All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

Certificate#4757StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorApple Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date8/8/2026
EntropyENT (P)
CaveatInterim validation. When operated in approved mode
VendorApple Inc.
Hardware versions2.0

Approved Algorithms (38)

AlgorithmACVP Cert
AES-CBCA510
AES-CBCA1342
AES-CBCA1343
AES-CBCA1344
AES-CBCA1345
AES-CBCA1469
AES-ECBA501
AES-ECBA510
AES-ECBA1362
AES-ECBA1469
AES-KWA1343
AES-KWA1345
Counter DRBGA501
Counter DRBGA1362
HMAC-SHA-1A1340
HMAC-SHA-1A1345
HMAC-SHA2-224A1340
HMAC-SHA2-224A1345
HMAC-SHA2-256A1340
HMAC-SHA2-256A1341
HMAC-SHA2-256A1345
HMAC-SHA2-384A1340
HMAC-SHA2-384A1345
HMAC-SHA2-512A1340
HMAC-SHA2-512A1345
HMAC-SHA2-512/256A1340
SHA-1A1340
SHA-1A1345
SHA2-224A1340
SHA2-224A1345
SHA2-256A1340
SHA2-256A1341
SHA2-256A1345
SHA2-384A1340
SHA2-384A1345
SHA2-512A1340
SHA2-512A1345
SHA2-512/256A1340

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces2
Roles, Services, and Authentication2
Software/Firmware Security2
Physical Security3
Sensitive Security Parameter Management2
Self-Tests1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>11.1</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C3,C5,C6 clue;
  class I1,I3,I5,I6 infer;
  class R1,R3,R5,R6 risk;
  class E1,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>11.1</i><br/>src: certificate.firmwareVersions"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Apple Inc. Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] document version 1.1 July 2024 Prepared for: Apple One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Trademarks Apple’s trademarks applicable to this document are listed in https://www.apple.com/legal/intellectual-property/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirely without revision.

2 of 33
Page 3

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table of Contents 2.1 2.1.1 2.2 2.3 2.3.1 2.3.2 4.1 4.2 4.3 4.3.1 4.3.2 5.1 5.2 9.1 9.2 9.3 9.4 9.5 9.6 10.1 10.2 10.2.1 10.2.2 10.2.3 10.3 11.1 11.2 11.3 Appendix A. Appendix B. This document may be reproduced and distributed only in its original entirely without revision.

3 of 33
Page 4

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] List of Tables This document may be reproduced and distributed only in its original entirely without revision.

4 of 33
Page 5
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic Module Specification2
33Cryptographic Module Interfaces2
44Roles, Services, and Authentication2
55Software/Firmware Security2
66Operational EnvironmentNot Applicable
77Physical Security3
88Non-invasive SecurityNot Applicable
99Sensitive Security Parameter Management2
1010Self-tests2
1111Life-cycle Assurance2
1212Mitigation of Other AttacksNot Applicable

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 2 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. The column names of the tables follow the template tables provided in NIST SP 800-140B. Table 1 describes the individual security areas of FIPS 140-3, as well as the Security Levels of those individual areas. Table 1 - Security Levels This document may be reproduced and distributed only in its original entirely without revision.

5 of 33
Page 6

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

2 Cryptographic Module Specification

The Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] cryptographic module (hereafter referred to as “the module”) is a Hardware module implemented as a sub-chip running on a single-chip processor. The version of module’s firmware is 11.1 and the Hardware version is 2.0. The sub-chip module is embedded in the hardware listed in Table 2. The sub-chip module’s firmware is bundled together with the underlying Device OS.

2.1 Module components

The module consists of both firmware and hardware components. The Secure Key Store (SKS) application is the module’s firmware which operates within the sepOS execution environment which is separate from the Device OS’s (iOS 14.2, iPadOS 14.2, and macOS 11.0.1) execution environment. The firmware boundary is defined as the API offered by the mailbox interface to callers from the Device OS execution environment. SKS has an API layer that provides consistent interfaces to the supported services and therefore the supported cryptographic algorithms. In addition, the module provides InterProcess Communication (IPC) interfaces to other applications executing within the sepOS execution environment. The sepOS execution environment is driven by its own SoC and operates from a dedicated region of the device’s memory. Both the Device’s and sepOS’ execution environments are physically separated on the SoC and thus execute independently of each other. The cryptographic module boundary includes the following hardware components:  Hardware Random Number Generator composed of an SP800-90ARev1 Approved CTR_DRBG and a compliant SP800-90B physical entropy source.  Hardware AES implementations using 128-bit to 256-bit keys.  Hardware Public Key Accelerator (PKA) used for generating non-approved P-224, P-256, P-384 or P-521 asymmetric key pairs.  A shared memory segment (called Mailbox) that can be accessed by both SKS and the Device OS’s XNU kernel, supported with an interrupt system and used by XNU to request services of the SKS module.  A volatile RAM for storing runtime SSPs.  A non-volatile Flash for storing Class D key and encrypted user keybag.

2.1.1 Photograph and Block Diagram

The module physical boundary is defined by the SoC perimeter. Figure 1 - Picture of the SoC tested (Apple A13 Bionic, Apple A14 Bionic and Apple M1) The block diagram below depicts the following information:  The location of the logical object of the firmware components of the hardware module with respect to the operating system, other supporting applications, and the cryptographic boundary so that all the logical and physical layers between the logical object and the cryptographic boundary are clearly defined.  The interactions of the logical object of the module with the operating system and other supporting applications resident within the cryptographic boundary. This document may be reproduced and distributed only in its original entirely without revision.

6 of 33
Page 7
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeatures
iPad Air (4th generation) running sepOS distributed with iPadOS 14.2iPad Air (4th generation) running sepOS distributed with iPadOS 14.22.011.1Apple A14 BionicN/A
iPhone 11 Pro running sepOS distributed with iOS 14.2iPhone 11 Pro running sepOS distributed with iOS 14.22.011.1Apple A13 BionicN/A
iPhone 12 running sepOS distributed with iOS 14.2iPhone 12 running sepOS distributed with iOS 14.22.011.1Apple A14 BionicN/A
MacBook Air running sepOS distributed with macOS Big Sur 11.0.1MacBook Air running sepOS distributed with macOS Big Sur 11.0.12.011.1Apple M1N/A

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Figure 2 - Block diagram

2.2 Tested Platforms

The hardware module has been tested by atsec CST lab on the following platforms: 2.0 N/A 2.0 N/A 2.0 N/A 2.0 N/A Table 2 - Tested Operational Environments

2.3 Cryptographic Algorithms

The table below lists all Approved or Vendor-affirmed security functions of the module, including specific key size(s) employed for approved services, and implemented modes of operation. Some of the CAVP certificates, show testing for AES CTR, CCM or OFB modes but they are not used by the module. The module is in the Approved mode of operation when the module utilizes the services that use the security functions listed in the table below. This document may be reproduced and distributed only in its original entirely without revision.

