All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2]

Certificate#5025StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorApple Inc.
Low review priority  ·  no TCB surface named  ·  last validated 13 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date6/15/2030
CaveatWhen operated in approved mode
VendorApple Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2]
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2]
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Apple Inc. Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2] Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

This document may be reproduced and distributed only in its original entirely without revision.

Page 3
Table of Contents
#SectionPage
Page 4

This document may be reproduced and distributed only in its original entirely without revision.

Page 5

List of Tables Table 3: Tested Module Identification

Page 6

List of Figures This document may be reproduced and distributed only in its original entirely without revision.

Page 7

Trademarks Apple’s trademarks applicable to this document are listed in https://www.apple.com/legal/intellectual-property/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirely without revision.

Page 8
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 2 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800140Br1.

1.2 Security Levels

Section Title Security Level

1 General 2

2 Cryptographic module specification 2

3 Cryptographic module interfaces 2

4 Roles, services, and authentication 2

5 Software/Firmware security 2

6 Operational environment N/A

7 Physical security 2

8 Non-invasive security N/A

9 Sensitive security parameter management 2

10 Self-tests 2

11 Life-cycle assurance 2

12 Mitigation of other attacks N/A

Overall Level 2 Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.

Page 9
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2] cryptographic module (hereafter referred to as “the module”) consists of both firmware and hardware components. The Secure Key Store (SKS) application is the module’s firmware which operates within the sepOS execution environment which is separate from the Device OS’ (iPadOS 15, iOS 15, tvOS 15, watchOS 8) execution environment. The firmware interface is defined as the API offered by the module's mailbox interface to callers from the Device OS execution environment. SKS has an API layer that provides consistent interfaces to the supported services and therefore the supported cryptographic algorithms. In addition, the module provides Inter-Process Communication (IPC) interfaces to other applications executing within the sepOS execution environment. The sepOS execution environment is driven by its own CPU and operates from a dedicated region of the device’s memory. Both the Device’s and sepOS’ execution environments are physically separated on the SoC and thus execute independently of each other. Module Type: Hardware Module Embodiment: SingleChip Module Characteristics: SubChip Cryptographic Boundary: The module cryptographic boundary is delineated by the dotted blue rectangle in the Figure

  1. The cryptographic module boundary includes the following hardware components: • Hardware Random Number Generator composed of a SP800-90A Approved CTR_DRBG and a physical entropy source compliant to SP800-90B. • Hardware AES implementing AES-ECB and AES-CBC encryption and decryption. • Hardware Public Key Accelerator (PKA) used for generating asymmetric key pairs. • A volatile RAM for storing runtime SSPs. • A non-volatile Flash for storing an encrypted Class D key. The physical perimeter is represented by the most exterior black line in the block diagram Figure
  2. This document may be reproduced and distributed only in its original entirely without revision.
Page 10

Figure 1: Block Diagram Tested Operational Environment’s Physical Perimeter (TOEPP): A photograph of each hardware module is shown below: Figure 3: Apple Figure 4: Apple Figure 6: Apple Figure 2: Apple A9 Figure 5: Apple A9X A10 Fusion A11 Bionic A10X Fusion This document may be reproduced and distributed only in its original entirely without revision.

Page 11

Figure 9: Apple Figure 10: Apple Figure 7: Apple Figure 11: Apple Figure 8: Apple A12Z Bionic S3 A12 Bionic S4 A12X Bionic Figure 12: Apple Figure 13: Apple Figure 14: Apple S5 S6 S7

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 12

Model and/or Part Number Hardware Firmware Processors Features Version Version iPhone 7 Plus running sepOS 2.0 12.0 Apple A Series N/A distributed with iOS 15 A10 Fusion iPhone X running sepOS distributed 2.0 12.0 Apple A Series N/A with iOS 15 A11 Bionic iPhone XS Max running sepOS 2.0 12.0 Apple A Series N/A distributed with iOS 15 A12 Bionic Apple Watch Series S3 running sepOS 2.0 12.0 Apple S Series S3 N/A distributed with watchOS 8 Apple Watch Series S4 running sepOS 2.0 12.0 Apple S Series S4 N/A distributed with watchOS 8 Apple Watch Series S5 running sepOS 2.0 12.0 Apple S Series S5 N/A distributed with watchOS 8 Apple Watch Series S6 running sepOS 2.0 12.0 Apple S Series S6 N/A distributed with watchOS 8 Apple Watch Series S7 running sepOS 2.0 12.0 Apple S Series S7 N/A distributed with watchOS 8 Apple TV 4K running sepOS distributed 2.0 12.0 Apple A Series N/A with tvOS 15 A10X Fusion Table 2: Tested Module Identification

2.3 Excluded Components

None for this module

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Approved mode of operation Approved return a '0' from mode is entered when the module fips_allowed_mode() for block cipher utilizes the services that use functions and fips_allowed() for all the security functions listed other services to indicate the in the Approved Algorithms executed cryptographic algorithm Table and the Vendor was approved Affirmed Algorithms Table. This document may be reproduced and distributed only in its original entirely without revision.

Page 13

Mode Description Type Status Indicator Name Non- Non-Approved mode of Non- return a non-zero value from Approved operation is entered when Approved fips_allowed_mode() for block cipher mode the module utilizes non- functions and fips_allowed() for all approved security functions other services to indicate the in the Table Non-Approved executed cryptographic algorithm Algorithms Not Allowed in was non- approved the Approved Mode of Operation. Table 3: Modes List and Description

2.5 Algorithms

Approved Algorithms: AES-CBC Algorithm CAVP Cert Properties Reference AES-CBC A2842 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A2843 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A2844 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A2845 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A510 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC C314 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC C315 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC C317 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC C318 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC C319 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 This document may be reproduced and distributed only in its original entirely without revision.

