All modules
CMVP Validated Module · FIPS 140-3 Security Policy

VMware VMkernel Cryptographic Module 2.0

Certificate#4815StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorVMware, Inc.
High review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 10212 CVEs since this module's initial validation  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/25/2029
CaveatNone
VendorVMware, Inc.

Approved Algorithms (13)

AlgorithmACVP Cert
AES-CBCA2792
AES-CBC-CS3A2792
AES-CTRA2792
AES-ECBA2792
AES-GCMA2792
AES-XTS Testing Revision 2.0A2792
Counter DRBGA2792
HMAC-SHA-1A2792
HMAC-SHA2-256A2792
HMAC-SHA2-512A2792
SHA-1A2792
SHA2-256A2792
SHA2-512A2792

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for VMware VMkernel Cryptographic Module 2.0
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>self-test<br/>Show Status</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C6 clue;
  class I3,I6 infer;
  class R3,R6 risk;
  class E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for VMware VMkernel Cryptographic Module 2.0
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>self-test<br/>Show Status</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C6 clueLow;

Security Policy, page by page

Page 1

VMware VMkernel Cryptographic Module 2.0 Document Version: 1.2

Page 2

VMware VMkernel Cryptographic Module 2.0

Page 3

VMware VMkernel Cryptographic Module 2.0

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 1

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security N/A

8 Non-invasive Security N/A

9 Sensitive Security Parameters Management 1

10 Self-tests 1

11 Life-Cycle Assurance 1

12 Mitigation of Other Attacks N/A

Page 4

VMware VMkernel Cryptographic Module 2.0

1 ESXi 8.0 Dell EMC PowerEdge R650 Intel Xeon Gold 6330 Without PAA

2.00GHz The module, a set of object files/libraries, is intended to provide cryptographic services to Vmware’s ESXi platform. Table 3 below lists all security functions in the module for use in approved services. Vendor Affirmed Operational Environments have not been claimed. Table 3

Page 5

VMware VMkernel Cryptographic Module 2.0

Page 6

VMware VMkernel Cryptographic Module 2.0

Page 7

VMware VMkernel Cryptographic Module 2.0

Page 8

VMware VMkernel Cryptographic Module 2.0

Page 9

VMware VMkernel Cryptographic Module 2.0

Page 10

VMware VMkernel Cryptographic Module 2.0

Page 11

VMware VMkernel Cryptographic Module 2.0

Page 12

VMware VMkernel Cryptographic Module 2.0

Page 13

VMware VMkernel Cryptographic Module 2.0

Page 14

VMware VMkernel Cryptographic Module 2.0

Page 15

VMware VMkernel Cryptographic Module 2.0

Page 16

VMware VMkernel Cryptographic Module 2.0

256 bits is not call

strength exported from the module MD/EE HMAC key 160-bit, SHA-1, N/A Imported N/A RAM in Reboot OS; Message (CSP) 256-bit, SHA2-256, only, plaintext Cycle host Authentication 512-bit 512, The key power; API CAVP Cert. is not call #A2792 exported from the module MD/EE

Page 17

VMware VMkernel Cryptographic Module 2.0

Page 18

VMware VMkernel Cryptographic Module 2.0

Page 19

VMware VMkernel Cryptographic Module 2.0

Page 20

VMware VMkernel Cryptographic Module 2.0

Page 21

VMware VMkernel Cryptographic Module 2.0

Page 22

VMware VMkernel Cryptographic Module 2.0

Page 23

VMware VMkernel Cryptographic Module 2.0

Page 24

END OF DOCUMENT VMware and the VMware logo are registered trademarks or trademarks of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. VMware products are covered by one or more patents listed at vmware.com/go/patents. Item No: vmw-wp-tech-temp-uslet-word-2021 8/21