7 of 33
Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES [FIPS 197] [SP 800-38 A]A1342 (asm_arm)CBCKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A1343 (c_asm)CBCKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A1344 (c_glad)CBCKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A1345 (c_ltc )CBCKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A510 (skg)CBCKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A1469 (skg)CBCKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A501 (trng)ECBKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A1362 (trng)ECBKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A510 (skg)ECBKey Length/ Key Strength: 256Symmetric Encryption and Decryption
AES [FIPS 197] [SP 800-38 A]A1469 (skg)ECBKey Length/ Key Strength: 256Symmetric Encryption and Decryption
CTR_DRBG [SP800- 90ARev1]A501 (trng)AES-256; No Derivation Function; Prediction Resistance EnabledKey Length/ Key Strength: 256Random Number Generation
CTR_DRBG [SP800- 90ARev1]A1362 (trng)AES-256; No Derivation Function; Prediction Resistance EnabledKey Length/ Key Strength: 256Random Number Generation
CKG [SP800- 133Rev2 section 4]vendor affirmedAES keyKey Length/ Key Strength: 256Key Generation
HMAC [FIPS 198]A1340 (vng_ltc)SHA-1Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1345 (c_ltc)SHA-1Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1340 (vng_ltc)SHA2-224Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1345 (c_ltc)SHA2-224Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1340 (vng_ltc)SHA2-256Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1345 (c_ltc)SHA2-256Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1341 (vng_neon)SHA2-256Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1340 (vng_ltc)SHA2-384Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1345 (c_ltc)SHA2-384Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1340 (vng_ltc)SHA2-512Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1345 (c_ltc)SHA2-512Key Length/ Key Strength: 112 bits or greaterKeyed Hash
HMAC [FIPS 198]A1340 (vng_ltc)SHA2-512/256Key Length/ Key Strength: 112 bits or greaterKeyed Hash
KTS [SP 800-38 F]A1343 (c_asm)AES-KWKey Length/ Key Strength: 256Key Wrapping
KTS [SP 800-38 F]A1345 (c_ltc )AES-KWKey Length/ Key Strength: 256Key Wrapping
SHS [FIPS 180-4]A1340 (vng_ltc)SHA-1N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA-1N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-224N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-224N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-256N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-256N/AMessage Digest
SHS [FIPS 180-4]A1341 (vng_neon)SHA2-256N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-384N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-384N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-512N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-512N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-512/256N/AMessage Digest
Ed25519 Key GenerationEdDSA signature scheme
Ed25519 shared secret generationEdDSA shared secret generation
Curve 25519 key generationKey generation
Curve 25519 shared secret generationshared secret generation
ECDH Key Pair GenerationElliptic Curve Integrated Encryption Scheme (ECIES) key generation
ECDH Shared Secret ComputationElliptic Curve Integrated Encryption Scheme (ECIES) Encryption
ANSI X9.63 KDF
AES-GCM
ECDH Shared Secret ComputationElliptic Curve Integrated Encryption Scheme (ECIES) Decryption
ANSI X9.63 KDF
AES-GCM
HKDF RFC5869HMAC based Key Derivation Function
PBKDFKey Derivation
ECDSA implemented in FWKey generation as part of Ref key generation service and validation, Signature generation and verification as part of Device keybag service
ECDSA implemented in HW PKAKey generation as part of Ref key generation service Signature generation primitive
ECDH implemented in FWShared secret computation
ECDH implemented in HW PKAShared secret computation
AES KW using class D key, keys from Device keybag, keysKey wrapping and unwrapping

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

2.3.1 Approved Security Functions

This document may be reproduced and distributed only in its original entirely without revision.

8 of 33
Page 9
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
SHS [FIPS 180-4]A1340 (vng_ltc)SHA-1N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA-1N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-224N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-224N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-256N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-256N/AMessage Digest
SHS [FIPS 180-4]A1341 (vng_neon)SHA2-256N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-384N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-384N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-512N/AMessage Digest
SHS [FIPS 180-4]A1345 (c_ltc)SHA2-512N/AMessage Digest
SHS [FIPS 180-4]A1340 (vng_ltc)SHA2-512/256N/AMessage Digest
Ed25519 Key GenerationEdDSA signature scheme
Ed25519 shared secret generationEdDSA shared secret generation
Curve 25519 key generationKey generation
Curve 25519 shared secret generationshared secret generation
ECDH Key Pair GenerationElliptic Curve Integrated Encryption Scheme (ECIES) key generation
ECDH Shared Secret ComputationElliptic Curve Integrated Encryption Scheme (ECIES) Encryption
ANSI X9.63 KDF
AES-GCM
ECDH Shared Secret ComputationElliptic Curve Integrated Encryption Scheme (ECIES) Decryption
ANSI X9.63 KDF
AES-GCM
HKDF RFC5869HMAC based Key Derivation Function
PBKDFKey Derivation
ECDSA implemented in FWKey generation as part of Ref key generation service and validation, Signature generation and verification as part of Device keybag service
ECDSA implemented in HW PKAKey generation as part of Ref key generation service Signature generation primitive
ECDH implemented in FWShared secret computation
ECDH implemented in HW PKAShared secret computation
AES KW using class D key, keys from Device keybag, keysKey wrapping and unwrapping

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Table 3 - Approved Algorithms This module does not implement non-Approved algorithms Allowed in the Approved Mode of operation nor non-Approved algorithms used in the Approved mode of operation with no security claimed.

2.3.2 Non-Approved Security Functions

The table below lists Non-Approved security functions that are not Allowed in the Approved Mode of Operation: This document may be reproduced and distributed only in its original entirely without revision.

9 of 33
Page 10

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] from iCloud keybag, keys from Escrow keybag, keys from any keybag used with Class B Curve 25519 encrypt/decrypt, keys from Backup keybag used for wrapping Ed25519 keys, or NVM storage controller key Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation This document may be reproduced and distributed only in its original entirely without revision.

