All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Christie IMB-S4 4K Integrated Media Block (IMB)

Certificate#5099StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip EmbeddedStatusActiveVendorChristie Digital Systems Canada Inc.
Medium review priority  ·  exposes firmware-update authentication, debug/recovery interface  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Embedded
StatusActive
Sunset date11/30/2030
CaveatWhen operated in approved mode
VendorChristie Digital Systems Canada Inc.

Approved Algorithms (3)

AlgorithmACVP Cert
RSA SigVer (FIPS186- 4)C838
SHA-1A4665
SHA2-256A4665

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Non-Invasive SecurityN/A
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Christie IMB-S4 4K Integrated Media Block (IMB)
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Digital Signature<br/>Secure Hash<br/>Upgrade</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Get Module Information<br/>Get Status<br/>Perform Self-test (power cycle)</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Ingest USB</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>no library/version identified</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C4,C5 clue;
  class I2,I3,I4,I5 infer;
  class R2,R3,R4,R5 risk;
  class E2,E3,E4,E5 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Christie IMB-S4 4K Integrated Media Block (IMB)
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Digital Signature<br/>Secure Hash<br/>Upgrade</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Get Module Information<br/>Get Status<br/>Perform Self-test (power cycle)</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Ingest USB</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>no library/version identified</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C4 clueHigh;
  class C5 clueLow;

Security Policy, page by page

Page 1

Christie Digital Systems Canada Inc. Christie IMB-S4 4K Integrated Media Block (IMB)

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels5
2Cryptographic Module Specification5
2.1Description5
2.2Tested and Vendor Affirmed Module Version and Identification8
2.3Excluded Components9
2.4Modes of Operation9
2.5Algorithms10
2.6Security Function Implementations11
2.7Algorithm Specific Information11
2.8RBG and Entropy11
2.9Key Generation11
2.10Key Establishment11
2.11Industry Protocols11
3Cryptographic Module Interfaces11
3.1Ports and Interfaces12
4Roles, Services, and Authentication12
4.1Authentication Methods12
4.2Roles13
4.3Approved Services13
4.4Non-Approved Services14
4.5External Software/Firmware Loaded23
5Software/Firmware Security23
5.1Integrity Techniques23
5.2Initiate on Demand24
6Operational Environment24
6.1Operational Environment Type and Requirements24
7Physical Security24
7.1Mechanisms and Actions Required24
8Non-Invasive Security25
9Sensitive Security Parameters Management25
9.1Storage Areas25
9.2SSP Input-Output Methods25
9.3SSP Zeroization Methods25
9.4SSPs26
10Self-Tests27
10.1Pre-Operational Self-Tests27
10.2Conditional Self-Tests27
10.3Periodic Self-Test Information28
10.4Error States31
11Life-Cycle Assurance31
11.1Installation, Initialization, and Startup Procedures31
11.2Administrator Guidance32
Physical Ports and logical Interfaces32
Security Events32
Approved & Non-approved Security Functions32
Security Parameters32
11.3Non-Administrator Guidance32
11.4Design and Rules32
11.5Maintenance Requirements33
11.6End of Life33
12Mitigation of Other Attacks33
Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Hardware8
Table 3 Get Module Information Service Response Fields9
Table 4 Excluded Components9
Table 5: Modes List and Description9
Table 6: Approved Algorithms10
Table 7: Non-Approved, Not Allowed Algorithms10
Table 8: Security Function Implementations11
Table 9: Ports and Interfaces12
Table 10: Authentication Methods13
Table 11: Roles13
Table 12: Approved Services14
Table 13: Non-Approved Services23
Table 14: Mechanisms and Actions Required24
Table 15: Storage Areas25
Table 16: SSP Input-Output Methods25
Table 17: SSP Zeroization Methods26
Table 18: SSP Table 126
Table 19: SSP Table 227
Table 20: Pre-Operational Self-Tests27
Table 21: Conditional Self-Tests28
Table 22: Pre-Operational Periodic Information30
Table 23: Conditional Periodic Information31
Table 24: Error States31
Figure 1 Top View of Christie IMB-S46
Figure 2 Bottom View of Christie IMB-S47
Figure 3 Block Diagram8
Figure 4 Physical Security Mechanisms24
Page 5
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic module specification2
33Cryptographic module interfaces3
44Roles, services, and authentication3
55Software/Firmware security3
66Operational environmentN/A
77Physical security2
88Non-invasive securityN/A
99Sensitive security parameter management3
1010Self-tests2
1111Life-cycle assurance3
1212Mitigation of other attacksN/A
Overall LevelOverall Level2
1.1 Overview

