All modules
CMVP Validated Module · FIPS 140-3 Security Policy

VMware’s Linux Kernel Cryptographic Module

Certificate#4865StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorBroadcom Inc.
High review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 9165 CVEs since this module's initial validation  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim validation. When operated in approved mode and installed, initialized and configured as specified in Section 11.1 of the Security Policy.
VendorBroadcom Inc.

Approved Algorithms (37)

AlgorithmACVP Cert
AES-CBCA4971
AES-CBC-CS3A4971
AES-CCM
AES-CFB128A4971
AES-CMACA4971
AES-CTRA4971
AES-ECBA4971
AES-GCMA4971
AES-XTS TestingA4971
Counter DRBGA4971
ECDSA KeyGenA4971
ECDSA KeyVer (FIPS186-4)A4971
ECDSA SigVer (FIPS186-4)A4971
Hash DRBGA4971
HMAC DRBGA4971
Mode - SHA-1, SHA2-256, SHA2-512
HMAC-SHA-1A4971
HMAC-SHA2-224A4971
HMAC-SHA2-256A4971
HMAC-SHA2-384A4971
HMAC-SHA2-512A4971
HMAC-SHA3-224A4971
HMAC-SHA3-256A4971
HMAC-SHA3-384A4971
HMAC-SHA3-512A4971
KAS-ECC-SSC Sp800-56Ar3A4971
RSA SigGen (FIPS186-4)A4971
RSA SigVerA4971
SHA-1A4971
SHA2-224A4971
SHA2-256A4971
SHA2-384A4971
SHA2-512A4971
SHA3-224A4971
SHA3-256A4971
SHA3-384A4971
SHA3-512A4971

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for VMware’s Linux Kernel Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric<br/>Ciphers<br/>Installation and initialization</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for VMware’s Linux Kernel Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric<br/>Ciphers<br/>Installation and initialization</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Broadcom Inc. VMware’s Linux Kernel Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels5
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification7
2.3Excluded Components8
2.4Modes of Operation8
2.5Algorithms9
2.6Security Function Implementations11
2.7Algorithm Specific Information13
2.8RBG and Entropy13
2.9Key Generation14
2.10Key Establishment14
2.11Industry Protocols14
3Cryptographic Module Interfaces14
3.1Ports and Interfaces14
4Roles, Services, and Authentication15
4.1Authentication Methods15
4.2Roles15
4.3Approved Services15
4.4Non-Approved Services18
4.5External Software/Firmware Loaded19
5Software/Firmware Security19
5.1Integrity Techniques19
5.2Initiate on Demand19
6Operational Environment19
6.1Operational Environment Type and Requirements19
7Physical Security20
8Non-Invasive Security20
9Sensitive Security Parameters Management20
9.1Storage Areas20
9.2SSP Input-Output Methods20
9.3SSP Zeroization Methods20
9.4SSPs21
10Self-Tests24
10.1Pre-Operational Self-Tests24
10.2Conditional Self-Tests24
10.3Periodic Self-Test Information26
10.4Error States28
10.5Operator Initiation of Self-Tests28
11Life-Cycle Assurance28
11.1Installation, Initialization, and Startup Procedures28
11.2Administrator Guidance29
11.3Non-Administrator Guidance29
12Mitigation of Other Attacks29
Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)7
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid8
Table 5: Modes List and Description9
Table 6: Approved Algorithms11
Table 7: Non-Approved, Not Allowed Algorithms11
Table 8: Security Function Implementations13
Table 9: Entropy Certificates13
Table 10: Entropy Sources14
Table 11: Ports and Interfaces14
Table 12: Roles15
Table 13: Approved Services18
Table 14: Non-Approved Services19
Table 15: Storage Areas20
Table 16: SSP Input-Output Methods20
Table 17: SSP Zeroization Methods21
Table 18: SSP Table 123
Table 19: SSP Table 224
Table 20: Pre-Operational Self-Tests24
Table 21: Conditional Self-Tests26
Table 22: Pre-Operational Periodic Information26
Table 23: Conditional Periodic Information28
Table 24: Error States28
Figure 1: Block Diagram7
Page 5
Security level
NameISO SectionRequirementLevel
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1
1.1 Overview

This is a non-proprietary Cryptographic Module Security Policy for the VMware's Linux Kernel Cryptographic Module 5.0.0 from Broadcom Inc. This Security Policy describes how the VMware's Linux Kernel Cryptographic Module 5.0.0 meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE), Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program. This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Software Level 1 FIPS 140-3 validation of the module. The VMware's Linux Kernel Cryptographic Module 5.0.0 is also referred to in this document as the “Module.” It also provides instructions to individuals and organizations on how to deploy or operate the product in a secure approved mode. This document has been written for the following audiences:

1.2 Security Levels

The module has been validated at the FIPS 140-3 section levels shown in the table below. Table 1: Security Levels N/A N/A N/A © 2024 Broadcom Inc.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The VMware’s Linux Kernel Cryptographic Module is a software cryptographic module with a multiple-chip standalone embodiment. The overall security level of the module is 1. As a software module, the module must rely on the physical characteristics of the host system. The physical perimeter of the cryptographic module is defined by the hard enclosure around the host system on which it runs. The module supports the physical interfaces of the Dell PowerEdge R650 Server. These interfaces include the integrated circuits of the system board, processor, RAM, hard disk, device case, power supply, and fans. See Figure 1 below for a hardware block diagram of the Dell PowerEdge R650 Server. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: As a software module, the module must rely on the physical characteristics of the host system. The physical perimeter of the cryptographic module is defined by the hard enclosure around the host system on which it runs. The module supports the physical interfaces of the Dell PowerEdge R650 Server. These interfaces include the integrated circuits of the system board, processor, RAM, hard disk, device case, power supply, and fans. See Figure 1 below for a hardware block diagram of the Dell PowerEdge R650 Server. © 2024 Broadcom Inc.

