All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Hitachi Embedded Storage Manager Kernel Crypto API Cryptographic Module

Certificate#5086StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip EmbeddedStatusActiveVendorHitachi Vantara, Ltd.
Medium review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 3932 CVEs since this module's initial validation  ·  last validated 9 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Embedded
StatusActive
Sunset date10/22/2030
CaveatWhen operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorHitachi Vantara, Ltd.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Hitachi Embedded Storage Manager Kernel Crypto API Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Hitachi Embedded Storage Manager Kernel Crypto API Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

Hitachi Vantara, Ltd. Hitachi Embedded Storage Manager Kernel Crypto API Cryptographic Module Version 1.0 © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 2
Table of Contents
#SectionPage
Page 3

© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)7
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description8
Table 5: Approved Algorithms9
Table 6: Non-Approved, Not Allowed Algorithms10
Table 7: Security Function Implementations22
Table 8: Ports and Interfaces23
Table 9: Roles23
Table 10: Approved Services27
Table 11: Non-Approved Services27
Table 12: Storage Areas28
Table 13: SSP Input-Output Methods29
Table 14: SSP Zeroization Methods29
Table 15: SSP Table 131
Table 16: SSP Table 231
Table 17: Pre-Operational Self-Tests31
Table 18: Conditional Self-Tests43
Table 19: Pre-Operational Periodic Information43
Table 20: Conditional Periodic Information48
Table 21: Error States48
Figure 1: Block Diagram7
Page 5
1 General
1.1 Overview

This document defines the Security Policy for the Hitachi Embedded Storage Manager Kernel Crypto API Cryptographic Module, hereafter denoted as the module. The module meets FIPS 140-3 overall Level 1 requirements.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The module provides general purpose cryptographic services for the Hitachi Embedded Storage Manager. The module works in kernel space and provides cryptographic services to other kernel functions through C language interfaces and to user space applications through the AF_ALG socket. Module Type: Software Module Embodiment: MultiChipEmbed Cryptographic Boundary: The cryptographic boundary for the module consists of the static kernel binary, the cryptographic kernel object files, the self-test program, the integrity test program, the Conditional Cryptographic Algorithm Self-Tests (CAST) result check program, the version printout program, and its integrity hash files. The components are enumerated below. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 6

 Static kernel binary: /boot/Image-5.10.212-cip45  Cryptographic kernel object files: /lib/modules/5.10.212-cip45/kernel/crypto/*.ko /lib/modules/5.10.212-cip45/kernel/arch/arm64/crypto/*.ko  Self-test program: /usr/local/sbin/pltf-kernel-fips.sh  Integrity test utility: /usr/local/sbin/sha256sum-fips  Integrity test hash file: /usr/local/sbin/fips-checksums.txt  Conditional Cryptographic Algorithm Self-Tests (CAST) result check program: /usr/local/sbin/checkcrypto  Version printout program: /usr/local/sbin/showversion-fips The green solid line in Figure 1 shows the delimitation of the module’s cryptographic boundary. The module is designed to be able to utilize Processor Algorithm Acceleration(PAA) functions, Arm Neon instructions and ARMv8 Crypto Extensions, from the processor and assembly code for AES and SHA operations to accelerate the cryptographic calculations of the module. Tested Operational Environment’s Physical Perimeter (TOEPP) The tested operational environment hardware for the module is dedicated hardware for the Hitachi Storage System, Storage Management Controller. The enclosure of the Storage Management Controller is TOEPP. The Storage Management Controller implements a processor, Layerscape® 1046A. An operating system, EMLinux®, works on the processor. The module and the Embedded Storage Manager (ESM) applications work within the operating system. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 7
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

Tested Operational Environments - Software, Firmware, Hybrid: Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS EMLinux Storage Management Layerscape® Yes N/A 1.1

2.9 Controller 1046A

EMLinux Storage Management Layerscape® No N/A 1.1

2.9 Controller 1046A

Table 3: Tested Operational Environments - Software, Firmware, Hybrid The Layerscape® 1046A processor integrates quad 64-bit Arm® Cortex®-A72 cores. Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module.

2.3 Excluded Components

The module has no excluded components.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Only approved or allowed security Approved The indicator of the functions with sufficient security service as defined in strength can be used. Section 4.3. Non- Only non-approved security functions Non- The indicator of the approved can be used. Approved return value of the indicator function. Table 4: Modes List and Description When the operating system starts, the module automatically enters the approved mode of operation. No special API calls or settings are required to place the module in the approved mode of operation. Once the module is operational, if the use of the non-approved service is started, the module implicitly enters the non-approved mode. When the use of the non-approved service is ended, the module implicitly and immediately enters the approved mode.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A5827, A5828, A5829, Direction - Decrypt, Encrypt SP 800A5830, A5831, A5834 Key Length - 128, 192, 256 38A © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 9

Algorithm CAVP Cert Properties Reference AES-CBC-CS3 A5827, A5828, A5829, Direction - decrypt, encrypt SP 800A5830, A5831, A5833 Key Length - 128, 192, 256 38A AES-CMAC A5827, A5828, A5829, Direction - Generation, SP 800A5830, A5831, A5833 Verification 38B Key Length - 128, 192, 256 AES-CTR A5827, A5828, A5829, Direction - Decrypt, Encrypt SP 800A5830, A5831, A5834 Key Length - 128, 192, 256 38A AES-ECB A5827, A5828, A5829, Direction - Decrypt, Encrypt SP 800A5830, A5831, A5834 Key Length - 128, 192, 256 38A AES-KW A5827, A5828, A5830, Direction - Decrypt, Encrypt SP 800A5831 Key Length - 128, 192, 256 38F AES-XTS Testing A5827, A5828, A5829, Direction - Decrypt, Encrypt SP 800Revision 2.0 A5830, A5831, A5834 Key Length - 128, 256 38E HMAC-SHA-1 A5830, A5831 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-256 A5828, A5830, A5831, Key Length - Key Length: 112- FIPS 198-1 A5833 524288 Increment 8 HMAC-SHA2-384 A5828, A5831 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-512 A5828, A5831 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA3-256 A5831 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA3-384 A5831 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA3-512 A5831 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

SHA-1 A5830, A5831 Message Length - Message FIPS 180-4 Length: 0-65536 Increment 8 SHA2-256 A5828, A5830, A5831, Message Length - Message FIPS 180-4 A5832, A5833 Length: 0-65536 Increment 8 SHA2-384 A5828, A5831 Message Length - Message FIPS 180-4 Length: 0-65536 Increment 8 SHA2-512 A5828, A5831 Message Length - Message FIPS 180-4 Length: 0-65536 Increment 8 SHA3-256 A5831 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 SHA3-384 A5831 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 SHA3-512 A5831 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 10

