All modules
CMVP Validated Module · FIPS 140-3 Security Policy

VMware's BoringCrypto Module

Certificate#4973StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorBroadcom Inc.
High review priority  ·  exposes network crypto parser/protocol  ·  last validated 17 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/22/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys). When operated in approved mode.
VendorBroadcom Inc.

Approved Algorithms (28)

AlgorithmACVP Cert
AES-CBCA2811
AES-CCMA2811
AES-CTRA2811
AES-ECBA2811
AES-GCMA2811
AES-KWA2811
AES-KWPA2811
Counter DRBGA2811
ECDSA KeyGen (FIPS186-4)A2811
ECDSA KeyVer (FIPS186-4)A2811
ECDSA SigGen (FIPS186-4)A2811
ECDSA SigVer (FIPS186-4)A2811
HMAC-SHA-1A2811
HMAC-SHA2-224A2811
HMAC-SHA2-256A2811
HMAC-SHA2-384A2811
HMAC-SHA2-512A2811
KAS-ECC-SSC Sp800-56Ar3A2811
KDF TLSA2811
RSA KeyGen (FIPS186-4)A2811
RSA SigGen (FIPS186-4)A2811
RSA SigVer (FIPS186-4)A2811
SHA-1A2811
SHA2-224A2811
SHA2-256A2811
SHA2-384A2811
SHA2-512A2811
SHA2-512/256A2811

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Non-Invasive SecurityN/A
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for VMware's BoringCrypto Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>On-Demand Self-Test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for VMware's BoringCrypto Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>On-Demand Self-Test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Broadcom Inc. VMware's BoringCrypto Module Software Version: 2022061300 Date: November 14, 2024 Prepared by: www.acumensecurity.net Broadcom Inc. 2024 Version 1.0 Public Material

Page 2

Introduction Federal Information Processing Standards Publication 140-3

Page 3
Table of Contents
#SectionPage
Introduction2
About this Document2
Disclaimer2
Notices2
1General5
2Cryptographic Module Specification6
2.1Overall Security Design and Rules of Operation10
2.1.1Usage of AES-GCM10
2.1.2RSA and ECDSA Keys10
2.1.3CSP Sharing10
2.1.4Modes of Operation10
3Cryptographic Module Interfaces11
4Roles, Services, and Authentication12
4.1Roles12
4.2Authentication12
4.3Services12
5Software/Firmware Security16
5.1Module Format16
6Operational Environment16
7Physical Security16
8Non-invasive Security16
9Sensitive Security Parameter Management17
10Self-Tests21
10.1Pre-Operational Self-Tests21
10.2Conditional Self-Tests21
11Life-Cycle Assurance23
11.1Installation Instructions23
11.1.1Building for Android23
11.1.2Building for Linux24
11.1.3Retrieving Module Name and Version25
12Mitigation of Other Attacks25
References and Standards26
Acronyms27
Page 4
List of Tables
ItemPage
Table 1 - Security Levels5
Table 2 - Tested Operational Environments6
Table 3 - Vendor Affirmed Operational Environments6
Table 4 - Approved Algorithms8
Table 6 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation9
Table 7 - Ports and Interfaces11
Table 8 - Roles, Service Commands, Input and Output12
Table 9 - Approved Services14
Table 10 - Non-Approved Services15
Table 11 – SSP20
Table 12 - Non-Deterministic Random Number Generation Specification21
Figure 1 - VMware's BoringCrypto Module boundary9
Page 5
Security level
NameISO SectionRequirementLevel
Section 6.Section 6.
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityN/A
88Non-Invasive SecurityN/A
99Sensitive Security Parameter Management1
1010Self-Tests1
1111Life-Cycle Assurance1
1212Mitigation of Other AttacksN/A

1. This document describes Broadcom Inc. cryptographic module Security Policy (SP) for the VMware's BoringCrypto Module (Software version: 2022061300) cryptographic module (also referred to as the “module” hereafter). It contains specification of the security rules under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The module is a software module and has a Multi-Chip Stand Alone embodiment. The module meets the overall Level 1 security requirements of FIPS 140-3. The following table lists the level of validation for each area in FIPS 140-3: N/A N/A N/A Table 1 - Security Levels Broadcom Inc. 2024 Version 1.0 Public Material

Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1Debian Linux 5.17.11 (Rodete)n2dAMD EPYC 7B12With PAA1
2Debian Linux 5.17.11 (Rodete)n2dAMD EPYC 7B12Without PAA2
3Google Prodimage with Linux 4.15.0n1Intel Xeon E5 2696 v4With PAA3
4Google Prodimage with Linux 4.15.0n1Intel Xeon E5 2696 v4Without PAA4
1Linux 4.Xx86_64 architecture ARMv7 architecture ARMv8 architecture1
2Linux 5.XX86_64 architecture ARMv7 architecture ARMv8 architecture2
3Linux 6.Xx86_64 architecture ARMv7 architecture ARMv8 architecture3
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1Debian Linux 5.17.11 (Rodete)n2dAMD EPYC 7B12With PAA1
2Debian Linux 5.17.11 (Rodete)n2dAMD EPYC 7B12Without PAA2
3Google Prodimage with Linux 4.15.0n1Intel Xeon E5 2696 v4With PAA3
4Google Prodimage with Linux 4.15.0n1Intel Xeon E5 2696 v4Without PAA4
1Linux 4.Xx86_64 architecture ARMv7 architecture ARMv8 architecture1
2Linux 5.XX86_64 architecture ARMv7 architecture ARMv8 architecture2
3Linux 6.Xx86_64 architecture ARMv7 architecture ARMv8 architecture3

2. Cryptographic Module Specification VMware's BoringCrypto Module by Broadcom Inc. is an open-source, general-purpose cryptographic library which provides approved cryptographic algorithms to serve BoringSSL and other user-space applications. The module is intended for use in environments specified in Table 2 below and any generalpurpose environment that requires cryptographic primitives. The Tested Operational Environment’s Physical Perimeter (TOEPP) of the module is the physical perimeter of the tested environment, which is listed in Table 2 below. The module is a software module and has a Multi-Chip Stand Alone embodiment. The installation instructions are provided in Section 11 of this document. The boundary of the module is defined as a single object file, bcm.o. The module version is: 2022061300. The module was tested on the following operational environments: # Table 2 - Tested Operational Environments The cryptographic module is also supported on the following operational environments for which operational testing and algorithm testing was not performed. The CMVP makes no statement as to the correct operation of the module on the operational environments for which operational testing was not performed. # Table 3 - Vendor Affirmed Operational Environments Table 4 below lists all the approved algorithms implemented in the module: Broadcom Inc. 2024 Version 1.0 Public Material

Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionUse / Function
AES FIPS 197 SP800-38AA2811CBC, ECB, CTRKey sizes: 128, 192, 256 bits; Strength: 128, 192, 256 bitsEncryption, Decryption
AES FIPS 197 SP800-38DA2811GCMKey sizes: 128, 192, 256 bits; Strength: 128, 192, 256 bitsAuthenticated Encryption, Authenticated Decryption
AES FIPS 197 SP800-38CA2811CCMKey size: 128 bits; Strength: 128 bitsAuthenticated Encryption, Authenticated Decryption
AES, KTS FIPS 197 SP800-38FA2811KW, KWPKey sizes: 128, 192, 256 bits; Strength: 128, 192, 256 bitsKey Transport per IG D.G Key establishment methodology provides between 128 and 256 bits of encryption strength
TLS v1.0/1.1 and v1.2 KDF2 SP800-135rev1CVL A2811N/ASHA2-256, SHA2- 384, SHA2-512; Strength: 256, 384, 512 bitsKey Derivation
CKGVendor AffirmedSP800-133rev2Cryptographic Key Generation: Section 5: Generation of Key Pairs for Asymmetric-Key Algorithms, Section 6.1: The “Direct Generation” of Symmetric KeysKey Generation Symmetric keys and seeds are generated as the direct output of the DRBG
DRBG SP800-90Arev1A2811CTR_DRBGAES-256; Key size: 256 bits; Strength: 256 bitsRandom Bit Generation
ECDSA FIPS 186-4A2811Key Pair Generation, Signature Generation, Signature Verification, Public Key ValidationP-224, P-256, P-384, P-521; Strength: 112, 128, 192, 256 bitsDigital Signature Services
HMAC FIPS 198-1A2811Generate, VerifyHMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512; Strength: 128, 192, 256, 384, 512 bitsGeneration, Authentication
RSA FIPS 186-4A2811Key Generation, Signature Generation, Signature Verification PKCS 1.5 and PSS1024, 2048, 3072, 4096; Strength: 80, 112, 128, 152 bits; Note: Key size 1024 should be only used for Signature VerificationDigital Signature Services
SHA FIPS 180-4A2811HashingSHA-13, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/256; Strength: 80, 112, 128, 192, 256, 128 bitsDigital Signature Generation, Digital Signature Verification, Non-Digital Signature Applications
KAS-SSC SP800-56Arev3A2811KAS-ECC-SSC ephemeralUnifiedECC: P-224, P-256, P- 384 and P-521; Strength: 112, 128, 192, 256 bitsKey Agreement Scheme Shared Secret Computation per SP800-56Arev3; Key establishment methodology provides between 112 and 256 bits of security strength
MD5As allowed per SP800-135rev1 (No security claimed)When used with the TLS protocol version 1.0 and 1.1