Page 7
Module configuration
NameFirmware VersionFeaturesPackageIntegrity Test
fips_canister.o5.0.0software cryptographicfips_canister.oHMAC-SHA2-2565.0.0
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8
Module configuration
NameOperating SystemHardware Platform
Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Dell PowerEdge R740 with an Intel® Xeon® Gold 6230R with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMwarePhoton OS 5.0/Photon OS 4.0 on VMwareDell PowerEdge R640 with an Intel(R) Xeon(R) Silver
ESXi 8.0/ VMware ESXi 7.0ESXi 8.0/ VMware ESXi 7.04214 with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Dell PowerEdge R630 with an Intel(R) Xeon(R) CPU E5-2660 v4 with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMwarePhoton OS 5.0/Photon OS 4.0 on VMwarePowerEdge R6625 with an AMD EPYC 9124
ESXi 8.0/ VMware ESXi 7.0ESXi 8.0/ VMware ESXi 7.0with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0ProLiant DL385 Gen10 Plus v2 with an AMD EPYC 7343 16-Core Processor with/without PAA
Cloud computing environment executingCloud computing environment executingGeneral-purpose computing platform with/without PAA
Module configuration
NameOperating SystemHardware Platform
Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Dell PowerEdge R740 with an Intel® Xeon® Gold 6230R with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMwarePhoton OS 5.0/Photon OS 4.0 on VMwareDell PowerEdge R640 with an Intel(R) Xeon(R) Silver
ESXi 8.0/ VMware ESXi 7.0ESXi 8.0/ VMware ESXi 7.04214 with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Dell PowerEdge R630 with an Intel(R) Xeon(R) CPU E5-2660 v4 with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMwarePhoton OS 5.0/Photon OS 4.0 on VMwarePowerEdge R6625 with an AMD EPYC 9124
ESXi 8.0/ VMware ESXi 7.0ESXi 8.0/ VMware ESXi 7.0with/without PAA
Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0ProLiant DL385 Gen10 Plus v2 with an AMD EPYC 7343 16-Core Processor with/without PAA
Cloud computing environment executingCloud computing environment executingGeneral-purpose computing platform with/without PAA
Service
NameDescriptionIndicatorType
Non- ApprovedNon-Approved Mode of OperationNon-Approved service log message and API return valueNon- Approved

4.0 4.0 5.0 5.0 Table 3: Tested Operational Environments - Software, Firmware, Hybrid 8.0 8.0 8.0 8.0 5.0.0 5.0.0 5.0.0 5.0.0 Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no excluded components. Modes List and Description: NonApproved NonApproved © 2024 Broadcom Inc.

Page 9
Approved algorithm
NameCAVP CertPropertiesReferenceCAVP Cert
AES-CBCA4971SP 800-38AA4971Direction - Decrypt, Encrypt
AES-CBC-CS3A4971Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA4971Key Length - 128, 192, 256AES-CCMSP 800-38C
AES-CFB128A4971Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA4971SP 800-38BDirection - Generation, Verification
AES-CTRA4971Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4971SP 800-38ADirection - Decrypt, Encrypt
AES-GCMA4971Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.2 Key Length - 128, 192, 256SP 800-38D
AES-XTS TestingA4971SP 800-38EDirection - Decrypt, EncryptAES-XTS Testing
Revision 2.0Key Length - 128, 256Revision 2.0
Counter DRBGA4971Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGenA4971FIPS 186-4Curve - P-256, P-384ECDSA KeyGen
(FIPS186-4)Secret Generation Mode - Extra Bits(FIPS186-4)
ECDSA KeyVer (FIPS186-4)A4971Curve - P-256, P-384FIPS 186-4
ECDSA SigVer (FIPS186-4)A4971FIPS 186-4Curve - P-256, P-384
Hash DRBGA4971Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA4971Prediction Resistance - No, YesSP 800-90A
Mode - SHA-1, SHA2-256, SHA2-512Mode - SHA-1, SHA2-256, SHA2-512Rev. 1
HMAC-SHA-1A4971Key Length - Key Length: 128-2048 Increment 8FIPS 198-1
HMAC-SHA2-224A4971FIPS 198-1Key Length - Key Length: 128-2048 Increment
HMAC-SHA2-256A4971Key Length - Key Length: 128-2048 Increment 8FIPS 198-1
HMAC-SHA2-384A4971FIPS 198-1Key Length - Key Length: 128-2048 Increment
HMAC-SHA2-512A4971Key Length - Key Length: 128-2048 Increment 8FIPS 198-1
HMAC-SHA3-224A4971FIPS 198-1Key Length - Key Length: 128-2048 Increment
HMAC-SHA3-256A4971Key Length - Key Length: 128-2048 Increment 8FIPS 198-1
HMAC-SHA3-384A4971FIPS 198-1Key Length - Key Length: 128-2048 Increment
HMAC-SHA3-512A4971Key Length - Key Length: 128-2048 Increment 8FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A4971SP 800-56A Rev. 3Domain Parameter Generation Methods - P-
RSA SigGen (FIPS186-4)A4971Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVerA4971FIPS 186-4Signature Type - PKCS 1.5RSA SigVer
(FIPS186-4)Modulo - 2048, 3072, 4096(FIPS186-4)
SHA-1A4971Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-224A4971FIPS 180-4Message Length - Message Length: 0-65536
SHA2-256A4971Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A4971FIPS 180-4Message Length - Message Length: 0-65536
SHA2-512A4971Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA3-224A4971FIPS 202Message Length - Message Length: 0-65536
SHA3-256A4971Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-384A4971FIPS 202Message Length - Message Length: 0-65536
SHA3-512A4971Message Length - Message Length: 0-65536 Increment 8FIPS 202

