All modules
CMVP Validated Module · FIPS 140-3 Security Policy

NetApp StorageGRID Kernel Crypto API

Certificate#5097StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorNetApp, Inc.
Medium review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 3932 CVEs since this module's initial validation  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/29/2030
CaveatWhen operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorNetApp, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for NetApp StorageGRID Kernel Crypto API
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for NetApp StorageGRID Kernel Crypto API
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

NetApp, Inc. NetApp StorageGRID Kernel Crypto API Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 Document version: 1.1 www.atsec.com Last update: 2025-11-25

Page 2
Table of Contents
#SectionPage
Page 3

List of Tables Table 2: Tested Module Identification

Page 4

List of Figures © 2025 NetApp, Inc., atsec information security.

Page 5
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version kernel 6.1.129-1ntap1-amd64; libkcapi 1.4.0-1+ntap0 of the NetApp StorageGRID Kernel Cryptographic API module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels © 2025 NetApp, Inc., atsec information security.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The NetApp StorageGRID Kernel Cryptographic API (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary, the libkcapi shared library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. The cryptographic boundary is indicated by the small bold border in Figure

  1. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. It includes software in kernel and user space, as well as the PAA in the CPU. The TOEPP is indicated by the large thin border in Figure
  2. Figure 1: Block Diagram © 2025 NetApp, Inc., atsec information security.
Page 7

2.2 Tested and Vendor Affirmed Module Version and

Identification Tested Module Identification

12 1735TR ntap1-amd64;

libkcapi 1.4.01+ntap0 StorageGRID SG5812 Intel Xeon D- No kernel 6.1.129-1-

12 1735TR ntap1-amd64;

libkcapi 1.4.01+ntap0 StorageGRID SG6160 Intel Xeon Yes kernel 6.1.129-1-

12 Gold 5318Y ntap1-amd64;

libkcapi 1.4.01+ntap0 StorageGRID SG6160 Intel Xeon No kernel 6.1.129-1-

12 Gold 5318Y ntap1-amd64;

libkcapi 1.4.01+ntap0 StorageGRID SG110 Intel Xeon Yes kernel 6.1.129-1-

12 Silver 4310 ntap1-amd64;

libkcapi 1.4.01+ntap0 StorageGRID SG110 Intel Xeon No kernel 6.1.129-1-

12 Silver 4310 ntap1-amd64;

libkcapi 1.4.01+ntap0 Table 3: Tested Operational Environments - Software, Firmware, Hybrid The module implements Processor Algorithm Acceleration (PAA) for the tested platforms listed above. There is no Processor Algorithm Implementation (PAI). Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: © 2025 NetApp, Inc., atsec information security.

Page 8

Operating Hardware System Platform StorageGRID 12 SGF6112 StorageGRID 12 SG1100 StorageGRID 12 SG5860 Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components excluded from the requirements of the FIPS 140-3 standard.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically Approved Mapped to approved service indicator in mode entered Section 4.3 for all approved algorithms except whenever an GCM: respective approved service function approved service returns indicator 0. For GCM: is requested crypto_aead_get_flags(tfm) has the CRYPTO_TFM_FIPS_COMPLIANCE flag set Non- Automatically Non- No service indicator required for non-approved approved entered Approved services per IG 2.4.C mode whenever a nonapproved service is requested Table 5: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A6242, A6245, A6248, A6251 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2025 NetApp, Inc., atsec information security.

Page 9

Algorithm CAVP Cert Properties Reference AES-CBC-CS3 A6242, A6245, A6248, A6251 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A6242, A6245, A6251 Key Length - 128, 192, 256 SP 800-38C AES-CFB128 A6242, A6245, A6251 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A6242, A6245, A6251 Direction - Generation SP 800-38B Key Length - 128, 192, 256 AES-CTR A6242, A6245, A6248, A6251 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A6242, A6243, A6244, Direction - Decrypt, Encrypt SP 800-38A A6245, A6246, A6247, Key Length - 128, 192, 256 A6248, A6249, A6250, A6251, A6252, A6253, A6254, A6255, A6256, A6258, A6259, A6260, A6261, A6262, A6263 AES-GCM A6242, A6244, A6245, Direction - Decrypt, Encrypt SP 800-38D A6247, A6248, A6250, IV Generation - External A6251, A6253, A6254, Key Length - 128, 192, 256 A6256, A6258, A6260, A6261, A6263 AES-GCM A6243, A6246, A6249, Direction - Decrypt, Encrypt SP 800-38D A6252, A6255, A6259, A6262 IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A6242, A6245, A6248, Direction - Decrypt, Encrypt SP 800-38D A6251, A6254, A6258, A6261 IV Generation - External Key Length - 128, 192, 256 AES-KW A6242, A6245, A6251 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A6242, A6245, A6251 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS A6242, A6245, A6248, Direction - Decrypt, Encrypt SP 800-38E Testing A6251, A6254, A6257, Key Length - 128, 256 Revision 2.0 A6258, A6261 Counter A6242, A6243, A6244, Prediction Resistance - No, SP 800-90A DRBG A6245, A6246, A6247, Yes Rev. 1 A6248, A6249, A6250, Mode - AES-128, AES-192, A6251, A6252, A6253, AES-256 A6254, A6255, A6256, Derivation Function Enabled A6258, A6259, A6260, Yes A6261, A6262, A6263 ECDSA A6242 Curve - P-256, P-384 FIPS 186-5 KeyGen Secret Generation Mode (FIPS186-5) testing candidates Hash DRBG A6242, A6264, A6265, Prediction Resistance - No, SP 800-90A A6266, A6267 Yes Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 HMAC DRBG A6242, A6264, A6265, Prediction Resistance - No, SP 800-90A A6266, A6267 Yes Rev. 1 © 2025 NetApp, Inc., atsec information security.

Page 10

Algorithm CAVP Cert Properties Reference Mode - SHA-1, SHA2-256, SHA2-512 HMAC-SHA-1 A6242, A6264, A6265, Key Length - Key Length: FIPS 198-1 A6266, A6267 112-524288 Increment 8 HMAC-SHA2- A6242, A6264, A6265, Key Length - Key Length: FIPS 198-1

224 A6266, A6267 112-524288 Increment 8

HMAC-SHA2- A6242, A6264, A6265, Key Length - Key Length: FIPS 198-1

256 A6266, A6267 112-524288 Increment 8

HMAC-SHA2- A6242, A6264, A6265, A6266 Key Length - Key Length: FIPS 198-1

384 112-524288 Increment 8

HMAC-SHA2- A6242, A6264, A6265, A6266 Key Length - Key Length: FIPS 198-1

512 112-524288 Increment 8

HMAC-SHA3- A6242 Key Length - Key Length: FIPS 198-1

224 112-524288 Increment 8

HMAC-SHA3- A6242 Key Length - Key Length: FIPS 198-1

256 112-524288 Increment 8

HMAC-SHA3- A6242 Key Length - Key Length: FIPS 198-1

384 112-524288 Increment 8

HMAC-SHA3- A6242 Key Length - Key Length: FIPS 198-1

512 112-524288 Increment 8

KAS-ECC-SSC A6242 Domain Parameter SP 800-56A Sp800-56Ar3 Generation Methods - P-256, Rev. 3 P-384 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A6242 Domain Parameter SP 800-56A Sp800-56Ar3 Generation Methods - Rev. 3 ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Scheme dhEphem KAS Role - initiator, responder KDA OneStep A6242 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Rev. 2 Shared Secret Length: 224-

2048 Increment 8

KDF SP800- A6242 KDF Mode - Counter SP 800-108

108 Supported Lengths - Rev. 1

4096 Increment 8

RSA SigVer A6242 Signature Type - PKCS 1.5 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A6242 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5 Safe Primes A6242 Safe Prime Groups - SP 800-56A Key ffdhe2048, ffdhe3072, Rev. 3 Generation ffdhe4096, ffdhe6144, ffdhe8192 © 2025 NetApp, Inc., atsec information security.

