| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Firmware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 12/17/2026 |
| Caveat | Interim validation |
| Vendor | Hewlett Packard Enterprise |
| Algorithm | ACVP Cert |
|---|---|
| RSA SigVer (FIPS186-4) | A2688 |
| SHA2-256 | A2688 |
flowchart LR
%% Deterministic review-risk graph for Bootloader Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load<br/>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Self-Test<br/>show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>bootloader</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Bootloader Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load<br/>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Self-Test<br/>show status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>bootloader</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Non-Proprietary Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Document Version 1.0 November 2024 1| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
Non-Proprietary © 2024 Hewlett Packard Enterprise Company. Hewlett Packard Enterprise Company trademarks include , HPE Wireless Networks, HPE Networking, the registered HPE Networking the Mobile Edge Company logo, HPE Networking Mobility Management System®, Mobile Edge Architecture®, People Move. their respective owners. HPE Networking is a Hewlett Packard Enterprise company. The resource assets in this firmware may include abbreviated and/or legacy terminology for HPE Networking products. See https://www.hpe.com/us/en/networking/ for current and complete HPE Networking product lines and names. Open Source Code Certain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site: https://myenterpriselicense.hpe.com/cwp-ui/software Legal Notice The use of Hewlett Packard Enterprise Company switching platforms and software or firmware, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Hewlett Packard Enterprise Company, from vendors. https://www.hpe.com/us/en/networking/
Spring, TX, USA 77389 Phone: 1-888-342-2156 2| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
11.1.1 Setting Up the Hewlett Packard Enterprise Controller, Gateway, Conductor, or Controller-managed
Figures 3| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
Non-Proprietary Tables Preface notice. Products identified herein contain confidential commercial firmware. Valid license required. Document Revision History The following table lists the history of the revisions of this document by version number and date of revision. Table 1
1.0 November 2024 firmware version 1.0 that boots verified ArubaOS firmware versions on Hewlett
Packard Enterprise hardware and virtual appliances. 4| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
This section describes:
This release supplement provides information regarding the Hewlett Packard Enterprise Bootloader Module firmware version 1.0 FIPS 140-3 Level 1 validation from Hewlett Packard Enterprise (HPE). Throughout this document, references to HPE Networking are to the Hewlett Packard Enterprise division. The material in this supplement modifies the general Hewlett Packard Enterprise firmware documentation included with this product and should be kept with your Hewlett Packard Enterprise product documentation. This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Hewlett Packard Enterprise Bootloader Module firmware version 1.0. This security policy describes how the module meets the security requirements of FIPS 140-3 Level 1 and how to place and maintain the module in the secure FIPS 140-3 mode. This policy was prepared as part of the FIPS 140-3 Level 1 validation of the product. FIPS 140-3 (Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to the Cryptographic Module Validation Program (CMVP), as a validation authority. The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E), with the modifications, additions or deletions of vendor evidence and testing allowed as a validation authority under paragraph 5.2. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program In addition, in this document, the Hewlett Packard Enterprise Bootloader Module is referred to as the module, the cryptographic module, or the bootloader.
More information is available from the following sources:
AES Advanced Encryption Standard AP Access Point BIOS Basic Input/Output System CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCCS Canadian Centre for Cyber Security, a branch of CSE CLI Command Line Interface CMVP Cryptographic Module Validation Program CO Crypto Officer CPSec Control Plane Security protected CSE Communications Security Establishment CSP Critical Security Parameter ECO External Crypto Officer EMC Electromagnetic Compatibility EMI Electromagnetic Interference ESV Entropy Source Validation FE Fast Ethernet GE Gigabit Ethernet GHz Gigahertz HMAC Hashed Message Authentication Code Hz Hertz IKE Internet Key Exchange IPsec Internet Protocol security KAT Known Answer Test KEK Key Encryption Key L2TP Layer-2 Tunnelling Protocol LAN Local Area Network LED Light Emitting Diode NTP Network Time Protocol OCSP Online Certificate Status Protocol PCT Pairwise Consistency Test PSP Public Security Parameter SFTP Secure File Transfer Protocol SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SSP Sensitive Security Parameter SPOE Serial & Power Over Ethernet TEL Tamper-Evident Label TFTP Trivial File Transfer Protocol TPM Trusted Platform Module UEFI Unified Extensible Firmware Interface WLAN Wireless Local Area Network 6| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
