| Standard | FIPS 140-3 |
|---|---|
| Overall level | 3 |
| Module type | Hardware |
| Embodiment | Single Chip |
| Status | Active |
| Sunset date | 10/14/2029 |
| Caveat | When utilizing a Trusted Channel as specified in the Security Policy. |
| Vendor | NXP Semiconductors, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2953 |
| AES-CCM | A2962 |
| AES-CMAC | A2954 |
| AES-ECB | A2953 |
| AES-GCM | A2964 |
| AES-GCM | A2964 |
| ECDSA KeyGen (FIPS186-4) | A2963 |
| ECDSA SigGen (FIPS186-4) | A2963 |
| ECDSA SigVer (FIPS186-4) | A2963 |
| Hash DRBG | A2955 |
| HMAC-SHA2-224 | A2961 |
| HMAC-SHA2-256 | A2961 |
| HMAC-SHA2-384 | A2961 |
| HMAC-SHA2-512 | A2961 |
| KAS-ECC-SSC Sp800-56Ar3 | A2972 |
| KDA OneStep Sp800-56Cr1 | A2965 |
| KDF SP800-108 | A2966 |
| KDF TLS | A2973 |
| RSA SigVer (FIPS186-4) | A2967 |
| SHA2-224 | A2956 |
| SHA2-256 | A2955 |
| SHA2-256 | A2956 |
| SHA2-384 | A2956 |
| SHA2-512 | A2956 |
| TLS v1.2 KDF RFC7627 | A2973 |
flowchart LR
%% Deterministic review-risk graph for i.MX8 DXL SECO HSM
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>load firmware<br/>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>unauthenticated<br/>Status output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for i.MX8 DXL SECO HSM
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>load firmware<br/>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>unauthenticated<br/>Status output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;i.MX8 DXL SECO HSM Document Version 1.2 March 27, 2024 Prepared for: Prepared by: NXP Semiconductors KeyPair Consulting Inc. MIKRONWEG 1 987 Osos Street
Austria USA NXP.com keypair.us
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Table of Contents List of Tables List of Figures NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy References Ref. Full Specification Name Date Algorithm-Related References [107r1] NIST, SP 800-107 Rev. 1, Recommendation for Applications Using Approved Hash Algorithms 24-Aug-2012 [108r1] NIST, SP 800-108 Rev. 1, Recommendation for Key Derivation Using Pseudorandom Functions 17-Aug-2022 [131Ar2] NIST, SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths 21-Mar-2019 [133r2] NIST, SP 800-133 Rev. 2, Recommendation for Cryptographic Key Generation 4-Jun-2020 [135r1] NIST, SP 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions 23-Dec-2011 [180] NIST, FIPS 180-4, Secure Hash Standard (SHS) 4-Aug-2015 [186] NIST, FIPS 186-4, Digital Signature Standard (DSS) 19-Jul-2013 [197] NIST, FIPS 197, Advanced Encryption Standard (AES) 26-Nov-2001 [198] NIST, FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC) 16-Jul-2008 [38A] NIST, SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques 1-Dec-2001 [38B] NIST, SP 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for 6-Oct-2016 Authentication [38C] NIST, SP 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for 20-Jul-2007 Authentication and Confidentiality [38D] NIST, SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode 28-Nov-2007 (GCM) and GMAC [38F] NIST, SP 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping 13-Dec-2012 [56Ar3] NIST, SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete 16-Apr-2018 Logarithm Cryptography [56Cr2] NIST, SP 800-56C Rev. 2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes 18-Aug-2020 [57P1r5] NIST, SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 - General 4-May-2020 [90Ar1] NIST, SP 800-90A Rev. 1, Recommendation for Random Number Generation Using Deterministic 24-Jun-2015 Random Bit Generators [90B] NIST, SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation 10-Jan-2018 Other References [140] NIST, FIPS 140-3, Security Requirements for Cryptographic Modules 22-Mar-2019 [140DTR] NIST, SP 800-140, FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to 20-Mar-2020 ISO/IEC 24759 [140A] NIST, SP 800-140A, CMVP Documentation Requirements: CMVP Validation Authority Updates to 20-Mar-2020 ISO/IEC 24759 [140B] NIST, SP 800-140B, CMVP Security Policy Requirements: CMVP Validation Authority Updates to 20-Mar-2020 ISO/IEC 24759 and ISO/IEC 19790 Annex B [140Cr1] NIST, SP 800-140C Rev. 1, CMVP Approved Security Functions: CMVP Validation Authority Updates to 20-May-2022 ISO/IEC 24759 [140Dr1] NIST, SP 800-140D Rev. 1, CMVP Approved Sensitive Parameter Generation and Establishment 