All modules
CMVP Validated Module · FIPS 140-3 Security Policy

VMware’s VPN Crypto Module

Certificate#4881StandardFIPS 140-3Level1TypeFirmwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorBroadcom Inc.
High review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeFirmware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/14/2026
CaveatInterim validation
VendorBroadcom Inc.

Approved Algorithms (17)

AlgorithmACVP Cert
AES-CBCA4384
AES-CCMA4384
AES-CMACA4384
AES-GCMA4384
AES-GMACA4384
HMAC-SHA-1A4384
HMAC-SHA2-224A4384
HMAC-SHA2-256A4384
HMAC-SHA2-256A4385
HMAC-SHA2-384A4384
HMAC-SHA2-512A4384
SHA-1A4384
SHA2-224A4384
SHA2-256A4384
SHA2-256A4385
SHA2-384A4384
SHA2-512A4384

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for VMware’s VPN Crypto Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>self-test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for VMware’s VPN Crypto Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>self-test<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

VMware’s VPN Crypto Module Firmware version: 21.11 Document version: 2.3

Page 2

VMware’s VPN Crypto Module Security Policy Document Contents Security Levels 4 Overall security design and the rules of operation 7 Pre-Operational Self-Tests 12 Conditional Cryptographic Algorithm Tests 12 Distribution and Installation 13 Configuration 13 Initialization and Setup 13 Verification of the Module 13 Crypto Officer Guidance 13 Destruction and Zeroization 14 © 2024 Broadcom Inc.

Page 3

VMware’s VPN Crypto Module Security Policy Document List of tables List of figures © 2024 Broadcom Inc.

Page 4

VMware’s VPN Crypto Module Security Policy Document 1. General This is a non-proprietary Cryptographic Module Security Policy for VMware's VPN Cryptographic Module from Broadcom Inc. This Security Policy describes how VMware's VPN Cryptographic Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE), Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program. This document has been written for the following audiences:

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 1

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security 1

8 Non-invasive Security N/A

9 Sensitive Security Parameters 1

Page 5

VMware’s VPN Crypto Module Security Policy Document

10 Self-Tests 1

11 Life-Cycle Assurance 1

12 Mitigation of Other Attacks N/A

Overall Module validation level 1

  1. Cryptographic Module Specification VMware's VPN Crypto Module is a firmware cryptographic module whose purpose is to provide FIPS 140-3 validated cryptographic functions to various applications utilizing VPN capabilities. The module was tested and found to be compliant with FIPS 140-3 security level 1 requirements on the operational environments (OE) listed in Table
  2. Table 2 - Tested Operational Environments # Operating System Hardware Platform Processor PAA/Acceleration

1 Ubuntu 20.04 running on ESXi 8.0 Dell PowerEdge R650 Intel(R) Xeon(R) Gold 6330 Yes

2 Ubuntu 20.04 running on ESXi 8.0 Dell PowerEdge R650 Intel(R) Xeon(R) Gold 6330 No

Validation certificates for each Approved security function are listed in Table 3. Table 3 - Approved Algorithms CAVP Cert Algorithm and Mode/Method Description/Key Use / Function Standard Size/Strengths A4384 AES (FIPS PUB 197) CBC Key Size: 128, 192, 256 Symmetric key operation bits A4384 AES (SP800-38B) CMAC Key Size: 128 bits Symmetric key operation A4384 AES (SP800-38C) CCM Key Size: 128 bits Symmetric key operation A4384 AES (SP800-38D) GCM, GMAC Key Size: 128,192,256 bits Symmetric key operation A4385 HMAC (FIPS PUB 198-1) SHA2-256 Strength:256 bits Integrity test © 2024 Broadcom Inc.

