All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module

Certificate#4894StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCanonical Ltd.
High review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 9165 CVEs since this module's initial validation  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/20/2029
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.1 of the Security Policy.
VendorCanonical Ltd.

Approved Algorithms (482)

AlgorithmACVP Cert
AES-CBCA3814
AES-CBCA3814
AES-CBCA3822
AES-CBCA3822
AES-CBCA3829
AES-CBCA3829
AES-CBCA3832
AES-CBCA3832
AES-CBCA3840
AES-CBCA3840
AES-CBCA3843
AES-CBCA3843
AES-CBCA3853
AES-CBCA3853
AES-CBCA3854
AES-CBCA3854
AES-CBCA3857
AES-CBCA3857
AES-CBC-CS3A3819
AES-CBC-CS3A3828
AES-CBC-CS3A3838
AES-CBC-CS3A3849
AES-CBC-CS3A3853
AES-CBC-CS3A3854
AES-CCMA3814
AES-CCMA3822
AES-CCMA3829
AES-CCMA3832
AES-CCMA3843
AES-CCMA3853
AES-CCMA3854
AES-CFB128A3817
AES-CFB128A3826
AES-CFB128A3836
AES-CFB128A3847
AES-CFB128A3854
AES-CMACA3814
AES-CMACA3822
AES-CMACA3829
AES-CMACA3832
AES-CMACA3843
AES-CMACA3853
AES-CMACA3854
AES-CTRA3814
AES-CTRA3814
AES-CTRA3822
AES-CTRA3822
AES-CTRA3829
AES-CTRA3829
AES-CTRA3832
AES-CTRA3832
AES-CTRA3840
AES-CTRA3840
AES-CTRA3843
AES-CTRA3843
AES-CTRA3853
AES-CTRA3853
AES-CTRA3854
AES-CTRA3854
AES-CTRA3857
AES-CTRA3857
AES-ECBA3812
AES-ECBA3813
AES-ECBA3814
AES-ECBA3820
AES-ECBA3821
AES-ECBA3822
AES-ECBA3824
AES-ECBA3825
AES-ECBA3829
AES-ECBA3830
AES-ECBA3831
AES-ECBA3832
AES-ECBA3833
AES-ECBA3834
AES-ECBA3840
AES-ECBA3841
AES-ECBA3842
AES-ECBA3843
AES-ECBA3844
AES-ECBA3845
AES-ECBA3853
AES-ECBA3854
AES-ECBA3855
AES-ECBA3856
AES-ECBA3857
AES-GCMA3814
AES-GCMA3814
AES-GCMA3820
AES-GCMA3820
AES-GCMA3821
AES-GCMA3821
AES-GCMA3822
AES-GCMA3822
AES-GCMA3824
AES-GCMA3824
AES-GCMA3825
AES-GCMA3825
AES-GCMA3829
AES-GCMA3829
AES-GCMA3830
AES-GCMA3830
AES-GCMA3831
AES-GCMA3831
AES-GCMA3832
AES-GCMA3832
AES-GCMA3833
AES-GCMA3833
AES-GCMA3834
AES-GCMA3834
AES-GCMA3840
AES-GCMA3840
AES-GCMA3841
AES-GCMA3841
AES-GCMA3842
AES-GCMA3842
AES-GCMA3843
AES-GCMA3843
AES-GCMA3844
AES-GCMA3844
AES-GCMA3845
AES-GCMA3845
AES-GCMA3854
AES-GCMA3854
AES-GCMA3855
AES-GCMA3855
AES-GCMA3856
AES-GCMA3856
AES-GMACA3814
AES-GMACA3822
AES-GMACA3829
AES-GMACA3832
AES-GMACA3843
AES-GMACA3854
AES-KWA3815
AES-KWA3823
AES-KWA3835
AES-KWA3846
AES-KWA3854
AES-OFBA3818
AES-OFBA3827
AES-OFBA3837
AES-OFBA3848
AES-OFBA3854
AES-XTS Testing Revision 2.0A3814
AES-XTS Testing Revision 2.0A3822
AES-XTS Testing Revision 2.0A3829
AES-XTS Testing Revision 2.0A3832
AES-XTS Testing Revision 2.0A3840
AES-XTS Testing Revision 2.0A3843
AES-XTS Testing Revision 2.0A3853
AES-XTS Testing Revision 2.0A3854
AES-XTS Testing Revision 2.0A3857
Counter DRBGA3812
Counter DRBGA3813
Counter DRBGA3814
Counter DRBGA3820
Counter DRBGA3821
Counter DRBGA3822
Counter DRBGA3824
Counter DRBGA3825
Counter DRBGA3829
Counter DRBGA3830
Counter DRBGA3831
Counter DRBGA3832
Counter DRBGA3833
Counter DRBGA3834
Counter DRBGA3840
Counter DRBGA3841
Counter DRBGA3842
Counter DRBGA3843
Counter DRBGA3844
Counter DRBGA3845
Counter DRBGA3854
Counter DRBGA3855
Counter DRBGA3856
ECDSA KeyGen (FIPS186-4)A3813
Hash DRBGA3812
Hash DRBGA3813
Hash DRBGA3814
Hash DRBGA3820
Hash DRBGA3821
Hash DRBGA3822
Hash DRBGA3824
Hash DRBGA3825
Hash DRBGA3830
Hash DRBGA3831
Hash DRBGA3832
Hash DRBGA3833
Hash DRBGA3834
Hash DRBGA3840
Hash DRBGA3841
Hash DRBGA3842
Hash DRBGA3843
Hash DRBGA3844
Hash DRBGA3845
Hash DRBGA3850
Hash DRBGA3851
Hash DRBGA3852
Hash DRBGA3855
Hash DRBGA3856
HMAC DRBGA3812
HMAC DRBGA3813
HMAC DRBGA3814
HMAC DRBGA3820
HMAC DRBGA3821
HMAC DRBGA3822
HMAC DRBGA3824
HMAC DRBGA3825
HMAC DRBGA3830
HMAC DRBGA3831
HMAC DRBGA3832
HMAC DRBGA3833
HMAC DRBGA3834
HMAC DRBGA3840
HMAC DRBGA3841
HMAC DRBGA3842
HMAC DRBGA3843
HMAC DRBGA3844
HMAC DRBGA3845
HMAC DRBGA3850
HMAC DRBGA3851
HMAC DRBGA3852
HMAC DRBGA3855
HMAC DRBGA3856
HMAC-SHA-1A3812
HMAC-SHA-1A3812
HMAC-SHA-1A3813
HMAC-SHA-1A3813
HMAC-SHA-1A3814
HMAC-SHA-1A3814
HMAC-SHA-1A3832
HMAC-SHA-1A3832
HMAC-SHA-1A3850
HMAC-SHA-1A3850
HMAC-SHA-1A3851
HMAC-SHA-1A3851
HMAC-SHA-1A3852
HMAC-SHA-1A3852
HMAC-SHA-1A3853
HMAC-SHA-1A3853
HMAC-SHA2-224A3812
HMAC-SHA2-224A3813
HMAC-SHA2-224A3814
HMAC-SHA2-224A3832
HMAC-SHA2-224A3850
HMAC-SHA2-224A3851
HMAC-SHA2-224A3852
HMAC-SHA2-224A3853
HMAC-SHA2-224A3857
HMAC-SHA2-224A3858
HMAC-SHA2-256A3812
HMAC-SHA2-256A3812
HMAC-SHA2-256A3813
HMAC-SHA2-256A3813
HMAC-SHA2-256A3814
HMAC-SHA2-256A3814
HMAC-SHA2-256A3832
HMAC-SHA2-256A3832
HMAC-SHA2-256A3850
HMAC-SHA2-256A3850
HMAC-SHA2-256A3851
HMAC-SHA2-256A3851
HMAC-SHA2-256A3852
HMAC-SHA2-256A3852
HMAC-SHA2-256A3853
HMAC-SHA2-256A3853
HMAC-SHA2-256A3857
HMAC-SHA2-256A3857
HMAC-SHA2-256A3858
HMAC-SHA2-256A3858
HMAC-SHA2-384A3812
HMAC-SHA2-384A3812
HMAC-SHA2-384A3813
HMAC-SHA2-384A3813
HMAC-SHA2-384A3814
HMAC-SHA2-384A3814
HMAC-SHA2-384A3832
HMAC-SHA2-384A3832
HMAC-SHA2-384A3850
HMAC-SHA2-384A3850
HMAC-SHA2-384A3851
HMAC-SHA2-384A3851
HMAC-SHA2-384A3852
HMAC-SHA2-384A3852
HMAC-SHA2-384A3858
HMAC-SHA2-384A3858
HMAC-SHA2-512A3812
HMAC-SHA2-512A3812
HMAC-SHA2-512A3813
HMAC-SHA2-512A3813
HMAC-SHA2-512A3814
HMAC-SHA2-512A3814
HMAC-SHA2-512A3832
HMAC-SHA2-512A3832
HMAC-SHA2-512A3850
HMAC-SHA2-512A3850
HMAC-SHA2-512A3851
HMAC-SHA2-512A3851
HMAC-SHA2-512A3852
HMAC-SHA2-512A3852
HMAC-SHA2-512A3858
HMAC-SHA2-512A3858
HMAC-SHA3-224A3816
HMAC-SHA3-224A3839
HMAC-SHA3-256A3816
HMAC-SHA3-256A3839
HMAC-SHA3-384A3816
HMAC-SHA3-384A3839
HMAC-SHA3-512A3816
HMAC-SHA3-512A3839
KAS-ECC-SSC Sp800-56Ar3A3813
KAS-FFC-SSC Sp800-56Ar3A3812
RSA SigVer (FIPS186-4)A3814
RSA SigVer (FIPS186-4)A3832
RSA SigVer (FIPS186-4)A3850
RSA SigVer (FIPS186-4)A3851
RSA SigVer (FIPS186-4)A3852
Safe Primes Key GenerationA3812
SHA-1A3812
SHA-1A3812
SHA-1A3812
SHA-1A3813
SHA-1A3813
SHA-1A3813
SHA-1A3814
SHA-1A3814
SHA-1A3814
SHA-1A3814
SHA-1A3832
SHA-1A3832
SHA-1A3832
SHA-1A3832
SHA-1A3850
SHA-1A3850
SHA-1A3850
SHA-1A3850
SHA-1A3851
SHA-1A3851
SHA-1A3851
SHA-1A3851
SHA-1A3852
SHA-1A3852
SHA-1A3852
SHA-1A3852
SHA-1A3853
SHA-1A3853
SHA-1A3853
SHA2-224A3812
SHA2-224A3812
SHA2-224A3813
SHA2-224A3813
SHA2-224A3814
SHA2-224A3814
SHA2-224A3814
SHA2-224A3832
SHA2-224A3832
SHA2-224A3832
SHA2-224A3850
SHA2-224A3850
SHA2-224A3850
SHA2-224A3851
SHA2-224A3851
SHA2-224A3851
SHA2-224A3852
SHA2-224A3852
SHA2-224A3852
SHA2-224A3853
SHA2-224A3853
SHA2-224A3857
SHA2-224A3857
SHA2-224A3858
SHA2-224A3858
SHA2-256A3812
SHA2-256A3812
SHA2-256A3812
SHA2-256A3813
SHA2-256A3813
SHA2-256A3813
SHA2-256A3814
SHA2-256A3814
SHA2-256A3814
SHA2-256A3814
SHA2-256A3832
SHA2-256A3832
SHA2-256A3832
SHA2-256A3832
SHA2-256A3850
SHA2-256A3850
SHA2-256A3850
SHA2-256A3850
SHA2-256A3851
SHA2-256A3851
SHA2-256A3851
SHA2-256A3851
SHA2-256A3852
SHA2-256A3852
SHA2-256A3852
SHA2-256A3852
SHA2-256A3853
SHA2-256A3853
SHA2-256A3853
SHA2-256A3857
SHA2-256A3857
SHA2-256A3857
SHA2-256A3858
SHA2-256A3858
SHA2-256A3858
SHA2-384A3812
SHA2-384A3812
SHA2-384A3812
SHA2-384A3813
SHA2-384A3813
SHA2-384A3813
SHA2-384A3814
SHA2-384A3814
SHA2-384A3814
SHA2-384A3814
SHA2-384A3832
SHA2-384A3832
SHA2-384A3832
SHA2-384A3832
SHA2-384A3850
SHA2-384A3850
SHA2-384A3850
SHA2-384A3850
SHA2-384A3851
SHA2-384A3851
SHA2-384A3851
SHA2-384A3851
SHA2-384A3852
SHA2-384A3852
SHA2-384A3852
SHA2-384A3852
SHA2-384A3858
SHA2-384A3858
SHA2-384A3858
SHA2-512A3812
SHA2-512A3812
SHA2-512A3812
SHA2-512A3813
SHA2-512A3813
SHA2-512A3813
SHA2-512A3814
SHA2-512A3814
SHA2-512A3814
SHA2-512A3814
SHA2-512A3832
SHA2-512A3832
SHA2-512A3832
SHA2-512A3832
SHA2-512A3850
SHA2-512A3850
SHA2-512A3850
SHA2-512A3850
SHA2-512A3851
SHA2-512A3851
SHA2-512A3851
SHA2-512A3851
SHA2-512A3852
SHA2-512A3852
SHA2-512A3852
SHA2-512A3852
SHA2-512A3858
SHA2-512A3858
SHA2-512A3858
SHA3-224A3816
SHA3-224A3816
SHA3-224A3839
SHA3-224A3839
SHA3-256A3816
SHA3-256A3816
SHA3-256A3839
SHA3-256A3839
SHA3-256A3839
SHA3-384A3816
SHA3-384A3816
SHA3-384A3839
SHA3-512A3816
SHA3-512A3816
SHA3-512A3839
SHA3-512A3839