20-May-2022 Methods: CMVP Validation Authority Updates to ISO/IEC 24759 [140E] NIST, SP 800-140E, CMVP Approved Authentication Mechanisms: CMVP Validation Authority 20-Mar-2020 Requirements for ISO/IEC 19790 Annex E and ISO/IEC 24579 Section 6.17 [140F] NIST, SP 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation 20-Mar-2020 Authority Updates to ISO/IEC 24759 [FIPS 140-3 NIST, Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program 7-Oct-2022 IG] [ISO 19790] ISO/IEC 19790:2012 Information technology -- Security techniques -- Security requirements for 1-Nov-2015 cryptographic modules NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Ref. Full Specification Name Date [ISO 24759] ISO/IEC 24759:2017 Information technology -- Security techniques -- Test requirements for 1-Mar-2017 cryptographic modules [RFC5246] IETF RFC5246: The Transport Layer Security (TLS) Protocol Version 1.2 Aug-2008 [RFC5289] IETF RFC5289: TLS Elliptic Curve Cipher Suites with SHA2-256/384 and AES Galois Counter Mode Aug-2008 (GCM) [RFC5639] IETF RFC5639: Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation Mar-2010 [RFC7627] IETF RFC7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension Sept-2015 Acronyms and Definitions Term Meaning Term Meaning A35 ARM Cortex A35 array (on-chip, external to SECO) KAS Key Agreement Scheme AEAD Authenticated Encryption with Associated Data KAT Known Answer Test AES Advanced Encryption Standard KBKDF Key Based Key Derivation Function CAAM Cryptographic Acceleration and Assurance Module KDA Key Derivation Algorithm CAVP Cryptographic Algorithm Validation Program KDF Key Derivation Function CBC Cipher-Block Chaining KEK Key Encryption Key (generalization of SDS-KEK) CCM Counter with CBC-MAC KTS Key Transport Scheme CKG Cryptographic Key Generation M0+ ARM Cortex-M0+ core CMAC Cipher-based Message Authentication Code MAC Message Authentication Code CMVP Cryptographic Module Validation Program MU Messaging Unit CO Cryptographic Officer NIST National Institute of Standards and Technology CRNGT Continuous Random Number Generator Test OTP One Time Programmable CSP Critical Security Parameter PCT Pairwise Consistency Test CVL Component Validation List PRF Pseudorandom Function DRBG Deterministic Random Bit Generator PSP Public Security Parameter DTCP Digital Transport Content Protection RSA Rivest, Shamir, and Adleman Algorithm ECB Electronic Code Book SCU System Control Unit (on-chip CPU, external to SECO) ECC Elliptic Curve Cryptography SECO Security Controller ECDSA Elliptic Curve Digital Signature Algorithm SHA/SHS Secure Hash Algorithm / Standard ENT Entropy source compliant with [90B] SHE Secure Hardware Extension (automotive standard) FIPS Federal Information Processing Standard SNVS Secure Non-Volatile Storage GCM Galois/Counter Mode SoC System on Chip HMAC Keyed-Hash Message Authentication Code SP NIST Special Publication HSM Hardware Security Module SSC Shared Secret Computation IEE Inline Encryption Engine (external to SECO) SSP Sensitive Security Parameter IG Implementation Guidance; see [FIPS 140-3 IG] TLS Transport Layer Security (see [135]) IoT Internet of Things WDog Watchdog timer IV Initialization Vector NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
This document defines the Security Policy for the NXP Semiconductors i.MX8 DXL SECO HSM hardware sub-chip cryptographic subsystem with a single-chip embodiment, hereafter denoted the SECO, SECO HSM or the Module. The Module has a limited operational environment under the [FIPS 140-3] definitions. The Module includes a firmware load function. New firmware versions within the scope of this validation must be validated through the CMVP; any other firmware loaded into the Module is out of the scope of this validation and requires a separate [FIPS 140-3] validation. The Module is validated to FIPS 140-3 overall Security Level 3 requirements with security levels as follows: Table 1: Security Levels ISO/IEC 24759 FIPS 140-3 Section Title Security Level Section 6. [Number Below]
NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The hardware Module is a sub-chip subsystem of a single-chip embodiment that provides cryptographic engine and secure storage functions, intended for use in automotive or IoT applications. The Module is available in the configurations shown in Table 2. Table 2: Cryptographic Module Tested Configuration Model Hardware [Part Number and Version] Firmware Version Distinguishing Features i.MX 8SoloXLite MIMX8SL3AVNFZAB SECO ROM: The mem_I.MX8_s28roml_w24576x032 MIM8SL3AVNFZA i.MX 8SoloXLite PIMX8SL3AVNFZAB m32B2_1Tlms_m0_1.7 B and SECO FW 5.9.0 PIM8SL3AVNFZA i.MX 8DualXLite MIMX8DL3AVNFZAB B parts feature one applications processor The leading P designates engineering sample parts i.MX 8DualXLite PIMX8DL3AVNFZAB The MIM8DL3AVNFZ AB and SoC Part Number SOC_iMX8DualXL_28FDSOI_1.75 PIM8DL3AVNFZA B parts feature Module Subsystem DA_SSL_iMX8DXL_SCU_SUBSYS_LN28FDSOI_1.56 two applications Version processors
The Module implements the Approved and allowed cryptographic functions listed below. [57P1r5] notation is used throughout this document to describe key sizes and security strength. All references to the algorithm standards cited below can be found in the References section of this document. Table 3: Approved Algorithms CAVP Algorithm Mode/Method Description / Key Size(s) Use / Function Cert and Standard / Key Strength(s) A2953 AES [197], [38A] ECB, CBC 128, 192, 256 bits Encrypt, decrypt A2962 AES [38C] AES CCM 128, 192, 256 bits Authenticated encrypt, decrypt A2954 AES [38B] AES CMAC 128, 192, 256 bits Generate, verify A2964 AES [38D] AES GCM 128, 192, 256 bits Authenticated encrypt, decrypt Vendor CKG [133r2] Section 4: Using the Output of a Random Bit Cryptographic key generation per [FIPS 140-3 IG] Affirmed Generator D.H, applicable to Module generated symmetric Section 5.1: Key Pairs for Digital Signature keys and seeds for generating asymmetric keys Schemes Section 5.2: Key Pairs for Key Establishment Section 6.1: Direct Generation of Symmetric Keys Section 6.2.1: Symmetric Keys Generated Using Key-Agreement Schemes Section 6.2.2: Symmetric Keys Derived from a Pre-existing Key NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy A2955 DRBG [90Ar1] Hash SHA2-256 Random number generation A2963 ECDSA [186] P-256, P-384 ECC key generation P-256 (SHA2-256); ECC signature generation P-384 (SHA2-384) P-256 (SHA2-256, SHA2-384, SHA2-512); ECC signature verification P-384 (SHA2-256, SHA2-384, SHA2-512); Note that P-521 is used only by the Authenticate P-521 (SHA2-256, SHA2-384, SHA2-512) service, hence no P-521 key or signature generation N/A ENT (P) [90B] Provide entropy input to the DRBG Used only to seed the approved DRBG A2961 HMAC [198] SHA2-224, SHA2-256, Key lengths 224, 256, Keyed MAC used with TLS SHA2-384, SHA2-512 384, 5121 A2973 CVL [135r1r] TLS v1.2 KDF HMAC-SHA2-256; Key derivation for TLS (v1.2); TLS v1.2 KDF RFC7627 HMAC-SHA2-384 also supports [RFC7627] Extended Master Secret A2972 KAS-ECC-SSC KAS-ECC-SSC Key agreement used for TLS support and for [56Ar3] Schemes: Ephemeral Unified, One-Pass DH sensitive data communications Roles: Initiator, Responder ECC curves: P-256, P-384 A2966 KBKDF [1081] CTR KBKDF AES CMAC 256-bit Key derivation used for SDS-BEK A2965 KDA [56Cr2] One-Step Hash KDF SHA2-256 Key derivation for sensitive data communications A2964 KTS-1 [38F] Key wrapping in the context of Sensitive data AES GCM 256-bit SP 800-38D and SP storage 800-38F. KTS (key wrapping) per IG D.G. 256- bit keys providing
strength A2967 RSA [186] n=2048 (SHA2-256, SHA2-384, SHA2-512); PKCS 1.5 signature verification n=3072 (SHA2-256, SHA2-384, SHA2-512); n=4096 (SHA2-256, SHA2-384, SHA2-512) A2955 SHS [180] SHA2-256 Message digest used exclusively by the DRBG A2956 SHS [180] SHA2-224, SHA2-256, SHA2-384, SHA2-512 Message digest for all purposes other than DRBG A2972, KAS-1 Schemes: Ephemeral SP 800-56Arev3. KAS- Key agreement to establish an SDS-KEK A2965 Unified, One-Pass DH ECC per IG D.F Scenario Roles: Initiator, 2 path (2) option 2 Responder KAS-ECC-SSC curves: P- P-256 and P-384 curves 256, P-384 providing 128 or 192 KDA One-Step Hash bits of encryption KDF strength A2972, KAS-2 Schemes: Ephemeral SP 800-56Arev3. KAS- Key agreement to establish TLSv1.2 session keys and A2973 Unified, One-Pass DH ECC per IG D.F Scenario the corresponding intermediate values for preRoles: Initiator, 2 path (2) option 2 master secret TLS-PMS and master secret TLS-MS Responder KAS-ECC-SSC curves: P- P-256 and P-384 curves 256, P-384 providing 128 or 192 TLS v1.2 KDF bits of encryption TLS v1.2 KDF RFC7627 strength The Module facilitates the use of truncated MACing but enforces a minimum of 32 bits