N/A There are algorithms that have been CAVP-tested on the same certificate but are not used by any approved service of the module Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. No parts of this protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the Broadcom Inc. 2024 Version 1.0 Public Material

Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionUse / Function
HMAC FIPS 198-1A2811Generate, VerifyHMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512; Strength: 128, 192, 256, 384, 512 bitsGeneration, Authentication
RSA FIPS 186-4A2811Key Generation, Signature Generation, Signature Verification PKCS 1.5 and PSS1024, 2048, 3072, 4096; Strength: 80, 112, 128, 152 bits; Note: Key size 1024 should be only used for Signature VerificationDigital Signature Services
SHA FIPS 180-4A2811HashingSHA-13, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/256; Strength: 80, 112, 128, 192, 256, 128 bitsDigital Signature Generation, Digital Signature Verification, Non-Digital Signature Applications
KAS-SSC SP800-56Arev3A2811KAS-ECC-SSC ephemeralUnifiedECC: P-224, P-256, P- 384 and P-521; Strength: 112, 128, 192, 256 bitsKey Agreement Scheme Shared Secret Computation per SP800-56Arev3; Key establishment methodology provides between 112 and 256 bits of security strength
MD5As allowed per SP800-135rev1 (No security claimed)When used with the TLS protocol version 1.0 and 1.1

Table 4 - Approved Algorithms Broadcom Inc. 2024 Public Material

Page 9
Approved algorithm
NameUse Function
MD5, MD4Non-Approved hashing
POLYVALNon-Approved authenticated encryption
DES, Triple-DES (non-compliant)Non-Approved encryption/decryption
AES-GCM-SIV (non-compliant)Non-Approved encryption/decryption
DH (non-compliant)Non-Approved key agreement

Table 6 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Figure 1 - VMware's BoringCrypto Module boundary Broadcom Inc. 2024 Version 1.0 Public Material

Page 10
2.1 Overall Security Design and Rules of Operation
2.1.1 Usage of AES-GCM

AES GCM encryption and decryption are used in the context of the TLS protocol version 1.2 (compliant to Scenario 1a in FIPS 140-3 IG C.H). The module is compliant with NIST SP 800-52 and the mechanism for IV generation is compliant with RFC 5288. The module ensures that it is strictly increasing and thus cannot repeat. When the IV exhausts the maximum number of possible values for a given session key, the first party (client or server) to encounter this condition may either trigger a handshake to establish a new encryption key in accordance with RFC 5246 or fail. In either case, the module prevents any IV duplication and thus enforces the security property. The module’s IV is generated internally by the module’s Approved DRBG, which is internal to the module’s boundary. The IV is 96 bits in length per NIST SP 800-38D, Section 8.2.2 and FIPS 140-3 IG C.H scenario 2. The selection of the IV construction method is the responsibility of the user of this cryptographic module. In approved mode, users of the module must not utilize GCM with an externally generated IV. Per IG C.H, in the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. The module implements the KDF TLS 1.2, and other cryptographic primitives used in TLS 1.2, but does not implement the TLS 1.2 protocol itself.