Page 11

Algorithm CAVP Cert Properties Reference SHA-1 A6242, A6264, A6265, Message Length - Message FIPS 180-4 A6266, A6267 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A6242, A6264, A6265, Message Length - Message FIPS 180-4 A6266, A6267 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A6242, A6264, A6265, Message Length - Message FIPS 180-4 A6266, A6267 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A6242, A6264, A6265, A6266 Message Length - Message FIPS 180-4 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A6242, A6264, A6265, A6266 Message Length - Message FIPS 180-4 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-224 A6242 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-256 A6242 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-384 A6242 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-512 A6242 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference Asymmetric Key N/A SP 800-133r2, section 4, CKG Type:Asymmetric example 1 Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES-GCM with external IV Encryption with external IV (not compliant to FIPS 140-

3 IG C.H)

KBKDF in libkcapi Key Derivation with implementation not tested by CAVP © 2025 NetApp, Inc., atsec information security.

Page 12

Name Use and Function HKDF in libkcapi Key Derivation with implementation not tested by CAVP PBKDF2 in libkcapi Password-Based Key Derivation with implementation not tested by CAVP RSA PKCS#1 v1.5 with pre- Signature generation / verification hashed message RSA PKCS#1 v1.5 Key encapsulation / un-encapsulation (not compliant to SP 800-56Br2) RSA primitive Encryption / decryption (not compliant to SP 800-56Br2) Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption BC-UnAuth Encrypt a AES-CBC: plaintext (A6242, A6245, A6248, A6251) AES-CBCCS3: (A6242, A6245, A6248, A6251) AES-CFB128: (A6242, A6245, A6251) AES-CTR: (A6242, A6245, A6248, A6251) AES-ECB: (A6242, A6243, A6244, A6245, A6246, A6247, A6248, A6249, A6250, A6251, A6252, A6253, A6254, A6255, A6256, A6258, A6259, A6260, © 2025 NetApp, Inc., atsec information security.

Page 13

Name Type Description Properties Algorithms A6261, A6262, A6263) AES-OFB: (A6242, A6245, A6251) AES-XTS Testing Revision 2.0: (A6242, A6245, A6248, A6251, A6254, A6257, A6258, A6261) Decryption BC-UnAuth Decrypt a AES-CBC: ciphertext (A6242, A6245, A6248, A6251) AES-CBCCS3: (A6242, A6245, A6248, A6251) AES-CFB128: (A6242, A6245, A6251) AES-CTR: (A6242, A6245, A6248, A6251) AES-ECB: (A6242, A6243, A6244, A6245, A6246, A6247, A6248, A6249, A6250, A6251, A6252, A6253, A6254, A6255, A6256, © 2025 NetApp, Inc., atsec information security.

Page 14

Name Type Description Properties Algorithms A6258, A6259, A6260, A6261, A6262, A6263) AES-OFB: (A6242, A6245, A6251) AES-XTS Testing Revision 2.0: (A6242, A6245, A6248, A6251, A6254, A6257, A6258, A6261) Authenticated BC-Auth Encrypt and AES-CCM: encryption authenticate (A6242, a plaintext A6245, A6251) AES-GCM: (A6242, A6243, A6244, A6245, A6246, A6247, A6248, A6249, A6250, A6251, A6252, A6253, A6254, A6255, A6256, A6258, A6259, A6260, A6261, A6262, A6263) AES-KW: (A6242, A6245, A6251) © 2025 NetApp, Inc., atsec information security.

Page 15

Name Type Description Properties Algorithms Authenticated BC-Auth Decrypt and AES-CCM: decryption authenticate (A6242, a ciphertext A6245, A6251) AES-GCM: (A6242, A6243, A6244, A6245, A6246, A6247, A6248, A6249, A6250, A6251, A6252, A6253, A6254, A6255, A6256, A6258, A6259, A6260, A6261, A6262, A6263) AES-KW: (A6242, A6245, A6251) Message SHA Compute a SHA-1: digest message (A6242, digest A6264, A6265, A6266, A6267) SHA2-224: (A6242, A6264, A6265, A6266, A6267) SHA2-256: (A6242, A6264, A6265, A6266, A6267) SHA2-384: (A6242, A6264, A6265, A6266) © 2025 NetApp, Inc., atsec information security.

Page 16

Name Type Description Properties Algorithms SHA2-512: (A6242, A6264, A6265, A6266) SHA3-224: (A6242) SHA3-256: (A6242) SHA3-384: (A6242) SHA3-512: (A6242) Message MAC Compute a AES-CMAC: authentication MAC tag (A6242, code A6245, generation A6251) AES-GMAC: (A6242, A6245, A6248, A6251, A6254, A6258, A6261) HMAC-SHA-1: (A6242, A6264, A6265, A6266, A6267) HMAC-SHA2224: (A6242, A6264, A6265, A6266, A6267) HMAC-SHA2256: (A6242, A6264, A6265, A6266, A6267) HMAC-SHA2384: (A6242, A6264, A6265, A6266) HMAC-SHA2512: (A6242, A6264, A6265, A6266) © 2025 NetApp, Inc., atsec information security.

Page 17

Name Type Description Properties Algorithms HMAC-SHA3224: (A6242) HMAC-SHA3256: (A6242) HMAC-SHA3384: (A6242) HMAC-SHA3512: (A6242) Message MAC Verify a MAC AES-GMAC: authentication tag (A6242, code A6245, verification A6248, A6251, A6254, A6258, A6261) Key-based key KBKDF Derive keying KDF SP800derivation material from 108: (A6242) a keyderivation key Key- KAS-56CKDF Derive keying KDA OneStep establishment material from SP800-56Cr2: key derivation a shared (A6242) secret Random DRBG Generate Counter number random bytes DRBG: generation (A6242, A6243, A6244, A6245, A6246, A6247, A6248, A6249, A6250, A6251, A6252, A6253, A6254, A6255, A6256, A6258, A6259, A6260, A6261, A6262, A6263) Hash DRBG: (A6242, A6264, A6265, A6266, © 2025 NetApp, Inc., atsec information security.

Page 18

Name Type Description Properties Algorithms A6267) HMAC DRBG: (A6242, A6264, A6265, A6266, A6267) Shared secret KAS-SSC Compute a FFC security strength:112- KAS-FFC-SSC computation shared secret 200 bits Sp800-56Ar3: ECC security (A6242) strength:128, 192 bits KAS-ECC-SSC FFC scheme:dhEphem Sp800-56Ar3: ECC (A6242) scheme:ephemeralUnified KAS role:initiator, responder Compliance:FIPS 140-3 IG D.F Scenario 2(1) Digital DigSig-SigVer Verify a RSA SigVer signature digital (FIPS186-4): verification signature on (A6242) a message RSA SigVer (FIPS186-5): (A6242) Key pair AsymKeyPair- Generate an Safe Primes generation KeyGen asymmetric Key CKG key pair Generation: (A6242) ECDSA KeyGen (FIPS186-5): (A6242) Asymmetric CKG: () Key Type: Asymmetric Table 9: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES-GCM IV

The module implements AES-GCM IV generation in the context of IPsec, TLS 1.2, and TLS 1.3, compliant with RFC 4106, RFC 5288, and RFC 8446 respectively. These methods fall under Scenario 1 (“TLS/DTLS 1.2 protocol IV generation” and “IPsec-v3 protocol IV generation”) and Scenario 5 (“Provisions of an industry protocol supporting AES-GCM encryption, not included among the acceptable protocols in scenario 1”) of FIPS 140-3 IG C.H. The module is also compliant with SP 800-52r2 Section 3.3.1. IVs generated using these mechanisms may only be used in the context of AES-GCM encryption within their respective protocols. © 2025 NetApp, Inc., atsec information security.

Page 19

The module does not implement IPsec. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES-GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. The module does not implement TLS. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 5288 (TLS 1.2) or RFC 8446 (TLS 1.3) to establish the cryptographic keys and initial values of the initialization vectors. For both TLS 1.2 and TLS 1.3, the nonce_explicit part of the IV does not exhaust the maximum number of possible values for a given session key. The design of the TLS protocol implicitly ensures that the nonce_explicit, or counter portion of the IV does not exhaust the maximum number of possible values for a given encryption key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Finally, the module also provides a non-approved AES-GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES-GCM handle. When this is the case, the API will not set an approved service indicator, as described in this document.