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy AES GCM is used by the Sensitive Data Storage service. In accordance with [FIPS 140-3 IG] C.H Scenario 2, the 96-bit IV is generated randomly in its entirety using the Approved DRBG within the Module' boundary and maintained within the Module boundary by the Symmetric Cipher service. Due to the excessive length of time taken for the counter to wrap, the counter cannot practically wrap within the lifetime of the module. The DRBG seed is generated inside the Module boundary, and the Module’s entropy source has been assessed in accordance with [FIPS 140-3 IG] D.K for conformance to [90B]. AES GCM is also used to support TLS primitives and adheres to the [FIPS 140-3 IG] C.H Resolution 1a TLS 1.2 protocol IV generation requirements. The Module uses the KAS-ECC-SSC function as follows (without support for key confirmation): 1. KEK KAS: To establish an SDS-KEK compliant to [FIPS 140-3 IG] D.F Scenario 2 Path 2, option 2 (KAS-ECC-SSC using curve P-256 or BrainpoolP256R1 and One-Step Hash KDF)2; TLS KAS: To establish TLSv1.2 session keys and the corresponding intermediate values for pre-master secret TLS-PMS and master secret TLS-MS, compliant to [FIPS 140-3 IG] D.F Scenario 2 Path 2, option 2 (KAS-ECC-SSC using curve P-256, P-384, BrainpoolP256R1 or BrainpoolP384R1 and TLS v1.2 KDF or TLS v1.2 KDF RFC7627)3. KAS (KAS-SSC Cert. #A2972, KDA Cert. #A2965); provides 128 bits of strength KAS (KAS-SSC Cert. #A2972, CVL Cert. #A2973); provides 128 or 192 bits of strength NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy The Module supports the following ciphersuites used in TLS primitives:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Table 4: Non-Approved Algorithms Allowed in the Approved Mode of Operation Algorithm Caveat Use / Function ECDSA Provides 128 or 192 bits of Use of Brainpool curves, allowed for use per [FIPS 140-3 with non-NIST recommended encryption strength); Per IG C.A IG] C.A: curves - BrainpoolP256R1 (128-bit security strength) - BrainpoolP384R1 (192-bit security strength) EC Diffie-Hellman with non-NIST Provides 128 or 192 bits of Use of Brainpool curves in KAS, allowed for use per [FIPS recommended curves encryption strength); Per IGs D.F and 140-3 IG] C.A and [FIPS 140-3 IG] D.F Scenario 3: C.A - BrainpoolP256R1 (available for both KEK and TLS use cases; 128-bit security strength) - BrainpoolP384R1 (available only for TLS use case; 192-bit security strength) Table 5: Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Algorithm Caveat Use / Function AES CCM no security Hardware implementation of AES CCM (no security claimed - [FIPS 140-3 IG] 2.4.A), used by Generic claimed Data Storage service The Module does not implement the following:
The Module is a dedicated security controller subsystem of the i.MX8 DXL SoC, compliant to [FIPS 140-3 IG] 2.3.B Sub-Chip Cryptographic Subsystems:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy The physical form of the Module (i.e. the Tested Operational Environment’s Physical Perimeter (TOEPP) of CM) is depicted in Figure 1 (represents all models and P/Ns listed in Table 2). The physical cryptographic boundary is the surface, edges, and solder bump connections of the chip package. Figure 1: Module Physical Form NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Figure 2 depicts the Module sub-chip functions, with the sub-chip cryptographic boundary depicted as the dashed red line, and the chip physical boundary depicted as the outer solid black line. SoC functions outside the sub-chip boundary are simplified. Figure 2: Module Block Diagram
The Module as defined above will always be in an Approved mode of operation by default. No configuration is necessary for the Module to operate and remain in the Approved mode. The Module does not support a non-Approved mode or a degraded mode of operation. The Management service Get Info message response includes the information shown next; chip lifecycle and Approved mode constitute the indicator of the Approved mode: • 32-bit SECO FW version: 0x50090 (corresponding to SECO FW 5.9.0). • 32-bit Extended version, SECO FW commit ID: 0x80649c52. • 8-bit chip lifecycle state: 0x80. • Approved mode: 8-bit field, only the last two bits are used; 0x3 indicates a validated part in the Approved mode. The Module implementation enforces the following security rules:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
