All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Oracle Linux 9 Kernel Crypto API Cryptographic Module

Certificate#5036StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorOracle Corporation
Medium review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 5358 CVEs since this module's initial validation  ·  last validated 12 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/2/2030
CaveatWhen operated in approved mode. The module generates random strings whose strengths are modified by available entropy.
VendorOracle Corporation

Approved Algorithms (178)

AlgorithmACVP Cert
AES-CBCA5278, A5285, A5288
AES-CBC-CS3A5282, A5293
AES-CCMA5278, A5288
AES-CFB128A5280, A5291
AES-CMACA5278, A5288
AES-CTRA5278, A5285, A5288
AES-ECBA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290
AES-GCMA5278, A5284, A5285, A5287, A5288, A5290
AES-GMACA5278, A5288
AES-OFBA5281, A5292
AES-XTS Testing Revision 2.0A5278, A5285, A5288
Counter DRBGA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290
Hash DRBGA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296
HMAC DRBGA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296
HMAC-SHA-1A5277, A5278, A5294, A5295, A5296, A5297
HMAC-SHA2-224A5277, A5278, A5294, A5295, A5296, A5297
HMAC-SHA2-256A5277, A5278, A5294, A5295, A5296, A5297
HMAC-SHA2-384A5277, A5278, A5294, A5295, A5296
HMAC-SHA2-512A5277, A5278, A5294, A5295, A5296
HMAC-SHA3-224A5279
HMAC-SHA3-256A5279
HMAC-SHA3-384A5279
HMAC-SHA3-512A5279
KAS-FFC-SSC Sp800- 56Ar3A5277
RSA SigVer (FIPS186-4)A5278, A5294, A5295, A5296
RSA SigVer (FIPS186-5)A5278, A5294, A5295, A5296
SHA-1A5277, A5278, A5294, A5295, A5296, A5297
SHA2-224A5277, A5278, A5294, A5295, A5296, A5297
SHA2-256A5277, A5278, A5294, A5295, A5296, A5297
SHA2-384A5277, A5278, A5294, A5295, A5296
SHA2-512A5277, A5278, A5294, A5295, A5296
SHA3-224A5279
SHA3-256A5279
SHA3-384A5279
SHA3-512A5279
SHA-1 (A5278)
SHA-1 (A5294)
SHA-1 (A5295)
SHA-1 (A5296)
SHA2-224 (A5278)
SHA2-224 (A5294)
SHA2-224 (A5295)
SHA2-224 (A5296)
SHA2-256 (A5278)
SHA2-256 (A5294)
SHA2-256 (A5295)
SHA2-256 (A5296)
SHA2-384 (A5278)
SHA2-384 (A5294)
SHA2-384 (A5295)
SHA2-384 (A5296)
SHA2-512 (A5278)
SHA2-512 (A5294)
SHA2-512 (A5295)
SHA2-512 (A5296)
SHA3-224 (A5279)
SHA3-256 (A5279)
SHA3-384 (A5279)
SHA3-512 (A5279)
AES-ECB (A5278)
AES-ECB (A5283)
AES-ECB (A5284)
AES-ECB (A5285)
AES-ECB (A5286)
AES-ECB (A5287)
AES-ECB (A5289)
AES-ECB (A5290)
AES-ECB (A5277)
AES-ECB (A5288)
AES-CBC (A5278)
AES-CBC (A5285)
AES-CBC-CS3 (A5293)
AES-OFB (A5292)
AES-CFB128 (A5291)
AES-CTR (A5278)
AES-CTR (A5288)
AES-CCM (A5288)
AES-GCM (A5278)
AES-GCM (A5283)
AES-GCM (A5284)
AES-GCM (A5285)
AES-GCM (A5286)
AES-GCM (A5287)
AES-GCM (A5288)
AES-GCM (A5289)
AES-GCM (A5290)
AES-XTS Testing Revision 2.0 (A5278)
AES-XTS Testing Revision 2.0 (A5288)
AES-CMAC (A5288)
HMAC-SHA-1 (A5278)
HMAC-SHA-1 (A5294)
HMAC-SHA-1 (A5295)
HMAC-SHA-1 (A5296)
HMAC-SHA2-224 (A5278)
HMAC-SHA2-224 (A5294)
HMAC-SHA2-224 (A5295)
HMAC-SHA2-224 (A5296)
HMAC-SHA2-256 (A5278)
HMAC-SHA2-256 (A5294)
HMAC-SHA2-256 (A5295)
HMAC-SHA2-256 (A5296)
HMAC-SHA2-384 (A5278)
HMAC-SHA2-384 (A5294)
HMAC-SHA2-384 (A5295)
HMAC-SHA2-384 (A5296)
HMAC-SHA2-512 (A5278)
HMAC-SHA2-512 (A5294)
HMAC-SHA3-224 (A5279)
HMAC-SHA2-512 (A5295)
HMAC-SHA2-512 (A5296)
HMAC-SHA3-256 (A5279)
HMAC-SHA3-384 (A5279)
HMAC-SHA3-512 (A5279)
KAS-FFC-SSC Sp800-56Ar3 (A5277)
Counter DRBG (A5278)
Counter DRBG (A5283)
Counter DRBG (A5284)
Counter DRBG (A5285)
Counter DRBG (A5286)
Counter DRBG (A5287)
Counter DRBG (A5288)
Counter DRBG (A5289)
Counter DRBG (A5290)
Hash DRBG (A5278)
Hash DRBG (A5283)
Hash DRBG (A5284)
Hash DRBG (A5285)
Hash DRBG (A5286)
Hash DRBG (A5287)
Hash DRBG (A5288)
Hash DRBG (A5289)
Hash DRBG (A5290)
Hash DRBG (A5294)
Hash DRBG (A5295)
Hash DRBG (A5296)
HMAC DRBG (A5278)
HMAC DRBG (A5283)
HMAC DRBG (A5284)
HMAC DRBG (A5285)
HMAC DRBG (A5286)
HMAC DRBG (A5287)
HMAC DRBG (A5288)
HMAC DRBG (A5289)
HMAC DRBG (A5290)
HMAC DRBG (A5294)
HMAC DRBG (A5295)
HMAC DRBG (A5296)
RSA SigVer (FIPS186-5) (A5278)
RSA SigVer (FIPS186-5) (A5294)
RSA SigVer (FIPS186-5) (A5295)
RSA SigVer (FIPS186-5) (A5296)
Entropy Source (RCT Start-Up)
Entropy Source (APT Start-Up)
Entropy Source (RCT Runtime)
Entropy Source (APT Runtime)
Counter DRBG (A5277)
Hash DRBG (A5277)
HMAC DRBG (A5277)
HMAC-SHA-1 (A5277)
HMAC-SHA-1 (A5297)
HMAC-SHA2-224 (A5277)
HMAC-SHA2-224 (A5297)
HMAC-SHA2-256 (A5277)
HMAC-SHA2-256 (A5297)
HMAC-SHA2-384 (A5277)
SHA-1 (A5277)
SHA-1 (A5297)
SHA2-224 (A5277)
SHA2-224 (A5297)
SHA2-256 (A5277)
SHA2-256 (A5297)
SHA2-384 (A5277)
SHA2-512 (A5277)
HMAC-SHA2-512 (A5277)
SP 800-56Ar3
SP 800-56Cr2
SP 800-90Ar1
SP 800-90B

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Oracle Linux 9 Kernel Crypto API Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Error State</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Oracle Linux 9 Kernel Crypto API Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Error State</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Oracle Corporation Oracle Linux 9 Kernel Crypto API Cryptographic Module Software Version: kernel: 5.14.0-362.24.1.0.4.el9_3 libkcapi: 1.3.1-3.0.1.el9 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com Document Version 1.1 ©Oracle Corporation

Page 2

Title: Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy Date: June 30th, 2025 Contributing Authors: Oracle Linux Engineering Security Evaluations

2300 Oracle Way

Austin, TX 78741 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 www.oracle.com hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy i