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Canonical Ltd. Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module Version 5.15.0-73-fips Version 1.2 Last update: 11-08-2024 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com © 2024 Canonical Ltd./ atsec information security.

Page 2
Table of Contents
#SectionPage
Page 3

© 2024 Canonical Ltd. / atsec information security.

3 of 103
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid9
Table 4: Modes List and Description9
Table 5: Approved Algorithms15
Table 6: V endor-Affirmed Algorithms15
Table 7: Non-Approved , Not Allowed Algorithms16
Table 8: Security Function Implementations26
Table 9: Entrop y Certificates27
Table 10: Entropy Sources27
Table 11: Ports and Interfaces30
Table 12: Roles31
Table 13: Approved Services35
Table 14: Non-Approved Services36
Table 15: Storag e Areas41
Table 16: SSP Input-Output Methods41
Table 17: SSP Zeroization Methods41
Table 18: SSP Table 144
Table 19: SSP Table 245
Table 20: Pre-Operational Self-Tests47
Table 21: Conditional Self-Tests84
Table 22: Pre-Operational Period ic Information85
Table 23: Conditional Periodic Information96
Table 24: Error States96
Page 5
List of Figures
ItemPage
Figure 1: Block Diagram7
Page 6
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 5.15.0-73-fips of the Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.

1.2 Security Levels
1 1
2 1
3 1
4 1
5 1
6 1
7 N/A
8 N/A
9 1
10 1
11 1
12 N/A

Overall 1 Table 1: Security Levels

1.3 Additional Information

which was further consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2024 Canonical Ltd. / atsec information security.

6 of 103
Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1: Block Diagram © 2024 Canonical Ltd. / atsec information security.

7 of 103
Page 8
2.2 Tested and Vendor Affirmed Module Version and

Identification Tested Module Identification

8 of 103
Page 9

Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS Ubuntu 22.04 LTS Amazon Web Services AWS Graviton2 No N/A 5.15.0-7364-bit (AWS) c6g.metal fips Ubuntu Core 22 Amazon Web Services AWS Graviton2 Yes N/A 5.15.0-7364-bit (AWS) c6g.metal fips Ubuntu Core 22 Amazon Web Services AWS Graviton2 No N/A 5.15.0-7364-bit (AWS) c6g.metal fips Ubuntu 22.04 LTS IBM z15 IBM z15 Yes N/A 5.15.0-7364-bit fips Ubuntu 22.04 LTS IBM z15 IBM z15 No N/A 5.15.0-7364-bit fips Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator of the mode approved service is requested requested service defined in section 4.3 Non-approved Automatically entered whenever a Non- Equivalent to the indicator of the mode non-approved service is requested Approved requested service defined in section 4.3 Table 4: Modes List and Description Mode Change Instructions and Status: After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: Not applicable. © 2024 Canonical Ltd. / atsec information security.

9 of 103
Page 10
2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Reference AES-ECB A3812 SP 800-38A Counter DRBG A3812 SP 800-90A Rev. 1 Hash DRBG A3812 SP 800-90A Rev. 1 HMAC DRBG A3812 SP 800-90A Rev. 1 HMAC-SHA-1 A3812 FIPS 198-1 HMAC-SHA2-224 A3812 FIPS 198-1 HMAC-SHA2-256 A3812 FIPS 198-1 HMAC-SHA2-384 A3812 FIPS 198-1 HMAC-SHA2-512 A3812 FIPS 198-1 KAS-FFC-SSC Sp800-56Ar3 A3812 SP 800-56A Rev. 3 Safe Primes Key Generation A3812 SP 800-56A Rev. 3 SHA-1 A3812 FIPS 180-4 SHA2-224 A3812 FIPS 180-4 SHA2-256 A3812 FIPS 180-4 SHA2-384 A3812 FIPS 180-4 SHA2-512 A3812 FIPS 180-4 AES-ECB A3813 SP 800-38A Counter DRBG A3813 SP 800-90A Rev. 1 ECDSA KeyGen (FIPS186-4) A3813 FIPS 186-4 Hash DRBG A3813 SP 800-90A Rev. 1 HMAC DRBG A3813 SP 800-90A Rev. 1 HMAC-SHA-1 A3813 FIPS 198-1 HMAC-SHA2-224 A3813 FIPS 198-1 HMAC-SHA2-256 A3813 FIPS 198-1 HMAC-SHA2-384 A3813 FIPS 198-1 HMAC-SHA2-512 A3813 FIPS 198-1 KAS-ECC-SSC Sp800-56Ar3 A3813 SP 800-56A Rev. 3 SHA-1 A3813 FIPS 180-4 SHA2-224 A3813 FIPS 180-4 SHA2-256 A3813 FIPS 180-4 SHA2-384 A3813 FIPS 180-4 SHA2-512 A3813 FIPS 180-4 AES-CBC A3814 SP 800-38A AES-CCM A3814 SP 800-38C AES-CMAC A3814 SP 800-38B AES-CTR A3814 SP 800-38A AES-ECB A3814 SP 800-38A AES-GCM A3814 SP 800-38D AES-GMAC A3814 SP 800-38D AES-XTS Testing Revision 2.0 A3814 SP 800-38E Counter DRBG A3814 SP 800-90A Rev. 1 Hash DRBG A3814 SP 800-90A Rev. 1 HMAC DRBG A3814 SP 800-90A Rev. 1 HMAC-SHA-1 A3814 FIPS 198-1 HMAC-SHA2-224 A3814 FIPS 198-1 HMAC-SHA2-256 A3814 FIPS 198-1 HMAC-SHA2-384 A3814 FIPS 198-1 HMAC-SHA2-512 A3814 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.

10 of 103
Page 11

Algorithm CAVP Cert Reference RSA SigVer (FIPS186-4) A3814 FIPS 186-4 SHA-1 A3814 FIPS 180-4 SHA2-224 A3814 FIPS 180-4 SHA2-256 A3814 FIPS 180-4 SHA2-384 A3814 FIPS 180-4 SHA2-512 A3814 FIPS 180-4 AES-KW A3815 SP 800-38F HMAC-SHA3-224 A3816 FIPS 198-1 HMAC-SHA3-256 A3816 FIPS 198-1 HMAC-SHA3-384 A3816 FIPS 198-1 HMAC-SHA3-512 A3816 FIPS 198-1 SHA3-224 A3816 FIPS 202 SHA3-256 A3816 FIPS 202 SHA3-384 A3816 FIPS 202 SHA3-512 A3816 FIPS 202 AES-CFB128 A3817 SP 800-38A AES-OFB A3818 SP 800-38A AES-CBC-CS3 A3819 SP 800-38A AES-ECB A3820 SP 800-38A AES-GCM A3820 SP 800-38D Counter DRBG A3820 SP 800-90A Rev. 1 Hash DRBG A3820 SP 800-90A Rev. 1 HMAC DRBG A3820 SP 800-90A Rev. 1 AES-ECB A3821 SP 800-38A AES-GCM A3821 SP 800-38D Counter DRBG A3821 SP 800-90A Rev. 1 Hash DRBG A3821 SP 800-90A Rev. 1 HMAC DRBG A3821 SP 800-90A Rev. 1 AES-CBC A3822 SP 800-38A AES-CCM A3822 SP 800-38C AES-CMAC A3822 SP 800-38B AES-CTR A3822 SP 800-38A AES-ECB A3822 SP 800-38A AES-GCM A3822 SP 800-38D AES-GMAC A3822 SP 800-38D AES-XTS Testing Revision 2.0 A3822 SP 800-38E Counter DRBG A3822 SP 800-90A Rev. 1 Hash DRBG A3822 SP 800-90A Rev. 1 HMAC DRBG A3822 SP 800-90A Rev. 1 AES-KW A3823 SP 800-38F AES-ECB A3824 SP 800-38A AES-GCM A3824 SP 800-38D Counter DRBG A3824 SP 800-90A Rev. 1 Hash DRBG A3824 SP 800-90A Rev. 1 HMAC DRBG A3824 SP 800-90A Rev. 1 AES-ECB A3825 SP 800-38A AES-GCM A3825 SP 800-38D Counter DRBG A3825 SP 800-90A Rev. 1 Hash DRBG A3825 SP 800-90A Rev. 1 HMAC DRBG A3825 SP 800-90A Rev. 1 AES-CFB128 A3826 SP 800-38A AES-OFB A3827 SP 800-38A © 2024 Canonical Ltd. / atsec information security.

11 of 103
Page 12

Algorithm CAVP Cert Reference AES-CBC-CS3 A3828 SP 800-38A AES-CBC A3829 SP 800-38A AES-CCM A3829 SP 800-38C AES-CMAC A3829 SP 800-38B AES-CTR A3829 SP 800-38A AES-ECB A3829 SP 800-38A AES-GCM A3829 SP 800-38D AES-GMAC A3829 SP 800-38D AES-XTS Testing Revision 2.0 A3829 SP 800-38E Counter DRBG A3829 SP 800-90A Rev. 1 AES-ECB A3830 SP 800-38A AES-GCM A3830 SP 800-38D Counter DRBG A3830 SP 800-90A Rev. 1 Hash DRBG A3830 SP 800-90A Rev. 1 HMAC DRBG A3830 SP 800-90A Rev. 1 AES-ECB A3831 SP 800-38A AES-GCM A3831 SP 800-38D Counter DRBG A3831 SP 800-90A Rev. 1 Hash DRBG A3831 SP 800-90A Rev. 1 HMAC DRBG A3831 SP 800-90A Rev. 1 AES-CBC A3832 SP 800-38A AES-CCM A3832 SP 800-38C AES-CMAC A3832 SP 800-38B AES-CTR A3832 SP 800-38A AES-ECB A3832 SP 800-38A AES-GCM A3832 SP 800-38D AES-GMAC A3832 SP 800-38D AES-XTS Testing Revision 2.0 A3832 SP 800-38E Counter DRBG A3832 SP 800-90A Rev. 1 Hash DRBG A3832 SP 800-90A Rev. 1 HMAC DRBG A3832 SP 800-90A Rev. 1 HMAC-SHA-1 A3832 FIPS 198-1 HMAC-SHA2-224 A3832 FIPS 198-1 HMAC-SHA2-256 A3832 FIPS 198-1 HMAC-SHA2-384 A3832 FIPS 198-1 HMAC-SHA2-512 A3832 FIPS 198-1 RSA SigVer (FIPS186-4) A3832 FIPS 186-4 SHA-1 A3832 FIPS 180-4 SHA2-224 A3832 FIPS 180-4 SHA2-256 A3832 FIPS 180-4 SHA2-384 A3832 FIPS 180-4 SHA2-512 A3832 FIPS 180-4 AES-ECB A3833 SP 800-38A AES-GCM A3833 SP 800-38D Counter DRBG A3833 SP 800-90A Rev. 1 Hash DRBG A3833 SP 800-90A Rev. 1 HMAC DRBG A3833 SP 800-90A Rev. 1 AES-ECB A3834 SP 800-38A AES-GCM A3834 SP 800-38D Counter DRBG A3834 SP 800-90A Rev. 1 Hash DRBG A3834 SP 800-90A Rev. 1 HMAC DRBG A3834 SP 800-90A Rev. 1 © 2024 Canonical Ltd. / atsec information security.

