All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09ACP18TA and MG09ACP16TA

Certificate#4771StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip EmbeddedStatusActiveVendorToshiba Electronic Devices & Storage Corporation
High review priority  ·  no TCB surface named  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Embedded
StatusActive
Sunset date8/19/2029
CaveatNone
VendorToshiba Electronic Devices & Storage Corporation

Approved Algorithms (9)

AlgorithmACVP Cert
AES-CBCA1638
AES-ECBA1638
AES-XTS Testing Revision 2.0A1638
Hash DRBGA1645
HMAC-SHA2-256A1638
RSA SigVer (FIPS186-4)A1637
SHA2-256A1637
SHA2-256A1638
SHA2-256A1645

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09ACP18TA and MG09ACP16TA
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status output<br/>Show status</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09ACP18TA and MG09ACP16TA
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status output<br/>Show status</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09ACP18TA and MG09ACP16TA Prepared by: Rev 2.3.1

1 Apr. 26, 2024
Page 2
2 Apr. 26, 2024
Page 3
  1. General The Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series (MG09ACP18TA and MG09ACP16TA) is used for hard disk drive data security. The security levels for this Cryptographic Module (CM) are as follows: ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security [Number Below] Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 2

6 Operational environment 1

7 Physical security 1

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels This document is non-proprietary and may be reproduced in its original entirety.

1.1 Acronyms

AES Advanced Encryption Standard CM Cryptographic Module CSP Critical Security Parameter DRBG Deterministic Random Bit Generator EBG Entropy Bit Generator FW Firmware HMAC Keyed-Hashing for Message Authentication code KAT Known Answer Test LBA Logical Block Address PCA Printed Circuit Assembly POST Power on Self-Test (pre-operational self-tests and conditional algorithm self-tests) SoC System on Chip SSC Security Subsystem Class SED Self-Encrypting Drive SHA Secure Hash Algorithm SID Security ID TCG SWG Trusted Computing Group Storage Work Group TOEPP Tested Operational Environment’s Physical Perimeter

3 Apr. 26, 2024
Page 4

2. Cryptographic Module Specification This CM provides various cryptographic services using approved algorithms. Services include hardware-based data encryption, cryptographic erase, independently protected user data LBA ranges, and FW Download. The CM always encrypts the user data, protects CSPs from unauthorized access, and provides secure sanitization methods by supporting TCG Opal SSC features. The operational rules described in this document adheres to TCG Opal. This CM is a multiple-chip-embedded hardware cryptographic module. The cryptographic boundary of the CM is the entire HDD. The physical interface for power-supply and for communication is one SATA connector. The CM is connected with host system by this SATA connector. The logical interface is the SATA, TCG SWG and Opal SSC. The CM has the non-volatile storage area for not only user data but also the keys, CSPs, and FW. The latter storage area is called the “system area”, which is not logically accessible / addressable by the host application. The CM has one approved mode of operation and CM is always in approved mode of operation. The CM provides only approved services defined in 4.2. Non-approved security functions are not implemented.

2.1 Product Version

The Toshiba Secure TCG Opal SSC SED has been validated in the following versions: Model Hardware [Part Number and Firmware Distinguishing Features Version] Version MG09ACP18TA A0 PD82 SATA interface, 18TB MG09ACP16TA A0 PD82 SATA interface, 16TB The tested platform is Toshiba Cryptographic Hardware 88i1215-B1. The CM does not employ any operating system. Table 2: Cryptographic Module Tested Configuration

2.2 All Security Functions

The CM does not implement any non-approved algorithms allowed in the approved mode of operation. It does not implement any non-approved algorithms allowed in the approved mode of operation with no security claimed. It does not implement any non-approved algorithms not allowed in the approved mode of operation. CAVP Algorithm and Mode/Method Description / Key Size(s) / Use/Function Certs Standard Key Strength A1637 RSA, FIPS PUB RSASSA- Modulus: 3072bits, Digital signature verification 186-4 PKCS#1-v1_5 Key Strength: 128bits A1637 SHS, FIPS PUB SHA2-256 - Message digest for RSA 180-4 (BYTE-only)

