| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 9/23/2029 |
| Caveat | None |
| Vendor | Toshiba Electronic Devices & Storage Corporation |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A1638 |
| AES-ECB | A1638 |
| AES-XTS Testing Revision 2.0 | A1638 |
| Hash DRBG | A1645 |
| HMAC-SHA2-256 | A1638 |
| RSA SigVer (FIPS186-4) | A1637 |
| SHA2-256 | A1637 |
| SHA2-256 | A1638 |
| SHA2-256 | A1645 |
flowchart LR
%% Deterministic review-risk graph for Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09SCP18TA and MG09SCP16TA
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status output<br/>Show status</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C6 clue;
class I2,I3,I6 infer;
class R2,R3,R6 risk;
class E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09SCP18TA and MG09SCP16TA
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status output<br/>Show status</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C6 clueLow;Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09SCP18TA and MG09SCP16TA Prepared by: Rev 2.4.0
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 2
6 Operational environment 1
7 Physical security 1
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1 Table 1: Security Levels This document is non-proprietary and may be reproduced in its original entirety.
AES Advanced Encryption Standard CM Cryptographic Module CSP Critical Security Parameter DRBG Deterministic Random Bit Generator EBG Entropy Bit Generator FW Firmware HMAC Keyed-Hashing for Message Authentication code KAT Known Answer Test LBA Logical Block Address PCA Printed Circuit Assembly POST Power on Self-Test (pre-operational self-tests and conditional algorithm self-tests) SoC System on Chip SSC Security Subsystem Class SED Self-Encrypting Drive SHA Secure Hash Algorithm SID Security ID TCG SWG Trusted Computing Group Storage Work Group TOEPP Tested Operational Environment’s Physical Perimeter
2. Cryptographic Module Specification This CM provides various cryptographic services using approved algorithms. Services include hardware-based data encryption, cryptographic erase, independently protected user data LBA ranges, and FW Download. The CM always encrypts the user data, protects CSPs from unauthorized access, and provides secure sanitization methods by supporting TCG Opal SSC features. The operational rules described in this document adheres to TCG Opal. This CM is a multiple-chip-embedded hardware cryptographic module. The cryptographic boundary of the CM is the entire HDD. The physical interface for power-supply and for communication is one SAS connector. The CM is connected with host system by this SAS connector. The logical interface is the SAS, TCG SWG and Opal SSC. The CM has the non-volatile storage area for not only user data but also the keys, CSPs, and FW. The latter storage area is called the “system area”, which is not logically accessible / addressable by the host application. The CM has one approved mode of operation and CM is always in approved mode of operation. The CM provides only approved services defined in 4.2. Non-approved security functions are not implemented.
The Toshiba Secure TCG Opal SSC SED has been validated in the following versions: Model Hardware [Part Number and Firmware Distinguishing Features Version] Version MG09SCP18TA A0 PC82 SAS interface, 18TB MG09SCP16TA A0 PC82 SAS interface, 16TB The tested platform is Toshiba Cryptographic Hardware 88i1215-B1. The CM does not employ any operating system. Table 2: Cryptographic Module Tested Configuration