2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES-XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. As the module does not implement symmetric key generation, this check is performed when the keys are input by the operator. Key_1 and Key_2 shall be generated and/or established independently according to the rules for component symmetric keys from NIST SP 800-133r2, Section 6.3.

2.7.3 RSA

All supported modulus sizes for RSA signature verification have been CAVP tested.

2.7.4 SP 800-56Ar3 Assurances

The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS. To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the Diffie-Hellman and Elliptic Curve Diffie-Hellman shared secret computation algorithms with the NVMe and Bluetooth related protocols. Additionally, the module’s approved key pair generation service must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of © 2025 NetApp, Inc., atsec information security.

Page 20

this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, and the partial public key validation of the peer EC public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3.

2.7.5 Legacy Use

Digital signature verification using SHA-1 is allowed for legacy use only. Digital signature generation using SHA-1 is non-approved and not allowed in approved services. These legacy algorithms can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M.

2.8 RBG and Entropy

Cert Vendor Number Name E223 NetApp, Inc. Table 10: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample NetApp StorageGRID Non- See Table 3 256 bits 256 bits SHA3-256 Kernel CPU Time Jitter Physical (A6242) RNG Entropy Source Table 11: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: Counter DRBG, Hash DRBG, and HMAC DRBG. Each of these DRBG implementations can be instantiated by the operator of the module, using the parameters listed specified in the Security Function Implementations table. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA-512 DRBG implementation for internal purposes (e.g. to generate asymmetric key pairs). The module complies with the Public Use Document for ESV certificate E223 by reading entropy data from the jent_kcapi_random() function, which corresponds to the GetEntropy() conceptual interface. This function outputs 256 bits of full entropy. The HMAC-SHA-512 DRBG is instantiated with a 384-bit entropy input and reseeded with a 256-bits long entropy input. Outputs of multiple GetEntropy() calls are concatenated to receive the entropy input length greater than 256 bits. The output is truncated to get the entropy input string which is not a multiple of 256. The operational environment on the ESV certificate is identical to the operating system described in this document, and the entropy source is implemented inside the cryptographic boundary. Thus, the module is compliant with scenario 1 of IG 9.3.A. There are no maintenance requirements for the entropy source. © 2025 NetApp, Inc., atsec information security.

Page 21
2.9 Key Generation

The module implements asymmetric key pair generation compliant with SP 800-133r2. When random values are required, they are directly obtained as output from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2 (without XOR). The following methods are implemented:

2.10 Key Establishment

The module implements shared secret computation methods as listed in the Security Function Implementations table in Section 2.6.

2.11 Industry Protocols

AES-GCM with internal IV generation in the approved mode is compliant with RFC 4106, RFC 5288, and RFC 8446 and shall only be used in conjunction with the IPsec, TLS 1.2, or TLS 1.3, protocols. Diffie-Hellman and EC Diffie-Hellman shall only be used with the NVMe and Bluetooth related protocols. No other parts of the NVMe, Bluetooth, IPsec, or TLS protocols, other than those mentioned above, have been tested by the CAVP and CMVP. © 2025 NetApp, Inc., atsec information security.

Page 22
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type input sockets, SOL_TLS type input sockets N/A Data Output API data output parameters, AF_ALG type output sockets, SOL_TLS type output sockets, /proc/sys/crypto virtual files N/A Control Input API function calls, API control input parameters, AF_ALG type input sockets, SOL_TLS type input sockets N/A Status API return values, AF_ALG type output sockets, SOL_TLS type Output output sockets, kernel logs Table 12: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design, AF_ALG type socket message types, and SOL_TLS socket types. The module does not implement a control output interface. © 2025 NetApp, Inc., atsec information security.

Page 23
4 Roles, Services, and Authentication
4.1 Authentication Methods

The module does not implement any authentication methods.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role Crypto Officer None Table 13: Roles No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns Encryptio Encrypt a crypto_skcipher_setkey AES Ciphert Encryptio Crypto n plaintext returns 0 key, ext n Officer plaintex - AES t, IV (if key: W,E require d) Decryptio Decrypt crypto_skcipher_setkey AES Plaintex Decryptio Crypto n a returns 0 key, t n Officer cipherte ciphert - AES xt ext, IV key: W,E (if require d) Authentic Encrypt a AES-GCM: AES Ciphert Authentic Crypto ated plaintext crypto_aead_get_flags(t key, ext, ated Officer encryptio in an fm) has plaintex MAC tag encryptio - AES n authenti CRYPTO_ALG_FIPS140_ t, IV (CCM/G n key: W,E cated COMPLIANT set; Others: (CCM/G CM) mode crypto_aead_setkey CM) returns 0 Authentic Decrypt crypto_aead_setkey AES Plaintex Authentic Crypto ated a returns 0 key, t or ated Officer decryptio cipherte ciphert failure decryptio - AES n xt in an ext, IV n key: W,E authenti (CCM/G cated CM), mode MAC tag (CCM/G CM) © 2025 NetApp, Inc., atsec information security.

Page 24

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns Message Compute crypto_shash_init Messag Digest Message Crypto digest a returns 0 e value digest Officer message digest Message Compute crypto_shash_init AES key MAC tag Message Crypto authentic a MAC returns 0 or authentic Officer ation tag HMAC ation - AES code key, code key: W,E generatio messag generatio - HMAC n e n key: W,E Message Verify a crypto_shash_init AES Pass/fail Message Crypto authentic MAC tag returns 0 key, authentic Officer ation messag ation - AES code e, MAC code key: W,E verificati tag verificati on on Key- Derive crypto_kdf108_ctr_gene Key- Derived Key- Crypto based keying rate returns 0 derivati key based Officer key material on key, key - Keyderivatio from a output derivatio derivati n key- length n on key: derivatio W,E n key Derived key: G,R Key- Derive crypto_kdf108_ctr_gene Shared Derived Key- Crypto establish keying rate returns 0 secret, key establish Officer ment key material output ment key - Shared derivatio from a length derivatio secret: n shared n W,E secret Derived key: G,R Random Generate crypto_rng_get_bytes Output Random Random Crypto number random returns 0 length bytes number Officer generatio bytes generatio n n Entropy input: G,E,Z HMAC_D RBG Seed: G,E,Z HMAC_D RBG internal state (V, Key): G,W,E © 2025 NetApp, Inc., atsec information security.

Page 25

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns Hash_D RBG Seed: G,E,Z Hash_D RBG internal state (V, C): G,W,E CTR_DR BG Seed: G,E,Z CTR_DR BG internal state (V, Key): G,W,E Shared Compute crypto_kpp_compute_s Owner Shared Shared Crypto secret a shared hared_secret returns 0 private secret secret Officer computat secret key, computat - DH ion peer ion private public key: W,E key - DH public key: W,E - EC private key: W,E - EC public key: W,E - Shared secret: G,R Key pair Generate crypto_kpp_set_secret Group Key pair Key pair Crypto generatio a key and or generatio Officer n pair crypto_kpp_generate_p curve n - DH ublic_key return 0 private key: G,R - DH public key: G,R - EC private © 2025 NetApp, Inc., atsec information security.

Page 26

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns key: G,R - EC public key: G,R Interme diate key generati on value: G,E,Z Kernel Perform AES-GCM: AES Encrypt Authentic Crypto TLS TLS bulk crypto_aead_get_flags( key, ed TLS ated Officer encryptio data aead) has plaintex record encryptio - AES n encrypti CRYPTO_ALG_FIPS140_ t n key: W,E on COMPLIANT set; Others: setsockopt for SOL_TLS returns 0 Kernel Perform setsockopt for SOL_TLS AES Plaintex Authentic Crypto TLS TLS bulk returns 0 key, t or ated Officer decryptio data encrypt failure decryptio - AES n decrypti ed TLS n key: W,E on record Error Compute None Messag EDC None Crypto detection an EDC e Officer code (crc32, crc32c, crct10dif ) Compres Compres None Data Compre None Crypto sion s data ssed Officer (deflate, data lz4, lz4hc, lzo, zlibdeflate, zstd) Generic Use the None Identifi Various None Crypto system kernel to er, return Officer call perform various values various argume non- nts cryptogr aphic operatio ns Show Return None N/A Module None Crypto version the name Officer module © 2025 NetApp, Inc., atsec information security.

Page 27

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns name and and version version informati on Show Return None N/A Module None Crypto status the status Officer module status Self-test Perform None N/A Pass/Fai Encryptio Crypto the l n Officer CASTs Decryptio and n integrity Authentic tests ated encryptio n Authentic ated decryptio n Message digest Message authentic ation code verificati on Message authentic ation code generatio n Keybased key derivatio n Keyestablish ment key derivatio n Random number generatio n Shared secret © 2025 NetApp, Inc., atsec information security.

Page 28

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns computat ion Digital signature verificati on Key pair generatio n Zeroizati Zeroize None Any SSP N/A None Crypto on all SSPs Officer - AES key: Z - HMAC key: Z - Keyderivati on key: Z - Shared secret: Z Derived key: Z Entropy input: Z HMAC_D RBG Seed: Z HMAC_D RBG internal state (V, Key): Z Hash_D RBG Seed: Z Hash_D RBG internal state (V, C): Z CTR_DR BG © 2025 NetApp, Inc., atsec information security.

Page 29

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns Seed: Z CTR_DR BG internal state (V, Key): Z - DH public key: Z - DH private key: Z - EC public key: Z - EC private key: Z Interme diate key generati on value: Z Table 14: Approved Services The following convention is used to specify access rights to SSPs:

4.4 Non-Approved Services

Name Description Algorithms Role AES-GCM with Encrypt and authenticate a AES-GCM with Crypto external IV encryption plaintext using AES-GCM with external IV Officer an external IV Key derivation Derive a key from a key- KBKDF in libkcapi Crypto (libkcapi) derivation key, shared secret, HKDF in libkcapi Officer or password PBKDF2 in libkcapi Pre-hashed message Generate a digital signature for RSA PKCS#1 v1.5 Crypto signature generation a pre-hashed message with pre-hashed Officer message © 2025 NetApp, Inc., atsec information security.

Page 30

Name Description Algorithms Role Pre-hashed message Verify a digital signature for a RSA PKCS#1 v1.5 Crypto signature verification pre-hashed message with pre-hashed Officer message Key encapsulation Key encapsulation using RSA RSA PKCS#1 v1.5 Crypto PKCS#1 v1.5 Officer Key un-encapsulation Key un-encapsulation using RSA PKCS#1 v1.5 Crypto RSA PKCS#1 v1.5 Officer Encryption primitive Compute the RSA encryption RSA primitive Crypto primitive Officer Decryption primitive Compute the RSA decryption RSA primitive Crypto primitive Officer Table 15: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load external software or firmware. © 2025 NetApp, Inc., atsec information security.

Page 31
5 Software/Firmware Security
5.1 Integrity Techniques

On system boot, the sha512hmac binary first performs an integrity test on itself and the libkcapi library, using the HMAC-SHA2-512 and HMAC-SHA2-256 algorithms (respectively) implemented by the module. Then, the sha512hmac binary performs an integrity test on the kernel binary using the HMAC-SHA2-512 algorithm. These tests are all performed using a key hardcoded in the sha512hmac binary, by recomputing the MAC tags and verifying they are equal to the MAC tags specified in the .hmac file.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module (i.e. rebooting the system), which will perform (among others) the software integrity tests. © 2025 NetApp, Inc., atsec information security.

Page 32
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11. Instrumentation tools like the ptrace system call, gdb and strace, user space live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 NetApp, Inc., atsec information security.

Page 33
7 Physical Security

The module is comprised of software only and therefore this section is not applicable. © 2025 NetApp, Inc., atsec information security.

Page 34
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2025 NetApp, Inc., atsec information security.

Page 35
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service Dynamic execution Table 16: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator RAM Plaintext Manual Electronic parameters calling application TOEPP AF_ALG Operator RAM Plaintext Manual Electronic type input calling sockets application TOEPP SOL_TLS Operator RAM Plaintext Manual Electronic type input calling sockets application TOEPP API output RAM Operator Plaintext Manual Electronic parameters calling application TOEPP AF_ALG RAM Operator Plaintext Manual Electronic type output calling sockets application TOEPP Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate handle SSPs contained SSPs is overwritten zeroization functions: AES key: within the with zeroes, which crypto_free_skcipher and cipher handle renders the SSP crypto_free_aead; HMAC key: values irretrievable. crypto_free_shash and © 2025 NetApp, Inc., atsec information security.

Page 36

Zeroization Description Rationale Operator Initiation Method The completion of crypto_free_ahash; Keythe zeroization derivation key: routine indicates that crypto_free_shash; Shared secret: the zeroization crypto_free_shash; Entropy input: procedure crypto_free_rng; DRBG seed: succeeded. crypto_free_rng; DRBG internal state: crypto_free_rng; DH public key & DH private key: crypto_free_kpp; EC public key & EC private key: crypto_free_kpp; RSA public key: public_key_free Remove De-allocates Volatile memory By removing power power from the volatile used by the module the module memory used is overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. Automatic Automatically Memory occupied by N/A zeroized by the SSPs is overwritten module when with zeroes, which no longer renders the SSP needed values irretrievable. Table 18: SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Descripti Size - Type - Generated Establish Used By on Strengt Category By ed By h AES key Symmetric 128, 256 Symmetric Encryption key used bits key - CSP Decryption for AES (AES- Authenticat operations XTS); ed 128, encryption 192, 256 Authenticat bits ed (others) - decryption 128, 256 Message bits authenticati (AES- on code XTS); verification 128, Message 192, 256 authenticati © 2025 NetApp, Inc., atsec information security.

Page 37

Name Descripti Size - Type - Generated Establish Used By on Strengt Category By ed By h bits on code (others) generation HMAC key Symmetric 112- Authenticati Message key used 524288 on key - CSP authenticati for HMAC bits - on code operations 112-256 verification bits Message authenticati on code generation Key- Symmetric 112- Symmetric Key-based derivation key used 4096 key - CSP key key in bits - derivation performin 112-256 g key bits derivation Shared Shared P-256, P- Shared Shared Keysecret secret 384 / secret - CSP secret establishme generated ffdhe204 computati nt key by (EC) 8, on derivation Diffie- ffdhe307 Hellman 2, ffdhe409 6, ffdhe614 4, ffdhe819

2 - 128-

8192 bits Derived Symmetric 112- Symmetric Key-based key key 4096 - key - CSP key produced 112-256 derivation by a key Keyderivation establishm service. ent key derivation Entropy Entropy 128-384 Entropy Random Random input input used bits - input - CSP number number to seed 128-384 generation generation DRBGs bits HMAC_DR DRBG 440, 888 Seed - CSP Random Random BG Seed seed bits - number number derived 128, 256 generation generation from bits entropy input and additional data © 2025 NetApp, Inc., atsec information security.

Page 38

Name Descripti Size - Type - Generated Establish Used By on Strengt Category By ed By h CTR_DRBG DRBG 256, Seed - CSP Random Random Seed seed 320, 384 number number derived bits - generation generation from 128, Entropy 192, 256 Input and bits additional data Hash_DRB DRBG 440, 888 Seed - CSP Random Random G Seed seed bits - number number derived 128, 256 generation generation from bits Entropy Input and additional data HMAC_DR Internal 320, Internal Random Random BG state of 512, state - CSP number number internal HMAC_DR 1024 generation generation state (V, BG bits Key) 128, 256 bits CTR_DRBG Internal 256, Internal Random Random internal state of 320, 348 state - CSP number number state (V, CTR_DRBG bits - generation generation Key) 128, 192, 256 bits Hash_DRB Internal 880, Internal Random Random G internal state of 1776 state - CSP number number state (V, Hash_DRB bits - generation generation C) G 128, 256 bits DH private Private ffdhe204 Private key - Key pair Shared key key used 8, CSP generation secret for Diffie- ffdhe307 computatio Hellman 2, n ffdhe409 6, ffdhe614 4, ffdhe819

2 - 112-
200 bits

DH public Public key ffdhe204 Public key - Key pair Shared key used for 8, PSP generation secret Diffie- ffdhe307 computatio Hellman 2, n ffdhe409 6, © 2025 NetApp, Inc., atsec information security.

Page 39

Name Descripti Size - Type - Generated Establish Used By on Strengt Category By ed By h ffdhe614 4, ffdhe819

2 - 112-
200 bits

EC private Private P-256, P- Private key - Key pair Shared key key used 384 - CSP generation secret for EC 128, 192 computatio Diffie- bits n Hellman EC public Public key P-256, P- Public key - Key pair Shared key used for 384 - PSP generation secret EC Diffie- 128, 192 computatio Hellman bits n Intermedi Temporar 256- Intermediat Key pair ate key y value 8192 e value - generation generatio generated bits - CSP n value during key 112-200 pair bits generatio n services Table 19: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input RAM:Plaintext Until cipher Free cipher parameters handle is handle AF_ALG freed or Remove type input module is power from sockets powered off the module SOL_TLS type input sockets HMAC key API input RAM:Plaintext Until cipher Free cipher parameters handle is handle AF_ALG freed or Remove type input module is power from sockets powered off the module Key- API input RAM:Plaintext Until cipher Free cipher derivation parameters handle is handle key AF_ALG freed or Remove type input module is power from sockets powered off the module Shared API input RAM:Plaintext Until cipher Free cipher secret parameters handle is handle API output freed or Remove parameters module is power from AF_ALG powered off the module type input © 2025 NetApp, Inc., atsec information security.

Page 40

Name Input - Storage Storage Zeroization Related SSPs Output Duration sockets AF_ALG type output sockets Derived key API output RAM:Plaintext For the Automatic Key-derivation parameters duration of key:Derived AF_ALG the service From type output Shared sockets secret:Derived From Entropy RAM:Plaintext From Automatic DRBG input generation seed:Derivation until DRBG Of seed/reseed HMAC_DRBG RAM:Plaintext From Automatic Entropy Seed generation input:Derived until From HMAC_DRBG DRBG internal Seed is state (V, created Key):Derivation Of DRBG internal state (V, C):Derivation Of CTR_DRBG RAM:Plaintext From Automatic Entropy Seed generation input:Derived until DRBG From seed is created Hash_DRBG RAM:Plaintext From Automatic Entropy Seed generation input:Derived until DRBG From seed is created HMAC_DRBG RAM:Plaintext Until cipher Free cipher HMAC_DRBG internal handle is handle Seed:Derived state (V, freed or Remove From Key) module is power from powered off the module CTR_DRBG RAM:Plaintext Until cipher Free cipher CTR_DRBG internal handle is handle Seed:Derived state (V, freed or Remove From Key) module is power from powered off the module Hash_DRBG RAM:Plaintext Until cipher Free cipher Hash_DRBG internal handle is handle Seed:Derived state (V, C) freed or Remove From module is power from powered off the module © 2025 NetApp, Inc., atsec information security.

Page 41

Name Input - Storage Storage Zeroization Related SSPs Output Duration DH private API input RAM:Plaintext Until cipher Free cipher DH public key parameters handle is handle key:Paired With API output freed or Remove parameters module is power from AF_ALG powered off the module type input sockets AF_ALG type output sockets DH public API input RAM:Plaintext Until cipher Free cipher DH private key parameters handle is handle key:Paired With API output freed or Remove parameters module is power from AF_ALG powered off the module type input sockets AF_ALG type output sockets EC private API input RAM:Plaintext Until cipher Free cipher EC public key parameters handle is handle key:Paired With API output freed or Remove parameters module is power from AF_ALG powered off the module type input sockets AF_ALG type output sockets EC public API input RAM:Plaintext Until cipher Free cipher EC private key parameters handle is handle key:Paired With API output freed or Remove parameters module is power from AF_ALG powered off the module type input sockets AF_ALG type output sockets Intermediate RAM:Plaintext For the Automatic key duration of generation the service value Table 20: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 NetApp, Inc., atsec information security.

Page 42
10 Self-Tests

While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed. If any of the self-tests fails, the module immediately transitions to the error state.

10.1 Pre-Operational Self-Tests

Algorithm or Test Test Method Test Indicator Details Test Properties Type HMAC-SHA2- 128-bit key Message SW/FW Module Integrity test

512 - kcapi- Authentication Integrity becomes for kcapi-

hasher operational hasher binary HMAC-SHA2- 256-bit key Message SW/FW Module Integrity test

256 - libkcapi Authentication Integrity becomes for libkcapi

operational shared library HMAC-SHA2- 128-bit key Message SW/FW Module Integrity test

512 - vmlinuz Authentication Integrity becomes for vmlinuz

operational binary Table 21: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state.

10.2 Conditional Self-Tests

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e AES-CBC 128, 192, KAT CAS Module is Encryption Module Encryption 256-bit T operational initializatio keys n AES-CBC 128, 192, KAT CAS Module is Decryption Module Decryption 256-bit T operational initializatio keys n AES-CBC 128, 192, KAT CAS Module is Encryption Module (AESNI_ASM) 256-bit T operational initializatio Encryption keys n AES-CBC 128, 192, KAT CAS Module is Decryption Module (AESNI_ASM) 256-bit T operational initializatio Decryption keys n AES-CBC 128, 192, KAT CAS Module is Encryption Module (AESNI_C) 256-bit T operational initializatio Encryption keys n AES-CBC 128, 192, KAT CAS Module is Decryption Module (AESNI_C) 256-bit T operational initializatio Decryption keys n © 2025 NetApp, Inc., atsec information security.

Page 43

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e AES-CBC-CS3 128, 192, KAT CAS Module is Encryption Module Encryption 256-bit T operational initializatio keys n AES-CBC-CS3 128, 192, KAT CAS Module is Decryption Module Decryption 256-bit T operational initializatio keys n AES-CBC-CS3 128, 192, KAT CAS Module is Encryption Module (AESNI_C) 256-bit T operational initializatio Encryption keys n AES-CBC-CS3 128, 192, KAT CAS Module is Decryption Module (AESNI_C) 256-bit T operational initializatio Decryption keys n AES-CCM 128, 192, KAT CAS Module is Authenticat Module Authenticated 256-bit T operational ed initializatio encryption keys; 56, encryption n 64, 72, 80, 88, 96, 112, 128bit IVs AES-CCM 128, 192, KAT CAS Module is Authenticat Module Authenticated 256-bit T operational ed initializatio decryption keys; 56, decryption n 64, 72, 80, 88, 96, 112, 128bit IVs AES-CCM 128, 192, KAT CAS Module is Authenticat Module (AESNI_C) 256-bit T operational ed initializatio Authenticated keys; 56, encryption n encryption 64, 72, 80, 88, 96, 112, 128bit IVs AES-CCM 128, 192, KAT CAS Module is Authenticat Module (AESNI_C) 256-bit T operational ed initializatio Authenticated keys; 56, decryption n decryption 64, 72, 80, 88, 96, 112, 128bit IVs AES-CFB128 128, 192, KAT CAS Module is Encryption Module Encryption 256-bit T operational initializatio keys n AES-CFB128 128, 192, KAT CAS Module is Decryption Module Decryption 256-bit T operational initializatio keys n AES-CFB128 128, 192, KAT CAS Module is Encryption Module (AESNI_C) 256-bit T operational initializatio Encryption keys n © 2025 NetApp, Inc., atsec information security.

