| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 1/26/2030 |
| Entropy | ENT (P) |
| Caveat | None |
| Vendor | Broadcom, Inc. |
| Hardware versions | G99-00139-01 |
| Algorithm | ACVP Cert |
|---|---|
| AES-ECB | A2693 |
| AES-GCM | A2695 |
| RSA SigVer (FIPS186-4) | A2691 |
| SHA2-256 | A2694 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | 1 |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for PrismPlus Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>14.2.338.0</i>"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Firmware Update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>PCIe Intf.(16 lane):<br/>SMBus Interface:<br/>I2C General Purpose(x1):</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C1 --> I1 --> R1 --> E1
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C4 --> I4 --> R4 --> E4
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C1,C2,C3,C4,C5,C6 clue;
class I1,I2,I3,I4,I5,I6 infer;
class R1,R2,R3,R4,R5,R6 risk;
class E1,E2,E3,E4,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for PrismPlus Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>14.2.338.0</i><br/>src: certificate.firmwareVersions"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Firmware Update</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>PCIe Intf.(16 lane):<br/>SMBus Interface:<br/>I2C General Purpose(x1):</i><br/>src: securityPolicy.portsAndInterfaces"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C1,C2,C3,C4 clueHigh;
class C5,C6 clueLow;Broadcom, Inc. PrismPlus Cryptographic Module Broadcom, Inc. Non-Proprietary FIPS 140-3 Security Policy Document Version: 1.2 Date: January 17, 2025 Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. Table of Contents Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. List of Tables Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. List of Figures Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
| Appliance-Host | Storage Server (Initiator) or Storage Device (Target) with a PrismPlus Adaptor |
|---|---|
| AUTH_ELS | Fibre Channel Messaging Protocol that maps IKEv2 to the Fibre Channel ELS (Extended Link Service) Protocol. |
| Connection | Communication between a Host Initiator Entity on a Storage Server Appliance and a Remote Target Entity on Storage Device Appliances |
| Connection Table | The Connection Table (aka Remote Peer Information (RPI) Table) contains Encryption Parameters including Enable/Bypass Encryption, Algorithms to be used and Traffic Selectors (types of frames to be encrypted) for a connection. These RPI fields can be considered an extension to the SADB and are required by the Encrypt/Decrypt HW Engines |
| EDIF | Encrypted Data In Flight |
| Factory-Host | Factory Host system with PrismPlus Adaptor that runs the Factory Process to configure the Adaptor in Approved Mode. |
| Fibre Channel | Fibre Channel (FC) is a high-speed data transfer protocol providing in-order, lossless delivery of raw block data. Fibre Channel is primarily used to connect computer data storage to servers in storage area networks (FC-SAN) in commercial data centers. |
| Fibre Channel Frame | Frames are units of transfer in Fibre Channel akin to Packets in Ethernet. |
| Initiator | Entity (e.g., Driver) on a Storage Server Appliance that makes data requests on behalf of Applications from networked data resources. |
| Remote Peer Information (RPI) Table | This connection table contains Encryption Parameters including Enable/Bypass Encryption, Algorithms to be used and Traffic Selectors (types of frames to be encrypted) for a connection. These RPI fields can be considered an extension to the SADB and are required by the Encrypt/Decrypt HW Engines |
| Security Association Database (SADB) | Contains Encryption/Decryption Keys and other parameters required by the Encrypt/Decrypt HW Engines. The SADB contains CSPs (Encrypt/Decrypt Keys and other parameters) for EDIF |
| Service Layer Interface (SLI) | The Service Level Interface (SLI) provides a standard set of control structures, commands, and responses to accomplish the transfer of data between a host system and an external network through a tightly coupled port. The SLI documents detail the control structures. |
| Storage Appliance | A Storage Server Appliance or a Storage Device Appliance |