Page 14

Algorithm CAVP Cert Properties Reference AES-CBC C320 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC C322 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC C326 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC C358 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 Table 4: Approved Algorithms - AES-CBC AES-ECB Algorithm CAVP Cert Properties Reference AES-ECB A2842 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A2843 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A2845 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A2847 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A501 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB A510 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB AES 5261 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB AES 5272 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB AES 5273 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB AES 5274 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB AES 5275 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB AES 5278 Direction - Encrypt SP 800-38A Key Length - 256 This document may be reproduced and distributed only in its original entirely without revision.

Page 15

Algorithm CAVP Cert Properties Reference AES-ECB C314 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C315 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C317 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C318 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C319 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C320 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C322 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C323 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB C324 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB C326 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-ECB C331 Direction - Encrypt SP 800-38A Key Length - 256 AES-ECB C358 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 Table 5: Approved Algorithms - AES-ECB AES-KW Algorithm CAVP Cert Properties Reference AES-KW A2843 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A2845 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A2846 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 Table 6: Approved Algorithms - AES-KW This document may be reproduced and distributed only in its original entirely without revision.

Page 16

CTR_DRBG Algorithm CAVP Cert Properties Reference Counter DRBG A501 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG C323 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG C324 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG C331 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG DRBG 2014 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG DRBG 2022 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG DRBG 2023 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG DRBG 2024 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG DRBG 2025 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Counter DRBG DRBG 2028 Prediction Resistance - Yes SP 800-90A Rev. 1 Mode - AES-256 Derivation Function Enabled - No Table 7: Approved Algorithms - CTR_DRBG HMAC Algorithm CAVP Cert Properties Reference HMAC-SHA-1 A2845 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 This document may be reproduced and distributed only in its original entirely without revision.

Page 17

Algorithm CAVP Cert Properties Reference HMAC-SHA-1 A2848 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-224 A2845 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-224 A2848 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-256 A2845 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-256 A2848 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-256 A2849 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-384 A2845 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-384 A2848 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-512 A2845 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2-512 A2848 Key Length - Key Length: 8-262144 FIPS 198-1 Increment 8 HMAC-SHA2- A2848 Key Length - Key Length: 8-262144 FIPS 198-1 512/256 Increment 8 Table 8: Approved Algorithms - HMAC Message-Digest Algorithm CAVP Cert Properties Reference SHA-1 A2845 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA-1 A2848 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-224 A2845 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-224 A2848 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-256 A2845 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 This document may be reproduced and distributed only in its original entirely without revision.

Page 18

Algorithm CAVP Cert Properties Reference SHA2-256 A2848 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-256 A2849 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-384 A2845 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-384 A2848 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-512 A2845 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2-512 A2848 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 SHA2- A2848 Message Length - Message Length: 0-32768 FIPS 180-4 512/256 Increment 8 Table 9: Approved Algorithms - Message-Digest Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key Type:Symmetric N/A SP800-133 Rev2 Section 4, example 1 Table 10: Vendor-Affirmed Algorithms Non-Approved, Not Allowed Algorithms: Name Use and Function Ed25519 Key generation EdDSA signature scheme Ed25519 shared secret generation EdDSA shared secret generation Curve 25519 key generation key generation Curve 25519 shared secret generation shared secret generation ECDH Key Pair Generation Elliptic Curve Integrated Encryption Scheme (ECIES) Key Generation ECDH Shared Secret Computation Elliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption ANSI X9.63 KDF Elliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption This document may be reproduced and distributed only in its original entirely without revision.

Page 19

Name Use and Function AES-GCM Elliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption HKDF RFC5869 HMAC based Key Derivation Function PBKDF Key Derivation ECDSA implemented in FW Key generation as part of Ref key generation service and validation, Signature generation and verification as part of Device keybag service ECDSA implemented in HW PKA Key generation as part of Ref key generation service Signature generation primitive ECDH implemented in FW Shared secret computation ECDH implemented in HW PKA Shared secret computation AES KW using class D key, keys from Key wrapping and unwrapping Device keybag, keys from iCloud keybag or NVM storage controller key Table 11: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Unauthenticated BC-UnAuth AES AES-CBC:128-, AES-CBC: Symmetric Encrypt/Decrypt 192-, 256-bit (A2842, A2843, Encryption and keys A2844, A2845, Decryption AES-ECB:128-, A510) 192-, 256-bit Key keys Size/Strength: 128, 192, 256 AES-ECB: (A2842, A2843, A2845, A2847, A510) Key Size/Strength: 128, 192, 256 AES-ECB: (A501, AES 5261, AES 5272, AES 5273, AES 5274, AES 5275, AES 5278) This document may be reproduced and distributed only in its original entirely without revision.

Page 20

Name Type Description Properties Algorithms Key Size/Strength: AES-ECB: (C314, C315, C317, C318, C319, C320, C322, C323, C324, C326, C331, C358) Key Size/Strength: 128, 256 AES-CBC: (C315, C317, C318, C319, C320, C322, C326, C358, C314) Key Size/Strength: 128, 256 key wrapping / KTS-Wrap AES Key KTS (AES) [SP AES-KW: (A2843, key unwrapping Wrapping 800-38F]:AES- A2845, A2846) KW Key Size/Strength: 128, 192, 256 Random DRBG Random number CTR_DRBG Counter DRBG: Number generator using [SP800- (DRBG 2014, Generation AES-256 90ARev1]:AES- DRBG 2022, 256; No DRBG 2023, Derivation DRBG 2024, Function; DRBG 2025, Prediction DRBG 2028, Resistance A501, C323, Enabled C324, C331) Key Size/Strength: HMAC Message MAC Key Length 8 - HMAC [FIPS HMAC-SHA-1: Authentication 262144 bits/ Key 198]:SHA-1, (A2845, A2848) This document may be reproduced and distributed only in its original entirely without revision.