N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function RSA-sigGen (pkcs1pad(rsa- Used for RSA signature generation. generic,sha256/sha384/sha512)) RSA-sigVer (pkcs1pad(rsa- Used for RSA signature verification. generic,sha256/sha384/sha512)) RSA-signaturePrimitive (rsa-generic) Used for RSA signature primitive operation. RSA-decryptionPrimitive (rsa-generic) Used for RSA decrypt primitive operation. Table 6: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms sha1-generic SHA Used to SHA-1: (A5831) generate SHA1 hash value using generic C implementation. sha1-ce SHA Used to SHA-1: (A5830) generate SHA1 hash value using ARMv8 Crypto Extensions (CE). sha256-generic SHA Used to SHA2-256: generate SHA2- (A5831)

256 hash value

using generic C implementation. sha256-ce SHA Used to SHA2-256: generate SHA2- (A5830)

256 hash value

using ARMv8 Crypto Extensions (CE). sha256-arm64 SHA Used to SHA2-256: generate SHA2- (A5828)

256 hash value

using assembler. sha256-arm64- SHA Used to SHA2-256: neon generate SHA2- (A5833) © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 11

Name Type Description Properties Algorithms

256 hash value

using Arm NEON instructions. Integrity Check SHA Used to SHA2-256: Utility generate SHA2- (A5832)

256 hash value

for integrity check of the module. sha384-generic SHA Used to SHA2-384: generate SHA2- (A5831)

384 hash value

using generic C implementation. sha384-arm64 SHA Used to SHA2-384: generate SHA2- (A5828)

384 hash value

using assembler. sha512-generic SHA Used to SHA2-512: generate SHA2- (A5831)

512 hash value

using generic C implementation. sha512-arm64 SHA Used to SHA2-512: generate SHA2- (A5828)

512 hash value

using assembler. sha3-256- SHA Used to SHA3-256: generic generate SHA3- (A5831)

256 hash value

using generic C implementation. sha3-384- SHA Used to SHA3-384: generic generate SHA3- (A5831)

384 hash value

using generic C implementation. sha3-512- SHA Used to SHA3-512: generic generate SHA3- (A5831)

512 hash value

using generic C implementation. hmac(sha1- MAC Used to HMAC-SHA-1: generic) generate MAC (A5831) based on SHA1 function using © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 12

Name Type Description Properties Algorithms generic C implementation. hmac(sha1-ce) MAC Used to HMAC-SHA-1: generate MAC (A5830) based on SHA1 function using ARMv8 Crypto Extensions (CE). hmac(sha256- MAC Used to HMAC-SHA2generic) generate MAC 256: (A5831) based on SHA2-

256 function

using generic C implementation. hmac(sha256- MAC Used to HMAC-SHA2ce) generate MAC 256: (A5830) based on SHA2-

256 function

using ARMv8 Crypto Extensions (CE). hmac(sha256- MAC Used to HMAC-SHA2arm64) generate MAC 256: (A5828) based on SHA2-

256 function

using assembler. hmac(sha256- MAC Used to HMAC-SHA2arm64-neon) generate MAC 256: (A5833) based on SHA2-

256 function

using NEON instructions. hmac(sha384- MAC Used to HMAC-SHA2generic) generate MAC 384: (A5831) based on SHA2-

384 function

using generic C implementation. hmac(sha384- MAC Used to HMAC-SHA2arm64) generate MAC 384: (A5828) based on SHA2-

384 function

using assembler. hmac(sha512- MAC Used to HMAC-SHA2generic) generate MAC 512: (A5831) based on SHA2-

512 function

© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 13

Name Type Description Properties Algorithms using generic C implementation. hmac(sha512- MAC Used to HMAC-SHA2arm64) generate MAC 512: (A5828) based on SHA2-

512 function

using assembler. hmac(sha3-256- MAC Used to HMAC-SHA3generic) generate MAC 256: (A5831) based on SHA3-

256 function

using generic C implementation. hmac(sha3-384- MAC Used to HMAC-SHA3generic) generate MAC 384: (A5831) based on SHA3-

384 function

using generic C implementation. hmac(sha3-512- MAC Used to HMAC-SHA3generic) generate MAC 512: (A5831) based on SHA3-

512 function

using generic C implementation. ecb(aes-generic) BC-UnAuth Used to AES-ECB: encrypt/decrypt (A5831) inputted data with AES-ECB composed of AES using generic C implementation and ECB mode using generic C implementation. ecb(aes-ce) BC-UnAuth Used to AES-ECB: encrypt/decrypt (A5830) inputted data with AES-ECB composed of AES using ARMv8 Crypto Extensions (CE) and ECB mode using generic C implementation. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 14

Name Type Description Properties Algorithms ecb-aes-ce BC-UnAuth Used to AES-ECB: encrypt/decrypt (A5829) inputted data with AES-ECB composed of AES using ARMv8 Crypto Extensions (CE) and ECB mode using assembler. ecb(aes-arm64) BC-UnAuth Used to AES-ECB: encrypt/decrypt (A5828) inputted data with AES-ECB composed of AES using assembler and ECB mode using assembler. ecb(aes-fixed- BC-UnAuth Used to AES-ECB: time) encrypt/decrypt (A5827) inputted data with AES-ECB composed of Fixed time AES using generic C implementation and ECB mode using generic C implementation. ecb-aes-neonbs BC-UnAuth Used to AES-ECB: encrypt/decrypt (A5834) inputted data with AES-ECB composed of Bit sliced AES using Arm Neon instructions and ECB mode using assembler. ctr(aes-generic) BC-UnAuth Used to AES-CTR: encrypt/decrypt (A5831) inputted data with AES-CTR composed of AES using generic C implementation © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 15

Name Type Description Properties Algorithms and CTR mode using generic C implementation. ctr(aes-ce) BC-UnAuth Used to AES-CTR: encrypt/decrypt (A5830) inputted data with AES-CTR composed of AES using ARMv8 Crypto Extensions (CE) and CTR mode using generic C implementation. ctr-aes-ce BC-UnAuth Used to AES-CTR: encrypt/decrypt (A5829) inputted data with AES-CTR composed of AES using ARMv8 Crypto Extensions (CE) and CTR mode using assembler. ctr(aes-arm64) BC-UnAuth Used to AES-CTR: encrypt/decrypt (A5828) inputted data with AES-CTR composed of AES using assembler and CTR mode using assembler. ctr(aes-fixed- BC-UnAuth Used to AES-CTR: time) encrypt/decrypt (A5827) inputted data with AES-CTR composed of Fixed time AES using generic C implementation and CTR mode using generic C implementation. ctr-aes-neonbs BC-UnAuth Used to AES-CTR: encrypt/decrypt (A5834) inputted data with AES-CTR © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 16

Name Type Description Properties Algorithms composed of Bit sliced AES using Arm Neon instructions and CTR mode using assembler. cbc(aes-generic) BC-UnAuth Used to AES-CBC: encrypt/decrypt (A5831) inputted data with AES-CBC composed of AES using generic C implementation and CBC mode using generic C implementation. cbc(aes-ce) BC-UnAuth Used to AES-CBC: encrypt/decrypt (A5830) inputted data with AES-CBC composed of AES using ARMv8 Crypto Extensions (CE) and CBC mode using generic C implementation. cbc-aes-ce BC-UnAuth Used to AES-CBC: encrypt/decrypt (A5829) inputted data with AES-CTR composed of AES using ARMv8 Crypto Extensions (CE) and CTR mode using assembler. cbc(aes-arm64) BC-UnAuth Used to AES-CBC: encrypt/decrypt (A5828) inputted data with AES-CBC composed of AES using assembler and CBC mode using assembler. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 17

Name Type Description Properties Algorithms cbc(aes-fixed- BC-UnAuth Used to AES-CBC: time) encrypt/decrypt (A5827) inputted data with AES-CBC composed of Fixed time AES using generic C implementation and CBC mode using generic C implementation. cbc-aes-neonbs BC-UnAuth Used to AES-CBC: encrypt/decrypt (A5834) inputted data with AES-CBC composed of Bit sliced AES using Arm Neon instructions and CBC mode using assembler. cts(cbc(aes- BC-UnAuth Used to AES-CBC-CS3: generic)) encrypt/decrypt (A5831) inputted data with AES-CBCCS3 composed of AES using generic C implementation and CBC-CS3 mode using generic C implementation. cts(cbc(aes-ce)) BC-UnAuth Used to AES-CBC-CS3: encrypt/decrypt (A5830) inputted data with AES-CBCCS3 composed of AES using ARMv8 Crypto Extensions (CE) and CBC-CS3 mode using generic C implementation. cts-cbc-aes-ce BC-UnAuth Used to AES-CBC-CS3: encrypt/decrypt (A5829) inputted data © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 18

Name Type Description Properties Algorithms with AES-CBCCS3 composed of AES using ARMv8 Crypto Extensions (CE) and CBC-CS3 mode using assembler. cts(cbc(aes- BC-UnAuth Used to AES-CBC-CS3: arm64)) encrypt/decrypt (A5828) inputted data with AES-CBCCS3 composed of AES using assembler and CBC-CS3 mode using assembler. cts(cbc(aes- BC-UnAuth Used to AES-CBC-CS3: fixed-time)) encrypt/decrypt (A5827) inputted data with AES-CBCCS3 composed of Fixed time AES using generic C implementation and CBC-CS3 mode using generic C implementation. cts-cbc-aes- BC-UnAuth Used to AES-CBC-CS3: neon encrypt/decrypt (A5833) inputted data with AES-CBCCS3 composed of AES using Arm Neon instructions and CBC-CS3 mode using assembler. cmac(aes- MAC Used to AES-CMAC: generic) generate MAC (A5831) based on AES encryption using generic C implementation and CMAC © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 19

Name Type Description Properties Algorithms mode using generic C implementation. cmac(aes-ce) MAC Used to AES-CMAC: generate MAC (A5830) based on AES encryption using ARMv8 Crypto Extensions (CE) and CMAC mode using generic C implementation. cmac-aes-ce MAC Used to AES-CMAC: generate MAC (A5829) based on AES encryption using ARMv8 Crypto Extensions (CE) and CMAC mode using assembler. cmac(aes- MAC Used to AES-CMAC: arm64) generate MAC (A5828) based on AES encryption using assembler and CMAC mode using assembler. cmac(aes-fixed- MAC Used to AES-CMAC: time) generate MAC (A5827) based on Fixed time AES encryption using generic C implementation and CMAC mode using generic C implementation. cmac-aes-neon MAC Used to AES-CMAC: generate MAC (A5833) based on AES encryption using Arm Neon instructions and CMAC mode © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 20

Name Type Description Properties Algorithms using assembler. xts(aes-generic) BC-UnAuth Used to AES-XTS encrypt/decrypt Testing Revision inputted data 2.0: (A5831) with AES-XTS composed of AES using generic C implementation and XTS mode using generic C implementation. xts(aes-ce) BC-UnAuth Used to AES-XTS encrypt/decrypt Testing Revision inputted data 2.0: (A5830) with AES-XTS composed of AES using ARMv8 Crypto Extensions (CE) and XTS mode using generic C implementation. xts-aes-ce BC-UnAuth Used to AES-XTS encrypt/decrypt Testing Revision inputted data 2.0: (A5829) with AES-XTS composed of AES using ARMv8 Crypto Extensions (CE) and XTS mode using assembler. xts(aes-arm64) BC-UnAuth Used to AES-XTS encrypt/decrypt Testing Revision inputted data 2.0: (A5828) with AES-XTS composed of AES using assembler and XTS mode using assembler. xts(aes-fixed- BC-UnAuth Used to AES-XTS time) encrypt/decrypt Testing Revision inputted data 2.0: (A5827) with AES-XTS composed of © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 21

Name Type Description Properties Algorithms Fixed time AES using generic C implementation and XTS mode using generic C implementation. xts-aes-neonbs BC-UnAuth Used to AES-XTS encrypt/decrypt Testing Revision inputted data 2.0: (A5834) with AES-XTS composed of Bit sliced AES using Arm Neon instructions and XTS mode using assembler. kw(aes-generic) BC-Auth Used to AES-KW: wrap/unwrap (A5831) inputted key with AES-KW composed of AES using generic C implementation and KW mode using generic C implementation. kw(aes-ce) BC-Auth Used to AES-KW: wrap/unwrap (A5830) inputted key with AES-KW composed of AES using ARMv8 Crypto Extensions (CE) and KW mode using generic C implementation. kw(aes-arm64) BC-Auth Used to AES-KW: wrap/unwrap (A5828) inputted key with AES-KW composed of AES using assembler and KW mode using assembler. kw(aes-fixed- BC-Auth Used to AES-KW: time) wrap/unwrap (A5827) © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 22

Name Type Description Properties Algorithms inputted key with AES-KW composed of Fixed time AES using generic C implementation and KW mode using generic C implementation. Table 7: Security Function Implementations

2.7 Algorithm Specific Information

AES XTS: As specified in SP800-38E, the AES algorithm in XTS mode (AES-XTS) was designed for the cryptographic protection of data on storage devices that use fixed length data units. Thus, it can only be used for the disk encryption functionality offered by dm-crypt (i.e., the hard disk encryption scheme). For dm-crypt, the length of a single data unit encrypted with the AES XTS is at most 65,536 bytes (64KiB of data), which does not exceed 220 AES blocks (16MiB of data). To meet the requirement stated in FIPS140-3 IG C.I, the module has a function that checks if two keys for the AES-XTS are different from each other. SHA-1: The use of SHA-1 is only approved for integrity checks and is not approved if used as part of digital signature generation.