| Storage Peer | The Remote Appliance with which connection has been established for data transactions |
| Storage Server Appliance | A type appliance on a network that accesses networked data resources for applications |
| Storage Device Appliance | A type of appliance that provides data to, or manages data for, other network- connected computing devices. |
| Support Processor (SP) | On chip Support Processor handling on-chip configuration and management and Management Control Messages (MailBox Commands) from the Host. |
| Target | Entity (e.g., Driver) on a Storage Device Appliance that services data requests received on network. |
Broadcom, Inc. Glossary Of Terms Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
| Name | Term | Definition |
|---|---|---|
| APT | APT | Adaptive Proportion Test |
| KAT | KAT | Know Answer Test |
| RCT | RCT | Repetition Count Test |
| RPI | RPI | Remote Peer Information |
| SADB | SADB | Security Association Database |
Broadcom, Inc. Acronyms and Definitions Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services and, Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security | 1 |
| 8 | 8 | Non-Invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-Tests | 1 |
| 11 | 11 | Life-Cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | N/A |
| Overall | Overall | 1 |
Broadcom, Inc. This document defines the Security Policy for the Broadcom Inc. PrismPlus Cryptographic Module, hereafter denoted the Module. The PrismPlus ASIC based module is implemented on a PCIe Host Bus Adapter (HBA) and is assumed to operate within a Storage Server Appliance or a Storage Device Appliance operating in a Fibre Channel Storage Area Network (FC-SAN) environment. The FIPS 140-3 security levels for the module are as follows: N/A N/A Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
| Name | Model | Hardware Version | Firmware Version | Features |
|---|---|---|---|---|
| PrismPlus Cryptographic Module | PrismPlus Cryptographic Module | G99-00139-01 | 14.2.338.0 | PrismPlus ASIC, Flash implemented on a PCIe Adapter |
Broadcom, Inc. The PrismPlus Cryptographic Module is a hardware module intended for use by US Federal agencies or other markets that require a FIPS 140-3 validated network encryption device. The module implemented on a PCIe Adapter is intended to be used in Fibre Channel based Storage Area Networks. The module allows a Connection to be established between one of the multiple Host Initiator Entities (e.g., 256 Virtual Machine Drivers running on multiple CPU cores) on a Storage Server Appliance and one of the multiple Remote Host Target Entities (e.g., 1000s of Storage LUNs) on multiple Storage Device Appliances via one of the multiple Physical Ports (e.g., 4x 64GFC ports). The Connection facilitates transfer of data between a Host Initiator Entity on a Storage Server Appliance and Host Target Entity on a Storage Server Appliance using the FC (Fibre Channel) Protocol. The module allows multiple (1000s) of connections between Host Initiator Entities on a Storage Server Appliance and Host Target Entities on Storage Device Appliances. The module can be used to support Data-in-Flight Encryption/Decryption between Storage Appliances in a FC-SAN environment. Encryption decisions are made on a connection basis, whereby only a subset of the connections could be enabled for Encryption. If a connection is enabled for Encryption, only a subset of the Frame Types (e.g., Data Frames only, not Command/Status/Control/etc. Frames) could be enabled for Encryption. Note: Frames are units of transfer in Fibre Channel akin to Packets in Ethernet. Please note that while the module includes an entropy source; the entropy source is not utilized in the current design and is reserved for future use. Table 2
Broadcom, Inc. 2.1 Cryptographic Boundary The module is a multiple-chip embedded embodiment. The cryptographic boundary is defined as a subregion of the PCB depicted by the red dotted line in Figure 1, which encompasses the PrismPlus ASIC and Flash. FC SAN FABRIC Remote Peer FC Switch FC Switch Flash QSPI SFF/SFP I2C Prism+ SFF/SFP Pro cesso r Pro cesso r I2C EEPROM/ uCtrlr Power Regulator Me mory PCIe HOST Storage Device Appliance, Target OR Storage Server Appliance, Initiator Me mory SFF/SFP Me mory Me mory Me mory Power Regulator SFF/SFP Me mory M emory M emory M emory Processor Processor Local Terminal M emory M emory M emory PCIe HOST Storage Server Appliance, Initiator OR Storage Device Appliance, Target Figure 1