Page 21

Name Type Description Properties Algorithms Strength: 112 to SHA-224, SHA- HMAC-SHA2-

256 bits 256, SHA-384, 224: (A2845,

SHA-512, SHA- A2848) 512/256 HMAC-SHA2256: (A2845, A2848) HMAC-SHA2256: (A2849) SHA2-256: (for all SoCs but S3 that doesn't implement vng_neon) HMAC-SHA2384: (A2845, A2848) HMAC-SHA2512: (A2845, A2848) HMAC-SHA2512/256: (A2848) Message Digest SHA Hash function SHS [FIPS 180- SHA-1: (A2845, 4]:SHA-1, SHA- A2848) 224, SHA-256, SHA2-224: SHA-384, SHA- (A2845, A2848) 512, SHA- SHA2-256: 512/256 (A2845, A2848) SHA2-256: (A2849) SHA2-256: (for all SoCs but S3 that doesn't implement vng_neon) SHA2-384: (A2845, A2848) SHA2-512: (A2845, A2848) SHA2-512/256: (A2848) This document may be reproduced and distributed only in its original entirely without revision.

Page 22

Name Type Description Properties Algorithms Symmetric Key CKG AES Key Key Length / Key CKG: () Generation Generation Strength:256- AES key: Key bits Length/ Key Strength: 256 Table 12: Security Function Implementations

2.7 Algorithm Specific Information

SHA-1: The SHA-1 algorithm as implemented by the module will be non-approved for all purposes except signature verification, starting January 1, 2030.

2.8 RBG and Entropy

Cert Vendor Number Name E113 Apple Table 13: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample Apple corecrypto Physical See Tested 256 bit 256 bit SHA-256 [ACVP physical entropy Operational cert. # C1223] source Environment Table Table 14: Entropy Sources Entropy sources : The internal physical noise source consisting of ring oscillators. RBGs: The NIST [SP 800-90ARev1] approved deterministic random bit generators (DRBG) used for random number generation is a CTR_DRBG using AES-256 without derivation function and with prediction resistance. The module performs DRBG health tests according to [SP800-90ARev1 section 11.3]. The deterministic random bit generators are seeded by the physical noise source. RBG Output: The output of hardware entropy source provides 256-bits of security strength in instantiating and reseeding the module approved DRBGs. This document may be reproduced and distributed only in its original entirely without revision.

Page 23
2.9 Key Generation

See vendor affirmed algorithms (CKG) in section 2.5.

2.10 Key Establishment

The Module implements AES key wrapping and unwrapping as part of KTS in accordance with IG D.G method 2 and SP800-38F.

2.11 Industry Protocols

None for this module This document may be reproduced and distributed only in its original entirely without revision.

Page 24
3 Cryptographic Module Interfaces

The cryptographic interfaces of the module are provided through the mailbox interface that is used between the module and the Device OS kernel, and the IPC channel used between the module and other sepOS applications.

3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) Mailbox Data Input Data inputs/outputs are provided through the memory used for Memory, Data mailbox and IPC IPC channel Output Mailbox Control Control input which controls the module's operation is provided Memory, Input through the mailbox by the Device OS' kernel and to applications IPC channel located within the sepOS execution environment through IPC. Mailbox Status Status output is provided in return codes and through messages Memory, Output returned via the mailbox or the IPC. Documentation for each IPC channel service invocation lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation. Table 15: Ports and Interfaces The module’s logical interfaces used for input data and control information are logically disconnected from the logical paths used for the output of data and status information by virtue of the module's API. The module’s API distinguishes all output data from SSP information. The module does not implement a Control Output Logical Interface. This document may be reproduced and distributed only in its original entirely without revision.

Page 25
4 Roles, Services, and Authentication
4.1 Authentication Methods

Method Description Security Mechanism Strength Strength per Name Each Minute Attempt AES- Unwrapping function key wrapping / key 256-bits 60,000,000 * 1 / KW unwrapping 2^256 Implicit Implicit role assumption for None N/A N/A non-crypto services Table 16: Authentication Methods Within the constraints of FIPS 140-3 overall security level 2 (with physical security at security level 3), the module implements a role-based authentication mechanism for authentication of the user role. The module implements authenticated encryption-based mechanism in the following way: to request an authenticated service from the module the user must provide the credential and a reference to the class C or A keys of the user keybag that is stored encrypted under SP800-38F AES Key Wrapping (AES-KW) within the module. The module performs obfuscation on the Operator provided credential. The resulting value -called REK (Root Encryption Key)- is used as the 256-bit AES key. Using this key, the module decrypts all the class C or A keys in the referenced user keybag with SP800-38F AES Key Unwrapping function (i.e., AES-KW-AD). As AES-KW is an authentication cipher, the decryption operation will only succeed if there is no authentication error. If the user keybag can be successfully decrypted, the user is authenticated to the module and the requested crypto service will then be proceeded with the decrypted user key. The failure of decrypting the user keybag is also a user authentication failure and the Operator will be denied access to the module. The User keybags are configured in the module during factory install. Each User keybag consists of set of class C, A and D keys. Specifically, class C keys include C key, CK key, CKU keys and the class A keys include A key, AK key, AKU key and APKU key. Only the class A or C keys are considered as approved. Any use of class D keys is considered as non-approved. The module maintains authenticated session from the time the User keybags are unwrapped until the power off. Upon power off, the unwrapped User keybags are zeroized and at the next power on the User credential needs to be provided again in order to unwrap the User keybag. All authentication data is provided electronically from the calling application/service and hence is not in visible form. The module does not support concurrent operators. This document may be reproduced and distributed only in its original entirely without revision.