The CM does not implement any non-approved algorithms allowed in the approved mode of operation. It does not implement any non-approved algorithms allowed in the approved mode of operation with no security claimed. It does not implement any non-approved algorithms not allowed in the approved mode of operation. CAVP Certs Algorithm and Mode/Method Description / Key Size(s) / Use/Function Standard Key Strength A1637 RSA, FIPS RSASSA- Modulus: 3072bits, Digital signature PUB 186-4 PKCS#1-v1_5 Key Strength: 128bits verification A1637 SHS, FIPS SHA2-256 - Message digest for RSA PUB 180-4 (BYTE-only) A1638 AES, FIPS CBC Key Size: 256bits, Data encryption / PUB 197- Key Strength: 256bits decryption
CAVP Certs Algorithm and Mode/Method Description / Key Size(s) / Use/Function Standard Key Strength upd1, SP80038A A1638 AES, FIPS XTS Key Size (Key_1): 256bits, Data encryption / PUB 197- Key Size (Key_2): 256bits, decryption upd1, SP800- Key Strength: 256bits 38E A1638 HMAC, FIPS SHA2-256 Key Size: 256bits, Message authentication PUB 198-1 Key Strength: 256bits, for data integrity KS < BS verification of system area A1638 SHS, FIPS SHA2-256 - Message digest for HMAC PUB 180-4 (BYTE-only) A1645 Hash-DRBG, SHA2-256 Prediction Resistance: Deterministic random bit SP800-90A False generation rev1 A1645 SHS, FIPS SHA2-256 - Message digest for DRBG PUB 180-4 (BYTE-only) ENT (P) SP800-90B - - Seed generation for HashDRBG Vendor Affirmed CKG, SP800- - An output of the hash- Key generation 133rev2 DRBG is directly used. (Section 4 of SP800133rev2) There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. Table 3: Approved Algorithms Figure 1: MG09SCP16TA Figure 2: MG09SCP18TA Figure 3: PCA side
Figure 4: Side of the device Figure 5: SAS port Figure 6: Side of the device Figure 7 shows the CM's block diagram. In this diagram, the cryptographic boundary of the CM, defined by the enclosure of the MG09SCP18TA and the MG09SCP16TA, is indicated by a dashed line. It includes the SAS connector, the SoC, the buffer DRAM, the flash ROM and the magnetic storage medium. Figure 7: Block Diagram 3. Cryptographic Module Interfaces The CM does not implement any control output interface. Physical port Logical interface Data that passes over port / interface SAS connector Data input interface User data, FW data SAS connector Data output interface User data SAS connector Control input interface SAS control input data (ex. command frame, data frame) N/A Control output interface N/A SAS connector Status output interface SAS status output data (ex. response frame, data frame) SAS connector Power interface N/A All data, status, control, and power interfaces above use a single SAS connector that contains multiple pins for power supply, data transmission, and signal exchange. Table 4: Ports and Interfaces
Role1 Service Input Output LockingSP.Ad Enable / Disable LockingSP Security Protocol Out command Command min1 Admin/User response … Range Lock/Unlock LockingSP.Ad min4 Set range position and size TCG Reactivate TCG Cryptographic Erase (Erase) TCG Cryptographic Erase (GenKey) Zeroization (without RKey) LockingSP.Us Range Lock/Unlock Security Protocol Out command Command er1 response … Set range position and size LockingSP.Us er9 TCG Cryptographic Erase (Erase) TCG Cryptographic Erase (GenKey)2 AdminSP.SID TCG activate Security Protocol Out command Command Firmware Download Security Protocol Out command response and Write Buffer command with FW None Reset (run POSTs) Power on reset command Command response Data read / write Read/Write commands with User Command data response, User data Random number generation Security Protocol Out command Command response, Random number Show status Request Sense command Command response, Status Zeroization (with RKey) Security Protocol Out command Command (using PSID) response Cryptographic Sanitization Sanitize command Show versioning information Inquiry command Command response, Versioning
1 TCG Authority (LockingSP.Admin1-4, AdminSP.Admin1, LockingSP.User1-9 or AdminSP.SID)
can be assumed by using TCG Start Session method.
The CM is always in 140-3 approved mode of operation regardless of this functionality.