2.8 RBG and Entropy

N/A for this module. N/A for this module.

2.9 Key Generation
2.10 Key Establishment
2.11 Industry Protocols

N/A for this module. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 23
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters from kernel system calls, AF_ALG type socket. N/A Data Output API output parameters from kernel system calls, AF_ALG type socket. N/A Control Input API function calls, API input parameters for control from kernel system calls, AF_ALG type socket, command line input. N/A Status API return codes, AF_ALG type socket, kernel logs, user logs, Output command line output. Table 8: Ports and Interfaces

4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The module does not support authentication for roles.

4.2 Roles

Name Type Operator Type Authentication Methods Cryptographic Officer Role CO None Table 9: Roles Cryptographic Officer role is implicitly and always assumed.

4.3 Approved Services

Name Description Indicato Inputs Outputs Security SSP r Functions Access AES AES Approve AES Encrypted ecb(aes- Cryptographi encryption encryption d if the keys, data or generic) c Officer and and following Data to decrypted ecb(aes-ce) - AES Key: decryption decryption. condition encrypt data ecb-aes-ce W,E s are or ecb(aesmet. decrypt arm64) Conditio ecb(aesn 1: the fixed-time) return ecb-aesvalue of neonbs © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 24

Name Description Indicato Inputs Outputs Security SSP r Functions Access indicator ctr(aesfunction generic) is 1. ctr(aes-ce) Conditio ctr-aes-ce n 2: the ctr(aesreturn arm64) value of ctr(aes-fixedkey input time) is 0. ctr-aesneonbs cbc(aesgeneric) cbc(aes-ce) cbc-aes-ce cbc(aesarm64) cbc(aesfixed-time) cbc-aesneonbs cts(cbc(aesgeneric)) cts(cbc(aesce)) cts-cbc-aesce cts(cbc(aesarm64)) cts(cbc(aesfixed-time)) cts-cbc-aesneon xts(aesgeneric) xts(aes-ce) xts-aes-ce xts(aesarm64) xts(aesfixed-time) xts-aesneonbs Key Key Approve AES Wrapped kw(aes- Cryptographi wrapping wrapping d if the key, key or generic) c Officer and and following Key as unwrappe kw(aes-ce) - AES Key: unwrapping unwrapping condition data to d key kw(aes- W,E using AES. s are key arm64) met. wrap or kw(aesConditio fixed-time) © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 25

Name Description Indicato Inputs Outputs Security SSP r Functions Access n 1: the key return unwrap value of indicator function is

  1. Conditio n 2: the return value of key input is
  2. Message Message Approve Data for Digest sha1-generic Cryptographi digest digest d if the digest value sha1-ce c Officer generation. return sha256value of generic indicator sha256-ce function sha256is 1. arm64 sha256arm64-neon sha384generic sha384arm64 sha512generic sha512arm64 sha3-256generic sha3-384generic sha3-512generic Message Message Approve HMAC MAC hmac(sha1- Cryptographi authenticatio authenticatio d if the Key, generic) c Officer n code n code return messag hmac(sha1- - HMAC (HMAC) generation value of e ce) Key: W,E based on a indicator hmac(sha25 hash function 6-generic) function. is 1. hmac(sha25 6-ce) hmac(sha25 6-arm64) hmac(sha25 6-arm64neon) hmac(sha38 © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).
Page 26

Name Description Indicato Inputs Outputs Security SSP r Functions Access 4-generic) hmac(sha38 4-arm64) hmac(sha51 2-generic) hmac(sha51 2-arm64) hmac(sha3256-generic) hmac(sha3384-generic) hmac(sha3512-generic) Message Message Approve AES MAC cmac(aes- Cryptographi authenticatio authenticatio d if the Key, generic) c Officer n code n code return messag cmac(aes- - AES Key: (CMAC) generation value of e ce) W,E based on a indicator cmac-aes-ce cipher function cmac(aesfunction. is 1. arm64) cmac(aesfixed-time) cmac-aesneon Error Compute an None Data EDC None Cryptographi detection EDC (crc32, c Officer crc32c, xxhash64) Memory Memory None Data Output None Cryptographi copy copy c Officer operation Show Show None None Module None Cryptographi Module module ID ID, c Officer Information and version. module (show version. version) Show Status Show None None Module None Cryptographi module status c Officer status. Zeroise Zeroise None None None None Cryptographi SSPs. c Officer - AES Key: Z - HMAC Key: Z On-demand Perform None None None Integrity Cryptographi self test Integrity Check Utility c Officer © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 27

Name Description Indicato Inputs Outputs Security SSP r Functions Access check and CASTs. Table 10: Approved Services All approved services implemented by the module are listed above. Each service description also describes all usage of SSPs by the service. The access rights to keys and/or SSPs modes shown in the table are defined as:

4.4 Non-Approved Services

Name Description Algorithms Role RSA Signature RSA-sigGen (pkcs1pad(rsa- Cryptographic signature generation based generic,sha256/sha384/sha512)) Officer generation on the PKCS#1. RSA Signature RSA-sigVer (pkcs1pad(rsa- Cryptographic signature verification based generic,sha256/sha384/sha512)) Officer verification on the PKCS#1. RSA Signature primitive RSA-signaturePrimitive (rsa-generic) Cryptographic signature operation based on Officer primitive the RSA algorithm. operation RSA decrypt Decrypt primitive RSA-decryptionPrimitive (rsa- Cryptographic primitive operation based on generic) Officer operation the RSA algorithm. Table 11: Non-Approved Services

4.5 External Software/Firmware Loaded
5 Software/Firmware Security
5.1 Integrity Techniques

© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 28

The integrity of the static kernel binary, the cryptographic kernel object files, the self-test program, the integrity test program, the Conditional Cryptographic Algorithm Self-Tests (CAST) result check program and the version printout program are tested by comparing the SHA2-256 digest values calculated at startup with the SHA2-256 digest values calculated and stored in the module during module development.

5.2 Initiate on Demand

The integrity tests are performed as part of the pre-operational self-tests. Thus, the integrity tests can be initiated on demand by power cycle or reboot of the operational environment of the module.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable

6.2 Configuration Settings and Restrictions

The ptrace system call, the debugger gdb and strace shall not be used. In addition, other tracing mechanisms offered by the Linux environment, such as ftrace or systemtap shall not be used.

7 Physical Security

N/A. Since the module consists only of software, this section is not applicable.

8 Non-Invasive Security

N/A. The module does not implement non-invasive security techniques.

9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name Memory A volatile memory on the operational environment Dynamic Table 12: Storage Areas The module does not store SSPs in persistent storage. The SSPs are temporarily stored in process memory when the module is being used.