Page 26
4.2 Roles

Name Type Operator Type Authentication Methods User Role Authenticated AES-KW Crypto Officer Role Non- Implicit authenticated Table 17: Roles

4.3 Approved Services

Name Description Indicat Inputs Outputs Security SSP or Functions Access User Keybag Step 1: The Success User status Unauthenti User Services via module receives returne creden (success/e cated - Class A, Mailbox User credential d from tial, rror) Symmetric Class C, and the API referen Encryption Class AK, reference to the listed in ce to and Class class C or A key the class Decryption AKU, from the User custom C/A key Class CK, keybag; Step 2. er key wrapping / Class CKU Obfuscation is proprie from key in User performed on tary the unwrappin Keybag the User guidan user g (AES provided ce keybag keys): W,E credential docum - REK: W,E resulting into a ent value called Authentic REK.; Step 3. ation REK is used as a Credential key for the AES : W,E KW operation to unwrap the referenced class A or C keys in the user keybag stored in the module; Step 4. Status of unwrapping operation of class keys is returned via This document may be reproduced and distributed only in its original entirely without revision.

Page 27

Name Description Indicat Inputs Outputs Security SSP or Functions Access mailbox interface and the REK is zeroized. General The module Success User status key User Authentication invokes the returne creden (success/e wrapping / - Class A, service User Keybag d from tial, rror) key Class C, Services via API referen unwrappin Class AK, Mailbox (i.e. #1 listed in ce to g Class above) the class AKU, custom C/A Class CK, er key Class CKU proprie from in User tary the Keybag guidan user (AES ce keybag keys): W,E docum - REK: W,E ent Authentic ation Credential : W,E Generation of Step 1: The Success referen wrapped Symmetric User Data Encryption module receives returne ce to DEK Key - Class A, Key (DEK) the reference to d from class Generation Class C, the class C or A API C/A Class AK, key from the listed in key Class user keybag; the from AKU, Step 2: The custom the Class CK, module er User Class CKU generates a new proprie keybag in User DEK using the tary Keybag DRBG; Step 3: guidan (AES Referenced ce keys): W,E class C or A key docum - Entropy is used to wrap ent input the DEK using string: AES-KW; Step 4: W,E Wrapped DEK is - Data This document may be reproduced and distributed only in its original entirely without revision.

Page 28

Name Description Indicat Inputs Outputs Security SSP or Functions Access sent out of the Encryptio module n Key (DEK) (AES key): G,W,E Keychain DEK Step

  1. The Success pointer unwrappe key User service using module receives returne to d DEK wrapping / - Class A, AK/AKU/AKPU/ wrapped DEK d from AK/AK key Class C, CK/CKU class (that was sent API U/ unwrappin Class AK, key as part of listed in AKPU/ g Class service 3 above) the CK/ AKU, and the pointer custom CKU Class CK, to class key er class Class CKU AK/AKU/AKPU/ proprie key, in User CK/CKU from tary wrapp Keybag the user keybag; guidan ed DEK (AES Step
  2. Using ce keys): W,E the referenced docum - Data class key, the ent Encryptio module n Key unwraps the (DEK) DEK using AES- (AES key): KW. If the class W,E key is not available, an error is returned; Step 3. plaintext DEK is sent out to the User. (AS09.16) Backup keybag The module Success N/A status Random User generation generates new returne (success/e Number - Class A, set of back up d from rror) Generation Class C, keybags using API Class AK, the DRBG listed in Class the AKU, custom Class CK, er Class CKU This document may be reproduced and distributed only in its original entirely without revision.
Page 29

Name Description Indicat Inputs Outputs Security SSP or Functions Access proprie in Backup tary Keybag guidan (AES ce keys): G,E docum - Entropy ent input string: W,E - DRBG internal state: V vlaue, key, and seed material: W,E Backup keybag Step

  1. The Success wrapp wrapped key User service module receives returne ed DEK wrapping / - Class A, wrapped DEK d from DEK, key Class C, and the class API referen unwrappin Class AK, key reference listed in ce to g Class for C and A the class C AKU, from the user custom or A Class CK, keybag;
  2. Using er key Class CKU the referenced proprie from in User class key, the tary the Keybag module guidan user (AES unwraps the ce keybag keys): W,E DEK using AES- docum - Data KW. If the class ent Encryptio key is not n Key available, an (DEK) error is (AES key): returned;
  3. The W,E module - Entropy generates a set input of back up string: keybag using W,E DRBG; 4. - DRBG Unwrapped DEK internal is re-wrapped state: V This document may be reproduced and distributed only in its original entirely without revision.
Page 30

Name Description Indicat Inputs Outputs Security SSP or Functions Access with back up vlaue, key, keybag using and seed AES-KW; 5. material: Wrapped DEK is W,E sent out. - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys): R,W,E Escrow keybag The module Success N/A status Random User creation generates new returne (success/e Number - Class A, set of escrow d from rror) Generation Class C, keybag using API Class AK, the DRBG listed in Class the AKU, custom Class CK, er Class CKU proprie in Escrow tary Keybag guidan (AES ce keys): G,E docum - Entropy ent input string: W,E - DRBG internal state: V vlaue, key, and seed material: W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 31

Name Description Indicat Inputs Outputs Security SSP or Functions Access Export Keybag Step 1. The Success referen keybag HMAC User module receives returne ce to a with Message - HMAC reference to a d from keybag HMAC Authenticat key: W,E keybag; Step 2: API to be tag ion - Class A, A HMAC key is listed in export Message Class C, taken as input the ed Digest Class AK, based on the custom Class hardware er AKU, specific data for proprie Class CK, the SKS; Step 3: tary Class CKU HMAC value is guidan in User calculated on ce Keybag the entire docum (AES referenced ent keys): R,E keybag that - Class A, includes Class C, encrypted keys; Class AK, Step 4: HMAC is Class appended at AKU, the end of the Class CK, keybag; Step 5: Class CKU keybag with the in Backup appended Keybag HMAC is output (AES to the User keys): R,E - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Escrow Keybag (AES keys): R,E Device Wipe Erase all content Success N/A N/A None Crypto (Factory Reset) returne Officer d from - Class A, This document may be reproduced and distributed only in its original entirely without revision.