4 Apr. 26, 2024
Page 5

CAVP Algorithm and Mode/Method Description / Key Size(s) / Use/Function Certs Standard Key Strength A1638 AES, FIPS PUB CBC Key Size: 256bits, Data encryption / decryption 197-upd1, Key Strength: 256bits SP800-38A A1638 AES, FIPS PUB ECB Key Size: 256bits, Data encryption / decryption 197-upd1 Key Strength: 256bits (used as a prerequisite for XTS mode) A1638 AES, FIPS PUB XTS Key Size (Key_1):256bits, Data encryption / decryption 197-upd1, Key Size (Key_2):256bits, SP800-38E Key Strength: 256bits A1638 HMAC, FIPS SHA2-256 Key Size: 256bits, Message authentication for PUB 198-1 Key Strength: 256bits, data integrity verification of KS < BS system area A1638 SHS, FIPS PUB SHA2-256 - Message digest for HMAC 180-4 (BYTE-only) A1645 Hash-DRBG, SHA2-256 Prediction Resistance: Deterministic random bit SP800-90A rev1 False generation A1645 SHS, FIPS PUB SHA2-256 - Message digest for DRBG 180-4 (BYTE-only) ENT (P) SP800-90B - - Seed generation for HashDRBG Vendor CKG, SP800- - An output of the hash- Key generation Affirmed 133rev2 DRBG is directly used. (Section 4 of SP800133rev2) There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. Table 3: Approved Algorithms Figure 1: MG09ACP16TA Figure 2: MG09ACP18TA Figure 3: PCA side Figure 4 shows the CM's block diagram. In this diagram, the cryptographic boundary of the CM,

5 Apr. 26, 2024
Page 6

defined by the enclosure of the MG09ACP18TA and the MG09ACP16TA, is indicated by a dashed line. It includes the SATA connector, the SoC, the buffer DRAM, the flash ROM and the magnetic storage medium. Figure 4: Block Diagram

  1. Cryptographic Module Interfaces The CM does not implement any control output interface. Physical port Logical interface Data that passes over port / interface SATA connector Data input interface User data, FW data SATA connector Data output interface User data SATA connector Control input interface SATA control input data (ex. command frame, data frame) N/A Control output interface N/A SATA connector Status output interface SATA status output data (ex. response frame, data frame) SATA connector Power interface N/A All data, status, control, and power interfaces above use a single SATA connector that contains multiple pins for power supply, data transmission, and signal exchange. Table 4: Ports and Interfaces
  2. Roles, Services, and Authentication This section describes roles and services the CM supports. The CM supports 16 Crypto Officer roles listed in Table
  3. The roles listed in Table 5 are all Crypto Officer roles. The CM does not implement any Non-Approved Services.
6 Apr. 26, 2024
Page 7
4.1 Roles

Role1 Service Input Output LockingSP.Ad Enable / Disable LockingSP Trusted Send command Command min1 Admin/User response … Range Lock/Unlock LockingSP.Ad Set range position and size min4 TCG Reactivate TCG Cryptographic Erase (Erase) TCG Cryptographic Erase (GenKey) Zeroization (without RKey) Master Cryptographic erase ATA Security Erase Command command response Range Lock/Unlock ATA Security Unlock command Firmware Download2 ATA Security Unlock command and Download Microcode command with FW Enable ATA Role ATA Security Set Password command Exit ATA Mode ATA Security Disable Password command User Cryptographic erase ATA Security Erase Command command response Range Lock/Unlock ATA Security Unlock command Firmware Download ATA Security Unlock command and Download Microcode with FW Enable ATA Role ATA Security Set Password command Exit ATA Mode ATA Security Disable Password command LockingSP.Us Range Lock/Unlock Trusted Send command Command er1 Set range position and size response … TCG Cryptographic Erase LockingSP.Us (Erase) er9 TCG Cryptographic Erase (GenKey)3 AdminSP.SID TCG activate Trusted Send command Command Firmware Download Trusted Send command and response Download Microcode command with FW

1 TCG Authority (LockingSP.Admin1-4, AdminSP.Admin1, LockingSP.User1-9 or AdminSP.SID)

can be assumed by using TCG Start Session method, while ATA Security role (Master or User) can be assumed by using ATA Security command.

