All modules
CMVP Validated Module · FIPS 140-3 Security Policy

BCM58202B0

Certificate#5007StandardFIPS 140-3Level3TypeHardwareEmbodimentSingle ChipStatusActiveVendorBroadcom, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 15 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level3
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date4/20/2030
CaveatNone
VendorBroadcom, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for BCM58202B0
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for BCM58202B0
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

Broadcom, Inc. BCM58202B0 Document Version: 1.2 Date: April 09, 2025 Broadcom Public Material

Page 2
Table of Contents
#SectionPage
Page 3

Broadcom Public Material

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Hardware7
Table 3: Modes List and Description7
Table 4: Approved Algorithms9
Table 5: Vendor-Affirmed Algorithms10
Table 6: Security Function Implementations13
Table 7: Entropy Certificates13
Table 8: Entropy Sources13
Table 9: Ports and Interfaces15
Table 10: Authentication Methods17
Table 11: Roles18
Table 12: Approved Services23
Table 13: Mechanisms and Actions Required26
Table 14: EFP/EFT Information26
Table 15: Hardness Testing Temperatures27
Table 16: Storage Areas29
Table 17: SSP Input-Output Methods29
Table 18: SSP Zeroization Methods29
Table 19: SSP Table 131
Table 20: SSP Table 232
Table 21: Pre-Operational Self-Tests33
Table 22: Conditional Self-Tests36
Table 23: Pre-Operational Periodic Information37
Table 24: Conditional Periodic Information38
Table 25: Error States39
Figure 1 – [Model 1]6
Page 5

this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 3 module.

1.2 Security Levels

The FIPS 140-3 security levels for the Module are as follows from Table 1: Section Title Security Level

1 General 3

2 Cryptographic module specification 3

3 Cryptographic module interfaces 3

4 Roles, services, and authentication 3

5 Software/Firmware security 3

6 Operational environment N/A

7 Physical security 3

8 Non-invasive security N/A

9 Sensitive security parameter management 3

10 Self-tests 3

11 Life-cycle assurance 3

12 Mitigation of other attacks N/A

Overall Level 3 Table 1: Security Levels

1.3 Additional Information

The Module is a highly integrated SoC (System on a Chip). It is marketed with part number BCM58202PB0KFBG10 and is ideally suited for end point security protection applications. Broadcom Public Material

Page 6
2 – Cryptographic Module Specification
2.1 Description

Purpose and Use: The Module is intended for use by US Federal agencies or other markets that require FIPS 140-3 validated cryptographic based security systems to protect sensitive information, access, usage, of computer, telecommunication systems, and property. The Module is intended to be used in commercial personal computers, point of sales terminals, access control devices in physically or electronically access restricted areas. Module Type: Hardware Module Embodiment: SingleChip Cryptographic Boundary: The physical form of the Module is depicted in Figure 1. The Module is a single-chip embodiment. The cryptographic module is encapsulated in an opaque and tamper resistant package material. The cryptographic boundary is the outer perimeter of the IC packaging. Figure 1

Page 7
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

1.1 SBI

BCM58202B0 BCM58202B0 BCM58202PB0KFBG10 Version: 1.0 BCM58202B0 single-chip SoC AAI Version: 2.1 Table 2: Tested Module Identification

2.3 Excluded Components

There were no components that were excluded from the cryptographic boundary.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name The module only RESET_OUT_L is high and UART prints Approved supports an Approved Approved the message, “The Device is running in Mode mode of operation. FIPS operational mode: 0xFFFF Table 3: Modes List and Description The BCM58202B0 cryptographic module only supports an Approved mode of operation and does not support a non-Approved mode of operation. The module cannot be configured to operate in a non-compliant state. The Cryptographic Officer (CO) can confirm the Approved mode of operation when the status output RESET_OUT_L is high and UART prints the message, “The Device is running in FIPS operational mode: 0xFFFF”. Broadcom Public Material

Page 8

In addition, the CO can confirm they are using the appropriate version of the module by consulting the output of the “Get info” service: Global Indicator (4) Global Indicator: 00 00 ff ff SBL Version (2) SBL Version: 01 01 SBI Version (2) SBI Version: 01 00 AAI Version (2) AAI Version: 02 01 CHIP Version: BCM58202PB0KFBG10 BCM58202B0 is configured during manufacturing to operate in the Approved mode. The CO is responsible for confirming the appropriate versions of the SBI and AAI are loaded; no additional configuration is required.

2.5 Algorithms

Approved Algorithms: The Module implements the Approved cryptographic algorithms listed in the table below. CAVP Algorithm Properties Reference Cert AES Direction - Decrypt, Encrypt AES-CBC SP 800-38A

5895 Key Length - 128, 192, 256

AES AES-CCM Key Length - 128, 192, 256 SP 800-38C 5896 AES AES-CTR Key Length - 128, 192, 256 SP 800-38A 5895 AES Direction - Decrypt, Encrypt AES-ECB SP 800-38A

5895 Key Length - 128, 192, 256

Prediction Resistance - Yes SP 800-90A Counter DRBG A3753 Mode - AES-256 Rev. 1 Derivation Function Enabled - Yes L - 2048 DSA SigGen (FIPS186-4) A4437 N - 256 FIPS 186-4 Hash Algorithm - SHA2-256 L - 2048 DSA SigVer (FIPS186-4) A4437 N - 256 FIPS 186-4 Hash Algorithm - SHA2-256 Curve - P-256 ECDSA KeyGen (FIPS186A3751 Secret Generation Mode - Extra FIPS 186-4 4) Bits Broadcom Public Material