10 of 33
Page 11
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Mailbox Memory, IPC channelMailbox Memory, IPC channelData InputData inputs are provided through the memory used for mailbox and IPC.
Mailbox Memory, IPC channelMailbox Memory, IPC channelData OutputData outputs are provided through the memory used for mailbox and IPC.
Mailbox Memory, IPC channelMailbox Memory, IPC channelControl InputControl input which controls the module’s operation is provided through the mailbox by the Device OS’ kernel and to applications located within the sepOS execution environment through IPC.
Mailbox Memory, IPC channelMailbox Memory, IPC channelStatus OutputStatus output is provided in return codes and through messages returned via the mailbox or the IPC. Documentation for each service invocation lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation.
single chip's Power portsingle chip's Power portPower interfacePower

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

3 Cryptographic Module Interfaces

are described in (Table 5): Table 5 - Ports and Interfaces data from SSP information. The module communicates any error status synchronously through the use of its documented return codes, thus indicating Caller-induced or internal errors do not reveal any sensitive material to callers. Cryptographic bypass capability is not The module does not implement or support the use of a trusted channel. This document may be reproduced and distributed only in its original entirely without revision.

11 of 33
Page 12
Service
NameRolesInputOutput
User keybag Services via MailboxUserUser credential, reference to class C/A key from the user keybagstatus (success/error)
General Authentication serviceUser credential, reference to class C/A key from the user keybagstatus (success/error)
Generation of DEKreference to class C/A key from the user keybagwrapped DEK
Backup keybag generationN/Astatus (success/error)
Backup keybag servicewrapped DEK, reference to class C or A key from the user keybagwrapped DEK
Keychain DEK service using AK/ AKU/ AKPU/ CK/ CKU class keypointer to AK/AKU/ AKPU/ CK/ CKU class key, wrapped DEKunwrapped DEK
Escrow keybag creationN/Astatus (success/error)
Export keybagreference to a keybag to be exportedkeybag with HMAC tag
Device WipeCrypto Officer (CO)N/AN/A
Show StatusN/Astatus (success/error)
Show Module InformationN/AModule name and version
Class D File System Services to wrap or unwrap DEK (Non-approved)Pointer to Class D key from Backup keybag or Flash in SEP, wrapped or unwrapped DEKwrapped or unwrapped file DEK
Class D key service to encrypt or decrypt data (Non-approved)Pointer to Class D key from Device or iCloud Keybag, plaintext or ciphertext dataciphertext or plaintext data
Class DK/DKU File System Services to wrap or unwrap keychain (Non-approved)Pointer to Class DK/DKU key from Backup or User Keybag, wrapped or unwrapped keychainwrapped or unwrapped file keychain
Class DK/DKU key used for encrypting or decrypting of data (Non-approved)Pointer to Class DK/DKU key from Device or iCloud Keybag, plaintext or ciphertext dataciphertext or plaintext data
Generate Ref-Keys (Non-approved)N/Astatus success/error, ref-key
Signature generation using Ref-key (Non- approved)pointer to ref-key, datasigned data
Signature verification using Ref-key (Non- approved)pointer to ref-key, signed dataverification result pass/error
Encryption using Ref-key (Non-approved)Pointer to ref key, dataciphertext
Decryption using Ref-key (Non-approved)Ciphertext, Pointer to ref keyplaintext
Generate Shared Secret using Ref-key (Non- approved)pointer to ref-key, remote public keyshared secret

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] The module supports two authorized roles: the User and the Crypto Officer. No support is provided for multiple concurrent operators or a maintenance operator. The module authentication mechanism is defined by IG 4.4.A case 2 as follows. The User role is authenticated with the mechanism described in section 4.1. The User role can access the module via mailbox interface using the Device OS’s XNU Table 9 that do not affect the module’s security, per IG 4.1.A. The services are performed via mailbox interface using the Device OS’s XNU kernel or via IPC channel using the software applications running on sepOS. N/A N/A N/A N/A N/A N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

12 of 33
Page 13
Device Keybag Services for data encrypt or decrypt (Non-approved)pointer to class key from device keybag, plaintext or ciphertext dataciphertext or plaintext data
iCloud Keybag services for data encrypt or decrypt (Non-approved)pointer to class key from device keybag, plaintext during encryption or ciphertext data during decryptionciphertext during encryption; plaintext data during decryption
Escrow keybag service for key wrapping and unwrapping (Non-approved)pointer to any key from Escrow keybag, plaintext key wrapping or wrapped key during unwrapping operationwrapped key during wrapping; plaintext key during unwrapping
Encrypt or Decrypt service using Class B Curve 25519 key from any keybag (Non-approved)Pointer to class B key from any keybag, plaintext or ciphertext dataciphertext and ephemeral public key during encryption; plaintext data during decryption
Wrap or unwrap service for DEK or keychain using D/C/A Curve 25519 key from asymmetric keybag (non-approved)Pointer to D/C/A key from asymmetric keybag, plaintext DEK or keychain during wrapping operation or wrapped DEK or keychain during unwrapping operationwrapped DEK or keychain during wrapping; plaintext DEK or keychain during unwrapping
Wrap and unwrap service for keychain using DK/DKU/CK/ CKU/AK/AKU/AKPU Ed25519 key from asymmetric keybag (Non-approved)Pointer to DK/ DKU/ CK/ CKU/AK/ AKU/ AKPU key from asymmetric keybag, plaintext keychain during wrapping operation or wrapped keychain during unwrapping operationwrapped keychain during wrapping; plaintext keychain during unwrapping
Asymmetric (Ed25519) backup keybag wrap and unwrap (Non-approved)Pointer to Ed 25519 key from backup keybag, plaintext or ciphertext dataciphertext or plaintext data
NVM Storage Controller Key Service (Non- approved)pointer to NVM storage controller key, DEKWrapped DEK
Elliptic Curve Integrated Encryption Scheme (ECIES) Encryption (Non-approved)data, public keyencrypted data
Elliptic Curve Integrated Encryption Scheme (ECIES) Decryption (Non-approved)data, private keydecrypted data
PBKDF Key Derivation (Non-approved)passwordderived key
Filesystem DEK services (Non-approved)wrapped DEK, class key reference from User keybag.Wrapped DEK or Error
Generation of DEK via IPC using class D key (Non-approved)N/ADEK wrapped with class D key
Requesting backup keybag service vi IPC using class D key (Non-approved)DEK wrapped with class D keyDEK wrapped with back up keybag key