12 of 103
Page 13

Algorithm CAVP Cert Reference AES-KW A3835 SP 800-38F AES-CFB128 A3836 SP 800-38A AES-OFB A3837 SP 800-38A AES-CBC-CS3 A3838 SP 800-38A HMAC-SHA3-224 A3839 FIPS 198-1 HMAC-SHA3-256 A3839 FIPS 198-1 HMAC-SHA3-384 A3839 FIPS 198-1 HMAC-SHA3-512 A3839 FIPS 198-1 SHA3-224 A3839 FIPS 202 SHA3-256 A3839 FIPS 202 SHA3-384 A3839 FIPS 202 SHA3-512 A3839 FIPS 202 AES-CBC A3840 SP 800-38A AES-CTR A3840 SP 800-38A AES-ECB A3840 SP 800-38A AES-GCM A3840 SP 800-38D AES-XTS Testing Revision 2.0 A3840 SP 800-38E Counter DRBG A3840 SP 800-90A Rev. 1 Hash DRBG A3840 SP 800-90A Rev. 1 HMAC DRBG A3840 SP 800-90A Rev. 1 AES-ECB A3841 SP 800-38A AES-GCM A3841 SP 800-38D Counter DRBG A3841 SP 800-90A Rev. 1 Hash DRBG A3841 SP 800-90A Rev. 1 HMAC DRBG A3841 SP 800-90A Rev. 1 AES-ECB A3842 SP 800-38A AES-GCM A3842 SP 800-38D Counter DRBG A3842 SP 800-90A Rev. 1 Hash DRBG A3842 SP 800-90A Rev. 1 HMAC DRBG A3842 SP 800-90A Rev. 1 AES-CBC A3843 SP 800-38A AES-CCM A3843 SP 800-38C AES-CMAC A3843 SP 800-38B AES-CTR A3843 SP 800-38A AES-ECB A3843 SP 800-38A AES-GCM A3843 SP 800-38D AES-GMAC A3843 SP 800-38D AES-XTS Testing Revision 2.0 A3843 SP 800-38E Counter DRBG A3843 SP 800-90A Rev. 1 Hash DRBG A3843 SP 800-90A Rev. 1 HMAC DRBG A3843 SP 800-90A Rev. 1 AES-ECB A3844 SP 800-38A AES-GCM A3844 SP 800-38D Counter DRBG A3844 SP 800-90A Rev. 1 Hash DRBG A3844 SP 800-90A Rev. 1 HMAC DRBG A3844 SP 800-90A Rev. 1 AES-ECB A3845 SP 800-38A AES-GCM A3845 SP 800-38D Counter DRBG A3845 SP 800-90A Rev. 1 Hash DRBG A3845 SP 800-90A Rev. 1 HMAC DRBG A3845 SP 800-90A Rev. 1 AES-KW A3846 SP 800-38F © 2024 Canonical Ltd. / atsec information security.

13 of 103
Page 14

Algorithm CAVP Cert Reference AES-CFB128 A3847 SP 800-38A AES-OFB A3848 SP 800-38A AES-CBC-CS3 A3849 SP 800-38A Hash DRBG A3850 SP 800-90A Rev. 1 HMAC DRBG A3850 SP 800-90A Rev. 1 HMAC-SHA-1 A3850 FIPS 198-1 HMAC-SHA2-224 A3850 FIPS 198-1 HMAC-SHA2-256 A3850 FIPS 198-1 HMAC-SHA2-384 A3850 FIPS 198-1 HMAC-SHA2-512 A3850 FIPS 198-1 RSA SigVer (FIPS186-4) A3850 FIPS 186-4 SHA-1 A3850 FIPS 180-4 SHA2-224 A3850 FIPS 180-4 SHA2-256 A3850 FIPS 180-4 SHA2-384 A3850 FIPS 180-4 SHA2-512 A3850 FIPS 180-4 Hash DRBG A3851 SP 800-90A Rev. 1 HMAC DRBG A3851 SP 800-90A Rev. 1 HMAC-SHA-1 A3851 FIPS 198-1 HMAC-SHA2-224 A3851 FIPS 198-1 HMAC-SHA2-256 A3851 FIPS 198-1 HMAC-SHA2-384 A3851 FIPS 198-1 HMAC-SHA2-512 A3851 FIPS 198-1 RSA SigVer (FIPS186-4) A3851 FIPS 186-4 SHA-1 A3851 FIPS 180-4 SHA2-224 A3851 FIPS 180-4 SHA2-256 A3851 FIPS 180-4 SHA2-384 A3851 FIPS 180-4 SHA2-512 A3851 FIPS 180-4 Hash DRBG A3852 SP 800-90A Rev. 1 HMAC DRBG A3852 SP 800-90A Rev. 1 HMAC-SHA-1 A3852 FIPS 198-1 HMAC-SHA2-224 A3852 FIPS 198-1 HMAC-SHA2-256 A3852 FIPS 198-1 HMAC-SHA2-384 A3852 FIPS 198-1 HMAC-SHA2-512 A3852 FIPS 198-1 RSA SigVer (FIPS186-4) A3852 FIPS 186-4 SHA-1 A3852 FIPS 180-4 SHA2-224 A3852 FIPS 180-4 SHA2-256 A3852 FIPS 180-4 SHA2-384 A3852 FIPS 180-4 SHA2-512 A3852 FIPS 180-4 AES-CBC A3853 SP 800-38A AES-CBC-CS3 A3853 SP 800-38A AES-CCM A3853 SP 800-38C AES-CMAC A3853 SP 800-38B AES-CTR A3853 SP 800-38A AES-ECB A3853 SP 800-38A AES-XTS Testing Revision 2.0 A3853 SP 800-38E HMAC-SHA-1 A3853 FIPS 198-1 HMAC-SHA2-224 A3853 FIPS 198-1 HMAC-SHA2-256 A3853 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.

14 of 103
Page 15

Algorithm CAVP Cert Reference SHA-1 A3853 FIPS 180-4 SHA2-224 A3853 FIPS 180-4 SHA2-256 A3853 FIPS 180-4 AES-CBC A3854 SP 800-38A AES-CBC-CS3 A3854 SP 800-38A AES-CCM A3854 SP 800-38C AES-CFB128 A3854 SP 800-38A AES-CMAC A3854 SP 800-38B AES-CTR A3854 SP 800-38A AES-ECB A3854 SP 800-38A AES-GCM A3854 SP 800-38D AES-GMAC A3854 SP 800-38D AES-KW A3854 SP 800-38F AES-OFB A3854 SP 800-38A AES-XTS Testing Revision 2.0 A3854 SP 800-38E Counter DRBG A3854 SP 800-90A Rev. 1 AES-ECB A3855 SP 800-38A AES-GCM A3855 SP 800-38D Counter DRBG A3855 SP 800-90A Rev. 1 Hash DRBG A3855 SP 800-90A Rev. 1 HMAC DRBG A3855 SP 800-90A Rev. 1 AES-ECB A3856 SP 800-38A AES-GCM A3856 SP 800-38D Counter DRBG A3856 SP 800-90A Rev. 1 Hash DRBG A3856 SP 800-90A Rev. 1 HMAC DRBG A3856 SP 800-90A Rev. 1 AES-CBC A3857 SP 800-38A AES-CTR A3857 SP 800-38A AES-ECB A3857 SP 800-38A AES-XTS Testing Revision 2.0 A3857 SP 800-38E HMAC-SHA2-224 A3857 FIPS 198-1 HMAC-SHA2-256 A3857 FIPS 198-1 SHA2-224 A3857 FIPS 180-4 SHA2-256 A3857 FIPS 180-4 HMAC-SHA2-224 A3858 FIPS 198-1 HMAC-SHA2-256 A3858 FIPS 198-1 HMAC-SHA2-384 A3858 FIPS 198-1 HMAC-SHA2-512 A3858 FIPS 198-1 SHA2-224 A3858 FIPS 180-4 SHA2-256 A3858 FIPS 180-4 SHA2-384 A3858 FIPS 180-4 SHA2-512 A3858 FIPS 180-4 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference ECC and Key Type:Asymmetric N/A SP800-133r2, section DH CKG ECC Curves:P-256, P-384 (strength of 128, 192 4 (without XOR) bits) DH groups:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 (strength of 112-200 bits) Table 6: Vendor-Affirmed Algorithms © 2024 Canonical Ltd. / atsec information security.

15 of 103
Page 16

Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES-GCM with Encryption external IV KBKDF (libkcapi) Key derivation HKDF (libkcapi) Key derivation PBKDF2 (libkcapi) Password-based key derivation RSA Encryption primitive; Decryption primitive RSA with PKCS#1 Signature generation (pre-hashed message); Signature verification (pre-hashed v1.5 padding message); Key encapsulation; Key un-encapsulation Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption and BC-UnAuth SP800-38A. AES-ECB keys:128, AES-ECB Decryption with Encryption, 192, 256 bits with AES-ECB AES Decryption; SP800- 128, 192, 256 bits AES-ECB 38F. KTS (key of strength AES-ECB wrapping and key AES-CBC keys:128, AES-ECB unwrapping) per IG 192, 256 bits with AES-ECB D.G 128, 192, 256 bits AES-ECB of strength AES-ECB AES-CTR keys:128, AES-ECB 192, 256 bits with AES-ECB 128, 192, 256 bits AES-ECB of strength AES-ECB AES-XTS Testing AES-ECB Revision 2.0 AES-ECB keys:128, 256 bits AES-ECB with 128 and 256 AES-ECB bits of strength AES-ECB AES-KW keys:128, AES-ECB 192, 256 bits with AES-ECB 128, 192, 256 bits AES-ECB of strength AES-ECB AES-CFB128 AES-ECB keys:128, 192, 256 AES-ECB bits with 128, 192, AES-ECB

256 bits of strength AES-ECB

AES-OFB keys:128, AES-CBC 192, 256 bits with AES-CBC 128, 192, 256 bits AES-CBC of strength AES-CBC AES-CBC-CS3 AES-CBC © 2024 Canonical Ltd. / atsec information security.

16 of 103
Page 17

Name Type Description Properties Algorithms keys:128, 192, 256 AES-CBC bits with 128, 192, AES-CBC

256 bits of strength AES-CBC

AES-CBC AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-KW AES-KW AES-KW AES-KW AES-KW AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 Random Number DRBG SP800-90Ar1. Counter DRBG:128, Counter DRBG Generation with Random number 192, 256 bits Counter DRBG HMAC DRBG, Hash generation HMAC DRBG:128, Counter DRBG © 2024 Canonical Ltd. / atsec information security.

17 of 103
Page 18

Name Type Description Properties Algorithms DRBG or Counter 256 bits Counter DRBG DRBG Hash DRBG:128, Counter DRBG

256 bits Counter DRBG

Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG © 2024 Canonical Ltd. / atsec information security.