Page 32

Name Description Indicat Inputs Outputs Security SSP or Functions Access API Class C, listed in Class AK, the Class custom AKU, er Class CK, proprie Class CKU tary in User guidan Keybag ce (AES docum keys): Z ent - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys): Z - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Escrow Keybag (AES keys): Z - Data Encryptio n Key (DEK) (AES key): Z - Entropy input This document may be reproduced and distributed only in its original entirely without revision.

Page 33

Name Description Indicat Inputs Outputs Security SSP or Functions Access string: Z - DRBG internal state: V vlaue, key, and seed material: Z - HMAC key: Z Authentic ation Credential :Z - REK: Z Perform self test Initiate pre- N/A modul results of Unauthenti Crypto operational self- e self-test cated Officer test and CASTs power- Symmetric by powering off/on Encryption off/on and Decryption key wrapping / key unwrappin g Random Number Generation HMAC Message Authenticat ion Message Digest Show Status N/A N/A N/A status None Crypto Officer This document may be reproduced and distributed only in its original entirely without revision.

Page 34

Name Description Indicat Inputs Outputs Security SSP or Functions Access Show Module N/A N/A N/A Module None Crypto Version name and Officer Information version Table 18: Approved Services The abbreviations of the access rights to SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A = The service does not access any SSP during its operation

4.4 Non-Approved Services

Name Description Algorithms Role Class D key File Wrapping of provided plaintext DEK or AES KW using Crypto System Services to unwrapping of provided wrapped DEK class D key, keys Officer wrap or unwrap DEK using class D key from Backup keybag or from Device Flash in SEP keybag, keys from iCloud keybag or NVM storage controller key Class D key service to Encryption of provided plaintext or AES KW using Crypto encrypt or decrypt decryption of provided ciphertext using class D key, keys Officer data class D key from Device or iCloud from Device Keybag keybag, keys from iCloud keybag or NVM storage controller key Class DK/DKU File Wrapping of provided plaintext keychain AES KW using Crypto System Services to or unwrapping of provided wrapped class D key, keys Officer wrap or unwrap keychain using class DK/DKU key from from Device keychain Backup keybag or User keybag keybag, keys from iCloud keybag or NVM This document may be reproduced and distributed only in its original entirely without revision.

Page 35

Name Description Algorithms Role storage controller key Class DK/DKU key Encryption of provided plaintext or AES KW using Crypto service for data decryption of provided ciphertext using class D key, keys Officer encrypt or decrypt DK/DKU key from Device or iCloud from Device keybag keybag, keys from iCloud keybag or NVM storage controller key Generate Ref-Key Key Generation Ed25519 Key Crypto generation Officer Curve 25519 key generation ECDH Key Pair Generation Sign and verify using Signature Generation and Verification ECDSA Crypto Ref-key implemented in Officer FW ECDSA implemented in HW PKA Encryption and shared secret is generated using user AES-GCM Crypto decryption using Ref- provided key and existing ref key HKDF RFC5869 Officer key followed by HKDF is applied to derived a ECDSA key which is used to encrypt the implemented in provided plaintext or decrypt the FW provided ciphertext ECDSA implemented in HW PKA AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key Generate Shared Shared secret generation Ed25519 shared Crypto Secret using Ref-key secret Officer This document may be reproduced and distributed only in its original entirely without revision.

Page 36

Name Description Algorithms Role generation Curve 25519 shared secret generation ECDH Shared Secret Computation ECDH implemented in FW ECDH implemented in HW PKA Device Keybag service Encryption of provided plaintext or AES KW using Crypto for data encrypt or decryption of provided ciphertext using class D key, keys Officer decrypt any key from Device Keybag from Device keybag, keys from iCloud keybag or NVM storage controller key iCloud Keybag service Encryption of provided plaintext or AES KW using Crypto for data encrypt or decryption of provided ciphertext using class D key, keys Officer decrypt any key from iCloud Keybag from Device keybag, keys from iCloud keybag or NVM storage controller key Escrow keybag service Wrapping of provided plaintext key or AES KW using Crypto for key wrapping and unwrapping of provided wrapped key class D key, keys Officer unwrapping using any key from Escrow Keybag from Device keybag, keys from iCloud keybag or NVM storage controller key Encrypt or Decrypt shared secret is computed by generating Curve 25519 key Crypto service using Class B new ephemeral keypair and existing generation Officer Curve25519 key followed by HKDF is Curve 25519 This document may be reproduced and distributed only in its original entirely without revision.

Page 37

Name Description Algorithms Role Curve 22519 key from applied to derived a key which is used shared secret any keybag doe data encryption or decryption. generation During encryption operations, the HKDF RFC5869 wrapped key and the ephemeral public AES KW using key is sent to the user class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key Wrap or unwrap shared secret is computed by generating Curve 25519 key Crypto service for DEK or new ephemeral keypair and existing generation Officer keychain using any Curve25519 key followed by HKDF is Curve 25519 Curve 22519 key from applied to derived a key which is used shared secret asymmetric keybag to wrap and unwrap DEK or keychain. generation During wrapping operation, the wrapped HKDF RFC5869 key and the ephemeral public key is sent AES KW using to the user class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key Asymmetric (Ed25519) Pointer to Ed25519 Key Crypto backup keybag wrap DK/DKU/CK/CKU/AK/AKU/AKPU key generation Officer and unwrap from asymmetric keybag, plaintext Ed25519 shared keychain during wrapping operation or secret wrapped keychain during unwrapping generation operation HKDF RFC5869 AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key This document may be reproduced and distributed only in its original entirely without revision.