Page 44

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e AES-CFB128 128, 192, KAT CAS Module is Decryption Module (AESNI_C) 256-bit T operational initializatio Decryption keys n AES-CTR 128, 192, KAT CAS Module is Encryption Module Encryption 256-bit T operational initializatio keys n AES-CTR 128, 192, KAT CAS Module is Decryption Module Decryption 256-bit T operational initializatio keys n AES-CTR 128, 192, KAT CAS Module is Encryption Module (AESNI_ASM) 256-bit T operational initializatio Encryption keys n AES-CTR 128, 192, KAT CAS Module is Decryption Module (AESNI_ASM) 256-bit T operational initializatio Decryption keys n AES-ECB 128, 192, KAT CAS Module is Encryption Module Encryption 256-bit T operational initializatio keys n AES-ECB 128, 192, KAT CAS Module is Decryption Module Decryption 256-bit T operational initializatio keys n AES-ECB (CTI_C) 128, 192, KAT CAS Module is Encryption Module Encryption 256-bit T operational initializatio keys n AES-ECB (CTI_C) 128, 192, KAT CAS Module is Decryption Module Decryption 256-bit T operational initializatio keys n AES-ECB 128, 192, KAT CAS Module is Encryption Module (AESNI_ASM) 256-bit T operational initializatio Encryption keys n AES-ECB 128, 192, KAT CAS Module is Decryption Module (AESNI_ASM) 256-bit T operational initializatio Decryption keys n AES-ECB 128, 192, KAT CAS Module is Encryption Module (AESNI_C) 256-bit T operational initializatio Encryption keys n AES-ECB 128, 192, KAT CAS Module is Decryption Module (AESNI_C) 256-bit T operational initializatio Decryption keys n AES-GCM 128, 192, KAT CAS Module is Authenticat Module Authenticated 256-bit T operational ed initializatio encryption keys; 96- encryption n bit IVs AES-GCM 128, 192, KAT CAS Module is Authenticat Module Authenticated 256-bit T operational ed initializatio decryption keys; 96- decryption n bit IVs © 2025 NetApp, Inc., atsec information security.

Page 45

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e AES-GCM 128, 192, KAT CAS Module is Authenticat Module (AESNI_ASM) 256-bit T operational ed initializatio Authenticated keys; 96- encryption n encryption bit IVs AES-GCM 128, 192, KAT CAS Module is Authenticat Module (AESNI_ASM) 256-bit T operational ed initializatio Authenticated keys; 96- decryption n decryption bit IVs AES-GCM 128, 192, KAT CAS Module is Authenticat Module (AESNI_AVX) 256-bit T operational ed initializatio Authenticated keys; 96- encryption n encryption bit IVs AES-GCM 128, 192, KAT CAS Module is Authenticat Module (AESNI_AVX) 256-bit T operational ed initializatio Authenticated keys; 96- decryption n decryption bit IVs AES-GCM 128, 192, KAT CAS Module is Authenticat Module (VAES_AVX10_2 256-bit T operational ed initializatio 56) keys; 96- encryption n Authenticated bit IVs encryption AES-GCM 128, 192, KAT CAS Module is Authenticat Module (VAES_AVX10_2 256-bit T operational ed initializatio 56) keys; 96- decryption n Authenticated bit IVs decryption AES-GCM 128, 192, KAT CAS Module is Authenticat Module (VAES_AVX10_5 256-bit T operational ed initializatio 12) keys; 96- encryption n Authenticated bit IVs encryption AES-GCM 128, 192, KAT CAS Module is Authenticat Module (VAES_AVX10_5 256-bit T operational ed initializatio 12) keys; 96- decryption n Authenticated bit IVs decryption AES-OFB 128, 192, KAT CAS Module is Encryption Module Encryption 256-bit T operational initializatio keys n AES-OFB 128, 192, KAT CAS Module is Decryption Module Decryption 256-bit T operational initializatio keys n AES-OFB 128, 192, KAT CAS Module is Encryption Module (AESNI_C) 256-bit T operational initializatio Encryption keys n AES-OFB 128, 192, KAT CAS Module is Decryption Module (AESNI_C) 256-bit T operational initializatio Decryption keys n © 2025 NetApp, Inc., atsec information security.

Page 46

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e AES-XTS Testing 128, 256- KAT CAS Module is Encryption Module Revision 2.0 bit keys T operational initializatio Encryption n AES-XTS Testing 128, 256- KAT CAS Module is Decryption Module Revision 2.0 bit keys T operational initializatio Decryption n AES-XTS Testing 128, 256- KAT CAS Module is Encryption Module Revision 2.0 bit keys T operational initializatio (AESNI_ASM) n Encryption AES-XTS Testing 128, 256- KAT CAS Module is Decryption Module Revision 2.0 bit keys T operational initializatio (AESNI_ASM) n Decryption AES-XTS Testing 128, 256- KAT CAS Module is Encryption Module Revision 2.0 bit keys T operational initializatio (AESNI_AVX) n Encryption AES-XTS Testing 128, 256- KAT CAS Module is Decryption Module Revision 2.0 bit keys T operational initializatio (AESNI_AVX) n Decryption AES-XTS Testing 128, 256- KAT CAS Module is Encryption Module Revision 2.0 bit keys T operational initializatio (VAES_AVX2) n Encryption AES-XTS Testing 128, 256- KAT CAS Module is Decryption Module Revision 2.0 bit keys T operational initializatio (VAES_AVX2) n Decryption AES-XTS Testing 128, 256- KAT CAS Module is Encryption Module Revision 2.0 bit keys T operational initializatio (VAES_AVX10_2 n

  1. Encryption AES-XTS Testing 128, 256- KAT CAS Module is Decryption Module Revision 2.0 bit keys T operational initializatio (VAES_AVX10_2 n
  2. Decryption AES-XTS Testing 128, 256- KAT CAS Module is Encryption Module Revision 2.0 bit keys T operational initializatio (VAES_AVX10_5 n
  3. Encryption AES-XTS Testing 128, 256- KAT CAS Module is Decryption Module Revision 2.0 bit keys T operational initializatio (VAES_AVX10_5 n
  4. Decryption SHA-1 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n © 2025 NetApp, Inc., atsec information security.
Page 47

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e SHA-1 (SSSE3) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA-1 (AVX) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA-1 (AVX2) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA-1 (SHA_NI) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-224 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-224 0-65536- KAT CAS Module is Message Module (SSSE3) bit T operational Digest initializatio messages n SHA2-224 (AVX) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-224 0-65536- KAT CAS Module is Message Module (AVX2) bit T operational Digest initializatio messages n SHA2-224 0-65536- KAT CAS Module is Message Module (SHA_NI) bit T operational Digest initializatio messages n SHA2-256 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-256 0-65536- KAT CAS Module is Message Module (SSSE3) bit T operational Digest initializatio messages n SHA2-256 (AVX) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-256 0-65536- KAT CAS Module is Message Module (AVX2) bit T operational Digest initializatio messages n SHA2-256 0-65536- KAT CAS Module is Message Module (SHA_NI) bit T operational Digest initializatio messages n SHA2-384 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-384 0-65536- KAT CAS Module is Message Module (SSSE3) bit T operational Digest initializatio messages n © 2025 NetApp, Inc., atsec information security.

Page 48

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e SHA2-384 (AVX) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-384 0-65536- KAT CAS Module is Message Module (AVX2) bit T operational Digest initializatio messages n SHA2-512 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-512 0-65536- KAT CAS Module is Message Module (SSSE3) bit T operational Digest initializatio messages n SHA2-512 (AVX) 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA2-512 0-65536- KAT CAS Module is Message Module (AVX2) bit T operational Digest initializatio messages n SHA3-224 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA3-256 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA3-384 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n SHA3-512 0-65536- KAT CAS Module is Message Module bit T operational Digest initializatio messages n AES-CMAC 128, 192, KAT CAS Module is Message Module 256-bit T operational Authenticati initializatio keys on n AES-CMAC 128, 192, KAT CAS Module is Message Module (AESNI_C) 256-bit T operational Authenticati initializatio keys on n HMAC-SHA-1 112- KAT CAS Module is Message Module 524288- T operational Authenticati initializatio bit keys on n HMAC-SHA-1 112- KAT CAS Module is Message Module (SHA_NI) 524288- T operational Authenticati initializatio bit keys on n HMAC-SHA2- 112- KAT CAS Module is Message Module

224 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA2- 112- KAT CAS Module is Message Module

224 (SHA_NI) 524288- T operational Authenticati initializatio

bit keys on n © 2025 NetApp, Inc., atsec information security.

