All modules
CMVP Validated Module · FIPS 140-3 Security Policy

AMD ASP Cryptographic CoProcessor ("Turin")

Certificate#5085StandardFIPS 140-3Level1TypeHardwareEmbodimentSingle ChipStatusActiveVendorAdvanced Micro Devices (AMD)
Medium review priority  ·  no TCB surface named  ·  last validated 9 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date10/21/2030
CaveatWhen operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorAdvanced Micro Devices (AMD)

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for AMD ASP Cryptographic CoProcessor ("Turin")
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>firmware load</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for AMD ASP Cryptographic CoProcessor ("Turin")
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>firmware load</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Advanced Micro Devices (AMD) AMD ASP Cryptographic CoProcessor ("Turin") Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 Document version: 1.1 www.atsec.com Last update: 2025-10-08

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 Advanced Micro Devices (AMD), atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Hardware8
Table 3: Modes List and Description8
Table 4: Approved Algorithms10
Table 5: Vendor-Affirmed Algorithms10
Table 6: Non-Approved, Allowed Algorithms with No Security Claimed10
Table 7: Non-Approved, Not Allowed Algorithms11
Table 8: Security Function Implementations13
Table 9: Entropy Certificates14
Table 10: Entropy Sources14
Table 11: Ports and Interfaces16
Table 12: Roles17
Table 13: Approved Services25
Table 14: Non-Approved Services27
Table 15: Mechanisms and Actions Required30
Table 16: Storage Areas32
Table 17: SSP Input-Output Methods32
Table 18: SSP Zeroization Methods33
Table 19: SSP Table 135
Table 20: SSP Table 237
Table 21: Pre-Operational Self-Tests38
Table 22: Conditional Self-Tests41
Table 23: Pre-Operational Periodic Information41
Table 24: Conditional Periodic Information42
Table 25: Error States43
Figure 1: AMD EPYC 9B45 SoC7
Figure 2: Block Diagram7
Page 5
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the AMD ASP Cryptographic CoProcessor ("Turin") cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 3

6 Operational environment 1

7 Physical security 1

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 2

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The AMD ASP Cryptographic CoProcessor ("Turin") cryptographic module (hereafter referred to as “the module”) is defined as a sub-chip hardware module in a single chip embodiment, with hardware and firmware components implementing general purpose cryptographic algorithms. Module Type: Hardware Module Embodiment: SingleChip Module Characteristics: SubChip Cryptographic Boundary: The module consists primarily of the ARM Cortex-A5, Random Bit Generation hardware, Security Infrastructure Block, Cryptographic CoProcessor, and OTP fuses. These hardware components are sub-components of the “IOD” (EPYC EIOD2.0), which itself is a smaller die in the larger single chip embodiment, the EPYC SoC. OTP fuses are used to persistently store FIPS support enablement and versioning information, security state information, and Entropy Source configuration values (sample rate, sample count, RCT and APT cutoffs). In addition, there is a ROM firmware component (“libROM”) permanently stored inside the EPYC SoC, and an overlay firmware component (“overlay firmware”) permanently stored inside SPI flash storage, outside the EPYC SoC, which is loaded into the IOD SRAM on startup. The block diagram in Figure 2 shows the design of the module when the module is operational and the firmware components are loaded into the SRAM. In this diagram, the physical boundary of the module, defined by the perimeter of the EPYC SoC (i.e., the enclosure of the SoC), is indicated by a dashed purple line. The cryptographic boundary is represented by the components painted in orange blocks. Solid orange lines indicate the flow of data within the cryptographic module (i.e., internal paths). Dashed green lines are used to denote the logical interfaces defined in Section 3. Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP is the EPYC SoC (shown in Figure 1), a rectangular enclosure measuring approximately 72 mm x 75.4 mm x 5.30 mm. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 7

Figure 1: AMD EPYC 9B45 SoC Figure 2: Block Diagram © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 8
2.2 Tested and Vendor Affirmed Module Version and

Identification Tested Module Identification

2.3 Excluded Components

There are no components excluded from the requirements of the FIPS 140-3 standard.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically entered Approved Equivalent to the indicator of the mode whenever an approved requested service service is requested (FipsIndicatorStatus is set to

  1. Non- Automatically entered Non- Equivalent to the indicator of the approved whenever a non-approved Approved requested service mode service is requested (FipsIndicatorStatus is not set to
  2. Table 3: Modes List and Description After passing all pre-operational self-tests and conditional self-tests executed on startup, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. In the operational state, the module accepts service requests from calling applications through its logical interfaces. The operator can verify that the module is operational by requesting the RL_ARCL_GetState service and comparing the returned ArclState value with
  3. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.
2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5794 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A5794 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A5794 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5794 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 9

Algorithm CAVP Properties Reference Cert AES-ECB A5795 Direction - Encrypt SP 800-38A Key Length - 256 Conditioning A5337 Key Length - 256 SP 800-90B Component AES-CBCMAC SP800-90B Counter DRBG A5795 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No ECDSA KeyGen A5794 Curve - P-384 FIPS 186-5 (FIPS186-5) Secret Generation Mode - extra bits ECDSA SigGen A5794 Curve - P-384 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Component - No ECDSA SigVer A5794 Component - No FIPS 186-4 (FIPS186-4) Curve - P-384 Hash Algorithm - SHA-1 ECDSA SigVer A5794 Curve - P-384 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 HMAC-SHA-1 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2-224 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2-256 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2-384 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2-512 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA3-224 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA3-256 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA3-384 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA3-512 A5794 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 KDF SP800-108 A5794 KDF Mode - Counter SP 800-108 Supported Lengths - Supported Rev. 1 Lengths: 112-4096 Increment 8 RSA KeyGen (FIPS186- A5794 Key Generation Mode - probable FIPS 186-5 5) Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 10

Algorithm CAVP Properties Reference Cert RSA SigGen (FIPS186- A5794 Modulo - 2048, 3072, 4096 FIPS 186-5 5) Signature Type - pss RSA SigVer (FIPS186-2) A5794 Signature Type - PKCSPSS FIPS 186-4 Modulo - 1536 RSA SigVer (FIPS186-4) A5794 Signature Type - PKCSPSS FIPS 186-4 Modulo - 1024, 2048, 3072, 4096 RSA SigVer (FIPS186-5) A5794 Modulo - 2048, 3072, 4096 FIPS 186-5 Signature Type - pss SHA-1 A5794 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-224 A5794 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-256 A5794 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-384 A5794 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-512 A5794 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA3-224 A5794 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

SHA3-256 A5794 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

SHA3-384 A5794 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

SHA3-512 A5794 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

SHAKE-128 A5794 Output Length - Output Length: 1344 FIPS 202 SHAKE-256 A5794 Output Length - Output Length: 1088 FIPS 202 Table 4: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key N/A SP 800-133r2, Section 4, (asymmetric) Type:Asymmetric example 1 Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function RTL key de- When used to de-obfuscate data using the weak Deobfuscation RTL key obfuscation Table 6: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 11

Name Use and Function HMAC with key Message authentication lengths less than

112 bits

Deterministic Key pair generation ECDSA key pair generation Deterministic RSA Key pair generation key pair generation ECDSA (pre-hashed Signature generation, Signature verification message) ECDSA with SHA-1 Signature generation RSA with 1024 or Key pair generation, Signature generation

1536 bits modulus

RSA (pre-hashed Signature generation, Signature verification message) RSA with SHA-1 Signature generation SHA-384 with non- PCR-based memory measurement standard initial hash value CCP_HAL algorithm Message digest (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512), XOF (SHAKE128, SHAKE256), encryption, decryption (AES ECB, CBC, OFB, CFB, CTR, GCTR, IAPM, XTS), message authentication (AES CMAC) SIB_HAL algorithm Random number generation Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption BC-UnAuth Encrypt a AES-CBC: plaintext (A5794) AES-CTR: (A5794) AES-ECB: (A5794) Decryption BC-UnAuth Decrypt a AES-CBC: ciphertext (A5794) AES-CTR: (A5794) AES-ECB: (A5794) Message digest SHA Compute a SHA-1: (A5794) message digest SHA2-224: (A5794) SHA2-256: (A5794) SHA2-384: (A5794) SHA2-512: © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 12

Name Type Description Properties Algorithms (A5794) SHA3-224: (A5794) SHA3-256: (A5794) SHA3-384: (A5794) SHA3-512: (A5794) XOF XOF Compute an SHAKE-128: extendable (A5794) output message SHAKE-256: digest (A5794) MAC MAC Compute a MAC AES-CMAC: tag (A5794) HMAC-SHA-1: (A5794) HMAC-SHA2224: (A5794) HMAC-SHA2256: (A5794) HMAC-SHA2384: (A5794) HMAC-SHA2512: (A5794) HMAC-SHA3224: (A5794) HMAC-SHA3256: (A5794) HMAC-SHA3384: (A5794) HMAC-SHA3512: (A5794) Random DRBG Generate Conditioning number random bytes Component generation AES-CBC-MAC SP800-90B: (A5337) AES-ECB: (A5795) Counter DRBG: (A5795) Key derivation KBKDF Derive a key KDF SP800-108: from a key (A5794) derivation key Key pair AsymKeyPair- Generate a key ECDSA KeyGen generation KeyGen pair (FIPS186-5): CKG (A5794) RSA KeyGen (FIPS186-5): (A5794) © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 13

Name Type Description Properties Algorithms CKG (asymmetric): () Signature DigSig-SigGen Generate a ECDSA SigGen generation digital signature (FIPS186-5): (A5794) RSA SigGen (FIPS186-5): (A5794) Signature DigSig-SigVer Verify a digital ECDSA SigVer verification signature (FIPS186-5): (A5794) RSA SigVer (FIPS186-5): (A5794) Signature DigSig-SigVer Verify a digital Publications:FIPS RSA SigVer verification signature 140-3 IG C.M (FIPS186-4): (Legacy) legacy (A5794) algorithms RSA SigVer RSA Key:1024 or (FIPS186-2):

1536 bit (A5794)

modulus; 2048, ECDSA SigVer 3072, 4096 bit (FIPS186-4): modulus with (A5794) SHA-1 ECDSA Key:P-

384 with SHA-1

Table 8: Security Function Implementations

2.7 Algorithm Specific Information

SHA-1: Digital signature generation using SHA-1 is non-approved and not allowed in approved services. RSA: For RSA key pair generation, signature generation, and signature verification, the module supports modulus sizes 2048, 3072, and 4096 bits. Additionally, the module supports a modulus size of 1024 and 1536 bits for RSA signature verification. All supported modulus sizes have been CAVP tested. Legacy use and FIPS 186-5: In compliance with FIPS 140-3 IG C.K, the digital signature algorithm implementations have been CAVP tested against FIPS 186-5 where possible. FIPS 186-2 CAVP testing was performed for RSA signature verification with a 1536-bit modulus. FIPS 186-4 CAVP testing was performed for digital signature verification using SHA-1 and RSA signature verification with a 1024-bit modulus. These algorithms are allowed for legacy use only. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 14
2.8 RBG and Entropy

Cert Vendor Name Number E173 Advanced Micro Devices (AMD) Table 9: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample AMD TRNG Entropy Physical EPYC EIOD2.0 128 128 AES-CBC-MAC Source (A5337) Table 10: Entropy Sources The module provides an SP800-90Ar1-compliant Deterministic Random Bit Generator (DRBG) using CTR_DRBG mechanism with AES-256 for generation of key components of asymmetric keys, and random number generation. The module complies with the Public Use Document for ESV certificate E173 by reading entropy data from the 2048-bit FIFO, which corresponds to the GetEntropy() function. This function outputs 128 bits of entropy. The module constructs the 384-bit entropy input for the DRBG by requesting GetEntropy() three times and concatenating the result. The DRBG does not employ a derivation function, does not support a personalization string, and does not support additional input. Consequently, the 384-bit entropy input is used directly as the DRBG seed, for both seeding and reseeding. The operational environment on the ESV certificate is identical to the IOD in the EPYC SoC, in which the sub-chip components are contained. Thus, the module is compliant with scenario 1 of IG 9.3.A. There are no maintenance requirements for the entropy source.

2.9 Key Generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800 90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The following methods are implemented:

256 PRF and a 32-bit counter. This implementation can be used to derive secret keys when

provided with a pre-existing key-derivation key. The resulting SSPs can be stored by the module in the Key Storage Block (if specified by the operator) or output as an API output parameter. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 15
2.10 Key Establishment

The module does not implement any automated key establishment methods.

2.11 Industry Protocols

The module does not implement any industry protocol. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 16
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) SRAM Data Input API input parameters for data. SRAM Data Output API output parameters for data. SRAM Control Input API function calls, API input parameters for control. SRAM Status Output API return codes, status values. Power port Power Power port or pin on the SoC. Table 11: Ports and Interfaces The logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. The power interface is physically separated from any other interface. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 17
4 Roles, Services, and Authentication
4.1 Authentication Methods

The module does not implement any authentication methods.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions RL_ARCL_Sha Generate FipsIndica Message, Message Mess Crypto a torStatus output digest age Officer (extenda is set to 2 length digest ble (XOF) XOF output) message digest RL_ARCL_Aes Perform FipsIndica Plaintext/ci Plaintext/c Encry Crypto an AES torStatus phertext, iphertext ption Officer operation is set to 2 AES key, Decry - AES (encrypt/ IV (if ption key: decrypt) applicable) W,E RL_ARCL_Mac Generate FipsIndica Message, MAC tag MAC Crypto a MAC torStatus AES/HMAC Officer tag is set to 2 key - AES key: W,E HMAC key: W,E RL_ARCL_EcdsaGener Generate FipsIndica Curve ECDSA Key Crypto ateKeyPair an torStatus key pair pair Officer ECDSA is set to 2 gener key pair ation ECDSA private key: G,R ECDSA public © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 18

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions key: G,R Interm ediate key genera tion value: G,E,Z RL_ARCL_RsaGenerat Generate FipsIndica Modulus RSA key Key Crypto eKeyPair an RSA torStatus size pair pair Officer key pair is set to 2 gener - RSA ation private key: G,R ECDSA public key: G,R Interm ediate key genera tion value: G,E,Z RL_ARCL_Sign Sign a FipsIndica Message, Signature Signa Crypto message torStatus hash ture Officer is set to 2 algorithm, gener private key ation ECDSA private key: W,E - RSA private key: W,E RL_ARCL_Verify Verify a FipsIndica Message, Pass/fail Signa Crypto message torStatus hash ture Officer signature is set to 2 algorithm, verific signature, ation ECDSA public key Signa public ture key: verific W,E ation - RSA public © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 19

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions (Lega key: cy) W,E RL_ARCL_X509CertCr Create FipsIndica X.509 Signed Signa Crypto eate and sign torStatus informatio X.509 ture Officer an X.509 is set to 2 n, hash certificate gener certificat algorithm, ation ECDSA e private key private key: W,E RL_ARCL_DeriveKeyU Derive a FipsIndica Key- Derived Key Crypto singPRF key using torStatus derivation- key deriv Officer SP 800- is set to 2 key, ation - Key108r1 derived derivat KDF key length ion key: W,E Derive d key: G,R RL_ARCL_GenerateRa Generate FipsIndica Output Random Rand Crypto ndom random torStatus length bytes om Officer bytes is set to 2 numb er Entrop gener y ation input: G,E,Z DRBG seed: G,E,Z Intern al state (V, Key): W,E RL_ARCL_FwImageLo Verify FipsIndica Firmware Pass/fail Signa Crypto adValidateWithKey the torStatus image, ture Officer signature is set to 2 public key verific - RSA of a ation public firmware Signa key: image ture W,E using a verific provided ation key (Lega cy) © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 20

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions RL_ARCL_FwImageLo Verify FipsIndica Firmware Pass/fail Signa Crypto adValidate the torStatus image ture Officer signature is set to 2 verific - RSA of a ation public firmware Signa key: image ture W,E using an verific embedde ation d key (Lega cy) RL_ARCL_KeyDbInstal Verify FipsIndica Key Pass/fail Signa Crypto l the torStatus database ture Officer signature is set to 2 image verific - RSA of a key ation public database Signa key: image ture W,E using an verific embedde ation d key (Lega cy) RL_ARCL_KeyImageV Verify FipsIndica Key image Pass/fail Signa Crypto alidate the torStatus ture Officer signature is set to 2 verific - RSA of a key ation public image Signa key: using an ture W,E embedde verific d key ation (Lega cy) RL_ARCL_SelfTest Perform FipsIndica None Pass/fail None Crypto on- torStatus Officer demand is set to 2 self-tests RL_ARCL_RtlDeobfusc De- FipsIndica Obfuscate De- None Crypto ate obfuscat torStatus d input obfuscate Officer e some is set to 2 data d output data data using the RTL key RL_ARCL_Reconfig Update None Register None None Crypto the ASP base Officer register address base address RL_ARCL_GetState Show the None None Module None Crypto (Show Status / Show module status, Officer Version) status, version, © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 21

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions version, service and indicator service indicator RL_ARCL_Scrap Zeroize None None None None Crypto the KSB Officer and - AES prepare key: Z the module HMAC for end- key: Z of-life - Keyderivat ion key: Z Derive d key: Z ECDSA private key: Z ECDSA public key: Z - RSA private key: Z - RSA public key: Z RL_ARCL_Shutdown Zeroize None None None None Crypto the KSB Officer and shut - AES down the key: Z module HMAC key: Z - Keyderivat ion key: Z Derive d key: Z © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 22

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions ECDSA private key: Z ECDSA public key: Z - RSA private key: Z - RSA public key: Z RL_ARCL_KeyDbRetir Disable None None None None Crypto e the Officer installed key database image RL_ARCL_ReinitHw Reinitializ None None None None Crypto e CCP Officer hardware RL_ARCL_GetShaInfo Get SHA None SHA type IV, None Crypto IV, message Officer message block size, block output size, and hash output length hash length RL_ARCL_ModExp Perform None Base, Result None Crypto a exponent, Officer modular modulus exponent iation RL_ARCL_RtlDisableK Disable None None None None Crypto eyUsage usage of Officer the RTL key RL_ARCL_AddAddress Register None Device None None Crypto Map a new address Officer device map address map RL_ARCL_GetRuntime Get the None None Runtime None Crypto Profile runtime profile Officer profile address address © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 23

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions RL_ARCL_GetReadOnl Get list of None None List of None Crypto yRegions read-only read-only Officer regions regions RL_ARCL_CcpDma Copy None SRAM SRAM None Crypto data address or address or Officer from a KSB slot KSB slot source to handle handle a destinati on using the CCP RL_ARCL_KsbAlloc Allocate None Length, KSB slot None Crypto a slot in allocation handle Officer the KSB type RL_ARCL_KsbChange Change None KSB slot, None None Crypto Usage attribute attributes Officer s for a KSB slot RL_ARCL_KsbGetAttri Retrieve None KSB slot Attributes None Crypto butes attribute Officer s for a KSB slot RL_ARCL_KsbClear Set the None KSB slot None None Crypto first 64 Officer bytes of a KSB slot to zero RL_ARCL_KsbLock Lock a None KSB slot None None Crypto KSB slot Officer RL_ARCL_KsbFree Free and None KSB slot None None Crypto zeroize a Officer previousl - AES y key: Z allocated KSB slot HMAC key: Z - Keyderivat ion key: Z Derive d key: Z ECDSA private © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 24

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions key: Z ECDSA public key: Z - RSA private key: Z - RSA public key: Z RL_ARCL_ZlibDecomp Decompr None Compresse Uncompre None Crypto ress ess zlib d data ssed data Officer data RL_ARCL_ClearInterru Clear None Flags None None Crypto pt CCP Officer interrupt for the flags RL_ARCL_GetInterrupt Check if None Flags Interrupt None Crypto State CCP state Officer interrupt is signaled for the flags RL_ARCL_EnableInterr Enable None Flags None None Crypto upt CCP Officer interrupt for the flags RL_ARCL_GetKeyUsag Check None None Key usage None Crypto eHistory key counters Officer usage so far in boot RL_ARCL_RngReinit Reinitializ None None None Rand Crypto e the om Officer Entropy numb Source er Entrop and gener y DRBG ation input: G,E,Z DRBG seed: G,E,Z © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 25

Name Descript Indicator Inputs Outputs Secu SSP ion rity Acces Func s tions Intern al state (V, Key): G RL_ARCL_RngReseed Reseed None None None Rand Crypto the om Officer DRBG numb er Entrop gener y ation input: G,E,Z DRBG seed: G,E,Z Intern al state (V, Key): W,E RL_ARCL_DeInitVcq Disable None None None None Crypto and clear Officer the virtual queue VCQ0 RL_ARCL_QueryRootK Check None Key True/false None Crypto ey whether reference Officer the provided key reference is one of the root keys Table 13: Approved Services For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP.

Page 26

• Zeroize (Z): The module zeroizes the SSP. • N/A: The module does not access any SSP or key during its operation. The module provides three different API layers, each with distinct services:

  1. The ARCL layer, which provides high-level cryptographic (both approved and nonapproved) and non-cryptographic functionality.
  2. The CCP HAL layer, which provides non-approved, low-level cryptographic functionality.
  3. The SIB HAL layer, which provides non-approved, low-level functionality to interact with the Key Storage Block, Entropy Source, DRBG, and Security State. The ARCL API layer provides the RL_ARCL_GetState function which returns the ArclState, ArclVersion, and FipsIndicatorStatus values: • The ArclState value serves as the module’s status indicator and is used to indicate the error states. • The ArclVersion value contains the module’s versioning information. The FipsIndicatorStatus value serves as the approved service indicator. If this value is set to 2, the previously requested ARCL service was approved. If this value is set to any other value, the service was non-approved. The CCP HAL and SIB HAL layers only provide non-approved services.
4.4 Non-Approved Services

Name Description Algorithms Role RL_ARCL_Mac Generate a MAC tag HMAC with key Crypto lengths less than 112 Officer bits RL_ARCL_EcdsaGenerateKeyPair Generate an ECDSA Deterministic ECDSA Crypto key pair key pair generation Officer RL_ARCL_RsaGenerateKeyPair Generate an RSA Deterministic RSA Crypto key pair key pair generation Officer RSA with 1024 or

1536 bits modulus

RL_ARCL_Sign Sign a message ECDSA with SHA-1 Crypto RSA with 1024 or Officer

1536 bits modulus

RSA with SHA-1 RL_ARCL_X509CertCreate Create and sign an ECDSA with SHA-1 Crypto X.509 certificate Officer RL_ARCL_EcdsaSignDigest Sign a pre-hashed ECDSA (pre-hashed Crypto message message) Officer RL_ARCL_RsaPssSignDigest Sign a pre-hashed RSA (pre-hashed Crypto message message) Officer RL_ARCL_EcdsaVerifySignature Verify a pre-hashed ECDSA (pre-hashed Crypto message signature message) Officer RL_ARCL_RsaPssVerifySignature Verify a pre-hashed RSA (pre-hashed Crypto message signature message) Officer © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 27

Name Description Algorithms Role RL_ARCL_MeasureMemoryPerPcr PCR-based memory SHA-384 with non- Crypto measurement standard initial hash Officer value CCP_HAL API Any API in the CCP_HAL algorithm Crypto CCP_HAL API layer Officer SIB_HAL API Any API in the SIB_HAL algorithm Crypto SIB_HAL API layer Officer Table 14: Non-Approved Services

4.5 External Software/Firmware Loaded

Upon startup, the libROM firmware component loads the overlay firmware from external storage (SPI flash) into the sub-chip cryptographic subsystem. The integrity of the overlay firmware is determined by verifying an RSA-PSS 4096 with SHA-384 signature stored in the firmware that was computed at build time. If the signature verification fails, the firmware load test fails. The public key used to verify this signature is stored inside the libROM firmware component of the module, the private key associated with this public key is controlled by the vendor. All data output is inhibited during the execution of the firmware load test and the firmware loading process. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 28
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the libROM component of the module is verified by comparing a SHA-384 digest value calculated at runtime with the SHA-384 digest value stored in the module that was computed at build time. The integrity of the overlay firmware component of the module is discussed in Section 4.5.

5.2 Initiate on Demand

The module provides the RL_ARCL_SelfTest service to perform self-tests on demand. Among those self-tests is the integrity test, as part of the pre-operational self-tests. More details on the API are provided by the vendor in its developer’s manual. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 29
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: Any SSPs contained within the module are protected by the hardware and firmware restrictions implemented by the Key Storage Block. Only the module has access to these SSPs, and access is only possible through the defined interfaces.

6.2 Configuration Settings and Restrictions

No configuration of the operational environment is required for the module to operate in an approved mode. Therefore, there are no rules, settings, or restrictions to the configuration of the operational environment. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 30
7 Physical Security
7.1 Mechanisms and Actions Required

Mechanism Inspection Frequency Inspection Guidance Opaque sealing No actions are required to No actions are required to coat maintain the physical security of maintain the physical security of the module the module Table 15: Mechanisms and Actions Required The module provides no additional physical security techniques. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 31
8 Non-Invasive Security

The module does not implement any non-invasive security mechanisms. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 32
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Area Description Persistence Name Type Hardware registers Hardware registers store the SSPs used by the Dynamic hardware DRBG Key Storage Block Hardware block used to securely store SSPs while the Dynamic (KSB) module is operational SRAM Temporary storage for SSPs used by the module as Dynamic part of service execution Table 16: Storage Areas The Key Storage Block (KSB) maintains internal separation of the SSPs (including CSPs) in approved and non-approved modes of operation using a “virtual queue” mechanism: virtual queue 0 is exclusively used for approved services, whereas virtual queue 1 is always used for non- approved services. The module does not perform persistent storage of SSPs; SSPs in use by the module exist in volatile memory only.

9.2 SSP Input-Output Methods

Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Operator Cryptographi Plaintex Manual Electroni parameter calling c module t c s application (TOEPP) API output Cryptographi Operator Plaintex Manual Electroni parameter c module calling t c s application (TOEPP) Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method RL_ARCL_KsbFree Zeroize a single Memory occupied by the By calling the KSB slot SSP is overwritten with RL_ARCL_KsbFree zeroes, which renders the function SSP value irretrievable. Completion of the function indicates that the zeroization procedure succeeded. RL_ARCL_Shutdown Zeroize all data Memory occupied by the By calling the stored in the SSPs is overwritten with RL_ARCL_Shutdown KSB zeroes, which renders the function © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 33

Zeroization Description Rationale Operator Initiation Method SSP values irretrievable. Completion of the function indicates that the zeroization procedure succeeded. RL_ARCL_Scrap Zeroize all data Memory occupied by the By calling the stored in the SSPs is overwritten with RL_ARCL_Scrap KSB zeroes, which renders the function SSP values irretrievable. Completion of the function indicates that the zeroization procedure succeeded. Remove power from De-allocates the Volatile memory used by By removing power the SoC volatile memory the module is overwritten used to store within nanoseconds when SSPs power is removed Automatic Automatically Every service overwrites N/A zeroized by the its temporary memory module when no upon completion, which longer needed renders any SSP values used by the service irretrievable. Completion of the service indicates that the zeroization procedure succeeded. Table 18: SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h AES key Symmetric 128, Symmetric Encryptio key used 192, 256 - CSP n for AES bits - Decryptio operations 128, n 192, 256 MAC bits HMAC key Symmetric 112-256 Symmetric MAC key used bits - - CSP for HMAC 112-256 operations bits Key- Symmetric 112-256 Symmetric Key derivation key used to bits - - CSP derivation key derive 112-256 other bits © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 34

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h symmetric keys Derived Symmetric 112-256 Symmetric Key key key derived bits - - CSP derivation from a key- 112-256 derivation bits key Entropy Entropy 384 bits Entropy Random Random input input used - 384 input - CSP number number to seed the bits generation generatio DRBG n DRBG seed DRBG seed 384 bits DRBG seed Random Random derived - 256 - CSP number number from bits generation generatio entropy n input Internal Internal 384 bits Internal Random Random state (V, state of the - 256 state - CSP number number Key) CTR_DRBG bits generation generatio instance n ECDSA Private key P-384 - Private key Key pair Signature private key used for 192 bits - CSP generation generatio ECDSA n ECDSA Public key P-384 - Public key - Key pair Signature public key used for 192 bits PSP generation verificatio ECDSA n Signature verificatio n (Legacy) RSA private Private key 2048, Private key Key pair Signature key used for 3072, - CSP generation generatio RSA 4096 n bits 112, 128, 150 bits RSA public Public key 1024, Public key - Key pair Signature key used for 1536, PSP generation verificatio RSA 2048, n 3072, Signature

4096 verificatio

bits - 80, n 96, 112, (Legacy) 128, 150 bits © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 35

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h Intermediat Temporary 384- Intermediat Key pair e key value 4096 e value - generation generation generated bits - CSP value during key 112-256 pair bits generation services Table 19: SSP Table 1 Name Input - Storage Storage Zeroization Related Output Duration SSPs AES key API input Key Storage KSB: until RL_ARCL_KsbFree paramete Block explicitly RL_ARCL_Shutdo rs (KSB):Plaintext removed wn SRAM:Plaintext or the RL_ARCL_Scrap module Remove power ends its from the SoC operation; Automatic SRAM: for the duration of the service HMAC key API input Key Storage KSB: until RL_ARCL_KsbFree paramete Block explicitly RL_ARCL_Shutdo rs (KSB):Plaintext removed wn SRAM:Plaintext or the RL_ARCL_Scrap module Remove power ends its from the SoC operation; Automatic SRAM: for the duration of the service Key- API input Key Storage KSB: until RL_ARCL_KsbFree derivation paramete Block explicitly RL_ARCL_Shutdo key rs (KSB):Plaintext removed wn SRAM:Plaintext or the RL_ARCL_Scrap module Remove power ends its from the SoC operation; Automatic SRAM: for the duration of the service Derived API output Key Storage KSB: until RL_ARCL_KsbFree Keykey paramete Block explicitly RL_ARCL_Shutdo derivation rs (KSB):Plaintext removed wn key:Derived SRAM:Plaintext or the RL_ARCL_Scrap From module Remove power © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 36

Name Input - Storage Storage Zeroization Related Output Duration SSPs ends its from the SoC operation; Automatic SRAM: for the duration of the service Entropy Hardware From Remove power input registers:Plainte generation from the SoC xt until DRBG seed is created DRBG seed Hardware While the Remove power Entropy registers:Plainte DRBG is from the SoC input:Derive xt instantiate d From d Internal Hardware From Remove power DRBG state (V, registers:Plainte DRBG from the SoC seed:Derive Key) xt instantiatio d From n until DRBG terminatio n ECDSA API input Key Storage KSB: until RL_ARCL_KsbFree ECDSA private key paramete Block explicitly RL_ARCL_Shutdo public rs (KSB):Plaintext removed wn key:Paired API output SRAM:Plaintext or the RL_ARCL_Scrap With paramete module Remove power rs ends its from the SoC operation; Automatic SRAM: for the duration of the service ECDSA API input SRAM:Plaintext For the Remove power ECDSA public key paramete duration of from the SoC private rs the service Automatic key:Paired API output With paramete rs RSA private API input Key Storage KSB: until RL_ARCL_KsbFree RSA public key paramete Block explicitly RL_ARCL_Shutdo key:Paired rs (KSB):Plaintext removed wn With API output SRAM:Plaintext or the RL_ARCL_Scrap paramete module Remove power rs ends its from the SoC operation; Automatic SRAM: for the duration of the service © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 37

Name Input - Storage Storage Zeroization Related Output Duration SSPs RSA public API input Key Storage KSB: until RL_ARCL_KsbFree RSA private key paramete Block explicitly RL_ARCL_Shutdo key:Paired rs (KSB):Plaintext removed wn With API output SRAM:Plaintext or the RL_ARCL_Scrap paramete module Remove power rs ends its from the SoC operation; Automatic SRAM: for the duration of the service Intermediat SRAM:Plaintext For the Remove power e key duration of from the SoC generation the service Automatic value Table 20: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 38
10 Self-Tests

While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed.

10.1 Pre-Operational Self-Tests

Algorith Test Test Test Indicator Details m or Test Propertie Metho Type s d SHA2-384 N/A Messag SW/FW RomIntegrityState is set to Integrity (A5794) e digest Integrit ARCL_SELFTEST_STATE_PASSE test on y D the libROM firmware componen t at power up Table 21: Pre-Operational Self-Tests The pre-operational firmware integrity test on the libROM firmware component is performed automatically when the module is initialized. If this test fails, the module transitions to the hard error state.

10.2 Conditional Self-Tests

As part of the initialization, the libROM firmware component loads the overlay firmware component and performs the firmware load test on the overlay firmware. Only if this test succeeds, will the module move to the operational state. Similar to the pre-operational integrity test, if the firmware load test fails, the module transitions to the hard error state. Algorit Test Test Test Indicator Details Conditio hm or Properti Method Type ns Test es RSA 4096-bit Signatur SW/F FwIntegrityState is set to Firmware Power up SigVer key, e W ARCL_SELFTEST_STATE_P load test (FIPS186 SHA-384 verificati Load ASSED on the -5) on overlay (A5794) firmware compone nt SHA-1 0-bit KAT CAST KatState is set to KAT Prior to (A5794) message ARCL_SELFTEST_STATE_P message first ASSED digest approved use of SHA-1 SHA2- 0-bit KAT CAST KatState is set to Message Prior to

256 message ARCL_SELFTEST_STATE_P digest first

(A5794) ASSED approved use of SHA-224 or SHA© 2025 Advanced Micro Devices (AMD), atsec information security.

Page 39

Algorit Test Test Test Indicator Details Conditio hm or Properti Method Type ns Test es SHA2- 0-bit KAT CAST KatState is set to Message Prior to

512 message ARCL_SELFTEST_STATE_P digest libROM

(A5794) ASSED firmware integrity test SHA3- 0-bit KAT CAST KatState is set to Message Prior to

512 message ARCL_SELFTEST_STATE_P digest first

(A5794) ASSED approved use of SHA-3 or SHAKE AES-ECB 128-bit KAT CAST KatState is set to Encryptio Prior to (A5794) key ARCL_SELFTEST_STATE_P n first encrypti ASSED approved on use of AES ECB, CBC, or CTR AES-ECB 128-bit KAT CAST KatState is set to Decryptio Prior to (A5794) key ARCL_SELFTEST_STATE_P n first decrypti ASSED approved on use of AES ECB, CBC, or CTR AES- 128-bit KAT CAST KatState is set to MAC tag Prior to CMAC key ARCL_SELFTEST_STATE_P generatio first (A5794) ASSED n approved use of AES CMAC HMAC- 384-bit KAT CAST KatState is set to MAC tag Prior to SHA2- key, ARCL_SELFTEST_STATE_P generatio first

384 SHA-384 ASSED n approved

(A5794) use of HMAC KDF 256-bit KAT CAST KatState is set to Key- Prior to SP800- key- ARCL_SELFTEST_STATE_P based first

108 derivatio ASSED key approved

(A5794) n key, derivatio use of 128-bit n KBKDF derived key Entropy Cutoff: 5 RCT CAST Entropy Source is SP 800- Initializati Source samples operational 90B on of the start-up start-up Entropy RCT health Source test ran over © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 40

Algorit Test Test Test Indicator Details Conditio hm or Properti Method Type ns Test es 4096 samples Entropy Cutoff: APT CAST Entropy Source is SP 800- Initializati Source 16 operational 90B on of the start-up samples start-up Entropy APT health Source test ran over 4096 samples Entropy Cutoff: 5 RCT CAST Entropy Source produces SP 800- DRBG Source samples entropy 90B seeding continuo continuo us RCT us health test Entropy Cutoff: APT CAST Entropy Source produces SP 800- DRBG Source 16 entropy 90B seeding continuo continuo us APT us health test Counter AES-256 KAT CAST TrngState is set to SP 800- Prior to DRBG ARCL_SELFTEST_STATE_P 90Ar1 first (A5795) ASSED (instantia approved te, use of reseed, the generate CTR_DRB ) health G test ECDSA P-384 KAT CAST KatState is set to Signature Prior to SigGen with ARCL_SELFTEST_STATE_P generatio first (FIPS186 SHA-384 ASSED n approved -5) use of (A5794) ECDSA signature generatio n ECDSA P-384 KAT CAST KatState is set to Signature Prior to SigVer with ARCL_SELFTEST_STATE_P verificati first (FIPS186 SHA-384 ASSED on approved -5) use of (A5794) ECDSA signature verificati on RSA 2048-bit KAT CAST KatState is set to Signature Prior to SigGen key with ARCL_SELFTEST_STATE_P generatio first (FIPS186 SHA-384 ASSED n approved -5) use of (A5794) RSA-PSS © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 41

Algorit Test Test Test Indicator Details Conditio hm or Properti Method Type ns Test es signature generatio n RSA 2048-bit KAT CAST KatState is set to Signature Prior to SigVer key with ARCL_SELFTEST_STATE_P verificati overlay (FIPS186 SHA-384 ASSED on firmware -5) load test (A5794) ECDSA SHA-384 PCT PCT EcdsaPctState is set to Signature ECDSA KeyGen ARCL_SELFTEST_STATE_P generatio key pair (FIPS186 ASSED n& generatio -5) verificati n (A5794) on RSA SHA-384 PCT PCT RsaPctState is set to Signature RSA key KeyGen ARCL_SELFTEST_STATE_P generatio pair (FIPS186 ASSED n& generatio -5) verificati n (A5794) on Table 22: Conditional Self-Tests Upon generation of an ECDSA or RSA key pair, the module will perform a pair-wise consistency test (PCT) as shown in the table above, which provides some assurance that the generated key pair is well formed.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-384 Message digest SW/FW Integrity On demand Manually (A5794) Table 23: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method RSA SigVer Signature SW/FW Load On demand Manually (FIPS186-5) verification (A5794) SHA-1 (A5794) KAT CAST On demand Manually SHA2-256 KAT CAST On demand Manually (A5794) SHA2-512 KAT CAST On demand Manually (A5794) SHA3-512 KAT CAST On demand Manually (A5794) AES-ECB KAT CAST On demand Manually (A5794) encryption © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 42

Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On demand Manually (A5794) decryption AES-CMAC KAT CAST On demand Manually (A5794) HMAC-SHA2- KAT CAST On demand Manually

384 (A5794)

KDF SP800-108 KAT CAST On demand Manually (A5794) Entropy Source RCT CAST On demand Manually start-up RCT Entropy Source APT CAST On demand Manually start-up APT Entropy Source RCT CAST Every sample Manually continuous RCT Entropy Source APT CAST Every sample Manually continuous APT Counter DRBG KAT CAST On demand Manually (A5795) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5794) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5794) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5794) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5794) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5794) RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5794) Table 24: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Method Indicator Soft The module only Cryptographic Invoke ArclState Error responds to status, algorithm self-test RL_ARCL_SelfTest =8 zeroization, and self- error or Pair-wise service test service requests consistency test error © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 43

Name Description Conditions Recovery Method Indicator Hard The module does not FW integrity test error Power off the ArclState Error respond to any or FW load test error module = 16 service requests and must be reset Table 25: Error States In the Soft Error state, the module outputs the error type through the status indicator and status output interface. Moreover, the data input and data output interfaces are inhibited, and the module only accepts control input. In the Hard Error state, no input or output is possible at all.

10.5 Operator Initiation of Self-Tests

The operator can request on-demand self-tests by invoking the RL_ARCL_SelfTest service. This service executes all self-tests listed above. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 44
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

To detect any potential tampering during delivery of the module, the user can verify the Thermoform or JEDEC tray is securely strapped and vacuum sealed in the moisture barrier bag. Additionally, the SoC itself provides tamper evidence as specified in Section 7. Upon delivery, no further installation or configuration is required for the hardware to operate as the validated module in conformance with the rules in this Security Policy document. The module implicitly transitions between the approved mode and the non-approved mode when appropriate.

11.2 Administrator Guidance

All the functions, ports and logical interfaces described in this document are available to the Crypto Officer. The module implicitly transitions between the approved mode and the nonapproved mode contingent on the service that is invoked. Therefore, there are no special procedures to administer the approved or non-approved modes.

11.3 Non-Administrator Guidance

The module implements only the Crypto Officer. There are no requirements for nonadministrator operators.

11.4 Design and Rules
11.5 Maintenance Requirements
11.6 End of Life

The process for performing “End of Life” occurs at the chronological point of 10 years starting from manufacturing date of the module. The module does not possess persistent storage of SSPs. The SSP value only exists in volatile memory and that value vanishes when the module is powered off. The procedure for secure sanitization of the module at the end of life is simply to power it off, which is the action of zeroization of the SSPs. As a result of this sanitization via power-off, the SSP is removed from the module, so that the module may either be distributed to other operators or disposed. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 45
12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 46

A Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface ARCL AMD Root of Trust Crypto Library ASP AMD Secure Processor CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CBC-MAC Cipher Block Chaining Message Authentication Code CCP Cryptographic Co-Processor CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDSA Elliptic Curve Digital Signature Algorithm FIPS Federal Information Processing Standards GCTR Galois Counter HAL Hardware Abstraction Layer HMAC Keyed-Hash Message Authentication Code IAPM Integrity-Aware Parallelizable Mode IV Initialization Vector JEDEC Joint Electron Device Engineering Council KAT Known Answer Test KSB Key Storage Block MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback OTP One-Time Programmable PCT Pair-wise Consistency Test PKI Public Key Infrastructure PSP Public Security Parameter PSS Probabilistic Signature Scheme ROM Read-Only Memory RSA Rivest Shamir Adleman RTL Register-Transfer Level SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm with Keccak SIB Security Infrastructure Block SoC System on Chip SRAM Static Random-Access Memory SSP Sensitive Security Parameter TRNG True Random Number Generator XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 47

B References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/CSRC/media/Projects/cryptographic-modulevalidation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-2 Digital Signature Standard (DSS) January 2000 https://csrc.nist.gov/files/pubs/fips/186-2/final/docs/fips186-2.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://doi.org/10.6028/NIST.FIPS.186-4 FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS 197 Advanced Encryption Standard (AES) November 2001; Updated May 2023 https://doi.org/10.6028/NIST.FIPS.197-upd1 FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) July 2008 https://doi.org/10.6028/NIST.FIPS.198-1 FIPS 202 SHA-3 Standard: Permutation-Based Hash and ExtendableOutput Functions August 2015 https://doi.org/10.6028/NIST.FIPS.202 SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques December 2001 https://doi.org/10.6028/NIST.SP.800-38A SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication May 2005; Updated October 2016 https://doi.org/10.6028/NIST.SP.800-38B SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://doi.org/10.6028/NIST.SP.800-38D SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices January 2010 https://doi.org/10.6028/NIST.SP.800-38E SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation © 2025 Advanced Micro Devices (AMD), atsec information security.

Page 48

January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP 800-108r1 Recommendation for Key Derivation Using Pseudorandom Functions August 2022; Updated February 2024 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP 800-140Br1 Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 © 2025 Advanced Micro Devices (AMD), atsec information security.