2 When the Master password capability is set to “High” by User.
3 Available only when the CM uses TCG Single User Mode functionality.

The CM is always in 140-3 approved mode of operation regardless of this functionality.

7 Apr. 26, 2024
Page 8

Role1 Service Input Output None Reset (run POSTs) Power on reset command Command response Data read / write Read/Write commands with Command User data response, User data Random number generation Trusted Send command Command response, Random number Show status Read Status Register Command command response, Status Zeroization (with RKey) Trusted Send command Command (using PSID) response Cryptographic Sanitization Sanitize command Show versioning information Identify Device command Command response, Versioning information Non-security relevant HDD service ATA command Command response Table 5: Roles, Service Commands, Input and Output

4.2 Services

The CM supports two security modes: ATA security mode and TCG Opal security mode. A set of available services is different depending on the mode. The CM also supports the TCG Single User Mode functionality defined in the Single User Mode feature set of TCG Opal. A single role (LockingSP.Userx) is assigned to manage the associated range (range X) during the TCG single user mode. The LockingSP.Reactivate or LockingSP.Activate method enables this mode. Authorized roles of some services differ when the CM is in single user mode. About such services, the Role(s) column in Table 6 is divided into two rows. The upper row shows authorized roles in non-single user mode (normal mode), while the lower row shows authorized roles against range X in single user mode. The CM provides the following services to operators per Section 7.4.3.1 of ISO/IEC 19790_2012_2015:  Show module's versioning information: Show versioning information service  Show status: Show Status service  Perform self-test: Reset (run POSTs) service  Perform zeroization: Zeroization (with RKey) service, Zeroization (without RKey) services

8 Apr. 26, 2024
Page 9

 Perform approved security functions: Services indicated with Approved Security Functions in Table 6 The modes of access to SSPs shown in Table 6 are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Cryptographic Erase user data (in Hash_DRBG MEK(s) Master G, Z Command Erase cryptographic means) by SHA2- RKey User E response changing the data encryption 256(A1645) key, disable Master/User roles AES256-CBC and transition to non-ATA HMAC security mode. SHA2Method: ATA SECURITY 256(A1638) ERASE PREPARE command ENT (P) and ATA SECURITY ERASE CKG UNIT command in ATA security mode Data Encryption / decryption of AES256-XTS MEK(s) None E Command read/write unlocked user data to/from response (decrypt/encry range pt) Method: ATA READ, WRITE commands in ATA security mode or TCG Opal security mode Enable Enable/Disable LockingSP HMAC N/A LockingSP.A N/A Command /Disable Admin/User (except for- SHA2- dminx response LockingSP Single-User-Data-Range 256(A1638) Admin/User User) Authority Method: TRUSTED SEND command (TCG Set Method) in TCG Opal security mode Random Provide a random number Hash_DRBG DRBG C None4 E Command Number generated by the CM SHA2- Vector response generation Method: TRUSTED SEND 256(A1645) DRBG V E command (TCG Random) in Vector TCG Opal security mode