Table 5: Modes List and Description The module supports an FIPS 140-3 Approved mode and non-Approved mode of operation. The module will be in Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked, and the success API return indicator is provided. The module implements non-Approved Algorithms Not Allowed in the Approved Mode of Operation. When a non-Approved security function is invoked, the module will no longer be in the Approved mode of operation. A status indicator in the form of an API return code and log entry indicating the service name and “non-approved” will be provided when the module enters and exits the non-Approved mode of operation.

2.5 Algorithms

Approved Algorithms: © 2024 Broadcom Inc.

Page 11
Approved algorithm
NameCAVP CertPropertiesReference
AES-GCMA4972Direction - Decrypt, EncryptSP 800-38DA4972
Service
NameApproved Functions
AES CBC-MAC (SP 800-38C)CBC-MAC as an authentication mode outside ofAES CBC-MAC (SP 800-38C)
GHASH (SP 800-38D)GHASH (SP 800-38D)GHASH as a keyed hash function outside of GCM context
AES GCMEncryption (External IV)
RSA PKCS1v1.5RSA PKCS1v1.5Key Transport
AES using modes using RFC 3686 (CTR)Encryption and Decryption
AES using modes using RFC 4543 (GCM) and RFC 4309 (CCM)AES using modes using RFC 4543 (GCM) and RFC 4309 (CCM)Authenticated Encryption and Decryption

Table 6: Approved Algorithms The module implements the approved algorithms listed in the table above. Vendor-Affirmed Algorithms: N/A for this module. The module does not implement any vendor-affirmed algorithms. Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement any non-Approved Algorithms Allowed in the Approved Mode of Operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement any Non-Approved Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Table 7: Non-Approved, Not Allowed Algorithms The module does implement the non-approved algorithms listed in the table above.

2.6 Security Function Implementations
Page 12
Service
NameDescriptionApproved FunctionsTypeProperties
SymmetricSymmetricAES-CBCBC-AuthStrength:>= 128Symmetric CiphersBC-Auth BC-UnAuthSymmetric Encrypt/DecryptStrength:>= 128 bits
CiphersEncrypt/DecryptAES-CBC-CS3BC-UnAuthbits
Random Number GenerationRandom Number GenerationDRBGDeterministic Random Number GenerationStrength:>= 128 bitsCounter DRBG Hash DRBG HMAC DRBG
Digital SignatureECDSA SigVerDigital SignatureDigSig-SigGen DigSig-SigVerGenerate or verify data integrityStrength:=> 112 bits
Message AuthenticationMessage AuthenticationBC-Auth MACGenerate or verify data integrityStrength:=>112AES-CMAC HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512
Key AgreementPerform keyKey AgreementKAS-SSCStrength:=> 112 bitsKAS-ECC-SSC Sp800-56Ar3
Asymmetric Key GenerationAsymmetric Key GenerationAsymKeyPair- KeyGenGenerate an asymmetric keypairStrength:>= 112 bitsECDSA KeyGen (FIPS186-4)
Message DigestSHA-1Message DigestSHAHashingStrength: >= 112 bits
Asymmetric Key VerificationAsymmetric Key VerificationAsymKeyPair- KeyVerVerify an asymmetric keypairStrength:>= 112 bitsECDSA KeyVer (FIPS186-4)

AsymKeyPairKeyGen AsymKeyPairKeyVer © 2024 Broadcom Inc.

Page 13
CertVendor Name
Number
E115Broadcom Inc.

Table 8: Security Function Implementations The module implements the security functions listed in the table above.