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] N/A Table 6

4.1 Operator Authentication

Within the constraints of FIPS 140-3 level 2, the module implements a role-based authentication mechanism for authentication of the user role. The module implements authenticated encryption-based mechanism in the following way: to request an authenticated that is stored encrypted under SP800-38F AES Key Wrapping (AES-KW) within the module. The module performs obfuscation on the Operator provided credential and the resulting value -called REK (Root Encryption Key)- is used as the 256-bit AES key. Using this key, the module decrypts all the class C or A keys in the referenced user keybag with SP80038F AES Key Unwrapping function (i.e. AES-KW-AD3). As AES-KW is an authentication cipher, the decryption operation will only succeed if there is no authentication error. If the user keybag can be successfully decrypted, the user is authenticated A keybag is a data structure used to store a collection of class keys. Each type (User, device, escrow, backup, or iCloud) has the same format. Section 6.2 SP800-38F, Algorithm 4: KW-AD(C) This document may be reproduced and distributed only in its original entirely without revision.

13 of 33
Page 14
RoleAuthentication MethodAuthentication Strength
UserAES-KW unwrapping function256 bits
Crypto Officer (CO)No authenticationN/A

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] to the module and the requested crypto service will then be proceeded with the decrypted user key. The failure of decrypting the user keybag is also a user authentication failure and the Operator will be denied access to the module. The User keybags are configured in the module during factory install. Each User keybag consists of set of class C, A and D keys. Specifically, class C keys include C key, CK key, CKU keys and the class A keys include A key, AK key, AKU key and AKPU key. Only the class A or C keys are considered as approved. Any use of class D keys is considered as non-approved. The module maintains authenticated session from the time the User keybags are unwrapped until the power off. Upon power off, the unwrapped User keybags are zeroised and at the next power on the User credential needs to be provided again in order to unwrap the User keybag. All authentication data is provided electronically from the calling application/service and hence is not in visible form. The AES-KW 256 bit key unwrapping function provides 256 bits of strength. Therefore, the strength of the authentication mechanism in use is 1/ 2^256. Even using a rate of 1μs per failed authentication, which would allow 60,000,000 consecutive attempts per minute (60s / 0.000001s), only provides a probability of successfully authenticating that is less than or equal to 60,000,000 * 1 / 2^256. The SP 800-63B requirements are not applicable here based on the type of authentication mechanism deployed by the module because the authenticated decryption is not one of the methods listed in SP 800-63B. N/A Table 7– Roles and Authentication

4.3 Services

The Module has an Approved and non-Approved mode of operation. The Approved mode of Operation is assumed automatically without any specific configuration. If the device starts up successfully then the module has passed all selftests and is operating in the Approved mode. Any calls to the non-Approved security functions listed in Table 9 will cause the module to assume the non-Approved mode of operation. The module implements a dedicated API function to indicate if a requested service utilizes an approved security function. The approved service indicator utilizes one of two functions (fips_allowed and fips_allowed_mode) depending on the service in question. Calling fips_allowed_mode with AES-ECB, AES-CBC or AES-KW will return a zero to indicate it is an approved algorithm. Similarly, calling fips_allowed with any other approved algorithm will return zero. Calling either of these with an algorithm not listed in the Approved Algorithms Table will return a non-zero value, and as such indicates a non-approved service. The table below lists all approved services that can be used in the approved mode of operation to authorized operators of either the User or Crypto Officer Roles. The abbreviations of the access rights to keys and SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A= Not Applicable: The service does not access any SSP during its operation

4.3.1 Approved Services

The table below includes the Approved Security Functions utilized by the service and Roles and access writes provided to the Keys and/or SSPs affected by the services. The last column provides a description of the service indicator reported by the service to show that the service utilizes an approved cryptographic algorithm, security function or process in an approved manner. This document may be reproduced and distributed only in its original entirely without revision.

