| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim validation. When operated in approved mode and installed, initialized and configured as specified in Section 11.1 of the Security Policy. |
| Vendor | Broadcom Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A4971 |
| AES-CBC-CS3 | A4971 |
| AES-CCM | |
| AES-CFB128 | A4971 |
| AES-CMAC | A4971 |
| AES-CTR | A4971 |
| AES-ECB | A4971 |
| AES-GCM | A4971 |
| AES-XTS Testing | A4971 |
| Counter DRBG | A4971 |
| ECDSA KeyGen | A4971 |
| ECDSA KeyVer (FIPS186-4) | A4971 |
| ECDSA SigVer (FIPS186-4) | A4971 |
| Hash DRBG | A4971 |
| HMAC DRBG | A4971 |
| Mode - SHA-1, SHA2-256, SHA2-512 | |
| HMAC-SHA-1 | A4971 |
| HMAC-SHA2-224 | A4971 |
| HMAC-SHA2-256 | A4971 |
| HMAC-SHA2-384 | A4971 |
| HMAC-SHA2-512 | A4971 |
| HMAC-SHA3-224 | A4971 |
| HMAC-SHA3-256 | A4971 |
| HMAC-SHA3-384 | A4971 |
| HMAC-SHA3-512 | A4971 |
| KAS-ECC-SSC Sp800-56Ar3 | A4971 |
| RSA SigGen (FIPS186-4) | A4971 |
| RSA SigVer | A4971 |
| SHA-1 | A4971 |
| SHA2-224 | A4971 |
| SHA2-256 | A4971 |
| SHA2-384 | A4971 |
| SHA2-512 | A4971 |
| SHA3-224 | A4971 |
| SHA3-256 | A4971 |
| SHA3-384 | A4971 |
| SHA3-512 | A4971 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for VMware’s Linux Kernel Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric<br/>Ciphers<br/>Installation and initialization</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for VMware’s Linux Kernel Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric<br/>Ciphers<br/>Installation and initialization</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Broadcom Inc. VMware’s Linux Kernel Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
| # | Section | Page |
|---|---|---|
| 1 | General | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 5 |
| 2 | Cryptographic Module Specification | 6 |
| 2.1 | Description | 6 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 7 |
| 2.3 | Excluded Components | 8 |
| 2.4 | Modes of Operation | 8 |
| 2.5 | Algorithms | 9 |
| 2.6 | Security Function Implementations | 11 |
| 2.7 | Algorithm Specific Information | 13 |
| 2.8 | RBG and Entropy | 13 |
| 2.9 | Key Generation | 14 |
| 2.10 | Key Establishment | 14 |
| 2.11 | Industry Protocols | 14 |
| 3 | Cryptographic Module Interfaces | 14 |
| 3.1 | Ports and Interfaces | 14 |
| 4 | Roles, Services, and Authentication | 15 |
| 4.1 | Authentication Methods | 15 |
| 4.2 | Roles | 15 |
| 4.3 | Approved Services | 15 |
| 4.4 | Non-Approved Services | 18 |
| 4.5 | External Software/Firmware Loaded | 19 |
| 5 | Software/Firmware Security | 19 |
| 5.1 | Integrity Techniques | 19 |
| 5.2 | Initiate on Demand | 19 |
| 6 | Operational Environment | 19 |
| 6.1 | Operational Environment Type and Requirements | 19 |
| 7 | Physical Security | 20 |
| 8 | Non-Invasive Security | 20 |
| 9 | Sensitive Security Parameters Management | 20 |
| 9.1 | Storage Areas | 20 |
| 9.2 | SSP Input-Output Methods | 20 |
| 9.3 | SSP Zeroization Methods | 20 |
| 9.4 | SSPs | 21 |
| 10 | Self-Tests | 24 |
| 10.1 | Pre-Operational Self-Tests | 24 |
| 10.2 | Conditional Self-Tests | 24 |
| 10.3 | Periodic Self-Test Information | 26 |
| 10.4 | Error States | 28 |
| 10.5 | Operator Initiation of Self-Tests | 28 |
| 11 | Life-Cycle Assurance | 28 |
| 11.1 | Installation, Initialization, and Startup Procedures | 28 |
| 11.2 | Administrator Guidance | 29 |
| 11.3 | Non-Administrator Guidance | 29 |
| 12 | Mitigation of Other Attacks | 29 |
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 7 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 5: Modes List and Description | 9 |
| Table 6: Approved Algorithms | 11 |
| Table 7: Non-Approved, Not Allowed Algorithms | 11 |
| Table 8: Security Function Implementations | 13 |
| Table 9: Entropy Certificates | 13 |
| Table 10: Entropy Sources | 14 |
| Table 11: Ports and Interfaces | 14 |
| Table 12: Roles | 15 |
| Table 13: Approved Services | 18 |
| Table 14: Non-Approved Services | 19 |
| Table 15: Storage Areas | 20 |
| Table 16: SSP Input-Output Methods | 20 |
| Table 17: SSP Zeroization Methods | 21 |
| Table 18: SSP Table 1 | 23 |
| Table 19: SSP Table 2 | 24 |
| Table 20: Pre-Operational Self-Tests | 24 |
| Table 21: Conditional Self-Tests | 26 |
| Table 22: Pre-Operational Periodic Information | 26 |
| Table 23: Conditional Periodic Information | 28 |
| Table 24: Error States | 28 |
| Figure 1: Block Diagram | 7 |
| Name | ISO Section | Requirement | Level | |||
|---|---|---|---|---|---|---|
| 2 | 2 | Cryptographic module specification | 1 | |||
| 3 | 3 | Cryptographic module interfaces | 1 | |||
| 4 | 4 | Roles, services, and authentication | 1 | |||
| 5 | 5 | Software/Firmware security | 1 | |||
| 6 | 6 | Operational environment | 1 | |||
| 7 | 7 | Physical security | N/A | |||
| 8 | 8 | Non-invasive security | N/A | |||
| 9 | 9 | Sensitive security parameter management | 1 | |||
| 10 | 10 | Self-tests | 1 | |||
| 11 | 11 | Life-cycle assurance | 1 | |||
| 12 | 12 | Mitigation of other attacks | N/A | |||
| Overall Level | Overall Level | 1 |
This is a non-proprietary Cryptographic Module Security Policy for the VMware's Linux Kernel Cryptographic Module 5.0.0 from Broadcom Inc. This Security Policy describes how the VMware's Linux Kernel Cryptographic Module 5.0.0 meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE), Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program. This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Software Level 1 FIPS 140-3 validation of the module. The VMware's Linux Kernel Cryptographic Module 5.0.0 is also referred to in this document as the “Module.” It also provides instructions to individuals and organizations on how to deploy or operate the product in a secure approved mode. This document has been written for the following audiences:
The module has been validated at the FIPS 140-3 section levels shown in the table below. Table 1: Security Levels N/A N/A N/A © 2024 Broadcom Inc.