2.7 Algorithm Specific Information

IG Compliance:

2.8 RBG and Entropy

The following entropy sources are available to the module and have been tested to NIST SP800-90B. 256 bits of entropy input are provided to the module's DRBG from the CPU Jitter entropy source certified by ESV #E115. The VMware CPU Jitter implementation generates an output that is considered to have full entropy. A request for 256 bits of entropy results in 256 bits of entropy per output sample, or full entropy. Table 9: Entropy Certificates

Page 14
Sensitive security parameter
NameTypeStrengthEntropy per SampleConditioning Component
VMware’s Linux Kernel CPU Time Jitter RNG Entropy SourceNon- Physical64 bitsPhoton OS 4.0 on VMware ESXi0.3330.333A4658
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Physical data input port(s) of the host platformPhysical data input port(s) of the host platformData InputData InputData to be encrypted, decrypted, signed, verified, or hashed. Keys
Physical data output port(s) of the host platformPhysical data output port(s) of the host platformData that has been encrypted, decrypted, or verified. Digital signatures, Hashes, Random values generated by the module’s DRBG. Keys established using module’s key establishment methodsData Output
Physical controlAPI commands invoking cryptographic services. Modes, key sizes, etc. used with cryptographic servicesControl InputPhysical control
Physical status output port(s) of the host platformPhysical status output port(s) of the host platformStatus Output API call return valuesStatus Output

NonPhysical Table 10: Entropy Sources

2.9 Key Generation

The module implements asymmetric key generation using ECDSA as per FIPS 186-4. The module does perform key agreement primitives on behalf of the calling process but does not establish keys into the module.

2.11 Industry Protocols

The module does not implement any industry protocols.

3.1 Ports and Interfaces

Table 11: Ports and Interfaces © 2024 Broadcom Inc.

Page 15
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutputDescription
Installation and initializationInstallationCrypto OfficerNoneStatusN/AStatusStatus outputNone
andandoutput
Show StatusCrypto OfficerCommand inputStatusStatus outputNoneReturn module status
On demand self-testPerform pre-Crypto OfficerN/AStatusStatus outputNone
Show versionCrypto OfficerCommand inputStatus output,Status output,NoneReturn module
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutputDescription
Installation and initializationInstallationCrypto OfficerNoneStatusN/AStatusStatus outputNone
andandoutput
Show StatusCrypto OfficerCommand inputStatusStatus outputNoneReturn module status
On demand self-testPerform pre-Crypto OfficerN/AStatusStatus outputNone
Show versionCrypto OfficerCommand inputStatus output,Status output,NoneReturn module

The table above lists the module's physical ports and logical interfaces.

4 Roles, Services, and Authentication

N/A for this module. The module does not support an authentication mechanism.

4.2 Roles

Table 12: Roles There are two roles in the module that operators may assume: a Cryptographic Officer (CO) role and a User role. Roles are assumed implicitly through the execution of either a CO or User service. The module does not support an authentication mechanism. Each role and their corresponding services are detailed in the sections below. The CO and User roles share many services, including encryption, decryption, and random number generation services. The CO performs installation and initialization, show status, selftests on demand, and key zeroization services. Table 7 below describes the Approved CO and User roles.

4.3 Approved Services

Perform preoperational r N/A N/A © 2024 Broadcom Inc.

Page 16
Sensitive security parameter
NameDescriptionInputOutputAccessIndicatoSecuritySSP Access
rrFunctions
versioning informationversioning informationModule versionModule version
Symmetric EncryptionEncrypt plaintext dataAPI Parameters , plaintext dataStatus, ciphertext dataAPI return valueSymmetric CiphersUser - AES Key: W,E - AES XTS key: W,E
Symmetric DecryptionDecrypt ciphertext dataAPI Parameters , ciphertext dataStatus, plaintext dataUserAPI return valueSymmetric Ciphers
Authenticate d Symmetric EncryptionEncrypt plaintext using AES GCM keyAPI Parameters , plaintext dataStatus, ciphertext dataAPI return valueSymmetric CiphersUser - GCM Key: W,E - GCM IV: W,E
Page 17
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorInputOutput
Authenticate d Symmetric DecryptionDecrypt ciphertext using AES GCM key with IV or CCMAPI Parameters , ciphertext dataStatus, plaintext dataAPI return valueSymmetric CiphersUser
Generate random numberReturn random bits to the calling applicationUser - Entropy: W,E - DRBG Random Number: W,E - Hash_DRBG V value: G,E - Hash_DRBG C value: G,E - HMAC_DRB G V value: G,E - HMAC_DRB G Key value: G,E - CTR_DRBG V value: G,E - CTR_DRBG Key value: G,EAPI ParametersStatus, random numberAPI return valueRandom Number Generation
Generate Symmetric DigestGenerate Symmetric DigestUser - AES CMAC Key: W,ESymmetricAPI ParametersStatus, Symmetric DigestAPI return value
Verify Symmetric DigestVerify Symmetric DigestUser - AES CMAC Key: W,EAPI ParametersStatusAPI return valueSymmetric Ciphers Message Authenticatio n
Perform Keyed Hash OperationsUser - HMAC Key: W,EAPI ParametersAPI return valueMessage Authenticatio nCompute aStatus,
messagemessageMessage
authenticatioauthenticatioAuthenticatio
n coden coden Code
Perform hash operationUserAPI return valueAPI ParametersMessage DigestCompute a message digestStatus, Message Digest
Generate asymmetric key pairAPI return valueAPI ParametersAsymmetric Key GenerationUserGenerate a public/private key pairStatus
Verify ECDSA public keyUser - ECDSA Public Key: WAPI return valueAPI ParametersAsymmetric Key VerificationVerify an ECDSA public keyStatus
GenerateGenerateAPIAPI ParametersGenerateDigital SignatureUserStatus
DigitalDigitalreturnDigital- RSA Private
SignatureSignaturevalueSignatureKey: W,E
Verify digital signatureUser - RSA Public Key: W,E - ECDSA Public Key: W,EAPI return valueAPI ParametersDigital SignatureVerify digital signatureStatus
Compute Shared SecretAPI return valueAPI ParametersKey AgreementUserCompute ECDH shared secretStatus
Perform authenticated symmetricEncryption/decryptionUserAES CBC-MAC (SP 800-38C)AES CBC-MAC (SP 800-38C)Encryption/decryptionUser
Page 18
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorInputOutput
Perform hash operationUserAPI return valueAPI ParametersCompute a message digestStatus, Message DigestMessage Digest
Generate asymmetric key pairAPI return valueAPI ParametersGenerate a public/private key pairStatusAsymmetric Key GenerationUser
Verify ECDSA public keyUser - ECDSA Public Key: WAPI return valueAPI ParametersVerify an ECDSA public keyStatusAsymmetric Key Verification
GenerateGenerateAPIAPI ParametersStatusDigital SignatureUserGenerate
DigitalDigitalreturn- RSA PrivateDigital
SignatureSignaturevalueKey: W,ESignature
Verify digital signatureUser - RSA Public Key: W,E - ECDSA Public Key: W,EAPI return valueAPI ParametersVerify digital signatureStatusDigital Signature
Compute Shared SecretAPI return valueAPI ParametersCompute ECDH shared secretStatusKey AgreementUser
Perform authenticated symmetricEncryption/decryptionUserAES CBC-MAC (SP 800-38C)AES CBC-MAC (SP 800-38C)Encryption/decryptionUser