This document is the Cryptographic Module Security Policy for the Christie IMB-S4 4K Integrated Media Block (IMB) (also referred to herein as the Christie IMB-S4, the cryptographic module, or simply the module). This policy is a specification of the security rules under which the Christie IMB-S4 operates and meets the requirements of FIPS 140-3 Level 2.

1.2 Security Levels
2.1 Description

Purpose and Use: The Christie IMB-S4 is a multi-chip embedded cryptographic module. The IMB-S4 enables playback of encrypted cinema content packaged as an industry standard Digital Cinema Package (DCP). The IMB-S4 supports playback of digital cinema content from on-board storage (SSDs) as well as a network attached storage (NAS) device. Module Type: Hardware Module Embodiment: MultiChipEmbed Module Characteristics: Cryptographic Boundary: The illustrations below indicate the cryptographic boundary and the physical ports defined on the boundary.

Page 6

Cryptographic Boundary Security Enclosure S4-Power Battery 1 Battery 2 SSD M.2 NAS SYNC In S4-Data Service Door LED FIPS Storage LED LEDs Aux Audio SYNC Out Media Figure 1 Top View of Christie IMB-S4 LTC Out Ingest USB AES3 Audio

Page 7

Cryptographic Boundary DAD (not used) Figure 2 Bottom View of Christie IMB-S4 The cryptographic boundary is the outer physical perimeter of the module’s PCB board as represented by the blue boundary in the above photos.

Page 8
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeatures
Christie IMB-S4 4K Integrated Media Block (IMB)Christie IMB-S4 4K Integrated Media Block (IMB)000-201699- 011.0.0- 5494@aIntel Atom x7-E3950 and SE050 (HW P/N: N7121 B1)N/A

Cryptographic Boundary Aux Audio Projector I/O (S4-Data) (latent

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9
Service
NameDescriptionIndicatorType
Non- ApprovedRunning in non- approved mode of operationThe module supports a separate indicator for non-approved security services. Module will display Ethernet (S4-Data) Status (FIPS_STATE) == non-approvedNon- Approved
DataStatus ItemValue
Module nameFIPS Model NameIMB-S4
Hardware part number / versionFIPS Hardware Version000-201699-01
Firmware VersionIMB Software Version1.0.0-5494@a
Excluded Component #DescriptionReference Designator
1Resistor 0ΩR678
2Capacitor 47µFC711
3Capacitor 47µFC712

The Get Module Information approved service listed in section 4.3 Approved Services can be Specifically, each item is mapped to: Table 3 Get Module Information Service Response Fields

2.3 Excluded Components

The following components are outside the security enclosure and are non-security relevant. Table 4 Excluded Components Modes List and Description: NonApproved NonApproved Table 5: Modes List and Description As per FIPS 140-3 IG 2.4.A, the non-approved mode services of the module do not share, access, nor use any SSP used by the module in approved mode of operation. The SSPs used by the “Upgrade” service are not used in non-approved mode.