4 Except for User, Master
9 Apr. 26, 2024
Page 10

Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Range Block or allow read (decrypt) HMAC RKey LockingSP.A E Command Lock/Unlock / write (encrypt) of user SHA2- MEK(s) dminx/Loc E response data in a range. Locking 256(A1638) kingSP.Use also requires read/write rx locking to be enabled (LockingSP Method: is active) -TRUSTED SEND command or (TCG Set Method) in TCG User/Master Opal security mode 5 (ATA -ATA SECURITY UNLOCK Security is command in ATA security enable) mode LocknigSP. Userx Set range Set the location and size of the Hash_DRBG MEK(s) LockingSP.A G Command position and LBA range SHA2- RKey dminx E response size Method: TRUSTED SEND 256(A1645) command (TCG Set Method) AES256-CBC in TCG Opal security mode HMAC LockingSP.A SHA2- dminx 256(A1638) or ENT (P) LockingSP. CKG Userx Reset Perform self-tests and delete RSASSA- DRBG C None G, Z Command (run POSTs) CSPs in SRAM PKCS#1-v1_5 Vector response Method: Power on reset SHA2- DRBG V G, Z command 256(A1637) Vector Seed G, E, Z RKey E TCG Switch from/to TCG Opal HMAC N/A LockingSP.A N/A Command reactivate single user mode SHA2- dminx response Method: 256(A1638) -TRUSTED SEND command (TCG Reactivate) in TCG Opal security mode Show Status Report status of the CM N/A N/A None N/A Command Method: response -Read STATUS REGISTER command (50/51h) TCG Activate Activate LockingSP and Hash_DRBG MEK(s) AdminSP.SI G Command transition to TCG Opal SHA2- (except D response security mode 256(A1645) for Method: TRUSTED SEND AES256-CBC Global command (AdminSP.activate) HMAC Range) before transitioning to TCG SHA2- RKey E Opal security mode 256(A1638) ENT (P) CKG

5 When the Master password capability is set to “High” by User.
10 Apr. 26, 2024
Page 11

Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs TCG Erase user data (in Hash_DRBG MEK(s) N/A G, Z Command Cryptographic cryptographic means) in an SHA2- RKey E response Erase (Erase) LBA range by changing the 256(A1645) data encryption key. This AES256-CBC method is available only in HMAC single user mode. SHA2- LocknigSP. Method: TRUSTED SEND 256(A1638) Userx command (TCG Erase) in ENT (P) LockingSP.A TCG Opal security mode CKG dminx TCG Erase user data (in Hash_DRBG MEK(s) LockingSP.A G, Z Command Cryptographic cryptographic means) in an SHA2- RKey dminx E response Erase LBA range by changing the 256(A1645) (GenKey) data encryption key. AES256-CBC Method: TRUSTED SEND HMAC LockingSP. command (TCG GenKey) in SHA2- Userx TCG Opal security mode 256(A1638) ENT (P) CKG Zeroization Initialize the CM by zeroizing Hash_DRBG MEK(s) None (using G, Z Command (with RKey) a root key (RKey), MEKs, and SHA2- RKey PSID7) G, E, Z response range configuration, and 256(A1645) transition to non-TCG Opal AES256-CBC security mode. HMAC Method: TRUSTED SEND SHA2command ( 256(A1638) - AdminSPObj.Revert6 ENT (P) ) in TCG Opal security mode CKG Zeroization Initialize the CM by zeroizing Hash_DRBG MEK(s) LockingSP.A G, Z Command (without MEKs, and range SHA2- RKey dminx E response Rkey) configuration, and transition 256(A1645) to non-TCG Opal security AES256-CBC mode. HMAC Method: TRUSTED SEND SHA2command ( 256(A1638) - LockingSP.RevertSP6 ENT (P) - LockingSPObj.Revert6 CKG ) in TCG Opal security mode

6 AdminSPObj.Revert, LockingSP.RevertSP, LockingSPObj.Revert are methods of TCG Opal SSC.

7 PSID (Printed SID) is public drive-unique value which is used for the TCG Revert AdminSP

method. PSID is printed on the HDD’s product label.

