All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09SCP18TA and MG09SCP16TA

Certificate#4813StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip EmbeddedStatusActiveVendorToshiba Electronic Devices & Storage Corporation
High review priority  ·  no TCB surface named  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Embedded
StatusActive
Sunset date9/23/2029
CaveatNone
VendorToshiba Electronic Devices & Storage Corporation

Approved Algorithms (9)

AlgorithmACVP Cert
AES-CBCA1638
AES-ECBA1638
AES-XTS Testing Revision 2.0A1638
Hash DRBGA1645
HMAC-SHA2-256A1638
RSA SigVer (FIPS186-4)A1637
SHA2-256A1637
SHA2-256A1638
SHA2-256A1645

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09SCP18TA and MG09SCP16TA
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status output<br/>Show status</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09SCP18TA and MG09SCP16TA
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status output<br/>Show status</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series MG09SCP18TA and MG09SCP16TA Prepared by: Rev 2.4.0

1 Sep. 13, 2024
Page 2
2 Sep. 13, 2024
Page 3
  1. General The Toshiba Secure TCG Opal SSC Self-Encrypting Drive Series (MG09SCP18TA and MG09SCP16TA) is used for hard disk drive data security. The security levels for this Cryptographic Module (CM) are as follows: ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security [Number Below] Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 2

6 Operational environment 1

7 Physical security 1

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels This document is non-proprietary and may be reproduced in its original entirety.

1.1 Acronyms

AES Advanced Encryption Standard CM Cryptographic Module CSP Critical Security Parameter DRBG Deterministic Random Bit Generator EBG Entropy Bit Generator FW Firmware HMAC Keyed-Hashing for Message Authentication code KAT Known Answer Test LBA Logical Block Address PCA Printed Circuit Assembly POST Power on Self-Test (pre-operational self-tests and conditional algorithm self-tests) SoC System on Chip SSC Security Subsystem Class SED Self-Encrypting Drive SHA Secure Hash Algorithm SID Security ID TCG SWG Trusted Computing Group Storage Work Group TOEPP Tested Operational Environment’s Physical Perimeter

3 Sep. 13, 2024
Page 4

2. Cryptographic Module Specification This CM provides various cryptographic services using approved algorithms. Services include hardware-based data encryption, cryptographic erase, independently protected user data LBA ranges, and FW Download. The CM always encrypts the user data, protects CSPs from unauthorized access, and provides secure sanitization methods by supporting TCG Opal SSC features. The operational rules described in this document adheres to TCG Opal. This CM is a multiple-chip-embedded hardware cryptographic module. The cryptographic boundary of the CM is the entire HDD. The physical interface for power-supply and for communication is one SAS connector. The CM is connected with host system by this SAS connector. The logical interface is the SAS, TCG SWG and Opal SSC. The CM has the non-volatile storage area for not only user data but also the keys, CSPs, and FW. The latter storage area is called the “system area”, which is not logically accessible / addressable by the host application. The CM has one approved mode of operation and CM is always in approved mode of operation. The CM provides only approved services defined in 4.2. Non-approved security functions are not implemented.

2.1 Product Version

The Toshiba Secure TCG Opal SSC SED has been validated in the following versions: Model Hardware [Part Number and Firmware Distinguishing Features Version] Version MG09SCP18TA A0 PC82 SAS interface, 18TB MG09SCP16TA A0 PC82 SAS interface, 16TB The tested platform is Toshiba Cryptographic Hardware 88i1215-B1. The CM does not employ any operating system. Table 2: Cryptographic Module Tested Configuration

2.2 All Security Functions

The CM does not implement any non-approved algorithms allowed in the approved mode of operation. It does not implement any non-approved algorithms allowed in the approved mode of operation with no security claimed. It does not implement any non-approved algorithms not allowed in the approved mode of operation. CAVP Certs Algorithm and Mode/Method Description / Key Size(s) / Use/Function Standard Key Strength A1637 RSA, FIPS RSASSA- Modulus: 3072bits, Digital signature PUB 186-4 PKCS#1-v1_5 Key Strength: 128bits verification A1637 SHS, FIPS SHA2-256 - Message digest for RSA PUB 180-4 (BYTE-only) A1638 AES, FIPS CBC Key Size: 256bits, Data encryption / PUB 197- Key Strength: 256bits decryption