Page 3
Table of Contents
#SectionPage
1General1
1.1Overview1
1.1.1How This Security Policy was prepared1
1.2Security Levels1
2Cryptographic Module Specification2
2.1Description2
2.2Tested and Vendor Affirmed Module Version and Identification3
2.3Excluded Components3
2.4Modes of Operation3
2.5Algorithms4
2.6Security Function Implementations6
2.7Algorithm Specific Information8
2.7.1AES GCM IV8
2.7.2AES XTS9
2.7.3SP 800-56Arev3 Assurances9
2.7.4RSA9
2.8RBG and Entropy9
2.9Key Generation10
2.10Key Establishment10
2.11Industry Protocols10
3Cryptographic Module Interfaces11
3.1Ports and Interfaces11
4Roles, Services, and Authentication12
4.1Authentication Methods12
4.2Roles12
4.3Approved Services12
4.4Non-Approved Services14
4.5External Software/Firmware Loaded14
5Software/Firmware Security15
5.1Integrity Techniques15
5.2Initiate on Demand15
6Operational Environment16
6.1Operational Environment Type and Requirements16
6.2Configuration Settings and Restrictions16
7Physical Security17
8Non-Invasive Security18
9Sensitive Security Parameters Management19
9.1Storage Areas19
9.2SSP Input-Output Methods19
9.3SSP Zeroization Methods19
9.4SSPs19
9.5Transitions21
10Self-Tests22
10.1Pre-Operational Self-Tests22
10.2Conditional Self-Tests22
10.3Periodic Self-Test Information29
10.4Error States32
10.5Operator Initiation of Self-Tests32
11Life-Cycle Assurance33
11.1Installation, Initialization, and Startup Procedures33
11.2Administrator Guidance33
11.3Non-Administrator Guidance33
11.4End of Life33
12Mitigation of Other Attacks34
Appendix A. Glossary and Abbreviations35
Appendix B. References36
Page 4

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy iii

Page 5
List of Tables
ItemPage
Table 1: Security Levels1
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)3
Table 3: Tested Operational Environments - Software, Firmware, Hybrid3
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid3
Table 5: Modes List and Description3
Table 6: Approved Algorithms5
Table 7: Non-Approved, Not Allowed Algorithms6
Table 8: Security Function Implementations8
Table 9: Entropy Certificates9
Table 10: Entropy Sources9
Table 11: Ports and Interfaces11
Table 12: Roles12
Table 13: Approved Services14
Table 14: Non-Approved Services14
Table 15: Storage Areas19
Table 16: SSP Input-Output Methods19
Table 17: SSP Zeroization Methods19
Table 18: SSP Table 120
Table 19: SSP Table 221
Table 20: Pre-Operational Self-Tests22
Table 21: Conditional Self-Tests29
Table 22: Pre-Operational Periodic Information29
Table 23: Conditional Periodic Information32
Table 24: Error States32
Page 6
List of Figures
ItemPage
Figure 1: Block Diagram2
Page 7
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for Oracle Linux 9 Kernel Crypto API Cryptographic Module versions:

1.1.1 How This Security Policy was prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

N/A N/A N/A Table 1: Security Levels Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 8
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Oracle Linux 9 Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the loadable kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1: Block Diagram Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 9
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
/boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9N/A/boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmacHMAC-SHA-512; RSA signature verification
Oracle Linux 9Oracle Linux 9ORACLE SERVER X9-2c5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9Intel Xeon Platinum 8358YesKVM on Oracle Linux 8
Oracle Linux 9Oracle Linux 9ORACLE SERVER E4-2c5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9AMD EPYC 7J13YesKVM on Oracle Linux 8
Oracle Linux 9Oracle Linux 9Oracle X Series Servers
Oracle Linux 9Oracle Linux 9Oracle E Series Servers
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
/boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9N/A/boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmacHMAC-SHA-512; RSA signature verification
Oracle Linux 9Oracle Linux 9ORACLE SERVER X9-2c5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9Intel Xeon Platinum 8358YesKVM on Oracle Linux 8
Oracle Linux 9Oracle Linux 9ORACLE SERVER E4-2c5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9AMD EPYC 7J13YesKVM on Oracle Linux 8
Oracle Linux 9Oracle Linux 9Oracle X Series Servers
Oracle Linux 9Oracle Linux 9Oracle E Series Servers
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
/boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9N/A/boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmacHMAC-SHA-512; RSA signature verification
Oracle Linux 9Oracle Linux 9ORACLE SERVER X9-2c5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9Intel Xeon Platinum 8358YesKVM on Oracle Linux 8
Oracle Linux 9Oracle Linux 9ORACLE SERVER E4-2c5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9AMD EPYC 7J13YesKVM on Oracle Linux 8
Oracle Linux 9Oracle Linux 9Oracle X Series Servers
Oracle Linux 9Oracle Linux 9Oracle E Series Servers
Service
NameDescriptionIndicatorType
Non- approved modeAutomatically entered whenever a non-approved service is requested.No service indicator required for non-approved services per IG 2.4.CNon- Approved
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Nonapproved Table 5: Modes List and Description Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 10
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA5278, A5285, A5288Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A5282, A5293Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA5278, A5288Key Length - 128, 192, 256SP 800-38C
AES-CFB128A5280, A5291Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA5278, A5288Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA5278, A5285, A5288Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA5278, A5284, A5285, A5287, A5288, A5290Direction - Decrypt, Encrypt IV Generation - External Key Length - 128, 192, 256SP 800-38D
AES-GCMA5283, A5286, A5289Direction - Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GMACA5278, A5288Direction - Decrypt, Encrypt IV Generation - External Key Length - 128, 192, 256SP 800-38D
AES-OFBA5281, A5292Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A5278, A5285, A5288Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Hash DRBGA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A5277, A5278, A5294, A5295, A5296, A5297Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A5277, A5278, A5294, A5295, A5296, A5297Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A5277, A5278, A5294, A5295, A5296, A5297Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A5277, A5278, A5294, A5295, A5296Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A5277, A5278, A5294, A5295, A5296Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A5279Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A5279Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A5279Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A5279Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
KAS-FFC-SSC Sp800- 56Ar3A5277Domain Parameter Generation Methods - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Scheme - dhEphem - KAS Role - initiator, responderSP 800-56A Rev. 3
RSA SigVer (FIPS186-4)A5278, A5294, A5295, A5296Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-5)A5278, A5294, A5295, A5296Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5FIPS 186-5
Safe Primes Key GenerationA5277Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192SP 800-56A Rev. 3
SHA-1A5277, A5278, A5294, A5295, A5296, A5297Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 180-4
SHA2-224A5277, A5278, A5294, A5295, A5296, A5297Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 180-4
SHA2-256A5277, A5278, A5294, A5295, A5296, A5297Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 180-4
SHA2-384A5277, A5278, A5294, A5295, A5296Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 180-4
SHA2-512A5277, A5278, A5294, A5295, A5296Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 180-4
SHA3-224A5279Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 202
SHA3-256A5279Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 202
SHA3-384A5279Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 202
SHA3-512A5279Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2FIPS 202