The Hewlett Packard Enterprise Bootloader Module is intended to meet overall FIPS 140-3 Level 1 requirements as shown in the following table. Table 2
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security 1
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A
Overall Overall Security Rating of the Module 1 7| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
Purpose and Use: The Hewlett Packard Enterprise Bootloader Module (also referred to as ‘the module’) is a firmware type cryptographic module and was validated under FIPS 140-3 Level 1 requirements. The Hewlett Packard Enterprise Bootloader Module (firmware) is booted by the hardware BIOS process (out of the scope of this validation) and provides basic cryptographic services before booting the ArubaOS operating system on the Hewlett Packard Enterprise hardware-based equipment or Hewlett Packard Enterprise virtual appliances. ArubaOS is the operating system for Hewlett Packard Enterprise Mobility Conductors, Mobility Controllers/Gateways, and controller-managed Hewlett Packard Enterprise Access Points (APs)
The Hewlett Packard Enterprise Bootloader Module (firmware) is preloaded during Hewlett Packard Enterprise device manufacturing with the appropriate Hewlett Packard Enterprise bootloader image for the Hewlett Packard Enterprise device, the Factory CA Public Key, and the ArubaOS image (both the Factory CA Public Key and ArubaOS are out of scope of this validation). Refer to Figure 2 block diagram below and the following section 2.2, Version Information. Once booted by the hardware BIOS process (out of the scope of this validation) from the bootloader partition storage, the Hewlett Packard Enterprise Bootloader Module (firmware) boots the ArubaOS operating system from the ArubaOS image partition after confirming the OS has been properly signed and performing the firmware integrity test (see section 5, Software/Firmware Security). The cryptographic boundary for the module firmware is defined as the preloaded Hewlett Packard Enterprise Bootloader Module (see Figure 2). The Tested Operational Environment’s Physical Perimeter (TOEPP) is the production-grade enclosure of the hardware chassis of the Hewlett Packard Enterprise hardware device or Hewlett Packard Enterprise virtual appliance host (see Figure 2). Figure 2
The Hewlett Packard Enterprise Bootloader Module (firmware) version 1.0 was validated against FIPS 140-3 Level 1 requirements. The CMVP makes no claim as to the correct operation of the module when operating a version that is not listed on the validation certificate. Table 3
Hewlett Packard Enterprise Bootloader Module version 1.0 is preloaded during Hewlett Packard Enterprise device manufacturing with the appropriate Hewlett Packard Enterprise bootloader image for the Hewlett Packard Enterprise device (see section 2.2, Version Information, in the Hewlett Packard Enterprise Bootloader Module version 1.0 Administrator Guidance document). The module operates in a limited operational environment. The module runs on the host hardware and boots the verified and integrity tested ArubaOS firmware. See the following tables of Tested Operational Environments and Vendor Affirmed Operational Environments for details. Table 4
1 ArubaOS 8.10 7220 Mobility Controller None
(MIPS64) Intel Atom C3508 None
(Denverton) Broadcom BCM (64-bit None
ARMv8) Qualcomm IPQ (64-bit None
ARM Cortex A53) Qualcomm IPQ (64-bit None
ARM Cortex A53) Qualcomm IPQ (64-bit None
ARM Cortex A53) MCR-HW-5K Mobility Conductor Intel Xeon E5-2620v4
7 ArubaOS 8.10 with PAA
Hardware Appliance (Broadwell) MC-VA-50 Mobility Controller ArubaOS 8.10 on Intel Xeon Silver 4210
8 Virtual Appliance on HPE with / without PAA
VMWare ESXi 7.0 (Cascade Lake) ProLiant ML110 Gen10 10| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
Non-Proprietary Table 5
5 ArubaOS 8.10 and 8.13 AP-51x and AP-57x Wireless Access Points
6 ArubaOS 8.10 and 8.13 AP-50x and AP-56x Wireless Access Points
7 ArubaOS 8.10 and 8.13 AP-53x, AP-55x, AP-58x, and AP-63x Wireless Access Points
8 ArubaOS 8.10 and 8.13 MCR-HW-xxx Mobility Conductor Hardware Appliances
ArubaOS 8.10 and 8.13 MC-VA-xxx Mobility Controller Virtual Appliances on HPE on VMWare ESXi 7.0 ProLiant ML110 Gen10 ArubaOS 8.10 and 8.13 MCR-VA-xxx Mobility Conductor Virtual Appliances on HPE on VMWare ESXi 7.0 ProLiant ML110 Gen10 ArubaOS 8.10 and 8.13 Virtual Appliances on HPE EdgeLine 20 on VMWare ESXi 7.0 ArubaOS 8.10 and 8.13 Virtual Appliances on PacStar PS451-1258 Series on VMWare ESXi 7.0 ArubaOS 8.10 and 8.13 Virtual Appliances on device running an equivalent Intel on VMWare ESXi 7.0 processor (Intel Atom, i5, i7, or Xeon)
There are no excluded components for the module.