r G,R G,R W W,E W,E W,E Table 13: Approved Services The table above lists the approved services available to module operators. Access rights are indicated using the following notation:

4.4 Non-Approved Services
Page 19
Service
NameDescriptionRolesApproved Functions
Perform keyed hash functionUserPerform keyed hash functionHashingGHASH (SP 800-38D)
Perform authenticated symmetricEncryption with ExternalUserAES GCM
encryptionIV
RSA Key TransportUserRSA Key TransportKey padding / Key transportRSA PKCS1v1.5
Perform symmetricUserAES using modes using RFCEncryption/decryption
encryption/decryption3686 (CTR)
Perform authenticated symmetric encryption/decryptionUserPerform authenticated symmetric encryption/decryptionAuthenticated encryption/decryptionAES using modes using RFC 4543 (GCM) and RFC 4309 (CCM)

Table 14: Non-Approved Services The module implements the non-approved services listed in the table above.

4.5 External Software/Firmware Loaded

The module does not implement external software loading.

5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module’s cryptographic boundary is verified by a hash generated by HMACSHA2-256 digest. The software integrity test is performed by VMware’s Linux Kernel Cryptographic Module. The module automatically invokes separate KATs for the HMAC and SHA2-256 algorithms then the module will invoke the HMAC-SHA2-256 integrity test preoperationally during the boot sequence.

5.2 Initiate on Demand

An operator can initiate the integrity test on-demand by rebooting the OS. If an integrity test fails, the module will enter the critical error state.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The VMware’s Linux Kernel Cryptographic Module 5.0.0 comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host © 2024 Broadcom Inc.

Page 20
StorageDescriptionPersistence Type
Area
Name
RAMMemoryDynamic

device’s OS prevents unauthorized access to plaintext, private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators.

7 Physical Security

The cryptographic module is a software module and does not include physical security mechanisms. Therefore, per ISO/IEC 19790:2021 section 7.7.1, requirements for physical security are not applicable.

8 Non-Invasive Security

This section is not applicable. There are currently no approved non-invasive mitigation metrics defined at the time of writing. (Ref: ISO/IEC 19790:2012 Annex F).

9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 15: Storage Areas All SSPs are only stored in memory.

9.2 SSP Input-Output Methods

Table 16: SSP Input-Output Methods All SSPs are passed to the module via a well-defined API.

9.3 SSP Zeroization Methods
Page 21
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
AES KeySymmetricAES Key128, 192,Symmetric CiphersAES KeySymmetric Key - CSP
256-bit key -Key - CSP256-bit key -
EntropyRandom Number GenerationExternally generated entropy used to seed the DRBGEntropy - CSP256 bits - 256 bits
Hash_DRBG V valueDRBGRandom Number GenerationInternal state for DRBG440 bits - 256 bitsRandom Number Generation
Hash_DRBG C valueRandom Number GenerationInternal state for DRBGDRBG Internal State - CSP440 bits - 256 bitsRandom Number Generation
HMAC_DRB G V valueDRBGRandom Number GenerationInternal state for DRBG256 bits - 256 bitsRandom Number Generation
HMAC_DRB G Key valueRandom Number GenerationInternal state for DRBGDRBG Internal State - CSP256 bits - 256 bitsRandom Number Generation
CTR_DRBG V valueDRBGRandom Number GenerationInternal state for DRBG128 bits - 128 bitsRandom Number Generation
CTR_DRBG Key valueRandom Number GenerationInternal state for DRBGDRBG Internal State - CSP128, 192, 256 bits - 128 to 256 bitsRandom Number Generation
RSA Public KeyRSA≥ 2048 bits -AsymmetriDigital SignatureKey used for RSA
112 to 150Keypair -112 to 150c Key
bitsPSPbitsGeneration
ZeroizationDescriptionRationaleOperator
MethodInitiation
Reboot OSReboot Operating SystemMemory is zeroized upon rebootOperator Initiated