After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 11

Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 12
Service
NameDescriptionApproved FunctionsTypeProperties
AES GCM with external IVEncryption
KBKDF (libkcapi)Key derivation
HKDF (libkcapi)Key derivation
PBKDF2 (libkcapi)Password-based key derivation
RSAEncryption primitive; Decryption primitive
RSA with PKCS#1 v1.5 paddingSignature generation (pre-hashed message); Signature verification (pre-hashed message)
KAS-FFC-SSCShared Secret ComputationKAS-FFC-SSC Sp800-56Ar3: (A5277)KAS-SSCKeys:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 bit keys with 112-200 bits of key strength Compliance:Compliant with IG D.F scenario 2(1)
Safe Primes Key GenerationKey GenerationSafe Primes Key Generation: (A5277)CKGGroups:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
Encryption with AESEncrypt a plaintext with AESAES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288)BC-UnAuthKey size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only)
Decryption with AESDecrypt a ciphertext with AESAES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288)BC-UnAuthKey size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only)
HashingCompute a message digestSHA-1: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-224: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-256: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-384: (A5277, A5278,SHASHA-1:N/A SHA2-224:N/A SHA2-256:N/A SHA2-384:N/A SHA2-512:N/A SHA3-224:N/A SHA3-256:N/A SHA3-384:N/A SHA3-512:N/A
Service
NameDescriptionApproved FunctionsTypeProperties
AES GCM with external IVEncryption
KBKDF (libkcapi)Key derivation
HKDF (libkcapi)Key derivation
PBKDF2 (libkcapi)Password-based key derivation
RSAEncryption primitive; Decryption primitive
RSA with PKCS#1 v1.5 paddingSignature generation (pre-hashed message); Signature verification (pre-hashed message)
KAS-FFC-SSCShared Secret ComputationKAS-FFC-SSC Sp800-56Ar3: (A5277)KAS-SSCKeys:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 bit keys with 112-200 bits of key strength Compliance:Compliant with IG D.F scenario 2(1)
Safe Primes Key GenerationKey GenerationSafe Primes Key Generation: (A5277)CKGGroups:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
Encryption with AESEncrypt a plaintext with AESAES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288)BC-UnAuthKey size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only)
Decryption with AESDecrypt a ciphertext with AESAES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288)BC-UnAuthKey size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only)
HashingCompute a message digestSHA-1: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-224: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-256: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-384: (A5277, A5278,SHASHA-1:N/A SHA2-224:N/A SHA2-256:N/A SHA2-384:N/A SHA2-512:N/A SHA3-224:N/A SHA3-256:N/A SHA3-384:N/A SHA3-512:N/A
Message authenticationCompute a MAC tag for authenticationAES-CMAC: (A5278, A5288) AES-GMAC: (A5278, A5288) HMAC-SHA-1: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-224: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-256: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-384: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-512: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA3-224: (A5279) HMAC-SHA3-256: (A5279) HMAC-SHA3-384: (A5279) HMAC-SHA3-512: (A5279)MACHMAC key size(s):112- 524288 bits (112-256 bits) AES key size(s):128, 192, 256 bits
Random number generation with DRBGsGenerate random numbers from DRBGsCounter DRBG: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) Hash DRBG: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296) HMAC DRBG: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296)DRBGCounter DRBG:128, 192, 256 bits HMAC DRBG:128, 256 bits Hash DRBG:128, 256 bits
Signature verification with RSAVerify a signature with RSARSA SigVer (FIPS186-4): (A5278, A5294, A5295, A5296) RSA SigVer (FIPS186-5): (A5278, A5294, A5295, A5296)DigSig-SigVerPadding:PKCS#1 v1.5 Hashes:SHA1, SHA-224, SHA-256, SHA-384, SHA- 512 Key size(s):2048, 3072, 4096 bits (112, 128, 150 bits)
Authenticated encryption with AESEncrypt and authenticate a plaintext with AESAES-CCM: (A5278, A5288) AES-GCM: (A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290)BC-AuthKey size(s):128, 192, 256 bits
Authenticated decryption with AESDecrypt and authenticate a ciphertext with AESAES-CCM: (A5278, A5288) AES-GCM: (A5278, A5285, A5287, A5288, A5290, A5283, A5284, A5286, A5289)BC-AuthKey size(s):128, 192, 256 bits
Key wrappingKey wrappingAES-CCM: (A5278, A5288) AES-GCM: (A5283, A5285, A5286, A5289) AES-CBC: (A5278, A5285,KTS-WrapKey size(s):128, 192, 256 bits
Key unwrappingKey unwrappingAES-CCM: (A5278, A5288) AES-GCM: (A5278, A5284, A5287, A5288, A5290) AES-CBC: (A5278, A5285, A5288) HMAC-SHA-1: (A5277, A5295, A5296, A5278, A5294) HMAC-SHA2-256: (A5295, A5296, A5278, A5294) HMAC-SHA2-384: (A5295, A5296, A5278, A5294) HMAC-SHA2-512: (A5295, A5296, A5278, A5294) AES-CTR: (A5278, A5285, A5288)KTS-WrapKey sizes(s):128, 192, 256 bits

Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 13

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 14

Table 8: Security Function Implementations

2.7 Algorithm Specific Information

Legacy use: Digital Signature Verification with SHA-1 is allowed for legacy use only. The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in section 4.3. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 15
Sensitive security parameter
NameTypeStrengthOperational EnvironmentEntropy per SampleConditioning Component
Oracle Linux 9 Kernel CPU Time Jitter RNG Entropy SourceNon- Physical64 bitsOracle Linux 9 on KVM on Oracle Linux 8 on Oracle SERVER X9-2c; Oracle Linux 9 on KVM on Oracle Linux 8 on ORACLE SERVER E4-2c57.46 bitsLinear-Feedback Shift Register (LFSR)
CertVendor Name
Number
E151Oracle Corporation
2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.7.3 SP 800-56Arev3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use Diffie-Hellman shared secret computation algorithm with NVMe protocol. Additionally, the module’s approved key pair generation service (see section 2.9) must be used to generate ephemeral Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3. The module is compliant to IG D.F scenario 2 path (1).

2.7.4 RSA

For RSA signature verification, the module supports modulus sizes 2048, 3072, and 4096 bits compliant to IG C.F. All supported modulus sizes have been CAVP tested.

2.8 RBG and Entropy

Table 9: Entropy Certificates Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: CTR_DRBG, Hash_DRBG, and HMAC_DRBG. Each of these DRBG implementations can be instantiated by the operator of the module. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA2-512 DRBG implementation for internal purposes (e.g. to generate initialization vectors). This DRBG is initially seeded with 384 output bits from the entropy source (344 bits of entropy) and reseeded with 256 output bits from the entropy source (229 bits of entropy). Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 16
2.9 Key Generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The module implements safe primes key pair generation: compliant with SP 800-133r2, Section 5.2, which maps to SP 800-56Ar3. The method described in Section 5.6.1.1.4 of SP 800-56Ar3 (“Testing Candidates”) is used. Intermediate key generation values are not output from the module and are explicitly zeroized after processing the service.

2.10 Key Establishment

The module provides DH shared secret computation. Additionally, as permitted by IG D.G, the module provides key transport either by using an approved authenticated encryption mode or by a combination of any approved symmetric encryption mode and an approved authentication method.