4 Sep. 13, 2024
Page 5

CAVP Certs Algorithm and Mode/Method Description / Key Size(s) / Use/Function Standard Key Strength upd1, SP80038A A1638 AES, FIPS XTS Key Size (Key_1): 256bits, Data encryption / PUB 197- Key Size (Key_2): 256bits, decryption upd1, SP800- Key Strength: 256bits 38E A1638 HMAC, FIPS SHA2-256 Key Size: 256bits, Message authentication PUB 198-1 Key Strength: 256bits, for data integrity KS < BS verification of system area A1638 SHS, FIPS SHA2-256 - Message digest for HMAC PUB 180-4 (BYTE-only) A1645 Hash-DRBG, SHA2-256 Prediction Resistance: Deterministic random bit SP800-90A False generation rev1 A1645 SHS, FIPS SHA2-256 - Message digest for DRBG PUB 180-4 (BYTE-only) ENT (P) SP800-90B - - Seed generation for HashDRBG Vendor Affirmed CKG, SP800- - An output of the hash- Key generation 133rev2 DRBG is directly used. (Section 4 of SP800133rev2) There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. Table 3: Approved Algorithms Figure 1: MG09SCP16TA Figure 2: MG09SCP18TA Figure 3: PCA side

5 Sep. 13, 2024
Page 6

Figure 4: Side of the device Figure 5: SAS port Figure 6: Side of the device Figure 7 shows the CM's block diagram. In this diagram, the cryptographic boundary of the CM, defined by the enclosure of the MG09SCP18TA and the MG09SCP16TA, is indicated by a dashed line. It includes the SAS connector, the SoC, the buffer DRAM, the flash ROM and the magnetic storage medium. Figure 7: Block Diagram 3. Cryptographic Module Interfaces The CM does not implement any control output interface. Physical port Logical interface Data that passes over port / interface SAS connector Data input interface User data, FW data SAS connector Data output interface User data SAS connector Control input interface SAS control input data (ex. command frame, data frame) N/A Control output interface N/A SAS connector Status output interface SAS status output data (ex. response frame, data frame) SAS connector Power interface N/A All data, status, control, and power interfaces above use a single SAS connector that contains multiple pins for power supply, data transmission, and signal exchange. Table 4: Ports and Interfaces

6 Sep. 13, 2024
Page 7
  1. Roles, Services, and Authentication This section describes roles and services the CM supports. The CM supports 14 Crypto Officer roles listed in Table
  2. The roles listed in Table 5 are all Crypto Officer roles. The CM does not implement any Non-Approved Services.
4.1 Roles

Role1 Service Input Output LockingSP.Ad Enable / Disable LockingSP Security Protocol Out command Command min1 Admin/User response … Range Lock/Unlock LockingSP.Ad min4 Set range position and size TCG Reactivate TCG Cryptographic Erase (Erase) TCG Cryptographic Erase (GenKey) Zeroization (without RKey) LockingSP.Us Range Lock/Unlock Security Protocol Out command Command er1 response … Set range position and size LockingSP.Us er9 TCG Cryptographic Erase (Erase) TCG Cryptographic Erase (GenKey)2 AdminSP.SID TCG activate Security Protocol Out command Command Firmware Download Security Protocol Out command response and Write Buffer command with FW None Reset (run POSTs) Power on reset command Command response Data read / write Read/Write commands with User Command data response, User data Random number generation Security Protocol Out command Command response, Random number Show status Request Sense command Command response, Status Zeroization (with RKey) Security Protocol Out command Command (using PSID) response Cryptographic Sanitization Sanitize command Show versioning information Inquiry command Command response, Versioning

1 TCG Authority (LockingSP.Admin1-4, AdminSP.Admin1, LockingSP.User1-9 or AdminSP.SID)

can be assumed by using TCG Start Session method.

2 Available only when the CM uses TCG Single User Mode functionality.

The CM is always in 140-3 approved mode of operation regardless of this functionality.