| Name | CAVP Cert | Mode Method | Key Size | Use Function | |
|---|---|---|---|---|---|
| AES [197] (Specification for AES) | #A2693 | ECB [38A] | Key Sizes: 256 | Supports GCM | A2693 |
| AES [197] (Specification for AES) | #A2695 | GCM [38D] | Key Sizes:256 Tag Len: 128 | Authenticated Encrypt, Authenticated Decrypt | |
| RSA [186-4] (Digital Signature Standard) RSA Cryptographic Standard | #A2691 | PKCS1_v1.5 | n = 2048 SHA2-256 | SigVer | |
| SHS [180-4] SHS (Secure Hash Standard) | #A2694 | SHA2-256 | SHA2-256 | Message Digest Generation |
Broadcom, Inc. 2.2 Modes of Operation The module supports an Approved mode of operation and assumes the Approved mode as soon as it is powered-on. The module does not support a non-Approved mode. Approved mode of operation requires FW Load, FW Integrity and Pre-Operational Self Tests to pass. All services are offered only in Approved mode of operation. If Firmware Integrity Tests or the Pre-Operational Self tests fail, the module will halt all operations and will need to be reset, unless the module has automatically done so. The module does not support a degraded mode of operation. To verify that the module is in the Approved mode of operation, the operator may invoke the “Show Status” service. The Approved Security Service Indicator is provided by the successful completion of each service, as an implicit indicator for the use of an Approved service per IG 2.4.C, Example Scenario 2. 2.3 Security Functions The module implements the approved cryptographic functions listed in Table 3 below, which were tested on the ARM Cortex R4 processor internal to the module. The module does not support any non-Approved algorithms or non-Approved algorithms allowed in the approved mode. There are algorithms, modes, and keys that have been CAVP tested, but not used by the module; such unused algorithms, modes/methods, and key lengths are shown in this table with “Tested, but not used” specified in the Use/Function column. Table 3 – Approved Algorithms The module does not implement any KAS or KTS Security Function Implementations. 2.4 Overall Security Design
Broadcom, Inc.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| PCIe Intf.(16 lane): | PCIe Intf.(16 lane): | Control In; Data In; Data Out; Status Out; Control Out | Control In: IO Commands, Management Control Messages, PCIE_RESET_N; Data In: Plaintext Data, Status Information from Host; Data Out: Plaintext Data to Host; Status Out: Good or Error Status Response from Adapter to Host; Control Out: I/O Commands from received from connection peers |
| SMBus Interface: | SMBus Interface: | Control In; Status Out | Used for connection to BMC (Baseboard Management Controller) on server. Control In: MCTP Control Messages, NCSI and PLDM Server Management commands are received. Adapter status queries and config commands received from Server Management software; Status Out: Response to MCTP Control Messages, NCSI and PLDM Server Management commands. Adapter sends out status via response to MCTP, NCSI and PLDM Status commands. |
| I2C General Purpose(x1): | I2C General Purpose(x1): | Control Out; Data In | 1x Connect to External uController. Always Enabled. Control Out: Reset uController, Download uController Firmware update from external Flash to the EEPROM; Data In: Check current uController Firmware version, Get uController EEPROM Slot details where uController Firmware can be installed, Get Power Consumption details |
| I2C General Purpose(x2): | I2C General Purpose(x2): | N/A | Disabled |
| Fibre Channel (4x): | Fibre Channel (4x): | Control In; Data In; Data Out; Status Out; Control Out | Control In: I/O Commands from connection peers; Data In: Plaintext data, ciphertext data, encrypted cryptographic keys and CSPs, authentication data from connection peer. IO Command Status information in from connection peer; Data Out: Plaintext data, ciphertext data, encrypted cryptographic keys and CSPs; Status Out: IO Command Status information out to connection peer; Control Out: I/O Commands to connection peers |