Page 10
Approved algorithm
NameCAVP CertPropertiesReference
RSA SigVer (FIPS186- 4)C838Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072FIPS 186-4
SHA-1A4665Message Length - Message Length: 8-1024 Increment 8FIPS 180-4
SHA2-256A4665Message Length - Message Length: 8-1024 Increment 8FIPS 180-4
SHA2-256C837Message Length - Message Length: 0-51200 Increment 8FIPS 180-4
Service
NameApproved Functions
MD5Used as part of the TLS 1.0 implementation.
RSA (non-compliant)Used as part of the TLS 1.0 implementation and the Ingest, Generate SM Report, Perform Marriage services.
TLS 1.0 KDF (non- compliant)Used as part of the TLS 1.0 implementation.
AES (non-compliant)Used as part of the TLS 1.0 implementation and the Ingest, Load Content, Playback services.
HMAC (non-compliant)Used as part of the TLS 1.0 implementation and the Load Content, Playback services.
SHS (non-compliant)Used as part of the TLS 1.0 implementation and Generate SM Report, Perform Marriage services.
DRBG (non-compliant)Used as part of the TLS 1.0 implementation.

Mode Change Instructions and Status: The module enters the approved mode of operation immediately after the self-test is completed. The module enters the non-approved mode of operation as soon as the first non-approved service is called. The module can transition from non-approved to approved mode by rebooting the module and letting the self-test complete.

2.5 Algorithms

Approved Algorithms: Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Table 7: Non-Approved, Not Allowed Algorithms

Page 11
Service
NameDescriptionApproved FunctionsType
Digital SignatureVerification is used during the authentication of the firmware package during upgrade.RSA SigVer (FIPS186-4): (C838) SHA2-256: (C837)DigSig-SigVer
Secure HashSHA2-256 is used for Firmware Integrity during Upgrade and Self- Test. SHA-1 is only used as a standalone message digest.SHA-1: (A4665) SHA2-256: (A4665)SHA
2.6 Security Function Implementations

Table 8: Security Function Implementations

2.7 Algorithm Specific Information

As per FIPS 140-3 IG C.K, the module supports a FIPS 186-4 algorithm (RSA 2048 SigVer) that was tested in 2019 prior to the Feb 5, 2024, transition. The FIPS 186-4 CAVP test (RSA 2048 SigVer) is mathematically identical to FIPS 186-5 CAVP tests (RSA 2048 SigVer), therefore this module will claim FIPS 186-5 compliance for this test (RSA 2048 SigVer). Please also note that the SHA-1 algorithm has a transition date of December 31st, 2030. SHA-1 will be disallowed for applying cryptographic protection effective January 1st, 2031.

2.8 RBG and Entropy

N/A for this module. N/A for this module.