Page 38

Name Description Algorithms Role Wrap or unwrap shared secret is computed by generating Ed25519 Key Crypto service for keychain new ephemeral keypair and existing generation Officer using DK/DKU/CK/ Curve25519 key followed by HKDF is Ed25519 shared CKU/AK/AKU/AKPU applied to derived a key which is used secret Ed25519 key from to wrap and unwrap. The wrapped key generation asymmetric keybag and the ephemeral public key is sent to HKDF RFC5869 the user AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key NVM Storage wrapping DEK using NVM storage AES KW using Crypto Controller Key Service controller key class D key, keys Officer from Device keybag, keys from iCloud keybag or NVM storage controller key Elliptic Curve Encryption ECDH Shared Crypto Integrated Encryption Secret Officer Scheme (ECIES) Computation Encryption ANSI X9.63 KDF AES-GCM Elliptic Curve Decryption ECDH Shared Crypto Integrated Encryption Secret Officer Scheme (ECIES) Computation Decryption ANSI X9.63 KDF AES-GCM PBKDF Key Derivation Hash-based Key Derivation PBKDF Crypto Officer File system DEK Unwrap the DEK using referenced class AES KW using Crypto service key and re-wrap using NVM storage class D key, keys Officer controller key from Device keybag, keys from iCloud keybag or NVM This document may be reproduced and distributed only in its original entirely without revision.

Page 39

Name Description Algorithms Role storage controller key Generation of DEK via Requesting generate DEK service via IPC AES KW using Crypto IPC using class D key Channel using class D keys class D key, keys Officer from Device keybag, keys from iCloud keybag or NVM storage controller key Requesting backup Requesting backup keybag service via AES KW using Crypto keybag service via IPC IPC Channel using class D keys class D key, keys Officer using class D key from Device keybag, keys from iCloud keybag or NVM storage controller key Table 19: Non-Approved Services

4.5 External Software/Firmware Loaded

N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 40
5 Software/Firmware Security
5.1 Integrity Techniques

The Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware SL2] is in the form of binary executable code. A firmware integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e. the module is not operational. As the module is delivered built with the Device OS, there is no standalone delivery of the module. The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version

5.2 Initiate on Demand

The module’s integrity test can be performed on demand by powering-off and reloading the module. The integrity test on demand is performed as part of the Pre-Operational Self-Tests, automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.

Page 41
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Non-Modifiable

6.2 Configuration Settings and Restrictions

The module operates within the sepOS execution environment which is separate from the Device OS execution environment. The SEP operating system provides memory isolation between all applications executing on it. The Device OS is unable to access the module's memory or observe the module's operation. This document may be reproduced and distributed only in its original entirely without revision.

Page 42
7 Physical Security

The defined physical boundary of the Apple corecrypto Module v12 [Apple silicon, Secure Key Store, Hardware, SL2] is the entire System-on-Chip (SoC) listed in the Tested Module Identification table. Consequently, the physical embodiment of each SoC is considered to be that of a single-chip cryptographic module. The hardware module conforms to the Level 2 requirements for physical security. The physical components that comprise the module are of production grade components with industry standard passivation applied. The module is covered with tamper-evident coating that deter direct observation, probing, or manipulation of the single-chip as detailed in the Physical Security Mechanisms and Actions Required table.

7.1 Mechanisms and Actions Required

Mechanism Inspection Inspection Frequency Guidance Production Grade Components that include standard No operator- N/A passivation performed testing is recommended Tamper-Evident Coating or black hard coated material or No operator- N/A metal coating, SoC is soldered in logic board from the performed testing is Ball Grid Array (BGA) or SIP is embedded in hardened recommended resin. The components listed above are opaque within the visible spectrum. Table 20: Mechanisms and Actions Required This document may be reproduced and distributed only in its original entirely without revision.

Page 43
8 Non-Invasive Security
8.1 Mitigation Techniques

Per IG 12.A, until the requirements of NIST SP 800-140F are defined, non-invasive mechanisms fall under ISO/IEC 19790:2012 Section 7.12 Mitigation of other attacks. The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.

Page 44
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name Flash Preloaded at factory Static RAM Volatile memory Dynamic Table 21: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm User Input User RAM Plaintext Manual Direct Export Keybag Flash Operating Encrypted Automated Electronic key from Flash calling wrapping / application key (TOEPP) unwrapping Export Keybag RAM Operating Encrypted Automated Electronic key from RAM calling wrapping / application key (TOEPP) unwrapping Obfuscation of User RAM Plaintext Manual Direct User Input Authentication Credential Obtained from ENT (P) RAM Plaintext Automated Electronic Random ENT (P) Number Generation Pre-loaded from Factory Flash Plaintext Automated Electronic Factory install Table 22: SSP Input-Output Methods This document may be reproduced and distributed only in its original entirely without revision.

Page 45
9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Context object SSPs are zeroised when the Zeroization when N/A destruction appropriate context object structure is deallocated is destroyed Power Down SSPs are zeroised when the Powering down forces Operator can system is powered down context object destruction initiate a power down Device Wipe Erase all content (factory Factory reset zeroizes all Operator can reset) SSPs, including those initiate a device stored in Flash wipe Table 23: SSP Zeroization Methods Data output interfaces are inhibited while zeroisation is performed.