Page 9

CAVP Algorithm Properties Reference Cert ECDSA KeyVer (FIPS186A3751 Curve - P-256 FIPS 186-4

  1. Component - No ECDSA SigGen (FIPS186A3751 Curve - P-256, P-384 FIPS 186-4
  2. Hash Algorithm - SHA2-256 Component - No ECDSA SigVer (FIPS186A3751 Curve - P-256, P-384 FIPS 186-4
  3. Hash Algorithm - SHA2-256 HMAC HMAC-SHA2-256 - FIPS 198-1 3870 Domain Parameter Generation Methods - P-256 KAS-ECC-SSC Sp800- SP 800-56A A3751 Scheme 56Ar3 Rev. 3 ephemeralUnified KAS Role - responder KDA OneStepNoCounter SP 800-56C A3752 Key Length - Key Length: 256 SP800-56Cr2 Rev. 2 Signature Type - PKCS 1.5 RSA SigGen (FIPS186-4) A3750 FIPS 186-4 Modulo - 2048, 4096 Signature Type - PKCS 1.5 RSA SigVer (FIPS186-4) A3750 FIPS 186-4 Modulo - 2048, 4096 SHS Message Length - Message SHA2-256 FIPS 180-4
4646 Length: 0-51200 Increment 8

SHA-3 SHA3-224 - FIPS 202 SHA-3 SHA3-256 - FIPS 202 SHA-3 SHA3-384 - FIPS 202 SHA-3 SHA3-512 - FIPS 202 Table 4: Approved Algorithms KAS [56Ar3] - Per [IG] D.F Scenario 2 path (2), compliant key agreement scheme where testing is performed end-to-end for the shared secret computation and a KDA compliant with SP80056Cr2 without key confirmation. Vendor-Affirmed Algorithms: The Module implements the Vendor Affirmed cryptographic algorithms listed. Broadcom Public Material

Page 10

Name Properties Implementation Reference Capabilities:Sections 4 and 6.1 Direct symmetric SP800CKG- key generation using unmodified DRBG output; DRBG (A3753) 133r2, IG Sym Section 6.2.1 Derivation of symmetric keys from [D.H] a key agreement shared secret Capabilities:Sections 4 and 5.1 Asymmetric signature key generation using unmodified SP800CKG- ECDSA KeyGen DRBG output; Sections 4 and 5.2 Asymmetric 133r2, IG Asym (A3751) key establishment key generation using [D.H] unmodified DRBG output Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.

2.6 Security Function Implementations

Name Type Description Properties Algorithms CKG-Asym Asymmetric Publications:FIPS Curve: P-256 AsymKeyPairAKG Key-Pair 186-4, SP800-90A, ECDSA KeyGen KeyGen Generation IG C.A, IG C.E (FIPS186-4) Counter DRBG Asymmetric Publications:FIPS ECDSA KeyVer AsymKeyPairAKV Key-Pair 186-4, SP800-90A, (FIPS186-4) KeyVer Verification IG C.A, IG C.E Curve: P-256 KAS-ECC-SSC AsymKeyPair- Domain Publication:SP800- Sp800-56Ar3 DPG DomPar Parameters 56Ar3 Curve: P-256 Counter DRBG Broadcom Public Material

Page 11

Name Type Description Properties Algorithms Counter DRBG Random Publication:SP800- Capabilities: AESDRBG DRBG Number 90A 256 w/ Derivation Generation Function AES-CBC Key Size: 128, 192, 256 AES-CTR Publication:FIPS ENC BC-UnAuth Block Cipher Key Size: 128, 197, SP800-38A 192, 256 AES-ECB Key Size: 128, 192, 256 AES-CCM Authenticated Publication:FIPS ENC-AUTH BC-Auth Key Size: 128, Block Cipher 197, SP800-38C 192, 256 Publication:IG D.H, FIPS 197, SP800-133r2 Symmetric Counter DRBG CKG- Sections 4 and 6.1 CKG Key Key Size: 128, Symmetric Direct symmetric Generation 192, 256 key generation using unmodified DRBG output DSA SigGen (FIPS186-4) Key Size: 2048 ECDSA SigGen (FIPS186-4) Digital Publication:FIPS Curve: P-256, PSigGen DigSig-SigGen Signature 186-4, SP800-90A, 384 Generation FIPS 180-4 RSA SigGen (FIPS186-4) Key Size: 2048, 4096 SHA2-256 Counter DRBG DSA SigVer (FIPS186-4) Key Size: 2048 Digital Publication:FIPS ECDSA SigVer SigVer DigSig-SigVer Signature 186-4, SP800-90A, (FIPS186-4) Verification FIPS 180-4 Curve: P-256, PRSA SigVer Broadcom Public Material

Page 12

Name Type Description PropertiesAlgorithms (FIPS186-4) Key Size: 2048, 4096 SHA2-256 Counter DRBG Publication:SP800- Counter DRBG ESV ENT-ESV Entropy Source 90B, IG 9.3.A, IG Security Strength: D.J, IG D.O 256 KAS-ECC-SSC Sp800-56Ar3 Scheme: Publication:SP800- Ephemeral Unified 56Ar3, SP800- (Responder) 56Cr2 Curve: P-256 Key Caveat:Key KDA KAS KAS-Full Agreement establishment OneStepNoCounter method provides SP800-56Cr2