Purpose and Use: The VMware’s Linux Kernel Cryptographic Module is a software cryptographic module with a multiple-chip standalone embodiment. The overall security level of the module is 1. As a software module, the module must rely on the physical characteristics of the host system. The physical perimeter of the cryptographic module is defined by the hard enclosure around the host system on which it runs. The module supports the physical interfaces of the Dell PowerEdge R650 Server. These interfaces include the integrated circuits of the system board, processor, RAM, hard disk, device case, power supply, and fans. See Figure 1 below for a hardware block diagram of the Dell PowerEdge R650 Server. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: As a software module, the module must rely on the physical characteristics of the host system. The physical perimeter of the cryptographic module is defined by the hard enclosure around the host system on which it runs. The module supports the physical interfaces of the Dell PowerEdge R650 Server. These interfaces include the integrated circuits of the system board, processor, RAM, hard disk, device case, power supply, and fans. See Figure 1 below for a hardware block diagram of the Dell PowerEdge R650 Server. © 2024 Broadcom Inc.
| Name | Firmware Version | Features | Package | Integrity Test | |
|---|---|---|---|---|---|
| fips_canister.o | 5.0.0 | software cryptographic | fips_canister.o | HMAC-SHA2-256 | 5.0.0 |
Tested Module Identification
| Name | Operating System | Hardware Platform | ||
|---|---|---|---|---|
| Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Dell PowerEdge R740 with an Intel® Xeon® Gold 6230R with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware | Photon OS 5.0/Photon OS 4.0 on VMware | Dell PowerEdge R640 with an Intel(R) Xeon(R) Silver | ||
| ESXi 8.0/ VMware ESXi 7.0 | ESXi 8.0/ VMware ESXi 7.0 | 4214 with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Dell PowerEdge R630 with an Intel(R) Xeon(R) CPU E5-2660 v4 with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware | Photon OS 5.0/Photon OS 4.0 on VMware | PowerEdge R6625 with an AMD EPYC 9124 | ||
| ESXi 8.0/ VMware ESXi 7.0 | ESXi 8.0/ VMware ESXi 7.0 | with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | ProLiant DL385 Gen10 Plus v2 with an AMD EPYC 7343 16-Core Processor with/without PAA | ||
| Cloud computing environment executing | Cloud computing environment executing | General-purpose computing platform with/without PAA |
| Name | Operating System | Hardware Platform | ||
|---|---|---|---|---|
| Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Photon OS 5.0/ Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Dell PowerEdge R740 with an Intel® Xeon® Gold 6230R with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware | Photon OS 5.0/Photon OS 4.0 on VMware | Dell PowerEdge R640 with an Intel(R) Xeon(R) Silver | ||
| ESXi 8.0/ VMware ESXi 7.0 | ESXi 8.0/ VMware ESXi 7.0 | 4214 with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Dell PowerEdge R630 with an Intel(R) Xeon(R) CPU E5-2660 v4 with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware | Photon OS 5.0/Photon OS 4.0 on VMware | PowerEdge R6625 with an AMD EPYC 9124 | ||
| ESXi 8.0/ VMware ESXi 7.0 | ESXi 8.0/ VMware ESXi 7.0 | with/without PAA | ||
| Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | Photon OS 5.0/Photon OS 4.0 on VMware ESXi 8.0/ VMware ESXi 7.0 | ProLiant DL385 Gen10 Plus v2 with an AMD EPYC 7343 16-Core Processor with/without PAA | ||
| Cloud computing environment executing | Cloud computing environment executing | General-purpose computing platform with/without PAA |
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- Approved | Non-Approved Mode of Operation | Non-Approved service log message and API return value | Non- Approved |
4.0 4.0 5.0 5.0 Table 3: Tested Operational Environments - Software, Firmware, Hybrid 8.0 8.0 8.0 8.0 5.0.0 5.0.0 5.0.0 5.0.0 Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
There are no excluded components. Modes List and Description: NonApproved NonApproved © 2024 Broadcom Inc.