11 Apr. 26, 2024
Page 12

Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Firmware Enable / Disable firmware RSASSA- PubKey AdminSP.SI E Command Download download and load a part of a PKCS#1-v1_5 D response firmware image. If the SHA2- User firmware load test passes, the 256(A1637) Master8 CM will run with the new HMAC code. SHA2Method: 256(A1638) -TRUSTED SEND command (TCG Set Method), DOWNLOAD MICROCODE command in TCG Opal security mode -ATA SECURITY UNLOCK command, DOWNLOAD MICROCODE command in ATA security mode Cryptographic Erase user data by changing Hash_DRBG MEK(s) None G, Z Command Sanitization the data encryption key. SHA2- RKey E response This service is available only 256(A1645) when all ranges are unlocked. AES256-CBC Method: SANITIZE CRYPTO HMAC SCRAMBLE EXT command SHA2in ATA security mode or TCG 256(A1638) Opal security mode ENT (P) CKG Show Output the model name, HW N/A N/A None N/A Command versioning version and FW version of the response information CM. Method: IDENTIFY DEVICE command with Word 23-26 (FW version), Word 135 (HW version) Non-security Provide a HDD general N/A N/A None N/A Command relevant HDD service response service Method: ATA commands Enable ATA Enable User/Master role and HMAC N/A User N/A Command role transition to ATA security SHA2- Master9 response mode. 256(A1638) Method: ATA SECURITY SET PASSWORD command before transitioning to ATA security mode

8 When the Master password capability is set to “High” by User.
9 Each role is enabled by itself.
12 Apr. 26, 2024
Page 13

Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Exit ATA Disable User role and HMAC N/A User N/A Command mode transition to non-ATA SHA2- Master10 response security mode. 256(A1638) Method: ATA SECURITY DISABLE PASSWORD command in ATA security mode Table 6: Approved Services

  1. Software/Firmware Security FW integrity check is performed at power on. Signature verification using RSASSA-PKCS#1-v1_5 of the FW codes (in the flash ROM and in the disk media) and EDC verification of the FW code in the Mask ROM are done. The operator can initiate the on-demand FW integrity check by power cycling. All firmware components are in executable form, which cannot be dynamically modified.
  2. Operational Environment The CM is a hardware module and operates in a non-modifiable operational environment, that is its firmware cannot be modified and no code can be added or deleted. SSPs are controlled by the CM itself, and uncontrolled access to CSPs and uncontrolled modifications of SSPs are prevented. Although firmware can be updated by “Firmware Download” service, whole FW codes (in the flash ROM and in the disk media) are replaced by this service, and the module becomes another module which requires new 140-3 certification.
  3. Physical Security The CM has the following physical security: ⚫ Production-grade components with standard passivation ⚫ Exterior of the drive is opaque The operator is required to periodically inspect the enclosure condition of the CM.
  4. Non-Invasive Security The CM does not employ non-invasive mitigation techniques referenced in NIST SP800-140F.
10 When the Master password capability is set to “High” by User.
13 Apr. 26, 2024
Page 14

9. Sensitive Security Parameters Management The CM uses SSPs in the following tables: Security Key/SSP/Name/ Import/ Strength function and Generation Establishment Storage Zeroization Use & related keys Type export cert. number By After “Cryptograp “Cryptographic hic Erase”, Erase”,“Zeroizati “Zeroization on (with RKey / (with RKey / without RKey)”, without “TCG Encrypte RKey)”, Cryptographic d by “TCG Erase (Erase / By Hash- RKey / in Cryptograph GenKey)”, DRBG System ic Erase “Cryptographic (A1645) area (Erase / User data Sanitization”, /Static GenKey)”, encryption and “TCG Activate”, CKG, SP800- and decryption (only for MEKs/ CSP/ AES- and “Set range

256 133rev2 No “Cryptograp storage purpose)

Symmetric XTS(A1638) position and hic size” services. Compliant Sanitization” Encrypted and with IG C.I services decrypted by RKey In the factory (Key_1 ≠ (explicitly) Key_2) By “Range Lock/Unlock” Plain/ in service. SRAM (SoC By power-off By “Reset” register) (implicitly) service (when /Dynami the associated c range is unlocked) Obfuscat After ed (plain By “Zeroization in 140-3 “Zeroization (with Rkey)” means) / (with RKey)" service. in service System (explicitly) In the factory area /Static By HashBy DRBG “Cryptographic Rkey/ CSP/ AES- (A1645) Encryption and