18 of 103
Page 19

Name Type Description Properties Algorithms Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Message MAC SP800-38B, SP800- HMAC-SHA-1 HMAC-SHA-1 Authentication with 38D, FISP198-1. keys:112-524288 HMAC-SHA-1 AES or HMAC Message bits with 112-256 HMAC-SHA-1 authentication bits of strength HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA-1 keys:112-524288 HMAC-SHA-1 bits 112-256 bits HMAC-SHA-1 with 112-256 bits of HMAC-SHA-1 strength HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-224 keys:112-524288 HMAC-SHA2-224 bits with 112-256 HMAC-SHA2-224 bits of strength HMAC-SHA2-224 HMAC-SHA2-384 HMAC-SHA2-224 keys:112-524288 HMAC-SHA2-224 bits with 112-256 HMAC-SHA2-224 bits of strength HMAC-SHA2-224 HMAC-SHA2-512 HMAC-SHA2-224 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-256 bits of strength HMAC-SHA2-256 AES-CMAC HMAC-SHA2-256 keys:128, 192, 256 HMAC-SHA2-256 bits with 128, 192, HMAC-SHA2-256

256 bits of strength HMAC-SHA2-256

AES-GMAC HMAC-SHA2-256 keys:128, 192, 256 HMAC-SHA2-256 bits with 128, 192, HMAC-SHA2-256

256 bits of strength HMAC-SHA2-384

HMAC-SHA3-224 HMAC-SHA2-384 keys:112-524288 HMAC-SHA2-384 bits with 112-256 HMAC-SHA2-384 bits of strength HMAC-SHA2-384 HMAC-SHA3-256 HMAC-SHA2-384 keys:112-524288 HMAC-SHA2-384 bits with 112-256 HMAC-SHA2-384 bits of strength HMAC-SHA2-512 HMAC-SHA3-384 HMAC-SHA2-512 keys:112-524288 HMAC-SHA2-512 bits with 112-256 HMAC-SHA2-512 bits of strength HMAC-SHA2-512 HMAC-SHA3-512 HMAC-SHA2-512 © 2024 Canonical Ltd. / atsec information security.

19 of 103
Page 20

Name Type Description Properties Algorithms keys:112-524288 HMAC-SHA2-512 bits with 112-256 HMAC-SHA2-512 bits of strength AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC HMAC-SHA3-224 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-384 HMAC-SHA3-512 HMAC-SHA3-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 © 2024 Canonical Ltd. / atsec information security.

20 of 103
Page 21

Name Type Description Properties Algorithms SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA3-224 SHA3-224 SHA3-256 SHA3-256 SHA3-384 SHA3-256 SHA3-512 SHA3-512 Shared Secret KAS-SSC SP 800-56Ar3. KAS- KAS-FFC-SSC KAS-FFC-SSC Computation with ECC-SSC and KAS- Sp800-56Ar3 Sp800-56Ar3 KAS-FFC-SSC or FFC-SSC per IG D.F keys:ffdhe2048, KAS-ECC-SSC KAS-ECC-SSC Scenario 2 (1) ffdhe3072, Sp800-56Ar3 ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of strength KAS-ECC-SSC Sp800-56Ar3 curves:P-256, P-384 with 128, 192 bits of strength Message Digest SHA FIPS180-4, FIPS202. SHA-1:N/A SHA-1 with SHA Message digest SHA2-224:N/A SHA-1 SHA2-256:N/A SHA-1 SHA2-384:N/A SHA-1 SHA2-512:N/A SHA-1 SHA3-224:N/A SHA-1 SHA3-256:N/A SHA-1 SHA3-384:N/A SHA-1 SHA3-512:N/A SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 © 2024 Canonical Ltd. / atsec information security.

21 of 103
Page 22

Name Type Description Properties Algorithms SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA3-224 SHA3-224 SHA3-256 SHA3-256 SHA3-384 SHA3-384 SHA3-512 SHA3-512 Key Pair Generation AsymKeyPair- FIPS186-4, SP800- Safe Primes Key Safe Primes Key with ECDSA or Safe KeyGen 56Ar3. ECDSA Key Generation Generation Primes pair generation keys:ffdhe2048, ECDSA KeyGen according to ffdhe3072, (FIPS186-4) FIPS186-4, ffdhe4096, Appendix B.4.2 per ffdhe6144, IG D.H and SP800- ffdhe8192 with 133r2, section 4 112-200 bits of (without XOR) 5.1, strength 5.2; Safe Primes ECDSA KeyGen Key Generation (FIPS186-4) according to SP800- curves:P-256, P-384 56Ar3, Section with 128, 192 bits

5.6.1.1.4 per IG D.H of strength

and SP800-133r2, section 4 (without XOR), 5.2 Authenticated BC-Auth SP800-38C. AES-CCM keys:128, AES-CCM Encryption and KTS-Wrap Authenticated 192, 256 bits with AES-CCM Authenticated encryption, 128, 192, 256 bits AES-CCM Decryption with Authenticated of strength AES-CCM AES-CCM decryption, KTS AES-CCM (key wrapping and AES-CCM AES-CCM © 2024 Canonical Ltd. / atsec information security.

22 of 103
Page 23

Name Type Description Properties Algorithms key unwrapping) per IG D.G Authenticated BC-Auth SP800-38D. AES-GCM keys:128, AES-GCM Decryption with KTS-Wrap Authenticated 192, 256 bits with AES-GCM AES-GCM decryption, KTS 128, 192, 256 bits AES-GCM (key unwrapping) of strength AES-GCM per IG D.G Compliance: FIPS AES-GCM 140-3 IG D.G AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Signature DigSig-SigVer FIPS186-4. RSA SigVer RSA SigVer Verification with Signature (FIPS186-4) (FIPS186-4) RSA verification keys:4096 bits with RSA SigVer

150 bits of strength (FIPS186-4)

RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 © 2024 Canonical Ltd. / atsec information security.

23 of 103
Page 24

Name Type Description Properties Algorithms SHA2-256 SHA2-384 SHA2-512 Authenticated BC-Auth SP800-38D. AES-GCM keys:128, AES-GCM Encryption with KTS-Wrap Authenticated 192, 256 bits with AES-GCM AES-GCM encryption KTS (key 128, 192, 256 bits AES-GCM wrapping) per IG of strength AES-GCM D.G AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Authenticated BC-Auth SP800-38A, FIPS AES-CBC keys:128, HMAC-SHA-1 Encryption and KTS-Wrap 198-1. KTS (key 192, 256 bits with HMAC-SHA2-256 Authenticated wrapping and key 128, 192, 256 bits HMAC-SHA2-384 Decryption with unwrapping) per IG of security HMAC-SHA2-512 AES-CBC or AES- D.G AES-CTR keys:128, HMAC-SHA-1 CTR with HMAC 192, 256 bits with HMAC-SHA2-256 128, 192, 256 bits HMAC-SHA2-384 of security HMAC-SHA2-512 HMAC-SHA-1 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA2-256 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA2-384 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-256 © 2024 Canonical Ltd. / atsec information security.

24 of 103
Page 25

Name Type Description Properties Algorithms HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 © 2024 Canonical Ltd. / atsec information security.

25 of 103
Page 26

Table 8: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES GCM IV

For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 (b) of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSE ED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in the Approved Services table.

2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical.

2.7.3 Diffie-Hellman and EC Diffie-Hellman

The module offers DH and ECDH shared secret computation services compliant to the SP 80056Ar3 and meeting IG D.F scenario 2 path (1). In order to meet the required assurances listed in Section 5.6 of SP 800-56Ar3, the module shall be used together with an application that implements the IPSec protocol and the following steps shall be performed: 1. The entity using the module, must use the module's "Key pair generation" service: the set_secret and generate_public_key API functions, to generate DH/ECDH ephemeral key pairs. This meets the assurances required by key pair owner defined in the section

5.6.2.1 of SP 800-56Ar3.

© 2024 Canonical Ltd. / atsec information security.

26 of 103
Page 27
  1. As part of the module's shared secret computation service, the module internally performs the public key validation on the peer's public key passed in as input to the API function. This meets the public key validity assurance required by the sections 5.6.2.2.1/5.6.2.2.2 of SP 800-56Ar3.
  2. The module does not support static keys, therefore the "assurance of peer's possession of private key" is not applicable.
2.7.4 SHA-3

The module implements HMAC with SHA3-224, SHA3-256, SHA3-384, SHA3-512. The CAVP certificates have been obtained for the HMAC algorithm as well as for all the SHA3 implementations. The CAVP certificates are listed in the Approved Algorithms table.

2.7.5 RSA

The module implements FIPS 186-4 RSA SigVer. All RSA modulus lengths (i.e., 2048, 3072,

4096 bits) have been CAVP tested. The CAVP certificates are listed in the Approved Algorithms

2.8 RBG and Entropy

Cert Vendor Number Name E59 Canonical Ltd. Table 9: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Canonical Non- Ubuntu 22.04 LTS 64-bit on Intel(R) Xeon(R) 64 bits 59.43 LinearKernel CPU Physical Gold 6226 on Supermicro SYS-1019P-WTR; bits Feedback Shift Time Jitter Ubuntu Core 22 64-bit on Intel(R) Xeon(R) Register (LFSR) RNG Entropy Gold 6226 on Supermicro SYS-1019P-WTR; source Ubuntu 22.04 LTS 64-bit on AWS Graviton2 on Amazon Web Services (AWS) c6g.metal; Ubuntu Core 22 64-bit on AWS Graviton2 on Amazon Web Services (AWS) c6g.metal; Ubuntu 22.04 LTS 64-bit on IBM z15 on IBM z15 Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: Counter DRBG, Hash DRBG, and HMAC DRBG. Each of these DRBG implementations can be instantiated by the operator of the module, using the parameters listed specified in the Security Function Implementations table. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC SHA-512 DRBG implementation for internal purposes (e.g. to generate asymmetric key pairs). This DRBG is initially seeded with © 2024 Canonical Ltd. / atsec information security.

27 of 103
Page 28

448 output bits from the entropy source (416 bits of entropy) and reseeded with 320 output

bits from the entropy source (297 bits of entropy).

2.9 Key Generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are directly obtained as output from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2 (without XOR). The following methods are implemented:

2.10 Key Establishment

The module implements SSP agreement and SSP transport methods as listed in the Security Function Implementations table. The module implements the following SSP establishment methods: Key agreement:

28 of 103
Page 29

security strength, and 112-524288 bits HMAC keys with 112-256 bits of security strength.

2.11 Industry Protocols

AES-GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. For Diffie-Hellman, the module supports the use of the following safe primes:

29 of 103
Page 30
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type sockets N/A Data Output API output parameters, AF_ALG type sockets N/A Control Input API function calls, API control input parameters, AF_ALG type sockets, kernel command line N/A Status API return values, AF_ALG type sockets, kernel logs Output Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. © 2024 Canonical Ltd. / atsec information security.

30 of 103
Page 31
4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods CO Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Message Compute a crypto_shash_init returns 0 Message Digest Message CO Digest message Value Digest with digest SHA Encryption Encrypt a crypto_skcipher_setkey AES Key, Ciphertex Encryption CO plaintext returns 0 plaintext t and - AES Key: Decryption W,E with AES Decryption Decrypt a crypto_skcipher_setkey AES Key, Plaintext Encryption CO ciphertext returns 0 cipherte and - AES Key: xt Decryption W,E with AES Authenticat Encrypt a For all except AES GCM: AES Key, Ciphertex Authenticat CO ed plaintext crypto_aead_setkey returns 0; IV, t, MAC tag ed - AES Key: Encryption For AES GCM: plaintext Encryption W,E crypto_aead_get_flags(tfm) and has the Authenticat CRYPTO_ALG_FIPS140_COMP ed LIANT flag set Decryption with AESCCM Authenticat ed Encryption with AESGCM Authenticat ed Encryption and Authenticat ed © 2024 Canonical Ltd. / atsec information security.