7 Sep. 13, 2024
Page 8

Role1 Service Input Output information Non-security relevant HDD SCSI command Command service response Table 5: Roles, Service Commands, Input and Output

4.2 Services

The CM supports the TCG Single User Mode functionality defined in the Single User Mode feature set of TCG Opal. A single role (LockingSP.Userx) is assigned to manage the associated range (range X) during the TCG single user mode. The LockingSP.Reactivate or LockingSP.Activate method enables this mode. Authorized roles of some services differ when the CM is in single user mode. About such services, the Role(s) column in Table 6 is divided into two rows. The upper row shows authorized roles in non-single user mode (normal mode), while the lower row shows authorized roles against range X in single user mode. The CM provides the following services to operators per Section 7.4.3.1 of ISO/IEC 19790_2012_2015:  Show module's versioning information: Show versioning information service  Show status: Show Status service  Perform self-test: Reset (run POSTs) service  Perform zeroization: Zeroization (with RKey) service, Zeroization (without RKey) services  Perform approved security functions: Services indicated with Approved Security Functions in Table 6 The modes of access to SSPs shown in Table 6 are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Data Encryption / decryption of AES256-XTS MEK(s) None E Command read/write unlocked user data to/from response (decrypt/encry range pt) Method: SCSI READ, WRITE commands

8 Sep. 13, 2024
Page 9

Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Enable Enable/Disable LockingSP HMAC N/A LockingSP.A N/A Command /Disable Admin/User (except for- SHA2- dminx response LockingSP Single-User-Data-Range 256(A1638) Admin/User User) Authority Method: SECURITY PROTOCOL OUT command (TCG Set Method) Random Provide a random number Hash_DRBG DRBG C None E Command Number generated by the CM SHA2- Vector response generation Method: SECURITY 256(A1645) DRBG V E PROTOCOL OUT command Vector (TCG Random) Range Block or allow read (decrypt) HMAC RKey LockingSP.A E Command Lock/Unlock / write (encrypt) of user SHA2- MEK(s) dminx/Locki E response data in a range. Locking 256(A1638) ngSP.Userx also requires read/write (LockingSP locking to be enabled is active) Method: LocknigSP. -SECURITY PROTOCOL Userx OUT command (TCG Set Method) Set range Set the location and size of the Hash_DRBG MEK(s) LockingSP.A G Command position and LBA range SHA2- RKey dminx E response size Method: SECURITY 256(A1645) PROTOCOL OUT command AES256-CBC (TCG Set Method) HMAC LockingSP.A SHA2- dminx 256(A1638) or ENT (P) LockingSP. CKG Userx Reset Perform self-tests and delete RSASSA- DRBG C None G, Z Command (run POSTs) CSPs in SRAM PKCS#1-v1_5 Vector response Method: Power on reset SHA2- DRBG V G, Z command 256(A1637) Vector Seed G, E, Z RKey E TCG Switch from/to TCG Opal HMAC N/A LockingSP.A N/A Command reactivate single user mode SHA2- dminx response Method: SECURITY 256(A1638) PROTOCOL OUT command (TCG Reactivate) Show Status Report status of the CM N/A N/A None N/A Command Method: REQUEST SENSE response command