256 No Erase”,“Zeroizati

Symmetric CBC(A1638) decryption of MEKs on (with RKey / CKG, SP800without RKey)”, 133rev2 “TCG Plain/ in Cryptographic SRAM After use Erase (Erase / /Dynami (implicitly) GenKey)”, c “Cryptographic Sanitization”, “TCG Activate”, “Set range position and

14 Apr. 26, 2024
Page 15

Security Key/SSP/Name/ Import/ Strength function and Generation Establishment Storage Zeroization Use & related keys Type export cert. number size”, and “Range Lock/Unlock” services. By “Reset” service (when the range is unlocked) Plain/ in HashSeed/ CSP/ DRBG By Entropy At instantiation SRAM By power-off Instantiation of N/A12 DRBG(A1645), No seed11 source (SP800-90Arev1) /Dynami (implicitly) Hash_DRBG Entropy source c Plain/ in DRBG C Vector/ Hash- At instantiation SRAM By power-off Random number CSP/ internal N/A12 By DRBG No DRBG(A1645) (SP800-90Arev1) /Dynami (implicitly) generation state c Plain/ in DRBG V Vector/ Hash- At instantiation SRAM By power-off Random number CSP/ internal N/A12 By DRBG No DRBG(A1645) (SP800-90Arev1) /Dynami (implicitly) generation state c Plain / Embedde By d in FW “Firmware Modulus: In the factory in Download”

3072 RSASSA- system service

PubKey/ PSP/ Manufacturi Signature Key PKCS#1- No area (explicitly) Public ng verification Strength: v1_5(A1637) /Static

128 Plain/ in

By “Firmware SRAM By power-off Download” /Dynami (implicitly) service c Table 8: SSPs Note that there is no security-relevant audit feature and audit data. Entropy sources Minimum number of bits of Details entropy Entropy source 0.6 / 1 Physical noise source used to seed the approved HashDRBG. The overall amount of generated entropy is 48 bytes. This entropy source meets NIST SP800-90B requirements. Table 9: Non-Deterministic Random Number Generation Specification If the source may deteriorate to the point when the generation of the sufficient amount of entropy can no longer be guaranteed, health test detects the source deterioration, enter an error state, and

11 Entropy input string and nonce.
12 The security strength of Hash_DRBG is 256 bits.
15 Apr. 26, 2024
Page 16

halts the CM. When the CM continuously enters in error state in spite of several trials of reboot, the CM shall be sent back to factory to recover from error state. 10. Self-Tests The CM runs self-tests in the following table. Function Self-test type Description Operator Failure behavior initiation Firmware Pre-operational EDC (32bits) Power-cycle Boot error state integrity check software/firmware verification of the The CM is not accessible integrity test firmware in the Mask via SATA interface ROM Signature verification Boot error state of the firmware in the The CM is not accessible flash ROM by via SATA interface RSASSA-PKCS#1v1_5 with a 3072-bit Modulus using “PubKey2” Signature verification Boot error state of the firmware in the The CM is not accessible disk media by via SATA interface RSASSA-PKCS#1v1_5 with a 3072-bit Modulus using “PubKey2” AES CBC Conditional Encrypt KAT with a Power-cycle Boot error state cryptographic 256-bit key The CM is not accessible algorithm test Decrypt KAT with a via SATA interface 256-bit key AES XTS Conditional Encrypt KAT with a Power-cycle cryptographic 256-bit key algorithm test Decrypt KAT with a 256-bit key SHA2- Conditional Digest KAT Power-cycle 256(A1637) cryptographic algorithm test SHA2- Conditional Digest KAT Power-cycle 256(A1638) cryptographic algorithm test SHA2- Conditional Digest KAT Power-cycle 256(A1645) cryptographic algorithm test Hash DRBG Conditional DRBG KAT Power-cycle cryptographic algorithm test HMAC Conditional Digest KAT Power-cycle cryptographic algorithm test RSASSA- Conditional Signature verification Power-cycle PKCS#1-v1_5 cryptographic KAT with a 3072-bit algorithm test Modulus