9.2 SSP Input-Output Methods

© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 29

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API Input Memory Memory Plaintext Manual Electronic AF_ALG_type Memory Memory Plaintext Manual Electronic sockets (input) Table 13: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Power Power cycle of the All SSPs of the module are zeroised by Yes cycle operational Power cycle because all SSPs are on a environment volatile memory. Reboot Reboot of the All SSPs of the module are zeroised by Yes operational Reboot because all SSPs are on a environment volatile memory. Table 14: SSP Zeroization Methods Administrators of the module can zeroise all SSPs of the module by cycling power or reboot of the Hitachi Embedded Storage Manager.

9.4 SSPs

Name Description Size - Type - Generated Established Used By Strength Category By By AES AES key 128, 192, Symmetric ecb(aesKey used for 256 bits; Key - generic) encryption, XTS 128, CSP ecb(aes-ce) decryption, 256 bits - ecb-aes-ce and 128, 192, ecb(aesgenerating 256 bits; arm64) MAC. XTS 128, ecb(aes-fixed-

256 bits time)

ecb-aesneonbs ctr(aesgeneric) ctr(aes-ce) ctr-aes-ce ctr(aesarm64) ctr(aes-fixedtime) ctr-aesneonbs cbc(aesgeneric) cbc(aes-ce) cbc-aes-ce © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 30

Name Description Size - Type - Generated Established Used By Strength Category By By cbc(aesarm64) cbc(aes-fixedtime) cbc-aesneonbs cts(cbc(aesgeneric)) cts(cbc(aesce)) cts-cbc-aes-ce cts(cbc(aesarm64)) cts(cbc(aesfixed-time)) cts-cbc-aesneon cmac(aesgeneric) cmac(aes-ce) cmac-aes-ce cmac(aesarm64) cmac(aesfixed-time) cmac-aesneon xts(aesgeneric) xts(aes-ce) xts-aes-ce xts(aesarm64) xts(aes-fixedtime) xts-aesneonbs kw(aesgeneric) kw(aes-ce) kw(aesarm64) kw(aes-fixedtime) HMAC HMAC key 112 - Symmetric hmac(sha1Key used for 65,535 Key - CSP generic) generating bits - 112 hmac(sha1MAC - 256 bits ce) hmac(sha256© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 31

Name Description Size - Type - Generated Established Used By Strength Category By By generic) hmac(sha256ce) hmac(sha256arm64) hmac(sha256arm64-neon) hmac(sha384generic) hmac(sha384arm64) hmac(sha512generic) hmac(sha512arm64) hmac(sha3256-generic) hmac(sha3384-generic) hmac(sha3512-generic) Table 15: SSP Table 1 Name Input - Output Storage Storage Zeroization Related Duration SSPs AES API Input Memory:Plaintext During the Power Key AF_ALG_type execution of the cycle sockets (input) service. Reboot HMAC API Input Memory:Plaintext During the Power Key AF_ALG_type execution of the cycle sockets (input) service. Reboot Table 16: SSP Table 2

9.5 Transitions

The SHA-1 algorithm, as implemented by the module, will be non-approved for all purposes after December 31, 2030.

10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Test Test Type Indicator Details Properties Method SHA2-256 (A5832) SHA2-256 KAT SW/FW Integrity user.err log Message Digest Table 17: Pre-Operational Self-Tests If the pre-operational self-test fails, the module enters the error state. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 32
10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB Key size: KAT CAST Kernel Encrypt From the (A5827)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CBC Key size: KAT CAST Kernel Encrypt From the (A5827)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CTR Key size: KAT CAST Kernel Encrypt From the (A5827)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-XTS Key size: KAT CAST Kernel Encrypt From the (A5827)- 128, 256 bits log operation of the Encrypt module to the firsttime use of this algorithm after OS boot. AES-CBC- Key size: KAT CAST Kernel Encrypt From the CS3 128 bits log operation of the (A5827)- module to the firstEncrypt time use of this algorithm after OS boot. AES-KW Key size: KAT CAST Kernel Encrypt From the (A5827)- 128, 256 bits log operation of the Encrypt module to the firsttime use of this algorithm after OS boot AES-CMAC Key size: KAT CAST Kernel Generation From the (A5827)- 128, 256 bits log operation of the Generation module to the firsttime use of this algorithm after OS boot. AES-ECB Key size: KAT CAST Kernel Encrypt From the (A5828)- 128, 192, log operation of the Encrypt 256 bits module to the first© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 33

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type time use of this algorithm after OS boot. AES-CBC Key size: KAT CAST Kernel Encrypt From the (A5828)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CTR Key size: KAT CAST Kernel Encrypt From the (A5828)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-XTS Key size: KAT CAST Kernel Encrypt From the (A5828)- 128, 256 bits log operation of the Encrypt module to the firsttime use of this algorithm after OS boot. AES-CBC- Key size: KAT CAST Kernel Encrypt From the CS3 128 bits log operation of the (A5828)- module to the firstEncrypt time use of this algorithm after OS boot. AES-KW Key size: KAT CAST Kernel Encrypt From the (A5828)- 128, 256 bits log operation of the Encrypt module to the firsttime use of this algorithm after OS boot AES-ECB Key size: KAT CAST Kernel Decrypt From the (A5827)- 128, 192, log operation of the Decrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CBC Key size: KAT CAST Kernel Decrypt From the (A5827)- 128, 192, log operation of the Decrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CTR Key size: KAT CAST Kernel Decrypt From the (A5827)- 128, 192, log operation of the Decrypt 256 bits module to the first© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 34

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type time use of this algorithm after OS boot. AES-XTS Key size: KAT CAST Kernel Decrypt From the (A5827)- 128, 256 bits log operation of the Decrypt module to the firsttime use of this algorithm after OS boot. AES-CBC- Key size: KAT CAST Kernel Decrypt From the CS3 128 bits log operation of the (A5827)- module to the firstDecrypt time use of this algorithm after OS boot. AES-KW Key size: KAT CAST Kernel Decrypt From the (A5827)- 128, 256 bits log operation of the Decrypt module to the firsttime use of this algorithm after OS boot AES-CMAC Key size: KAT CAST Kernel Verification From the (A5827)- 128, 256 bits log operation of the Verification module to the firsttime use of this algorithm after OS boot. AES-ECB Key size: KAT CAST Kernel Decrypt From the (A5828)- 128, 192, log operation of the Decrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CBC Key size: KAT CAST Kernel Decrypt From the (A5828)- 128, 192, log operation of the Decrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CTR Key size: KAT CAST Kernel Decrypt From the (A5828)- 128, 192, log operation of the Decrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-XTS Key size: KAT CAST Kernel Decrypt From the (A5828)- 128, 256 bits log operation of the Decrypt module to the first© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 35

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type time use of this algorithm after OS boot. AES-CBC- Key size: KAT CAST Kernel Decrypt From the CS3 128 bits log operation of the (A5828)- module to the firstDecrypt time use of this algorithm after OS boot. AES-KW Key size: KAT CAST Kernel Decrypt From the (A5828)- 128, 256 bits log operation of the Decrypt module to the firsttime use of this algorithm after OS boot SHA2-256 N/A KAT CAST Kernel Hash From the module (A5828) log startup to the operation of the module. SHA2-384 N/A KAT CAST Kernel Hash From the module (A5828) log startup to the operation of the module. SHA2-512 N/A KAT CAST Kernel Hash From the module (A5828) log startup to the operation of the module. AES-CMAC Key size: KAT CAST Kernel Generation From the (A5828)- 128, 256 bits log operation of the Generation module to the firsttime use of this algorithm after OS boot. AES-CMAC Key size: KAT CAST Kernel Verification From the (A5828)- 128, 256 bits log operation of the Verification module to the firsttime use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-256 256, 296, log operation of the (A5828) 640 bits module to the firsttime use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-384 160, 1048 log operation of the (A5828) bits module to the first© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 36

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type time use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-512 160, 1048 log operation of the (A5828) bits module to the firsttime use of this algorithm after OS boot. AES-ECB Key size: KAT CAST Kernel Encrypt From the (A5830)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CBC Key size: KAT CAST Kernel Encrypt From the (A5830)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CTR Key size: KAT CAST Kernel Encrypt From the (A5830)- 128, 192, log operation of the Encrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-XTS Key size: KAT CAST Kernel Encrypt From the (A5830)- 128, 256 bits log operation of the Encrypt module to the firsttime use of this algorithm after OS boot. AES-CBC- Key size: KAT CAST Kernel Encrypt From the CS3 128 bits log operation of the (A5830)- module to the firstEncrypt time use of this algorithm after OS boot. AES-KW Key size: KAT CAST Kernel Encrypt From the (A5830)- 128, 256 bits log operation of the Encrypt module to the firsttime use of this algorithm after OS boot AES-ECB Key size: KAT CAST Kernel Decrypt From the (A5830)- 128, 192, log operation of the Decrypt 256 bits module to the first© Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 37

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type time use of this algorithm after OS boot. AES-CBC Key size: KAT CAST Kernel Decrypt From the (A5830)- 128, 192, log operation of the Decrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-CTR Key size: KAT CAST Kernel Decrypt From the (A5830)- 128, 192, log operation of the Decrypt 256 bits module to the firsttime use of this algorithm after OS boot. AES-XTS Key size: KAT CAST Kernel Decrypt From the (A5830)- 128, 256 bits log operation of the Decrypt module to the firsttime use of this algorithm after OS boot. AES-CBC- Key size: KAT CAST Kernel Decrypt From the CS3 128 bits log operation of the (A5830)- module to the firstDecrypt time use of this algorithm after OS boot. AES-KW Key size: KAT CAST Kernel Decrypt From the (A5830)- 128, 256 bits log operation of the Decrypt module to the firsttime use of this algorithm after OS boot SHA-1 N/A KAT CAST Kernel Hash From the module (A5830) log startup to the operation of the module. SHA2-256 N/A KAT CAST Kernel Hash From the module (A5830) log startup to the operation of the module. AES-CMAC Key size: KAT CAST Kernel Generation From the (A5830)- 128, 256 bits log operation of the Generation module to the firsttime use of this algorithm after OS boot. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 38

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CMAC Key size: KAT CAST Kernel Verification From the (A5830)- 128, 256 bits log operation of the Verification module to the firsttime use of this algorithm after OS boot. HMAC-SHA- Key size: 32, KAT CAST Kernel MAC From the

1 (A5830) 160, 200, log operation of the

640 bits module to the first-

time use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-256 256, 296, log operation of the (A5830) 640 bits module to the firsttime use of this algorithm after OS boot. AES-ECB Key size: KAT CAST Kernel Encrypt From the module (A5829)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-CBC Key size: KAT CAST Kernel Encrypt From the module (A5829)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-CTR Key size: KAT CAST Kernel Encrypt From the module (A5829)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-XTS Key size: KAT CAST Kernel Encrypt From the module (A5829)- 128, 256 bits log startup to the Encrypt operation of the module. AES-CBC- Key size: KAT CAST Kernel Encrypt From the module CS3 128 bits log startup to the (A5829)- operation of the Encrypt module. AES-ECB Key size: KAT CAST Kernel Decrypt From the module (A5829)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-CBC Key size: KAT CAST Kernel Decrypt From the module (A5829)- 128, 192, log startup to the Decrypt 256 bits operation of the module. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 39

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CTR Key size: KAT CAST Kernel Decrypt From the module (A5829)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-XTS Key size: KAT CAST Kernel Decrypt From the module (A5829)- 128, 256 bits log startup to the Decrypt operation of the module. AES-CBC- Key size: KAT CAST Kernel Decrypt From the module CS3 128 bits log startup to the (A5829)- operation of the Decrypt module. AES-CMAC Key size: KAT CAST Kernel Generation From the module (A5829)- 128, 256 bits log startup to the Generation operation of the module. AES-CMAC Key size: KAT CAST Kernel Verification From the module (A5829)- 128, 256 bits log startup to the Verification operation of the module. AES-ECB Key size: KAT CAST Kernel Encrypt From the module (A5831)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-CBC Key size: KAT CAST Kernel Encrypt From the module (A5831)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-CTR Key size: KAT CAST Kernel Encrypt From the module (A5831)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-XTS Key size: KAT CAST Kernel Encrypt From the module (A5831)- 128, 256 bits log startup to the Encrypt operation of the module. AES-CBC- Key size: KAT CAST Kernel Encrypt From the module CS3 128 bits log startup to the (A5831)- operation of the Encrypt module. AES-KW Key size: KAT CAST Kernel Encrypt From the (A5831)- 128, 256 bits log operation of the Encrypt module to the firsttime use of this algorithm after OS boot © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 40

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB Key size: KAT CAST Kernel Decrypt From the module (A5831)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-CBC Key size: KAT CAST Kernel Decrypt From the module (A5831)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-CTR Key size: KAT CAST Kernel Decrypt From the module (A5831)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-XTS Key size: KAT CAST Kernel Decrypt From the module (A5831)- 128, 256 bits log startup to the Decrypt operation of the module. AES-CBC- Key size: KAT CAST Kernel Decrypt From the module CS3 128 bits log startup to the (A5831)- operation of the Decrypt module. AES-KW Key size: KAT CAST Kernel Decrypt From the (A5831)- 128, 256 bits log operation of the Decrypt module to the firsttime use of this algorithm after OS boot SHA-1 N/A KAT CAST Kernel Hash From the module (A5831) log startup to the operation of the module. SHA2-256 N/A KAT CAST Kernel Hash From the module (A5831) log startup to the operation of the module. SHA2-384 N/A KAT CAST Kernel Hash From the module (A5831) log startup to the operation of the module. SHA2-512 N/A KAT CAST Kernel Hash From the module (A5831) log startup to the operation of the module. SHA3-256 N/A KAT CAST Kernel Hash From the module (A5831) log startup to the operation of the module. SHA3-384 N/A KAT CAST Kernel Hash From the module (A5831) log startup to the © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 41

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type operation of the module. SHA3-512 N/A KAT CAST Kernel Hash From the module (A5831) log startup to the operation of the module. AES-CMAC Key size: KAT CAST Kernel Generation From the module (A5831)- 128, 256 bits log startup to the Generation operation of the module. AES-CMAC Key size: KAT CAST Kernel Verification From the module (A5831)- 128, 256 bits log startup to the Verification operation of the module. HMAC-SHA- Key size: 32, KAT CAST Kernel MAC From the

1 (A5831) 160, 200, log operation of the

640 bits module to the first-

time use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-256 256, 296, log operation of the (A5831) 640 bits module to the firsttime use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-384 160, 1048 log operation of the (A5831) bits module to the firsttime use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-512 160, 1048 log operation of the (A5831) bits module to the firsttime use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA3-256 160, 1048 log operation of the (A5831) bits module to the firsttime use of this algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA3-384 160, 1048 log operation of the (A5831) bits module to the firsttime use of this © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 42

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type algorithm after OS boot. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA3-512 160, 1048 log operation of the (A5831) bits module to the firsttime use of this algorithm after OS boot. SHA2-256 N/A KAT CAST user.err Hash From the module (A5832) log startup to the integrity testing. AES-CBC- Key size: KAT CAST Kernel Encrypt From the module CS3 128 bits log startup to the (A5833)- operation of the Encrypt module. AES-CBC- Key size: KAT CAST Kernel Decrypt From the module CS3 128 bits log startup to the (A5833)- operation of the Decrypt module. SHA2-256 N/A KAT CAST Kernel Hash From the module (A5833) log startup to the operation of the module. AES-CMAC Key size: KAT CAST Kernel Generation From the module (A5833)- 128, 256 bits log startup to the Generation operation of the module. AES-CMAC Key size: KAT CAST Kernel Verification From the module (A5833))- 128, 256 bits log startup to the Verification operation of the module. HMAC- Key size: 32, KAT CAST Kernel MAC From the SHA2-256 256, 296, log operation of the (A5833) 640 bits module to the firsttime use of this algorithm after OS boot. AES-ECB Key size: KAT CAST Kernel Encrypt From the module (A5834)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-CBC Key size: KAT CAST Kernel Encrypt From the module (A5834)- 128, 192, log startup to the Encrypt 256 bits operation of the module. AES-CTR Key size: KAT CAST Kernel Encrypt From the module (A5834)- 128, 192, log startup to the Encrypt 256 bits © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 43

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type operation of the module. AES-XTS Key size: KAT CAST Kernel Encrypt From the module (A5834)- 128, 256 bits log startup to the Encrypt operation of the module. AES-ECB Key size: KAT CAST Kernel Decrypt From the module (A5834)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-CBC Key size: KAT CAST Kernel Decrypt From the module (A5834)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-CTR Key size: KAT CAST Kernel Decrypt From the module (A5834)- 128, 192, log startup to the Decrypt 256 bits operation of the module. AES-XTS Key size: KAT CAST Kernel Decrypt From the module (A5834)- 128, 256 bits log startup to the Decrypt operation of the module. Table 18: Conditional Self-Tests When the operational environment is powered on and the module is loaded, the module starts to perform each cryptographic algorithm self-test for the algorithm which “Conditions” item in the Conditional Self-Tests table is "From the module startup to the operation of the module" or "From the module startup to the integrity testing". If one of the self-tests fails, the module enters the error state.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-256 KAT SW/FW Integrity On Demand Manually (A5832) Table 19: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On Demand Manually (A5827)-Encrypt AES-CBC KAT CAST On Demand Manually (A5827)-Encrypt AES-CTR KAT CAST On Demand Manually (A5827)-Encrypt AES-XTS KAT CAST On Demand Manually (A5827)-Encrypt © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 44

Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC-CS3 KAT CAST On Demand Manually (A5827)-Encrypt AES-KW KAT CAST On Demand Manually (A5827)-Encrypt AES-CMAC KAT CAST On Demand Manually (A5827)Generation AES-ECB KAT CAST On Demand Manually (A5828)-Encrypt AES-CBC KAT CAST On Demand Manually (A5828)-Encrypt AES-CTR KAT CAST On Demand Manually (A5828)-Encrypt AES-XTS KAT CAST On Demand Manually (A5828)-Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5828)-Encrypt AES-KW KAT CAST On Demand Manually (A5828)-Encrypt AES-ECB KAT CAST On Demand Manually (A5827)-Decrypt AES-CBC KAT CAST On Demand Manually (A5827)-Decrypt AES-CTR KAT CAST On Demand Manually (A5827)-Decrypt AES-XTS KAT CAST On Demand Manually (A5827)-Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5827)-Decrypt AES-KW KAT CAST On Demand Manually (A5827)-Decrypt AES-CMAC KAT CAST On Demand Manually (A5827)Verification AES-ECB KAT CAST On Demand Manually (A5828)-Decrypt AES-CBC KAT CAST On Demand Manually (A5828)-Decrypt AES-CTR KAT CAST On Demand Manually (A5828)-Decrypt AES-XTS KAT CAST On Demand Manually (A5828)-Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5828)-Decrypt AES-KW KAT CAST On Demand Manually (A5828)-Decrypt SHA2-256 KAT CAST On Demand Manually (A5828) © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 45

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-384 KAT CAST On Demand Manually (A5828) SHA2-512 KAT CAST On Demand Manually (A5828) AES-CMAC KAT CAST On Demand Manually (A5828)Generation AES-CMAC KAT CAST On Demand Manually (A5828)Verification HMAC-SHA2- KAT CAST On Demand Manually

256 (A5828)

HMAC-SHA2- KAT CAST On Demand Manually

384 (A5828)

HMAC-SHA2- KAT CAST On Demand Manually

512 (A5828)

AES-ECB KAT CAST On Demand Manually (A5830)-Encrypt AES-CBC KAT CAST On Demand Manually (A5830)-Encrypt AES-CTR KAT CAST On Demand Manually (A5830)-Encrypt AES-XTS KAT CAST On Demand Manually (A5830)-Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5830)-Encrypt AES-KW KAT CAST On Demand Manually (A5830)-Encrypt AES-ECB KAT CAST On Demand Manually (A5830)-Decrypt AES-CBC KAT CAST On Demand Manually (A5830)-Decrypt AES-CTR KAT CAST On Demand Manually (A5830)-Decrypt AES-XTS KAT CAST On Demand Manually (A5830)-Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5830)-Decrypt AES-KW KAT CAST On Demand Manually (A5830)-Decrypt SHA-1 (A5830) KAT CAST On Demand Manually SHA2-256 KAT CAST On Demand Manually (A5830) AES-CMAC KAT CAST On Demand Manually (A5830)Generation © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 46