3 requirements with security levels as listed in Table 1 above in this document. No initialization requirements apply to the
Module. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The Module’s ports and interfaces are listed in Table 6 below, including the designation of [FIPS 140-3] logical interface types. DC in the Table 6 Physical port column refers to Device Connection:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Tamper input: accept external tamper detection signals Tamper output: indicate tamper condition to external circuits Osc out Control output Oscillator output DC: Yes Description: SNVS oscillator output VSNVS-LP Power input Power input DC: Yes Description: SNVS Low Power section power supply connection, also called LP Battery VSS, VDD Power input Power input DC: Yes Description: Supply voltage The 32-bit Authentication Token used for the User role authentication enters in plaintext over the Trusted Channel (i.e. over the corresponding port). This restriction/port separation from other ports/interfaces is implemented in the Module design as bus transactions are restricted to the specific domain (User) and the SECO HSM processor. No physical tools are required (the path is within the integrated circuit) and no operator instructions are required (the access control mechanism is built into the bus control hardware). NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The Module supports two distinct operator roles and identity-based authentication is required for each role as follows:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Operators in the User role are authenticated by use of a 32-bit token (SDS-AT) as AES GCM Additional Authenticated Data (AAD) when opening the sensitive data store corresponding to the service for the designated operator. The attempt to open a Sensitive Data Storage service key store fails if the SDS-AT does not match the registered value, and the Module enters the Locked error state, requiring a reboot to clear (at least 2 milliseconds to reach the Sensitive Data Storage service for another attempt).
Table 9 below describes all Module services and service access to SSPs. The modes of access shown in the table are defined as: E = Execute: The module uses the SSP in performing a R = Read: The SSP is read from the module (e.g. the SSP is cryptographic operation. output). G = Generate: The module generates or derives the SSP. Z = Zeroise: The module zeroises the SSP. W = Write: The SSP is updated, imported, or written to the -- = No access. The service does not access the SSP. module. Table 9: Approved Services Service Description Approved Security Roles Keys Access Indicator Functions and/or rights to SSPs Keys and/or SSPs Initialize Authenticate and load firmware; perform pre- ECDSA Sig Ver (#A2963) CO SRK-NXP W,E OK / (self-test) operational self-tests SHS (#A2956) SRKH- E error KBKDF (#A2966) NXP E MASTER- G NXP G SDS-BEK OTP-KEK Management Subsystem control and status. Get mode, status and (No crypto function) CO None N/A OK / (status) version information; configure or manage the error subsystem. Self-test Perform conditional CASTs as needed, on demand or See Section 10 N/A None N/A OK / periodically. error Authenticate Authenticate (verify a digital signature) command ECDSA Sig Ver (#A2963) N/A SRK-NXP W,E OK / content or firmware images (for SoC cores on behalf of RSA Sig Ver (#A2967) SRK- W,E error the SCU). OEM W,E SRKH- E NXP E SRKHOEM Generic Data Management of generic (non-sensitive) data, media Non-approved AES CCM N/A SDRBG- E OK / Storage parameter storage. uses DRBG Generate State error (#A2955) SDRBGSeed Hash Generate or verify message digest. SHS (#A2956) N/A None N/A OK / error Management SECO device control and status. Get mode, status and (No crypto function) N/A None N/A OK / (Approved version information; configure or manage the SECO error mode status) device. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Service Description Approved Security Roles Keys Access Indicator Functions and/or rights to SSPs Keys and/or SSPs Random DRBG generation of random bits. DRBG Generate N/A SDRBG- E,Z OK / (#A2955) EI E error SDRBGState SDRBGSeed Session Initialize session communications. (No crypto function) N/A None N/A OK / error Generate Generate a digital signature. ECDSA Sig Gen (#A2963) User SDRBG- E OK / Signature CKG State W,E error SDRBG- E Seed DSPrivate SDS-BEK Key Perform the KAS-ECC-SSC and One-Step Hash KDF in an KAS-ECC-SSC (#A2972) User SDRBG- E OK / Agreement: atomic command to establish an SDS-KEK instance. ECDSA Key Gen State G,E error KEK use case (#A2963) SDRBG- G,E,Z DRBG Generate Seed G,R (#A2955) KEK-SS W,E KDA Derivation KEK- G (#A2965) Local- E CKG Private KEKLocalPublic KMHostPublic SDS-KEK SDS-BEK Key Perform the KAS-ECC-SSC and TLS KDF in an atomic KAS-ECC-SSC (#A2972) User SDRBG- E OK / Agreement: command to establish TLS session keys (instances of ECDSA Key Gen State G,E error TLS use case SC-EDK, MAC-AK). (#A2963) SDRBG- G,E,Z DRBG Generate Seed G,R (#A2955) SC-EDK W,E TLS v1.2 KDF (#A2973) MAC-AK G TLS v1.2 KDF RFC7627 SDS-BEK G (#A2973) TLS- E CKG Local- G,E,Z Private G,R TLS- W,E LocalG,E,Z Public G,E,Z TLSPeer- G,E,Z Public TLS-MS TLS-PS NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Service Description Approved Security Roles Keys Access Indicator Functions and/or rights to SSPs Keys and/or SSPs TLS-KB Key Generate key or key pair; manage (invalidate, import, ECDSA Key Gen User SDRBG- E OK / Management update) key or key group. Invalidate refers to marking (#A2963) State G, W, R error keys invalid
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Service Description Approved Security Roles Keys Access Indicator Functions and/or rights to SSPs Keys and/or SSPs The list of SSPs at right includes SSPs that may be saved in persistent secure storage. Symmetric Encrypt or decrypt data (including authenticated AES Enc, Dec (#A2953, User SC-EDK W,E OK / Cipher encrypt/decrypt). A2962, A2964) SDS-BEK E error Zeroise Destroy Master-NXP; renders other CSPs unusable. (No crypto function) User SDRBG- Z OK / EI Z error SDRBG- Z State Z SDRBG- Z Seed Z DS- Z Private Z MAC-AK Z SC-EDK Z SDS-BEK Z SDS-KEK Z SRK-NXP Z OTP-KEK Z OEM- Z RKEK Z KEK-SS Z KEKZ LocalZ Private Z KEKLocalPublic KMHostPublic TLSLocalPrivate TLSLocalPublic TLSPeerPublic TLS-MS TLS-PS TLS-KB The Module does not provide any Non-Approved Services. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The Module uses ECDSA signature verification (P-384, SHA2-384) as the firmware integrity technique. The operator can initiate the integrity test on demand by invoking the Self-test service. In addition, each time the CAST retest timer expires the Module automatically performs one of the CASTs listed in Section 10 of this document (with the exception of the firmware integrity test), cycling through all CASTs periodically. The Module has a sleep mode (i.e. a quiescent state) that will halt the CAST retest timer; prior to entering the sleep mode, the next CAST in the sequence is executed. The module supports loading of firmware from an external source (partial update), the ROM code is immutable and thus unaffected by the loading. ROM endurance has been proven to be more than 10 years after manufactured date. Therefore, per FIPS 140-3 IG 5.A, no pre-operational ROM integrity self-test has been implemented. The module’s end-of-life procedures must be applied prior to the degradation of the ROM. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The Module is classified in [FIPS 140-3] terms as a limited operational environment. The tested platforms have been specified in Table 2 above in this document. The Module meets Physical Security Level 3 requirements and thus the requirements per this section do not apply to the Module. No security rules, settings or restrictions to the configuration of the operational environment apply in addition to those specified in Section 2.3 Modes of Operation, Overall security design and the rules of operation in this document. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The Module has a single-chip embodiment that meets commercial-grade specifications for power, temperature, reliability, and shock/vibration. The Module is packaged in standard integrated circuit packaging that provides protection from probing and direct visual observation of circuit detail in the visible spectrum, as well as passivation. The module is coated with a hard tamper evident coating. Table 10: Physical Security Inspection Guidelines Physical Security Mechanism Recommended Frequency of Inspection/Test Inspection/Test Guidance Details Single-chip packaging The Module is intended to be mounted in additional packaging; N/A physical inspection of the die is typically not practical after packaging. The Module also includes Environmental Failure Protection (EFP) features. Table 11 specifies the temperature and voltage parameters and corresponding Module behavior. Table 11: EFP/EFT Temperature or voltage measurement Specify EFP Specify if this condition results in a or EFT shutdown or zeroisation Low Temperature -40C EFP Shutdown High Temperature +105C EFP Shutdown Low Voltage 0.95 V EFP Shutdown High Voltage 1.1 V EFP Shutdown Table 12: Hardness testing temperature ranges Hardness tested temperature measurement Low Temperature -40C High Temperature +105C NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The non-invasive security measures supported by the module are specified in Section 12 “Mitigation of Other Attacks”, per FIPS 140-3 IG 12.A. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
Table 13 specifies the Module’s SSPs, which include CSPs (critical security parameters) and PSPs (public security parameters, e.g., public keys). Table 13: SSPs Generation Import/Export Establishment Zeroisation Security Key/SSP Function Storage Name/Type Strength and Cert. Number Use & related keys SDRBG-EI 256 ENT G1 -- -- S1 Z1 Hash_DRBG entropy input
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy TLS v1.2 KDF RFC7627 (#A2973) CKG TLS-PS 128 or 192 KAS-ECC-SSC G9 -- -- S2 Z4 TLS pre_master_secret: TLS KDF intermediate value (used to derive TLS-MS). CSP #A2972 CKG TLS-KB 128 or 192 KAS #A2972 G10 -- -- S2 Z4 TLS key_block: TLS KDF intermediate value used to form a TLS SC-EDK instance; CSP TLS v1.2 KDF depending on key exchange call flags, will derive either TLS MAC-AK instance or GCM #A2973 or CCM IVs. TLS v1.2 KDF RFC7627 #A2973 CKG -- = not applicable. The following Module parameters are non-SSPs:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy MASTER-NXP: 256-bit Master key used to derive (KBKDF) SDS-BEK. Generated during factory configuration by DRBG seeded by on-chip TRNG and written to SECO-only OTP in plaintext. OTP-KEK: 256-bit key used for AES GCM authenticated encryption and decryption of sensitive data stored in OTP. Derived each time the Module is restarted (following power on or reset) from MASTER-NXP using KBKDF. OEM-RKEK: 256 bits used to derive Module Secure Data Storage service Root Key Encryption Key, the latter is used for AES GCM authenticated decrypt (import) of externally generated keys. Injected during the process of configuring the Module. SDS-KEK: The Module Secure Data Storage service Key Encryption Key. Used for AES GCM authenticated decrypt (import) of externally generated keys. Established in either of two ways:
2
Stored in Secure RAM and persisted to external secure storage encrypted by SECO-SDS-BEK. Secure RAM copy is destroyed by overwriting with 0x00 values on Module termination; external secure storage is unreadable following destruction of MASTER-NXP, since SECO-SDS-BEK can no longer be derived. SRK-NXP and SRK-OEM are public keys from key pairs generated by systems external to the chip, managed by NXP and the OEM (Module integrator). The corresponding private keys are used by these external provisioning systems to sign firmware, certificates or commands by NXP or the OEM. SRKH-NXP and SRKH-OEM are SHA2-512 hashes of the corresponding public key used as a root of trust, established onto the Module in a factory setting prior to deployment. SDS-BEK is derived from MASTER-NXP on the Module on every restart. SDS-KEK are key encryption keys generated external to the Module, or via the Key Agreement: KEK use case service. SDS-KEK must be imported into the Module encrypted by an SDS-KEK instance. SDS-BEK and SDS-KEK are used by the Sensitive Data Storage and Key Management services to import or export AES GCM encrypted blobs for storage in external NVM:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy o TLS-PS is used within the [135r1] TLS v1.2 KDF to derive the [RFC5246] TLS master_secret or the [RFC7627] TLS extended_master_secret. The master secret variants are considered variations on the same CSP (TLS-MS), as they are the same size and purpose, and differ only in the input provided to the TLS PRF. o TLS-MS is used within the [135r1] TLS