2.9 Key Generation
2.10 Key Establishment
2.11 Industry Protocols
3 Cryptographic Module Interfaces
Page 12
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Aux AudioAux AudioData Input Data Output Control Output Status OutputLatent - Reserved for future use
Sync OutSync OutControl OutputLatent - Reserved for future use
Sync InSync InControl InputLatent - Reserved for future use
LTCLTCControl OutputTime code information
AES3 AudioAES3 AudioData OutputUnencrypted Audio
Storage LEDsStorage LEDsStatus OutputSSD 1 / 2 / 3 status information
Ingest USBIngest USBData InputDCP / KDM
MediaMediaData Input Data OutputDCP / KDM
MediaMediaStatus OutputNetwork Link status, Network Activity Status (via LEDs) Unauthenticated Status Information (TCP port 2000)
FIPS LEDFIPS LEDStatus OutputFIPS Status
Service Door LEDService Door LEDStatus OutputService Door open / closed
Video SERDES (S4-Data)Video SERDES (S4-Data)Data OutputUnencrypted Video
SSDs M.2SSDs M.2Data Input Data OutputDCP / KDM / Show Playlist
Marriage (S4-Data)Marriage (S4-Data)Control InputElectrical signal indicating open or closed Marriage Ring
Service Door (S4-Data)Service Door (S4-Data)Control InputElectrical signal indicating open or closed Service Door
NASNASData Input Data OutputDCP / KDM
NASNASStatus OutputNetwork Link status, Network Activity Status (via LEDs) Unauthenticated Status Information (TCP port 2000)
Projector I/O (S4-Data)Projector I/O (S4-Data)Control InputFPGA handshake signals
Projector I/O (S4-Data)Projector I/O (S4-Data)Control OutputIMB Ready Electrical Signal
Aux SERDES (S4-Data)Aux SERDES (S4-Data)Data InputAudio
Aux SERDES (S4-Data)Aux SERDES (S4-Data)Status OutputLatent - Reserved for future use
Ethernet (S4-Data)Ethernet (S4-Data)Data InputDCP / KDM
Ethernet (S4-Data)Ethernet (S4-Data)Data OutputDCP / KDM / Rendered Subtitles
Ethernet (S4-Data)Ethernet (S4-Data)Control InputCEP API
Ethernet (S4-Data)Ethernet (S4-Data)Control OutputFTP control as a client to a server
Ethernet (S4-Data)Ethernet (S4-Data)Status OutputUnauthenticated Status Information (TCP port 2000)
Ingest USBIngest USBPowerN/A
SSDs M.2SSDs M.2PowerN/A
Battery 1 & 2Battery 1 & 2PowerN/A
S4-PowerS4-PowerPowerN/A
DADDADStatus OutputLatent - Reserved for future use
Sensitive security parameter
NameDescriptionStrengthStrength per Minute
RSA Digital Signature VerificationIdentity-based operator authenticationThe authentication is based on RSA 2048 which provides an equivalent encryption strength of 112 bits. TheRSA Digital Signature VerificationThere is a 1 second retry delay after each attempt which limits the number of attempts that can be launched per
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 9: Ports and Interfaces

