| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 3/5/2030 |
| Caveat | None |
| Vendor | Samsung Electronics Co., Ltd. |
| Algorithm | ACVP Cert |
|---|---|
| AES-ECB | A2108 |
| AES-XTS | A2108 |
| Hash DRBG | A2107 |
| RSA SigVer (FIPS186-4) | A2110 |
| SHA2-256 | A2109 |
flowchart LR
%% Deterministic review-risk graph for Samsung SATA TCG Opal SSC SEDs PM893 Series
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Show Status<br/>Status Output</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>bootloader</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C6 clue;
class I2,I3,I6 infer;
class R2,R3,R6 risk;
class E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Samsung SATA TCG Opal SSC SEDs PM893 Series
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Show Status<br/>Status Output</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>bootloader</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C6 clueLow;Samsung SATA TCG Opal SSC SEDs PM893 Series Document Version: 1.0 Hardware Version: MZ7L3480HCHQ-00AMV, MZ7L3960HCJR-00AMV Firmware Version: JXTC1M8Q
Revision History Version Change
Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| # | Section | Page |
|---|
I. Introduction I.1. Scope referred to as a “cryptographic module” or “module”. The SSD (Solid State Drive) satisfies all applicable FIPS 140-3 Security Level 1 requirements, supporting TCG Opal SSC based SED (Self-Encrypting Drive) features. It is designed to protect unauthorized access to the user data stored in its NAND flash memories. The built-in AES hardware engines in the cryptographic module’s controller provide on-the-fly encryption and decryption of the user data without performance loss. The SED’s nature also provides instantaneous sanitization of the user data via cryptographic erase. I.2. Acronyms Acronym Description CTRL Controller CPU Central Processing Unit (ARM-based) DRAM Dynamic Random Access Memory DRAM I/F Dynamic Random Access Memory Interface ECC Error Correcting Code KAT Known Answer Test LBA Logical Block Address MEK Media Encryption Key PSID Physical Presence SID (Security Identifier) NAND NAND Flash Memory NAND I/F NAND Flash Interface SATA Serial ATA(Advanced Technology Attachment) ROM Read-Only Memory Table 1. Acronyms Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
Table 2. Security Levels Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
The firmware utilizes a single-chip controller with a SATA interface on the system side, as well as Samsung NAND flash. The following figure depicts the module’s operational environment. The firmware version included within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any firmware loaded onto this module that is not shown on the module certificate, is out of the scope of this validation and requires a separate FIPS 140-3 validation. Figure
2.3. Cryptographic Functionality The module does not implement any "Non-Approved Algorithms Not Allowed in the Approved Mode of Operation". 2.3.1. Approved Algorithm The cryptographic module supports the following approved algorithms for secure data storage: Description / CAVP Cert Algorithm and Standard Mode / Method Key Size(s) / Use / Function Key Strength(s) A2107 Hash DRBG / Hash_ DRBG Prediction Resistance: No Deterministic Random Bit SP 800-90A Rev. 1 (SHA2-256) Supports Reseed Generation A2108 AES-ECB / ECB 256-bit keys with 256-bit Prerequisite for AES-XTS FIPS 197, SP 800-38A key strength (A2108) A2108 AES-XTS / XTS 256-bit keys with 256-bit Data Encryption and FIPS 197, SP 800-38E key strength Decryption A2109 SHA2-256 / SHA2-256 SHA2-256 Message Digest FIPS 180-4 A2110 RSA SigVer / PSS SigVer (SHA2- 2048 bits Digital Signature Verification FIPS 186-4 256) Vendor Affirmed CKG / N/A N/A Cryptographic Key Generation SP 800-133 Rev. 2 using DRBG. (Section 4, 5.1, 6.3) N/A ENT (P) / N/A N/A Non-deterministic Random SP 800-90B Number Generator (only used for generating seed materials for the DRBG). Provides a minimum of 256 bits of entropy for DRBG seed. Table 4. Approved Algorithms Note that not all algorithms/modes that appear on the module’s CAVP certificates are utilized by the module. Table 4 lists only the algorithms/modes that are utilized by the module. 2.3.2. Non-Approved Algorithm Algorithm Caveat Use / Function AES-CCM / No Security Claimed; Non-approved Key obfuscation and removal FIPS 197, SP 800-38C algorithm here is only used for of obfuscation obfuscation and removal of obfuscation the CSP. (IG 2.4.A Scenario #1) AES-XTS / No security claimed; AES-XTS is only Firmware obfuscation removal FIPS 197, SP 800-38E used to remove obfuscation from the firmware during ROM initialized. HMAC-SHA2-256 / Non-approved algorithm here are only Store authentication data FIPS 198-1 used as pre-requisite algorithms for (non-compliant) PBKDF2 which is used for storing authentication data. (IG 2.4.A Scenario #1) PBKDF2 / Non-approved algorithms here are only Store authentication data SP 800-132 used for storing authentication data using PBKDF2 (IG 2.4.A Scenario #1) SHA2-256 / Non-approved algorithm here are only Store authentication data FIPS 180-4 used as pre-requisite algorithms for (non-compliant) PBKDF2 which is used for storing authentication data. (IG 2.4.A Scenario #1) Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