128 bits of Auxiliary

encryption strength Function: SHA2Key Length: 128 Counter DRBG Publication:FIPS 197, SP800-38F, IG D.G Caveat:Key Key Transport AES-CCM KTS KTS-Wrap establishment - Wrapping Key Size: 128 methodology provides 128 bits of encryption strength Message Publication:FIPS HMAC-SHA2-256 MAC MAC Authentication 198-1, FIPS 180-4, Capabilities: Key Code IG C.B size < Block size SHA2-256 Message Length: 0 - 51200 Increment Publication:FIPS SHA3-224 Secure Hash SHS SHA 180-4, FIPS 202, Message Length: 0 Standard IG C.B, IG C.C - 51200 Increment SHA3-256 Message Length: 0 - 51200 Increment Broadcom Public Material

Page 13

Name Type Description Properties Algorithms SHA3-384 Message Length: 0 - 51200 Increment SHA3-512 Message Length: 0 - 51200 Increment Table 6: Security Function Implementations

2.7 Algorithm Specific Information

The module does not have any algorithm specific information.

2.8 RBG and Entropy

Cert Vendor Number Name E35 broadcom Table 7: Entropy Certificates The Module uses the following entropy sources: Operational Sample Entropy per Conditioning Name Type Environment Size Sample Component E35 Physical BCM58202B0 32 bits Minimum of 4 bits N/A Table 8: Entropy Sources The entropy source produces 4 bits of entropy per 32 bit sample. When instantiating the DRBG, the module will collect a total of 3072 bits from the entropy source, which has a total of 384 bits of entropy. Per SP800-90Arev1, the module must provide security_strength bits of entropy (i.e., 256-bits) plus another security_strength/2 (i.e., 128-bits) to instantiate a CTR_DRBG to a security strength of 256 bits.

2.9 Key Generation

For Key Generation methods, see Section 2.6 Security Function Implementations above. Broadcom Public Material

Page 14
2.10 Key Establishment

Key Agreement Information For Key Establishment methods, see Section 2.6 Security Function Implementations above. The module supports KAS-ECC per SP800-56Ar3 using the Ephemeral Unified scheme with the NISTrecommended curve P-256, as tested under CAVP Cert. #A3751. The module employs the SP 800-56Cr2 OneStepKDF, which was validated under CAVP Cert. #A3752. No key confirmation is supported. Key and seed generation is performed in compliance with NIST SP 800-133r2, Section 4, per 140-3 IG D.H without any post-processing. ECDSA Key Generation was tested under CAVP Cert. #A3751 using extra random bits, whereby an extra 64 bits are generated from the Approved DRBG (CAVP Cert. #A3753. Full public key validation is performed according to SP 800-56Ar3, Section 5.6.2.3.3, on both the generated public key, as well as any received public key. All temporary values used during the key agreement process are zeroized after the shared key is established. Key Transport Information For Key Transport methods, see Section 2.6 Security Function Implementations above.

2.11 Industry Protocols

The module does not implement any Industry Protocols> Broadcom Public Material

Page 15
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The Module’s ports and associated defined logical interface categories are listed below. The BCM58202B0 chip has a total of 141 signal pins. Each BCM58202B0 Interface Group listed below contains several BCM58202B0 pins. Unused Interface Groups will be marked as “Disabled” because they are disabled by the cryptographic module. The Module does not provide control output to other cryptographic modules or peripherals performing any cryptographic operations. Physical Logical Data That Passes Port Interface(s) Control Clock Input Clock - 26MHz clock - 32KHz clock; Clock output - 26MHz group Status clock output Output Control Reset Input One reset input; Reset output: Indicates that system power supply group Status is stable. Output Control Input Zeroisation Zeroisation request input (MANU_DEBUG) Status Output Code and data from SPI flash (clock, device select, and four data SPI group Data Input I/O). All Code/Data Input is authenticated by the module. Data Input Data Output Service request input; Service response output; (USB differential Control USB group data bus); Device interface used by the CO to make service Input requests. Requests are authenticated via the KAS secure session. Status Output UART Status Status output (Four UART ports of four signals each.) group Output Over 50 power and ground pins. Power is distributed to the chip Power using designated IO and core power pins that are completely Power group separated from any signal pin groups. Power pins are only connected to the internal power planes of the silicon chip. Alert Data Input Tamper, Voltage, or Temperature event Table 9: Ports and Interfaces Broadcom Public Material