| Name | CAVP Cert | Properties | Reference | CAVP Cert | |||
|---|---|---|---|---|---|---|---|
| AES-CBC | A4971 | SP 800-38A | A4971 | Direction - Decrypt, Encrypt | |||
| AES-CBC-CS3 | A4971 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A | ||||
| AES-CCM | A4971 | Key Length - 128, 192, 256 | AES-CCM | SP 800-38C | |||
| AES-CFB128 | A4971 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A | ||||
| AES-CMAC | A4971 | SP 800-38B | Direction - Generation, Verification | ||||
| AES-CTR | A4971 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A | ||||
| AES-ECB | A4971 | SP 800-38A | Direction - Decrypt, Encrypt | ||||
| AES-GCM | A4971 | Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.2 Key Length - 128, 192, 256 | SP 800-38D | ||||
| AES-XTS Testing | A4971 | SP 800-38E | Direction - Decrypt, Encrypt | AES-XTS Testing | |||
| Revision 2.0 | Key Length - 128, 256 | Revision 2.0 | |||||
| Counter DRBG | A4971 | Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - Yes | SP 800-90A Rev. 1 | ||||
| ECDSA KeyGen | A4971 | FIPS 186-4 | Curve - P-256, P-384 | ECDSA KeyGen | |||
| (FIPS186-4) | Secret Generation Mode - Extra Bits | (FIPS186-4) | |||||
| ECDSA KeyVer (FIPS186-4) | A4971 | Curve - P-256, P-384 | FIPS 186-4 | ||||
| ECDSA SigVer (FIPS186-4) | A4971 | FIPS 186-4 | Curve - P-256, P-384 | ||||
| Hash DRBG | A4971 | Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512 | SP 800-90A Rev. 1 | ||||
| HMAC DRBG | A4971 | Prediction Resistance - No, Yes | SP 800-90A | ||||
| Mode - SHA-1, SHA2-256, SHA2-512 | Mode - SHA-1, SHA2-256, SHA2-512 | Rev. 1 | |||||
| HMAC-SHA-1 | A4971 | Key Length - Key Length: 128-2048 Increment 8 | FIPS 198-1 | ||||
| HMAC-SHA2-224 | A4971 | FIPS 198-1 | Key Length - Key Length: 128-2048 Increment | ||||
| HMAC-SHA2-256 | A4971 | Key Length - Key Length: 128-2048 Increment 8 | FIPS 198-1 | ||||
| HMAC-SHA2-384 | A4971 | FIPS 198-1 | Key Length - Key Length: 128-2048 Increment | ||||
| HMAC-SHA2-512 | A4971 | Key Length - Key Length: 128-2048 Increment 8 | FIPS 198-1 | ||||
| HMAC-SHA3-224 | A4971 | FIPS 198-1 | Key Length - Key Length: 128-2048 Increment | ||||
| HMAC-SHA3-256 | A4971 | Key Length - Key Length: 128-2048 Increment 8 | FIPS 198-1 | ||||
| HMAC-SHA3-384 | A4971 | FIPS 198-1 | Key Length - Key Length: 128-2048 Increment | ||||
| HMAC-SHA3-512 | A4971 | Key Length - Key Length: 128-2048 Increment 8 | FIPS 198-1 | ||||
| KAS-ECC-SSC Sp800-56Ar3 | A4971 | SP 800-56A Rev. 3 | Domain Parameter Generation Methods - P- | ||||
| RSA SigGen (FIPS186-4) | A4971 | Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 | FIPS 186-4 | ||||
| RSA SigVer | A4971 | FIPS 186-4 | Signature Type - PKCS 1.5 | RSA SigVer | |||
| (FIPS186-4) | Modulo - 2048, 3072, 4096 | (FIPS186-4) | |||||
| SHA-1 | A4971 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | ||||
| SHA2-224 | A4971 | FIPS 180-4 | Message Length - Message Length: 0-65536 | ||||
| SHA2-256 | A4971 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | ||||
| SHA2-384 | A4971 | FIPS 180-4 | Message Length - Message Length: 0-65536 | ||||
| SHA2-512 | A4971 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | ||||
| SHA3-224 | A4971 | FIPS 202 | Message Length - Message Length: 0-65536 | ||||
| SHA3-256 | A4971 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 | ||||
| SHA3-384 | A4971 | FIPS 202 | Message Length - Message Length: 0-65536 | ||||
| SHA3-512 | A4971 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
Table 5: Modes List and Description The module supports an FIPS 140-3 Approved mode and non-Approved mode of operation. The module will be in Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked, and the success API return indicator is provided. The module implements non-Approved Algorithms Not Allowed in the Approved Mode of Operation. When a non-Approved security function is invoked, the module will no longer be in the Approved mode of operation. A status indicator in the form of an API return code and log entry indicating the service name and “non-approved” will be provided when the module enters and exits the non-Approved mode of operation.
Approved Algorithms: © 2024 Broadcom Inc.
| Name | CAVP Cert | Properties | Reference | |
|---|---|---|---|---|
| AES-GCM | A4972 | Direction - Decrypt, Encrypt | SP 800-38D | A4972 |
| Name | Approved Functions | ||
|---|---|---|---|
| AES CBC-MAC (SP 800-38C) | CBC-MAC as an authentication mode outside of | AES CBC-MAC (SP 800-38C) | |
| GHASH (SP 800-38D) | GHASH (SP 800-38D) | GHASH as a keyed hash function outside of GCM context | |
| AES GCM | Encryption (External IV) | ||
| RSA PKCS1v1.5 | RSA PKCS1v1.5 | Key Transport | |
| AES using modes using RFC 3686 (CTR) | Encryption and Decryption | ||
| AES using modes using RFC 4543 (GCM) and RFC 4309 (CCM) | AES using modes using RFC 4543 (GCM) and RFC 4309 (CCM) | Authenticated Encryption and Decryption |
Table 6: Approved Algorithms The module implements the approved algorithms listed in the table above. Vendor-Affirmed Algorithms: N/A for this module. The module does not implement any vendor-affirmed algorithms. Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement any non-Approved Algorithms Allowed in the Approved Mode of Operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement any Non-Approved Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Table 7: Non-Approved, Not Allowed Algorithms The module does implement the non-approved algorithms listed in the table above.