14 of 33
Page 15
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator#
User Keybag Services via MailboxStep 1. The module receives User credential and the reference to the class C or A key from the User keybag Step 2. Obfuscation operation is performed on the User provided credential resulting into a value called REK. Step 3. REK is used as a key for the AES KW operation to unwrap the referenced class A or C keys in the user keybag stored in the module. Step 4. Status of unwrapping operation of class keys is returned via mailbox interface and the REK is zeroisedUserUser credential, REK, User keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key, Class CK key, Class CKU key)Key Unwrapping: AES-KWW, E01
General Authentication serviceThe module invokes the User keybag Services via Mailbox (i.e. #1 above)UserUser credential, REK, User keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key, Class CK key, Class CKU key)Key Unwrapping: AES-KWW, E02
Generation of Data Encryption Key (DEK)Step 1: The module receives the reference to the class C or A key from the user keybag Step 2: The module generates a new DEK using the DRBG Step 3: Referenced class C or A key is used to wrap the DEK using AES-KW Step 4: Wrapped DEK is sent out of the moduleUserEntropy input string, DRBG internal stateSymmetric Key Generation (CKG using method in Section 4 example 1 [SP 800- 133Rev2], AES- ECB, AES-CBC) Key Wrapping: AES-KWE03
User keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key, Class CK key, Class CKU key)User keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key, Class CK key, Class CKU key)W, E
DEKDEKG, E
Wrapped DEKWrapped DEKR
Keychain DEK service using AK/ AKU/ AKPU/ CK/ CKU class keyStep 1. The module receives wrapped DEK (that was sent as part of service 3 above) and the pointer to class key AK/ AKU/AKPU/CK/ CKU from the user keybag. Step 2. Using the referenced class key, the module unwraps the DEK using AES-KW. If the class key is not available, an error is returned. Step 3. plaintext DEK is sent out to the User.UserUser keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key, Class CK key, Class CKU key)Key Wrapping: AES-KWE04
DEKDEKR, E
Wrapped DEKWrapped DEKW, E
Backup keybag generationThe module generates new set of back up keybags using the DRBGUserEntropy input string, DRBG internal stateSymmetric Key Generation (CKG using method in Section 4 example 1 [SP 800- 133Rev2], AES- ECB, AES-CBC)E05
Backup keybag (Class A key, Class AK key, Class C key, Class CK key)Backup keybag (Class A key, Class AK key, Class C key, Class CK key)G, E
Backup keybag serviceStep 1. The module receives wrapped DEK and the class key reference for C and A from the user keybag. Step 2. Using the referenced class key, the module unwraps the DEK using AES-KW. If the class key is not available, an error is returned. Step 3. The module generates a set of backup key bag using DRBG Step 4. Unwrapped DEK is re-wrapped withUserDEK, User keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key, Class CK key, Class CKU key)Key Wrapping and Unwrapping: AES- KW Symmetric Key Generation (CKG using method in Section 4 example 1 [SP 800- 133Rev2], AES- ECB, AES-CBC)W, E06
Entropy input string, DRBG internal stateEntropy input string, DRBG internal stateE
backup key bag key using AES-KW Step 5. Wrapped DEK is sent out.backup key bag key using AES-KW Step 5. Wrapped DEK is sent out.Wrapped DEKR
Backup keybag (Class A key, Class AK key, Class C key, Class CK key) HMAC keyBackup keybag (Class A key, Class AK key, Class C key, Class CK key) HMAC keyG, E
Escrow keybag creationThe module generates new set of escrow key bag using the DRBGUserEntropy input string, DRBG internal stateSymmetric Key Generation (CKG using method in Section 4 example 1 [SP 800- 133Rev2], AES- ECB, AES-CBC)E07
Escrow keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key)Escrow keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key)G,E
Export KeybagStep 1. The module receives reference to a keybag. Step 2: A HMAC key is taken as input based on the hardware specific data for the SKS Step 3: HMAC value is calculated on the entire referenced keybag that includes encrypted4 keys. Step 4: HMAC is appended at the end of the keybag Step 5: Keybag with the appended HMAC is output to the UserUserHMAC keyMessage Authentication HMACW, E08
Keybag to be exported (User or Backup or Escrow keybag)Keybag to be exported (User or Backup or Escrow keybag)R, E
Device WipeErase all content (Factory Reset)COAll SSPsN/AZN/A9
Show StatusN/ACON/AN/AN/AN/A10
Show Module InformationN/ACON/AN/AN/AN/A11
Perform Self- TestPerform all pre-operational self-tests and cryptographic algorithm self-tests (CASTs)CON/AAllN/AN/A12
Class D File System Services to wrap or unwrap DEKWrapping of provided plaintext DEK or unwrapping of provided wrapped DEK using class D key from Backup keybag or secure storage in SEPCOAES-KWnon-zero value
Class D key service to encrypt or decrypt dataEncryption of provided plaintext or decryption of provided ciphertext using class D key from Device or iCloud KeybagCOAES-KWnon-zero value
Class DK/DKU File System Services to wrap or unwrap keychainWrapping of provided plaintext keychain or unwrapping of provided wrapped keychain using class DK/DKU key from Backup keybag or User keybagCOAES-KWnon-zero value
Class DK/DKU key service for data encrypt or decryptEncryption of provided plaintext or decryption of provided ciphertext using DK/DKU key from Device or iCloud keybagCOAES-KWnon-zero value

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] # ‍ ‍ ‍ ‍ ‍ W, E W, E E W, E G, E R E R, E W, E This document may be reproduced and distributed only in its original entirely without revision. E G, E W, E E

15 of 33
Page 16
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator#
backup key bag key using AES-KW Step 5. Wrapped DEK is sent out.backup key bag key using AES-KW Step 5. Wrapped DEK is sent out.Wrapped DEKR
Backup keybag (Class A key, Class AK key, Class C key, Class CK key) HMAC keyBackup keybag (Class A key, Class AK key, Class C key, Class CK key) HMAC keyG, E
Escrow keybag creationThe module generates new set of escrow key bag using the DRBGUserEntropy input string, DRBG internal stateSymmetric Key Generation (CKG using method in Section 4 example 1 [SP 800- 133Rev2], AES- ECB, AES-CBC)E07
Escrow keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key)Escrow keybag (Class A key, Class AK key, Class AKU key, Class AKPU key, Class C key)G,E
Export KeybagStep 1. The module receives reference to a keybag. Step 2: A HMAC key is taken as input based on the hardware specific data for the SKS Step 3: HMAC value is calculated on the entire referenced keybag that includes encrypted4 keys. Step 4: HMAC is appended at the end of the keybag Step 5: Keybag with the appended HMAC is output to the UserUserHMAC keyMessage Authentication HMACW, E08
Keybag to be exported (User or Backup or Escrow keybag)Keybag to be exported (User or Backup or Escrow keybag)R, E
Device WipeErase all content (Factory Reset)COAll SSPsN/AZN/A9
Show StatusN/ACON/AN/AN/AN/A10
Show Module InformationN/ACON/AN/AN/AN/A11
Perform Self- TestPerform all pre-operational self-tests and cryptographic algorithm self-tests (CASTs)CON/AAllN/AN/A12
Class D File System Services to wrap or unwrap DEKWrapping of provided plaintext DEK or unwrapping of provided wrapped DEK using class D key from Backup keybag or secure storage in SEPCOAES-KWnon-zero value
Class D key service to encrypt or decrypt dataEncryption of provided plaintext or decryption of provided ciphertext using class D key from Device or iCloud KeybagCOAES-KWnon-zero value
Class DK/DKU File System Services to wrap or unwrap keychainWrapping of provided plaintext keychain or unwrapping of provided wrapped keychain using class DK/DKU key from Backup keybag or User keybagCOAES-KWnon-zero value
Class DK/DKU key service for data encrypt or decryptEncryption of provided plaintext or decryption of provided ciphertext using DK/DKU key from Device or iCloud keybagCOAES-KWnon-zero value
Generate Ref-KeysKey GenerationCOECDSA KeyGennon-zero value
Sign and verify using Ref-keySignature Generation and VerificationCOECDSA SigGen, ECDSA SigVernon-zero value
Encryption and decryption using Ref-keyshared secret is generated using user provided key and existing ref key followed by HKDF is applied to derive a key which is used to encrypt the provided plaintext or decrypt the provided ciphertextCOECDSA HKDF AES-GCM AES-KWnon-zero value
Generate Shared Secret using Ref-keyShared secret generationCOECDHnon-zero value
Device keybag service for data encrypt or decryptEncryption of provided plaintext or decryption of provided ciphertext using any key from Device keybagCOAES-KWnon-zero value
iCloud keybag service for data encrypt or decryptEncryption of provided plaintext or decryption of provided ciphertext using any key from iCloud keybagCOAES-KWnon-zero value
Escrow keybag service for key wrapping and unwrappingWrapping of provided plaintext key or unwrapping of provided wrapped key using any key from Escrow keybagCOAES-KWnon-zero value
Encrypt or Decrypt service using Class B Curve 22519 key from any key bagshared secret is computed by generating new ephemeral keypair and existing Curve25519 key followed by HKDF is applied to derive a key which is used for data encryption or decryption. During encryption operations, the wrapped key and the ephemeral public key are sent to the userCOAES-KW HKDF Curve 25519non-zero value
Wrap or unwrap service for DEK or keychain using any Curve 22519 key from asymmetric key bagshared secret is computed by generating new ephemeral keypair and existing Curve25519 key followed by HKDF is applied to derive a key which is used to wrap and unwrap DEK or keychain. During wrapping operation, the wrapped key and the ephemeral public key are sent to the userCOAES-KW HKDF Curve 25519non-zero value
Asymmetric (Ed25519) backup keybag wrap and unwrapshared secret is computed by generating new ephemeral keypair and existing Curve25519 key followed by HKDF is applied to derive a key which is used to wrap and unwrap. The wrapped key and the ephemeral public key are sent to the userCOAES-KW HKDF Ed25519non-zero value
Wrap or unwrap service for keychain using DK/DKU/CK/ CKU/AK/AKU/AKPU Ed25519 key from asymmetric key bag (Non-approved)Pointer to DK/DKU/CK/CKU/AK/AKU/AKPU key from asymmetric keybag, plaintext keychain during wrapping operation or wrapped keychain during unwrapping operationCOAES-KW HKDF Ed25519non-zero value
NVM Storage Controller Keywrapping DEK using NVM storage controller keyCOAES KWnon-zero value
Elliptic Curve Integrated Encryption Scheme (ECIES) EncryptionEncryptionCOECDH AES-GCM ANSI X9.63 Key Derivationnon-zero value
Elliptic Curve Integrated Encryption Scheme (ECIES) DecryptionDecryptionCOECDH AES-GCM ANSI X9.63 Key Derivationnon-zero value
PBKDF Key DerivationHash-based Key DerivationCOPBKDFnon-zero value
File system DEK serviceUnwrap the DEK using referenced class key and re-wrap using NVM storage controller keyCOAES KWnon-zero value
Generation of DEK via IPC using class D keyRequesting generate DEK service via IPC Channel using class D keysCOAES KW DRBGnon-zero value
Requesting backup keybag service via IPC using class D keyRequesting backup keybag service via IPC Channel using class D keysCOAES KW DRBGnon-zero value