Page 16

Note: The module does not support Control Output. Broadcom Public Material

Page 17
4 Roles, Services, and Authentication
4.1 Authentication Methods

Authentication is accomplished via a 256-bit ECDSA-based signature verification process using KOP-PUB. During the manufacturing process, the ECDSA private key, KDI-EC-PRIV, is loaded into SOTP of the Module and the corresponding public key, KDI-EC-PUB, resides in SRAM. KDI-ECPUB is used to authenticate the module to the operator during the establishment of a secure session. After an operator is authenticated successfully, the operator assumes the CO role. A secure session does not persist across power cycles. The Cryptographic Officer must be authenticated to establish a secure session before any cryptographic services are rendered. In addition to the CO, the Module supports services which do not require authentication, listed as UA in Approved Services table. The Module does not support a maintenance role or bypass capability. The Module does not support concurrent operators. The role of the CO is authenticated via the establishment of a mutually authenticated KAS session with ECDSA-based signatures. CO authentication is not carried over a terminated secure session or power cycle. A new secure session requires a complete CO authentication process. Method Security Strength Each Description Strength per Minute Name Mechanism Attempt Based on performance limitations, the probability of successfully The probability authenticating to the The CO role is that a random module within one minute authenticated by attempt will is 3,750/2^128 which is the verification succeed or a Signature less than 1/100,000. The of an ECDSA SigVer false acceptance Verification module will only allow digital signature will occur is one attempt to verify the using a P-256 1/2^128 which is CO

4.2 Roles

The Module supports a single distinct operator role, the Cryptographic Officer (CO). Broadcom Public Material

Page 18

The Roles Table below lists all operator roles supported by the Module. The Module does not support concurrent operators. The CO’s Public Key is installed in the SBI. It is protected with the SBI signature. SBI is also integrity protected with a CRC32 checksum. Only one CO public key is present in the SBI. The BCM58202B0 Cryptographic Module supports a single operator role: Cryptographic Officer. Only the authorized operator can establish a secure session with the cryptographic module. The cryptographic module implements identity-based operator authentication to allow only the authorized operator to access cryptographic services. Authentication is accomplished via a 256-bit ECDSA-based signature verification process. A single 256-bit ECDSA public key is embedded in the SBI. The 256-bit ECDSA public key is used to authenticate the CO during the establishment of a secure session between the module and the CO on the external host system. Name Type Operator Type Authentication Methods Cryptographic Officer Identity CO Signature Verification Table 11: Roles

4.3 Approved Services

All approved services implemented by the Module are listed in the table below: The SSPs modes of access shown in the table below are defined as:

Page 19

Securi Descrip Indicato ty SSP Name Inputs Outputs tion r Functi Access ons tion and Global Indicator: - KDI-ECStatus 00 00 ff ff SBL PUB: R Version: (2) SBL Version: 01 01 SBI Version: (2) SBI Version: 01

00 AAI Version:
02 01 CHIP

Version: BCM58202PB0 KFBG10 Input data, input size, key, key size, mode of Symmet operation ric Cryptogra Input : encrypti “Succee Return the phic Symmetric_encr 128 bit on of ded”; ciphertext or an ENC Officer ypt blocks of plaintex “Failed” error status - KAPPplaintext t AES: E Key size: message 128, 192,

256 bit

Modes: ECB, CBC, CTR Encrypte d input data, Symmet input Cryptogra ric size, key, “Succee Return the phic Symmetric_decr decrypti key size, ded”; plaintext or an ENC Officer ypt on of mode of “Failed” error status - KAPPcipherte operation AES: E xt Input :

128 bit

blocks of ciphertex Broadcom Public Material

Page 20

Securi Descrip Indicato ty SSP Name Inputs Outputs tion r Functi Access ons t Key size : 128, 192,

256 bit

Modes : ECB, CBC, CTR Cryptogra phic Officer Generat Selection - DRBGe AES of AES DRBG EI and or “Succee or CKGSymmetric_key_ Key generation Seed: G,E HMAC ded”; HMAC Symm gen complete status - DRBGkey in “Failed” key slot etric State: G,E selected for key ESV - KAPPkey slot gen AES: G - KAPPHMAC: G Cryptogra Selection phic Load of AES Officer AES or “Succee or - KAPPSymmetric_key_ HMAC ded”; HMAC Load status KTS AES: W import key in “Failed” key slot - KAPPselected for key HMAC: W key slot import - KKASSS: E Key/Cur Cryptogra Generat ve size, “Succee phic Asymmetric_sig e private Digital signature ded”; SigGen Officer _gen signatur key, of message “Failed” - KAPPe plaintext PRIV: E message Key/Cur Cryptogra Signatur “Succee ve size, Status of phic Asymmetric_sig e ded”; public signature SigVer Officer _ver verificat “Failed” key, verification - KAPPion signature PUB: E Broadcom Public Material

Page 21

Securi Descrip Indicato ty SSP Name Inputs Outputs tion r Functi Access ons Cryptogra phic Officer Generat - DRBGAKG e EI and “Succee AKV Asymmetric_key ECDSA Key generation Seed: G,E ded”; Key slot DPG _gen P-256 complete status - DRBG“Failed” DRBG Key State: G,E ESV Pair - KAPPPRIV: G,E - KAPPPUB: G,E Cryptogra phic Load Asymmet Officer RSA, “Succee ric - KAPPAsymmetric_key ECDSA ded”; Public/Pr Load status KTS PRIV: W _import , DSA “Failed” ivate - KAPPkeys Keys PUB: W - KKASSS: E Cryptogra phic Officer - KDI-ECPRIV: E Establis - KKASAKG ha PRIV: G,E AKV secure - KOPDPG session PUB: E “Succee DRBG with the Public Module’s KAS - KKASSecure_session ded”; ENCCO by Keys public key PUB: G,R “Failed” AUTH generati - KKASSigGen ng a OP-PUB: SigVer shared W,E KAS key - KSS: G,E - KKASSS: G,E - DRBGState: G,E - DRBGBroadcom Public Material