2.11 Industry Protocols

AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than the AES GCM implementation, have been tested by the CAVP and CMVP. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 17
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI data input parameters, AF_ALG type sockets
N/AN/AData OutputAPI output parameters, AF_ALG type sockets
N/AN/AControl InputAPI function calls, API control input parameters, AF_ALG type sockets, kernel command line
N/AN/AStatus OutputAPI return values, AF_ALG type sockets, kernel logs
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 18
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleNone
Message digestCompute a message digestCrypto OfficerHashingcrypto_shash_init returns 0MessageDigest value
Key wrappingWrap a keyCrypto Officer - AES key: W,E - HMAC key: W,EKey wrappingcrypto_skcipher_setkey returns 0; crypto_shash_init returns 0AES key, key to be wrappedwrapped key
Key unwrappingUnwrap a keyCrypto Officer - AES key: W,E - HMAC key: W,EKey unwrappingcrypto_skcipher_setkey returns 0; crypto_shash_init returns 0AES key, key to be unwrappedunwrapped key
EncryptionEncrypt a plaintextCrypto Officer - AES key: W,EEncryption with AEScrypto_skcipher_setkey returns 0AES key, plaintextCiphertext
DecryptionDecrypt a ciphertextCrypto Officer - AES key: W,EDecryption with AEScrypto_skcipher_setkey returns 0AES key, ciphertextPlaintext
Authenticated encryptionEncrypt and authenticate a plaintextCrypto Officer - AES key: W,EAuthenticated encryption with AESFor all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag setAES key, plaintextCiphertext, MAC tag
Authenticated decryptionEncrypt and authenticate a ciphertextCrypto Officer - AES key: W,EAuthenticated decryption with AESFor all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag setAES key, ciphertext, MAC tagPlaintext or failure
Message authenticationCompute a MAC tagCrypto Officer - AES key: W,E - HMAC key: W,EMessage authenticationcrypto_shash_init returns 0AES: AES key, message; HMAC: HMAC key, messageMAC tag
Shared Secret ComputationCompute a shared secretCrypto Officer - DH private key: W,E - DH remote public key: W,E - Shared secret: G,RKAS-FFC-SSCcrypto_kpp_compute_shared_secret returns 0DH private key, DH remote public keyShared secret
Key Pair GenerationKey Pair GenerationCrypto Officer - DH private key: G,R - DH remote public key: G,R - IntermediateSafe Primes Key Generationcrypto_kpp_set_secret and crypto_kpp_generate_public_key return 0GroupDH private key, DH remote public key
Service
NameDescriptionRolesRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleNone
Message digestCompute a message digestCrypto OfficerHashingcrypto_shash_init returns 0MessageDigest value
Key wrappingWrap a keyCrypto Officer - AES key: W,E - HMAC key: W,EKey wrappingcrypto_skcipher_setkey returns 0; crypto_shash_init returns 0AES key, key to be wrappedwrapped key
Key unwrappingUnwrap a keyCrypto Officer - AES key: W,E - HMAC key: W,EKey unwrappingcrypto_skcipher_setkey returns 0; crypto_shash_init returns 0AES key, key to be unwrappedunwrapped key
EncryptionEncrypt a plaintextCrypto Officer - AES key: W,EEncryption with AEScrypto_skcipher_setkey returns 0AES key, plaintextCiphertext
DecryptionDecrypt a ciphertextCrypto Officer - AES key: W,EDecryption with AEScrypto_skcipher_setkey returns 0AES key, ciphertextPlaintext
Authenticated encryptionEncrypt and authenticate a plaintextCrypto Officer - AES key: W,EAuthenticated encryption with AESFor all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag setAES key, plaintextCiphertext, MAC tag
Authenticated decryptionEncrypt and authenticate a ciphertextCrypto Officer - AES key: W,EAuthenticated decryption with AESFor all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag setAES key, ciphertext, MAC tagPlaintext or failure
Message authenticationCompute a MAC tagCrypto Officer - AES key: W,E - HMAC key: W,EMessage authenticationcrypto_shash_init returns 0AES: AES key, message; HMAC: HMAC key, messageMAC tag
Shared Secret ComputationCompute a shared secretCrypto Officer - DH private key: W,E - DH remote public key: W,E - Shared secret: G,RKAS-FFC-SSCcrypto_kpp_compute_shared_secret returns 0DH private key, DH remote public keyShared secret
Key Pair GenerationKey Pair GenerationCrypto Officer - DH private key: G,R - DH remote public key: G,R - IntermediateSafe Primes Key Generationcrypto_kpp_set_secret and crypto_kpp_generate_public_key return 0GroupDH private key, DH remote public key
Random number generationGenerate random bytesCrypto Officer - Entropy input: W,E - DRBG seed: G,E - DRBG Internal state (V, Key): G,E - DRBG Internal state (V, C): G,ERandom number generation with DRBGscrypto_rng_get_bytes returns 0Output lengthRandom bytes
Error detection codeCompute an EDC (crc32, crct10dif)Crypto OfficerNoneNoneMessageEDC
CompressionCompress data (deflate, lz4, lz4hc, lzo, zlibdeflate, zstd)Crypto OfficerNoneNoneDataCompressed data
Generic system callUse the kernel to perform various non- cryptographic operationsCrypto OfficerNoneNoneIdentifier, various argumentsVarious return values
Show versionReturn the module name and version informationCrypto OfficerNoneNoneN/AModule name and version
Show statusReturn the module statusCrypto OfficerNoneNoneN/AModule status
Self-testPerform the CASTs and integrity testsCrypto OfficerEncryption with AES Decryption with AES Hashing Message authentication Random number generation with DRBGs Signature verification with RSA Authenticated encryption with AES Authenticated decryption with AES KAS-FFC-SSCNoneN/APass/fail
AES GCM external IV encryptionEncrypt a plaintext using AES GCM with an external IVCOAES GCM with external IV
Key derivationDerive a key from a key-derivation key or a shared secretCOKBKDF (libkcapi) HKDF (libkcapi)
Password-based key derivationDerive a key from a passwordCOPBKDF2 (libkcapi)
RSA encryption primitiveCompute the raw RSA encryption of a plaintextCORSA
RSA decryption primitiveCompute the raw RSA decryption of a cipertextCORSA
RSA signature generation (pre-hashed message)Generate a digital signature for a pre-hashed messageCORSA with PKCS#1 v1.5 padding
RSA signature verification (pre-hashed message)Verify a digital signature for a pre-hashed messageCORSA with PKCS#1 v1.5 padding
4 Roles, Services, and Authentication

The module does not implement authentication.

4.2 Roles

Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. The module does not support multiple concurrent operators.

4.3 Approved Services

W,E W,E W,E W,E Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 19

G,E (V, C): G,E noncryptographic N/A N/A N/A N/A Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 20
Service
NameDescriptionRolesApproved Functions
AES GCM external IV encryptionEncrypt a plaintext using AES GCM with an external IVCOAES GCM with external IV
Key derivationDerive a key from a key-derivation key or a shared secretCOKBKDF (libkcapi) HKDF (libkcapi)
Password-based key derivationDerive a key from a passwordCOPBKDF2 (libkcapi)
RSA encryption primitiveCompute the raw RSA encryption of a plaintextCORSA
RSA decryption primitiveCompute the raw RSA decryption of a cipertextCORSA
RSA signature generation (pre-hashed message)Generate a digital signature for a pre-hashed messageCORSA with PKCS#1 v1.5 padding
RSA signature verification (pre-hashed message)Verify a digital signature for a pre-hashed messageCORSA with PKCS#1 v1.5 padding

(V, C): Z Table 13: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs:

4.4 Non-Approved Services

Table 14: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load external software or firmware. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 21
5 Software/Firmware Security
5.1 Integrity Techniques

The Linux kernel binary is integrity tested using an HMAC-SHA2-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). An HMAC-SHA2-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity. The kernel crypto object files listed in section 2.2 are loaded on start-up by the module and verified using RSA signature verification with PKCS#1 v1.5 padding, SHA-256, and a 3072-bit key.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 22
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 23
7 Physical Security