| Name | Description | Approved Functions | Type | Properties | |||||
|---|---|---|---|---|---|---|---|---|---|
| Symmetric | Symmetric | AES-CBC | BC-Auth | Strength:>= 128 | Symmetric Ciphers | BC-Auth BC-UnAuth | Symmetric Encrypt/Decrypt | Strength:>= 128 bits | |
| Ciphers | Encrypt/Decrypt | AES-CBC-CS3 | BC-UnAuth | bits | |||||
| Random Number Generation | Random Number Generation | DRBG | Deterministic Random Number Generation | Strength:>= 128 bits | Counter DRBG Hash DRBG HMAC DRBG | ||||
| Digital Signature | ECDSA SigVer | Digital Signature | DigSig-SigGen DigSig-SigVer | Generate or verify data integrity | Strength:=> 112 bits | ||||
| Message Authentication | Message Authentication | BC-Auth MAC | Generate or verify data integrity | Strength:=>112 | AES-CMAC HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512 | ||||
| Key Agreement | Perform key | Key Agreement | KAS-SSC | Strength:=> 112 bits | KAS-ECC-SSC Sp800-56Ar3 | ||||
| Asymmetric Key Generation | Asymmetric Key Generation | AsymKeyPair- KeyGen | Generate an asymmetric keypair | Strength:>= 112 bits | ECDSA KeyGen (FIPS186-4) | ||||
| Message Digest | SHA-1 | Message Digest | SHA | Hashing | Strength: >= 112 bits | ||||
| Asymmetric Key Verification | Asymmetric Key Verification | AsymKeyPair- KeyVer | Verify an asymmetric keypair | Strength:>= 112 bits | ECDSA KeyVer (FIPS186-4) |
AsymKeyPairKeyGen AsymKeyPairKeyVer © 2024 Broadcom Inc.
| Cert | Vendor Name | |
|---|---|---|
| Number | ||
| E115 | Broadcom Inc. |
Table 8: Security Function Implementations The module implements the security functions listed in the table above.
IG Compliance:
The following entropy sources are available to the module and have been tested to NIST SP800-90B. 256 bits of entropy input are provided to the module's DRBG from the CPU Jitter entropy source certified by ESV #E115. The VMware CPU Jitter implementation generates an output that is considered to have full entropy. A request for 256 bits of entropy results in 256 bits of entropy per output sample, or full entropy. Table 9: Entropy Certificates
| Name | Type | Strength | Entropy per Sample | Conditioning Component | ||
|---|---|---|---|---|---|---|
| VMware’s Linux Kernel CPU Time Jitter RNG Entropy Source | Non- Physical | 64 bits | Photon OS 4.0 on VMware ESXi | 0.333 | 0.333 | A4658 |
| Name | Physical Port | Logical Interface | Data That Passes | |||
|---|---|---|---|---|---|---|
| Physical data input port(s) of the host platform | Physical data input port(s) of the host platform | Data Input | Data Input | Data to be encrypted, decrypted, signed, verified, or hashed. Keys | ||
| Physical data output port(s) of the host platform | Physical data output port(s) of the host platform | Data that has been encrypted, decrypted, or verified. Digital signatures, Hashes, Random values generated by the module’s DRBG. Keys established using module’s key establishment methods | Data Output | |||
| Physical control | API commands invoking cryptographic services. Modes, key sizes, etc. used with cryptographic services | Control Input | Physical control | |||
| Physical status output port(s) of the host platform | Physical status output port(s) of the host platform | Status Output API call return values | Status Output |
NonPhysical Table 10: Entropy Sources
The module implements asymmetric key generation using ECDSA as per FIPS 186-4. The module does perform key agreement primitives on behalf of the calling process but does not establish keys into the module.
The module does not implement any industry protocols.
Table 11: Ports and Interfaces © 2024 Broadcom Inc.
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output | Description | ||
|---|---|---|---|---|---|---|---|---|---|
| Installation and initialization | Installation | Crypto Officer | None | Status | N/A | Status | Status output | None | |
| and | and | output | |||||||
| Show Status | Crypto Officer | Command input | Status | Status output | None | Return module status | |||
| On demand self-test | Perform pre- | Crypto Officer | N/A | Status | Status output | None | |||
| Show version | Crypto Officer | Command input | Status output, | Status output, | None | Return module |
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output | Description | ||
|---|---|---|---|---|---|---|---|---|---|
| Installation and initialization | Installation | Crypto Officer | None | Status | N/A | Status | Status output | None | |
| and | and | output | |||||||
| Show Status | Crypto Officer | Command input | Status | Status output | None | Return module status | |||
| On demand self-test | Perform pre- | Crypto Officer | N/A | Status | Status output | None | |||
| Show version | Crypto Officer | Command input | Status output, | Status output, | None | Return module |
The table above lists the module's physical ports and logical interfaces.
N/A for this module. The module does not support an authentication mechanism.
Table 12: Roles There are two roles in the module that operators may assume: a Cryptographic Officer (CO) role and a User role. Roles are assumed implicitly through the execution of either a CO or User service. The module does not support an authentication mechanism. Each role and their corresponding services are detailed in the sections below. The CO and User roles share many services, including encryption, decryption, and random number generation services. The CO performs installation and initialization, show status, selftests on demand, and key zeroization services. Table 7 below describes the Approved CO and User roles.