9.4 SSPs

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h Class A, Class AES keys 256- Symmetric - Unauthenticat C, Class AK, in user bits - CSP ed Symmetric Class AKU, keybag 256- Encryption and Class CK, bits Decryption Class CKU in key wrapping / User Keybag key (AES keys) unwrapping Class A, Class AES keys 256- Symmetric - Symmetri key wrapping / C, Class AK, in backup bits - CSP c Key key Class AKU, keybag 256- Generatio unwrapping Class CK, bits n Class CKU in Backup Keybag (AES keys) Class A, Class AES keys 256- Symmetric - Symmetri key wrapping / C, Class AK, in escrow bits - CSP c Key key Class AKU, keybag 256- Generatio unwrapping Class CK, bits n Class CKU in This document may be reproduced and distributed only in its original entirely without revision.

Page 46

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h Escrow Keybag (AES keys) Data AES keys 256- Symmetric - Symmetri key wrapping / Encryption in user bits - CSP c Key key Key (DEK) keybag 256- Generatio unwrapping (AES key) bits n Random Number Generation Entropy Entropy 256- Entropy - Random Random input string input bits - CSP Number Number string 256- Generatio Generation bits n DRBG Internal 256- DRBG - CSP Random Random internal state bits - Number Number state: V values 256- Generatio Generation vlaue, key, associate bits n and seed d with material CTR_DRB G HMAC key HMAC 112- Message Symmetri Random key bits - Authenticatio c Key Number 112- n Key - CSP Generatio Generation bits n Authenticatio User- N/A - User- key wrapping / n Credential provided N/A generated - key credential CSP unwrapping s REK Root 256- Symmetric - key wrapping / Encryptio bits - CSP key n Key 256- unwrapping bits Table 24: SSP Table 1 This document may be reproduced and distributed only in its original entirely without revision.

Page 47

Name Input - Storage Storage Zeroizatio Related SSPs Output Duration n Class A, Class Export Flash:Encrypte From Device C, Class AK, Keybag from d factory Wipe Class AKU, Flash install to Class CK, Pre-loaded deviceClass CKU in from Factory wipe User Keybag (AES keys) Class A, Class Export RAM:Encrypte From Context C, Class AK, Keybag from d service object Class AKU, RAM invocatio destructio Class CK, n to n Class CKU in service Power Backup completio Down Keybag (AES n keys) Class A, Class Export RAM:Encrypte From Context C, Class AK, Keybag from d service object Class AKU, RAM invocatio destructio Class CK, n to n Class CKU in service Power Escrow completio Down Keybag (AES n keys) Data Export RAM:Encrypte From Context Encryption Keybag from d service object Key (DEK) RAM invocatio destructio (AES key) n to n service Power completio Down n Entropy Obtained RAM:Encrypte From Context DRBG internal state: input string from ENT (P) d service object V vlaue, key, and invocatio destructio seed material:Used n to n With service Power completio Down n This document may be reproduced and distributed only in its original entirely without revision.

Page 48

Name Input - Storage Storage Zeroizatio Related SSPs Output Duration n DRBG RAM:Encrypte From Context Entropy input internal d service object string:Derived From state: V invocatio destructio vlaue, key, n to n and seed service Power material completio Down n HMAC key RAM:Encrypte From Context d service object invocatio destructio n to n service Power completio Down n Authenticati User Input RAM:Obfuscat From Context REK:Derives on ed service object Credential invocatio destructio n to n service Power completio Down n REK Obfuscation RAM:Plaintext From Context Authentication of User Input service object Credential:Obfuscati Authenticati invocatio destructio on from on n to n Credential service Power completio Down n Table 25: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.

Page 49
10 Self-Tests

While the module is executing the self-tests, services are not available, and input and output are inhibited.

10.1 Pre-Operational Self-Tests

The module performs a pre-operational firmware integrity automatically when the module is loaded into memory (i.e., at power on) before the module transitions to the operational state. A firmware integrity test is performed on the firmware component of the module. The module’s HMAC-SHA256 is used as an approved integrity technique. Prior to using HMAC-SHA-256, a Conditional Cryptographic Algorithm Self-Tests (CAST) KAT is performed on the HMAC algorithm. Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 112-bit Message SW/FW If the test The HMAC value is preSHA2-256 key Authentication Integrity fails, then computed at build time (A2845) the module and stored in the enters an module. The HMAC Error State. value is recalculated during runtime and compared with the stored value. Table 26: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Condition or Test Properties Method Type s HMAC- SHA2-256 KAT CAS Module Message Test runs SHA2-512 T becomes authentication at Power(A2845) operationa on before l the integrity test AES-CBC 128-bit KAT CAS Module Encryption Test runs (A2842) key T becomes at Poweroperationa on before l the integrity test This document may be reproduced and distributed only in its original entirely without revision.

Page 50

Algorithm Test Test Test Indicator Details Condition or Test Properties Method Type s AES-ECB 128-bit KAT CAS Module Decryption Test runs (A2842) key T becomes at Poweroperationa on before l the integrity test AES-KW 128-bit KAT CAS Module Wrapping/Unwrappin Test runs (A2843) key T becomes g at Poweroperationa on before l the integrity test Counter AES 128- KAT CAS Module Health test per Test runs DRBG bit key T becomes SP800- 90ARev1 at Power(DRBG operationa section 11.3 on before 2014) l the integrity test ESV-RCT Repetition fault- CAS successful SP 800-90B 4.4.1 upon (Startup) Count detectio T seeding of Repetition Count Test startup of Test n test SP 800- entropy performe 90A DRBG source d at entropy source startup ESV-RCT Repetition fault- CAS successful SP 800-90B 4.4.1 upon (Continuous Count detectio T seeding of Repetition Count Test seeding ) Test n test SP 800- or performe 90A DRBG reseeding d every SP 800invocation 90A DRBG of entropy source after startup This document may be reproduced and distributed only in its original entirely without revision.