Table 17: SSP Zeroization Methods There is no mechanism within the module boundary for the persistent storage of keys and CSPs. Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can reboot the OS.

9.4 SSPs
Page 22
Sensitive security parameter
NameDescriptionStrengthUse
RSA Private KeyDigital SignatureKey used for RSA Signature Generation≥ 2048 bits - 112 to 150 bitsRSA Keypair - CSPAsymmetri c Key Generation
ECDSA Public KeyKey usedDigital SignatureP-256, P-384 - 128 or 256 bitsECDSA Keypair - PSPAsymmetri c Key Generation
ECDSA Private KeyDigital SignatureKey used for ECDSA Signature GenerationP-256, P-384 - 128 or 256 bitsECDSA Keypair - CSPAsymmetri c Key Generation
HMAC KeyKey used≥ 112 bits - ≥ 112 bitsHMAC Key - CSPMessage
for HMACfor HMACAuthenticatio
OperationsOperationsn
AES CCM KeySymmetric CiphersCCM Key128, 192, 256 bits - 128 to 256 bitsCCM Key - CSP
GCM Key128, 192, 256Symmetric CiphersGCM KeyGCM Key - CSP
GCM IVSymmetric CiphersGCM IV96 bits - 96 bitsGCM IV - CSP
AES XTS key128, 256-bitSymmetric CiphersAES XTS KeyAES XTS Key - CSP
AES CMAC KeySymmetric CiphersAES CMAC Key128, 192, 256 bits - 128 to 256 bitsAES CMAC Key - CSP
DRBG Random NumberCTR_DRBG:Symmetric Ciphers Message Authenticatio n Asymmetric Key GenerationDRBG Random NumberDRBG Random Number - CSPRandom Number Generation

n SHA2256,SHA2512 n n © 2024 Broadcom Inc.

Page 23
Sensitive security parameter
NameTypeDescriptionStorageZeroizationUseInputStorage Duration
ECDH Private ComponentKey AgreementECDH Private ComponentP-256, P-384 - 128 or 256 bitsECDH Private Componen t - CSPKey Agreement
ECDH public componentECDHECDHKey AgreementECDH public componentP-256, P-384 - 128 or 256 bitsKey Agreement
publicpublicpublic
componentcomponentcomponent
AES KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil RebootUntil Reboot
EntropyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
Hash_DRBG V valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
Hash_DRBG C valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
HMAC_DRBG V valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
HMAC_DRBG Key valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
CTR_DRBG V valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
CTR_DRBG Key valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
RSA Public KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
RSA Private KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
ECDSA Public KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
ECDSA Private KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
HMAC KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
AES CCM KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
GCM KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
GCM IVRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
AES XTS keyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
AES CMAC KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
Sensitive security parameter
NameTypeDescriptionStorageZeroizationUseInputStorage Duration
ECDH Private ComponentKey AgreementECDH Private ComponentP-256, P-384 - 128 or 256 bitsECDH Private Componen t - CSPKey Agreement
ECDH public componentECDHECDHKey AgreementECDH public componentP-256, P-384 - 128 or 256 bitsKey Agreement
publicpublicpublic
componentcomponentcomponent
AES KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil RebootUntil Reboot
EntropyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
Hash_DRBG V valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
Hash_DRBG C valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
HMAC_DRBG V valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
HMAC_DRBG Key valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
CTR_DRBG V valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
CTR_DRBG Key valueRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
RSA Public KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
RSA Private KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
ECDSA Public KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
ECDSA Private KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
HMAC KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
AES CCM KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
GCM KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
GCM IVRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
AES XTS keyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
AES CMAC KeyRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot

n Table 18: SSP Table 1 © 2024 Broadcom Inc.

Page 24
Sensitive security parameter
NameStorageZeroizationInputStorage Duration
DRBG Random NumberRAM:PlaintextReboot OSExternal to RAMUntil RebootUntil Reboot
ECDH Private ComponentRAM:PlaintextReboot OSExternal to RAM RAM to ExternalUntil Reboot
ECDH public componentRAM:PlaintextReboot OSExternal to RAMUntil Reboot
Self test
NameAlgorithm Or TestTest MethodTest TypeDetails
HMAC-SHA2-256HMAC-SHA2-256HMAC-SHA2-Software IntegrityStatusSW/FW
(A4971)(A4971)256TestOutputIntegrity

Table 19: SSP Table 2 The module manages the SSPs, and keys listed in the table above.