Perform preoperational r N/A N/A © 2024 Broadcom Inc.
| Name | Description | Input | Output | Access | Indicato | Security | SSP Access | ||
|---|---|---|---|---|---|---|---|---|---|
| r | r | Functions | |||||||
| versioning information | versioning information | Module version | Module version | ||||||
| Symmetric Encryption | Encrypt plaintext data | API Parameters , plaintext data | Status, ciphertext data | API return value | Symmetric Ciphers | User - AES Key: W,E - AES XTS key: W,E | |||
| Symmetric Decryption | Decrypt ciphertext data | API Parameters , ciphertext data | Status, plaintext data | User | API return value | Symmetric Ciphers | |||
| Authenticate d Symmetric Encryption | Encrypt plaintext using AES GCM key | API Parameters , plaintext data | Status, ciphertext data | API return value | Symmetric Ciphers | User - GCM Key: W,E - GCM IV: W,E |
| Name | Description | Roles | Csps Accessed | Approved Functions | Indicator | Input | Output | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Authenticate d Symmetric Decryption | Decrypt ciphertext using AES GCM key with IV or CCM | API Parameters , ciphertext data | Status, plaintext data | API return value | Symmetric Ciphers | User | ||||||||
| Generate random number | Return random bits to the calling application | User - Entropy: W,E - DRBG Random Number: W,E - Hash_DRBG V value: G,E - Hash_DRBG C value: G,E - HMAC_DRB G V value: G,E - HMAC_DRB G Key value: G,E - CTR_DRBG V value: G,E - CTR_DRBG Key value: G,E | API Parameters | Status, random number | API return value | Random Number Generation | ||||||||
| Generate Symmetric Digest | Generate Symmetric Digest | User - AES CMAC Key: W,E | Symmetric | API Parameters | Status, Symmetric Digest | API return value | ||||||||
| Verify Symmetric Digest | Verify Symmetric Digest | User - AES CMAC Key: W,E | API Parameters | Status | API return value | Symmetric Ciphers Message Authenticatio n | ||||||||
| Perform Keyed Hash Operations | User - HMAC Key: W,E | API Parameters | API return value | Message Authenticatio n | Compute a | Status, | ||||||||
| message | message | Message | ||||||||||||
| authenticatio | authenticatio | Authenticatio | ||||||||||||
| n code | n code | n Code | ||||||||||||
| Perform hash operation | User | API return value | API Parameters | Message Digest | Compute a message digest | Status, Message Digest | ||||||||
| Generate asymmetric key pair | API return value | API Parameters | Asymmetric Key Generation | User | Generate a public/private key pair | Status | ||||||||
| Verify ECDSA public key | User - ECDSA Public Key: W | API return value | API Parameters | Asymmetric Key Verification | Verify an ECDSA public key | Status | ||||||||
| Generate | Generate | API | API Parameters | Generate | Digital Signature | User | Status | |||||||
| Digital | Digital | return | Digital | - RSA Private | ||||||||||
| Signature | Signature | value | Signature | Key: W,E | ||||||||||
| Verify digital signature | User - RSA Public Key: W,E - ECDSA Public Key: W,E | API return value | API Parameters | Digital Signature | Verify digital signature | Status | ||||||||
| Compute Shared Secret | API return value | API Parameters | Key Agreement | User | Compute ECDH shared secret | Status | ||||||||
| Perform authenticated symmetric | Encryption/decryption | User | AES CBC-MAC (SP 800-38C) | AES CBC-MAC (SP 800-38C) | Encryption/decryption | User |
| Name | Description | Roles | Csps Accessed | Approved Functions | Indicator | Input | Output | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Perform hash operation | User | API return value | API Parameters | Compute a message digest | Status, Message Digest | Message Digest | ||||||||
| Generate asymmetric key pair | API return value | API Parameters | Generate a public/private key pair | Status | Asymmetric Key Generation | User | ||||||||
| Verify ECDSA public key | User - ECDSA Public Key: W | API return value | API Parameters | Verify an ECDSA public key | Status | Asymmetric Key Verification | ||||||||
| Generate | Generate | API | API Parameters | Status | Digital Signature | User | Generate | |||||||
| Digital | Digital | return | - RSA Private | Digital | ||||||||||
| Signature | Signature | value | Key: W,E | Signature | ||||||||||
| Verify digital signature | User - RSA Public Key: W,E - ECDSA Public Key: W,E | API return value | API Parameters | Verify digital signature | Status | Digital Signature | ||||||||
| Compute Shared Secret | API return value | API Parameters | Compute ECDH shared secret | Status | Key Agreement | User | ||||||||
| Perform authenticated symmetric | Encryption/decryption | User | AES CBC-MAC (SP 800-38C) | AES CBC-MAC (SP 800-38C) | Encryption/decryption | User |
r G,R G,R W W,E W,E W,E Table 13: Approved Services The table above lists the approved services available to module operators. Access rights are indicated using the following notation:
| Name | Description | Roles | Approved Functions | |||
|---|---|---|---|---|---|---|
| Perform keyed hash function | User | Perform keyed hash function | Hashing | GHASH (SP 800-38D) | ||
| Perform authenticated symmetric | Encryption with External | User | AES GCM | |||
| encryption | IV | |||||
| RSA Key Transport | User | RSA Key Transport | Key padding / Key transport | RSA PKCS1v1.5 | ||
| Perform symmetric | User | AES using modes using RFC | Encryption/decryption | |||
| encryption/decryption | 3686 (CTR) | |||||
| Perform authenticated symmetric encryption/decryption | User | Perform authenticated symmetric encryption/decryption | Authenticated encryption/decryption | AES using modes using RFC 4543 (GCM) and RFC 4309 (CCM) |
Table 14: Non-Approved Services The module implements the non-approved services listed in the table above.
The module does not implement external software loading.
The integrity of the module’s cryptographic boundary is verified by a hash generated by HMACSHA2-256 digest. The software integrity test is performed by VMware’s Linux Kernel Cryptographic Module. The module automatically invokes separate KATs for the HMAC and SHA2-256 algorithms then the module will invoke the HMAC-SHA2-256 integrity test preoperationally during the boot sequence.
An operator can initiate the integrity test on-demand by rebooting the OS. If an integrity test fails, the module will enter the critical error state.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The VMware’s Linux Kernel Cryptographic Module 5.0.0 comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host © 2024 Broadcom Inc.
| Storage | Description | Persistence Type | ||
|---|---|---|---|---|
| Area | ||||
| Name | ||||
| RAM | Memory | Dynamic |
device’s OS prevents unauthorized access to plaintext, private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators.