9 Sep. 13, 2024
Page 10

Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs TCG Activate Activate LockingSP Hash_DRBG MEK(s) AdminSP.SI G Command Method: SECURITY SHA2- (except D response PROTOCOL OUT command 256(A1645) for (AdminSP.activate) AES256-CBC Global HMAC Range) SHA2- RKey E 256(A1638) TCG Erase user data (in Hash_DRBG MEK(s) N/A G, Z Command Cryptographic cryptographic means) in an SHA2- RKey E response Erase (Erase) LBA range by changing the 256(A1645) data encryption key. This AES256-CBC method is available only in HMAC LocknigSP. single user mode. SHA2- Userx Method: SECURITY 256(A1638) LockingSP.A PROTOCOL OUT command ENT (P) dminx (TCG Erase) CKG TCG Erase user data (in Hash_DRBG MEK(s) LockingSP.A G, Z Command Cryptographic cryptographic means) in an SHA2- RKey dminx E response Erase LBA range by changing the 256(A1645) (GenKey) data encryption key. AES256-CBC Method: SECURITY HMAC LockingSP. PROTOCOL OUT command SHA2Userx (TCG GenKey) 256(A1638) ENT (P) CKG Zeroization Initialize the CM by zeroizing Hash_DRBG MEK(s) None (using G, Z Command (with RKey) RKey, MEKs, and range SHA2- RKey PSID4) G, E, Z response configuration. 256(A1645) Method: SECURITY AES256-CBC PROTOCOL OUT command ( HMAC - AdminSPObj.Revert3 SHA2) 256(A1638) ENT (P) CKG Zeroization Initialize the CM by zeroizing Hash_DRBG MEK(s) LockingSP.A G, Z Command (without MEKs, and range SHA2- RKey dminx E response RKey) configuration. 256(A1645) Method: SECURITY AES256-CBC PROTOCOL OUT command ( HMAC - LockingSP.RevertSP3 SHA2- LockingSPObj.Revert3 256(A1638) ) ENT (P) CKG 3AdminSPObj.Revert, LockingSP.RevertSP, LockingSPObj.Revert are methods of TCG Opal SSC. 4PSID (Printed SID) is public drive-unique value which is used for the TCG Revert AdminSP method. PSID is printed on the HDD’s product label.

10 Sep. 13, 2024
Page 11

Service Description Approved Keys Role(s) Access Indicator Security and/or rights Functions SSPs to Keys and/or SSPs Firmware Enable / Disable firmware RSASSA- PubKey AdminSP.SI E Command Download download and load a part of a PKCS#1-v1_5 D response firmware image. If the SHA2firmware load test passes, the 256(A1637) CM will run with the new HMAC code. SHA2Method: SECURITY 256(A1638) PROTOCOL OUT command (TCG Set Method), WRITE BUFFER command Cryptographic Erase user data by changing Hash_DRBG MEK(s) None G, Z Command Sanitization the data encryption key. SHA2- RKey E response This service is available only 256(A1645) when all ranges are unlocked. AES256-CBC Method: SANITIZE HMAC CRYPTOGRAPHIC ERASE SHA2command 256(A1638) ENT (P) CKG Show Output the model name, HW N/A N/A None N/A Command versioning version and FW version of the response information CM. Method: INQUIRY Standard Inquiry data command with Byte 32-35 (FW version), VPD Page C2, Byte 4-5 (HW version) Non-security Provide a HDD general N/A N/A None N/A Command relevant HDD service response service Method: SCSI commands Table 6: Approved Services

  1. Software/Firmware Security FW integrity check is performed at power on. Signature verification using RSASSA-PKCS#1-v1_5 of the FW codes (in the flash ROM and in the disk media) and EDC verification of the FW code in the Mask ROM are done. The operator can initiate the on-demand FW integrity check by power cycling. All firmware components are in executable form, which cannot be dynamically modified.
  2. Operational Environment The CM is a hardware module and operates in a non-modifiable operational environment, that is its firmware cannot be modified and no code can be added or deleted. SSPs are controlled by the CM itself, and uncontrolled access to CSPs and uncontrolled modifications of SSPs are prevented. Although firmware can be updated by “Firmware Download” service, whole FW codes (in the flash ROM and in the disk media) are replaced by this service, and the module becomes another module
11 Sep. 13, 2024
Page 12

which requires new 140-3 certification.

  1. Physical Security The CM has the following physical security: ⚫ Production-grade components with standard passivation ⚫ Exterior of the drive is opaque The operator is required to periodically inspect the enclosure condition of the CM.
  2. Non-Invasive Security The CM does not employ non-invasive mitigation techniques referenced in NIST SP800-140F.
  3. Sensitive Security Parameters Management The CM uses SSPs in the following tables: Security Key/SSP/Name/ Import/ Strength function and Generation Establishment Storage Zeroization Use & related keys Type export cert. number After By “Zeroization “Zeroization (with RKey (with RKey /without RKey)”, /without “TCG RKey)”, Cryptographic Encrypte “TCG Erase (Erase/ d by Cryptograph By Hash- GenKey)”, RKey / in ic Erase DRBG “Cryptographic System (Erase / (A1645) Sanitization”, area GenKey)”, User data “TCG Activate”, /Static and encryption and CKG, SP800- and “Set range “Cryptograp decryption (only for MEKs/ CSP/ AES-