v1.2 KDF to derive the TLS key_block (TLS-KB); o The TLS-KB is partitioned into the session keying material dependent on the key agreement call parameters (corresponding to ciphersuites): this will include SC-EDK and may include MAC-AK. These resulting key instances are retained within the Module – only key identifiers (handles) are returned to the caller. o TLS-Local-Private, TLS-PS, and TLS-KB are destroyed prior to return of the call to the KDF; TLS-MS and the cipher and MAC keys are retained within the Module; TLS-Local-Public and the call status are returned to the caller. The TLS-MS is retained to support the TLS Finish operation which uses the master secret; TLS Finish destroys TLS-MS. o Note
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The on-chip System Control Unit (SCU; outside the SECO boundary) copies the SECO firmware container into the SECO M0+ RAM, raising an interrupt when firmware is available. The Module initializes, performing the self-tests listed in this section. As allowed by [FIPS 140-3 IG] 5.A, the masked ROM is not integrity tested. The Module verifies the hash of the SECO firmware image within the container and verifies the signature of the container inclusive of the SECO firmware hash. The NXP public key used for SECO FW image verification (SRK-NXP) is provided in the firmware container; the Module assures the correctness of the public key values by comparing the SHA2-512 hash of SRKs to the OTP reference value SRKH. In case of a failure in the pre-operational firmware integrity test, the module enters the Locked error state (error code 0x0000FF29). All cryptographic algorithm self-tests (CASTs) must complete successfully prior to any other use of cryptography by the Module. If one of the CASTs fails, the Module enters the ABORT state (error code 0x471EED29). The error state is persistent, and only Status services are available. All attempts to use the Module’s services result in the return of an error code (HSM_SELF_TEST_FAILURE). To recover from an error state, the Module must be power-cycled or reset. The Module maintains a CAST retest timer: each time the CAST retest timer expires the Module automatically performs one of the CASTs listed in this section, cycling through all CASTs periodically. The Module has a sleep mode (i.e. a quiescent state) that will halt the CAST retest timer; prior to entering sleep mode, the next CAST in the sequence is executed. The operator can also initiate the firmware integrity on demand by invoking the Self-test service and the CASTs by rebooting the module. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy Pre-Operational Self-tests:
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The Module is configured in the factory for the Approved mode of operation only. No procedures for secure installation, initialization, startup and operation of the Module are required. No maintenance requirements apply to the Module. Administrator and non-Administrator guidance is provided as a separate document, i.MX8 DXL SECO HSM FIPS 140-3 CO and User Guidance. The Module can be securely sanitized by zeroising it. NXP Semiconductors Public Material
NXP Semiconductors i.MX8 DXL SECO HSM FIPS 140-3 Security Policy
The Module incorporates a clock frequency sensor that generates an out-of-range signal. This condition results in CO authentication reset, preventing use of Module security functions, and blocking access to sensitive information. The Module also includes side channel resistance and fault injection countermeasures. Until the requirements of SP 800140F are defined, non-invasive mechanisms fall under ISO/IEC 19790:2012 Section 7.12 Mitigation of other attacks, thus the non-invasive security measures supported by the module are as follows: The side channel mitigations include random data moving, blinding techniques, and continuously generating noise on the power line. Fault injection mitigations include double calculations, parameter integrity protections, parameter checking and clearing memory areas after usage. Confidence in the effectiveness of each of these mitigations was achieved through a combination of fault attack simulations and internal vulnerability assessment testing. The countermeasures were shown to be effective against common fault injection and side channel attacks. NXP Semiconductors Public Material