Table 6
Non-Proprietary When the module starts up successfully, after passing all the Cryptographic Algorithm Self-Tests (CASTs), Pre-Operational Self-Tests (POSTs), and Conditional self-tests, and following the guidance in section 11.1, Start-up Procedures, the module is operating in the Approved mode of operation. The module cannot be transitioned into any other mode. Section 4.3, Services, provides details on the service indicator implemented by the module.
The firmware in the Hewlett Packard Enterprise Bootloader Module contains the following cryptographic algorithm implementations that will be used for the corresponding security services supported by the module in the Approved mode. Table 7
2.7 Non-Approved Cryptographic Algorithms Allowed in the Approved Mode of Operation
The cryptographic module does not implement any non-Approved algorithms that are allowed for use in the Approved mode of operation.
Security Claimed The cryptographic module does not implement any non-Approved algorithms in the Approved mode of operation with no security claimed.
The cryptographic module does not implement any non-Approved algorithms that are not permitted for use in the Approved mode of operations.
Cryptographic bypass is not supported by the Hewlett Packard Enterprise Bootloader Module. 12| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
As a firmware module, the module interfaces are defined as Software or Firmware Module Interfaces (SFMI), and there are no physical ports. The logical interfaces are listed in the table below. All data output via data output interface is inhibited when the module is performing pre-operational tests or zeroization or when the module enters error state. Table 8
The following section lists the roles supported by the module, authentication mechanisms used by the module, and services (both security and non-security) available from the module.
The Hewlett Packard Enterprise Bootloader Module does not provide any identification or authentication methods.
The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service. The module does not support multiple concurrent operators, a maintenance role, nor bypass capability. Table 9
Non-Proprietary Table 10
The module provides various services depending on role. These are described in the sections below. The meaning of the letters used to describe the ‘Access Rights to Keys and/or SSPs’ are:
See the tables below for descriptions of the services, Approved security functions, keys and/or SSPs available to the module’s roles. Table 11
Non-Proprietary Table 12
Since the module always operates in the Approved mode, there are no non-approved services. 15| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
The Hewlett Packard Enterprise Bootloader Module (firmware version 1.0) is an Hewlett Packard Enterprise cryptographic module that provides basic cryptographic services for the Hewlett Packard Enterprise bootloader function. The module is preloaded and shipped with each Hewlett Packard Enterprise device and is booted by the hardware BIOS process (out of the scope of this validation) when power is applied to the device. After the cryptographic algorithm, pre-operational firmware integrity test, and conditional self-tests are successfully passed, the module will boot the ArubaOS operating system from the image partition. The module only allows the booting of trusted and verified firmware that is signed by Hewlett Packard Enterprise. The module performs a firmware integrity test when powered on and conditionally whenever a firmware load request is received (refer to Self-Tests for details). All cryptographic algorithm self-tests are run when the module is powered on, prior to the first operational use of the cryptographic algorithm. Both the Firmware Integrity Test and Firmware Load Test use RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA2-256. The operator can initiate the firmware integrity test on demand by rebooting the host. All data output via the data output interface is inhibited until the cryptographic algorithm self-tests and firmware integrity test have completed successfully. If the firmware integrity test fails, the module enters the error state (while in this state, the module provides no functionality). The temporary values generated during the firmware integrity test are zeroized upon completion of the integrity test. After the ArubaOS firmware boot, the operator can determine the version of the loaded firmware through reviewing the log and by using the show status ArubaOS CLI command (use the link in the section Full Documentation to refer to ArubaOS
The operational environment is limited. The Hewlett Packard Enterprise Bootloader Module (firmware) is booted by the hardware BIOS process and provides basic cryptographic services before booting the ArubaOS operating system on the Hewlett Packard Enterprise hardware-based equipment or Hewlett Packard Enterprise virtual appliances. ArubaOS, Hewlett Packard Enterprise devices, and the hardware BIOS process are out of scope of this validation. Once ArubaOS is booted, control of the Hewlett Packard Enterprise device passes to ArubaOS and the module is not executed again until the next hardware boot of the Hewlett Packard Enterprise device. The module was tested on the platforms listed above in section 2.3, Table 4, Tested Operational Environments.