256 133rev2 No position and hic storage purpose)

Symmetric XTS(A1638) size” services. Sanitization” Compliant services Encrypted and with IG C.I In the factory (explicitly) decrypted by RKey (Key_1 ≠ By “Range Key_2) Lock/Unlock” Plain/ in service. SRAM (SoC By power-off By “Reset” register) (implicitly) service (when /Dynami the associated c range is unlocked) Obfuscat By Hash- After ed (plain By DRBG “Zeroization in 140-3 “Zeroization RKey/ CSP/ AES- (A1645) (with RKey)” means) / Encryption and

256 No (with RKey)”

Symmetric CBC(A1638) service. in decryption of MEKs service CKG, SP800- System (explicitly) 133rev2 In the factory area /Static

12 Sep. 13, 2024
Page 13

Security Key/SSP/Name/ Import/ Strength function and Generation Establishment Storage Zeroization Use & related keys Type export cert. number By “Zeroization (with RKey /without RKey)”, “TCG Cryptographic Erase (Erase/ GenKey)”, “Cryptographic Sanitization”, Plain/ in “TCG Activate”, SRAM After use “Set range /Dynami (implicitly) position and c size”, and “Range Lock/Unlock” services. By “Reset” service (when the range is unlocked) Plain/ in HashSeed/ CSP/ DRBG By Entropy At instantiation SRAM By power-off Instantiation of N/A6 DRBG(A1645), No seed5 source (SP800-90Arev1) /Dynami (implicitly) Hash_DRBG Entropy source c Plain/ in DRBG C Vector Hash- At instantiation SRAM By power-off Random number /CSP /internal N/A6 By DRBG No DRBG(A1645) (SP800-90Arev1) /Dynami (implicitly) generation state c Plain/ in DRBG V Vector / Hash- At instantiation SRAM By power-off Random number CSP/ internal N/A6 By DRBG No DRBG(A1645) (SP800-90Arev1) /Dynami (implicitly) generation state c Plain / Embedde By d in FW "Firmware Modulus: In the factory in Download”

3072 RSASSA- system service

PubKey/ PSP/ Manufacturi Signature Key PKCS#1- No area (explicitly) Public ng verification Strength v1_5(A1637) /Static :128 Plain/ in By “Firmware SRAM By power-off Download” /Dynami (implicitly) service c Table 8: SSPs Note that there is no security-relevant audit feature and audit data.

5 Entropy input string and nonce.
6 The security strength of Hash_DRBG is 256 bits.
13 Sep. 13, 2024
Page 14

Entropy sources Minimum number of bits of Details entropy Entropy source 0.6 / 1 Physical noise source used to seed the approved HashDRBG. The overall amount of generated entropy is 48 bytes. This entropy source meets NIST SP800-90B requirements. Table 9: Non-Deterministic Random Number Generation Specification If the source may deteriorate to the point when the generation of the sufficient amount of entropy can no longer be guaranteed, health test detects the source deterioration, enter an error state, and halts the CM. When the CM continuously enters in error state in spite of several trials of reboot, the CM shall be sent back to factory to recover from error state. 10. Self-Tests The CM runs self-tests in the following table. Function Self-test type Description Operator Failure behavior initiation Firmware Pre-operational EDC (32bits) Power-cycle Boot error state integrity check software/firmware verification of the The CM is not accessible integrity test firmware in the Mask via SAS interface ROM Signature verification Boot error state of the firmware in the The CM is not accessible flash ROM by via SAS interface RSASSA-PKCS#1v1_5 with a 3072-bit Modulus using “PubKey2” Signature verification Boot error state of the firmware in the Status: CHECK disk media by CONDITION(02h), Sense RSASSA-PKCS#1- Data: 04 4C 9F v1_5 with a 3072-bit Modulus using “PubKey2” AES CBC Conditional Encrypt KAT with a Power-cycle Boot error state cryptographic 256-bit key Status: CHECK algorithm test Decrypt KAT with a CONDITION(02h), Sense 256-bit key Data: 04 44 92 AES XTS Conditional Encrypt KAT with a Power-cycle cryptographic 256-bit key algorithm test Decrypt KAT with a 256-bit key SHA2- Conditional Digest KAT Power-cycle 256(A1637) cryptographic algorithm test SHA2- Conditional Digest KAT Power-cycle 256(A1638) cryptographic algorithm test SHA2- Conditional Digest KAT Power-cycle 256(A1645) cryptographic