4 Roles, Services, and Authentication
4.1 Authentication Methods
Page 13
Sensitive security parameter
NameStrengthStrength per Minute
probability that a random attempt will succeed, or a false acceptance will occur is 1/2 ^ 112 which is less than 1/1,000,000.probability that a random attempt will succeed, or a false acceptance will occur is 1/2 ^ 112 which is less than 1/1,000,000.minute. The probability that a random attempt will successfully authenticate to the module within one minute is 60/2 ^ 112 which is less than 1/100,000.
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerIdentityRSA Digital Signature Verification
UpgradeVerify authenticity and integrity of firmware package.Crypto Officer - Christie Firmware Update Certificate: E - Christie Firmware Update Public Key: E - Cave SMS Certificate: W - Cave SMS Public Key: W - Christie Root CA Self Signed Certificate: E - Christie Root CA Public Key: E - Christie CA Certificate Chain: EDigital Signature Secure HashEthernet (S4- Data) Status (FIPS_STATE) == approvedFirmware Package, CAVE SMS CertificateEthernet (S4- Data) Upgrade Status == Success
Get Module InformationRetrieve hardware version and firmware version (Show Version)UnauthenticatedNoneEthernet (S4- Data) Status (FIPS_STATE) == approvedNoneHardware Version, Firmware Version
Get StatusRetrieve Status (Show Status)UnauthenticatedNoneEthernet (S4- Data) Status (FIPS_STATE) == approvedNoneStatus of module
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputSecurity Functions
Crypto OfficerCrypto OfficerIdentityRSA Digital Signature Verification
UpgradeVerify authenticity and integrity of firmware package.Crypto Officer - Christie Firmware Update Certificate: E - Christie Firmware Update Public Key: E - Cave SMS Certificate: W - Cave SMS Public Key: W - Christie Root CA Self Signed Certificate: E - Christie Root CA Public Key: E - Christie CA Certificate Chain: EDigital Signature Secure HashEthernet (S4- Data) Status (FIPS_STATE) == approvedFirmware Package, CAVE SMS CertificateEthernet (S4- Data) Upgrade Status == Success
Get Module InformationRetrieve hardware version and firmware version (Show Version)UnauthenticatedNoneEthernet (S4- Data) Status (FIPS_STATE) == approvedNoneHardware Version, Firmware Version
Get StatusRetrieve Status (Show Status)UnauthenticatedNoneEthernet (S4- Data) Status (FIPS_STATE) == approvedNoneStatus of module
Perform Self-test (power cycle)Run pre- operational self-testsUnauthenticatedNoneN/A - self-tests are performed at boot-up irrespective of the mode of operation.NoneEthernet (S4- Data) FIPS_STATE == approved
Get Upgrade StatusRetrieve status of upgradeUnauthenticatedNoneEthernet (S4- Data) Status (FIPS_STATE) == approvedNoneStatus Information of upgrade
IngestRetrieve and store DCP / KDMMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Load ContentUnwrap Content Decryption Keys and perform CPL verificationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
PlaybackDecrypt Content, verify frame integrity, and perform playbackMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Generate SM ReportBuild and sign the SM ReportMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Perform MarriagePerform Electronic MarriageMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
List Remote Device ConfigurationsList all remote device configurationsMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Add Remote Device ConfigurationSpecify a remote device to ingest content fromMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Delete Remote Device ConfigurationDelete a remote device configurationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Test FTP ServerConfirm connectivity to FTP ServerMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
List Ingest SourcesList sources to ingest content fromMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Scan for Ingestible ContentFind all ingestible content on local drivesMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Cancel Scan for Ingestible ContentCancel a scan in progressMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
List Ingestible ContentList all ingestible content found from scanMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Cancel IngestCancel an ingest in progressMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Get Ingest StatusGet Status information about current ingestMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get List of Shared DirectoriesRetrieve list of shared directories on NAS driveMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
List ContentRetrieve list of contentMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Refresh ContentRefresh cached list of contentMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get CPLRetrieve a CPLMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get CPL DetailsRetrieve details of a CPLMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Is CPL CompleteConfirm all assets are available for CPLMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get KDMRetrieve a KDMMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Delete ContentRemove content from Onboard StorageMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Type of UUIDRetrieve type of content for UUIDMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Load StatusRetrieve status of load operationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get ID of Loaded ContentRetrieve ID of loaded contentMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Enable LoopingEnable content loopingMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Unload ContentUnload content from memoryMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Module Details / HistoryStart information collection of ModuleMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Status of Information CollectionRetrieve status of information collectionMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Show PlaylistsRetrieve list of show playlistsMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Is Show Playlist CompleteDetermine if all components of show playlist are presentMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Does Content Exist in Show PlaylistCheck if content exists in a playlistMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Confirm KDM Validity for Show PlaylistConfirm that all KDMs for playlist are valid at specified timeMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Validate Show PlaylistValidate a specified playlistMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Show Playlist Validation ResultsGet the results of the playlist validationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Enable Scheduler SupportEnable flag indicating that scheduler is activeMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Status ItemRetrieve individual status itemMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Get SM CertificateRetrieve SM Leaf CertificateMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get LS CertificateRetrieve LS Leaf CertificateMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Stop SM Report GenerationStop SM Report generationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Audio ConfigurationRetrieve Audio ConfigurationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Save Audio ConfigurationSave Audio ConfigurationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Test NAS ConnectivityVerify connectivity to NASMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Get Storage StatusRetrieve status of each storage deviceMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Save Storage ConfigurationSave Storage ConfigurationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Storage ConfigurationGet Storage ConfigurationMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Does Show Playlist ExistCheck for an individual show playlistMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Save Show PlaylistSave a show playlistMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Get Show PlaylistRetrieve a saved show playlistMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant)Crypto Officer
Adjust TimeAdjust the Real Time ClockMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer
Is SM BusyReturn True if SM is BusyMD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant)Crypto Officer

Table 10: Authentication Methods Authentication for the Ethernet Control Input Interface is accomplished via identity-based