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] # R G, E G,E N/A Z N/A N/A N/A N/A N/A N/A Perform SelfTest N/A N/A N/A N/A N/A N/A N/A N/A E W, E R, E The table below lists all non-Approved services that can only be used in the non-Approved mode of operation and the services are non-authenticated. Note: only class A and C keys in the keybag are encrypted with REK whereas class D keys are in plaintext as they are non-approved and not considered as CSP This document may be reproduced and distributed only in its original entirely without revision.

16 of 33
Page 17

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

17 of 33
Page 18

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table 9 - Non-Approved and non-authenticated Services This document may be reproduced and distributed only in its original entirely without revision.

18 of 33
Page 19

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

5 Software/Firmware security
5.1 Integrity Techniques

The Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] is in the form of binary executable code. A firmware integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as an approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e., the module is not operational.

5.2 On-Demand Integrity Test

The Integrity tests are performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.

19 of 33
Page 20

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

6 Operational Environment

The Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] operates in a limited operational environment per FIPS 140-3 security level 2 specifications. The module operates within the sepOS execution environment which is separate from the Device OS execution environment. The SEP operating system provides memory isolation between all applications executing on it. The Device OS is unable to access the module's memory or observe the module's operation. This document may be reproduced and distributed only in its original entirely without revision.

20 of 33
Page 21
Physical Security MechanismRecommended Frequency of Inspection/TextInspection/Test Guidance Details
Production Grade Components that include standard passivationNo operator-performed testing is recommendedN/A
- Tamper-Evident coating or black hard coated material or metal coating, - The Ball Grid Array (BGA back side of the SoC soldered on the logic board.) The components listed above are opaque within the visible spectrum.No operator-performed testing is recommendedN/A
Hardness of the coating tested in the module's intended temperature range of operationNo operator-performed testing is recommendedN/A
Environmental Failure Protection (EFP) forces the module to shut downNo operator-performed testing is recommendedN/A
Temperature or voltage measurementSpecify EFP or EFTSpecify if this condition results in a shutdown or zeroisation
Low Temperature, High TemperatureValues found in Apple proprietary documentEFPshutdown
Low Voltage, High VoltageValues found in Apple proprietary documentEFPshutdown
Hardness tested temperature measurement
Low Temperature (˚C)-25˚C
High Temperature (˚C)+ 51˚C

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] The defined physical boundary of the Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] is the entire System-on-Chip (SoC) listed in Table

  1. Consequently, the physical embodiment of each SoC is a single-chip cryptographic module. The hardware module conforms to the Level 3 requirements for physical security as detailed in Table
  2. N/A N/A N/A N/A Table 10 – Physical Security Inspection Guidelines The module correctly implements the Environmental Failure Protection (EFP) features as detailed in Table
  3. Table 11 – EFP/EFT Table 12 – Hardness testing temperature ranges This document may be reproduced and distributed only in its original entirely without revision.
21 of 33
Page 22

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

8 Non-invasive Security

Currently, the non-invasive security is not required by FIPS 140-3 (see NIST SP 800-140F). The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.