16 Apr. 26, 2024
Page 17

Entropy source Conditional SP800-90B Start-up Power-cycle Boot error state cryptographic health test (repetition The CM is not accessible algorithm test count test, adaptive via SATA interface proportion test) SP800-90B Power-cycle Error state (conditional Continuous health test) test (repetition count Status Field: 0x53, Error test, adaptive Field: 0x04 proportion test) Firmware load Conditional Signature verification N/A Error state (FW Load Test) test software/firmware of firmware image by Status Field: 0x53, Error load test RSASSA-PKCS#1- Field: 0x04 v1_5 with a 3072-bit The CM discards the new Modulus firmware image, then enters the Idle state The public verification key “PubKey2” used in firmware integrity check resides within the MaskROM code and is not a SSP. SHA2-256(A1637) is embedded in RSASSA-PKCS#1-v1_5, while SHA2-256(A1638) is used in HMAC, and SHA2-256(A1645) is employed in Hash DRBG. Table 10: Self-Tests If the CM fails the self-test, it enters one of three error states: Error State (Conditional Test), Error State (FW Load Test), or Boot Error State. If the SP800-90B continuous health test fails, it enters Error State (Conditional Test); if the firmware load test fails, it goes to Error State (FW Load Test); and for other self-tests, it transitions to Boot Error State. The status indicator for each error state is specified in Table 10 (e.g., The “Random Number Generation” service resulting in “Status Field: 0x53, Error Field: 0x04” indicates that the CM is currently in Error State (Conditional Test)). When in the error state, the CM does not perform any cryptographic operations or output data. A power cycle is required to clear the error state. When the CM continuously enters the error state despite several reboot attempts, the CM should be returned to the factory for recovery from the error state. The CM does not support any degraded operation. 11. Life-Cycle Assurance The following are the secure initialization procedure for the CM. The CM is always in approved mode of operation in a deployed environment. In addition to this, the following procedure of initial settings will allow further secure operation during power cycling. Initialization in TCG Opal security mode: Please refer to TCG Opal specification (TCG Storage Security Subsystem Class: Opal Version

2.01 Revision 1.00) for the details.

(1) Activate LockingSP by “TCG Activate” service.

17 Apr. 26, 2024
Page 18

(2) Set LockOnReset in Download port to “Power Cycle”.13 (3) Set ReadLockEnabled and WriteLockEnabled to 1(true) and LockOnReset to “Power Cycle”.14 (4) Do a power-on reset. Initialization in ATA security mode: (1) Enable ATA role (Master) with “Enable ATA role” service. (2) Enable ATA role (User) with “Enable ATA role” service and set Master Password Capability to “Maximum”. (3) Disable Software Settings Preservation (SSP) feature set. 13,14 (4) Do a power-on reset. The longest service life of the CM under suitable conditions and treatment is 5 years. By the end of this period the operator is required to follow the CM’s end of life procedures below. (1) Initialize internal sensitive data in the host system. (2) Initialize parameters and user information in the CM by “Zeroization (with RKey)” service. For additional details, refer to the guidance documents provided with the CM: ⚫ 3.5 type SATA Hard Disk Drives Product Specification ⚫ 3.5 type SATA Hard Disk Drives Interface Specification ⚫ 3.5 type Hard Disk Drives SED Specification ⚫ Toshiba SED HDD FIPS140-2/3 Use case Rev.6.0 12. Mitigation of Other Attacks The CM does not mitigate other attacks beyond the scope of 140-3 requirements.

13 This procedure configures the CM to disable Firmware Download feature after power-cycling.

14 This procedure configures the CM to lock all range(s) after power-cycling.
18 Apr. 26, 2024