2.1.2 RSA and ECDSA Keys

The module allows the use of 1024-bit RSA keys for legacy purposes including signature generation, which is disallowed in Approved mode as per NIST SP800-131Arev2. Therefore, cryptographic operations with the Non-Approved key sizes will result in the module operating in Non-Approved mode. The elliptic curves utilized shall be the validated NIST-recommended curves and shall provide a minimum of 112 bits of encryption strength.

2.1.3 CSP Sharing

Non-Approved cryptographic algorithms shall not share the same key or CSP as an approved algorithm. As such, Approved algorithms shall not use the keys generated by the module’s Non-Approved key generation methods or the converse.

2.1.4 Modes of Operation

The module supports two modes of operation: Approved and Non-approved. The module will be in approved mode when all self-tests have completed successfully, and only Approved algorithms are invoked. See Table 4 above for a list of the supported Approved algorithms. The non-Approved mode is entered when a non-Approved algorithm is invoked. See Table 6 for a list of non-Approved algorithms. Broadcom Inc. 2024 Version 1.0 Public Material

Page 11
Ports and interfaces
NamePhysical PortLogical Interface
Data InputAPI input parametersData Input
Data OutputAPI output parameters and return valuesData Output
Control InputAPI input parametersControl Input
Status OutputAPI return valuesStatus Output

3. Cryptographic Module Interfaces functions. Table 7 - Ports and Interfaces The module does not implement a power input interface or a control output interface. As a software module, control of the physical ports is outside the module scope. However, when the module is performing self-tests, or is in an error state, all output on the module’s logical data output interfaces is inhibited. Broadcom Inc. 2024 Version 1.0 Public Material

Page 12
Service
NameRolesInputOutput
Symmetric EncryptionCOPlaintext, encryption keyReturn code, ciphertext
Symmetric DecryptionCOCiphertext, decryption keyReturn code, plaintext
Keyed HashingCOMessage, keyReturn code, Message Authentication Code
HashingCOMessageReturn code, hash
Random Bit GenerationCOAPI call parametersReturn code, random bits
Signature GenerationCOMessage, signing keyReturn code, signature
Signature VerificationCOSignature, verification keyReturn code
Key TransportCOAPI call parameters, wrapping keyReturn code, wrapped key
Key AgreementCOAPI call parametersReturn code, shared secret
TLS Key DerivationCOAPI call parameters, TLS pre- master secretReturn code, TLS Key
Key VerificationCOAPI call parameters, key pairReturn code
On-Demand Self-TestCON/AReturn code
Show StatusCOAPI call parametersReturn code, status
  1. Roles, Services, and Authentication 4.1 Roles The cryptographic module only implements a Crypto Officer (CO) role. The CO role is implicitly assumed by the entity accessing services implemented by the module. An operator is considered the owner of the thread that instantiates the module and, therefore, only one operator is allowed, and no concurrent operators are allowed. 4.2 The module does not support operator authentication. 4.3 Services The Approved services supported by the module and access rights within services accessible over the module’s public interface are listed in the table below: N/A N/A N/A Table 8 - Roles, Service Commands, Input and Output Approved services are listed in Table
  2. The SSPs listed in the table indicate the access required using below notation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. Broadcom Inc. 2024 Version 1.0 Public Material – May be reproduced only in its original entirety (without revision).
Page 13
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Symmetric EncryptionPerform symmetric encryption operationsCOAES Key, AES-GCM KeyAES CBC, ECB, CTR, CCM (Cert. #A2811) CKGW, E1
Symmetric DecryptionPerform symmetric decryption operationsCOAES Key, AES-GCM Key, AES-GCM IVAES CBC, ECB, CTR, GCM, CCM (Cert. #A2811) CKGW, E1
Keyed HashingPerform keyed hashing operationsCOHMAC KeyHMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 (Cert. #A2811)W, E1
HashingPerform hashing operationsCON/ASHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/256 (Cert. #A2811)N/A1
Random Bit GenerationGenerate random numbersCODRBG Seed, CTR_DRBG V, CTR_DRBG KeyCTR_DRBG (Cert. #A2811) CKGG, E1
DRBG outputCODRBG outputG, R
CTR_DRBG Entropy InputCOCTR_DRBG Entropy InputW, E
Signature GenerationPerform signing operationsCORSA Signature Generation Key, ECDSA Signing KeyCTR_DRBG, RSA SigGen, ECDSA SigGen (Cert. #A2811)G, W, E1
Signature VerificationPerform verification operationsCORSA Signature Verification Key, ECDSA Verification KeyRSA SigVer, ECDSA SigVer (Cert. #A2811)G, W, E1
Key TransportPerform key encryption operations; KTS using AES-KW, AES-KWP per IG D.GCOAES Wrapping KeyAES KW, KWP (Cert. #A2811) CKGW, E1
Key AgreementPerform key agreement operationsCOEC DH Private Key, EC DH Public KeyKAS-ECC-SSC (Cert. #A2811)G, W, E1
Shared SecretShared SecretG
TLS Key DerivationPerform key derivation operationsCOTLS Pre-Master SecretTLS KDF (Cert. #A2811)W, E1
TLS Master SecretTLS Master SecretG, E
Key VerificationPerform key pair verification operationsCOECDSA Signing Key, ECDSA Verification KeyECDSA KeyVer (Cert. #A2811)G, W, E1
On-Demand Self-TestExecute self-tests on demandCON/AN/AN/A1
Show StatusObtain the module status and versioning informationCON/AN/AN/AN/A