The cryptographic module is a software module and does not include physical security mechanisms. Therefore, per ISO/IEC 19790:2021 section 7.7.1, requirements for physical security are not applicable.
This section is not applicable. There are currently no approved non-invasive mitigation metrics defined at the time of writing. (Ref: ISO/IEC 19790:2012 Annex F).
Table 15: Storage Areas All SSPs are only stored in memory.
Table 16: SSP Input-Output Methods All SSPs are passed to the module via a well-defined API.
| Name | Type | Description | Strength | Generation | Use | ||||
|---|---|---|---|---|---|---|---|---|---|
| AES Key | Symmetric | AES Key | 128, 192, | Symmetric Ciphers | AES Key | Symmetric Key - CSP | |||
| 256-bit key - | Key - CSP | 256-bit key - | |||||||
| Entropy | Random Number Generation | Externally generated entropy used to seed the DRBG | Entropy - CSP | 256 bits - 256 bits | |||||
| Hash_DRBG V value | DRBG | Random Number Generation | Internal state for DRBG | 440 bits - 256 bits | Random Number Generation | ||||
| Hash_DRBG C value | Random Number Generation | Internal state for DRBG | DRBG Internal State - CSP | 440 bits - 256 bits | Random Number Generation | ||||
| HMAC_DRB G V value | DRBG | Random Number Generation | Internal state for DRBG | 256 bits - 256 bits | Random Number Generation | ||||
| HMAC_DRB G Key value | Random Number Generation | Internal state for DRBG | DRBG Internal State - CSP | 256 bits - 256 bits | Random Number Generation | ||||
| CTR_DRBG V value | DRBG | Random Number Generation | Internal state for DRBG | 128 bits - 128 bits | Random Number Generation | ||||
| CTR_DRBG Key value | Random Number Generation | Internal state for DRBG | DRBG Internal State - CSP | 128, 192, 256 bits - 128 to 256 bits | Random Number Generation | ||||
| RSA Public Key | RSA | ≥ 2048 bits - | Asymmetri | Digital Signature | Key used for RSA | ||||
| 112 to 150 | Keypair - | 112 to 150 | c Key | ||||||
| bits | PSP | bits | Generation |
| Zeroization | Description | Rationale | Operator | |
|---|---|---|---|---|
| Method | Initiation | |||
| Reboot OS | Reboot Operating System | Memory is zeroized upon reboot | Operator Initiated |
Table 17: SSP Zeroization Methods There is no mechanism within the module boundary for the persistent storage of keys and CSPs. Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can reboot the OS.
| Name | Description | Strength | Use | |||||
|---|---|---|---|---|---|---|---|---|
| RSA Private Key | Digital Signature | Key used for RSA Signature Generation | ≥ 2048 bits - 112 to 150 bits | RSA Keypair - CSP | Asymmetri c Key Generation | |||
| ECDSA Public Key | Key used | Digital Signature | P-256, P-384 - 128 or 256 bits | ECDSA Keypair - PSP | Asymmetri c Key Generation | |||
| ECDSA Private Key | Digital Signature | Key used for ECDSA Signature Generation | P-256, P-384 - 128 or 256 bits | ECDSA Keypair - CSP | Asymmetri c Key Generation | |||
| HMAC Key | Key used | ≥ 112 bits - ≥ 112 bits | HMAC Key - CSP | Message | ||||
| for HMAC | for HMAC | Authenticatio | ||||||
| Operations | Operations | n | ||||||
| AES CCM Key | Symmetric Ciphers | CCM Key | 128, 192, 256 bits - 128 to 256 bits | CCM Key - CSP | ||||
| GCM Key | 128, 192, 256 | Symmetric Ciphers | GCM Key | GCM Key - CSP | ||||
| GCM IV | Symmetric Ciphers | GCM IV | 96 bits - 96 bits | GCM IV - CSP | ||||
| AES XTS key | 128, 256-bit | Symmetric Ciphers | AES XTS Key | AES XTS Key - CSP | ||||
| AES CMAC Key | Symmetric Ciphers | AES CMAC Key | 128, 192, 256 bits - 128 to 256 bits | AES CMAC Key - CSP | ||||
| DRBG Random Number | CTR_DRBG: | Symmetric Ciphers Message Authenticatio n Asymmetric Key Generation | DRBG Random Number | DRBG Random Number - CSP | Random Number Generation |
n SHA2256,SHA2512 n n © 2024 Broadcom Inc.
| Name | Type | Description | Storage | Zeroization | Use | Input | Storage Duration | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ECDH Private Component | Key Agreement | ECDH Private Component | P-256, P-384 - 128 or 256 bits | ECDH Private Componen t - CSP | Key Agreement | ||||||
| ECDH public component | ECDH | ECDH | Key Agreement | ECDH public component | P-256, P-384 - 128 or 256 bits | Key Agreement | |||||
| public | public | public | |||||||||
| component | component | component | |||||||||
| AES Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | Until Reboot | ||||||
| Entropy | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| Hash_DRBG V value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| Hash_DRBG C value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| HMAC_DRBG V value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| HMAC_DRBG Key value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| CTR_DRBG V value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| CTR_DRBG Key value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| RSA Public Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| RSA Private Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| ECDSA Public Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| ECDSA Private Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| HMAC Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| AES CCM Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| GCM Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| GCM IV | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| AES XTS key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| AES CMAC Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot |
| Name | Type | Description | Storage | Zeroization | Use | Input | Storage Duration | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ECDH Private Component | Key Agreement | ECDH Private Component | P-256, P-384 - 128 or 256 bits | ECDH Private Componen t - CSP | Key Agreement | ||||||
| ECDH public component | ECDH | ECDH | Key Agreement | ECDH public component | P-256, P-384 - 128 or 256 bits | Key Agreement | |||||
| public | public | public | |||||||||
| component | component | component | |||||||||
| AES Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | Until Reboot | ||||||
| Entropy | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| Hash_DRBG V value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| Hash_DRBG C value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| HMAC_DRBG V value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| HMAC_DRBG Key value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| CTR_DRBG V value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| CTR_DRBG Key value | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| RSA Public Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| RSA Private Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| ECDSA Public Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| ECDSA Private Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| HMAC Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| AES CCM Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| GCM Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| GCM IV | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| AES XTS key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | |||||||
| AES CMAC Key | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot |
n Table 18: SSP Table 1 © 2024 Broadcom Inc.