Page 6

VMware’s VPN Crypto Module Security Policy Document A4384 HMAC (FIPS PUB 198-1) HMAC-SHA-1, HMAC-SHA2- Strength:128 to 256 bits Authentication, Integrity 224, HMAC-SHA2-256, checks HMAC-SHA2-384, HMACSHA2-512 A4384 SHS (FIPS 180-4) SHA-1, SHA2-224, SHA2-256, N/A Hashing SHA2-384, SHA2-512 A4385 SHS (FIPS 180-4) SHA2-256 N/A Hashing The module does not use any allowed or non-approved algorithms and operates only in the Approved mode of operation. Figure 1

Page 7

VMware’s VPN Crypto Module Security Policy Document Overall security design and the rules of operation When the operating system boots, the module is initialized by calling librte_crypto_post, which runs the firmware integrity test and the KATs. Once librte_crypto_post finishes the POST tests the module is loaded as a device driver in the operating system. Calling applications can access the application once it is loaded as a device driver.

  1. Cryptographic Module Interfaces Table 4 - Ports and Interfaces Physical Port Logical Interface Data that Passes over port/interface Host computer Network Port, USB Data Input The module accepts data input through the input port, serial port arguments of the API functions. Host computer Network Port, USB Data Output The module produces data output through the port, serial port parameters of the API functions. Host computer Network Port, USB Control Input The module accepts control input through the input port, serial port, Power button arguments of the API functions used to control the module. Host computer Network Port, USB Status Output The module produces status output through the port, serial port, LED status light return values for function calls and error messages. Host computer Power Port Power interface N/A The module does not implement a control output interface.
  2. Roles, Services, and Authentication Table 5 – Roles, Services and Command Input and Output Role Services Input Output Crypto Officer Initialization of the module None None Crypto Officer Run self-tests The self-tests may be run on demand Results of each self-test by rebooting the OS or cycling host power. © 2024 Broadcom Inc.
Page 8

VMware’s VPN Crypto Module Security Policy Document Crypto Officer Show version API command The module version will be output to the log (“DPDK v21.11.2") Crypto Officer Encryption Key and plaintext input via API Encrypted data Crypto Officer Decryption Key and ciphertext input via API Plaintext data Crypto Officer Hashing Data input via API Hash of the input data Crypto Officer Message Authentication Code (MAC) Key input via API MAC of the input data Data input via API Generation Crypto Officer Zeroize None None Crypto Officer Show Status None Success: “Finished Self-test successfully” Error State: “Failed dpdk_init” The module is a Level 1 firmware module and does not implement any authentication. The calling application implicitly assumes the Crypto Officer role when accessing the module. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroizes the SSP. Table 6

Page 9

VMware’s VPN Crypto Module Security Policy Document Run self-tests The self-tests - - - The self-test results are output may be run on in the log demand by rebooting the OS or cycling host power. Show version Show the - - - The module name and version module name are output in the log and version Show Status Show the - - - In log messages: module is Success: “Finished Self-test either successfully” operational or Error State: “Failed dpdk_init” in an error state Zeroization Zeroize - All SSPs All SSPs: Z The module reboot and startup unprotected will be shown in the log. SSPs and key components Encryption Encrypt AES modes: AES keys All SSPs: WE Return values indicate success. and IVs: plaintext using CBC, CCM, 128-bit, Null values or void pointers supplied key CMAC, 192-bit, together with error logs 256-bit and algorithm GCM/GMAC indicate failures. specification Decryption Decrypt AES modes: AES keys All SSPs: WE Return values indicate success. and IVs: ciphertext CBC, CCM, 128-bit, Null values or void pointers using supplied CMAC, 192-bit, together with error logs 256-bit key and GCM/GMAC indicate failures. algorithm specification © 2024 Broadcom Inc.

Page 10

VMware’s VPN Crypto Module Security Policy Document Hashing Compute and SHA-1, SHA2- N/A N/A Return values indicate success. return a 224, SHA2-256, Null values or void pointers message digest SHA2-384, together with error logs using SHA SHA2-512 indicate failures. algorithm Message Compute and HMAC-SHA-1, HMAC All SSPs: WE Return values indicate success. Authentication return a HMAC-SHA2- key, 128 Null values or void pointers Code (MAC) hashed 224, HMAC- to 256- together with error logs Generation message SHA2-256, bits indicate failures. authentication HMAC-SHA2code 384, HMACSHA2-512 There are no non-approved services for the Crypto Officer.