| I2C SFP Master (x4): | I2C SFP Master (x4): | Data In; Control Out | The I2C SFF/SFP interface is used to control and monitor the Fibre Channel Link Transceivers. Data In: SFP performance data, temperature status, SFP Revision Number, SFP Vendor Specific Data etc. are read over the I2C interface; Control Out: Control Commands to control SFP operational parameters. |
| GPIO (x73): | GPIO (x73): | Data In; Status Out; Control In; Control Out | GPIO pins are normally used for misc. controls and status inputs. Control Out: SFP, Misc Control Signals; Status Out: Status LEDs; Control In: Config Control Signals; Data In: SFP, Misc Status Signals |
| Proc. UARTs (Qty. 2): | Proc. UARTs (Qty. 2): | N/A | Disabled. |
| Test and Debug IOs | Test and Debug IOs | N/A | Disabled. |
| JTAG Interface: | JTAG Interface: | N/A | Disabled. |
| Power | Power | Power; Control Out | Power: Power in from PCIe interface via Power Regulators; Control Out: SVS signal to Control ASIC core Voltage based on process corner |
Broadcom, Inc. Cryptographic Module Interfaces The module’s ports and associated FIPS defined logical interface categories are listed in Table 4. The ports are defined as the PCB traces crossing the perimeter of the physical cryptographic boundary. The module inhibits all control output upon entry into the error state. Table 4
Broadcom, Inc. N/A N/A N/A Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. Roles, Services and Authentication 4.1 Assumption of Roles and Related Services The module supports a single operator role, the Cryptographic Officer (CO) Role. The services that are available to the Cryptographic Officer are described later in the document. Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. Table 5 lists all services supported by the module in the CO Role. The module does not support authentication; the CO role is implicitly assumed. The module does not support a maintenance role. The module supports a Bypass Capability. The module does not support concurrent operators. The module does not support a self-initiated cryptographic output capability. Bypass On a connection between a Host Initiator Entity on a Storage Server Appliance and Host Target Entity on a Storage Device Appliance, encryption can be enabled or disabled. A Bypass capability is defined. A connection could be established to start operating in a non-protected mode with Encrypted Data In Flight (EDIF) disabled. It could then transition to operating in a protected mode with EDIF, once encryption parameters and traffic selectors have been negotiated with the peer entity by the host. The following conditions need to be met in the transition to encrypted mode of operation for a connection: a. The module receives a command with encryption parameters and Traffic Selectors, to enable a connection to move to an encrypted mode of operation. b. The module will verify the integrity of the governing bypass information in the connection table aka Remote Peer Information (RPI) table through an approved integrity technique (SHA2-256) immediately preceding modification of the governing information and generates a new integrity value using the Approved integrity technique immediately following the modification. A failure in this test is considered fatal for the adapter. The adapter is internally reset by the FW triggering a restart that includes reloading the FW and re-running all the pre-operational self-tests. c. The module performs a conditional Bypass SP-to-SP internal loopback self-test to check that the module is in a valid operational state for the connection. Check that specific types of frames targeted for encryption for the connection are correctly encrypted and decrypted after the SADB requested in the command for the connection is installed. A failure in this test is considered fatal for the adapter. The adapter is internally reset by the FW triggering a restart that includes reloading the FW and rerunning all the pre-operational self-tests. As a result of configuration changes, a connection can transition to outputting data in a non-protected form with EDIF disabled. The following conditions need to be met in the transition to non-encrypted mode of operation for a connection that prevents the inadvertent bypass of plaintext data due to a single error: a. The module receives a command for the connection, in order for the connection to move to a nonencrypted mode of operation. b. The module will verify the integrity of the governing bypass information in the connection table aka Remote Peer Information (RPI) table through an approved integrity technique (SHA2-256) immediately preceding modification of the governing information and generate a new integrity value using the Approved integrity technique immediately following the modification. A failure in this test is considered fatal for the adapter. The adapter is internally reset by the FW triggering a restart that includes reloading the FW and re-running all the pre-operational self-tests. Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. c. The module performs a conditional Bypass SP-to-SP internal loopback self-test to check that the module is in valid operational state for the connection. Check that frames targeted for the connection are no longer encrypted and decrypted using the deactivated SADB. A failure in this test is considered fatal for the adapter. The adapter is internally reset by the FW triggering a restart that includes reloading the FW and re-running all the pre-operational self-tests. Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
| Name | Roles | Input | Output |
|---|---|---|---|
| Firmware Update | CO | Firmware package and signature | Return Status: Success or Error |
| Data-In-Flight Encryption | CO | Plaintext Commands from Host, Plaintext FC Frame Data from Host | Encrypted FC Frames to FC links, Return Status: Success or Error |
| Data-In-Flight Decryption | CO | Plaintext Commands from Host, Encrypted FC Frames from FC Links | Plaintext FC Frame Data to Host, Return Status: Success or Error |
| Self-Tests | CO | Self-Tests are executed after Power On; Certain Self Tests are run on a continuous basis; Certain Self Tests are run on a conditional basis; Certain Self Tests are run on a periodic basis; Self-Tests can be run On-Demand by power cycling or resetting | Return Status: Success or Error, Self-Tests are executed after Power On |
| Zeroize | CO | Zeroizes SSPs, except SSP1 (RSA Public Key In ROM) on Reset, UnReg_SADB Command, UnReg RPI Command, Function reset | Return Status: Success or Error |
| Host-based Storage Peer Key Management | CO | Pass-Through Auth-ELS frames from Host; Pass-Through Auth-ELS frames from FC Links from Storage Peer | Pass-Through Auth-ELS frames to FC Links to Storage Peer; Pass-Through Auth-ELS frames to Host from Storage Peer |
| Importing SADB from Host | CO | Security Association Data Base with Plaintext Tx 256b key, Plaintext Rx 256b key, Plaintext 32b Tx Salt, Plaintext 32b Rx Salt | Return Status: Success or Error |
| Link, Connection Management | CO | Establishing and Monitoring connection between peers. See SLI Doc: FC Command Reference | Return Status: Success or Error |
| Chip Management | CO | Adapter Resource Provisioning; Configuration and Management of shared device resources: Functions, Queues, Exchanges, Connections etc. See SLI Doc: Adapter Management Commands. | Return Status: Success or Error |
| Show Version | CO | Command to Show Version | Return Adapter Version; Return Cryptographic Module Version; Return ASIC Part Number; Return FW Version |
| Show Status | CO | Read current Global Status: Approved Mode or Error State | Return Global Status |
| Diagnostic Dump | CO | Command to send Diagnostic Dump to Host | Diagnostic Dump - No SSPs dumped. |
Broadcom, Inc. May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Firmware Update | The Adapter can download FW, signed using RSA 2048, from Host to update existing Flash code. The downloaded FW is only enabled for execution after the next reset cycle, if signature verification passes. Signature generation is a factory process that is authorized to release FW Updates. | CO | SSP1: RSA Public Key stored in ROM | RSA Signature Verification | E | Status Indicator: Success, Error |
| Data in Flight Encryption | The Module has capability to Encrypt Transmitted FC Frames based on Security Association parameters (Keys, Traffic Selectors) that have been negotiated for a connection | CO | SSP2: Child_SA Tx key stored in Memory in SADB data structure; SSP4: Child_SA Tx Salt stored in Memory in SADB data structure | AES-GCM | E, Z | Status Indicator: Success, Error |