The module is comprised of software only, and therefore this section is not applicable. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 24
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 25
Service
NameApproved FunctionsTypeFromToDistribution Type
API input parameters; AF_ALG_type sockets (input)ElectronicPlaintextOperator calling application (TOEPP)Cryptographic moduleManual
API output parameters; AF_ALG type sockets (output)ElectronicPlaintextCryptographic moduleOperator calling application (TOEPP)Manual
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUseInputStorage DurationRelated SSPs
AES keySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags.128, 192, 256 bits - 128, 192, 256 bitsEncryption with AES Decryption with AES Authenticated encryption with AES
HMAC keyAuthentication key - CSPHMAC key.112-524288 bits - 112-256 bitsMessage authentication Key wrapping Key unwrapping
Entropy inputEntropy input - CSPEntropy input used to seed the DRBGs. Compliant with IG D.L.128-384 bits - 117-357 bitsRandom number generation with DRBGs
DRBG seedSeed - CSPDRBG seed derived from entropy input. Compliant with IG D.L.CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bitsRandom number generation with DRBGsRandom number generation with DRBGs
DRBG Internal state (V, Key)Internal state - CSPInternal state of CTR_DRBG and HMAC_DRBG instances. Compliant with IG D.L.CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bitsRandom number generation with DRBGsRandom number generation with DRBGs
DRBG Internal state (V, C)Internal state - CSPInternal state of Hash_DRBG instances. Compliant with IG D.L.Hash_DRBG: 128, 256 bits - Hash_DRBG: 128, 256 bitsRandom number generation with DRBGsRandom number generation with DRBGs
Intermediate Key Generation ValueIntermediate value - CSPTemporary value generated during Key Pair Generation services.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, P-256, P-384 - 112- 200 bitsSafe Primes Key GenerationSafe Primes Key Generation
DH remote public keyPublic key - PSPPublic key used for Diffie-Hellman.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bitsSafe Primes Key GenerationKAS-FFC-SSC Safe Primes Key Generation
DH private keyPrivate key - CSPPrivate key used for Diffie-Hellman.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bitsSafe Primes Key GenerationKAS-FFC-SSC Safe Primes Key Generation
Shared secretShared secret - CSPShared secret generated by DH.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bitsKAS-FFC-SSC
AES keyRAM:PlaintextFree cipher handle Power offAPI input parameters; AF_ALG_type sockets (input)Until cipher handled is freed or module powered off
HMAC keyRAM:PlaintextFree cipher handle Power offAPI input parameters; AF_ALG_type sockets (input)Until cipher handled is freed or module powered off
Entropy inputRAM:PlaintextFree cipher handle Power offFrom generation until DRBG seed/reseedDRBG seed:Derives
DRBG seedRAM:PlaintextFree cipher handle Power offWhile the DRBG is being instantiatedEntropy input:Derived From DRBG Internal state (V, Key):Derives DRBG Internal state (V, C):Derives
DRBG Internal state (V, Key)RAM:PlaintextFree cipher handle Power offFrom DRBG instantiation until DRBG terminationDRBG seed:Derived From
StorageDescriptionPersistence
AreaType
Name
RAMTemporary storage for SSPs used by the module as part of service executionDynamic
ZeroizationDescriptionRationaleOperator Initiation
Method
Free cipher handleZeroizes the SSPs contained within the cipher handleMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. The completion of the zeroization routine indicates that the zeroization procedure succeeded.By calling the appropriate zeroization functions: AES key: crypto_free_skcipher and crypto_free_aead; HMAC key: crypto_free_shash and crypto_free_ahash; DRBG internal state: crypto_free_rng; DRBG seed: crypto_free_rng; Entropy input string: crypto_free_rng; DH remote public & private key: crypto_free_kpp
Power offDe-allocates the volatile memory used to store SSPsVolatile memory used by the module is overwritten within nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. The successful removal of power implicitly indicates that the zeroization is complete.By removing power
9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext zeroization function calls. Table 16: SSP Input-Output Methods Table 17: SSP Zeroization Methods All data output is inhibited during zeroization. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 26
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUseInputStorage DurationRelated SSPs
HMAC keyAuthentication key - CSPHMAC key.112-524288 bits - 112-256 bitsMessage authentication Key wrapping Key unwrapping
Entropy inputEntropy input - CSPEntropy input used to seed the DRBGs. Compliant with IG D.L.128-384 bits - 117-357 bitsRandom number generation with DRBGs
DRBG seedSeed - CSPDRBG seed derived from entropy input. Compliant with IG D.L.CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bitsRandom number generation with DRBGsRandom number generation with DRBGs
DRBG Internal state (V, Key)Internal state - CSPInternal state of CTR_DRBG and HMAC_DRBG instances. Compliant with IG D.L.CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bitsRandom number generation with DRBGsRandom number generation with DRBGs
DRBG Internal state (V, C)Internal state - CSPInternal state of Hash_DRBG instances. Compliant with IG D.L.Hash_DRBG: 128, 256 bits - Hash_DRBG: 128, 256 bitsRandom number generation with DRBGsRandom number generation with DRBGs
Intermediate Key Generation ValueIntermediate value - CSPTemporary value generated during Key Pair Generation services.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, P-256, P-384 - 112- 200 bitsSafe Primes Key GenerationSafe Primes Key Generation
DH remote public keyPublic key - PSPPublic key used for Diffie-Hellman.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bitsSafe Primes Key GenerationKAS-FFC-SSC Safe Primes Key Generation
DH private keyPrivate key - CSPPrivate key used for Diffie-Hellman.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bitsSafe Primes Key GenerationKAS-FFC-SSC Safe Primes Key Generation
Shared secretShared secret - CSPShared secret generated by DH.ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bitsKAS-FFC-SSC
AES keyRAM:PlaintextFree cipher handle Power offAPI input parameters; AF_ALG_type sockets (input)Until cipher handled is freed or module powered off
HMAC keyRAM:PlaintextFree cipher handle Power offAPI input parameters; AF_ALG_type sockets (input)Until cipher handled is freed or module powered off
Entropy inputRAM:PlaintextFree cipher handle Power offFrom generation until DRBG seed/reseedDRBG seed:Derives
DRBG seedRAM:PlaintextFree cipher handle Power offWhile the DRBG is being instantiatedEntropy input:Derived From DRBG Internal state (V, Key):Derives DRBG Internal state (V, C):Derives
DRBG Internal state (V, Key)RAM:PlaintextFree cipher handle Power offFrom DRBG instantiation until DRBG terminationDRBG seed:Derived From
DRBG Internal state (V, C)RAM:PlaintextFree cipher handle Power offFrom DRBG instantiation until DRBG terminationDRBG seed:Derived From
Intermediate Key Generation ValueRAM:PlaintextFree cipher handle Power offUntil key pair generation service completes.DH private key:Derived From DH remote public key:Derived From
DH remote public keyRAM:PlaintextFree cipher handle Power offAPI input parameters; AF_ALG_type sockets (input) API output parameters; AF_ALG type sockets (output)Until cipher handled is freed or module powered offDH private key:Used With
DH private keyRAM:PlaintextFree cipher handle Power offAPI input parameters; AF_ALG_type sockets (input) API output parameters; AF_ALG type sockets (output)Until cipher handled is freed or module powered offDH remote public key:Used With
Shared secretRAM:PlaintextFree cipher handle Power offAPI input parameters; AF_ALG_type sockets (input) API output parameters; AF_ALG type sockets (output)Until cipher handled is freed or module powered offDH private key:Used With DH remote public key:Used With

Table 18: SSP Table 1 Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 27
9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes except signature verification, starting January 1, 2031. The RSA algorithm with SHA-1 as implemented by the module conforms to FIPS 186-4. FIPS 186-4 was withdrawn on February 3, 2024 but FIPS 140-3 IG C.K allows RSA signature verification with SHA-1 under FIPS 186-4 to still be approved. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 28
Self test
NameAlgorithm Or TestTest MethodDetailsTestIndicator
TestTestType
HMAC-SHA2-512 (A5296)HMAC-SHA2-512 (A5296)Message AuthenticationIntegrity test for vmlinuz, libkcapi components and sha512hmac binarySW/FW IntegrityModule becomes operational and services are available for use.
RSA SigVer (FIPS186-4) (A5278)RSA SigVer (FIPS186-4) (A5278)Signature VerificationIntegrity test for kernel object filesSW/FW IntegrityModule becomes operational and services are available for use.
Approved algorithm
NamePropertiesTestIndicatorDetailsConditions
TestType
Safe Primes Key Generation (A5277)N/APCTcrypto_kpp_g enerate_publi c_key returns 0SP 800-56Ar3 Section 5.6.2.1.4Key pair generation
SHA-1 (A5278)0, 24, 448, 512, 1304 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA-1 (A5294)0, 24, 448, 512, 1304 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA-1 (A5295)0, 24, 448, 512, 1304 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA-1 (A5296)0, 24, 448, 512, 1304 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-224 (A5278)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-224 (A5294)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-224 (A5295)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-224 (A5296)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-256 (A5278)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-256 (A5294)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
TestType
SHA2-256 (A5295)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-256 (A5296)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-384 (A5278)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-384 (A5294)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-384 (A5295)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-384 (A5296)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-512 (A5278)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-512 (A5294)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-512 (A5295)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-512 (A5296)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA3-224 (A5279)0, 8, 448 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA3-256 (A5279)0, 8, 448 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA3-384 (A5279)0, 8, 448 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA3-512 (A5279)0, 8, 448 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
AES-ECB (A5278)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5283)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5284)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5285)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5286)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5287)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
TestType
AES-ECB (A5289)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5290)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5277)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-ECB (A5288)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CBC (A5278)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CBC (A5285)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CBC-CS3 (A5293)128 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-OFB (A5292)128 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CFB128 (A5291)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CTR (A5278)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CTR (A5288)128, 192, 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CCM (A5288)128, 192, 256 bit keys; 128-bit IVsCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-GCM (A5278)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-GCM (A5283)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.EncryptionModule initialization
AES-GCM (A5284)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-GCM (A5285)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-GCM (A5286)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.EncryptionModule initialization
AES-GCM (A5287)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-GCM (A5288)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-GCM (A5289)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.EncryptionModule initialization
TestType
AES-GCM (A5290)128, 192, 256 bit keys, 96-bit IVsCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-XTS Testing Revision 2.0 (A5278)128 and 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-XTS Testing Revision 2.0 (A5288)128 and 256 bit keysCASTModule becomes operational and services are available for use.Encryption, DecryptionModule initialization
AES-CMAC (A5288)128 and 256 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA-1 (A5278)160, 200 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA-1 (A5294)160, 200 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA-1 (A5295)160, 200 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA-1 (A5296)160, 200 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-224 (A5278)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-224 (A5294)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-224 (A5295)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-224 (A5296)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-256 (A5278)256, 296 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-256 (A5294)256, 296 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-256 (A5295)256, 296 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-256 (A5296)256, 296 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-384 (A5278)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-384 (A5294)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-384 (A5295)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-384 (A5296)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
TestType
HMAC-SHA2-512 (A5278)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization. Before integrity test.
HMAC-SHA2-512 (A5294)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization. Before integrity test.
HMAC-SHA3-224 (A5279)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-512 (A5295)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization. Before integrity test.
HMAC-SHA2-512 (A5296)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization. Before integrity test.
HMAC-SHA3-256 (A5279)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA3-384 (A5279)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA3-512 (A5279)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
KAS-FFC-SSC Sp800-56Ar3 (A5277)ffdhe2048CASTModule becomes operational and services are available for use.Shared secret computationModule initialization
Counter DRBG (A5278)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5283)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5284)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5285)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5286)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5287)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5288)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5289)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Counter DRBG (A5290)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5278)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5283)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
TestType
Hash DRBG (A5284)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5285)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5286)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5287)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5288)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5289)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5290)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5294)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5295)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5296)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5278)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5283)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5284)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5285)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5286)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5287)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5288)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5289)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5290)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5294)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
TestType
HMAC DRBG (A5295)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5296)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
RSA SigVer (FIPS186-5) (A5278)4096-bit key with SHA-256CASTModule becomes operational and services are available for use.VerifyModule initialization. Before integrity test.
RSA SigVer (FIPS186-5) (A5294)4096-bit key with SHA-256CASTModule becomes operational and services are available for use.VerifyModule initialization. Before integrity test.
RSA SigVer (FIPS186-5) (A5295)4096-bit key with SHA-256CASTModule becomes operational and services are available for use.VerifyModule initialization. Before integrity test.
RSA SigVer (FIPS186-5) (A5296)4096-bit key with SHA-256CASTModule becomes operational and services are available for use.VerifyModule initialization. Before integrity test.
Entropy Source (RCT Start-Up)1024 samplesCASTModule becomes operational and services are available for use.Entropy source start-up testEntropy source initialization
Entropy Source (APT Start-Up)1024 samplesCASTModule becomes operational and services are available for use.Entropy source start-up testEntropy source initialization
Entropy Source (RCT Runtime)Cutoff C = 61CASTEntropy source is operationalEntropy source continuous testContinuously
Entropy Source (APT Runtime)Cutoff C = 355CASTEntropy source is operationalEntropy source continuous testContinuously
Counter DRBG (A5277)128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
Hash DRBG (A5277)SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC DRBG (A5277)SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1CASTModule becomes operational and services are available for use.Seed, GenerateModule initialization
HMAC-SHA-1 (A5277)160, 200 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA-1 (A5297)160, 200 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-224 (A5277)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-224 (A5297)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-256 (A5277)256, 296 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-256 (A5297)256, 296 and 640 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
HMAC-SHA2-384 (A5277)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
SHA-1 (A5277)0, 24, 448, 512, 1304 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
TestType
SHA-1 (A5297)0, 24, 448, 512, 1304 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-224 (A5277)0, 24, 448, 512, 1304 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-224 (A5297)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-256 (A5277)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-256 (A5297)0, 24, 448, 512 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-384 (A5277)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
SHA2-512 (A5277)0, 24, 448, 832, 896 and 8184 bit messagesCASTModule becomes operational and services are available for use.Message digestModule initialization
HMAC-SHA2-512 (A5277)160 and 1048 bit keysCASTModule becomes operational and services are available for use.Message authenticationModule initialization
10 Self-Tests
10.1 Pre-Operational Self-Tests

Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 3072 bit key) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

N/A Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 29

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 30

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 31

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 32

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 33

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 34

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 35
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2-512 (A5296)HMAC-SHA2-512 (A5296)Message AuthenticationSW/FW IntegrityOn demandManually
RSA SigVer (FIPS186-4) (A5278)RSA SigVer (FIPS186-4) (A5278)Signature VerificationSW/FW IntegrityOn demandManually
Safe Primes Key Generation (A5277)Safe Primes Key Generation (A5277)PCTPCTOn demandManually
SHA-1 (A5278)SHA-1 (A5278)KATCASTOn demandManually
SHA-1 (A5294)SHA-1 (A5294)KATCASTOn demandManually
SHA-1 (A5295)SHA-1 (A5295)KATCASTOn demandManually
SHA-1 (A5296)SHA-1 (A5296)KATCASTOn demandManually
SHA2-224 (A5278)SHA2-224 (A5278)KATCASTOn demandManually
SHA2-224 (A5294)SHA2-224 (A5294)KATCASTOn demandManually
SHA2-224 (A5295)SHA2-224 (A5295)KATCASTOn demandManually
SHA2-224 (A5296)SHA2-224 (A5296)KATCASTOn demandManually
SHA2-256 (A5278)SHA2-256 (A5278)KATCASTOn demandManually
SHA2-256 (A5294)SHA2-256 (A5294)KATCASTOn demandManually
SHA2-256 (A5295)SHA2-256 (A5295)KATCASTOn demandManually
SHA2-256 (A5296)SHA2-256 (A5296)KATCASTOn demandManually
SHA2-384 (A5278)SHA2-384 (A5278)KATCASTOn demandManually
SHA2-384 (A5294)SHA2-384 (A5294)KATCASTOn demandManually
SHA2-384 (A5295)SHA2-384 (A5295)KATCASTOn demandManually
SHA2-384 (A5296)SHA2-384 (A5296)KATCASTOn demandManually
SHA2-512 (A5278)SHA2-512 (A5278)KATCASTOn demandManually
SHA2-512 (A5294)SHA2-512 (A5294)KATCASTOn demandManually
SHA2-512 (A5295)SHA2-512 (A5295)KATCASTOn demandManually
SHA2-512 (A5296)SHA2-512 (A5296)KATCASTOn demandManually
SHA3-224 (A5279)SHA3-224 (A5279)KATCASTOn demandManually
SHA3-256 (A5279)SHA3-256 (A5279)KATCASTOn demandManually
SHA3-384 (A5279)SHA3-384 (A5279)KATCASTOn demandManually
SHA3-512 (A5279)SHA3-512 (A5279)KATCASTOn demandManually
AES-ECB (A5278)AES-ECB (A5278)KATCASTOn demandManually
AES-ECB (A5283)AES-ECB (A5283)KATCASTOn demandManually
AES-ECB (A5284)AES-ECB (A5284)KATCASTOn demandManually
AES-ECB (A5285)AES-ECB (A5285)KATCASTOn demandManually
AES-ECB (A5286)AES-ECB (A5286)KATCASTOn demandManually
AES-ECB (A5287)AES-ECB (A5287)KATCASTOn demandManually
AES-ECB (A5289)AES-ECB (A5289)KATCASTOn demandManually
AES-ECB (A5290)AES-ECB (A5290)KATCASTOn demandManually
AES-ECB (A5277)AES-ECB (A5277)KATCASTOn demandManually
AES-ECB (A5288)AES-ECB (A5288)KATCASTOn demandManually
AES-CBC (A5278)AES-CBC (A5278)KATCASTOn demandManually
AES-CBC (A5285)AES-CBC (A5285)KATCASTOn demandManually
AES-CBC-CS3 (A5293)AES-CBC-CS3 (A5293)KATCASTOn demandManually
AES-OFB (A5292)AES-OFB (A5292)KATCASTOn demandManually
AES-CFB128 (A5291)AES-CFB128 (A5291)KATCASTOn demandManually
AES-CTR (A5278)AES-CTR (A5278)KATCASTOn demandManually
AES-CTR (A5288)AES-CTR (A5288)KATCASTOn demandManually
AES-CCM (A5288)AES-CCM (A5288)KATCASTOn demandManually
AES-GCM (A5278)AES-GCM (A5278)KATCASTOn demandManually
AES-GCM (A5283)AES-GCM (A5283)KATCASTOn demandManually
AES-GCM (A5284)AES-GCM (A5284)KATCASTOn demandManually
AES-GCM (A5285)AES-GCM (A5285)KATCASTOn demandManually
AES-GCM (A5286)AES-GCM (A5286)KATCASTOn demandManually
AES-GCM (A5287)AES-GCM (A5287)KATCASTOn demandManually
AES-GCM (A5288)AES-GCM (A5288)KATCASTOn demandManually
AES-GCM (A5289)AES-GCM (A5289)KATCASTOn demandManually
AES-GCM (A5290)AES-GCM (A5290)KATCASTOn demandManually
AES-XTS Testing Revision 2.0 (A5278)AES-XTS Testing Revision 2.0 (A5278)KATCASTOn demandManually
AES-XTS Testing Revision 2.0 (A5288)AES-XTS Testing Revision 2.0 (A5288)KATCASTOn demandManually
AES-CMAC (A5288)AES-CMAC (A5288)KATCASTOn demandManually
HMAC-SHA-1 (A5278)HMAC-SHA-1 (A5278)KATCASTOn demandManually
HMAC-SHA-1 (A5294)HMAC-SHA-1 (A5294)KATCASTOn demandManually
HMAC-SHA-1 (A5295)HMAC-SHA-1 (A5295)KATCASTOn demandManually
HMAC-SHA-1 (A5296)HMAC-SHA-1 (A5296)KATCASTOn demandManually
HMAC-SHA2-224 (A5278)HMAC-SHA2-224 (A5278)KATCASTOn demandManually
HMAC-SHA2-224 (A5294)HMAC-SHA2-224 (A5294)KATCASTOn demandManually
HMAC-SHA2-224 (A5295)HMAC-SHA2-224 (A5295)KATCASTOn demandManually
HMAC-SHA2-224 (A5296)HMAC-SHA2-224 (A5296)KATCASTOn demandManually
HMAC-SHA2-256 (A5278)HMAC-SHA2-256 (A5278)KATCASTOn demandManually
HMAC-SHA2-256 (A5294)HMAC-SHA2-256 (A5294)KATCASTOn demandManually
HMAC-SHA2-256 (A5295)HMAC-SHA2-256 (A5295)KATCASTOn demandManually
HMAC-SHA2-256 (A5296)HMAC-SHA2-256 (A5296)KATCASTOn demandManually
HMAC-SHA2-384 (A5278)HMAC-SHA2-384 (A5278)KATCASTOn demandManually
HMAC-SHA2-384 (A5294)HMAC-SHA2-384 (A5294)KATCASTOn demandManually
HMAC-SHA2-384 (A5295)HMAC-SHA2-384 (A5295)KATCASTOn demandManually
HMAC-SHA2-384 (A5296)HMAC-SHA2-384 (A5296)KATCASTOn demandManually
HMAC-SHA2-512 (A5278)HMAC-SHA2-512 (A5278)KATCASTOn demandManually
HMAC-SHA2-512 (A5294)HMAC-SHA2-512 (A5294)KATCASTOn demandManually
HMAC-SHA3-224 (A5279)HMAC-SHA3-224 (A5279)KATCASTOn demandManually
HMAC-SHA2-512 (A5295)HMAC-SHA2-512 (A5295)KATCASTOn demandManually
HMAC-SHA2-512 (A5296)HMAC-SHA2-512 (A5296)KATCASTOn demandManually
HMAC-SHA3-256 (A5279)HMAC-SHA3-256 (A5279)KATCASTOn demandManually
HMAC-SHA3-384 (A5279)HMAC-SHA3-384 (A5279)KATCASTOn demandManually
HMAC-SHA3-512 (A5279)HMAC-SHA3-512 (A5279)KATCASTOn demandManually
KAS-FFC-SSC Sp800-56Ar3 (A5277)KAS-FFC-SSC Sp800-56Ar3 (A5277)KATCASTOn demandManually
Counter DRBG (A5278)Counter DRBG (A5278)KATCASTOn demandManually
Counter DRBG (A5283)Counter DRBG (A5283)KATCASTOn demandManually
Counter DRBG (A5284)Counter DRBG (A5284)KATCASTOn demandManually
Counter DRBG (A5285)Counter DRBG (A5285)KATCASTOn demandManually
Counter DRBG (A5286)Counter DRBG (A5286)KATCASTOn demandManually
Counter DRBG (A5287)Counter DRBG (A5287)KATCASTOn demandManually
Counter DRBG (A5288)Counter DRBG (A5288)KATCASTOn demandManually
Counter DRBG (A5289)Counter DRBG (A5289)KATCASTOn demandManually
Counter DRBG (A5290)Counter DRBG (A5290)KATCASTOn demandManually
Hash DRBG (A5278)Hash DRBG (A5278)KATCASTOn demandManually
Hash DRBG (A5283)Hash DRBG (A5283)KATCASTOn demandManually
Hash DRBG (A5284)Hash DRBG (A5284)KATCASTOn demandManually
Hash DRBG (A5285)Hash DRBG (A5285)KATCASTOn demandManually
Hash DRBG (A5286)Hash DRBG (A5286)KATCASTOn demandManually
Hash DRBG (A5287)Hash DRBG (A5287)KATCASTOn demandManually
Hash DRBG (A5288)Hash DRBG (A5288)KATCASTOn demandManually
Hash DRBG (A5289)Hash DRBG (A5289)KATCASTOn demandManually
Hash DRBG (A5290)Hash DRBG (A5290)KATCASTOn demandManually
Hash DRBG (A5294)Hash DRBG (A5294)KATCASTOn demandManually
Hash DRBG (A5295)Hash DRBG (A5295)KATCASTOn demandManually
Hash DRBG (A5296)Hash DRBG (A5296)KATCASTOn demandManually
HMAC DRBG (A5278)HMAC DRBG (A5278)KATCASTOn demandManually
HMAC DRBG (A5283)HMAC DRBG (A5283)KATCASTOn demandManually
HMAC DRBG (A5284)HMAC DRBG (A5284)KATCASTOn demandManually
HMAC DRBG (A5285)HMAC DRBG (A5285)KATCASTOn demandManually
HMAC DRBG (A5286)HMAC DRBG (A5286)KATCASTOn demandManually
HMAC DRBG (A5287)HMAC DRBG (A5287)KATCASTOn demandManually
HMAC DRBG (A5288)HMAC DRBG (A5288)KATCASTOn demandManually
HMAC DRBG (A5289)HMAC DRBG (A5289)KATCASTOn demandManually
HMAC DRBG (A5290)HMAC DRBG (A5290)KATCASTOn demandManually
HMAC DRBG (A5294)HMAC DRBG (A5294)KATCASTOn demandManually
HMAC DRBG (A5295)HMAC DRBG (A5295)KATCASTOn demandManually
HMAC DRBG (A5296)HMAC DRBG (A5296)KATCASTOn demandManually
RSA SigVer (FIPS186-5) (A5278)RSA SigVer (FIPS186-5) (A5278)KATCASTOn demandManually
RSA SigVer (FIPS186-5) (A5294)RSA SigVer (FIPS186-5) (A5294)KATCASTOn demandManually
RSA SigVer (FIPS186-5) (A5295)RSA SigVer (FIPS186-5) (A5295)KATCASTOn demandManually
RSA SigVer (FIPS186-5) (A5296)RSA SigVer (FIPS186-5) (A5296)KATCASTOn demandManually
Entropy Source (RCT Start- Up)Entropy Source (RCT Start- Up)RCTCASTOn demandManually
Entropy Source (APT Start- Up)Entropy Source (APT Start- Up)APTCASTOn demandManually
Entropy Source (RCT Runtime)Entropy Source (RCT Runtime)RCTCASTOn demandManually
Entropy Source (APT Runtime)Entropy Source (APT Runtime)APTCASTOn demandManually
Counter DRBG (A5277)Counter DRBG (A5277)KATCASTOn demandManually
Hash DRBG (A5277)Hash DRBG (A5277)KATCASTOn demandManually
HMAC DRBG (A5277)HMAC DRBG (A5277)KATCASTOn demandManually
HMAC-SHA-1 (A5277)HMAC-SHA-1 (A5277)KATCASTOn demandManually
HMAC-SHA-1 (A5297)HMAC-SHA-1 (A5297)KATCASTOn demandManually
HMAC-SHA2-224 (A5277)HMAC-SHA2-224 (A5277)KATCASTOn demandManually
HMAC-SHA2-224 (A5297)HMAC-SHA2-224 (A5297)KATCASTOn demandManually
HMAC-SHA2-256 (A5277)HMAC-SHA2-256 (A5277)KATCASTOn demandManually
HMAC-SHA2-256 (A5297)HMAC-SHA2-256 (A5297)KATCASTOn demandManually
HMAC-SHA2-384 (A5277)HMAC-SHA2-384 (A5277)KATCASTOn demandManually
SHA-1 (A5277)SHA-1 (A5277)KATCASTOn demandManually
SHA-1 (A5297)SHA-1 (A5297)KATCASTOn demandManually
SHA2-224 (A5277)SHA2-224 (A5277)KATCASTOn demandManually
SHA2-224 (A5297)SHA2-224 (A5297)KATCASTOn demandManually
SHA2-256 (A5277)SHA2-256 (A5277)KATCASTOn demandManually
SHA2-256 (A5297)SHA2-256 (A5297)KATCASTOn demandManually
SHA2-384 (A5277)SHA2-384 (A5277)KATCASTOn demandManually
SHA2-512 (A5277)SHA2-512 (A5277)KATCASTOn demandManually
HMAC-SHA2-512 (A5277)HMAC-SHA2-512 (A5277)KATCASTOn demandManually