Role1 Service Input Output information Non-security relevant HDD SCSI command Command service response Table 5: Roles, Service Commands, Input and Output
The CM supports the TCG Single User Mode functionality defined in the Single User Mode feature set of TCG Opal. A single role (LockingSP.Userx) is assigned to manage the associated range (range X) during the TCG single user mode. The LockingSP.Reactivate or LockingSP.Activate method enables this mode. Authorized roles of some services differ when the CM is in single user mode. About such services, the Role(s) column in Table 6 is divided into two rows. The upper row shows authorized roles in non-single user mode (normal mode), while the lower row shows authorized roles against range X in single user mode. The CM provides the following services to operators per Section 7.4.3.1 of ISO/IEC 19790_2012_2015: Show module's versioning information: Show versioning information service Show status: Show Status service Perform self-test: Reset (run POSTs) service Perform zeroization: Zeroization (with RKey) service, Zeroization (without RKey) services Perform approved security functions: Services indicated with Approved Security Functions in Table 6 The modes of access to SSPs shown in Table 6 are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Data Encryption / decryption of AES256-XTS MEK(s) None E Command read/write unlocked user data to/from response (decrypt/encry range pt) Method: SCSI READ, WRITE commands
Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Enable Enable/Disable LockingSP HMAC N/A LockingSP.A N/A Command /Disable Admin/User (except for- SHA2- dminx response LockingSP Single-User-Data-Range 256(A1638) Admin/User User) Authority Method: SECURITY PROTOCOL OUT command (TCG Set Method) Random Provide a random number Hash_DRBG DRBG C None E Command Number generated by the CM SHA2- Vector response generation Method: SECURITY 256(A1645) DRBG V E PROTOCOL OUT command Vector (TCG Random) Range Block or allow read (decrypt) HMAC RKey LockingSP.A E Command Lock/Unlock / write (encrypt) of user SHA2- MEK(s) dminx/Locki E response data in a range. Locking 256(A1638) ngSP.Userx also requires read/write (LockingSP locking to be enabled is active) Method: LocknigSP. -SECURITY PROTOCOL Userx OUT command (TCG Set Method) Set range Set the location and size of the Hash_DRBG MEK(s) LockingSP.A G Command position and LBA range SHA2- RKey dminx E response size Method: SECURITY 256(A1645) PROTOCOL OUT command AES256-CBC (TCG Set Method) HMAC LockingSP.A SHA2- dminx 256(A1638) or ENT (P) LockingSP. CKG Userx Reset Perform self-tests and delete RSASSA- DRBG C None G, Z Command (run POSTs) CSPs in SRAM PKCS#1-v1_5 Vector response Method: Power on reset SHA2- DRBG V G, Z command 256(A1637) Vector Seed G, E, Z RKey E TCG Switch from/to TCG Opal HMAC N/A LockingSP.A N/A Command reactivate single user mode SHA2- dminx response Method: SECURITY 256(A1638) PROTOCOL OUT command (TCG Reactivate) Show Status Report status of the CM N/A N/A None N/A Command Method: REQUEST SENSE response command
Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs TCG Activate Activate LockingSP Hash_DRBG MEK(s) AdminSP.SI G Command Method: SECURITY SHA2- (except D response PROTOCOL OUT command 256(A1645) for (AdminSP.activate) AES256-CBC Global HMAC Range) SHA2- RKey E 256(A1638) TCG Erase user data (in Hash_DRBG MEK(s) N/A G, Z Command Cryptographic cryptographic means) in an SHA2- RKey E response Erase (Erase) LBA range by changing the 256(A1645) data encryption key. This AES256-CBC method is available only in HMAC LocknigSP. single user mode. SHA2- Userx Method: SECURITY 256(A1638) LockingSP.A PROTOCOL OUT command ENT (P) dminx (TCG Erase) CKG TCG Erase user data (in Hash_DRBG MEK(s) LockingSP.A G, Z Command Cryptographic cryptographic means) in an SHA2- RKey dminx E response Erase LBA range by changing the 256(A1645) (GenKey) data encryption key. AES256-CBC Method: SECURITY HMAC LockingSP. PROTOCOL OUT command SHA2Userx (TCG GenKey) 256(A1638) ENT (P) CKG Zeroization Initialize the CM by zeroizing Hash_DRBG MEK(s) None (using G, Z Command (with RKey) RKey, MEKs, and range SHA2- RKey PSID4) G, E, Z response configuration. 256(A1645) Method: SECURITY AES256-CBC PROTOCOL OUT command ( HMAC - AdminSPObj.Revert3 SHA2) 256(A1638) ENT (P) CKG Zeroization Initialize the CM by zeroizing Hash_DRBG MEK(s) LockingSP.A G, Z Command (without MEKs, and range SHA2- RKey dminx E response RKey) configuration. 256(A1645) Method: SECURITY AES256-CBC PROTOCOL OUT command ( HMAC - LockingSP.RevertSP3 SHA2- LockingSPObj.Revert3 256(A1638) ) ENT (P) CKG 3AdminSPObj.Revert, LockingSP.RevertSP, LockingSPObj.Revert are methods of TCG Opal SSC. 4PSID (Printed SID) is public drive-unique value which is used for the TCG Revert AdminSP method. PSID is printed on the HDD’s product label.
Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Firmware Enable / Disable firmware RSASSA- PubKey AdminSP.SI E Command Download download and load a part of a PKCS#1-v1_5 D response firmware image. If the SHA2firmware load test passes, the 256(A1637) CM will run with the new HMAC code. SHA2Method: SECURITY 256(A1638) PROTOCOL OUT command (TCG Set Method), WRITE BUFFER command Cryptographic Erase user data by changing Hash_DRBG MEK(s) None G, Z Command Sanitization the data encryption key. SHA2- RKey E response This service is available only 256(A1645) when all ranges are unlocked. AES256-CBC Method: SANITIZE HMAC CRYPTOGRAPHIC ERASE SHA2command 256(A1638) ENT (P) CKG Show Output the model name, HW N/A N/A None N/A Command versioning version and FW version of the response information CM. Method: INQUIRY Standard Inquiry data command with Byte 32-35 (FW version), VPD Page C2, Byte 4-5 (HW version) Non-security Provide a HDD general N/A N/A None N/A Command relevant HDD service response service Method: SCSI commands Table 6: Approved Services
which requires new 140-3 certification.
256 133rev2 No position and hic storage purpose)
Symmetric XTS(A1638) size” services. Sanitization” Compliant services Encrypted and with IG C.I In the factory (explicitly) decrypted by RKey (Key_1 ≠ By “Range Key_2) Lock/Unlock” Plain/ in service. SRAM (SoC By power-off By “Reset” register) (implicitly) service (when /Dynami the associated c range is unlocked) Obfuscat By Hash- After ed (plain By DRBG “Zeroization in 140-3 “Zeroization RKey/ CSP/ AES- (A1645) (with RKey)” means) / Encryption and
256 No (with RKey)”
Symmetric CBC(A1638) service. in decryption of MEKs service CKG, SP800- System (explicitly) 133rev2 In the factory area /Static
Security Key/SSP/Name/ Import/ Strength function and Generation Establishment Storage Zeroization Use & related keys Type export cert. number By “Zeroization (with RKey /without RKey)”, “TCG Cryptographic Erase (Erase/ GenKey)”, “Cryptographic Sanitization”, Plain/ in “TCG Activate”, SRAM After use “Set range /Dynami (implicitly) position and c size”, and “Range Lock/Unlock” services. By “Reset” service (when the range is unlocked) Plain/ in HashSeed/ CSP/ DRBG By Entropy At instantiation SRAM By power-off Instantiation of N/A6 DRBG(A1645), No seed5 source (SP800-90Arev1) /Dynami (implicitly) Hash_DRBG Entropy source c Plain/ in DRBG C Vector Hash- At instantiation SRAM By power-off Random number /CSP /internal N/A6 By DRBG No DRBG(A1645) (SP800-90Arev1) /Dynami (implicitly) generation state c Plain/ in DRBG V Vector / Hash- At instantiation SRAM By power-off Random number CSP/ internal N/A6 By DRBG No DRBG(A1645) (SP800-90Arev1) /Dynami (implicitly) generation state c Plain / Embedde By d in FW "Firmware Modulus: In the factory in Download”
PubKey/ PSP/ Manufacturi Signature Key PKCS#1- No area (explicitly) Public ng verification Strength v1_5(A1637) /Static :128 Plain/ in By “Firmware SRAM By power-off Download” /Dynami (implicitly) service c Table 8: SSPs Note that there is no security-relevant audit feature and audit data.