4.2 Roles
4.3 Approved Services
Page 14

Run preoperational Ethernet (S4Data) Z Table 12: Approved Services As per FIPS 140-3 IG 2.4.C, module supports a separate indicator per approved security service. HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 15

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 16

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 17

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 18

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 19

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 20

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 21

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 22

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)

Page 23

DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) Table 13: Non-Approved Services

4.5 External Software/Firmware Loaded

Any firmware loaded into this module that is not shown on the module certificate, is out of scope of this validation and requires a separate FIPS 140-3 validation. Loading of External Firmware is performed through the Upgrade Service via the Crypto Officer role. Unauthorized firmware loading is not possible. Additionally, all firmware is digitally signed and checked as per section 5. Data Output and Control Output is inhibited during firmware load testing. The module also prevents firmware loading during any Data Output and/or Control Output operations. During firmware loading, requests for other services involving Data Output and/or Control Output are prohibited until firmware load is complete and the module is restarted. The module implements partial image replacement since there is a BIOS firmware component that is not upgradeable in the field and can only be modified by Christie at Christie’s secure facility.

5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing the SHA2-256 (SHS Cert. # A4665) value of the firmware calculated at the time of construction of the firmware, with the SHA2-256 value of the currently running firmware. This is performed as part of the Pre-Operational Self-Tests. Please note the SHA2-256 implementation will perform a Cryptographic Algorithm Self-Test using a Known Answer Test, prior to performing the firmware integrity test.

Page 24
MechanismInspection FrequencyInspection Guidance
Metal Security EnclosureUpon receipt of module and as often as feasible.Visually inspect metal enclosure for scratches, gouges, deformation, and other signs of visible signs of tamper.
Tamper Evident SealsUpon receipt of module and as often as feasible.Visually inspect the tamper evident seals for scratches, gouges, deformation, or other physical signs of tampering.
5.2 Initiate on Demand

The operator can initiate firmware integrity test by power-cycling the module.

6 Operational Environment
6.1 Operational Environment Type and Requirements

The module operates in a limited operational environment that only allows the loading of a trusted and validated firmware binary image through an authenticated service. Firmware binary images are signed by an RSA key which is part of the Christie certificate chain. Type of Operational Environment: Limited

7.1 Mechanisms and Actions Required

Table 14: Mechanisms and Actions Required The Christie IMB-S4 is a multi-chip embedded cryptographic module which is composed of production-grade components. The module satisfies Security Level 2 only for physical security. Figure 4 Physical Security Mechanisms

Page 25
Sensitive security parameter
NameTypeDescription
IMB CPU RAMDynamicSystem Memory
IMB CPU FlashStaticSystem Non-Volatile Memory
Service
NameTypeFromTo
Factory InstalledPlaintextManufacturerN/AAutomatedElectronic
Upgrade ServicePlaintextEthernet (S4-Data)IMB CPU RAMAutomatedElectronic

The physical security mechanisms of the module include a hard, opaque and tamper-evident metal security enclosure. The module includes four tamper evident seals (Figure 4 Physical Security Mechanisms) covering the screws that secure the metal enclosure to the module; said tamper evident seals are installed as part of the manufacturing process and shall not be removed (i.e. maintenance role is not supported, maintenance interface is not supported). The tamper evident metal security enclosure and the tamper-evident seals shall be periodically inspected to ensure the physical security of the module is maintained. All components which lie outside the metal enclosure are not security relevant and are listed under section 2.3 Excluded Components. NOTE: Although strictly outside the scope of physical security level 2, the metal security enclosure is monitored 24/7 by battery backed-up tamper detection and response mechanisms. Any attempt to remove the metal enclosure results in instantaneous active zeroization. Zeroization also occurs if both batteries become discharged.