Table
3 Specified type of access of Lock/Unlock an LBA Range service to MEK was limited to only RAM.
Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
CKG TCG Method: GenKey DRBG Entropy O O Result: TCG status code Input String ENT(P) MEK O O O Firmware Admin Command: Update the Update the RSA SigVer / Verification O DOWNLOAD MICROCODE Firmware firmware A2110 Key Result : Status Code Hash_ DRBG DRBG “V” O O / A2107 Value DRBG “C” Provide a O O SHA2-256 / Value UID: ThisSP Get Random random number A2109 DRBG Seed O O TCG Method: Random Number generated by the Result: TCG status code CM CKG DRBG Entropy O O Input String ENT(P) ATA Command: Read / Write AES-XTS / IO Command MEK O Read / Write user data A2108 Result : Status Code Hash_ DRBG DRBG “V” O O / A2107 Value DRBG “C” Erase user data O O Admin Command: SHA2-256 / Value by changing the SANITIZE DEVICE / Sanitize A2109 DRBG Seed O O data encryption SECURITY ERASE UNIT key DRBG Entropy Result : Status Code CKG O O Input String ENT(P) MEK O O O Hash_ DRBG DRBG “V” O O / A2107 Value DRBG “C” Erase user data O O SHA2-256 / Value UID: SPObj (Admin SP) in all Range by Revert A2109 DRBG Seed O O TCG Method: Revert changing the DRBG Entropy Result: TCG status code data O O CKG Input String ENT(P) MEK O O O Power cycling Level 0 Discovery CMD Perform the the module to N/A N/A return a failure as a failure Self-tests perform selfindicator tests No Security Claimed
5. Software/Firmware Security - The LDPC (Low-density parity-check) code is applied for integrity test to firmware components of cryptographic module. - When firmware is downloaded into the module, 1024 bytes LDPC parity data per each 8KB data size is generated and integrity test is performed by verifying it every time it is loaded to initiate. - The firmware integrity test is performed when power on reset. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
6. Operational Environment - The cryptographic module operates in a limited operational environment, consisting of the module’s firmware. This limited operational environment does not require any specific security rules, settings, configurations, or restrictions to be set. - The cryptographic module does not provide any general-purpose operating system to the operator. - Firmware download is only available for CMVP validated firmware versions. Unauthorized modification of the firmware is prevented by the pre-operational firmware integrity test and conditional firmware load test. - Since the cryptographic module is zeroized through the maintenance role procedure, it is restricted to prevent uncontrolled access to CSPs and unauthorized modifications to SSPs. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
8. Non-Invasive Security The module does not implement any non-invasive attack mitigation techniques. Therefore, this section is not applicable. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
9. Sensitive Security Parameter Management - Temporary SSPs and SSPs stored in volatile memory are automatically zeroized upon power-on reset. - The module performs zeroization by overwriting the target SSP with random values generated by the DRBG. - The module does not import or export SSPs. Key / Security Function Import / Establish Zeroisatio Use & SSP Name Strength Generation Storage and Cert. Number Export -ment n Related Keys / Type SP 800-90A Hash_ DRBG / Implicitly Hash_ DRBG / A2107 DRBG “C” A2107 Plaintext in zeroised Generates 440-bit N/A N/A Value / CSP RAM by Power the MEK SHA2-256 / A2109 SHA2-256 / on reset A2109 SP 800-90A Hash_ DRBG / Implicitly Hash_ DRBG / A2107 DRBG “V” A2107 Plaintext in zeroised Generates 440-bit N/A N/A Value / CSP RAM by Power the MEK SHA2-256 / A2109 SHA2-256 / on reset A2109 Entropy Implicitly input: Hash_ DRBG / A2107 DRBG Seed Plaintext in zeroised Generates 512-bit ENT (P) N/A N/A / CSP RAM by Power the MEK Nonce SHA2-256 / A2109 on reset 256-bit Hash_ DRBG / A2107 DRBG Implicitly Entropy 512-bit / Plaintext in zeroised Generates SHA2-256 / A2109 ENT (P) N/A N/A Input 256-bit RAM by Power the MEK String / CSP on reset ENT (P) Implicitly zeroised by Power on reset / Explicitly zeroised Plain Text via “Lock in RAM an LBA Range” and SP 800-90A indicate Data Hash_ DRBG / with its AES-XTS / A2108 encryption A2107 indicator MEK / CSP 256-bit N/A N/A and Explicitly CKG decryption SHA2-256 / zeroised of user data A2109 via “Erase an LBA Range’s Plaintext in Data”, Flash “Revert” and “Sanitize” services and indicate Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
with their indicator Implicitly zeroised by Power on reset / Explicitly zeroised Plaintext in by after Hardware Firmware completio RSA SigVer / A2110 SFR4 Verification Entered during n of Firmware 112-bit N/A N/A “Update Key / Non- manufacturing Load Test SHA2-256 / A2109 the SSP firmware” with its indicator Plaintext in N/A ROM Table
5 Estimated amount of entropy per the source’s output bit is 0.72595 and Samsung conservatively claims to be set at 0.5 per bit.
Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
10.3. Error States Name Description Conditions Recovery Method Indicator The module Any conditional Power Cycle The firmware rejects Error State does not known answer test all subsequent SATA provide any failure. commands by crypto When the Integrity responding with Download Mode operation. Test for the 'Abort,' as specified in Bootloader fails. the SATA specification, When the Integrity and sets the device Hang Test for the Main status to 'Device Fault.' Firmware fails. Table 14: Error States Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
11. Life-Cycle Assurance The cryptographic module operates in the Approved mode of operation by default upon shipment from the vendor’s manufacturing site and does not support a non-approved mode of operation. Section 11.1 provides guidance on the rules for secure installation and operation. Operators must follow this guidance to ensure the cryptographic module operates in compliance with FIPS 140-3 security level 1 requirements. 11.1. Secure Installation
12. Mitigation of Other Attacks The cryptographic module has not been designed to mitigate any specific attacks beyond the scope of FIPS 140-3. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy