All modules
CMVP Validated Module · FIPS 140-3 Security Policy

IBM® NVMe FlashCore™ Module 2

Certificate#5078StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip EmbeddedStatusActiveVendorIBM(R) Corporation
Medium review priority  ·  no TCB surface named  ·  last validated 9 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Embedded
StatusActive
Sunset date10/2/2030
CaveatWhen installed, initialized and configured as specified in Section 11.1 of the Security Policy. No operator authentication is enforced for executing security services that were unlocked by an authenticated service
VendorIBM(R) Corporation
Hardware versions02CL181 with TEL number 03JN363, 02CL183 with TEL number 03JN363, 02CL185 with TEL number 03JN363, 02CL187 with TEL number 03JN363

Approved Algorithms (15)

AlgorithmACVP Cert
AES-CBCA1884
AES-ECBA1884
AES-ECBAES 5897
AES-KWA1884
AES-XTSA1884
AES-XTSAES 5897
Conditioning Component AES-CBC-MAC SP800-90BA1884
Hash DRBGA1884
HMAC-SHA2-256A1884
KDF SP800-108A1884
KTS-IFCA1884
RSA KeyGen (FIPS186-4)A1884
SHA2-256A1884
SHA2-512A1884
SHA3-384A1883

Security Levels (Table 1)

Requirement areaLevel
Operational EnvironmentN/A
Physical Security7

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for IBM® NVMe FlashCore™ Module 2
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>2.2.0.99</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Firmwar e load</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>User Data Read *<br/>Power On</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>PCIe connector</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>library named: nss</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C4,C5,C6 clue;
  class I1,I2,I3,I4,I5,I6 infer;
  class R1,R2,R3,R4,R5,R6 risk;
  class E1,E2,E3,E4,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for IBM® NVMe FlashCore™ Module 2
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>2.2.0.99</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Firmwar e load</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>User Data Read *<br/>Power On</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>PCIe connector</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>library named: nss</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3,C4 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

IBM® NVMe FlashCore™ Module 2 Security Level 2 Rev. 2.6

Page 2
Table of Contents
#SectionPage
1General5
1.1Scope5
1.2References5
1.3Acronyms used in this document5
1.4Security Levels6
2Cryptographic module specification7
2.1Overview7
2.2Approved Mode of Operation7
2.2.1Approved mode7
2.2.2SUM Locking Ranges (SLRs)8
2.3Hardware and Firmware Versions8
2.4Approved and Allowed Algorithms9
2.5FCM2 Drive Brick11
2.6FCM2 Block Diagram12
3Cryptographic module interfaces13
3.1Logical to Physical Port Mapping13
4Roles, services, and authentication14
4.1Crypto-Erase of User Data14
4.2Revert via OFS14
4.3Operator Roles14
4.3.1Cryptographic Officer (CO) Roles14
4.3.2LockingSP User214
4.3.3Unauthenticated Role15
4.4Authentication15
4.4.1Authentication Type15
4.4.2Authentication in approved mode15
4.4.3Authentication Mechanism, Data and Strength15
4.4.4Personalizing Authentication Data16
4.5Approved Mode Services16
5Software/Firmware security23
6Operational Environment24
7Physical Security25
7.1Mechanisms25
7.2TELs on ends of FCM226
8Non-invasive security28
9Sensitive security parameters management29
9.1Cryptographic Keys and CSPs29
9.2Temporary CSPs32
9.3Control Output Interface32
10Self-tests33
10.1Self-Tests33
11Life-cycle assurance35
11.1Establishing approved mode and exit conditions35
11.2Ongoing Policy Restrictions35
12Mitigation of Other Attacks Policy36
9Sensitive security parameter management2
Page 4

Table of Tables Table of Figures

Page 5
1 General
1.1 Scope

This is the security policy associated with the IBM NVMe FlashCore Module 2, a NVMe-connected self-encrypting non-volatile storage hardware module, a Cryptographic Module which is being validated per FIPS 140-3. This document is designed to meet the FIPS 140-3 standard (see Section 1.2 References 1) and Implementation Guidance (see Section 1.2 References 3) requirements. It is not intended to provide the type of interface details required to develop a compliant application. This document is non-proprietary. This document may be reproduced in its original entirety.

1.2 References

1. 2. 3. 4. 5. 6. 7. 8. FIPS PUB 140-3, issued Mar 22, 2019 FIPS 140-3 Derived Test Requirements, issued Mar, 2020 Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program, last updated May 4, 2021 TCG Storage Architecture Core Specification, Specification Version 2.01 TCG Storage Security Subsystem Class: Opal, Specification Version 2.01 TCG Storage Opal SSC Feature Set: PSID Version 1.00 TCG Storage Opal SSC Feature Set: Single User Mode, Specification Version 1.00 NVM Express Revision 1.2.1

1.3 Acronyms used in this document

AdminSP AES APT ARM CAVP CBC CKG CLiC CO CPLD CPU CRNGT CSP DDR4 DRBG ECB ENT FCM2 FIPS FKM FPGA HMAC IC IG LBA KAT KDF KEK Administrative security partition, a TCG term Advanced Encryption Standard (FIPS 197) Adaptive Proportion Test Advanced RISC Machine Cryptographic Algorithm Validation Program Cipher Block Chaining, an encryption mode Cooperative Key Generation CryptoLite in C Crypto-Officer Complex Programmable Logic Device Central Processing Unit Continuous Random Number Generator Test Critical Security Parameter Double Data Rate 4 memory Deterministic Random Bit Generator Electronic Codebook Mode Entropy FlashCore Module 2 Federal Information Processing Standard Flash Key Management Field Programmable Gate Array Hash-based Message Authentication Code Integrated Circuit Implementation Guide Logical Block Address Known Answer Test Key Derivation Function Key Encryption Key

Page 6
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic module specification2
33Cryptographic module interfaces2
44Roles, services, and authentication2
55Software/Firmware security2
66Operational environmentN/A
77Physical security2
88Non-invasive securityN/A
99Sensitive security parameter management2
1010Self-tests2
1111Life-cycle assurance2
1212Mitigation of other attacksN/A

LockingSP MEK MSID NAND NOR NSSR NVMe OFS PIN POST PSID RAM RCT RSA SHA SID SLR SP SSC SSP SUM SWG TCG TEL XTS Locking Range security partition, a TCG term Media Encryption Key Manufactured SID, TCG term for a unique per FCM2 public value used as the default Not AND (a type of flash memory) A type of flash memory NVMe SubSystem Reset Nonvolatile memory express Original Factory State Personal Identification Number Power on Self-Test Physical SID, TCG term for a unique per FM value public value Random Access Memory Repetition Count Test Rivest Shamir Adleman algorithm Secure Hash Algorithm Security ID, TCG term for Drive Owner CO role’s PIN SUM Locking Range Security Subsystem Class Single User Mode Storage Work Group Trusted Computing Group Tamper Evident Label XEX-based tweaked-codebook mode with ciphertext stealing, an encryption mode

1.4 Security Levels
Page 7
2 Cryptographic module specification
2.1 Overview

The cryptographic module is the IBM NVMe FlashCore Module 2 (FCM2) in its entirety. The cryptographic module will be referred to as the FCM2 throughout this document. This FCM2 uses approved algorithms to provide a number of cryptographic services. Those services include encryption and decryption of user data in hardware, support for cryptographic erase, support for multiple user data Locking Ranges (each of which can be configured for independent access control and protection), and authentication checking of code downloads. The services are provided via FCM2 support of the TCG Opal SSC interface. The FCM2 is a multiple-chip embedded cryptographic module implementation. The outside surfaces of the FlashCore Module 2 Assembly are the physical cryptographic boundary. The module’s logical boundary is comprised of all hardware and firmware components contained within the module’s physical boundary. The host interface to the FCM2 is physically a PCIe connector, over which the industry-standard NVMe protocol (see Section 1.2 References 8) is supported. Through the NVMe logical interface the FCM2 supports the TCG SWG Core (see Section 1.2 References 4) and TCG Opal SSC (see Section 1.2 References 5) protocols. All control of the FCM2 via its interfaces is typically through an application on a host system. All human control of an FCM2 is assumed to be through such an application. The primary cryptographic service supported by the FCM2 is encryption of user data at rest: encrypting user data written to the FCM2 before the resultant ciphertext is written to the FCM2’s non-volatile solid-state memory. The FCM2 also supports the complementary decryption function, decrypting that ciphertext from solid-state memory when it is read back. Storing user data in encrypted form enables another cryptographic service the FCM2 supports: cryptographic erase, which nearly instantly renders all previously encrypted user data to be effectively destroyed. The FCM2 supports TCG Opal access controls, which restrict access to use of, and administration of, the encryption and cryptographic erase services.

2.2 Approved Mode of Operation

The FCM2 will operate in a non-compliant state until the Secure Initialization steps detailed in Section 11.1 are performed. From this non-compliant state, the FCM2 may be securely initialized so that it operates in FIPS 140-3 Mode of operation (hereafter “approved mode”). After the FCM2 has been Securely Initialized and operated per the Security Rules detailed in Section 11.1, the FCM2 will remain in approved mode of operation until either an important error or failure has been detected or a “Revert via OFS” service is performed. An operator controlling the FCM2 can use the “FIPSmode?” service, if it does not return the expected status (see Section 4.5), then the FCM2 is not operating in approved mode. An operator can cause an FCM2 operating in approved mode to quit approved mode by use of the FCM2’s “Revert via OFS” service. This service will zeroize the FCM2’s keys and CSPs and transition it through its Original Factory State (OFS) to its noncompliant state. The operator can then cause that FCM2 to return to approved mode by following the Secure Initialization procedure detailed in Section 11.1 again. To operate the FCM2 is in its, it must be configured properly and it must be operated in accordance with the associated policy restrictions (detailed in Section 11.2). Violating the ongoing policy restrictions would mean that the FCM2 is no longer being operated in its approved mode of operation.

2.2.1 Approved mode

When operated in this mode the FCM2 provides cryptographic services via industry-standard NVMe commands, TCG Opal commands addressed to the TCG AdminSP, and TCG Opal commands addressed to the TCG LockingSP. To operate in approved mode, the Drive Owner must invoke the Activate method on the LockingSP starting from a non-compliant state which itself must start afresh from an OFS state. Keys and CSPs established in approved mode cannot be used in non-compliant state. This is accomplished by the key zeroization which performed as part of the “Revert via OFS” service.

Page 8
Module configuration
NameModelHardware VersionFirmware VersionFeatures
IBM NVMe FlashCore Module 2 XlargeIBM NVMe FlashCore Module 2 Xlarge02CL181 TEL part number: 03JN3632.2.0.9938.4TB physical capacity
IBM NVMe FlashCore Module 2 LargeIBM NVMe FlashCore Module 2 Large02CL183 TEL part number: 03JN3632.2.0.9919.2TB physical capacity
IBM NVMe FlashCore Module 2 MediumIBM NVMe FlashCore Module 2 Medium02CL185 TEL part number: 03JN3632.2.0.999.6TB physical capacity
IBM NVMe FlashCore Module 2 SmallIBM NVMe FlashCore Module 2 Small02CL187 TEL part number: 03JN3632.2.0.994.8TB physical capacity

Similarly, Keys and CSPs established in non-compliant state cannot be used in approved mode. If an FCM2 had been previously operated with a non-FIPS code load, a Locking Range may have been established, though that FCM2 would not have been in approved mode because of the non-FIPS code load. In this case some keys (e.g. the Locking Range’s MEK) would have been established with a non-FIPS code load and they cannot be used in approved mode. If the code on that FCM2 is then updated to the FIPS code load, then the FCM2 must be put back into the OFS state by use of one of the Opal methods specified in the “Revert via OFS” service. This service will cause cryptographic erase of all data written to those Locking Ranges as the Locking Range’s MEKs are zeroized. Then the drives can be put back into approved mode if all requirements are met. The FCM2 only supports Single User Mode (SUM), so only a single User has independent access control to read/write/erase a given Locking Range. By default, there is a single “Global Range” that encompasses the whole user data area. “Locking Ranges”, when established, are configured to be subsets of the LBA range initially established as a Global Range.

2.2.2 SUM Locking Ranges (SLRs)

When invoking the Activate method to enter approved mode, the Drive Owner creates a Locking Range (LR). All LRs created within the FCM2 must be of the Single User Mode (SUM) type. The FCM2 does not support creation of non-SUM LRs, or reclassification of SUM LRs into non-SUM LRs, and any TCG Opal methods attempting either of those will fail with the appropriate error code returned. So, all LRs created in an FCM2 will be, and will remain, “SUM Locking Ranges” (SLRs). SLRs conform to the SUM feature set (see Section 1.2 References 7). Each SLR is controlled and administered solely by the single User role it is associated with per Section 1.2 References 5 and see Section 1.2 References 7, e.g. SLR1 by User2. TCG Opal implements multiple Cryptographic Officer (CO) roles which operate cooperatively to establish, configure, and administer these SLRs. These roles include, at a minimum, the Drive Owner, the User(s), and the LockingSP Admin(s). While in approved mode, this cooperative operation includes: 1. 2. 3. 4. 5. Creating one or more SLRs (by the Drive Owner)

2.3 Hardware and Firmware Versions

The following FCM2 configurations have been validated: Table 2-1 Cryptographic Module Tested Configuration

Page 9
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
SHA3-384 (H/W) FIPS 202A1883SHA3384bits digestAs part of verification of a code load’s digital signature (4 byte aligned only *2)
AES-CBC SP 800-38AA1884AES CBC mode128bits keyA primitive used by the AES-CBC- MAC conditioning component for whitening performed as part of entropy processing
AES-ECB-256 (F/W) FIPS 197A1884AES ECB mode256bits keyA primitive used by XTS-AES-256 Encrypt, and by AES key wrap & unwrap
AES-KEY-UNWRAP (F/W) SP 800-38FA1884AES-KEY- UNWRAP256bits keyIt’s used in the context of TCG authentication
AES-KEY-WRAP (F/W) SP 800-38FA1884AES-KEY-WRAP256bits keyStore the encryption key in ciphertext mode

The configurations vary with respect to the memory integrated circuits (ICs) used. The number of parts, part numbers, and storage capacity of those ICs varies between configurations, but these ICs have no cryptographic capability and do not alter the approved services provided. A complete list of FCM2’s components can be found in the master components list. The majority of the components are not described in any further detail here because they are not related to encryption. The FCM2 drive contains a Xilinx Zynq Ultrascale+ XCZU19EG FPGA (vendor part # = XCZU19EG-L2FFVB1517E4845). That FPGA contains two processor complexes:

2.4 Approved and Allowed Algorithms
Page 10
Approved algorithm
NameCAVP CertKey SizeUse Function
AES-XTS-256 Encrypt (F/W)* SP 800-38EA1884256bits keyXTS-AES EncryptTo check XTS-AES- 256 Encrypt in H/W
Conditioning Component AES- CBC-MAC SP800-90BA1884Key Length: 128; Payload Length: 384AES-CBC-MACWhitening performed as part of entropy processing
Hash DRBG-SHA-512 (F/W) SP 800-90Arev1A1884DRBG with sha 512DRBGRandom number generation
HMAC-SHA-256 (F/W) FIPS 198-1A1884256bits digestHMAC-SHA-256Hash of PINs used to authenticate, as well as a primitive used by the KDF
KDF SP 800-108rev1A1884Key derivation function with HMAC-SHA-256KDFKey derivation
KTS SP 800-38FA1884SSP establishment methodology providing 256 bits of encryption strength800-38F. KTS (key wrapping and unwrapping) per IG D.GIt’s used in the context of TCG authentication
KTS-IFC (F/W) SP 800-56B Rev. 2A1884RSA 3072bits private key SSP establishment methodology provides 128 bits of encryption strengthKTS OAEP basic responder with SHA2-256 (*5)Unencapsulation KEK (key encryption key) by RSA private key with OAEP SHA2- 256 method
RSA Key Generation FIPS 186-4A1884RSA 3072bitsB.3.3Generation of RSA key pair at startup
SHA2-256 (F/W) FIPS 180-4A1884256bits digestSHA2A primitive used by HMAC-SHA- 256
SHA2-512 (F/W) FIPS 180-4A1884512bits digestSHA2A primitive used by DRBG-SHA-512
ECB-AES-256 (H/W) FIPS 197AES #5897256bits keyAES ECB modeA primitive used by XTS-AES-256
XTS-AES-256 Encrypt/Decrypt (H/W)* SP 800-38EAES #5897256bits keyXTS-AES Enc/DecUser Data written by a host application is encrypted; decryption is performed on read
ENT (P) SP 800-90BN/APhysical entropy source based on hardware ring oscillatorsENTSeeding the DRBG
RSA SigVer (H/W) FIPS 186-4Vendor Affirmed *34096bits modulus size, PKCS scheme v1.5, SHA3-384 hash functionRSAAs part of verification of a code load’s digital signature
CKG (F/W) SP 800-133rev2Vendor Affirmed *4Cryptographic Key GenerationCKGCryptographic Key Generation
Page 11
Approved algorithm
NameUse Function
AES-KW (No Security Claimed)IG 2.4.A scenario #1Obfuscation/ Unobfuscation of an SSP.

Table 2-2 Approved Algorithms Table 2-3 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed The modules does not support any of the following:

2.5 FCM2 Drive Brick

Figure 2-1 FCM2 Top View The following figure shows placement of TEL1 in red and TEL2 in red.

Page 12

Figure 2-2 FCM2 Front View Figure 2-3 FCM2 Back View

2.6 FCM2 Block Diagram

Edge connector is PCIe physically, NVMe logically Figure 2-4 FCM2 Block Diagram

Page 13
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
PCIe connectorPCIe connectorData InNVMe protocol commands in
PCIe connectorPCIe connectorData OutNVMe protocol commands out
PCIe connectorPCIe connectorControl InputDrive control operations
PCIe connectorPCIe connectorStatus OutputDrive status
PCIe connectorPCIe connectorPower InputN/A
3 Cryptographic module interfaces

N/A Table 3-1 Ports and Interfaces Notes: * FCM2 has no control output interface.

Page 14
4 Roles, services, and authentication
4.1 Crypto-Erase of User Data

Because all user data written to the FCM2 is encrypted when stored to its internal solid-state media, the data can be cryptographically erased (crypto-erased). The encrypted data, ciphertext, stored is effectively erased when the media encryption key (MEK) used to encrypt it is overwritten (with a fresh MEK) or erased (overwritten with a fixed value such as all zeroes). Because the FCM2 supports the ability to “zeroize” all keys and CSPs, per the FIPS 140-3 key management requirement, the FCM2 supports the capability to “zeroize” any and all MEKs, which in turn crypto-erases all the user data encrypted with those MEKs. The FCM2 supports the capability to zeroize any and all MEKs whether it is in approved mode or not. It should be noted that user data stored to the FCM2 cannot be reliably destroyed by overwrite from the host because the actual storage space where a given LBA’s data is stored moves over time within the FCM2 for multiple reasons including support for wear-leveling. But user data can be reliably destroyed by crypto-erase of the associated MEK. Alternately, all private keys and CSPs can be zeroized at once via Opal methods which cause Revert via OFS (see Section 4.2).

4.2 Revert via OFS

Whether in approved mode or not, the TCG Revert and RevertSP methods may be invoked by an appropriately authenticated Role to put the FCM2 into a non-compliant state. This corresponds to the “Revert via OFS” service and is akin to a “restore to factory defaults” operation. This operation causes zeroization of all CSPs and private (or secret) cryptographic keys. Subsequently, the FCM2 has to be reinitialized before it can return to an approved mode of operation. These Revert and RevertSP methods may be invoked by the Drive Owner, by the AdminSP’s Admin, by the LockingSP’s Admins, or by an unauthenticated role using the public PSID value (see Section 1.2 References 6). The TCG Revert and RevertSP methods are also the appropriate method to perform the drive “end of life” procedures.

4.3 Operator Roles

The following explains the Cryptographic Officer and User roles with a general description of the purpose and authority of each role. For further details of the services performed by each role while the FCM2 is in approved mode, see Section 4.5.

4.3.1 Cryptographic Officer (CO) Roles
4.3.1.1 Drive Owner

This role corresponds to the SID (Secure ID) Authority on the AdminSP as defined in Opal SSC (see Section 1.2 References 5). This role is used to transition the FCM2 to approved mode. It should be noted that to operate in approved mode, a FIPS validated code version (i.e. FIPS code) must be loaded into the FCM2, and the FCM2 must have booted to that code level. If the FCM2 is not running FIPS code, it cannot be operating in approved mode.

4.3.1.2 Admins (1-4) in LockingSP

When in approved mode, these roles’ Authority corresponds to the LockingSP’s Admin roles as defined in Opal SSC (see Section 1.2 References 5).

4.3.1.3 Admin1 in AdminSP

When in approved mode, this role’s Authority corresponds to the AdminSP’s Admin1 role defined in Opal SSC (see Section

1.2 References 5). This role is enabled by default, but can be disabled by the Drive Owner, if desired. When enabled, an

authenticated AdminSP Admin1 can invoke the “Revert via OFS” service.

4.3.2 LockingSP User2

When in Approved mode, this role’s Authority corresponds to the LockingSP’s User role as defined in Opal SSC (see Section

1.2 References 5). This role can unlock (and also lock) the corresponding SLR in the FCM3, so that an operator can read and

write data to that SLR. This role can also invoke the Crypto-Erase service of the associated SLR.

Page 15
4.3.3 Unauthenticated Role

Anyone who has the ability to remove and then restore power to a FCM2 can cause a power cycle which will cause a reset of the FCM2, that is one type of unauthenticated service. Note that since both the MSID and 26-byte PSID are public credentials, “authenticating” with either to gain MSID authority or PSID authority, respectively, amounts to operation in an unauthenticated role. Thus, entering the public PSID value enables unauthenticated invocation of some services (e.g. to invoke the “Revert via OFS” service). No authentication is required to perform the “FIPScode?” and “FIPSmode?” services.

4.4 Authentication
4.4.1 Authentication Type

Role-based authentication of operators is supported. For example, the Drive Owner role has its own unique ID which is associated with a dedicated PIN. The Drive Owner’s PIN can be personalized such that it is unique for that role. For some cases, the authentication is performed in a separate associated service. For example, the Read Unlock service is the authentication required to enable subsequent User Data Read service. If an attempt is made to use the User Data Read service without prior authentication, then the User Data Read will fail. Authentications which use the TCG interface can provide the operator and PIN in the StartSession method invocation. Or, an operator may use the Authenticate method to authenticate to a role within a Session that has already been started. Authentications persist until the associated session is closed.

4.4.2 Authentication in approved mode

Operators can authenticate by use of either the TCG Authenticate or StartSession methods. The host application can have only a single session open at a time. During a session the application can invoke services for which the authenticated operator(s) have authority. One of security rules enforced by the FCM2 is that the host must not authenticate to more than two operators’ roles while in a session. The host application can authenticate to the “Anybody” authority, which does not have a private credential, for the invocation of some services. Accordingly, the invoked services are effectively unauthenticated services.

4.4.3 Authentication Mechanism, Data and Strength

On every startup, the FCM2 generates a fresh new RSA key pair. The RSA public key is discoverable on TCG protocol and the RSA private key is a secret. Operators first query the FCM2’s RSA public key and generate a key encryption key (KEK) outside of the drive. The operator encrypts the new KEK via RSA OAEP SHA2-256 method and sends it to the drive. FCM2 decrypts that message using the RSA private key, and then both parties have agreement upon the KEK. After establishment of the KEK, operators then authenticate with the FCM2 by PINs. Outside of the FCM2, any new PIN to be established is AES key wrapped by the KEK. Once sent inside the FCM2, the message is decrypted via AES Key unwrapping, the KEK is confirmed, and then both parties have agreement upon a new PIN. The provided PIN is salted, hashed and compared to the hash nonvolatilely stored when that PIN was established. The salt is stored in a different non-volatile location. Per the TCG SWG Core (see Section 1.2 References 4) specification, PINs have an associated retry attribute (“TryLimit”) that controls the number of unsuccessful attempts before the authentication is blocked. The default value of the TryLimit setting is 100 which specifies up to 100 retries and Persistence is TRUE which means that any count of incorrect authentications will not be reset on reboot. The count of incorrect authentications will be reset upon a successful authentication or TCG Revert via OFS (see Section 4.2). Neither the TryLimit nor the Persistence settings can be changed, both have their respective Writeable Flags permanently set to FALSE. The PINs have a variable length of 128 to 256 bits. Per the policy security rules, the FCM2 only allows programming of PINs that are of length 128 bits or longer (see Section 11.1’s Rule 7). This PIN length results in a probability of at most 1/2128 (i.e. less than 10-38) for the PIN to be guessed in a single random attempt.

Page 16

Each authentication attempt requires 39ms on average for the FCM2 to complete. This means that at most (60*1000)/39 (= 1538) attempts can, on average, be made in one minute. So the probability of multiple random attempts succeeding in guessing a PIN in a one minute period is at most 1538/2128 = 4.52 x 10-36. For PIN-based authentications (e.g., TCG SID, TCG Admins 1-4, etc.), they’re considered as ‘memorized secret’ authentication mechanism.

4.4.4 Personalizing Authentication Data

The SID is initially set to the value of the manufactured value (MSID). This is a device-unique public value which is 128 to

256 bits long. The Security Rules (see Section 11) for the FCM2 requires that the PIN values must be “personalized” to

private values using the “Set PIN” service. The Drive Owner PIN can be set to a different value by use of the TCG Set Method.