31 of 103
Page 32

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Decryption with AESCBC or AESCTR with HMAC Authenticat Decrypt a For all except AES GCM: AES key, Plaintext Authenticat CO ed ciphertext crypto_aead_setkey returns 0; IV, MAC or failure ed - AES Key: Decryption For AES GCM: tag, Encryption W,E crypto_aead_get_flags(tfm) cipherte and has the xt Authenticat CRYPTO_ALG_FIPS140_COMP ed LIANT flag set Decryption with AESCCM Authenticat ed Decryption with AESGCM Authenticat ed Encryption and Authenticat ed Decryption with AESCBC or AESCTR with HMAC Message Compute a crypto_shash_init returns 0 AES Key MAC tag Message CO Authenticati MAC tag or HMAC Authenticati - AES Key: on key, on with AES W,E message or HMAC - HMAC Key: W,E Random Generate crypto_rng_get_bytes returns Output Random Random CO Number random 0 length bytes Number - Entropy Generation bytes Generation Input (IG with HMAC D.L): W,E DRBG, Hash - DRBG DRBG or Seed (IG Counter D.L): G,E DRBG - DRBG Internal State (V, Key) (IG D.L): G,W,E - DRBG Internal State (V, C) (IG D.L): G,W,E © 2024 Canonical Ltd. / atsec information security.

32 of 103
Page 33

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Shared Compute a crypto_kpp_compute_shared_ DH Shared Shared CO Secret shared secret returns 0 private secret Secret - DH Public Computatio secret key, DH Computatio Key: W,E n public n with KAS- - DH key or FFC-SSC or Private EC KAS-ECC- Key: W,E private SSC - EC Public key, EC Key: W,E public - EC key Private Key: W,E - Shared Secret: G,R Key Pair Generate a crypto_kpp_set_secret and Safe Safe Key Pair CO Generation key pair crypto_kpp_generate_public_ Primes: Primes: Generation key return 0 Group; DH with ECDSA Intermedia ECDSA: private or Safe te Key Curve key, DH Primes Generatio public n Value: key; G,E,Z ECDSA: EC - DH Public private Key: G,R key, EC - DH public key Private Key: G,R - EC Public Key: G,R - EC Private Key: G,R Error Compute None Message EDC None CO Detection an EDC Code (crc32, crct10dif) Compressio Compress None Data Compress None CO n data ed data (deflate, lz4, lz4hc, lzo, zlibdeflate, zstd) Generic Use the None Identifie Various None CO System Call kernel to r, various return perform argumen values various ts noncryptograp hic operations Show Return the None N/A Module None CO Version module name and name and version version © 2024 Canonical Ltd. / atsec information security.

33 of 103
Page 34

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access informatio n Show Status Return the None N/A Module None CO module status status Self-Test Perform None N/A Pass/fail Encryption CO the CASTs and and Decryption integrity with AES tests Random Number Generation with HMAC DRBG, Hash DRBG or Counter DRBG Message Authenticati on with AES or HMAC Shared Secret Computatio n with KASFFC-SSC or KAS-ECCSSC Message Digest with SHA Authenticat ed Encryption and Authenticat ed Decryption with AESCCM Authenticat ed Decryption with AESGCM Signature Verification with RSA Authenticat ed Encryption with AESGCM © 2024 Canonical Ltd. / atsec information security.

34 of 103
Page 35

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Zeroization Zeroize all None Any SSP N/A None CO SSPs - AES Key: Z - HMAC Key: Z - Shared Secret: Z - Entropy Input (IG D.L): Z - DRBG Seed (IG D.L): Z - DRBG Internal State (V, Key) (IG D.L): Z - DRBG Internal State (V, C) (IG D.L): Z - DH Public Key: Z - DH Private Key: Z - EC Public Key: Z - EC Private Key: Z Intermedia te Key Generatio n Value: Z Table 13: Approved Services The following convention is used to specify access rights to SSPs:

35 of 103
Page 36
4.4 Non-Approved Services

Name Description Algorithms Role AES-GCM with Encryption AES-GCM with CO external IV external IV KBKDF (libkcapi) Key derivation KBKDF (libkcapi) CO HKDF (libkcapi) Key derivation HKDF (libkcapi) CO PBKDF2 Password-based key derivation PBKDF2 (libkcapi) CO (libkcapi) RSA Encryption primitive; Decryption primitive RSA CO RSA with Signature generation (pre-hashed message); Signature RSA with PKCS#1 CO PKCS#1 v1.5 verification (pre-hashed message); Key encapsulation; Key v1.5 padding padding un-encapsulation Table 14: Non-Approved Services

4.5 External Software/Firmware Loaded

Not applicable. © 2024 Canonical Ltd. / atsec information security.

36 of 103
Page 37
5 Software/Firmware Security
5.1 Integrity Techniques

The Linux kernel binary is integrity tested using an HMAC SHA-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). The kernel crypto object files listed in the Tested Module Identification

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. © 2024 Canonical Ltd. / atsec information security.

37 of 103
Page 38
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: the module executes as part of a general-purpose operating system (Canonical Ubuntu 22.04 and Canonical Ubuntu Core 22), which allows modification, loading, and execution of software that is not part of the validated module. The approved cryptographic algorithms of the module are part of the Linux kernel, which operates in Linux kernel space. This ensures that any SSPs contained within the module are protected by the process isolation and memory separation mechanisms provided by the Linux kernel, and only the module has control over these SSPs. The user space libkcapi and sha512hmac components, though not processing any SSPs, are similarly protected by the operating environment.

6.2 Configuration Settings and Restrictions

The module shall be installed as specified in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2024 Canonical Ltd. / atsec information security.

38 of 103
Page 39
7 Physical Security

The module is comprised of software only and therefore this section is not applicable. © 2024 Canonical Ltd. / atsec information security.

39 of 103
Page 40
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2024 Canonical Ltd. / atsec information security.

40 of 103
Page 41
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the Dynamic module as part of service Dynamic execution Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator calling Cryptographic Plaintext Manual Electronic parameters; application module AF_ALG_type (TOEPP) sockets (input) API output Cryptographic Operator calling Plaintext Manual Electronic parameters; module application AF_ALG type (TOEPP) sockets (output) Table 16: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the SSPs Memory occupied by By calling the appropriate zeroization handle contained within SSPs is overwritten functions: AES key: crypto_free_skcipher and the cipher handle with zeroes, which crypto_free_aead; HMAC key: renders the SSP crypto_free_shash and crypto_free_ahash; values irretrievable Internal state: crypto_free_rng; DH public & private key: crypto_free_kpp; EC public & private key: crypto_free_kpp Automatic Automatically Memory occupied by N/A zeroized by the SSPs is overwritten module when no with zeroes, which longer needed renders the SSP values irretrievable. Remove De-allocates the Volatile memory By removing power power from volatile memory used by the module the module used to store SSPs is overwritten within nanoseconds when power is removed. Table 17: SSP Zeroization Methods © 2024 Canonical Ltd. / atsec information security.

41 of 103
Page 42

All data output is inhibited during zeroization.

9.4 SSPs

Name Description Size - Strength Type - Generated Established Used By Category By By AES Key AES key used XTS: 128, 256 Symmetric Encryption and for Encryption; bits; ECB, CBC, key - CSP Decryption Decryption; CTR, CFB128, with AES Authenticated CBC-CTS-CS3, Message encryption; KW, OFB, CCM, Authentication Authenticated GCM, CMAC, with AES or decryption; CMAC: 128, 192, HMAC Message 256 bits - XTS: authentication; 128, 256 bits; ECB, CBC, CTR, CFB128, CBCCTS-CS3, KW, OFB, CCM, GCM, CMAC, CMAC: 128, 192,

256 bits

HMAC Key HMAC key used 112-524288 bits Symmetric Message for Message - 112-256 bits key - CSP Authentication authentication with AES or code (MAC); HMAC Shared Shared secret KAS-FFC- Shared Shared Secret established SSC:ffdhe2048, secret - CSP Secret during Shared ffdhe3072, Computation Secret ffdhe4096, with KASComputation ffdhe6144, FFC-SSC or ffdhe8192; KAS- KAS-ECC-SSC ECC-SSC: P-256, P-384 bits KAS-FFC-SSC: 112-200 bits; KAS-ECC-SSC: 128, 192 bits Entropy Entropy input 128-448 bits - Entropy Random Input (IG D.L) used to seed 128-256 bits input - CSP Number the DRBGs Generation with HMAC DRBG, Hash DRBG or Counter DRBG DRBG Seed DRBG seed Counter DRBG: Seed - CSP Random Random (IG D.L) derived from 256, 320, 384 Number Number Entropy Input bits; Generation Generation Hash_DRBG: with HMAC with HMAC 440, 888 bits; DRBG, DRBG, Hash HMAC DRBG: Hash DRBG DRBG or 160, 256, 512 or Counter Counter DRBG bits - Counter DRBG DRBG: 128, 192, © 2024 Canonical Ltd. / atsec information security.

42 of 103
Page 43

Name Description Size - Strength Type - Generated Established Used By Category By By

256 bits; Hash

DRBG: 128, 256 bits; HMAC DRBG: 128, 256 bits DRBG Internal state Counter DRBG: Internal Random Random Internal of Counter 256, 320, 348 state - CSP Number Number State (V, DRBG and bits; HMAC Generation Generation Key) (IG D.L) HMAC DRBG DRBG: 320, 512, with HMAC with HMAC instances 1024 bits - DRBG, DRBG, Hash Counter DRBG: Hash DRBG DRBG or 128, 192, 256 or Counter Counter DRBG bits; HMAC DRBG DRBG: 128, 256 bits DRBG Internal state 440, 888 bits - Internal Random Random Internal of Hash DRBG 128, 256 bits state - CSP Number Number State (V, C) instance Generation Generation (IG D.L) with HMAC with HMAC DRBG, DRBG, Hash Hash DRBG DRBG or or Counter Counter DRBG DRBG DH Public Public key used ffdhe2048, Public key - Key Pair Shared Secret Key for KAS-FFC- ffdhe3072, PSP Generation Computation SSC ffdhe4096, with with KAS-FFCffdhe6144, ECDSA or SSC or KASffdhe8192 - Safe ECC-SSC 112-200 bits Primes DH Private DH private key ffdhe2048, Private key - Key Pair Shared Secret Key used for KAS- ffdhe3072, CSP Generation Computation FFC-SSC ffdhe4096, with with KAS-FFCffdhe6144, ECDSA or SSC or KASffdhe8192 - Safe ECC-SSC 112-200 bits Primes EC Public Public key used P-256, P-384 - Public key - Key Pair Shared Secret Key for KAS-ECC- 128, 192 bits PSP Generation Computation SSC with with KAS-FFCECDSA or SSC or KASSafe ECC-SSC Primes EC Private EC private key P-521, P-384 - Private key - Key Pair Shared Secret Key used for KAS- 128, 192 bits CSP Generation Computation ECC-SSC with with KAS-FFCECDSA or SSC or KASSafe ECC-SSC Primes Intermediate Intermediate 2048-8192 bits Intermediate Key Pair Key Pair Key value - 112-200 bits value - CSP Generation Generation Generation generated with with ECDSA or Value during Key Pair ECDSA or Safe Primes Generation Safe Primes © 2024 Canonical Ltd. / atsec information security.