The Hewlett Packard Enterprise Bootloader Module is a firmware type module and obtains its physical security from the host platform. As per FIPS 140-3 for multiple-chip standalone cryptographic modules at Security Level 1, the host platform consists of production-grade components within a production-grade enclosure. All the platforms listed above in section 2.3 meet these requirements.
Since the module has not been purposely designed, built and publicly documented to include non-invasive mitigation techniques, the Non-Invasive Security requirements are not applicable. 16| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy
The following are the Sensitive Security Parameters (SSPs) and Keys used in the module. Table 13
1 Factory CA 2048 bits RSA Public N/A Import: from N/A Stored in TPM Since this public This is a RSA public
Public Key Key Loaded into the TPM key is stored and key. -PSP TPM during protected in the Used for Hewlett Cert. #A2688 Export: N/A TPM, the manufacturing (i.e. Packard Enterprise out of scope of zeroization firmware verification. module). requirements do not apply. Note:
The module performs at power-on the Cryptographic Algorithm Self-Tests (CASTs) and Pre-Operational Self-Tests (POSTs). After the cryptographic algorithm, pre-operational, and conditional self-tests are successfully passed, the module automatically transitions to the operational state and is operating in the Approved mode of operation by default. While the module is executing the cryptographic algorithm and pre-operational self-tests, services are not available, and input and output are inhibited. In addition, the module also performs Conditional self-tests. All cryptographic algorithm self-tests are run when the module is powered on, prior to the first operational use of the cryptographic algorithm. The Hewlett Packard Enterprise Bootloader Module performs the following Pre-Operational Self-Tests (POSTs): Table 14
Non-Proprietary Upon successful completion of the power-up self-tests, the module displays results on the host device console:
The Hewlett Packard Enterprise Bootloader Module is a firmware type module, and must run on an Hewlett Packard Enterprise hardware unit (e.g., Controller, Gateway, Conductor, or Access Point) or virtual appliance (e.g., VMWare ESXi or open source KVM hypervisor running on a hardware server unit (e.g., HPE ProLiant ML110 Gen10 or HPE EdgeLine 20)). ArubaOS is the operating system for Hewlett Packard Enterprise Mobility Conductors, Mobility Controllers/Gateways, and controller-managed Hewlett Packard Enterprise Access Points (APs). The Hewlett Packard Enterprise Bootloader Module (firmware) is an Hewlett Packard Enterprise cryptographic module that provides basic cryptographic services for the Hewlett Packard Enterprise bootloader function that boots the ArubaOS operating system running on the Hewlett Packard Enterprise hardware-based equipment or Hewlett Packard Enterprise virtual appliances. The Hewlett Packard Enterprise Bootloader Module is preloaded on shipped Hewlett Packard Enterprise equipment. The module boots the ArubaOS operating system (for either Hewlett Packard Enterprise hardware-based equipment or Hewlett Packard Enterprise virtual appliances) from the image partition after performing the firmware integrity test. The module performs a firmware integrity test when powered on and conditionally whenever a firmware load request is received (refer to Software / Firmware Security and SelfTests for details). Once ArubaOS is booted, control of the Hewlett Packard Enterprise device passes to ArubaOS and the module is not executed again until the next hardware boot of the Hewlett Packard Enterprise device. ArubaOS and Hewlett Packard Enterprise devices are out of scope of this validation.
The Hewlett Packard Enterprise Bootloader Module firmware is preloaded into the Hewlett Packard Enterprise equipment that is ordered by the Crypto Officer. The Hewlett Packard Enterprise equipment is shipped to the Crypto Officer in factory-sealed boxes using trusted commercial carrier shipping companies. The Crypto Officer should examine the carton for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging. Inform your supplier if there are any incorrect, missing, or damaged parts. If possible, retain the carton, including the original packing materials. Use these materials to repack and return the Hewlett Packard Enterprise unit to the supplier if needed. All Hewlett Packard Enterprise hardware units and virtual appliances should be professionally installed by an Hewlett Packard Enterprise-Certified Mobility Professional (ACMP). Do not disassemble Hewlett Packard Enterprise hardware unit chassis or components. They have no internal user-serviceable parts. When service or repair is needed, contact Hewlett Packard Enterprise.