4.5 Approved Mode Services

The following tables details the FIPS 140-3 services the FCM2 provides when in approved mode. It shows which services (Approved Security Functions) can be invoked or used by which authenticated operators (Access Control). in terms of the and operator access control. Note the following:

Page 17
Service
NameRolesInputOutput
Set PINDrive OwnerPINOperation status
Activate SLRPINOperation status
Enable / Disable AdminSP AdminPINOperation status
Revert via OFSPINOperation status
Set PINAdminSP Admin1PINOperation status
Revert via OFSPINOperation status
Set PINLockingSP Admin1-4PINOperation status
Enable / Disable LockingSP Admin(s)PINOperation status
Crypto-Erase of SLRPINOperation status
Revert via OFSPINOperation status
Set PINLockingSP User2PINOperation status
Set GeometryPINOperation status
Lock / Unlock SLR for Rd/WrPINOperation status
Crypto-Erase of SLRPINOperation status
User Data Read *UnauthenticatedNVMe read commandOperation status with data
User Data Write *NVMe write command with dataOperation status
Cold bootPower-cycle FCM2 driveCard boots up
Reset moduleNVMe reset commandCard resets and boots up
FIPSmode?NVMe identify controller commandOperation status with identify controller response
FIPScode?NVMe identify controller commandOperation status with identify controller response
Get VersionNVMe identify controller commandOperation status with identify controller response
KEK setupTCG vendor specific commandOperation status
Board reportNVMe vendor specific commandOperation status with board report data
DRBG generate bytesTCG random service commandOperation status with random bytes
Page 18
Approved algorithm
NameUse Function
128 to 256 bits PIN and 256 bits key in AES key unwrapPIN protected by AES key wrapDrive Owner
128 to 256 bits PIN and 256 bits key in AES key unwrapPIN protected by AES key wrapAdminSP Admin1
128 to 256 bits PIN and 256 bits key in AES key unwrapPIN protected by AES key wrapLockingSP Admin1-4
128 to 256 bits PIN and 256 bits key in AES key unwrapPIN protected by AES key wrapLockingSP User2
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Set PINChange operator authentication dataDrive Owner, AdminS P Admin1 , Locking SP Admin1 - 4/Locki ngSP User2SID PIN; LockingSP Admin1-4 PINs; AdminSP Admin1 PIN; LockingSP User2 PIN; KEK; LBA Range Root KeyAES-KW; SHA- 256; AES-KW (No Security Claimed );SID PINTCG set method returns GOODW
LockingSP Admin1-4 PINsLockingSP Admin1-4 PINsW
AdminSP Admin1 PINAdminSP Admin1 PINW
LockingSP User2 PINLockingSP User2 PINW
KEKKEKE
LBA Range Root KeyLBA Range Root KeyE
Activate SLRAllocate a SUM Locking Range (SLR)Drive OwnerSID PIN; KEKAES-KW; SHA-256SID PINTCG activate method returns GOODW, E
KEKKEKE
Firmwar e loadLoad firmware image. If the downloaded firmware image signature checks, then the FCM2 will boot to the new code at next reboot.None *FW Verification KeyRSA SigVer; SHA3- 384ENew code boots on boot following firmware load
Enable / Disable AdminSP AdminEnable / Disable the AdminSP Admin1Drive OwnerSID PIN; KEKAES-KW; SHA-256SID PINTCG set method returns GOODW, E
KEKKEKE
Enable / Disable LockingS P Admin(s)Enable / Disable a LockingSP AdminLocking SP Admin1 - 4LockingSP Admin1-4 PINs; KEKAES-KW; SHA-256LockingSP Admin1-4 PINsTCG set method returns GOODW, E
KEKKEKE
Set Geometr ySet the starting LBA and size of the SLR.Locking SP User2LockingSP User2 PINs; KEKAES-KW; SHA-256LockingSP User2 PINTCG set method returns GOODW, E
KEKKEKE
Lock / Unlock SLR for Rd/WrBlock or allow read (decrypt) / write (encrypt) of user data in a range.Locking SP User2LockingSP User2 PIN; KEK; LBA Range Root KeyAES-KW; SHA- 256; AES-KW (No Security Claimed ); KDF;LockingSP User2 PINTCG set method returns GOODW, E
KEK;KEK;E;
LBA Range Root KeyLBA Range Root KeyE
User DataEncryption/de cryption of user dataNoneLBA Range MEKsXTS- AES-256ENVMe read/write command returns GOOD
Read / Writeto/from a SLR. Access control to this service is provided through Lock/Unlock SLR for Rd/WrDecrypti on/ Encrypti on (Symme tric Key)
Crypto- Erase of SLRErase user data in a SUM Locking range by changing its associated MEKLocking SP Admin1 - 4LockingSP Admin1-4 PINs; LockingSP User2 PIN; KEK; LBA Range Root Key; LBA Range MEKs; DRBG EI; DRBG Seed; DRBG C; DRBG V;DRBG Symmet ric Key; AES-KW; SHA-256LockingSP Admin1-4 PINs;TCG Erase Method returns GOODW, E
LockingSP User2 PIN;LockingSP User2 PIN;E
KEK;KEK;Z
LBA Range Root Key;LBA Range Root Key;Z
Locking SP User2Locking SP User2User2PINsTCG GenKey/Erase Method returns GOODW, E;
KEKKEKE;
LBA Range Root KeyLBA Range Root KeyG, E, Z;
LBA Range MEKsLBA Range MEKsG, Z;
DRBG EIDRBG EIG, E;
DRBG SeedDRBG SeedG, E;
DRBG CDRBG CG, E;
DRBG VDRBG VG, E;
Revert via OFSExit approved mode. Note: FCM2 will enter non- compliant state.Drive OwnerSID PIN; LockingSP Admin1-4 PINs; AdminSP Admin1 PIN; LockingSP User2 PIN; KEK; LBA Range Root Key; LBA Range MEKs; RSA private key; RSA public key; DRBG EI; DRBG Seed; DRBG C; DRBG V;DRBG Symmet ric Key; AES-KW; SHA-256SID PINTCG LockingSPObj.Revert(), TCG AdminSPObj.Revert() returns GOODW, E, Z
LockingSP Admin1-4 PINsLockingSP Admin1-4 PINsZ
AdminSP Admin1 PINAdminSP Admin1 PINZ
LockingSP User2 PINLockingSP User2 PINZ
KEKKEKE, Z
LBA RangeRoot KeyLBA RangeRoot KeyG, E, Z
LBA Range MEKsLBA Range MEKsG, Z
RSA private keyRSA private keyZ
RSA public keyRSA public keyZ
DRBG EIDRBG EIG, E, Z
DRBG SeedDRBG SeedG, E, Z
DRBG CDRBG CG, E, Z
DRBG VDRBG VG, E, Z
AdminS P Admin1AdminS P Admin1SID PINTCG AdminSPObj.Revert()Z
LockingSP Admin1-4 PINsLockingSP Admin1-4 PINsZ
AdminSP Admin1 PINAdminSP Admin1 PINW, E, Z
LockingSP User2 PINLockingSP User2 PINZ
KEKKEKE, Z
LBA RangeRoot KeyLBA RangeRoot KeyG, E, Z
LBA Range MEKsLBA Range MEKsG, Z
RSA private keyRSA private keyZ
RSA public keyRSA public keyZ
DRBG EIDRBG EIG, E, Z
DRBG SeedDRBG SeedG, E, Z
DRBG CDRBG CG, E, Z
DRBG VDRBG VG, E, Z
Locking SP Admin1 - 4Locking SP Admin1 - 4LockingSP Admin1-4 PINsTCG LockingSP.RevertSP()W, E, Z
LockingSP User2 PINLockingSP User2 PINZ
KEKKEKE, Z
LBA RangeRoot KeyLBA RangeRoot KeyZ
LBA Range MEKsLBA Range MEKsZ
Power OnFirmware integrity check on boot (Pre- operational self-test)NoneFW Verification Key; RSA private key; RSA public key; KEK; DRBG EI; DRBG Seed; DRBG C; DRBG V;RSA SigVer; Generat e RSA key-pairFW Verification KeyCold-Boot or Power-On- Reset and drive boots upE
RSA private keyRSA private keyG, Z
RSA public keyRSA public keyG, Z
KEKKEKZ
DRBG EIDRBG EIZ
DRBG SeedDRBG SeedZ
DRBG CDRBG CZ
DRBG VDRBG VZ
FIPSmod e?Reports whether, from a drive perspective, the drive is in approved modeNoneNoneNoneN/ANVMe Identify: Controller Identify, bytes 3600-3607 (set to “FIPSmode”)
FIPScode ?Reports whether the code level in operation was FIPS validatedNoneNoneNoneN/ANVMe Identify: Controller Identify, bytes 3616-3623 (set to “FIPScode”)
Get VersionReports code versionNoneNoneNoneN/ANVMe Identify: Controller Identify, bytes 64-71
DRBGNoneDRBG EI;DRBGDRBG EIG, E
DRBG Generate BytesReturns a SP800- 90Arev1 DRBG Random Number of # of bytes requested up to 50DRBG Seed; DRBG C; DRBG V;DRBG SeedTCG Random() method returns GOODG, E
DRBG CDRBG CG, E
DRBG VDRBG VG, E
KEK setupEstablish KEK during startupNoneKEK; RSA private key; RSA public keyKTS- OAEP- basic respond er with SHA2- 256KEKTCG kek setup() method returns GOODW
RSA private keyRSA private keyE
RSA public keyRSA public keyR
Board reportDump FCM statusNoneN/AN/AN/ABoard report trigger and dump commands return GOOD
Firmware downloadFirmware imageOperation status

Table 4-1 Roles, Service Commands, Input and Output Notes: * the drive first needs to be unlocked by an authenticated role. d s SHA256; ); P , W W W W E E W, E E SHA3384 E

Page 22

SP80090Arev1 DRBG KTSOAEPbasic SHA2256 N/A N/A G, E G, E G, E W E R N/A Table 4-3 Approved Services * This is unauthenticated as per clause (c) of IG 4.1.A. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP.

Page 23
5 Software/Firmware security

FCM2 firmware image has a RSA 4096 with sha3-384 digital signature appended, it’s checked during firmware download and startup. If non-IBM image is downloaded, the firmware download procedure will return failure and reject it. The original image in NOR flash won’t be updated at all. On every startup, a similar check occurs and put the card in fault state when it fails.

Page 24
6 Operational Environment

N/A The FCM2 operates in a “limited operational environment”. Specifically, the operational environment cannot be modified while the FCM2 is in operation, and no code can be added or deleted. Firmware can be replaced or upgraded with a signed firmware download operation. If the code download’s digital signature checks as authentic, then the FCM2 will boot to it following the next cold boot and so will begin operating with the new firmware image. See Section 11.1 on how to configure and setup approved mode on FCM2.

Page 25
Physical Security MechanismRecommended Frequency of Inspection/TestInspection/Test Guidance Details
Inspect physical tamper evidence TEL1-2At least once per monthVisual inspection on the tamper evidence TELs
7.1 Mechanisms

The FCM2 is a multi-chip embedded module that has the following physical security: Built of production-grade components which have standard passivation Two opaque tamper-evident labels (TELs) on the FCM2. There is one TEL on each end of the FCM2. See “Figure 7-1 TEL1 BSMI Label” for placement of TEL1 and Figure 7 2 TEL2 BSMI Label for placement of TEL2. The TELs are applied during IBM’s manufacturing process. They protect against physical access to the electronics by board removal and prevent electronic design visibility. Tamper-evident security labels applied by IBM manufacturing prevent FlashCore Module 2 Assembly cover removal for access to or visibility of the solid-state memory Exterior of the FCM2 is opaque The tamper-evident labels (TELs) cannot be penetrated, or removed and reapplied, without that tamper being readily evident The TELs cannot be easily replicated with a low attack time The operator is required to inspect the FCM2 periodically for any of the following types of tamper evidence:

7.1.1 Figure 1 – TEL1 and TEL2

Figure shows TEL1 the BSMI label and TEL2 Warrantee Label.

Page 26

Figure 7-1 TEL1 BSMI Label Figure 7-2 TEL2 BSMI Label

7.2 TELs on ends of FCM2

To provide tamper-evidence of FlashCore Module 2 Assembly cover removal:

7.2.1 Figure 2 – tampered TEL1

Showing tamper-evidence on TEL1 Figure 7-3 Tampered TEL1 Where flaking and general distress are seen at each end of the label

7.2.2 Figure 3 – tampered TEL2

Showing tamper evidence of TEL2

Page 27

Figure 7-4 Tampered TEL2 Where flaking and general distress are seen at each end of the label

Page 28
8 Non-invasive security

The FCM2 does not claim to non-invasive security relevant to FIPS 140-3 validation.

Page 29
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey/SSP Name/Typ eZeroisation
Use to authenticate as Drive Owner128 to 256 bits size / 128 to 256 bits strengthSHA-256 #A1884Set by operatorThis PIN is setup or changed by the drive ownerNon- volatile, hashed via SHA- 256Import Encrypted via AES-KWSID PINRevert via OFS
RAM, PlaintextRAM, PlaintextAfter authenticatio n service
Use to authenticate as a LockingSP Admin128 to 256 bits size / 128 to 256 bits strengthSHA-256 #A1884Set by operatorThese PINs are setup or changed by the correspondin g adminsNon- volatile, hashed via SHA- 256Import Encrypted via AES-KWLockingSP Admin1-4 PINsRevert via OFS
RAM, PlaintextRAM, PlaintextAfter authenticatio n service
Use to authenticate as AdminSP Admin1128 to 256 bits size / 128 to 256 bits strengthSHA-256 #A1884Set by operatorThese PINs are setup or changed by theNon- volatile, hashed via SHA- 256Import Encrypted via AES-KWAdminSP Admin1 PINRevert via OFS
9 Sensitive security parameters management
9.1 Cryptographic Keys and CSPs

The following table defines the keys / CSPs and the operators / services which use them. Note that:

Page 30
Service
NameRole AccessRAM, Plaintext
Revert via OFSThese PINs are setup or changed by the correspondin g usersLockingSP User2 PIN128 to 256 bits size / 128 to 256 bits strengthSHA-256 #A1884Set by operatorImport Encrypted via AES-KWNon- volatile, hashed via SHA- 256Use to authenticate as a LockingSP User
Revert via OFS; Crypto-Erase of SLRN/ALBA Range Root Key256 bits size / 256 bits strengthKDF SP800- 108 #A1884Generate d from DRBGN/ANon- volatile, obfuscate dUse to derive LBA Range MEKs
Revert via OFS; Crypto-Erase of SLR; Auto- zeroized after useThese 2 keys are derived from the LBA range root key using the approved SP800- 108rev1 KDFLBA Range MEKs256 bits size each / 256 bits strength eachAES-XTS #AES 5897These 2 keys are derived from the LBA range root key using the approved SP800- 108rev1 KDFN/ACPU RAM, plaintextUse in Encrypt / Decrypt User Data
Revert via OFS; Power On; Auto- zeroized after useN/ADRBG EI1024 bits/ 256 bit strengthHash DRBG #A1884Generate d using the module’s ENT (P)N/ACPU RAM, plaintextUse in services which use the DRBG
Power On; Auto- zeroized after useThis seed is generated using the module’s ENT (P)DRBG Seed888bits*/ 256 bit strengthHash DRBG #A1884Generate d using the module’s ENT (P)N/ACPU RAM, plaintextUse in services which use the DRBG
Revert via OFS; Power OnThis is generated using the module’s ENT (P)DRBG CDRBG intermediat e values C (888 bits each) / 256 bit strengthHash DRBG #A1884Generate d using the module’s ENT (P)N/ACPU RAM, plaintextUse in services which use the DRBG
Revert via OFS; Power OnThis is generated using theDRBG VDRBG intermediat e values V (888 bitsHash DRBG #A1884Generate d using theN/ACPU RAM, plaintextUse in services which use the DRBG
each) / 256 bit strengthmodule’s ENT (P)each) / 256 bit strengthmodule’s ENT (P)
N/AN/AFW Verificatio n Key4096bits size / 152 bits strengthRSA digital signatur e (Vendor affirmed )Pre- loaded; Generate d externall y and hardcode d into the moduleN/ANon- volatile, plaintextUse in firmware load test signature verification
Revert via OFS; Power OnN/ARSA private key3072 bits size / 128 bits strengthRSA KeyGen (FIPS18 6-4) #A1884Generate d by FCM2 on power upN/ACPU RAM; stored in CLiC libraryUse in KEK establishmen t
Revert via OFS; Power OnN/ARSA public key3072 bits size / 128 bits strengthRSA KeyGen (FIPS18 6-4) #A1884Generate d by FCM2 on power upExported in plaintextCPU RAM; stored in CLiC libraryUse in KEK establishmen t
Revert via OFS; Power OnThis key is generated by operators and is used to unwrap the TCG keys/CSPs on authenticatio n.KEK256 bits size / 256 bits strengthAES-KW A1884N/AImport Encrypted via RSACPU RAM, plaintextUse in unwrap of any encrypted PIN during authenticatio n

Nonvolatile, via SHA256 SP800108 N/A N/A Nonvolatile, d N/A SP800108rev1 KDF Autozeroized SP800108rev1 N/A N/A N/A (P) (P) Autozeroized Autozeroized N/A N/A

Page 31

e ) 6-4) 6-4) Preloaded; d N/A (P) N/A N/A N/A N/A N/A n. Table 9-1 SSPs Nonvolatile, N/A t t n * per https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Arev1r1.pdf; Table 2, seedlen

Page 32
Approved algorithm
NameKey Size
DetailsEntropy sourcesMinimum number of bits of
The entropy source provides 128- bits of entropy for each 128-bit output from the vetted conditioning component (AES-CBC- MAC Cert. #A1884). The module's DRBG is seeded with 1024 bits of output, thus providing 1024 bits of entropy.1024 bitsHardware ring oscillator
If this KAT test failsSelf-TestFunction TestedKAT Implementation
Enters FIPS Self-Test Fail StatePre-Operational Self- TestFirmware Integrity TestRSA-4096 with SHA3-384
Firmware Load operation failsConditional Firmware Load TestFirmware Load TestRSA-4096 with SHA3-384
Enters FIPS Self-Test Fail StateCASTSHA2-256Hash KAT performed
Enters FIPS Self-Test Fail StateCASTAES-256-KEY-WRAPEncrypt KAT performed
Enters FIPS Self-Test Fail StateCASTAES-256-KEY- UNWRAPDecrypt KAT performed
Enters FIPS Self-Test Fail StateCASTDRBG (SHA-512)DRBG Instantiate/Generate KAT performed
Enters FIPS Self-Test Fail StateCASTSP 800-108rev1 KDF with HMAC-SHA2-256KDF and HMAC KAT performed
Enters FIPS Self-Test Fail StateCASTAES-ECB-256Encrypt KAT performed
Enters FIPS Self-Test Fail StateCASTXTS-AES-256Encrypt KAT performed
Enters FIPS Self-Test Fail StateCASTCBC-AES-128Encrypt KAT performed
Enters FIPS Self-Test Fail StateCASTSHA3-384 (H/W)Digest KAT performed
Enters FIPS Self-Test Fail StateCASTRSA-4096 (H/W)Verify KAT performed
Enters FIPS Self-Test Fail StateCASTXTS-AES-256 (H/W)Encrypt performed
Enters FIPS Self-Test Fail StateCASTECB-AES-256 (H/W)Decrypt performed
Enters FIPS Self-Test Fail StateCASTECB-AES-256 (H/W)Encrypt performed
Enters FIPS Self-Test Fail StateCASTKTS-OAEP 3072 with SHA2-256RSA decrypt KAT performed
Enters FIPS Self-Test Fail StateCAST (at Power-On and during Entropy Generation)Entropy source APT & RCTAPT and RCT performed on entropy source samples
Enters FIPS Self-Test Fail StateConditional critical function test (Before Key Usage)*XTS Key1 != XTS Key 2Not a KAT
Enters FIPS Self-Test Fail StateConditional Pairwise Consistency test (Before Key Usage)*2RSA pair-wise consistency test (PCT)Encrypt with public key and decrypt with private key, then compare the answer

