| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Firmware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/14/2026 |
| Caveat | Interim validation |
| Vendor | Broadcom Inc. |
flowchart LR
%% Deterministic review-risk graph for VMware’s VPN Crypto Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>self-test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for VMware’s VPN Crypto Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>self-test<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3,C5,C6 clueLow;VMware’s VPN Crypto Module Firmware version: 21.11 Document version: 2.3
VMware’s VPN Crypto Module Security Policy Document Contents Security Levels 4 Overall security design and the rules of operation 7 Pre-Operational Self-Tests 12 Conditional Cryptographic Algorithm Tests 12 Distribution and Installation 13 Configuration 13 Initialization and Setup 13 Verification of the Module 13 Crypto Officer Guidance 13 Destruction and Zeroization 14 © 2024 Broadcom Inc.
VMware’s VPN Crypto Module Security Policy Document List of tables List of figures © 2024 Broadcom Inc.
VMware’s VPN Crypto Module Security Policy Document 1. General This is a non-proprietary Cryptographic Module Security Policy for VMware's VPN Cryptographic Module from Broadcom Inc. This Security Policy describes how VMware's VPN Cryptographic Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE), Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program. This document has been written for the following audiences:
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security 1
8 Non-invasive Security N/A
9 Sensitive Security Parameters 1
VMware’s VPN Crypto Module Security Policy Document
10 Self-Tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A
Overall Module validation level 1
1 Ubuntu 20.04 running on ESXi 8.0 Dell PowerEdge R650 Intel(R) Xeon(R) Gold 6330 Yes
2 Ubuntu 20.04 running on ESXi 8.0 Dell PowerEdge R650 Intel(R) Xeon(R) Gold 6330 No
Validation certificates for each Approved security function are listed in Table 3. Table 3 - Approved Algorithms CAVP Cert Algorithm and Mode/Method Description/Key Use / Function Standard Size/Strengths A4384 AES (FIPS PUB 197) CBC Key Size: 128, 192, 256 Symmetric key operation bits A4384 AES (SP800-38B) CMAC Key Size: 128 bits Symmetric key operation A4384 AES (SP800-38C) CCM Key Size: 128 bits Symmetric key operation A4384 AES (SP800-38D) GCM, GMAC Key Size: 128,192,256 bits Symmetric key operation A4385 HMAC (FIPS PUB 198-1) SHA2-256 Strength:256 bits Integrity test © 2024 Broadcom Inc.
VMware’s VPN Crypto Module Security Policy Document A4384 HMAC (FIPS PUB 198-1) HMAC-SHA-1, HMAC-SHA2- Strength:128 to 256 bits Authentication, Integrity 224, HMAC-SHA2-256, checks HMAC-SHA2-384, HMACSHA2-512 A4384 SHS (FIPS 180-4) SHA-1, SHA2-224, SHA2-256, N/A Hashing SHA2-384, SHA2-512 A4385 SHS (FIPS 180-4) SHA2-256 N/A Hashing The module does not use any allowed or non-approved algorithms and operates only in the Approved mode of operation. Figure 1
VMware’s VPN Crypto Module Security Policy Document Overall security design and the rules of operation When the operating system boots, the module is initialized by calling librte_crypto_post, which runs the firmware integrity test and the KATs. Once librte_crypto_post finishes the POST tests the module is loaded as a device driver in the operating system. Calling applications can access the application once it is loaded as a device driver.
VMware’s VPN Crypto Module Security Policy Document Crypto Officer Show version API command The module version will be output to the log (“DPDK v21.11.2") Crypto Officer Encryption Key and plaintext input via API Encrypted data Crypto Officer Decryption Key and ciphertext input via API Plaintext data Crypto Officer Hashing Data input via API Hash of the input data Crypto Officer Message Authentication Code (MAC) Key input via API MAC of the input data Data input via API Generation Crypto Officer Zeroize None None Crypto Officer Show Status None Success: “Finished Self-test successfully” Error State: “Failed dpdk_init” The module is a Level 1 firmware module and does not implement any authentication. The calling application implicitly assumes the Crypto Officer role when accessing the module. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroizes the SSP. Table 6
VMware’s VPN Crypto Module Security Policy Document Run self-tests The self-tests - - - The self-test results are output may be run on in the log demand by rebooting the OS or cycling host power. Show version Show the - - - The module name and version module name are output in the log and version Show Status Show the - - - In log messages: module is Success: “Finished Self-test either successfully” operational or Error State: “Failed dpdk_init” in an error state Zeroization Zeroize - All SSPs All SSPs: Z The module reboot and startup unprotected will be shown in the log. SSPs and key components Encryption Encrypt AES modes: AES keys All SSPs: WE Return values indicate success. and IVs: plaintext using CBC, CCM, 128-bit, Null values or void pointers supplied key CMAC, 192-bit, together with error logs 256-bit and algorithm GCM/GMAC indicate failures. specification Decryption Decrypt AES modes: AES keys All SSPs: WE Return values indicate success. and IVs: ciphertext CBC, CCM, 128-bit, Null values or void pointers using supplied CMAC, 192-bit, together with error logs 256-bit key and GCM/GMAC indicate failures. algorithm specification © 2024 Broadcom Inc.
VMware’s VPN Crypto Module Security Policy Document Hashing Compute and SHA-1, SHA2- N/A N/A Return values indicate success. return a 224, SHA2-256, Null values or void pointers message digest SHA2-384, together with error logs using SHA SHA2-512 indicate failures. algorithm Message Compute and HMAC-SHA-1, HMAC All SSPs: WE Return values indicate success. Authentication return a HMAC-SHA2- key, 128 Null values or void pointers Code (MAC) hashed 224, HMAC- to 256- together with error logs Generation message SHA2-256, bits indicate failures. authentication HMAC-SHA2code 384, HMACSHA2-512 There are no non-approved services for the Crypto Officer.
VMware’s VPN Crypto Module Security Policy Document
VMware’s VPN Crypto Module Security Policy Document AES CMAC 128-bit key N/A, the key is Imported N/A Random Reboot OS; Authenticat key imported. only. Access Cycle host ion The key is Memory power not (RAM) in exported plaintext from the module. HMAC Key 128-256 bits N/A, the key is Imported N/A RAM in Reboot OS; Message only. imported. plaintext Cycle host Authenticat The key is power ion not exported from the module. Firmware 256-bit key N/A Does not N/A Hardcoded No zeroization Verifies Integrity Key enter or exit in the integrity of
VMware’s VPN Crypto Module Security Policy Document
VMware’s VPN Crypto Module Security Policy Document Destruction and Zeroization The module will remain installed for the lifetime of the operating system. When the operating system is removed, the module will be erased. Any SSPs in the module will be erased at that time. 12. Mitigation of other attacks The module does not implement mitigation of other attacks. © 2024 Broadcom Inc.
VMware’s VPN Crypto Module Security Policy Document Acronyms Table 8 - Acronyms AES Advanced Encryption Standard API Application Program Interface CAST Cryptographic Algorithm Self-Test CBC Cipher Block Chaining CFB Cipher Feedback CO Crypto-Officer CSP Critical Security Parameter CTR Counter CVL Component Validation List DRBG Deterministic Random Bit Generation FIPS Federal Information Processing Standard HMAC (Keyed-)Hash Messages Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Standards and Technology OE Operational Environment OS Operation System POST Power-On Self-Test SHA Secure hash Standard SSP Sensitive Security Parameter SP Special Publication © 2024 Broadcom Inc.
VMware’s VPN Crypto Module Security Policy Document © 2024 Broadcom Inc.