11.1.1 Setting Up the Hewlett Packard Enterprise Controller, Gateway, Conductor, or
Controller-managed Access Point (AP) and Running Bootloader Module Automatically The Crypto Officer shall perform the following steps to set-up the Hewlett Packard Enterprise Controller, Gateway, Conductor, or controller-managed Access Point (AP) whether a hardware unit or a virtual appliance:
Non-Proprietary a. Refer to the appropriate boot console messages listed above in the Self-Tests section. For more details, refer to the Hewlett Packard Enterprise Bootloader Module version 1.0 Administrator Guidance document. b. Successful boot sequences automatically include: i. Cryptographic Algorithm Self-Tests (CASTs) and Pre-Operational Self-Tests (POSTs) are performed at power-up (refer to the Self-Tests section above). ii. The verification of the Hewlett Packard Enterprise bootloader image with a checksum operation is performed. iii. A bootloader firmware integrity check with RSA verify is completed to ensure the bootloader firmware is signed by Hewlett Packard Enterprise. iv. The Hewlett Packard Enterprise bootloader function appropriate for the Hewlett Packard Enterprise device is executed. For more details, refer to the Hewlett Packard Enterprise Bootloader Module version 1.0 Administrator Guidance document. v. The Hewlett Packard Enterprise bootloader name, firmware version, and build information is displayed on the host device console. vi. When the Hewlett Packard Enterprise Bootloader Module starts up successfully, after passing all the cryptographic algorithm self-tests, pre-operational self-tests and power-on conditional tests, the module is operating in the Approved mode of operation by default. vii. A verification of the ArubaOS image with a checksum operation is performed. viii. An ArubaOS firmware load integrity check with RSA verify is completed to ensure the ArubaOS firmware is signed by Hewlett Packard Enterprise. ix. ArubaOS is booted on the Hewlett Packard Enterprise device from the default image partition. x. Cryptographic Algorithm Self-Tests (CASTs) and Pre-Operational Self-Tests (POSTs) are performed for the ArubaOS components at start-up. xi. ArubaOS is loaded successfully and operating normally on the Hewlett Packard Enterprise device. xii. Once ArubaOS is booted successfully, control of the Hewlett Packard Enterprise device passes to ArubaOS and the module is not executed again until the next hardware boot of the Hewlett Packard Enterprise device or host. xiii. Follow the procedures as described in the ArubaOS 8.10 Getting Started Guide, ArubaOS 8.10.0.x AP Software Quick Start Guide, and ArubaOS 8.10 Virtual Appliance Installation Guide, as appropriate to the Hewlett Packard Enterprise device’s deployment. xiv. As specified in the Self-Tests section, if any of the checks fail, error messages will be displayed on the host device console. If the errors persist after the Hewlett Packard Enterprise device is rebooted, contact Hewlett Packard Enterprise. For more details, refer to the Hewlett Packard Enterprise Bootloader Module version 1.0 Administrator Guidance document.
Documentation for any Hewlett Packard Enterprise product can be found on the HPE Networking Support Portal (NSP). Filters can be used to limit the displayed results by Product(s), Product Series, Version(s), and File Category. For example,
The following Hewlett Packard Enterprise documents can be referenced to ensure that ArubaOS and the Hewlett Packard Enterprise hardware-based equipment or Hewlett Packard Enterprise virtual appliances that run ArubaOS are installed and operated correctly in Approved mode:
To keep the module in Approved mode, abide by section 11.1, Start-up Procedures. Also, refer to the Hewlett Packard Enterprise Bootloader Module version 1.0 Administrator Guidance document.
To determine if an Hewlett Packard Enterprise product is considered end of life, refer to the Hewlett Packard Enterprise end-of life information at https://networkingsupport.hpe.com/end-of-life. If an Hewlett Packard Enterprise product is deemed end-of-life, the CO should work with their Hewlett Packard Enterprise representative to determine the appropriate Hewlett Packard Enterprise product upgrade path to use a newer Approved version. The Hewlett Packard Enterprise Bootloader Module does not implement a zeroization service. The only key used by the module is the Factory CA Public Key which is stored and protected in the TPM during Hewlett Packard Enterprise device manufacturing, so it is not possible to modify and is exempt from zeroization requirements. For secure sanitization, reboot the module. If the module is deprecated, the CO should work with an Hewlett Packard Enterprise representative to determine the appropriate Hewlett Packard Enterprise product upgrade path to a newer Approved version. With the help of an Hewlett Packard Enterprise-Certified Mobility Professional (ACMP), they can assist in the loading and booting of a newer approved version of the module on the Hewlett Packard Enterprise device.
The module has not been purposely designed, built and publicly documented to mitigate one or more specific attacks. The Mitigation of Other Attacks requirements are not applicable, per FIPS 140-3 IG 12.A. 22| Hewlett Packard Enterprise Bootloader Module Firmware Version 1.0 FIPS 140-3 Level 1 Security Policy