Table 9-2 Non-Deterministic Random Number Generation Specification

9.2 Temporary CSPs

No matter if the FCM2 is in approved mode or non-compliant state, all the temporary keys and CSPs are zeroized when they are no longer needed.

9.3 Control Output Interface

No additional logical interface in FCM2 module.

Page 33
10 Self-tests
10.1 Self-Tests

The NVMe identify controller command indicates failure of self-tests. Instead of reporting “NoErrors” as required by the approved mode, the identify controller command will show “FailAAAA” where AAAA are ASCII characters providing additional detail on the type of self-test failure. Self-tests may be invoked on-demand via power-cycle. All errors result in the module entering a "fenced" error state. The two fenced error states are referred to as "Self-Test Failed" and "Operational Test Failed". These error states cannot be normally recovered from without returning the module to the manufacturer for servicing, although IBM also suggests attempting an NVMe "NVM Subsystem Reset" (NSSR) first to attempt to have the module re-run the self-tests.

Page 34

Table 10-1 Self-tests * This check is made each time a Root Key is expanded, by two key derivations, into XTS’s Key1 and Key2. *2 The RSA PCT is performed upon module startup right after generation of the keypair and therefore prior to any export. The purpose of the keypair is only for key transport. The Entropy source is continuously tested by a Repetition Count Test (RCT) and Adaptive Proportion Test (APT). SP 800-90Arev1 DRBG Instantiate and Generate Health Tests are addressed by destructing the existing instance and instantiating a new one each time a random number is to be generated. A KAT test is run against the new SP 800-90Arev1 instantiation to assure it is sound before it is used. The DRBG is then used to generate a random number by processing ENT (P) samples. A Continuous Random Number Generator Test (CRNGT) is performed on the output of the DRBG. The first random number generated after power up is not used, and SHA2-256 hash of each subsequently generated new random number is compared to the SHA2-256 of the immediately previous generated random number. The continuous test fails if the two numbers match indicating the output of the DRBG has not changed (i.e. is stuck).

Page 35
11 Life-cycle assurance
11.1 Establishing approved mode and exit conditions

The FCM2 does not typically change mode across power cycles and resets. However, certain operations can result in the FCM2 exiting approved mode. In some of these situations (e.g. failure of the Power On Self Test), the FCM2 cannot be restored to approved mode and in that case could not provide any further Approved service. The administrator guidance and product documentation may be acquired by contacting the following email addresses: gkimbue@us.ibm.com nehal@us.ibm.com The following are the security rules for establishment and operation of the FCM2 in the approved mode. Further detail is available in the appropriate sections of this document.

  1. Cryptographic Officers: At receipt of the product examine the shipping packaging and the product packaging to ensure it has not been accessed during shipping by the trusted courier.
  2. Cryptographic Officers and Users: At installation, and periodically thereafter, examine the Tamper Evident Labels (TELs) installed at time of manufacture for tamper evidence.
  3. Cryptographic Officers and Users: At installation, and periodically thereafter, query the FCM2’s firmware’s code level to be sure it matches the FIPS validated firmware level (see section 2.3). Additionally, use the “FIPScode?” service to assure the firmware identifies itself as “FIPScode” (i.e. that the proper compile time options were used when it was built).
  4. Cryptographic Officers: A key encryption key needs to be established for any future TCG authentication. First the FCM public key needs to be queried, generate a 256bits KEK, encrypt it by the RSA public key and pass it down to FCM.
  5. Cryptographic Officers: At installation, determine if the FCM2 has been used previously (e.g. has a SLR already been established?). If so, then invoke the “Revert via OFS” service to zeroize all previously established secret keys and CSPs and remove any SLRs.
  6. Cryptographic Officers: Transition the FCM2 to approved mode by invoking the Activate method for each SLR to be created
  7. Cryptographic Officers and Users: At installation, set all operator PINs applicable for the approved mode to private values of

128 to 256 bits length by use of approved mode: Drive Owner, Admins, and Users. The default authentication data is

forcefully replaced upon first-time authentication, otherwise it won’t be in approved mode of operation.

  1. Cryptographic Officers (specifically LockingSP Admins) to operate in approved mode: Set ReadLockEnabled and WriteLockEnabled to “True” on each activated SLR. Periodically thereafter the ReadLockEnabled and WriteLockEnabled settings should be checked to be sure they have not been modified.
  2. Cryptographic Officers: Use the “FIPSmode?” service to assure the firmware sees itself as being in approved mode.
  3. Cryptographic Officers: At installation, disable the “Makers” authority by use of the TCG Set method.
  4. After secure establishment is complete, do a power-on reset to clear authentications established during establishment.
  5. Users: do a GenKey of each SLR’s Media Encryption Key (MEK)
  6. Cryptographic Officers: verify that the FCM2 indicates it is running “FIPSmodeNoErrors”. If all of these steps are followed correctly, the FCM2 will be in approved mode of operation. It should be noted that all of the conditions detailed above must continue to be met to remain in approved mode. Failure to follow these steps would result in the module operating in a non-compliant state.
11.2 Ongoing Policy Restrictions

Each time a new CO role is to be assumed, the current Session must be closed, and a new Session started (or do a power-on reset), so that the previous authentication to the previous CO authority is cleared.

Page 36
12 Mitigation of Other Attacks Policy

The FCM2 does not claim to mitigate against any other attacks relevant to FIPS 140-3 validation. -- End --

Referenced URLs