| Data in Flight Decryption | The module has capability to Decrypt Received FC Frames, and enforce encryption requirements based on Security Association parameters (Keys, Traffic Selectors) that have been negotiated for a connection. | CO | SSP3: Child_SA Rx key stored in Memory in SADB data structure; SSP5: Child_SA Rx Salt stored in Memory in SADB data structure | AES-GCM | E, Z | Status Indicator: Success, Error |
| Self-Tests | Self-Tests are executed after Power On Certain Self Tests are run on a continuous basis Certain Self Tests are run on a conditional basis Certain Self Tests are run on a periodic basis | CO | N/A | AES-GCM; DRBG; ENT - RCT, APT RSA2048; SHA2-256 | N/A | Status Indicator: Success, Error |
| Zeroize | Zeroizes SSPs, except SSP1 (RSA Public Key, In ROM) | CO | SSP2: Child_SA Tx key stored in Memory in SADB data structure; SSP3: Child_SA Rx key stored in Memory in SADB data structure; SSP4: Child_SA Tx Salt stored in Memory in SADB data structure; SSP5: Child_SA Rx Salt stored in Memory in SADB data structure | Zeroization process | Z | Status Indicator: Success, Error |
| Host-based Storage Peer Key Management | The Host executes protocol (typically AUTH_ELS) for establishing Security Association with a Storage Peer that it wants to establish a connection with EDIF capability. The module provides pass- through facility for AUTH_ELS frames from Host to Peer. The module provides pass- through facility for Auth_ELS frames from Peer to Host. | CO | N/A | No security functions on module used | N/A | Status Indicator: Success, Error |
| Importing SADB from Host | The Host sends SADB parameters to module. | CO | SSP2: Child_SA Tx key stored in Memory in SADB data structure; SSP3: Child_SA Rx key stored in Memory in SADB data structure; SSP4: Child_SA Tx Salt stored in Memory in SADB data structure; SSP5: Child_SA Rx Salt stored in Memory in SADB data structure | No security functions on module used | Write | Status Indicator: Success, Error |
| Link, Connection Management | Establishing and Monitoring connection between peers. See SLI Doc: FC Command Reference | CO | N/A | No security functions on module used | N/A | Status Indicator: Success, Error |
| Chip Management | Adapter Resource Provisioning Configuration and Management of shared device resources: Functions, Queues, Exchanges, Connections etc. See SLI Doc: Adapter Management Commands. | CO | N/A | No security functions on module used | N/A | Status Indicator: Success, Error |
| Show Version | Provides the version ID of the running firmware. See SLI Doc: Adapter Management Commands. | CO | N/A | No security functions on module used | N/A | Status Indicator: Version Numbers |
| Show Status | Read current Global Status: Approved Mode or Error State. | CO | N/A | No security functions on module used | N/A | Status Indicator: Global Mode of Operation |
| Diagnostic Dump | Command to send Diagnostic Dump to Host. No SSPs are included in the dump. | CO | N/A | No security functions on module used | N/A | Status Indicator: Success, Error |
Broadcom, Inc. 4.2 Services All Approved services implemented by the module are listed in Table 6 below. The module does not support any non-Approved services. The following SSPs are declared: SSP3: SSP5: The SSPs modes of access shown in Table 6 are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Table 6
Broadcom, Inc. E, Z N/A N/A Z N/A N/A Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. Software/Firmware Security The module is composed of the following major firmware components:
| Method | Description | ||
|---|---|---|---|
| G1 | Generated external to the module and installed during manufacturing | ||
| G2 | Unmodified output of the internal ENT (P) during power-up | ||
| G3 | Derived from the DRBG input per [90Ar1] | ||
| G4 | Generated external to the module on the host | ||
| S1 | Stored in plaintext in volatile memory (RAM) | ||
| S2 | Stored in ROM in plaintext | ||
| E1 | Input in plaintext from the host | ||
| Z1 | Zeroized by module power cycle or hard reset | ||
| Z2 | Zeroized by overwriting with a fixed pattern when no longer required and by the zeroize command |
Broadcom, Inc. Sensitive Security Parameter (SSP) Management The SSPs access methods are described in Table 7 below: Table 7
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation | ||