43 of 103
Page 44

Table 18: SSP Table 1 Name Input - Output Storage Storage Zeroization Related SSPs Duration AES Key API input RAM:Plaintext From service Free cipher parameters; invocation to handle AF_ALG_type service Remove sockets (input) completion power from the module HMAC Key API input RAM:Plaintext From service Free cipher parameters; invocation to handle AF_ALG_type service Remove sockets (input) completion power from the module Shared Secret API output RAM:Plaintext From service Free cipher DH Public parameters; invocation to handle Key:Derived From AF_ALG type service Remove DH Private sockets (output) completion power from Key:Derived From the module EC Public Key:Derived From EC Private Key:Derived From Entropy Input RAM:Plaintext From service Automatic DRBG Seed (IG (IG D.L) invocation to Remove D.L):Derives service power from completion the module DRBG Seed (IG RAM:Plaintext From service Automatic Entropy Input (IG D.L) invocation to Remove D.L):Derived From service power from DRBG Internal State completion the module (V, Key) (IG D.L):Derives DRBG Internal State (V, C) (IG D.L):Derives DRBG Internal RAM:Plaintext From service Free cipher DRBG Seed (IG State (V, Key) invocation to handle D.L):Derived From (IG D.L) service Remove completion power from the module DRBG Internal RAM:Plaintext From service Free cipher DRBG Seed (IG State (V, C) (IG invocation to handle D.L):Derived From D.L) service Remove completion power from the module DH Public Key API input RAM:Plaintext From service Free cipher DH Private parameters; invocation to handle Key:Paired With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From DH Private Key API input RAM:Plaintext From service Free cipher DH Public Key:Paired parameters; invocation to handle With AF_ALG_type Remove Shared © 2024 Canonical Ltd. / atsec information security.

44 of 103
Page 45

Name Input - Output Storage Storage Zeroization Related SSPs Duration sockets (input) service power from Secret:Derives API output completion the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From EC Public Key API input RAM:Plaintext From service Free cipher EC Private parameters; invocation to handle Key:Paired With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From EC Private Key API input RAM:Plaintext From service Free cipher EC Public Key:Paired parameters; invocation to handle With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From Intermediate RAM:Plaintext From service Automatic DH Public Key Generation invocation to Key:Generates Value service DH Private completion Key:Generates EC Public Key:Generates EC Private Key:Generates Table 19: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 was withdrawn on February 3, 2024. © 2024 Canonical Ltd. / atsec information security.

45 of 103
Page 46
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Method Test Indicator Details Test Properties Type HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3812) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3813) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3814) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3832) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3850) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3851) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3852) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3853) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3857) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi

256 (A3858) Authentication Integrity operational and

services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3812) Authentication Integrity operational and and sha512hmac

services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3813) Authentication Integrity operational and and sha512hmac

binaries © 2024 Canonical Ltd. / atsec information security.

46 of 103
Page 47

Algorithm or Test Test Method Test Indicator Details Test Properties Type services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3814) Authentication Integrity operational and and sha512hmac

services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3832) Authentication Integrity operational and and sha512hmac

services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3850) Authentication Integrity operational and and sha512hmac

services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3851) Authentication Integrity operational and and sha512hmac

services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3852) Authentication Integrity operational and and sha512hmac

services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel

512 (A3858) Authentication Integrity operational and and sha512hmac

services are available binaries for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3814) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3832) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3850) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3851) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3852) services are available for use Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. © 2024 Canonical Ltd. / atsec information security.

47 of 103
Page 48
10.2 Conditional Self-Tests

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3812) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3813) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3820) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3821) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3824) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3825) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3830) keys, encrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

48 of 103
Page 49

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3831) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3833) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3834) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3841) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3842) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3844) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3845) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, encrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

49 of 103
Page 50

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3855) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3856) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3857) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3812) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3813) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3820) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3821) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, decrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

50 of 103
Page 51

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3824) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3825) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3830) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3831) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3833) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3834) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3841) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3842) keys, decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

51 of 103
Page 52

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3844) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3845) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3855) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3856) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3857) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, encrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

52 of 103
Page 53

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3857) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

53 of 103
Page 54

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3857) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3819) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3828) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3838) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3849) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

54 of 103
Page 55

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3819) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3828) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3838) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3849) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3817) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3826) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3836) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3847) keys, encrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

55 of 103
Page 56

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3817) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3826) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3836) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3847) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, encrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

56 of 103
Page 57

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3857) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

57 of 103
Page 58

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3857) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

58 of 103
Page 59

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3820) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3821) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, 96-bit (internal becomes power-on IV), encrypt operational and © 2024 Canonical Ltd. / atsec information security.

59 of 103
Page 60

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3824) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3825) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3830) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3831) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3833) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3834) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3841) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

60 of 103
Page 61

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3842) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3844) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3845) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3855) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3856) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3820) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3821) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, 96-bit (internal becomes power-on IV), decrypt operational and © 2024 Canonical Ltd. / atsec information security.

61 of 103
Page 62

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3824) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3825) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3830) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3831) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3833) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3834) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3841) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

62 of 103
Page 63

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3842) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3844) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3845) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3855) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3856) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3818) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3827) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3837) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3848) becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

63 of 103
Page 64

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3818) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3827) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3837) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3848) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3814) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3822) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3829) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3832) services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

64 of 103
Page 65

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3840) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3843) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3853) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3854) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3857) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3814) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3822) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3829) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3832) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3840) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

65 of 103
Page 66

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Revision 2.0 services are before the (A3843) available for use integrity test AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3853) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3854) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3857) services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3814) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3822) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3829) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3832) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3843) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3853) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3854) encrypt becomes authentication power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

66 of 103
Page 67

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

67 of 103
Page 68

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3857) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

68 of 103
Page 69

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3857) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.

69 of 103
Page 70

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

70 of 103
Page 71

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA3-224 SHA3-224 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-224 SHA3-224 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use SHA3-256 SHA3-256 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-256 SHA3-256 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use SHA3-384 SHA3-384 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-384 SHA3-384 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use SHA3-512 SHA3-512 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-512 SHA3-512 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3812) becomes authentication power-on operational and © 2024 Canonical Ltd. / atsec information security.

71 of 103
Page 72

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3813) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3814) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3832) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3850) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3851) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3852) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3853) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3812) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3813) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3814) becomes authentication power-on

operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

72 of 103
Page 73

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3832) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3850) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3851) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3852) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3853) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3857) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A3858) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3812) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3813) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3814) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3832) becomes authentication power-on

operational and © 2024 Canonical Ltd. / atsec information security.

73 of 103
Page 74

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3850) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3851) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3852) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3853) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3857) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A3858) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3812) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3813) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3814) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3832) becomes authentication power-on

operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

74 of 103
Page 75

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3850) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3851) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3852) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A3858) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3812) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3813) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3814) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3832) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3850) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3851) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3852) becomes authentication power-on

operational and © 2024 Canonical Ltd. / atsec information security.

75 of 103
Page 76

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A3858) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-224 KAT CAST Module Message Test runs at

224 (A3816) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-224 KAT CAST Module Message Test runs at

224 (A3839) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-256 KAT CAST Module Message Test runs at

256 (A3816) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-256 KAT CAST Module Message Test runs at

256 (A3839) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-384 KAT CAST Module Message Test runs at

384 (A3816) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-384 KAT CAST Module Message Test runs at

384 (A3839) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at

512 (A3816) becomes authentication power-on

operational and before the services are integrity test available for use HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at

512 (A3839) becomes authentication power-on

operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3812) PR operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

76 of 103
Page 77

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3813) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3814) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3820) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3821) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3822) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3824) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3825) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3829) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3830) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3831) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3832) PR operational and © 2024 Canonical Ltd. / atsec information security.

77 of 103
Page 78

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3833) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3834) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3840) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3841) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3842) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3843) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3844) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3845) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3854) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3855) PR operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

78 of 103
Page 79

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3856) PR operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3812) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3813) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3814) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3820) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3821) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3822) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3824) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3825) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3830) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3831) With/without PR becomes health test power-on operational and © 2024 Canonical Ltd. / atsec information security.

79 of 103
Page 80

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3832) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3833) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3834) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3840) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3841) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3842) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3843) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3844) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3845) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3850) With/without PR becomes health test power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

80 of 103
Page 81

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3851) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3852) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3855) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3856) With/without PR becomes health test power-on operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3812) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3813) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3814) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3820) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3821) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3822) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3824) HMAC-SHA2-512, becomes health test power-on with/without PR operational and © 2024 Canonical Ltd. / atsec information security.

81 of 103
Page 82

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3825) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3830) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3831) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3832) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3833) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3834) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3840) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3841) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3842) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3843) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.

82 of 103
Page 83

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3844) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3845) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3850) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3851) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3852) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3855) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3856) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use KAS-ECC-SSC P-256, P-384 curves KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3813) operational and before the services are integrity test available for use KAS-FFC-SSC ffdhe2048 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3812) operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3814) SHA2-256 operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3832) SHA2-256 operational and © 2024 Canonical Ltd. / atsec information security.

83 of 103
Page 84

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3850) SHA2-256 operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3851) SHA2-256 operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3852) SHA2-256 operational and before the services are integrity test available for use Safe Primes ffdhe2048, PCT PCT Successful key Signature Key pair Key ffdhe3072, pair generation generation & generation Generation ffdhe4096, verification (A3812) ffdhe6144, ffdhe8192, Section

5.6.1.1.4 Testing

Candidates ECDSA SHA2-256, P-256, P- PCT PCT Successful key Signature Key pair KeyGen 384 curves, Appendix pair generation generation & generation (FIPS186-4) B.4.2 Testing verification (A3813) Candidates Entropy 1024 samples RCT CAST Module Entropy source Entropy source Source becomes startup test initialization operational and services are available for use Entropy 1024 samples APT CAST Module Entropy source Entropy source Source becomes startup test initialization operational and services are available for use Entropy Continuously RCT CAST Entropy source Entropy source Continuously Source is operational continuous test Entropy Continuously APT CAST Entropy source Entropy source Continuously Source is operational continuous test Table 21: Conditional Self-Tests If any conditional self-test fails, the module enters the Error State.

10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3812) Authentication © 2024 Canonical Ltd. / atsec information security.

84 of 103
Page 85

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3813) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3814) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3832) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3850) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3851) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3852) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3853) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3857) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3858) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3812) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3813) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3814) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3832) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3850) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3851) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3852) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3858) Authentication RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3814) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3832) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3850) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3851) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3852) Verification Table 22: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB (A3812) KAT CAST On Demand Manually AES-ECB (A3813) KAT CAST On Demand Manually AES-ECB (A3814) KAT CAST On Demand Manually AES-ECB (A3820) KAT CAST On Demand Manually AES-ECB (A3821) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.

85 of 103
Page 86

Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB (A3822) KAT CAST On Demand Manually AES-ECB (A3824) KAT CAST On Demand Manually AES-ECB (A3825) KAT CAST On Demand Manually AES-ECB (A3829) KAT CAST On Demand Manually AES-ECB (A3830) KAT CAST On Demand Manually AES-ECB (A3831) KAT CAST On Demand Manually AES-ECB (A3832) KAT CAST On Demand Manually AES-ECB (A3833) KAT CAST On Demand Manually AES-ECB (A3834) KAT CAST On Demand Manually AES-ECB (A3840) KAT CAST On Demand Manually AES-ECB (A3841) KAT CAST On Demand Manually AES-ECB (A3842) KAT CAST On Demand Manually AES-ECB (A3843) KAT CAST On Demand Manually AES-ECB (A3844) KAT CAST On Demand Manually AES-ECB (A3845) KAT CAST On Demand Manually AES-ECB (A3853) KAT CAST On Demand Manually AES-ECB (A3854) KAT CAST On Demand Manually AES-ECB (A3855) KAT CAST On Demand Manually AES-ECB (A3856) KAT CAST On Demand Manually AES-ECB (A3857) KAT CAST On Demand Manually AES-ECB (A3812) KAT CAST On Demand Manually AES-ECB (A3813) KAT CAST On Demand Manually AES-ECB (A3814) KAT CAST On Demand Manually AES-ECB (A3820) KAT CAST On Demand Manually AES-ECB (A3821) KAT CAST On Demand Manually AES-ECB (A3822) KAT CAST On Demand Manually AES-ECB (A3824) KAT CAST On Demand Manually AES-ECB (A3825) KAT CAST On Demand Manually AES-ECB (A3829) KAT CAST On Demand Manually AES-ECB (A3830) KAT CAST On Demand Manually AES-ECB (A3831) KAT CAST On Demand Manually AES-ECB (A3832) KAT CAST On Demand Manually AES-ECB (A3833) KAT CAST On Demand Manually AES-ECB (A3834) KAT CAST On Demand Manually AES-ECB (A3840) KAT CAST On Demand Manually AES-ECB (A3841) KAT CAST On Demand Manually AES-ECB (A3842) KAT CAST On Demand Manually AES-ECB (A3843) KAT CAST On Demand Manually AES-ECB (A3844) KAT CAST On Demand Manually AES-ECB (A3845) KAT CAST On Demand Manually AES-ECB (A3853) KAT CAST On Demand Manually AES-ECB (A3854) KAT CAST On Demand Manually AES-ECB (A3855) KAT CAST On Demand Manually AES-ECB (A3856) KAT CAST On Demand Manually AES-ECB (A3857) KAT CAST On Demand Manually AES-CBC (A3814) KAT CAST On Demand Manually AES-CBC (A3822) KAT CAST On Demand Manually AES-CBC (A3829) KAT CAST On Demand Manually AES-CBC (A3832) KAT CAST On Demand Manually AES-CBC (A3840) KAT CAST On Demand Manually AES-CBC (A3843) KAT CAST On Demand Manually AES-CBC (A3853) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.