Page 49

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e HMAC-SHA2- 112- KAT CAS Module is Message Before

256 524288- T operational Authenticati integrity

bit keys on test HMAC-SHA2- 112- KAT CAS Module is Message Before

256 (SHA_NI) 524288- T operational Authenticati integrity

bit keys on test HMAC-SHA2- 112- KAT CAS Module is Message Module

384 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA2- 112- KAT CAS Module is Message Module

384 (AVX2) 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA2- 112- KAT CAS Module is Message Module

512 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA2- 112- KAT CAS Module is Message Module

512 (AVX2) 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA3- 112- KAT CAS Module is Message Module

224 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA3- 112- KAT CAS Module is Message Module

256 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA3- 112- KAT CAS Module is Message Module

384 524288- T operational Authenticati initializatio

bit keys on n HMAC-SHA3- 112- KAT CAS Module is Message Module

512 524288- T operational Authenticati initializatio

bit keys on n KDF SP800-108 SHA2-256 KAT CAS Module is Key Module T operational derivation initializatio n KDA OneStep SHA2-256 KAT CAS Module is Key Module SP800-56Cr2 T operational derivation initializatio n Counter DRBG AES-128, KAT CAS Module is Instantiate, Module AES-192, T operational seed, initializatio and AES- reseed, n

256 generate

with/witho (compliant ut to SP 800prediction 90Ar1 resistance Section 11.3) Hash DRBG SHA-1, KAT CAS Module is Instantiate, Module SHA-256, T operational seed, initializatio and SHA- reseed, n

512 generate

© 2025 NetApp, Inc., atsec information security.

Page 50

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e with/witho (compliant ut to SP 800prediction 90Ar1 resistance Section 11.3) HMAC DRBG SHA-1, KAT CAS Module is Instantiate, Module SHA-256, T operational seed, initializatio and SHA- reseed, n

512 generate

with/witho (compliant ut to SP 800prediction 90Ar1 resistance Section 11.3) KAS-FFC-SSC ffdhe2048 KAT CAS Module is Shared Module Sp800-56Ar3 , T operational secret initializatio ffdhe3072 computatio n , n ffdhe4096 , ffdhe6144 , ffdhe8192 KAS-ECC-SSC P-256, P- KAT CAS Module is Shared Module Sp800-56Ar3 384 T operational secret initializatio computatio n n RSA SigVer PKCS#1 KAT CAS Module is Signature Module (FIPS186-5) v1.5 with T operational verification initializatio SHA-224, n SHA-256, SHA-384, SHA-512 and 2048, 3072, 4096-bit keys Entropy Source Cutoff C = APT CAS Entropy source Entropy Entropy Start Up APT 325; T is operational source source Window start-up test initializatio size = 512 on 1024 n samples Entropy Source Cutoff C = RCT CAS Entropy source Entropy Entropy Start Up RCT 31 T is operational source source start-up test initializatio on 1024 n samples Entropy Source Permanen APT CAS jent_kcapi_rand Entropy Continuou Continuous APT t cutoff C T om returns 0 source sly as © 2025 NetApp, Inc., atsec information security.

Page 51

Algorithm or Test Test Tes Indicator Details Condition Test Properti Metho t s es d Typ e = 355; continuous entropy is Window test requested size = 512 Entropy Source Permanen RCT CAS jent_kcapi_rand Entropy Continuou Continuous RCT t cutoff C T om returns 0 source sly as = 61 continuous entropy is test requested Safe Primes Key ffdhe2048 PCT PCT Key pair SP 800- Key pair Generation , generation is 56Ar3 generation ffdhe3072 successful Section , 5.6.2.1.4 ffdhe4096 , ffdhe6144 , ffdhe8192 ECDSA KeyGen P-256, P- PCT PCT Key pair SP 800- Key pair (FIPS186-5) 384 generation is 56Ar3 generation successful Section 5.6.2.1.4 Table 22: Conditional Self-Tests Data output through the data output interface is inhibited during the conditional self-tests. The module does not return control to the calling application until the tests are completed. If any of these tests fails, the module transitions to the error state (Section 10.4).

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually

512 - kcapi- Authentication

hasher HMAC-SHA2- Message SW/FW Integrity On demand Manually

256 - libkcapi Authentication

HMAC-SHA2- Message SW/FW Integrity On demand Manually

512 - vmlinuz Authentication

Table 23: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST On demand Manually Encryption AES-CBC KAT CAST On demand Manually Decryption © 2025 NetApp, Inc., atsec information security.

Page 52

Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST On demand Manually (AESNI_ASM) Encryption AES-CBC KAT CAST On demand Manually (AESNI_ASM) Decryption AES-CBC (AESNI_C) KAT CAST On demand Manually Encryption AES-CBC (AESNI_C) KAT CAST On demand Manually Decryption AES-CBC-CS3 KAT CAST On demand Manually Encryption AES-CBC-CS3 KAT CAST On demand Manually Decryption AES-CBC-CS3 KAT CAST On demand Manually (AESNI_C) Encryption AES-CBC-CS3 KAT CAST On demand Manually (AESNI_C) Decryption AES-CCM KAT CAST On demand Manually Authenticated encryption AES-CCM KAT CAST On demand Manually Authenticated decryption AES-CCM KAT CAST On demand Manually (AESNI_C) Authenticated encryption AES-CCM KAT CAST On demand Manually (AESNI_C) Authenticated decryption AES-CFB128 KAT CAST On demand Manually Encryption AES-CFB128 KAT CAST On demand Manually Decryption AES-CFB128 KAT CAST On demand Manually (AESNI_C) Encryption AES-CFB128 KAT CAST On demand Manually (AESNI_C) Decryption AES-CTR KAT CAST On demand Manually Encryption AES-CTR KAT CAST On demand Manually Decryption AES-CTR KAT CAST On demand Manually (AESNI_ASM) Encryption © 2025 NetApp, Inc., atsec information security.

Page 53

Algorithm or Test Method Test Type Period Periodic Test Method AES-CTR KAT CAST On demand Manually (AESNI_ASM) Decryption AES-ECB KAT CAST On demand Manually Encryption AES-ECB KAT CAST On demand Manually Decryption AES-ECB (CTI_C) KAT CAST On demand Manually Encryption AES-ECB (CTI_C) KAT CAST On demand Manually Decryption AES-ECB KAT CAST On demand Manually (AESNI_ASM) Encryption AES-ECB KAT CAST On demand Manually (AESNI_ASM) Decryption AES-ECB (AESNI_C) KAT CAST On demand Manually Encryption AES-ECB (AESNI_C) KAT CAST On demand Manually Decryption AES-GCM KAT CAST On demand Manually Authenticated encryption AES-GCM KAT CAST On demand Manually Authenticated decryption AES-GCM KAT CAST On demand Manually (AESNI_ASM) Authenticated encryption AES-GCM KAT CAST On demand Manually (AESNI_ASM) Authenticated decryption AES-GCM KAT CAST On demand Manually (AESNI_AVX) Authenticated encryption AES-GCM KAT CAST On demand Manually (AESNI_AVX) Authenticated decryption AES-GCM KAT CAST On demand Manually (VAES_AVX10_256) Authenticated encryption AES-GCM KAT CAST On demand Manually (VAES_AVX10_256) Authenticated decryption © 2025 NetApp, Inc., atsec information security.

Page 54

Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On demand Manually (VAES_AVX10_512) Authenticated encryption AES-GCM KAT CAST On demand Manually (VAES_AVX10_512) Authenticated decryption AES-OFB KAT CAST On demand Manually Encryption AES-OFB KAT CAST On demand Manually Decryption AES-OFB (AESNI_C) KAT CAST On demand Manually Encryption AES-OFB (AESNI_C) KAT CAST On demand Manually Decryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 Encryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 Decryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (AESNI_ASM) Encryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (AESNI_ASM) Decryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (AESNI_AVX) Encryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (AESNI_AVX) Decryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (VAES_AVX2) Encryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (VAES_AVX2) Decryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (VAES_AVX10_256) Encryption © 2025 NetApp, Inc., atsec information security.

Page 55

Algorithm or Test Method Test Type Period Periodic Test Method AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (VAES_AVX10_256) Decryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (VAES_AVX10_512) Encryption AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (VAES_AVX10_512) Decryption SHA-1 KAT CAST On demand Manually SHA-1 (SSSE3) KAT CAST On demand Manually SHA-1 (AVX) KAT CAST On demand Manually SHA-1 (AVX2) KAT CAST On demand Manually SHA-1 (SHA_NI) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually SHA2-224 (SSSE3) KAT CAST On demand Manually SHA2-224 (AVX) KAT CAST On demand Manually SHA2-224 (AVX2) KAT CAST On demand Manually SHA2-224 (SHA_NI) KAT CAST On demand Manually SHA2-256 KAT CAST On demand Manually SHA2-256 (SSSE3) KAT CAST On demand Manually SHA2-256 (AVX) KAT CAST On demand Manually SHA2-256 (AVX2) KAT CAST On demand Manually SHA2-256 (SHA_NI) KAT CAST On demand Manually SHA2-384 KAT CAST On demand Manually SHA2-384 (SSSE3) KAT CAST On demand Manually SHA2-384 (AVX) KAT CAST On demand Manually SHA2-384 (AVX2) KAT CAST On demand Manually SHA2-512 KAT CAST On demand Manually SHA2-512 (SSSE3) KAT CAST On demand Manually SHA2-512 (AVX) KAT CAST On demand Manually SHA2-512 (AVX2) KAT CAST On demand Manually SHA3-224 KAT CAST On demand Manually SHA3-256 KAT CAST On demand Manually SHA3-384 KAT CAST On demand Manually SHA3-512 KAT CAST On demand Manually AES-CMAC KAT CAST On demand Manually AES-CMAC KAT CAST On demand Manually (AESNI_C) HMAC-SHA-1 KAT CAST On demand Manually HMAC-SHA-1 KAT CAST On demand Manually (SHA_NI) HMAC-SHA2-224 KAT CAST On demand Manually HMAC-SHA2-224 KAT CAST On demand Manually (SHA_NI) HMAC-SHA2-256 KAT CAST On demand Manually © 2025 NetApp, Inc., atsec information security.

Page 56

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2-256 KAT CAST On demand Manually (SHA_NI) HMAC-SHA2-384 KAT CAST On demand Manually HMAC-SHA2-384 KAT CAST On demand Manually (AVX2) HMAC-SHA2-512 KAT CAST On demand Manually HMAC-SHA2-512 KAT CAST On demand Manually (AVX2) HMAC-SHA3-224 KAT CAST On demand Manually HMAC-SHA3-256 KAT CAST On demand Manually HMAC-SHA3-384 KAT CAST On demand Manually HMAC-SHA3-512 KAT CAST On demand Manually KDF SP800-108 KAT CAST On demand Manually KDA OneStep KAT CAST On demand Manually SP800-56Cr2 Counter DRBG KAT CAST On demand Manually Hash DRBG KAT CAST On demand Manually HMAC DRBG KAT CAST On demand Manually KAS-FFC-SSC KAT CAST On demand Manually Sp800-56Ar3 KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 RSA SigVer KAT CAST On demand Manually (FIPS186-5) Entropy Source APT CAST On demand Manually Start Up APT Entropy Source RCT CAST On demand Manually Start Up RCT Entropy Source APT CAST On demand Manually Continuous APT Entropy Source RCT CAST On demand Manually Continuous RCT Safe Primes Key PCT PCT On demand Manually Generation ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) Table 24: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel stops executing failure module panic Table 25: Error States In the error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). © 2025 NetApp, Inc., atsec information security.

Page 57
10.5 Operator Initiation of Self-Tests

The software integrity tests, CASTs and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The PCTs can be invoked on demand by requesting the key pair generation service. © 2025 NetApp, Inc., atsec information security.

Page 58
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as a part of the StorageGRID 12 operating system. The StorageGRID Grid Manager is used to install the module:

  1. Open the sidebar menu and click CONFIGURATION
  2. Under Security, click Security settings
  3. Install the FIPS module using one of the following options: a. Use the “FIPS strict” policy b. Configure and use a custom policy with the “fipsMode” key set to “true”
  4. After enabling the policy, a rolling reboot must be performed; the module is not considered installed until a reboot is performed
11.2 Administrator Guidance

After installation of module, the Crypto Officer must use the StorageGRID Grid Manager to verify the correct name and version of the module:

  1. Open the sidebar menu and click SUPPORT
  2. Under Tools, click Diagnostics
  3. Find the “FIPS module versions” diagnostic and verify the FIPS module name and FIPS module version are listed as follows: NetApp StorageGRID Kernel Crypto API 6.1.129-1-ntap1-amd64 kcapi-tools 1.4.0-1+ntap0 libkcapi1:amd64 1.4.0-1+ntap0 The FIPS module is only installed on a given node if the aforementioned names and versions are displayed for that node.
11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 Design and Rules
11.5 Maintenance Requirements
11.6 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. © 2025 NetApp, Inc., atsec information security.

Page 59
12 Mitigation of Other Attacks

The module does not offer mitigation of other attacks and therefore this section is not applicable. © 2025 NetApp, Inc., atsec information security.

Page 60

A Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CBC-CS3 Cipher Block Chaining with Ciphertext Stealing 3 CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm ESV Entropy Source Validation FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-hash Message Authentication Code IG Implementation Guidance IPsec Internet Protocol Security IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KDA Key Derivation Algorithm KDF Key Derivation Function KW Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PBKDF Password-Based Key Derivation Function PCT Pair-wise Consistency Test PKCS Public-Key Cryptography Standard PSP Public Security Parameter PUB Processing Standards Publication RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter TLS Transport Layer Security TOEPP Tested Operational Environment’s Physical Perimeter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 NetApp, Inc., atsec information security.

Page 61

B References FIPS 140-3 Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/CSRC/media/Projects/cryptographic-modulevalidation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://doi.org/10.6028/NIST.FIPS.186-4 FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS 197 Advanced Encryption Standard (AES) November 2001; Updated May 2023 https://doi.org/10.6028/NIST.FIPS.197-upd1 FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) July 2008 https://doi.org/10.6028/NIST.FIPS.198-1 FIPS 202 SHA-3 Standard: Permutation-Based Hash and ExtendableOutput Functions August 2015 https://doi.org/10.6028/NIST.FIPS.202 PKCS#1 PKCS #1: RSA Cryptography Specifications Version 2.2 November 2016 https://doi.org/10.17487/RFC8017 RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) June 2005 https://doi.org/10.17487/RFC4106 RFC 5288 The Transport Layer Security (TLS) Protocol Version 1.2 August 2008 https://doi.org/10.17487/RFC5246 RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://doi.org/10.17487/RFC8446 SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques December 2001 https://doi.org/10.6028/NIST.SP.800-38A SP800-38A- Recommendation for Block Cipher Modes of Operation: Three Add Variants of Ciphertext Stealing for CBC Mode October 2010 https://doi.org/10.6028/NIST.SP.800-38A-Add SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication May 2005; Updated October 2016 https://doi.org/10.6028/NIST.SP.800-38B © 2025 NetApp, Inc., atsec information security.

Page 62

SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004; Updated July 2007 https://doi.org/10.6028/NIST.SP.800-38C SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://doi.org/10.6028/NIST.SP.800-38D SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTSAES Mode for Confidentiality on Storage Devices January 2010 https://doi.org/10.6028/NIST.SP.800-38E SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://doi.org/10.6028/NIST.SP.800-38F SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://doi.org/10.6028/NIST.SP.800-52r2 SP 800-56Ar3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP 800-56Cr2 Recommendation for Key-Derivation Methods in KeyEstablishment Schemes August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP 800-108r1 Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths Marcy 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP 800-140Br1 Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 © 2025 NetApp, Inc., atsec information security.