Page 22

Securi Descrip Indicato ty SSP Name Inputs Outputs tion r Functi Access ons EI and Seed: G,E Cryptogra Device phic Destroy Device Zeroise Inoperati None None Officer all CSPs Inoperative ve - KDI-ECPRIV: Z Cryptogra Generat HMAC “Succee phic HMAC-SHA2- es MAC key, ded”; MAC of message MAC Officer

256 of input plaintext

“Failed” - KAPPmessage message HMAC: E Digest Generat size: 224, “Succee Cryptogra es 256, 384, Digest of SHA3 hashing ded”; SHS phic SHA3 512 bit message “Failed” Officer digest Plaintext message Generat Digest es “Succee size: 256 Cryptogra SHA2-256 Digest of SHA2- ded”; bit SHS phic hashing message

256 “Failed” Plaintext Officer

digest message Cryptogra phic Request Officer “Succee Get Random a DRBG - DRBGded”; None Random number Number random ESV EI and “Failed” number Seed: G,E - DRBGState: G,E Three latest Error Log: the Get self-test last three Cryptogra self-test errors Get Error Log None detected errors None phic error and CRC and the CRC Officer log checksu checksum m of error log Broadcom Public Material

Page 23

Securi Descrip Indicato ty SSP Name Inputs Outputs tion r Functi Access ons No error Load reported firmwar on Unauthenti e from service Firmware cated an Self-test results executio images, - KSBI: Firmware Load external from SBI SigVer n; signature W,E source execution. Module s - KAAI: at accepts W,E powerCO on requests Table 12: Approved Services

4.4 Non-Approved Services

All approved services implemented by the Module are listed in the table below: NOTE: There are no Non-Approved services available.

4.5 External Software/Firmware Loaded

The module supports external firmware loads per IG 10.3.F, Additional Comment #3A. Both the Secure Boot Image (SBI) and Authenticated Application Image (AAI) are externally loaded into the module during initialization at every power-on. Each externally loaded image must have a valid ECDSA or RSA signature verified before the image is accepted. The hash of the public keys used to validate the candidate images are loaded prior to the firmware images themselves. The public keys are embedded in the SBI and AAI headers respectively. The hash of the embedded keys are validated against the preloaded hash values. Broadcom Public Material

Page 24
5 Software/Firmware Security
5.1 Integrity Techniques

The Module is composed of the following firmware components:

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by power cycling the Module. Broadcom Public Material

Page 25
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: The Module has a limited operational environment under the FIPS 140-3 definitions. The Module includes a firmware load service using ECDSA and RSA to support necessary updates. Firmware versions validated to FIPS 140-3 will be explicitly identified on a validation certificate issued by the CMVP. Any firmware not identified in this Security Policy does not constitute the Module defined by this Security Policy or covered by this validation. Broadcom Public Material

Page 26
7 Physical Security
7.1 Mechanisms and Actions Required

The BCM58202B0 Cryptographic Module is a single chip device offering the following physical security mechanisms:

6 months

packaging observed, zeroise the module. Table 13: Mechanisms and Actions Required

7.5 EFP/EFT Information

The nominal operating temperature of the module is 0C to 70C. The nominal voltage range is 3.0V to 3.6V. EFP Temp/Voltage Temperature or Result Type or Voltage EFT LowTemperature -50C EFT Shutdown HighTemperature 130C EFT Shutdown LowVoltage 1.5V EFT Shutdown HighVoltage 3.8V EFT Shutdown Table 14: EFP/EFT Information

7.6 Hardness Testing Temperature Ranges

Broadcom Public Material

Page 27

Temperature Temperature Type LowTemperature 0C HighTemperature 70C Table 15: Hardness Testing Temperatures Broadcom Public Material

Page 28
8 Non-Invasive Security

At present, SP800-140F does not define any non-invasive attack mitigation methods and as such, this section is not applicable. Broadcom Public Material

Page 29
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Persistence Area Description Type Name RAM Only stored in volatile memory (RAM). Dynamic OTP Stored in One-Time Programmable memory Static Table 16: Storage Areas

9.2 SSP Input-Output Methods

Format Distribution Entry SFI or Name From To Type Type Type Algorithm KAS-Entry Outside RAM Plaintext Automated Electronic KAS KTS Outside RAM Encrypted Automated Electronic KTS PT-Entry Outside RAM Plaintext Manual Electronic PT-Output RAM Outside Plaintext Manual Electronic Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Zeroisation Service Permanently remove Asserting the (MANU_DEBUG pin). sensitive parameters by Z1 MANU_DEBUG Contents of OTP are writing all ‘1’. No new signal overwritten with all ‘1’ data can be loaded. Remove temporary or generated sensitive data Zeroised by Power cycle or Z2 from being carried over Power cycle hard reset. to the next operating session. No operator Zeroise after Secure Session To prevent leakage of Z3 intervention is is established. Secure Session secrets. needed. Table 18: SSP Zeroization Methods Broadcom Public Material

Page 30
9.4 SSPs

All usage of these SSPs by the Module are described in the services detailed in Section 4.3 Type - Established Used Name Description Size - Strength Generated By Category By By DRBG-EI CTR_DRBG entropy input 3072 - 256 DRBG - CSP ESV DRBG and Seed DRBG- CTR_DRBG internal state (V