Broadcom Inc. 2024 W, E W, E W, E N/A N/A G, E G, R W, E G, W, E G, W, E Version 1.0 Public Material

Page 14

D.G W, E G, W, E G W, E G, E G, W, E G, W, E N/A N/A N/A N/A N/A N/A Z N/A N/A N/A Table 9 - Approved Services Broadcom Inc. 2024 Version 1.0 Public Material

Page 15
Service
NameDescriptionRolesApproved FunctionsIndicator
Hashing (as allowed per SP800-135rev1)Perform hashing operations when used with the TLS protocol version 1.0 and 1.1COMD50
HashingPerform hashing operationsCOMD40
HashingUsed as part of AES-GCM-SIVCOPOLYVAL0
Symmetric encryption/decryptionPerform symmetric encryption and/or decryption operationsCODES Triple-DES AES0
RSA Primitives (RSADP, RSAEP, RSASP, RSAVP)Perform RSA related primitive operations (decrypt, encrypt, sign, verify)CORSA0

Non-Approved Services are listed in the Table 10 below: Table 10 - Non-Approved Services Broadcom Inc. 2024 Public Material

Page 16
  1. Software/Firmware Security The pre-operational integrity test is performed using HMAC-SHA2-256. The integrity test can be executed on demand by power-cycling the host platform and reloading the module. The module does not support software loading. Please refer to Section 11.1 for instructions on compiling the source code into executable. 5.1 Module Format The form of the module is a single object file, bcm.o.
  2. Operational Environment The module runs on a GPC, which is a modifiable operational environment, running one of the operating systems specified in Table
  3. Each approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner of the calling application that instantiates the module. No specific security rules, settings or restrictions to the configuration of the operational environment applies to the module. The module is designed to ensure that all the self-tests are initiated automatically when the module is loaded.
  4. Physical Security As a software module, the physical security requirements are not applicable.
  5. Non-invasive Security The module does not claim any non-invasive security measures. Broadcom Inc. 2024 Version 1.0 Public Material – May be reproduced only in its original entirety (without revision).
Page 17
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey/SSP Name/TypeZeroisation
AES encrypt / decrypt128/192/256 bitsAES-CBC, ECB, CTR, CCM A2811ExternalN/APlaintext in RAMInput via API in plaintext (Electronic Entry)AES Key (CSP)Power-cycle host
AES decrypt / verify128/192/256 bitsAES-GCM A2811ExternalN/APlaintext in RAMInput via API in plaintext (Electronic Entry)AES-GCM Key (CSP)Power-cycle host
AES decrypt / verify96 bitsAES-GCM A2811ExternalN/APlaintext in RAMInput via API in plaintext (Electronic Entry)AES-GCM IV4 (CSP)Power-cycle host
AES key wrapping128/192/256 bitsAES-KW, AES-KWP A2811ExternalN/APlaintext in RAMInput via API in plaintext (Electronic Entry)AES Wrapping Key (CSP)Power-cycle Host
ECDSA signature generation112/128/192/256 bitsECDSA SigGen A2811Internally GeneratedN/APlaintext in RAMInput via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry)ECDSA Signing Key (CSP)Power-cycle host