14 Sep. 13, 2024
Page 15

algorithm test Hash DRBG Conditional DRBG KAT for Power-cycle cryptographic instantiate and algorithm test generate functions HMAC Conditional Digest KAT Power-cycle cryptographic algorithm test RSASSA- Conditional Signature verification Power-cycle PKCS#1-v1_5 cryptographic KAT with a 3072-bit algorithm test Modulus Entropy source Conditional SP800-90B Start-up Power-cycle Boot error state cryptographic health test (repetition Status: CHECK algorithm test count test, adaptive CONDITION(02h), Sense proportion test) Data: 04 40 91 SP800-90B Power-cycle Error state (conditional Continuous health test) test (repetition count Status: CHECK test, adaptive CONDITION(02h), Sense proportion test) Data: 04 44 92 Firmware Conditional Signature verification N/A Error state (FW Load Test) load test software/firmware of firmware image by Status: CHECK load test RSASSA-PKCS#1- CONDITION(02h), Sense v1_5 with a 3072-bit Data: 0B 74 08 Modulus The CM discards the new firmware image, then enters the Idle state The public verification key “PubKey2” used in firmware integrity check resides within the MaskROM code and is not a SSP. SHA2-256(A1637) is embedded in RSASSA-PKCS#1-v1_5, while SHA2-256(A1638) is used in HMAC, and SHA2-256(A1645) is employed in Hash DRBG. The CM does not implement reseed function of Hash DRBG. Table 10: Self-Tests If the CM fails the self-test, it enters one of three error states: Error State (Conditional Test), Error State (FW Load Test), or Boot Error State. If the SP800-90B continuous health test fails, it enters Error State (Conditional Test); if the firmware load test fails, it goes to Error State (FW Load Test); and for other self-tests, it transitions to Boot Error State. Status indicator for each error state is specified in Table 10 (e.g. “Status: CHECK CONDITION(02h), Sense Data: 04 40 91” indicates the CM is currently in Boot Error State). When in the error state, the CM does not perform any cryptographic operations or output data. A power cycle is required to clear the error state. When the CM continuously enters the error state despite several reboot attempts, the CM should be returned to the factory for recovery from the error state. The CM does not support any degraded operation.

15 Sep. 13, 2024
Page 16
  1. Life-Cycle Assurance The following are the secure initialization procedure for the CM. The CM is always in approved mode of operation in a deployed environment. In addition to this, the following procedure of initial settings will allow further secure operation during power cycling. Please refer to TCG Opal specification (TCG Storage Security Subsystem Class: Opal Version 2.01 Revision 1.00) for the details. (1) Activate LockingSP by “TCG Activate” service. (2) Set LockOnReset in Download port to “Power Cycle”. (3) Set ReadLockEnabled and WriteLockEnabled to 1(true) and LockOnReset to “Power Cycle”. (4) Do a power-on-reset. The longest service life of the CM under suitable conditions and treatment is 5 years. By the end of this period the operator is required to follow the CM’s end of life procedures below. (1) Initialize internal sensitive data in the host system. (2) Initialize parameters and user information in the CM by “Zeroization (with RKey)” service. For additional details, refer to the guidance documents provided with the CM: ⚫ 3.5 type SAS Hard Disk Drives Product Specification ⚫ 3.5 type SAS Hard Disk Drives Interface Specification ⚫ 3.5 type Hard Disk Drives SED Specification ⚫ Toshiba SED HDD FIPS140-2/3 Use case Rev.6.0
  2. Mitigation of Other Attacks The CM does not mitigate other attacks beyond the scope of 140-3 requirements.
16 Sep. 13, 2024