86 of 103
Page 87

Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A3854) KAT CAST On Demand Manually AES-CBC (A3857) KAT CAST On Demand Manually AES-CBC (A3814) KAT CAST On Demand Manually AES-CBC (A3822) KAT CAST On Demand Manually AES-CBC (A3829) KAT CAST On Demand Manually AES-CBC (A3832) KAT CAST On Demand Manually AES-CBC (A3840) KAT CAST On Demand Manually AES-CBC (A3843) KAT CAST On Demand Manually AES-CBC (A3853) KAT CAST On Demand Manually AES-CBC (A3854) KAT CAST On Demand Manually AES-CBC (A3857) KAT CAST On Demand Manually AES-CBC-CS3 KAT CAST On Demand Manually (A3819) AES-CBC-CS3 KAT CAST On Demand Manually (A3828) AES-CBC-CS3 KAT CAST On Demand Manually (A3838) AES-CBC-CS3 KAT CAST On Demand Manually (A3849) AES-CBC-CS3 KAT CAST On Demand Manually (A3853) AES-CBC-CS3 KAT CAST On Demand Manually (A3854) AES-CBC-CS3 KAT CAST On Demand Manually (A3819) AES-CBC-CS3 KAT CAST On Demand Manually (A3828) AES-CBC-CS3 KAT CAST On Demand Manually (A3838) AES-CBC-CS3 KAT CAST On Demand Manually (A3849) AES-CBC-CS3 KAT CAST On Demand Manually (A3853) AES-CBC-CS3 KAT CAST On Demand Manually (A3854) AES-CFB128 KAT CAST On Demand Manually (A3817) AES-CFB128 KAT CAST On Demand Manually (A3826) AES-CFB128 KAT CAST On Demand Manually (A3836) AES-CFB128 KAT CAST On Demand Manually (A3847) AES-CFB128 KAT CAST On Demand Manually (A3854) AES-CFB128 KAT CAST On Demand Manually (A3817) AES-CFB128 KAT CAST On Demand Manually (A3826) AES-CFB128 KAT CAST On Demand Manually (A3836) AES-CFB128 KAT CAST On Demand Manually (A3847) © 2024 Canonical Ltd. / atsec information security.

87 of 103
Page 88

Algorithm or Test Test Method Test Type Period Periodic Method AES-CFB128 KAT CAST On Demand Manually (A3854) AES-CTR (A3814) KAT CAST On Demand Manually AES-CTR (A3822) KAT CAST On Demand Manually AES-CTR (A3829) KAT CAST On Demand Manually AES-CTR (A3832) KAT CAST On Demand Manually AES-CTR (A3840) KAT CAST On Demand Manually AES-CTR (A3843) KAT CAST On Demand Manually AES-CTR (A3853) KAT CAST On Demand Manually AES-CTR (A3854) KAT CAST On Demand Manually AES-CTR (A3857) KAT CAST On Demand Manually AES-CTR (A3814) KAT CAST On Demand Manually AES-CTR (A3822) KAT CAST On Demand Manually AES-CTR (A3829) KAT CAST On Demand Manually AES-CTR (A3832) KAT CAST On Demand Manually AES-CTR (A3840) KAT CAST On Demand Manually AES-CTR (A3843) KAT CAST On Demand Manually AES-CTR (A3853) KAT CAST On Demand Manually AES-CTR (A3854) KAT CAST On Demand Manually AES-CTR (A3857) KAT CAST On Demand Manually AES-CCM (A3814) KAT CAST On Demand Manually AES-CCM (A3822) KAT CAST On Demand Manually AES-CCM (A3829) KAT CAST On Demand Manually AES-CCM (A3832) KAT CAST On Demand Manually AES-CCM (A3843) KAT CAST On Demand Manually AES-CCM (A3853) KAT CAST On Demand Manually AES-CCM (A3854) KAT CAST On Demand Manually AES-CCM (A3814) KAT CAST On Demand Manually AES-CCM (A3822) KAT CAST On Demand Manually AES-CCM (A3829) KAT CAST On Demand Manually AES-CCM (A3832) KAT CAST On Demand Manually AES-CCM (A3843) KAT CAST On Demand Manually AES-CCM (A3853) KAT CAST On Demand Manually AES-CCM (A3854) KAT CAST On Demand Manually AES-GCM (A3814) KAT CAST On Demand Manually AES-GCM (A3820) KAT CAST On Demand Manually AES-GCM (A3821) KAT CAST On Demand Manually AES-GCM (A3822) KAT CAST On Demand Manually AES-GCM (A3824) KAT CAST On Demand Manually AES-GCM (A3825) KAT CAST On Demand Manually AES-GCM (A3829) KAT CAST On Demand Manually AES-GCM (A3830) KAT CAST On Demand Manually AES-GCM (A3831) KAT CAST On Demand Manually AES-GCM (A3832) KAT CAST On Demand Manually AES-GCM (A3833) KAT CAST On Demand Manually AES-GCM (A3834) KAT CAST On Demand Manually AES-GCM (A3840) KAT CAST On Demand Manually AES-GCM (A3841) KAT CAST On Demand Manually AES-GCM (A3842) KAT CAST On Demand Manually AES-GCM (A3843) KAT CAST On Demand Manually AES-GCM (A3844) KAT CAST On Demand Manually AES-GCM (A3845) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.

88 of 103
Page 89

Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM (A3854) KAT CAST On Demand Manually AES-GCM (A3855) KAT CAST On Demand Manually AES-GCM (A3856) KAT CAST On Demand Manually AES-GCM (A3814) KAT CAST On Demand Manually AES-GCM (A3820) KAT CAST On Demand Manually AES-GCM (A3821) KAT CAST On Demand Manually AES-GCM (A3822) KAT CAST On Demand Manually AES-GCM (A3824) KAT CAST On Demand Manually AES-GCM (A3825) KAT CAST On Demand Manually AES-GCM (A3829) KAT CAST On Demand Manually AES-GCM (A3830) KAT CAST On Demand Manually AES-GCM (A3831) KAT CAST On Demand Manually AES-GCM (A3832) KAT CAST On Demand Manually AES-GCM (A3833) KAT CAST On Demand Manually AES-GCM (A3834) KAT CAST On Demand Manually AES-GCM (A3840) KAT CAST On Demand Manually AES-GCM (A3841) KAT CAST On Demand Manually AES-GCM (A3842) KAT CAST On Demand Manually AES-GCM (A3843) KAT CAST On Demand Manually AES-GCM (A3844) KAT CAST On Demand Manually AES-GCM (A3845) KAT CAST On Demand Manually AES-GCM (A3854) KAT CAST On Demand Manually AES-GCM (A3855) KAT CAST On Demand Manually AES-GCM (A3856) KAT CAST On Demand Manually AES-OFB (A3818) KAT CAST On Demand Manually AES-OFB (A3827) KAT CAST On Demand Manually AES-OFB (A3837) KAT CAST On Demand Manually AES-OFB (A3848) KAT CAST On Demand Manually AES-OFB (A3854) KAT CAST On Demand Manually AES-OFB (A3818) KAT CAST On Demand Manually AES-OFB (A3827) KAT CAST On Demand Manually AES-OFB (A3837) KAT CAST On Demand Manually AES-OFB (A3848) KAT CAST On Demand Manually AES-OFB (A3854) KAT CAST On Demand Manually AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3814) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3822) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3829) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3832) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3840) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3843) © 2024 Canonical Ltd. / atsec information security.

89 of 103
Page 90

Algorithm or Test Test Method Test Type Period Periodic Method AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3853) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3854) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3857) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3814) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3822) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3829) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3832) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3840) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3843) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3853) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3854) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3857) AES-CMAC (A3814) KAT CAST On Demand Manually AES-CMAC (A3822) KAT CAST On Demand Manually AES-CMAC (A3829) KAT CAST On Demand Manually AES-CMAC (A3832) KAT CAST On Demand Manually AES-CMAC (A3843) KAT CAST On Demand Manually AES-CMAC (A3853) KAT CAST On Demand Manually AES-CMAC (A3854) KAT CAST On Demand Manually SHA-1 (A3812) KAT CAST On Demand Manually SHA-1 (A3813) KAT CAST On Demand Manually SHA-1 (A3814) KAT CAST On Demand Manually SHA-1 (A3832) KAT CAST On Demand Manually SHA-1 (A3850) KAT CAST On Demand Manually SHA-1 (A3851) KAT CAST On Demand Manually SHA-1 (A3852) KAT CAST On Demand Manually SHA-1 (A3853) KAT CAST On Demand Manually SHA2-224 (A3812) KAT CAST On Demand Manually SHA2-224 (A3813) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.

90 of 103
Page 91

Algorithm or Test Test Method Test Type Period Periodic Method SHA2-224 (A3814) KAT CAST On Demand Manually SHA2-224 (A3832) KAT CAST On Demand Manually SHA2-224 (A3850) KAT CAST On Demand Manually SHA2-224 (A3851) KAT CAST On Demand Manually SHA2-224 (A3852) KAT CAST On Demand Manually SHA2-224 (A3853) KAT CAST On Demand Manually SHA2-224 (A3857) KAT CAST On Demand Manually SHA2-224 (A3858) KAT CAST On Demand Manually SHA2-256 (A3812) KAT CAST On Demand Manually SHA2-256 (A3813) KAT CAST On Demand Manually SHA2-256 (A3814) KAT CAST On Demand Manually SHA2-256 (A3832) KAT CAST On Demand Manually SHA2-256 (A3850) KAT CAST On Demand Manually SHA2-256 (A3851) KAT CAST On Demand Manually SHA2-256 (A3852) KAT CAST On Demand Manually SHA2-256 (A3853) KAT CAST On Demand Manually SHA2-256 (A3857) KAT CAST On Demand Manually SHA2-256 (A3858) KAT CAST On Demand Manually SHA2-384 (A3812) KAT CAST On Demand Manually SHA2-384 (A3813) KAT CAST On Demand Manually SHA2-384 (A3814) KAT CAST On Demand Manually SHA2-384 (A3832) KAT CAST On Demand Manually SHA2-384 (A3850) KAT CAST On Demand Manually SHA2-384 (A3851) KAT CAST On Demand Manually SHA2-384 (A3852) KAT CAST On Demand Manually SHA2-384 (A3858) KAT CAST On Demand Manually SHA2-512 (A3812) KAT CAST On Demand Manually SHA2-512 (A3813) KAT CAST On Demand Manually SHA2-512 (A3814) KAT CAST On Demand Manually SHA2-512 (A3832) KAT CAST On Demand Manually SHA2-512 (A3850) KAT CAST On Demand Manually SHA2-512 (A3851) KAT CAST On Demand Manually SHA2-512 (A3852) KAT CAST On Demand Manually SHA2-512 (A3858) KAT CAST On Demand Manually SHA3-224 (A3816) KAT CAST On Demand Manually SHA3-224 (A3839) KAT CAST On Demand Manually SHA3-256 (A3816) KAT CAST On Demand Manually SHA3-256 (A3839) KAT CAST On Demand Manually SHA3-384 (A3816) KAT CAST On Demand Manually SHA3-384 (A3839) KAT CAST On Demand Manually SHA3-512 (A3816) KAT CAST On Demand Manually SHA3-512 (A3839) KAT CAST On Demand Manually HMAC-SHA-1 KAT CAST On Demand Manually (A3812) HMAC-SHA-1 KAT CAST On Demand Manually (A3813) HMAC-SHA-1 KAT CAST On Demand Manually (A3814) HMAC-SHA-1 KAT CAST On Demand Manually (A3832) HMAC-SHA-1 KAT CAST On Demand Manually (A3850) © 2024 Canonical Ltd. / atsec information security.