Table 21: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in table above. Services are not available, and data output (via the data output interface) is inhibited during the self-tests. If any of these tests fails, the module transitions to the Error state.

10.3 Periodic Self-Test Information

Table 22: Pre-Operational Periodic Information Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 36

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 37

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 38
Service
NameDescriptionRole AccessIndicatorRecovery Method
Error StateThe Linux kernel immediately stops executingAny self-test failureKernel PanicRestart of the module

Table 23: Conditional Periodic Information

10.4 Error States

Table 24: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 39
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as part of the Oracle Linux 9 (OL9) RPM packages in the form of kernel-5.14.0362.24.1.0.4.el9_3, libkcapi-1.3.1-3.0.1.el9 and libkcapi-hmaccalc-1.3.1-3.0.1.el9 packages that is located in the “Oracle Linux 9 Security Validation (Update 3)” yum repository (ol9_u3_security_validation). The operational environment needs to be set up in the FIPS validated configuration by installing the module as follows:

11.2 Administrator Guidance

After installation of the kernel-5.14.0-362.24.1.0.4.el9_3, libkcapi-1.3.1-3.0.1.el9 and libkcapi-hmaccalc-1.3.13.0.1.el9 RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Oracle Linux 9 Kernel Crypto API Cryptographic Module Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q libkcapi” commands. These commands must output the following (one line per output): 5.14.0-362.24.1.0.4.el9_3.x86_64 libkcapi-1.3.1-3.0.1.el9.x86_64

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel-5.14.0-362.24.1.0.4.el9_3, libkcapi-1.3.1-3.0.1.el9 and libkcapi-hmaccalc-1.3.1-3.0.1.el9 RPM packages can be uninstalled from the Oracle Linux 9 systems. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 40
12 Mitigation of Other Attacks

The module does not offer mitigation of other attacks and therefore this section is not applicable. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 41
AESAdvanced Encryption Standard
AES-NIAdvanced Encryption Standard New Instructions
APIApplication Programming Interface
CASTCryptographic Algorithm Self-Test
CAVPCryptographic Algorithm Validation Program
CBCCipher Block Chaining
CCMCounter with Cipher Block Chaining-Message Authentication Code
CFBCipher Feedback
CMACCipher-based Message Authentication Code
CMVPCryptographic Module Validation Program
CSPCritical Security Parameter
CTRCounter
DHDiffie-Hellman
DRBGDeterministic Random Bit Generator
ECBElectronic Code Book
ECDHElliptic Curve Diffie-Hellman
ECDHElliptic Curve Diffie-Hellman
ENT (NP)Non-physical Entropy Source
FIPSFederal Information Processing Standards
GCMGalois Counter Mode
GMACGalois Counter Mode Message Authentication Code
HKDFHMAC-based Key Derivation Function
HMACKeyed-Hash Message Authentication Code
IPsecInternet Protocol Security
KATKnown Answer Test
KBKDFKey-based Key Derivation Function
MACMessage Authentication Code
NISTNational Institute of Science and Technology
PAAProcessor Algorithm Acceleration
PBKDF2Password-based Key Derivation Function v2
PKCSPublic-Key Cryptography Standards
RSARivest, Shamir, Adleman
SHASecure Hash Algorithm
SSCShared Secret Computation
SSPSensitive Security Parameter
XTSXEX-based Tweaked-codebook mode with cipher text Stealing

Appendix A. Glossary and Abbreviations Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 42
ANS X9.42-2001Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001
ANS X9.63-2001Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001
FIPS 140-3FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
FIPS 140-3 IGImplementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig- announcements
FIPS 180-4Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
FIPS 186-4Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS 197Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
FIPS 198-1The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
FIPS 202SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
PKCS#1Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt
RFC 3526More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt
RFC 5288AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt
RFC 7919Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt

Appendix B. References Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 43
Approved algorithm
NameKey Size
RFC 8446The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt
SP 800-38ARecommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
SP 800-38A AddendumRecommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf
SP 800-38BRecommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
SP 800-38CRecommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf
SP 800-38DRecommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
SP 800-38ERecommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
SP 800-38FRecommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
SP 800-52r2Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
SP 800-56Ar3Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
SP 800-56Cr2Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
SP 800-90Ar1Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
SP 800-90BRecommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf
SP 800-108r1NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
SP 800-131Ar2Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
SP 800-132Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
SP 800-133r2Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf
SP 800-135r1Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf
SP 800-140Br1CMVP Security Policy Requirements November 2023 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Br1.pdf

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Page 44

Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy

Referenced URLs