| Name | Storage | Zeroization | Input | Storage Duration | ||
|---|---|---|---|---|---|---|
| DRBG Random Number | RAM:Plaintext | Reboot OS | External to RAM | Until Reboot | Until Reboot | |
| ECDH Private Component | RAM:Plaintext | Reboot OS | External to RAM RAM to External | Until Reboot | ||
| ECDH public component | RAM:Plaintext | Reboot OS | External to RAM | Until Reboot |
| Name | Algorithm Or Test | Test Method | Test Type | Details | |
|---|---|---|---|---|---|
| HMAC-SHA2-256 | HMAC-SHA2-256 | HMAC-SHA2- | Software Integrity | Status | SW/FW |
| (A4971) | (A4971) | 256 | Test | Output | Integrity |
Table 19: SSP Table 2 The module manages the SSPs, and keys listed in the table above.
The Module performs both pre-operational and conditional self-tests. Once invoked, the Module will not perform functions or services until the self-test(s) has been completed. The following sections list the self-tests performed by the Module, their expected error status, and any error resolutions.
Table 20: Pre-Operational Self-Tests If any of the pre-operational self-tests fail, the module enters the critical error state, and an error message is logged. In this state, cryptographic operations are halted, and the module inhibits all data output from the module as the API interface is disabled. In order to attempt to exit the error state, the module must be restarted by rebooting the OS. If the error persists, the module must be reinitialized. Pre-operational self-tests are automatically performed by the module at module initialization or when the module powers on. The list of pre-operational self-tests that follows may also be run on-demand when the CO reboots the Operating System. The Module performs the required HMAC and SHS Cryptographic Algorithm Self-Tests (CASTs) that are required for the subsequent software integrity tests. During the execution of self-tests, cryptographic functions and data output from the module are inhibited. The VMware’s Linux Kernel Cryptographic Module performs a software integrity check (HMAC with SHA2-256 Integrity Test) preoperationally.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator | Conditions | Module Initialization | |
|---|---|---|---|---|---|---|---|---|---|
| ECDSA | ECDSA | PCT | PCT | Key Generation / Key Verification | P-256, P-384 | Status Output | After key pair generation | ||
| generate, and | generate, and | generate, and | |||||||
| reseed | reseed | reseed |
AES-CBCCS3 AESCFB128 © 2024 Broadcom Inc.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Test Properties | Indicator | Conditions | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| KAS-ECC- SSC Sp800- 56Ar3 (A4971) | Shared Secret Computation | KAS-ECC- SSC Sp800- 56Ar3 (A4971) | P-256, P-384 | KAT | CAST | Status Output | Module Initialization | ||||||
| KAS-ECC- | KAS-ECC- | Shared Secret Computation | P-256, P-384 | PCT | PCT | Status Output | After Key pair generation | ||||||
| RSA SigGen (FIPS186-4) (A4971) | Signature Generation | RSA SigGen (FIPS186-4) (A4971) | PKCS1v1.5 Mod (2048, 3072, 4096) Hash (SHA2-224, SHA2-256, SHA2- 384, SHA2-512) | KAT | CAST | Status Output | Module Initialization | ||||||
| RSA SigVer (FIPS186-4) (A4971) | Signature Verification | RSA SigVer (FIPS186-4) (A4971) | KAT | CAST | Status Output | Module Initialization | PKCS1v1.5 Mod | ||||||
| SHS | Message Digest | SHS | SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 SHA3-224, SHA3- 256, SHA3-384, SHA3-512 | KAT | CAST | Status Output | Module Initialization | ||||||
| SP800- | SP800- | Message Digest | DRBG health tests | CAST | Status Output | Continuously while the Module is loaded | Hash_DRBG, | ||||||
| 90Ar1 | 90Ar1 | HMAC_DRBG and | |||||||||||
| Continual | Continual | CTR_DRBG SP | |||||||||||
| Health | Health | 800-90Ar1 Health | |||||||||||
| Tests | Tests | Tests | |||||||||||
| HMAC-SHA2-256 | HMAC-SHA2-256 | Software Integrity | SW/FW Integrity | User initiated | On demand self- | ||||||||
| (A4971) | (A4971) | Test | module reboot | test service |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Test Properties | Indicator | Conditions | Test Method | Period | Periodic Method | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| KAS-ECC- SSC Sp800- 56Ar3 (A4971) | Shared Secret Computation | KAS-ECC- SSC Sp800- 56Ar3 (A4971) | P-256, P-384 | KAT | CAST | Status Output | Module Initialization | |||||||||
| KAS-ECC- | KAS-ECC- | Shared Secret Computation | P-256, P-384 | PCT | PCT | Status Output | After Key pair generation | |||||||||
| RSA SigGen (FIPS186-4) (A4971) | Signature Generation | RSA SigGen (FIPS186-4) (A4971) | PKCS1v1.5 Mod (2048, 3072, 4096) Hash (SHA2-224, SHA2-256, SHA2- 384, SHA2-512) | KAT | CAST | Status Output | Module Initialization | |||||||||
| RSA SigVer (FIPS186-4) (A4971) | Signature Verification | RSA SigVer (FIPS186-4) (A4971) | KAT | CAST | Status Output | Module Initialization | PKCS1v1.5 Mod | |||||||||
| SHS | Message Digest | SHS | SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 SHA3-224, SHA3- 256, SHA3-384, SHA3-512 | KAT | CAST | Status Output | Module Initialization | |||||||||
| SP800- | SP800- | Message Digest | DRBG health tests | CAST | Status Output | Continuously while the Module is loaded | Hash_DRBG, | |||||||||
| 90Ar1 | 90Ar1 | HMAC_DRBG and | ||||||||||||||
| Continual | Continual | CTR_DRBG SP | ||||||||||||||