256 - 256 DRBG - CSP DRBG DRBG

State and Key) KKAS- Private key for share secret Asymmetric P-256 - 128 AKG KAS PRIV generation CSP KDI-EC- Signing key of messages during Asymmetric - Installed during P-256 - 128 SigGen PRIV secure session establishmen CSP manufacturing. KAPP- Encryption/decryption 128, 192, 256 - 128, Symmetric CKG-Symmetric ENC AES operations 192, 256 CSP KAPP- Symmetric Integrity operations 256 - 256 CKG-Symmetric MAC HMAC CSP DSA: 2048, RSA KAPP- 2048, 4096; Asymmetric General purpose key for sig-gen AKG SigGen PRIV ECDSA: P-256, P- CSP

384 - 112-192

ENCKKAS- Symmetric AES-CCM secure session key. 128 - 128 KAS AUTH SS CSP KTS Shared secret for session key Symmetric KSS 256 - 256 KAS KAS derivation. CSP KDI-EC- Used by the CO to mutually Asymmetric P-256 - 128 AKG PUB authenticate the secure session. PSP Ephemeral public key from KKAS- Asymmetric Module for shared secret P-256 - 128 AKG KAS PUB PSP establishment Broadcom Public Material

Page 31

Type - Established Used Name Description Size - Strength Generated By Category By By Ephemeral KAS public key of KKAS- Asymmetric the CO used to establish a secure P-256 - 128 KAS OP-PUB PSP session. DSA: 2048, RSA KAPP- 2048, 4096; Asymmetric General purpose key for sig-ver. AKG SigVer PUB ECDSA: P-256, P- PSP

384 - 112-192

Public key to authenticate the KOP- Asymmetric CO during secure session P-256 - 128 SigVer PUB PSP establishment Public Key. SBI signature Asymmetric KSBI P-384 - 192 SigVer verification Neither Public Key. AAI signature Asymmetric KAAI 2048 - 112 SigVer verification Neither Table 19: SSP Table 1 Input Name Storage Storage Duration Zeroization Related SSPs Output DRBG-EI and Seed RAM:Plaintext Until use completes Z2 DRBG-State:Initializes DRBG-EI and Seed:Derived From KKAS-PRIV:Generates KKAS-PUB:Generates DRBG-State RAM:Plaintext Until use completes Z2 KAPP-AES:Generates KAPP-HMAC:Generates KAPP-PRIV:Generates KAPP-PUB:Generates Broadcom Public Material

Page 32

Input Name Storage Storage Duration Zeroization Related SSPs Output KKAS-SS:Derives Z2 KKAS-PRIV RAM:Plaintext Until use completes KKAS-PUB:Paired With Z3 DRBG-State:Generated from RAM:Plaintext KDI-EC-PRIV Until use completes Z1 KDI-EC-PUB:Paired With OTP:Plaintext KAPP-AES KTS RAM:Plaintext Until use completes Z2 DRBG-State:Generated from KAPP-HMAC KTS RAM:Plaintext Until use completes Z2 DRBG-State:Generated from KAPP-PUB:Paired With KAPP-PRIV KTS RAM:Plaintext Until use completes Z2 DRBG-State:Generated from KKAS-SS RAM:Plaintext Until use completes Z2 KSS:Derived From KKAS-PRIV:Derived From Z2 KKAS-PUB:Derived From KSS RAM:Plaintext Until use completes Z3 KKAS-OP-PUB:Derived From KKAS-SS:Derives KDI-EC-PRIV:Paired With KDI-EC-PUB PT-Output RAM:Plaintext Until use completes Z2 DRBG-State:Generated from KKAS-PRIV:Paired With Z2 KKAS-PUB PT-Output RAM:Plaintext Until use completes KKAS-SS:Derives Z3 DRBG-State:Generated from Z2 KKAS-OP-PUB KAS-Entry RAM:Plaintext Until use completes KSS:Derives Z3 KAPP-PRIV:Paired With KAPP-PUB KTS RAM:Plaintext Until use completes Z2 DRBG-State:Generated from KOP-PUB PT-Entry RAM:Plaintext Until use completes N/A KSBI PT-Entry RAM:Plaintext Until use completes N/A KAAI PT-Entry RAM:Plaintext Until use completes N/A Table 20: SSP Table 2 Broadcom Public Material

Page 33
10 Self-Tests
10.1 Pre-Operational Self-Tests

The Module performs self-tests to ensure the proper operation of the Module. Per FIPS 140-3 these are categorized as either preoperational self-tests or conditional self-tests. Conditional self–tests are periodically performed by the Module every 10 minutes or by power cycling the Module. The Module accepts one service request at a time. The Module will postpone periodic self-testing while critical operations are in progress. The Module will process a service request after the periodic self-test in progress. The Module logs the latest three (3) self-test errors in the Module’s persistent registers, preserved across reset cycles. The CO can consult the error log by invoking Get Error Log service. The Module performs the following pre-operational self-tests in table below Algorithm or Test Test Test Type Indicator Details Test Properties Method Firmware SW/FW Module has not A CRC-32 is checked on SBI and AAI CRC-32 EDC Integrity Integrity entered error state. respectively before SBI and AAI executes. Table 21: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

The Module performs the following conditional self-tests in the table below Test Test Algorithm or Test Test Properties Indicator Details Conditions Method Type Test name displayed Encryption AES-CBC (AES AES-128, 192 and KAT CAST and module does not Forward cipher Power-On 5895) 256