22 of 33
Page 23
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey / SSP Name / TypeZeroisation
1,2,3,4,6,8128, 192, 256-bitsAES-KW with CAVP Certs. # A1343, A1345 (for services 1,2,3,4, 6)N/A: Preloaded at factoryN/AFlashEntry: N/A Output: encrypted using AES-KW for service #8 onlyClass A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys)Device Wipe;
5,6,8128, 192, 256-bitsCTR_DRBG with CAVP Certs. # A501, A1362 (for services 3, 5, 6, 7) AES-KW with CAVP Certs. # A1343, A1345 (for services 1,2,3,4, 6)Generated using direct output of CTR DRBG compliant to section 4 example 1 of SP800-133r2. CKG (vendor affirmed)N/ARAMEntry: N/A Output: encrypted using AES-KW for service #8 onlyClass A, Class C, Class AK, Class AKU, Class CK, Class CKU keys in backup keybag (AES keys)Context object destruction; Device Wipe
7,8128, 192, 256-bitsGenerated using direct output of CTR DRBG compliant to section 4 example 1 of SP800-133r2. CKG (vendor affirmed)N/ARAMEntry: N/A Output: encrypted using AES-KW for service #8 onlyClass A, Class C, Class AK, Class AKU, Class CK, Class CKU keys in escrow keybag (AES keys)Context object destruction; Device Wipe
3,4, 6128, 192, 256-bitsSymmetric key generation services of the module using DRBG compliant to section 4 example 1 of SP800-133r2. CKG (vendor affirmed)N/ARAMEntry: In encrypted form Output in encrypted form via service 3/6, or plaintext via service 4Data Encryption Key (DEK) (AES key)Context object destruction; Device Wipe
3,5,6,7256-bitsRandom Number Generation ESV E#113Obtained from the physical entropy sourceN/ARAMNo import No exportEntropy input stringDevice Wipe
3,5,6,7256-bitsRandom Number Generation CTR_DRBG with CAVP Certs. # A501, A1362Updated during DRBG initializationN/ARAMNo import No exportDRBG internal state: V value, key, and seed materialDevice Wipe
8112 bits or greaterHMAC-SHA-256 CAVP Certs. # A1340, A1341, A1345N/AN/ARAMEntry: taken as input based on the hardware specific data Output: N/AHMAC Key (Message Authentication Key)Context object destruction; Device Wipe
1,2N/AN/AN/AN/ARAMEntry: input by User Output: N/AUser CredentialDevice Wipe
1,2256-bitsN/AN/AN/ARAMEntry: N/A Output: N/AREKDevice Wipe

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

9 Sensitive Security Parameter Management

The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic 1,2,3,4, 6) 9.3 4.3.1) N/A N/A 5,6,8 N/A 7,8 N/A 3,4, 6 6) N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Table 13 - SSPs This document may be reproduced and distributed only in its original entirely without revision.

23 of 33
Page 24
Approved algorithm
NameKey Size
DetailsMinimum number of bits of entropyEntropy Source
The entropy source consists of twenty-four Free Ring Oscillator (FROs). The entropy source has been shown to provide full 256-bits of entropy at the output of the vetted conditioning function, SHA2-256 (#C1223).256ESV #E113 (physical entropy source)

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

9.1 Random Number Generation

A [SP800-90ARev1] approved deterministic random bit generator based on block cipher is used: CTR_DRBG using AES-256 without derivation function and with prediction resistance. The random numbers used for key generation are all generated by CTR_DRBG in this module. Per section 10.2.1.1 of [SP 800-90ARev1], the internal state of CTR_DRBG consists of the V, Key and a seed. The module also performs DRBG health tests according to section 11.3 of [SP800-90ARev1]. In accordance with FIPS 140-3 IG D.L, the 'Entropy input string', 'seed', 'DRBG internal state (V and key values)' are considered CSPs by the module. No non-DRBG functions or instances are able to access the DRBG internal state. The deterministic random bit generators are seeded by an internal physical noise source. The hardware based entropy source provides 256-bits of security strength in instantiating and reseeding the module approved DRBGs. Table 14 - Non-Deterministic Random Number Generation Specification

9.2 Key / SSP Generation

The module provides a key generation service for symmetric cipher i.e. AES in accordance with FIPS 140-3 IG D.H. The cryptographic module performs Cryptographic Key Generation (CKG) for symmetric keys as per section 4 [SP800-133r2]. The implementation follows example 1 from Section 4 whereby V is a string of binary zeroes, such that B = U (i.e., the output of an approved RBG). The symmetric keys are generated directly output from an approved DRBG compliant with [SP80090ARev1].

9.3 Keys/SSPs Establishment

The module provides the following key/SSP establishment service in the Approved mode:  AES-Key Wrapping: The module implements a Key Transport Scheme (KTS) using AES-KW compliant to [SP80038F], per IG D.G. The SSP establishment methodology provides between 128 and 256 bits of encryption strength.

9.4 Keys/SSPs Import/Export

Per the definition in IG 2.3.B, "Transferring SSPs including the entropy input between a sub-chip cryptographic subsystem and an intervening functional subsystem for Security Levels 1 and 2 on the same single chip is considered as not having Sensitive Security Parameter Establishment crossing the HMI". As such, the import or export Keys/SSP as defined in Table 1 of IG 9.5.A do not apply. Within the TOEPP, keys and SSPs can either be entered into, or output from the Apple Secure Key Store Cryptographic Module to/from intervening functional subsystems in plaintext.

9.5 Keys/SSPs Storage

During runtime operation, the Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] module stores keys/SSPs in volatile memory, except for the user keybag that is stored in Flash. The module protects all keys/SSPs through the memory separation and protection mechanisms provided by the operating system while the Flash component only provides exclusive access to the module. No process other than the module itself can access the keys/SSPs in its process memory or Flash component. This document may be reproduced and distributed only in its original entirely without revision.

24 of 33
Page 25

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

9.6 Keys/SSPs Zeroization

Keys and SSPs (including temporary SSPs) are zeroised when the appropriate context object is destroyed by overwriting the entire context object with all zeros. Zeroization occurs at the end of an API function that uses the CSPs. Zeroization is also performed by calling the "Device Wipe" service. The "Device Wipe" service performs end of life of the device. Input and output interfaces are inhibited while zeroisation is performed. Zeroisation is immediate and uninterruptible, preventing the retrieval and reuse of the zeroised values. The module provides an implicit indication that the zeroisation has successfully completed by returning access to the User, ready to service the next request. This document may be reproduced and distributed only in its original entirely without revision.

25 of 33
Page 26
Approved algorithm
NameUse Function
Cryptographic AlgorithmNotes
HMAC-SHA256CAST (KAT) performed prior to module’s firmware integrity test at power-up
Pre-operational Integrity Test using HMAC-SHA-256Integrity Test of module’s firmware
AES Implementations AES-KW, AES-CBC, AES-ECB using 128-bit keySeparate encryption / decryption CAST (KAT) performed for each mode
CTR_DRBG with 256-bit keyCAST (KAT) performed CAST: Health test per SP800-90ARev1 section 11.3
HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512CAST (KAT) performed
SHA-1, SHA-256, SHA-512Covered by HMAC CAST
Physical entropy sourceSP800-90B health test (APT and RCT) classified as CAST: - at start-up: performed on 1,024 consecutive samples. - during runtime.
Cause of ErrorError Indicator
Failed Pre-operational Software Integrity TestError message “FAILED: fipspost_post_integrity” sent to caller
Failed CASTError message “FAILED:<event>” sent to caller (<event> refers to any of the cryptographic functions listed in Table 15)

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

10 Self-tests

The module performs pre-operational self-tests automatically when the module is loaded into memory; the pre-operational self-tests triggered at power-on ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The module transitions to approved Mode upon successful completion of the pre-operational self-tests and CASTs. FIPS 140-3 only requires that software/firmware integrity test(s) and the requisite cryptographic algorithm(s) be tested during power-up, but the Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] runs all The following tests (Table 15) are performed each time the Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] starts. If any of the following tests fail the device fails to startup. While the module is executing the self-tests, services are not available, and input and output are inhibited. Table 15 - Self-Tests A pre-operational integrity test is performed on the firmware component of the Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]. The module’s HMAC-SHA2-256 is used as an approved algorithm for the integrity pre-operational integrity test. If the test fails, then the module enters an Error State. The HMAC value is pre-computed at build time and stored in the module. The HMAC value is recalculated during runtime and compared with the stored value.

10.2 Conditional Self-Tests

The following sub-sections describe the conditional self-tests supported by the Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]. 10.2.1 Cryptographic algorithm self-tests The Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] runs all Cryptographic Algorithm Self-Tests during power-up. These tests are detailed in Table 15. 10.2.2 Pairwise Consistency Test The Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] does not provide asymmetric key generation service in the approved mode. Therefore, this section is not applicable. This document may be reproduced and distributed only in its original entirely without revision.

26 of 33
Page 27

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] 10.2.3 On-Demand Self-Test On demand and periodic self-tests are performed by powering off the module and powering it on again. This service performs the same cryptographic algorithm tests executed during pre-operational self-tests and CASTs. During the execution of the periodic and on-demand self-tests, crypto services are not available and no data output or input is possible.

10.3 Error Handling

If any of the self-tests described in Sections 10.1, 10.2.1 or 10.2.2 fail, the module reports the cause of the error and enters an error state. In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to power cycle the device which results in the module restarting and re-performing the preoperational firmware integrity test and the Conditional Self-Test CASTs. The module will only enter into the operational state after successfully passing the pre-operational firmware integrity test and the CASTs. The table below shows the different causes that lead to the Error State and the status indicators reported. Table 16

27 of 33
Page 28

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

11 Life-cycle assurance
11.1 Delivery and Operation

The module’s firmware with the sepOS is delivered as part of the Device OS image. The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by the vendor, and it is verified during the integration into Device OS. This digital signature-based integrity protection during the delivery/ integration process is not to be confused with the HMAC-SHA-256 based integrity check performed by the module itself as part of its pre-operational self-tests. The biometric authentication option provided by the underlying test platform shall be disabled in order to run the module in the FIPS validated manner.

11.2 Crypto Officer Guidance

The ESV Public Use Document (PUD) reference for physical entropy source is published at https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/113 The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - Non-Approved and non-authenticated Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. A Crypto Officer Role Guide is provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation. A link to the Guide can be found on the Product security, validations, and guidance page found in [Device OS].

11.3 User Guidance

The User role is authenticated with the mechanism described in section 4.1. The User role can access the module via mailbox interface using the Device OS’s XNU kernel. The User role can perform subset of services from Table 8. As stated in the Crypto Officer Guidance, the Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - NonApproved and non-authenticated Services. This transition cannot be made by the User directly, as all non-approved services require an implicit transition into the Crypto-Officer role. Any calling of such services is therefore implicitly performed by the Crypto Officer. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. When performing a Device Wipe service to erase all content of the module, the procedure must be performed under the control of the Operator. This document may be reproduced and distributed only in its original entirely without revision.

28 of 33
Page 29

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

12 Mitigation of other attacks

The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.

29 of 33
Page 30

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interfaces APT Adaptive Proportion Test (SP800-90B health test) BGA Ball Grid Array (Physical Security) CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CMVP Cryptographic Module Validation Program CST Cryptographic and Security Testing CTR Counter Mode DEK Data Encryption Key DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDSA DSA (Digital Signature Algorithm) based on Elliptic Curve Cryptography (ECC) EMI Electromagnetic Interference (Physical Security) ESV Entropy Source Validation FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code IPC Inter-Process Communication IHS Integrated Heat Spreader (Physical Security) KAT Known Answer Test KDF Key Derivation Function KEK Key Encryption Key KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology NVM Non-Volatile Memory OFB Output Feedback OS Operating System PBKDF Password Based Key Derivation Function RCT Repetition Count Test (SP800-90B health test) SEP Secure Enclave Processor SHA Secure Hash Algorithm SHS Secure Hash Standard SKS Secure Key Store SoC System on Chip SSP Sensitive Security Parameters This document may be reproduced and distributed only in its original entirely without revision.

30 of 33
Page 31

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Appendix B. FIPS140-3 References FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards September 2020 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements FIPS140-3_MM CMVP FIPS 140-3 Draft Management Manual SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) SP 800-140A CMVP Documentation Requirements https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140B CMVP Security Policy Requirements SP 800-140C CMVP Approved Security Functions SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods SP 800-140E CMVP Approved Authentication Mechanisms https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%201403/Draft%20FIPS-140-3-CMVP%20Management%20Manual%2009-18-2020.pdf https://csrc.nist.gov/publications/detail/sp/800-140/final https://csrc.nist.gov/publications/detail/sp/800-140b/final https://csrc.nist.gov/publications/detail/sp/800-140c/final https://csrc.nist.gov/publications/detail/sp/800-140d/final https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics https://csrc.nist.gov/publications/detail/sp/800-140f/final FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt This document may be reproduced and distributed only in its original entirely without revision.

31 of 33
Page 32

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP800-90ARev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) October 2009 http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf This document may be reproduced and distributed only in its original entirely without revision.

32 of 33
Page 33

Apple corecrypto Module v11.1 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf Developer Device OS Technical Overview https://developer.apple.com SEC Apple Platform Security https://support.apple.com/guide/security/welcome/web https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf Device OS Product security certifications for Device OS https://support.apple.com/en-gw/guide/certifications/welcome/web This document may be reproduced and distributed only in its original entirely without revision.

33 of 33

Referenced URLs