|---|---|---|---|---|---|---|---|---|---|---|
| SSP2: Child_SA Tx | 256 | AES-GCM [38D] | G4 Generated External to the Module on the Host | N/A | S1 Stored in plaintext in volatile memory (RAM) | Data in Flight Encryption. 256b key stored in memory in SADB data structure | E1 Input in Plaintext from the Host | AES-GCM [38D] /#A2695 | Z1 Zeroized by Module power cycle or hard reset Z2 Zeroized by overwriting with a fixed pattern, when no longer required, on UNREG_SADB command or UNREG_RPI command or PCIe Function Reset | |
| /# | /# | A2695 | ||||||||
| SSP3: Child_SA Rx | 256 | G4 Generated External to the Module on the Host | N/A | S1 Stored in plaintext in volatile memory (RAM) | Data in Flight Decryption. 256b key stored in memory in SADB data structure | E1 Input in Plaintext from the Host | AES-GCM [38D] /#A2695 | Z1 Zeroized by Module power cycle or hard reset Z2 Zeroized by overwriting with a fixed pattern, when no longer required, on UNREG_SADB command or UNRE G_RPI command or PCIe Function Reset | ||
| SSP4: Child_SA Tx Salt | 32 | G4 Generated External to the Module on the Host | N/A | S1 Stored in plaintext in volatile memory (RAM) | Data in Flight Encryption Tx 32b salt stored in memory in SADB data structure | E1 Input in Plaintext from the Host | AES-GCM [38D] /#A2695 | Z1 Zeroized by Module power cycle or hard reset Z2 Zeroized by overwriting with a fixed pattern, when no longer required, on UNREG_SADB command or UNRE G_RPI command or PCIe Function Reset | ||
| SSP5: Child_SA Rx Salt | 32 | G4 Generated External to the Module on the Host | N/A | S1 Stored in plaintext in volatile memory (RAM) | Data in Flight Decryption Rx 32b salt stored in memory in SADB data structure | E1 Input in Plaintext from the Host | AES-GCM [38D] /#A2695 | Z1 Zeroized by Module power cycle or hard reset Z2 Zeroized by overwriting with a fixed pattern, when no longer required, on UNREG_SADB command or UNRE G_RPI command or PCIe Function Reset | ||
| SSP1: RSA Public Key | 112 | RSA | N/A | N/A | S2 Stored in RO M in plaintext | RSA 2048 Public Key for firmware signature verification | N/A | N/A | ||
| /# | /# | A2691 | ||||||||
| /# | /# | A2694 |
Broadcom, Inc. 9.1 Sensitive Security Parameters (SSP) All SSPs used by the module are described in this section. All usage of these SSPs by the module is described in the services detailed in Section 4.2 Services. Table 8
| Name | Key Size | ||||
|---|---|---|---|---|---|
| ES0 | On Error: Error indication in SECURITY_ERROR register | ES0 | ES0 | The module fails the RSA KAT OR | |
| ES1 | ES1 | The module fails SP processor FW Integrity Test or | On Error: | ||
| The module fails bypass conditional self-test or The DRBG fails [90Ar1] Health Tests or The ENT fails the RCT and APT Continuous Health Tests. ------------------------ On any failure, the Module will indicate an error and reset. | On Error: READY bit set to 0 in PORT STATUS register with error details further provided in PORT ERROR1 and ERROR2 registers | ES2 |
Broadcom, Inc. The module performs self-tests to ensure the proper operation of the module. Per FIPS 140-3, these are Table 10
| Name | Call | Description | Method | Error state | ||||
|---|---|---|---|---|---|---|---|---|
| SRB Firmware integrity | SRB Firmware | The SRB processor module performs the SRB Firmware | SRB Firmware integrity | SigVer, RSA2048, SHA2-256 | SigVer, RSA2048, | The SRB processor module performs the SRB Firmware Integrity Test using RSA 2048 (CAVP Cert. #A2691) and SHA2-256 (CAVP Cert. #A2694). | ES0 | ES0 |
| integrity | integrity | Integrity Test using RSA 2048 (CAVP Cert. #A2691) and | SHA2-256 | |||||
| SP FW Integrity | The SP processor module performs the SP Firmware | SP FW Integrity | SigVer, RSA2048, SHA2-256 | ES1 | ||||
| ULP FW Integrity | The SP processor module performs the ULP Firmware | ULP FW Integrity | SigVer, RSA2048, SHA2-256 | ES1 | ||||
| Bypass | As a part of Pre-Operation Self-Test, the module verifies | Bypass | Activation switch testing | ES1 | ||||
| RSA (CAVP Cert. #A2691) | RSA (CAVP Cert. | Before executing the FW Integrity Test, the ROM based | RSA (CAVP Cert. #A2691) | KAT | KAT | ES0 | ES0 | |