10 Self-Tests

The Module performs both pre-operational and conditional self-tests. Once invoked, the Module will not perform functions or services until the self-test(s) has been completed. The following sections list the self-tests performed by the Module, their expected error status, and any error resolutions.

10.1 Pre-Operational Self-Tests

Table 20: Pre-Operational Self-Tests If any of the pre-operational self-tests fail, the module enters the critical error state, and an error message is logged. In this state, cryptographic operations are halted, and the module inhibits all data output from the module as the API interface is disabled. In order to attempt to exit the error state, the module must be restarted by rebooting the OS. If the error persists, the module must be reinitialized. Pre-operational self-tests are automatically performed by the module at module initialization or when the module powers on. The list of pre-operational self-tests that follows may also be run on-demand when the CO reboots the Operating System. The Module performs the required HMAC and SHS Cryptographic Algorithm Self-Tests (CASTs) that are required for the subsequent software integrity tests. During the execution of self-tests, cryptographic functions and data output from the module are inhibited. The VMware’s Linux Kernel Cryptographic Module performs a software integrity check (HMAC with SHA2-256 Integrity Test) preoperationally.

10.2 Conditional Self-Tests
Page 25
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorConditionsModule Initialization
ECDSAECDSAPCTPCTKey Generation / Key VerificationP-256, P-384Status OutputAfter key pair generation
generate, andgenerate, andgenerate, and
reseedreseedreseed

AES-CBCCS3 AESCFB128 © 2024 Broadcom Inc.

Page 26
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorConditions
KAS-ECC- SSC Sp800- 56Ar3 (A4971)Shared Secret ComputationKAS-ECC- SSC Sp800- 56Ar3 (A4971)P-256, P-384KATCASTStatus OutputModule Initialization
KAS-ECC-KAS-ECC-Shared Secret ComputationP-256, P-384PCTPCTStatus OutputAfter Key pair generation
RSA SigGen (FIPS186-4) (A4971)Signature GenerationRSA SigGen (FIPS186-4) (A4971)PKCS1v1.5 Mod (2048, 3072, 4096) Hash (SHA2-224, SHA2-256, SHA2- 384, SHA2-512)KATCASTStatus OutputModule Initialization
RSA SigVer (FIPS186-4) (A4971)Signature VerificationRSA SigVer (FIPS186-4) (A4971)KATCASTStatus OutputModule InitializationPKCS1v1.5 Mod
SHSMessage DigestSHSSHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 SHA3-224, SHA3- 256, SHA3-384, SHA3-512KATCASTStatus OutputModule Initialization
SP800-SP800-Message DigestDRBG health testsCASTStatus OutputContinuously while the Module is loadedHash_DRBG,
90Ar190Ar1HMAC_DRBG and
ContinualContinualCTR_DRBG SP
HealthHealth800-90Ar1 Health
TestsTestsTests
HMAC-SHA2-256HMAC-SHA2-256Software IntegritySW/FW IntegrityUser initiatedOn demand self-
(A4971)(A4971)Testmodule reboottest service
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorConditionsTest MethodPeriodPeriodic Method
KAS-ECC- SSC Sp800- 56Ar3 (A4971)Shared Secret ComputationKAS-ECC- SSC Sp800- 56Ar3 (A4971)P-256, P-384KATCASTStatus OutputModule Initialization
KAS-ECC-KAS-ECC-Shared Secret ComputationP-256, P-384PCTPCTStatus OutputAfter Key pair generation
RSA SigGen (FIPS186-4) (A4971)Signature GenerationRSA SigGen (FIPS186-4) (A4971)PKCS1v1.5 Mod (2048, 3072, 4096) Hash (SHA2-224, SHA2-256, SHA2- 384, SHA2-512)KATCASTStatus OutputModule Initialization
RSA SigVer (FIPS186-4) (A4971)Signature VerificationRSA SigVer (FIPS186-4) (A4971)KATCASTStatus OutputModule InitializationPKCS1v1.5 Mod
SHSMessage DigestSHSSHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 SHA3-224, SHA3- 256, SHA3-384, SHA3-512KATCASTStatus OutputModule Initialization
SP800-SP800-Message DigestDRBG health testsCASTStatus OutputContinuously while the Module is loadedHash_DRBG,
90Ar190Ar1HMAC_DRBG and
ContinualContinualCTR_DRBG SP
HealthHealth800-90Ar1 Health
TestsTestsTests
HMAC-SHA2-256HMAC-SHA2-256Software IntegritySW/FW IntegrityUser initiatedOn demand self-
(A4971)(A4971)Testmodule reboottest service
AES-CBCKATCASTUser initiatedOn demand self-AES-CBC
(A4971)module reboottest service(A4971)
AES-CBC-CS3 (A4971)AES-CBC-CS3 (A4971)KATCASTUser initiated module rebootOn demand self- test service
AES-CCMKATCASTUser initiatedOn demand self-AES-CCM
(A4971)module reboottest service(A4971)
AES-CFB128 (A4971)AES-CFB128 (A4971)KATCASTUser initiated module rebootOn demand self- test service
AES-CTR (A4971)AES-CTR (A4971)KATCASTUser initiatedOn demand self-
module rebootmodule reboottest service
AES-ECB (A4971)AES-ECB (A4971)KATCASTUser initiated module rebootOn demand self- test service
AES-GCMKATCASTUser initiatedOn demand self-AES-GCM
(A4972)module reboottest service(A4972)
AES-GCM (A4971)AES-GCM (A4971)KATCASTUser initiated module rebootOn demand self- test service
AES-CMACKATCASTUser initiatedOn demand self-AES-CMAC
(A4971)module reboottest service(A4971)
AES-XTS Testing Revision 2.0 (A4971)AES-XTS Testing Revision 2.0 (A4971)KATCASTUser initiated module rebootOn demand self- test service
AES-CMACKATCASTUser initiatedOn demand self-AES-CMAC
(A4971)module reboottest service(A4971)
Counter DRBG (A4971)Counter DRBG (A4971)KATCASTUser initiated module rebootOn demand self- test service
ECDSA KeyGen (FIPS186-4) (A4971)ECDSA KeyGen (FIPS186-4) (A4971)PCTPCTAfter key pairAfter key pair generation
ECDSA SigVer (FIPS186-4) (A4971)ECDSA SigVer (FIPS186-4) (A4971)KATCASTAfter Signature VerificationAfter Signature Verification/ On demand self-test service
Hash DRBGKATCASTUser initiatedOn demand self-Hash DRBG
(A4971)module reboottest service(A4971)
HMAC DRBG (A4971)HMAC DRBG (A4971)KATCASTUser initiated module rebootOn demand self- test service
HMACHMACKATCASTUser initiatedOn demand self-
module rebootmodule reboottest service
KAS-ECC-SSC Sp800-56Ar3 (A4971)KAS-ECC-SSC Sp800-56Ar3 (A4971)KATCASTUser initiated module rebootOn demand self- test service
KAS-ECC-SSC Sp800-56Ar3 (A4971)KAS-ECC-SSC Sp800-56Ar3 (A4971)PCTPCTAfter Key pairAfter Key pair generation
RSA SigGen (FIPS186-4) (A4971)RSA SigGen (FIPS186-4) (A4971)KATCASTUser initiated module rebootOn demand self- test service