| Health | Health | 800-90Ar1 Health | ||||||||||||||
| Tests | Tests | Tests | ||||||||||||||
| HMAC-SHA2-256 | HMAC-SHA2-256 | Software Integrity | SW/FW Integrity | User initiated | On demand self- | |||||||||||
| (A4971) | (A4971) | Test | module reboot | test service | ||||||||||||
| AES-CBC | KAT | CAST | User initiated | On demand self- | AES-CBC | |||||||||||
| (A4971) | module reboot | test service | (A4971) | |||||||||||||
| AES-CBC-CS3 (A4971) | AES-CBC-CS3 (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| AES-CCM | KAT | CAST | User initiated | On demand self- | AES-CCM | |||||||||||
| (A4971) | module reboot | test service | (A4971) | |||||||||||||
| AES-CFB128 (A4971) | AES-CFB128 (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| AES-CTR (A4971) | AES-CTR (A4971) | KAT | CAST | User initiated | On demand self- | |||||||||||
| module reboot | module reboot | test service | ||||||||||||||
| AES-ECB (A4971) | AES-ECB (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| AES-GCM | KAT | CAST | User initiated | On demand self- | AES-GCM | |||||||||||
| (A4972) | module reboot | test service | (A4972) | |||||||||||||
| AES-GCM (A4971) | AES-GCM (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| AES-CMAC | KAT | CAST | User initiated | On demand self- | AES-CMAC | |||||||||||
| (A4971) | module reboot | test service | (A4971) | |||||||||||||
| AES-XTS Testing Revision 2.0 (A4971) | AES-XTS Testing Revision 2.0 (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| AES-CMAC | KAT | CAST | User initiated | On demand self- | AES-CMAC | |||||||||||
| (A4971) | module reboot | test service | (A4971) | |||||||||||||
| Counter DRBG (A4971) | Counter DRBG (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| ECDSA KeyGen (FIPS186-4) (A4971) | ECDSA KeyGen (FIPS186-4) (A4971) | PCT | PCT | After key pair | After key pair generation | |||||||||||
| ECDSA SigVer (FIPS186-4) (A4971) | ECDSA SigVer (FIPS186-4) (A4971) | KAT | CAST | After Signature Verification | After Signature Verification/ On demand self-test service | |||||||||||
| Hash DRBG | KAT | CAST | User initiated | On demand self- | Hash DRBG | |||||||||||
| (A4971) | module reboot | test service | (A4971) | |||||||||||||
| HMAC DRBG (A4971) | HMAC DRBG (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| HMAC | HMAC | KAT | CAST | User initiated | On demand self- | |||||||||||
| module reboot | module reboot | test service | ||||||||||||||
| KAS-ECC-SSC Sp800-56Ar3 (A4971) | KAS-ECC-SSC Sp800-56Ar3 (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service | |||||||||||
| KAS-ECC-SSC Sp800-56Ar3 (A4971) | KAS-ECC-SSC Sp800-56Ar3 (A4971) | PCT | PCT | After Key pair | After Key pair generation | |||||||||||
| RSA SigGen (FIPS186-4) (A4971) | RSA SigGen (FIPS186-4) (A4971) | KAT | CAST | User initiated module reboot | On demand self- test service |
KAS-ECCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 SP800Hash_DRBG, Table 21: Conditional Self-Tests Conditional self-tests are performed by the Module during operation when specific conditions occur. The Module performs the conditional self-tests listed in the table above. Table 22: Pre-Operational Periodic Information © 2024 Broadcom Inc.
| Name | Algorithm Or Test | |
|---|---|---|
| Continual Health | Continual Health | while the Module |
| Tests | Tests | is loaded |
| Name | Indicator | ||||
|---|---|---|---|---|---|
| Critical Error | Reboot OS | Critical Error | The module's error state. | Any Self-test failure | Status Return Code |
Table 23: Conditional Periodic Information Periodic Self-Tests can be executed by rebooting the OS.
Table 24: Error States If any of the power-up self-tests fail, the module enters the critical error state, and an error message is logged. In this state, cryptographic operations are halted, and the module inhibits all data output from the module as the API interface is disabled. In order to attempt to exit the error state, the module must be restarted by rebooting OS. If the error persists, the module must be reinitialized.
Operator initiated Self-Tests can be executed by rebooting the OS.
Prior to the secure installation of Photon OS, the CO shall prepare the virtual environment required to securely operate it. This includes installing VMware vSphere Hypervisor (ESXi) 8.0 (see vSphere Installation and Setup). Both virtual environments require the Dell PowerEdge R650 server to run the installation. The tar archive containing VMware's Linux Kernel Cryptographic Module prior to build time, contains the HMAC-SHA2-256 digest:
The cryptographic functionality of VMware’s Linux Kernel Cryptographic Module comes installed with Photon OS and cannot be “unloaded”. To run Photon OS kernel in an Approved mode, the Crypto Officer shall perform following actions using root access on kernel command line interface:
Installation and operation of the VMware’s Linux Kernel Cryptographic Module requires the proper installation of Photon OS. There are no additional steps that must be performed to use the module correctly. There are no known CVEs with this module. The CO should ensure that the operating environment is patched and updated in a timely fashion to reduce exposure to security vulnerabilities.
There is no additional guidance for non-administrators.
This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. © 2024 Broadcom Inc.