During modular exponentiation, an extra mathematical step is needed when the processed bit of the key is 1 compared to a zero bit. The OCS’s big-number arithmetic implements a “dummy” step when processing a zero bit from the key such that this processing time is identical to the processing time of a set bit. Using this approach, an observer is unable to determine the number of set and unset bits from observing the timing behavior of the modular exponentiation operation. The CSME Crypto Driver takes advantage of this feature by enabling the functionality in the OCS for private key operations. This implies that the computation time using the private key is constant, hence mitigating timing attacks. The OCS’s AES block cipher in OCS supports an implementation that is resistant to DPA (Differential Power Analysis) attacks. The mechanism implemented is based on masking AES inputs at every stage with a pseudo-random mask. The seed for the pseudorandom mask generator is programmable. The OCS’s ECC has protection against known DPA Attacks. This is achieved by randomizing the inputs so there is no correlation to the power consumed and ECC operations. This is done by transforming inputs from one coordinate system (Affine) to another coordinate system (Randomized Jacobian).

42 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 43

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard ADL-P Alder Lake P ADL-S Alder Lake S API Application Program Interface CBC Cipher Block Chaining CMVP Cryptographic Module Validation Program CSME Converged Security and Manageability Engine CSP Critical Security Parameter CTR Counter Mode CVL Component Validation List DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDAA Elliptic Curve Direct Anonymous Attestation ECSCHNORR Schnorr-type Digital Signature Scheme over Elliptic Curve FIPS Federal Information Processing Standards Publication HMAC Hash Message Authentication Code HCU Hash Computation Unit KAS Key Agreement Scheme KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding PCH Platform Controller Hub PCT Pair-wise Consistency Test PSS Probabilistic Signature Scheme RPL-M Raptor Lake M RPL-P Raptor Lake P RPL-S Raptor Lake S RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm

43 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 44

Appendix B. References FIPS140-3 FIPS 140-3 - Derived Test Requirements (DTR) March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140.pdf FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program October 7, 2022 https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS180-4 Secure Hash Standard (SHS) March 2012 http://csrc.nist.gov/publications/fips/fips180-4/fips 180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198 1/FIPS-198 1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf SP800-56Arev3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP800-56Brev2 NIST Special Publication 800-56B Revision 2 - Recommendation for Pair Wise Key Establishment Using Integer Factorization Cryptography March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf

44 of 45

© 2024 Intel® Corporation / atsec information security corporation.

Page 45

SP800-90Arev1 NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Draft Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800- NIST Special Publication 800-131A - Transitions: Recommendation 131Arev2 for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-133rev2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf

45 of 45

© 2024 Intel® Corporation / atsec information security corporation.