ECDSA signature verification112/128/192/256 bitsECDSA SigVer A2811Internally GeneratedN/APlaintext in RAMInput via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry)ECDSA Verification Key (PSP)Power-cycle Host
Key Agreement112/128/192/256 bitsECDSA KeyGen A2811Internally GeneratedN/APlaintext in RAMInput via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry)EC DH Private Key (CSP)Power-cycle host
Key Agreement112/128/192/256 bitsECDSA KeyGen A2811Internally GeneratedN/APlaintext in RAMInput via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry)EC DH Public Key (PSP)Power-cycle host
Keyed hashing128/192/256/384 /512 bitsHMAC-SHA-1, HMAC-SHA2- 224, HMAC- SHA2-256, HMAC-SHA2- 384, HMAC-ExternalN/APlaintext in RAMInput via API in plaintext (Electronic Entry)HMAC Key (CSP)Power-cycle host
Key Agreement112/128/192/256 bitsKAS-ECC-SSC A2811Internally GeneratedSP800-56Arev3Plaintext in RAMN/AShared Secret (CSP)Power-cycle host
RSA signature generation112, 128, 152 bitsRSA SigGen A2811Internally GeneratedN/APlaintext in RAMInput via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry)RSA Signature Generation Key (CSP)Power-cycle host
RSA signature verification80, 112, 128, 152 bitsRSA SigVer A2811Internally GeneratedN/APlaintext in RAMInput via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry)RSA Signature Verification Key (PSP)Power-cycle host
TLS key derivation384 bitsTLS KDF A2811Internally Derived via key derivation function defined in SP800-135rev1 KDF (TLS)N/APlaintext in RAMN/ATLS Master Secret (CSP)Power-cycle host
TLS key derivation112-256 bitsTLS KDF A2811ExternalN/APlaintext in RAMInput via API in plaintext (Electronic Entry)TLS Pre-Master Secret (CSP)Power-cycle host
DRBG Seeding material384 bitsCTR_DRBG A2811Internally GeneratedN/APlaintext in RAMN/ADRBG Seed (CSP)Power-cycle host
DRBG internal state128 bitsCTR_DRBG A2811Internally GeneratedN/APlaintext in RAMN/ACTR_DRBG V (CSP)Power-cycle host
DRBG internal state256 bitsCTR_DRBG A2811Internally GeneratedN/APlaintext in RAMN/ACTR_DRBG Key (CSP)Power-cycle host
DRBG entropy384 bits used as seed, quality of entropy at least 112 bitsCTR_DRBG A2811ExternalN/APlaintext in RAMInput via API in plaintext (Electronic Entry)CTR_DRBG Entropy Input (CSP)Power- cycle host
Random bits provided for the calling application2048 bitsCTR_DRBG A2811Internally GeneratedN/APlaintext in RAMN/ADRBG outputPower- cycle host

9. Sensitive Security Parameter Management All the SSPs are zeroized implicitly when host platform is restarted. The various SSPs used by the module are listed in Table 11 below: As specified in Section 2.1.1, usage of externally generated IV is only allowed for AES-GCM decryption in the approved mode of operation. Broadcom Inc. 2024 Version 1.0 Public Material

Page 18

HMAC-SHA2224, HMACSHA2-256, HMAC-SHA2384, HMACBroadcom Inc. 2024 Version 1.0 Public Material