| SHS (CAVP Cert. | SHS (CAVP Cert. | Before executing the FW Integrity Test, the ROM based | KAT | Before executing the FW Integrity Test, the ROM based FW boot code executes the FIPS180-4 SHA2-256 KAT. | ES0 | |||
| #A2694) | #A2694) | FW boot code executes the FIPS180-4 SHA2-256 KAT. | ||||||
| AES – GCM (CAVP | AES – GCM (CAVP | SP800-38D GCM Encrypt KAT with 256-bit key. Please | KAT | ES1 | ||||
| Cert. #A2695) | Cert. #A2695) | note the module does not employ the inverse function. | ||||||
| Bypass | Bypass | The module will verify the integrity of the governing | Bypass | Switch integrity | ES2 | |||
| ENT (ESV Cert. #E6) | ESV Cert. #E6. "Startup" Tests (RCT, APT) as specified in | ENT (ESV Cert. #E6) | RCT, APT | ES1 | ||||
| DRBG (CAVP Cert. #A2696) | CTR_DRBG KAT with AES 256 | DRBG (CAVP Cert. #A2696) | KAT | ES1 | ||||
| DRBG Health Test | The Instantiation, Generate, and Reseed KAT is run | DRBG Health Test | KAT | ES2 | ||||
| ENT Health Test | RCT and APT tests as specified in [90B] Section 4.4 | ENT Health Test | RCT, APT | ES2 | ||||
| Firmware Update | RSA Signature Verification (CAVP Cert. #A2691) of | Firmware Update | Signature Verification | RSA Signature Verification (CAVP Cert. #A2691) of firmware update packages using SSP1. | Transient | |||
| firmware update packages using SSP1. | firmware update packages using SSP1. | error. |
Broadcom, Inc. Table 11
Broadcom, Inc. Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
Broadcom, Inc. Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
11.1 Procedures for Secure Installation, Initialization, Startup and Operation of the Module.
The cryptographic module does not require any installation activities as it is delivered to the customer installed on a PCIe Host Bus Adapter. The PCIe Host Bus Adapter can be plugged into an appropriate PCIe slot on a server and is ready for operation on Power-On. All required configuration details are programmed at the factory. The module will offer the declared services only in the Approved mode of operation. The module status can be determined by reading the READY status in the PORT_STATUS PCIe config register. If the module does not come up in the Approved mode of operation, it will have to be returned to the factory.
The module Approved mode status can be monitored regularly by reading the READY status in the PORT_STATUS PCIe config register, which will be set to ‘1’ for Approved Mode. All ephemeral keys used by the module are zeroized on reboot, loss of power, connection termination or by the supported Zeroize command.
The module does not implement any mitigation method against other attacks. Version 1.2 May only be distributed in its entirety without modification. The term “Broadcom” refers to Broadcom and/or its subsidiaries
| Name | Term | Definition |
|---|---|---|
| [FIPS140-3] | [FIPS140-3] | Security Requirements for Cryptographic Modules, March 22, 2019 |
| [ISO19790] | [ISO19790] | International Standard, ISO/IEC 19790, Information technology — Security techniques — Test requirements for cryptographic modules, Third edition, March 2017 |
| [ISO24759] | [ISO24759] | International Standard, ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic modules, Second and Corrected version, 15 December 2015 |
| [IG] | [IG] | Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program, October 7, 2022 |
| [131A] | [131A] | Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, Revision 2, March 2019 |
| [133] | [133] | NIST Special Publication 800-133, Recommendation for Cryptographic Key Generation, Revision 2, June 2020 |
| [186] | [186] | National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013. |
| [197] | [197] | National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001 |
| [180] | [180] | National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August, 2015 |
| [38A] | [38A] | National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001 |
| [38D] | [38D] | National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800- 38D, November 2007 |
| [90Ar1] | [90Ar1] | National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, Revision 1, June 2015. |
| [90B] | [90B] | National Institute of Standards and Technology, Recommendation for the Entropy Sources Used for Random Bit Generation, Special Publication 800-90B, January 2018. |
The following standards are referred to in this Security Policy. Table 13