Page 51

Algorithm Test Test Test Indicator Details Condition or Test Properties Method Type s ESV-APT Adaptive fault- CAS successful SP 800-90B 4.4.2 upon (Startup) Proportio detectio T seeding of Adaptive Proportion startup of n Test n test SP 800- Test entropy performe 90A DRBG source d at etnropy source startup ESV-APT Adaptive fault- CAS successful SP 800-90B 4.4.2 upon (Continuous Proportio detectio T seeding of Adaptive Proportion seeding ) n Test n test SP 800- Test or performe 90A DRBG reseeding d at every SP 800invocation 90A DRBG of entropy source every invocation after startup Table 27: Conditional Self-Tests

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2- Message SW/FW Integrity Whenever Upon every

256 (A2845) Authentication module is power-on

powered on Table 28: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2- KAT CAST On Demand Manually

512 (A2845)

This document may be reproduced and distributed only in its original entirely without revision.

Page 52

Algorithm or Test Method Test Type Period Periodic Method Test AES-CBC KAT CAST On Demand Manually (A2842) AES-ECB (A2842) KAT CAST On Demand Manually AES-KW (A2843) KAT CAST On Demand Manually Counter DRBG KAT CAST On Demand Manually (DRBG 2014) ESV-RCT fault-detection CAST On demand Manually (Startup) test ESV-RCT fault-detection CAST On demand Manually (Continuous) test ESV-APT fault-detection CAST On demand Manually (Startup) test ESV-APT fault-detection CAST On demand Manually (Continuous) test Table 29: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The HMAC-SHA-256 Pre- Power for Integrity: print statement state value computed over the operational off/on "FAILED: module did not match Firmware fipspost_post_integrity" to the pre- computed value, Integrity Test stdout; OR the computed value failure OR in the invoked Conditional for CAST: sprint statement Conditional CAST did not CAST failure "FAILED:<event>" to stdout match the known value. (<event> refers to any of the No cryptographic cryptographic functions services are provided, listed in the Conditional Selfand data output is test Table) prohibited Table 30: Error States This document may be reproduced and distributed only in its original entirely without revision.

Page 53
10.5 Operator Initiation of Self-Tests

The module permits operators to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by reloading the module. This document may be reproduced and distributed only in its original entirely without revision.

Page 54
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Startup Procedures: As the module is delivered built with the Device OS, there is no standalone delivery of the module. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection used during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self- tests.

11.2 Administrator Guidance

The biometric authentication option provided by the underlying test platform shall be disabled in order to run the module in the FIPS validated manner. The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/113 Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation.

11.3 Non-Administrator Guidance

The User role is authenticated with the mechanism described in section 4. The User role can access the module via mailbox interface using the Device OS’s XNU kernel. The User role can perform subset of services from Table - Approved Algorithms. As stated in the Administrator Guidance section above, the Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services. This transition cannot be made by the User directly, as all non-approved services require an implicit transition into the Crypto-Officer role. Any calling of such services is therefore implicitly performed by the Crypto Officer. This document may be reproduced and distributed only in its original entirely without revision.

Page 55
11.4 End of Life

The Device Wipe service erases the module content. When performing a Device Wipe service to erase all content of the module, the procedure must be performed under the control of the Operator. This document may be reproduced and distributed only in its original entirely without revision.

Page 56
12 Mitigation of Other Attacks

The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.

Page 57

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interfaces APT Adaptive Proportion Test (SP800-90B health test) BGA Ball Grid Array (Physical Security) CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CMVP Cryptographic Module Validation Program CST Cryptographic and Security Testing CTR Counter Mode DEK Data Encryption Key DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDSA DSA (Digital Signature Algorithm) based on Elliptic Curve Cryptography (ECC) EMI Electromagnetic Interference (Physical Security) ESV NIST entropy source validation program providing SP 800-90B compliant entropy validation certificate FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code IPC Inter-Process Communication IHS Integrated Heat Spreader (Physical Security) KAT Known Answer Test KDF Key Derivation Function KEK Key Encryption Key KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology NVM Non-Volatile Memory OFB Output Feedback OS Operating System PBKDF Password Based Key Derivation Function RCT Repetition Count Test (SP800-90B health test) SEP Secure Enclave Processor SHA Secure Hash Algorithm This document may be reproduced and distributed only in its original entirely without revision.

Page 58

Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program January 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM CMVP FIPS 140-3 Management Manual February 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3-CMVP%20Management%20Manual%20v2.1%5B02-292024%5D.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) March 2020 https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements March 2020 https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140Br1 CMVP Security Policy Requirements November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 SP 800-140C CMVP Approved Security Functions July 2023 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Cr2.pdf SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods July 2023 https://doi.org/10.6028/NIST.SP.800-140Dr2 SP 800-140E CMVP Approved Authentication Mechanisms March 2020 https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics March 2020 https://csrc.nist.gov/publications/detail/sp/800-140f/final This document may be reproduced and distributed only in its original entirely without revision.

Page 59

FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-5 Digital Signature Standard (DSS) F3b 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf This document may be reproduced and distributed only in its original entirely without revision.

Page 60

SP800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://doi.org/10.6028/NIST.SP.800-57pt1r5 SP800-67r2 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 (withdrawn January 2014) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-108r1 NIST Special Publication 800-108r1 - Recommendation for Key Derivation Using Pseudorandom Functions Aug 2022 https://doi.org/10.6028/NIST.SP.800-108r1 SP800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SEC Apple Platform Security https://support.apple.com/guide/security/welcome/web https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf platform certifications Apple Platform Certifications https://support.apple.com/guide/certifications/welcome/web This document may be reproduced and distributed only in its original entirely without revision.