  1. Software/Firmware Security For the purposes of a FIPS 140-3 level 1 validation, the cryptographic module is a set of files, listed here: • librte_crypto_post.so.22.0 • librte_cryptodev.so.22.0 • libipsec_MB.so.1.3.0 • librte_crypto_ipsec_mb.so.22.0 The object code in the object module file is incorporated into the runtime executable application at the time the binary executable is generated. The module performs no communications other than with the consuming host application (the process that invokes the module services via the module’s API), which can be considered as the host for the module. The module runs a HMAC SHA2-256 integrity verification during initialization by the host application. The module also runs the self-test for HMAC SHA2-256 prior to running the integrity test. The temporary values generated during the integrity test of the module are zeroized upon the completion of the integrity test. The CO can reboot the OS or cycle host power to run the integrity test on demand.
  2. Operational Environment The operational environment is non-modifiable. The control plane Operating System (OS) is Linux, a multi-threaded operating system that supports memory protection between processes. Access to the underlying Linux implementation is not provided directly. © 2024 Broadcom Inc.
Page 11

VMware’s VPN Crypto Module Security Policy Document

  1. Physical Security The module is a firmware module with a multi-chip standalone cryptographic embodiment. The module's host platform provides production-grade components and chassis using standard passivation.
  2. Non-invasive Security The module does not implement any non-invasive security measures, so this section is not applicable.
  3. Sensitive Security Parameter Management Table 7 – Sensitive Security Parameters SSPs Mode and Generation Import/ Establishment Storage Zeroisation Use and Strength Export Related Keys AES Key 128, 192, N/A, the key is Imported N/A Random Reboot OS; Encryption, only. 256-bit keys imported. Access Cycle host The key is Decryption Memory power not (RAM) in exported plaintext from the module. AES 128, 192, N/A, the key is Imported N/A Random Reboot OS; Encryption, only. GCM/GMAC 256-bit keys imported. The key is Access Cycle host Key not Memory power Decryption exported (RAM) in from the module. plaintext AES 96-bit IV N/A, the key is Imported N/A Random Reboot OS; Encryption, GCM/GMAC imported. only. Access Cycle host IV The key is Memory power Decryption not (RAM) in exported from the plaintext module. AES CCM 128-bit key N/A, the key is Imported N/A Random Reboot OS; Encryption, Key imported. only. Access Cycle host The key is Memory power Decryption not (RAM) in exported from the plaintext module. © 2024 Broadcom Inc.
Page 12

VMware’s VPN Crypto Module Security Policy Document AES CMAC 128-bit key N/A, the key is Imported N/A Random Reboot OS; Authenticat key imported. only. Access Cycle host ion The key is Memory power not (RAM) in exported plaintext from the module. HMAC Key 128-256 bits N/A, the key is Imported N/A RAM in Reboot OS; Message only. imported. plaintext Cycle host Authenticat The key is power ion not exported from the module. Firmware 256-bit key N/A Does not N/A Hardcoded No zeroization Verifies Integrity Key enter or exit in the integrity of

Page 13

VMware’s VPN Crypto Module Security Policy Document

Page 14

VMware’s VPN Crypto Module Security Policy Document Destruction and Zeroization The module will remain installed for the lifetime of the operating system. When the operating system is removed, the module will be erased. Any SSPs in the module will be erased at that time. 12. Mitigation of other attacks The module does not implement mitigation of other attacks. © 2024 Broadcom Inc.

Page 15

VMware’s VPN Crypto Module Security Policy Document Acronyms Table 8 - Acronyms AES Advanced Encryption Standard API Application Program Interface CAST Cryptographic Algorithm Self-Test CBC Cipher Block Chaining CFB Cipher Feedback CO Crypto-Officer CSP Critical Security Parameter CTR Counter CVL Component Validation List DRBG Deterministic Random Bit Generation FIPS Federal Information Processing Standard HMAC (Keyed-)Hash Messages Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Standards and Technology OE Operational Environment OS Operation System POST Power-On Self-Test SHA Secure hash Standard SSP Sensitive Security Parameter SP Special Publication © 2024 Broadcom Inc.

Page 16

VMware’s VPN Crypto Module Security Policy Document © 2024 Broadcom Inc.