Algorithm or Test Method Test Type Period Periodic Test Method AES-CMAC KAT CAST On Demand Manually (A5830)Verification HMAC-SHA-1 KAT CAST On Demand Manually (A5830) HMAC-SHA2- KAT CAST On Demand Manually

256 (A5830)

AES-ECB KAT CAST On Demand Manually (A5829)-Encrypt AES-CBC KAT CAST On Demand Manually (A5829)-Encrypt AES-CTR KAT CAST On Demand Manually (A5829)-Encrypt AES-XTS KAT CAST On Demand Manually (A5829)-Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5829)-Encrypt AES-ECB KAT CAST On Demand Manually (A5829)-Decrypt AES-CBC KAT CAST On Demand Manually (A5829)-Decrypt AES-CTR KAT CAST On Demand Manually (A5829)-Decrypt AES-XTS KAT CAST On Demand Manually (A5829)-Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5829)-Decrypt AES-CMAC KAT CAST On Demand Manually (A5829)Generation AES-CMAC KAT CAST On Demand Manually (A5829)Verification AES-ECB KAT CAST On Demand Manually (A5831)-Encrypt AES-CBC KAT CAST On Demand Manually (A5831)-Encrypt AES-CTR KAT CAST On Demand Manually (A5831)-Encrypt AES-XTS KAT CAST On Demand Manually (A5831)-Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5831)-Encrypt AES-KW KAT CAST On Demand Manually (A5831)-Encrypt AES-ECB KAT CAST On Demand Manually (A5831)-Decrypt © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 47

Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST On Demand Manually (A5831)-Decrypt AES-CTR KAT CAST On Demand Manually (A5831)-Decrypt AES-XTS KAT CAST On Demand Manually (A5831)-Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A5831)-Decrypt AES-KW KAT CAST On Demand Manually (A5831)-Decrypt SHA-1 (A5831) KAT CAST On Demand Manually SHA2-256 KAT CAST On Demand Manually (A5831) SHA2-384 KAT CAST On Demand Manually (A5831) SHA2-512 KAT CAST On Demand Manually (A5831) SHA3-256 KAT CAST On Demand Manually (A5831) SHA3-384 KAT CAST On Demand Manually (A5831) SHA3-512 KAT CAST On Demand Manually (A5831) AES-CMAC KAT CAST On Demand Manually (A5831)Generation AES-CMAC KAT CAST On Demand Manually (A5831)Verification HMAC-SHA-1 KAT CAST On Demand Manually (A5831) HMAC-SHA2- KAT CAST On Demand Manually

256 (A5831)

HMAC-SHA2- KAT CAST On Demand Manually

384 (A5831)

HMAC-SHA2- KAT CAST On Demand Manually

512 (A5831)

HMAC-SHA3- KAT CAST On Demand Manually

256 (A5831)

HMAC-SHA3- KAT CAST On Demand Manually

384 (A5831)

HMAC-SHA3- KAT CAST On Demand Manually

512 (A5831)

SHA2-256 KAT CAST On Demand Manually (A5832) AES-CBC-CS3 KAT CAST On Demand Manually (A5833)-Encrypt © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 48

Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC-CS3 KAT CAST On Demand Manually (A5833)-Decrypt SHA2-256 KAT CAST On Demand Manually (A5833) AES-CMAC KAT CAST On Demand Manually (A5833)Generation AES-CMAC KAT CAST On Demand Manually (A5833))Verification HMAC-SHA2- KAT CAST On Demand Manually

256 (A5833)

AES-ECB KAT CAST On Demand Manually (A5834)-Encrypt AES-CBC KAT CAST On Demand Manually (A5834)-Encrypt AES-CTR KAT CAST On Demand Manually (A5834)-Encrypt AES-XTS KAT CAST On Demand Manually (A5834)-Encrypt AES-ECB KAT CAST On Demand Manually (A5834)-Decrypt AES-CBC KAT CAST On Demand Manually (A5834)-Decrypt AES-CTR KAT CAST On Demand Manually (A5834)-Decrypt AES-XTS KAT CAST On Demand Manually (A5834)-Decrypt Table 20: Conditional Periodic Information The pre-operational self-tests, and all cryptographic algorithm self-tests listed in Conditional Self-Tests Table are available on demand by power cycling or rebooting of the operational environment.

10.4 Error States

Name Description Conditions Recovery Method Indicator Error A state when the Condition 1: Failed the Power cycling or Condition 1: module has pre-operational self- rebooting of the user.err log; encountered an tests or the conditional operational Condition 2: error condition. self-test for SHA2-256 environment. kernel log (A5832). Condition 2: Failed the conditional self-tests except for that of SHA2-

256 (A5832).

Table 21: Error States © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).

Page 49

After the OS boots, the user.err log and the kernel log (kern.log) are moved to /pstorage1/pltf/snapshot-log/<id>/var/log/ directory. <id> is a number from 0 to 4. <id> is incremented by the OS boot and wrapped back to 0 when that max value is reached. The latest <id> corresponds to that of the filename of the “latest-number-<id>” file in /pstorage1/pltf/snapshot-log/ directory.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is integrated into Embedded Storage Manager. When Embedded Storage Manager is installed by the vendor of Hitachi storage system, the module is also installed. No other special procedure is required to securely install and initialize the module.

11.2 Administrator Guidance

Administrators can verify that an ID and a version of the module is identical to the ID (Embedded Storage Manager Kernel Crypto API) and the version (1.1). To show an ID and a version of the module, run “showversion-fips” command in Command Console of ESM. All the functions, physical ports, and logical interfaces of the module are available to the Crypto Officer.

11.3 Non-Administrator Guidance

There are no requirements for non-administrator.

11.4 Design and Rules

The module design corresponds to the module security rules. This subsection documents the security rules enforced by the module to implement the security requirements of this FIPS 140-3 Level 1 module.

  1. The module shall provide a Cryptographic Officer role.
  2. The operator shall be capable of commanding the module to perform the pre-operational selftests and the cryptographic algorithm self-tests which are configured to be executed during the module initialization process by cycling power or reboot of the operational environment.
  3. Pre-operational self-tests do not require any operator action.
  4. Data output shall be inhibited during self-tests, zeroisation, and error states.
  5. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  6. The module does not support degraded operation.
  7. The module does not support concurrent operators.
  8. The module does not support a maintenance interface or role.
  9. The module does not support manual key entry. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).
Page 50

10. The module does not have any external input/output devices used for entry/output of data.

12 Mitigation of Other Attacks

N/A. The module does not provide mitigation of other attacks. © Hitachi Vantara, Ltd. 2024 This document may be reproduced and distributed only in its original entirety (without revision).