KAS-ECCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 SP800Hash_DRBG, Table 21: Conditional Self-Tests Conditional self-tests are performed by the Module during operation when specific conditions occur. The Module performs the conditional self-tests listed in the table above. Table 22: Pre-Operational Periodic Information © 2024 Broadcom Inc.

Page 28
Self test
NameAlgorithm Or Test
Continual HealthContinual Healthwhile the Module
TestsTestsis loaded
Service
NameIndicator
Critical ErrorReboot OSCritical ErrorThe module's error state.Any Self-test failureStatus Return Code

Table 23: Conditional Periodic Information Periodic Self-Tests can be executed by rebooting the OS.

10.4 Error States

Table 24: Error States If any of the power-up self-tests fail, the module enters the critical error state, and an error message is logged. In this state, cryptographic operations are halted, and the module inhibits all data output from the module as the API interface is disabled. In order to attempt to exit the error state, the module must be restarted by rebooting OS. If the error persists, the module must be reinitialized.

10.5 Operator Initiation of Self-Tests

Operator initiated Self-Tests can be executed by rebooting the OS.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Prior to the secure installation of Photon OS, the CO shall prepare the virtual environment required to securely operate it. This includes installing VMware vSphere Hypervisor (ESXi) 8.0 (see vSphere Installation and Setup). Both virtual environments require the Dell PowerEdge R650 server to run the installation. The tar archive containing VMware's Linux Kernel Cryptographic Module prior to build time, contains the HMAC-SHA2-256 digest:

Page 29

The cryptographic functionality of VMware’s Linux Kernel Cryptographic Module comes installed with Photon OS and cannot be “unloaded”. To run Photon OS kernel in an Approved mode, the Crypto Officer shall perform following actions using root access on kernel command line interface:

  1. Edit the “/boot/photon.cfg” kernel file and append ‘fips=1’ to the “photon_cmdline” line
  2. Reboot the OS using the “reboot” command.
  3. To check the Approved mode, run “cat /proc/sys/crypto/fips_enabled”, which will show ‘1’ when Approved mode is enabled or ‘0’ when Approved mode is not enabled.
  4. To verify that the OS is running certified version of VMware’s Linux Kernel Cryptographic Module run command “dmesg | grep canister”. It should print following output: • FIPS (fips_integrity_init): canister 5.0.0 found (based on 6.1.75-2.ph5-secure) • FIPS canister HMAC: o • ea4629447ae187005ca7a12a75220f283cde801c160aa6bfc74f63e9f9409119 FIPS canister verification passed!
11.2 Administrator Guidance

Installation and operation of the VMware’s Linux Kernel Cryptographic Module requires the proper installation of Photon OS. There are no additional steps that must be performed to use the module correctly. There are no known CVEs with this module. The CO should ensure that the operating environment is patched and updated in a timely fashion to reduce exposure to security vulnerabilities.

11.3 Non-Administrator Guidance

There is no additional guidance for non-administrators.

12 Mitigation of Other Attacks

This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. © 2024 Broadcom Inc.

Referenced URLs