91 of 103
Page 92

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA-1 KAT CAST On Demand Manually (A3851) HMAC-SHA-1 KAT CAST On Demand Manually (A3852) HMAC-SHA-1 KAT CAST On Demand Manually (A3853) HMAC-SHA2-224 KAT CAST On Demand Manually (A3812) HMAC-SHA2-224 KAT CAST On Demand Manually (A3813) HMAC-SHA2-224 KAT CAST On Demand Manually (A3814) HMAC-SHA2-224 KAT CAST On Demand Manually (A3832) HMAC-SHA2-224 KAT CAST On Demand Manually (A3850) HMAC-SHA2-224 KAT CAST On Demand Manually (A3851) HMAC-SHA2-224 KAT CAST On Demand Manually (A3852) HMAC-SHA2-224 KAT CAST On Demand Manually (A3853) HMAC-SHA2-224 KAT CAST On Demand Manually (A3857) HMAC-SHA2-224 KAT CAST On Demand Manually (A3858) HMAC-SHA2-256 KAT CAST On Demand Manually (A3812) HMAC-SHA2-256 KAT CAST On Demand Manually (A3813) HMAC-SHA2-256 KAT CAST On Demand Manually (A3814) HMAC-SHA2-256 KAT CAST On Demand Manually (A3832) HMAC-SHA2-256 KAT CAST On Demand Manually (A3850) HMAC-SHA2-256 KAT CAST On Demand Manually (A3851) HMAC-SHA2-256 KAT CAST On Demand Manually (A3852) HMAC-SHA2-256 KAT CAST On Demand Manually (A3853) HMAC-SHA2-256 KAT CAST On Demand Manually (A3857) HMAC-SHA2-256 KAT CAST On Demand Manually (A3858) HMAC-SHA2-384 KAT CAST On Demand Manually (A3812) HMAC-SHA2-384 KAT CAST On Demand Manually (A3813) HMAC-SHA2-384 KAT CAST On Demand Manually (A3814) HMAC-SHA2-384 KAT CAST On Demand Manually (A3832) © 2024 Canonical Ltd. / atsec information security.

92 of 103
Page 93

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-384 KAT CAST On Demand Manually (A3850) HMAC-SHA2-384 KAT CAST On Demand Manually (A3851) HMAC-SHA2-384 KAT CAST On Demand Manually (A3852) HMAC-SHA2-384 KAT CAST On Demand Manually (A3858) HMAC-SHA2-512 KAT CAST On Demand Manually (A3812) HMAC-SHA2-512 KAT CAST On Demand Manually (A3813) HMAC-SHA2-512 KAT CAST On Demand Manually (A3814) HMAC-SHA2-512 KAT CAST On Demand Manually (A3832) HMAC-SHA2-512 KAT CAST On Demand Manually (A3850) HMAC-SHA2-512 KAT CAST On Demand Manually (A3851) HMAC-SHA2-512 KAT CAST On Demand Manually (A3852) HMAC-SHA2-512 KAT CAST On Demand Manually (A3858) HMAC-SHA3-224 KAT CAST On Demand Manually (A3816) HMAC-SHA3-224 KAT CAST On Demand Manually (A3839) HMAC-SHA3-256 KAT CAST On Demand Manually (A3816) HMAC-SHA3-256 KAT CAST On Demand Manually (A3839) HMAC-SHA3-384 KAT CAST On Demand Manually (A3816) HMAC-SHA3-384 KAT CAST On Demand Manually (A3839) HMAC-SHA3-512 KAT CAST On Demand Manually (A3816) HMAC-SHA3-512 KAT CAST On Demand Manually (A3839) Counter DRBG KAT CAST On Demand Manually (A3812) Counter DRBG KAT CAST On Demand Manually (A3813) Counter DRBG KAT CAST On Demand Manually (A3814) Counter DRBG KAT CAST On Demand Manually (A3820) Counter DRBG KAT CAST On Demand Manually (A3821) Counter DRBG KAT CAST On Demand Manually (A3822) Counter DRBG KAT CAST On Demand Manually (A3824) © 2024 Canonical Ltd. / atsec information security.

93 of 103
Page 94

Algorithm or Test Test Method Test Type Period Periodic Method Counter DRBG KAT CAST On Demand Manually (A3825) Counter DRBG KAT CAST On Demand Manually (A3829) Counter DRBG KAT CAST On Demand Manually (A3830) Counter DRBG KAT CAST On Demand Manually (A3831) Counter DRBG KAT CAST On Demand Manually (A3832) Counter DRBG KAT CAST On Demand Manually (A3833) Counter DRBG KAT CAST On Demand Manually (A3834) Counter DRBG KAT CAST On Demand Manually (A3840) Counter DRBG KAT CAST On Demand Manually (A3841) Counter DRBG KAT CAST On Demand Manually (A3842) Counter DRBG KAT CAST On Demand Manually (A3843) Counter DRBG KAT CAST On Demand Manually (A3844) Counter DRBG KAT CAST On Demand Manually (A3845) Counter DRBG KAT CAST On Demand Manually (A3854) Counter DRBG KAT CAST On Demand Manually (A3855) Counter DRBG KAT CAST On Demand Manually (A3856) Hash DRBG (A3812) KAT CAST On Demand Manually Hash DRBG (A3813) KAT CAST On Demand Manually Hash DRBG (A3814) KAT CAST On Demand Manually Hash DRBG (A3820) KAT CAST On Demand Manually Hash DRBG (A3821) KAT CAST On Demand Manually Hash DRBG (A3822) KAT CAST On Demand Manually Hash DRBG (A3824) KAT CAST On Demand Manually Hash DRBG (A3825) KAT CAST On Demand Manually Hash DRBG (A3830) KAT CAST On Demand Manually Hash DRBG (A3831) KAT CAST On Demand Manually Hash DRBG (A3832) KAT CAST On Demand Manually Hash DRBG (A3833) KAT CAST On Demand Manually Hash DRBG (A3834) KAT CAST On Demand Manually Hash DRBG (A3840) KAT CAST On Demand Manually Hash DRBG (A3841) KAT CAST On Demand Manually Hash DRBG (A3842) KAT CAST On Demand Manually Hash DRBG (A3843) KAT CAST On Demand Manually Hash DRBG (A3844) KAT CAST On Demand Manually Hash DRBG (A3845) KAT CAST On Demand Manually Hash DRBG (A3850) KAT CAST On Demand Manually Hash DRBG (A3851) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.

94 of 103
Page 95

Algorithm or Test Test Method Test Type Period Periodic Method Hash DRBG (A3852) KAT CAST On Demand Manually Hash DRBG (A3855) KAT CAST On Demand Manually Hash DRBG (A3856) KAT CAST On Demand Manually HMAC DRBG KAT CAST On Demand Manually (A3812) HMAC DRBG KAT CAST On Demand Manually (A3813) HMAC DRBG KAT CAST On Demand Manually (A3814) HMAC DRBG KAT CAST On Demand Manually (A3820) HMAC DRBG KAT CAST On Demand Manually (A3821) HMAC DRBG KAT CAST On Demand Manually (A3822) HMAC DRBG KAT CAST On Demand Manually (A3824) HMAC DRBG KAT CAST On Demand Manually (A3825) HMAC DRBG KAT CAST On Demand Manually (A3830) HMAC DRBG KAT CAST On Demand Manually (A3831) HMAC DRBG KAT CAST On Demand Manually (A3832) HMAC DRBG KAT CAST On Demand Manually (A3833) HMAC DRBG KAT CAST On Demand Manually (A3834) HMAC DRBG KAT CAST On Demand Manually (A3840) HMAC DRBG KAT CAST On Demand Manually (A3841) HMAC DRBG KAT CAST On Demand Manually (A3842) HMAC DRBG KAT CAST On Demand Manually (A3843) HMAC DRBG KAT CAST On Demand Manually (A3844) HMAC DRBG KAT CAST On Demand Manually (A3845) HMAC DRBG KAT CAST On Demand Manually (A3850) HMAC DRBG KAT CAST On Demand Manually (A3851) HMAC DRBG KAT CAST On Demand Manually (A3852) HMAC DRBG KAT CAST On Demand Manually (A3855) HMAC DRBG KAT CAST On Demand Manually (A3856) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3813) © 2024 Canonical Ltd. / atsec information security.

95 of 103
Page 96

Algorithm or Test Test Method Test Type Period Periodic Method KAS-FFC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3812) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3814) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3832) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3850) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3851) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3852) Safe Primes Key PCT PCT On Demand Manually Generation (A3812) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3813) Entropy Source RCT CAST On Demand Manually Entropy Source APT CAST On Demand Manually Entropy Source RCT CAST On Demand Manually Entropy Source APT CAST On Demand Manually Table 23: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Method Indicator Error The Linux kernel immediately stops Any self-test Restart of the Kernel State executing failure module Panic Table 24: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. © 2024 Canonical Ltd. / atsec information security.

96 of 103
Page 97
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

On the Ubuntu 22.04 LTS operational environments, the module is distributed in the form of the following deb packages:

97 of 103
Page 98

On the Ubuntu 22.04 LTS operational environments, versions of the installed packages can be verified using the following command: $ dpkg-query -W linux-image-5.15.0-73-fips linux-modules-5.15.0-73-fips linux-image-hmac5.15.0-73-fips libkcapi1 kcapi-tools On the Ubuntu Core 22 operational environments, revisions of the installed snaps can be verified using the following command: $ snap list fips-kernel

11.2 Administrator Guidance

The Approved and non-Approved modes of operation are specified in section 2.4. The administrative functions are specified in the Approved Services table. All the physical ports and logical interfaces are specified in section 3.1.

11.3 Non-Administrator Guidance

The approved and non-approved security functions available to users are listed in section 2, the physical ports, and logical interfaces available to users are specified in section 3.1. The Approved and non-Approved modes of operation are specified in section 2.4. The algorithmspecific information is listed in section 2.7.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. If desired, the linux-image-5.15.0-73-fips, linux-modules-5.15.0-73-fips, linux-image-hmac5.15.0-73-fips, libkcapi1, and kcapi-tools deb packages can be uninstalled from the Ubuntu

22.04 LTS system.

The Ubuntu Core 22 system is distributed as an operating system image, so removing this image will also uninstall the module. Alternatively, the “snap remodel” command can be used to switch to a generic model with a different kernel. © 2024 Canonical Ltd. / atsec information security.

98 of 103
Page 99
12 Mitigation of Other Attacks

The module does not offer mitigation of other attacks and therefore this section is not applicable. © 2024 Canonical Ltd. / atsec information security.

99 of 103
Page 100

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KW Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Canonical Ltd. / atsec information security.

100 of 103
Page 101

Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validationprogram/fips-140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) June 2005 https://datatracker.ietf.org/doc/html/rfc4106 RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2) October 2014 https://datatracker.ietf.org/doc/html/rfc7296 © 2024 Canonical Ltd. / atsec information security.

101 of 103
Page 102

SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Addendum Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80038F.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80056Ar3.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090B.pdf © 2024 Canonical Ltd. / atsec information security.

102 of 103
Page 103

SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800133r2.pdf SP 800-140Br1 CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800140Br1.pdf © 2024 Canonical Ltd. / atsec information security.

103 of 103