Page 34

Test Test Algorithm or Test Test Properties Indicator Details Conditions Method Type Test name displayed AES-CCM (AES AES-128 - CCM Authenticated KAT CAST and module does not Power-On 5896) Encrypt encryption enter ES1 AES-256 Test name displayed Counter DRBG AES-256 CTR_DRBG KAT CAST and module does not Power-On (A3753) CTR_DRBG instantiate, generate, enter ES1 and reseed KATs. 2048-bit Signature Test name displayed DSA SigGen Signature Generation with KAT CAST and module does not Power-On (FIPS186-4) (A4437) Generation SHA2-256 enter ES1 2048-bit Signature Test name displayed DSA SigVer Signature Verification with KAT CAST and module does not Power-On (FIPS186-4) (A4437) Verification SHA2-256 enter ES1 P-256 SHA2-256 Test name displayed ECDSA SigGen Signature and P-384 SHA2- KAT CAST and module does not Power-On (FIPS186-4) (A3751) Generation

256 enter ES1

P-256 SHA2-256 Test name displayed ECDSA SigVer Signature and P-384 SHA2- KAT CAST and module does not Power-On (FIPS186-4) (A3751) Verification

256 enter ES1

KAS-SSC KAS-ECC-SSC Test name displayed KAS-SSC Shared Ephemeral Unified Sp800-56Ar3 KAT CAST and module does not Secret generation Power-On Model, C(2,0, ECC (A3751) enter ES1 with P-256 CDH). P-256 Test name displayed and module does not ECDSA Key ECDSA ECDSA KeyGen enter ES1ECDSA Generation P-256 PCT PCT Key (FIPS186-4) (A3751) P-521 Key Sign/Verify Pairwise Generation Generation Pairwise Consistency Test Consistency Test Broadcom Public Material

Page 35

Test Test Algorithm or Test Test Properties Indicator Details Conditions Method Type An RCT and APT as specified in [90B] Test name displayed SP800-90B Health APT and section 4.4 are ENT CAST and module does not Continuous Test RCT executed before enter ES1 generation of the DRBG entropy input ECDSA P-384 with Signature Module does not Upon SHA2-256 or RSA Signature SW/FW Verification using Firmware Loading enter ES1. Self- firmware

4096 with SHA2- Verification Load ECDSA P-384 (SBI)

256 or RSA 4096 (AAI)

HMAC-SHA256 Test name displayed HMAC-SHA2-256 HMAC-SHA2-256 Key Sizes: λ = 32 KAT CAST and module does not KAT

Page 36

Test Test Algorithm or Test Test Properties Indicator Details Conditions Method Type Test name displayed SHA2-256 (SHS SHA2-256 KAT CAST and module does not SHA2-256 Power-On 4646) enter ES1 Test name displayed SHA3-224 (SHA-3 SHA3-224 KAT CAST and module does not SHA3-224 Power-On 60) enter ES1 Test name displayed SHA3-256 (SHA-3 SHA3-256 KAT CAST and module does not SHA3-256 Power-On 60) enter ES1 Test name displayed SHA3-384 (SHA-3 SHA3-384 KAT CAST and module does not SHA3-384 Power-On 60) enter ES1 Test name displayed SHA3-512 (SHA-3 SHA3-512 KAT CAST and module does not SHA3-512 Power-On 60) enter ES1 Secure session Pairwise establishment KAC-ECC P-256. Consistency Test as KAS Key KAS Key Generation PCT PCT proceeds and Ephemeral Unified defined by SP800- Generation module does not 56Ar3. enter ES1 Test name displayed AES-CBC (AES AES-128, 192 and Decryption - Inverse KAT CAST and module does not Power-On 5895) 256

Page 37
10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method Firmware Integrity EDC SW/FW Integrity Ponwer-On Automatically Table 23: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (AES 5895) KAT CAST 10 minutes Automatically AES-CCM (AES 5896) KAT CAST 10 minutes Automatically Counter DRBG (A3753) KAT CAST 10 minutes Automtically DSA SigGen (FIPS186KAT CAST 10 minutes Automatically

  1. (A4437) DSA SigVer (FIPS186KAT CAST 10 minutes Automatically
  2. (A4437) ECDSA SigGen KAT CAST 10 minutes Automatically (FIPS186-4) (A3751) ECDSA SigVer KAT CAST 10 minutes Automatically (FIPS186-4) (A3751) KAS-ECC-SSC Sp800KAT CAST 10 minutes Automatically 56Ar3 (A3751) ECDSA KeyGen PCT PCT N/A N/A (FIPS186-4) (A3751) ENT APT and RCT CAST Continuous Automatically Firmware Loading Signature Verification SW/FW Load N/A N/A HMAC-SHA2-256 KAT CAST 10 minutes Automtically (HMAC 3870) KDA OneStepNoCounter KAT CAST 10 minutes Automatically SP800-56Cr2 (A3752) Broadcom Public Material – May be reproduced only in its original entirety (without revision).
Page 38

Algorithm or Test Test Method Test Type Period Periodic Method RSA SigGen (FIPS186KAT CAST 10 minutes Automatically