Page 19

N/A N/A N/A Broadcom Inc. 2024 Version 1.0 Public Material

Page 20

N/A N/A N/A N/A N/A N/A N/A N/A Powercycle N/A N/A Powercycle Table 11

Page 21
Approved algorithm
NameKey Size
DetailsEntropy sourcesMinimum number of bits of
Use of a [SP800-90B] compliant entropy source with at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The callback functions shall return an error if the minimum entropy strength cannot be met. The caveat “No assurance of the minimum strength of generated SSPs (e.g., keys)” is applicable112 bits and abovePassive Entropy

Table 12 - Non-Deterministic Random Number Generation Specification 10. Self-Tests ISO/IEC 19790 requires the module to perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality. Some functions also require conditional tests during normal operation of the module. The self-tests can be requested on demand by power cycling the host platform. The module has a single error state, which is called the error state. This state is entered upon failure of a self-test. The module indicates this error state by providing the output status “*** KAT failed” where *** is the algorithm name (example: ECDSA-sign KAT failed). The module can be recovered by terminating execution of the host program and reclamation by the host operating system. The supported tests are listed and described in this section.

10.1 Pre-Operational Self-Tests

Pre-operational self-tests are run upon the initialization of the module and further reboots of the host platform. The CAST (Cryptographic Algorithm Self-Test) for HMAC-SHA2-256 is performed before the integrity test. Self-tests do not require operator intervention to run. If any of the tests fail, the module will not initialize and enter an error state where no services can be accessed. The module implements the following pre-operational self-tests:

10.2 Conditional Self-Tests

Conditional Cryptographic Algorithm Self-Tests (CAST) are run prior to the first use of the cryptographic algorithm. CASTs do not require operator intervention to run. If any of the tests fail, the module will enter an error state and no services can be accessed. Broadcom Inc. 2024 Version 1.0 Public Material

Page 22

The module implements the following CASTs:

Page 23

11. Life-Cycle Assurance The cryptographic module is initialized by loading the module before any cryptographic functionality is available. In User Space, the operating system is responsible for the initialization process and loading of the library. There are no maintenance requirements applicable. General guidance about the module can be found at https://boringssl.googlesource.com/boringssl. This includes information about the APIs, building and specific information related to FIPS can be found at https://boringssl.googlesource.com/boringssl.git/+/refs/heads/fips20220613/crypto/fipsmodule/FIPS.md (note this still mentions 140-2, but the information there is the same).

11.1 Installation Instructions

The module is open source. A Linux workstation with the following tools is required to build and compile the module: Android 13 git 2.23 or later (https://git-scm.com/download/linux) base64, curl, sha256sum (these should come with the Linux installation) Linux Clang compiler version 14.0.0 (http://releases.llvm.org/download.html) Go programming language version 1.18.1 (https://golang.org/dl/) Ninja build system version 1.10.2 (https://github.com/ninjabuild/ninja/releases) Cmake version 3.22.1 (https://cmake.org/download/)

11.1.1 Building for Android

Once a Linux workstation with the above tools has been obtained, issue the following commands to download and verify repo: curl 'https://gerrit.googlesource.com/git-repo/+/e778e57f11/repo?format=TEXT' | base64 -d > ~/repo chmod u+x ~/repo gpg --recv-key 8BB9AD793E8E6153AF0F9A4416530D5E920F5C65 curl https://storage.googleapis.com/git-repo-downloads/repo.asc | gpg --verify - ~/repo Download the manifest from https://ci.android.com/builds/submitted/8918218/aosp_arm64userdebug/latest/manifest_8918218.xml by clicking the Download button. Verify the manifest using the following command: Sha256sum ~/manifest_8918218.xml Manually validate that the output from the final command indicates the following expected hash values for this file: fae7a587167b3b3ebdf5b2c53335a1d1827beddcf23d2788d07f3bbbe9ff7182 manifest_8918218.xml Broadcom Inc. 2024 Version 1.0 Public Material

Page 24

The module can be obtained by issuing the following commands: mkdir aosp cd aosp ~/repo init -u https://android.googlesource.com/platform/manifest --depth 1 ~/repo init -m ~/manifest_8918218.xml ~/repo sync -q -c -j 20 Once downloaded, the module can be built using the following command: . build/envsetup.sh lunch aosp_arm64-eng m clean m test_fips