Entropy sources Minimum number of bits of Details entropy Entropy source 0.6 / 1 Physical noise source used to seed the approved HashDRBG. The overall amount of generated entropy is 48 bytes. This entropy source meets NIST SP800-90B requirements. Table 9: Non-Deterministic Random Number Generation Specification If the source may deteriorate to the point when the generation of the sufficient amount of entropy can no longer be guaranteed, health test detects the source deterioration, enter an error state, and halts the CM. When the CM continuously enters in error state in spite of several trials of reboot, the CM shall be sent back to factory to recover from error state. 10. Self-Tests The CM runs self-tests in the following table. Function Self-test type Description Operator Failure behavior initiation Firmware Pre-operational EDC (32bits) Power-cycle Boot error state integrity check software/firmware verification of the The CM is not accessible integrity test firmware in the Mask via SAS interface ROM Signature verification Boot error state of the firmware in the The CM is not accessible flash ROM by via SAS interface RSASSA-PKCS#1v1_5 with a 3072-bit Modulus using “PubKey2” Signature verification Boot error state of the firmware in the Status: CHECK disk media by CONDITION(02h), Sense RSASSA-PKCS#1- Data: 04 4C 9F v1_5 with a 3072-bit Modulus using “PubKey2” AES CBC Conditional Encrypt KAT with a Power-cycle Boot error state cryptographic 256-bit key Status: CHECK algorithm test Decrypt KAT with a CONDITION(02h), Sense 256-bit key Data: 04 44 92 AES XTS Conditional Encrypt KAT with a Power-cycle cryptographic 256-bit key algorithm test Decrypt KAT with a 256-bit key SHA2- Conditional Digest KAT Power-cycle 256(A1637) cryptographic algorithm test SHA2- Conditional Digest KAT Power-cycle 256(A1638) cryptographic algorithm test SHA2- Conditional Digest KAT Power-cycle 256(A1645) cryptographic
algorithm test Hash DRBG Conditional DRBG KAT for Power-cycle cryptographic instantiate and algorithm test generate functions HMAC Conditional Digest KAT Power-cycle cryptographic algorithm test RSASSA- Conditional Signature verification Power-cycle PKCS#1-v1_5 cryptographic KAT with a 3072-bit algorithm test Modulus Entropy source Conditional SP800-90B Start-up Power-cycle Boot error state cryptographic health test (repetition Status: CHECK algorithm test count test, adaptive CONDITION(02h), Sense proportion test) Data: 04 40 91 SP800-90B Power-cycle Error state (conditional Continuous health test) test (repetition count Status: CHECK test, adaptive CONDITION(02h), Sense proportion test) Data: 04 44 92 Firmware Conditional Signature verification N/A Error state (FW Load Test) load test software/firmware of firmware image by Status: CHECK load test RSASSA-PKCS#1- CONDITION(02h), Sense v1_5 with a 3072-bit Data: 0B 74 08 Modulus The CM discards the new firmware image, then enters the Idle state The public verification key “PubKey2” used in firmware integrity check resides within the MaskROM code and is not a SSP. SHA2-256(A1637) is embedded in RSASSA-PKCS#1-v1_5, while SHA2-256(A1638) is used in HMAC, and SHA2-256(A1645) is employed in Hash DRBG. The CM does not implement reseed function of Hash DRBG. Table 10: Self-Tests If the CM fails the self-test, it enters one of three error states: Error State (Conditional Test), Error State (FW Load Test), or Boot Error State. If the SP800-90B continuous health test fails, it enters Error State (Conditional Test); if the firmware load test fails, it goes to Error State (FW Load Test); and for other self-tests, it transitions to Boot Error State. Status indicator for each error state is specified in Table 10 (e.g. “Status: CHECK CONDITION(02h), Sense Data: 04 40 91” indicates the CM is currently in Boot Error State). When in the error state, the CM does not perform any cryptographic operations or output data. A power cycle is required to clear the error state. When the CM continuously enters the error state despite several reboot attempts, the CM should be returned to the factory for recovery from the error state. The CM does not support any degraded operation.