  1. (A3750) RSA SigVer (FIPS186KAT CAST 10 minutes Automatically
  2. (A3750) SHA2-256 (SHS 4646) KAT CAST 10 minutes Automatically SHA3-224 (SHA-3
  3. KAT CAST 10 minutes Automatically SHA3-256 (SHA-3
  4. KAT CAST 10 minutes Automatically SHA3-384 (SHA-3
  5. KAT CAST 10 minutes Automatically SHA3-512 (SHA-3
  6. KAT CAST 10 minutes Automatically KAS Key Generation PCT PCT N/A N/A AES-CBC (AES 5895) KAT CAST 10 minutes Automatically AES-CCM (AES 5896) KAT CAST 10 minutes Automatically Table 24: Conditional Periodic Information Conditional self–tests are periodically performed by the Module every 10 minutes. Broadcom Public Material – May be reproduced only in its original entirety (without revision).
Page 39
10.4 Error States

Recovery Name Description Conditions Indicator Method The Module fails a The Module enters the KAT, PCT, conditional The Module FIPS error state and Reboot/Power or periodic self-test, FW enters the SBL fails to boot or ESI cycle the integrity, critical FIPS error continue operation, and module function tests, DRBG state enters a continuous self-tests. reset loop. Table 25: Error States

10.5 Operator Initiation of Self-Tests

Self-tests can be initiated by power cycling or issuing a reset to the Module.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Module is manufactured and fully tested in secure environments under authorized access control. The Module is installed in the final product with the companion external flash device in the manufacturing facility. The CO must ensure the appropriate versions of the SBI and AAI are loaded in the companion external flash device upon first power up of the Module using the “Get Info” service. The CO should also visually inspect the Module for tamper evidence. The Module is a single chip device that does not provide any maintenance service access. At the end of life of the Module, all CSPs shall be zeroised by setting MANU_DEBUG pin high and power cycling the Module. Installation and Initialization: The following steps must be performed in order to securely install, initialize, and start up the BCM58202B0 cryptographic module in the FIPS 140-3 Approved mode of operation: The Module should be installed in the final product with the companion external flash device in the manufacturing facility. The manufacturing process includes a Module customization step which installs SBI and AAI in the module, initializes the Module with per device unique AES and HMAC keys, binding the Module and the flash device. Broadcom Public Material

Page 40

The CO must ensure the appropriate versions of the SBI and AAI are loaded in the companion external flash device upon first power up of the Module using the “Get Info” service. The CO should also visually inspect the Module for tamper evidence. Delivery: The CO must ensure the appropriate versions of the SBI and AAI are loaded in the companion external flash device upon first power up of the Module using the “Get Info” service. The CO should also visually inspect the Module for tamper evidence.

11.2 Administrator Guidance

Before the Module is installed in the end product, the module package should be inspected for integrity and to be free of any tamper evidence. The Module should be installed in the final product with the companion external flash device in a secure manufacturing facility. The manufacturing process includes a Module customization step which installs SBI and AAI in the module. To ensure the appropriate versions of the SBI and AAI are loaded in the companion external flash device, execute the “Get Info” service upon first power up of the Module. Verify the expected versions are reported. While the Module is in service in the end product, it is recommended to perform a visual inspection of the Module at least every 6 months to ensure that the Module package is still intact and void of any tamper evidence. “Get Info” service should be run to ensure that the correct SBI and AAI versions are in operation. Upon the termination of service of the Module, all critically sensitive parameters in the Module should be zeroized by setting the MANU_DEBUG pin high and power cycling the Module. Then, the Module can be disposed of responsibly.

11.3 Non-Administrator Guidance

Same as above for Administration Guidance.

11.4 Design and Rules

Rules of Operation

  1. The Module provides one distinct operator roles: Cryptographic Officer.
  2. The Module provides identity-based authentication.
  3. The Module clears previous authentications on power cycle. Broadcom Public Material – May be reproduced only in its original entirety (without revision).
Page 41
  1. An operator does not have access to any cryptographic services prior to assuming an authorized role.
  2. The Module allows the operator to initiate power-up self-tests by power cycling power or resetting the Module.
  3. All self-tests do not require any operator action.
  4. Data output is inhibited during key generation, self-tests, zeroization, and error states.
  5. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module.
  6. There are no restrictions on which keys or SSPs are zeroized by the zeroization service.
  7. The Module does not support concurrent operators.
  8. The Module does not support a maintenance interface or role.
  9. The Module does not support manual SSP establishment method.
  10. The Module does not have any proprietary external input/output devices used for entry/output of data.
  11. The Module does not enter or output plaintext CSPs.
  12. The Module does not output intermediate key values.
  13. The Module does not provide bypass services or ports/interfaces.
11.5 Maintenance Requirements

The Module is a single chip device that does not provide any maintenance service access.

11.6 End of Life

At the end of life of the Module, all CSPs shall be zeroised by setting MANU_DEBUG pin high and power cycling the Module.

12 Mitigation of Other Attacks

The Module does not implement any mitigation method against other attacks. References and Definitions The following standards are referred to in this Security Policy. Broadcom Public Material

Page 42

Abbreviation* Full Specification Name [FIPS140-3] Security Requirements for Cryptographic Modules, March 22, 2019 [ISO19790] International Standard, ISO/IEC 19790, Information technology

Page 43

Acronym* Definition APT Adaptive Proportion Test KAT Know Answer Test RCT Repetition Count Test SSP Sensitive Security Parameter Acronyms and Definitions Broadcom Public Material