11.1.2 Building for Linux

Once the above tools have been obtained, issue the following command to create a Cmake toolchain file to specify the use of Clang: printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain The FIPS 140-3 validated release of the module can be obtained by downloading the tarball containing the source code at the following location: https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl0c6f40132b828e92ba365c6b7680e32820c63fa7.tar.xz or by issuing the following command: wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl0c6f40132b828e92ba365c6b7680e32820c63fa7.tar.xz The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions, or alterations of this set as used during module build. The downloaded tarball file can be verified using the below SHA2-256 digest value: 62f733289f2d677c2723f556aa58034c438f3a7bbca6c12b156538a88e38da8a By issuing the following command: sha256sum boringssl-0c6f40132b828e92ba365c6b7680e32820c63fa7.tar.xz The tarball can be extracted using the following command: tar xJ < boringssl-0c6f40132b828e92ba365c6b7680e32820c63fa7.tar.xz After the tarball has been extracted, the following commands will compile the module: cd boringssl mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 DCMAKE_BUILD_TYPE=Release .. ninja && ninja run_tests Broadcom Inc. 2024 Version 1.0 Public Material

Page 25
11.1.3 Retrieving Module Name and Version

The following methods will provide the module name and versions:

Page 26

References and Standards The following Standards are referenced in this Security Policy: Abbreviation FIPS 140-3 FIPS 180-4 FIPS 186-4 FIPS 197 FIPS 198-1 IG SP 800-38A SP 800-38C SP 800-38D SP 800-38F SP 800-52 SP 800-56A SP 800-90A SP 800-131A SP 800-133 SP 800-135 Broadcom Inc. 2024 Full Specification Name Security Requirements for Cryptographic modules Secure Hash Standard (SHS) Digital Signature Standard (DSS) Advanced Encryption Standard The Keyed-Hash Message Authentication Code (HMAC) Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography Recommendation for Random Number Generation Using Deterministic Random Bit Generators Transitioning the Use of Cryptographic Algorithms and Key Lengths Recommendation for Cryptographic Key Generation Recommendation for Existing Application-Specific Key Derivation Functions Version 1.0 Public Material

Page 27

Acronyms Acronym AES API CAVP CBC CCCS CFB CKG CMVP CO CRNGT CSP CTR DES DH DRBG DSS EC ECB ECC EC DH ECDSA FIPS GCM GMAC GPC HMAC IG IV KAS KAT KDF KW KWP LLC MAC MD4 MD5 N/A NIST Definition Advanced Encryption Standard Application Programming Interface Cryptographic Algorithm Validation Program Cipher-Block Chaining Canadian Centre for Cyber Security Cipher Feedback Cooperative Key Generation Crypto Module Validation Program Cryptographic Officer Continuous Random Number Generator Test Critical Security Parameter Counter-mode Data Encryption Standard Diffie-Hellman Deterministic Random Bit Generator Digital Signature Standard Elliptic Curve Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Diffie-Hellman Elliptic Curve Digital Signature Authority Federal Information Processing Standards Galois/Counter Mode Galois Message Authentication Code General Purpose Computer Key-Hashed Message Authentication Code Implementation Guidance Initialization Vector Key Agreement Scheme Known Answer Test Key Derivation Function Key Wrap Key Wrap with Padding Limited Liability Company Message Authentication Code Message Digest algorithm MD4 Message Digest algorithm MD5 Not-Applicable National Institute of Standards and Technology NVLAP National Voluntary Lab Accreditation Program Broadcom Inc. 2024 Version 1.0 Public Material

Page 28

OFB PAA RAM RFC RSA SHA SHS SP SSL TLS Triple-DES Broadcom Inc. 2024 Output Feedback Processor Algorithm Accelerator Random Access Memory Request For Comment Rivest Shamir Adleman Secure Hash Algorithm Secure Hash Standard Special Publication Secure Socket Layer Transport Layer Security Triple Data Encryption Standard Version 1.0 Public Material

Referenced URLs