8 Non-Invasive Security
9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

N/A Table 16: SSP Input-Output Methods

9.3 SSP Zeroization Methods
Page 26
Service
NameDescriptionOperator Initiation Zeroization Service
TamperSecurity Enclosure Removal or full loss of powerRemove Security Enclosure Remove Both Batteries and main power
Loss of Main PowerLoss of Main Power but battery power is still presentDisconnect power from S4-Power Physical Port
Completion of ServiceSSP temporary values are zeroised at the completion of a serviceAutomatically performed by the module
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputStorage DurationRelated SSPs
Christie Firmware Update CertificateX.509 - PSPX.509 Firmware Update Certificate for update package verification2048 - 112Digital Signature
Christie Firmware Update Public KeyPublic - PSPRSA Public Key for verifying update package signature2048 - 112Digital Signature
Cave SMS CertificateX.509 - PSPX.509 Certificate containing the Cave SMS Public Key2048 - 112Digital Signature
Cave SMS Public KeyPublic - PSPCrypto Officer RSA Public Key2048 - 112Digital Signature
Christie Root CA Self Signed CertificateX.509 - PSPX.509 CA Certificate for leaf certificate verification2048 - 112Digital Signature
Christie Root CA Public KeyPublic - PSPRSA Public Key for leaf certificate verification2048 - 112Digital Signature
Christie CA Certificate ChainX.509 - PSPX.509 CA Certificate2048 - 112Secure Hash Digital Signature
Christie Firmware Update CertificateIMB CPU Flash:Plaintext IMB CPU RAM:PlaintextTamper Zeroization ServiceFactory InstalledN/AChristie Firmware Update Public Key:Paired With
Christie Firmware Update Public KeyIMB CPU Flash:Plaintext IMB CPU RAM:PlaintextTamper Zeroization ServiceFactory InstalledN/AChristie Firmware Update Certificate:Paired With
Cave SMS CertificateIMB CPU RAM:PlaintextLoss of Main Power Completion of ServiceUpgrade ServiceDuring authentication of Upgrade ServiceCave SMS Public Key:Paired With
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputStorage DurationRelated SSPs
Christie Firmware Update CertificateX.509 - PSPX.509 Firmware Update Certificate for update package verification2048 - 112Digital Signature
Christie Firmware Update Public KeyPublic - PSPRSA Public Key for verifying update package signature2048 - 112Digital Signature
Cave SMS CertificateX.509 - PSPX.509 Certificate containing the Cave SMS Public Key2048 - 112Digital Signature
Cave SMS Public KeyPublic - PSPCrypto Officer RSA Public Key2048 - 112Digital Signature
Christie Root CA Self Signed CertificateX.509 - PSPX.509 CA Certificate for leaf certificate verification2048 - 112Digital Signature
Christie Root CA Public KeyPublic - PSPRSA Public Key for leaf certificate verification2048 - 112Digital Signature
Christie CA Certificate ChainX.509 - PSPX.509 CA Certificate2048 - 112Secure Hash Digital Signature
Christie Firmware Update CertificateIMB CPU Flash:Plaintext IMB CPU RAM:PlaintextTamper Zeroization ServiceFactory InstalledN/AChristie Firmware Update Public Key:Paired With
Christie Firmware Update Public KeyIMB CPU Flash:Plaintext IMB CPU RAM:PlaintextTamper Zeroization ServiceFactory InstalledN/AChristie Firmware Update Certificate:Paired With
Cave SMS CertificateIMB CPU RAM:PlaintextLoss of Main Power Completion of ServiceUpgrade ServiceDuring authentication of Upgrade ServiceCave SMS Public Key:Paired With

Table 17: SSP Zeroization Methods The module explicitly zeroizes SSPs as per the methods above. Please see Section 9.4 for more details. Table 18: SSP Table 1 N/A N/A

Page 27
Sensitive security parameter
NameStorageZeroizationInputStorage DurationRelated SSPs
Cave SMS Public KeyIMB CPU RAM:PlaintextLoss of Main Power Completion of ServiceUpgrade ServiceDuring authentication of Upgrade ServiceCave SMS Certificate:Paired With
Christie Root CA Self Signed CertificateIMB CPU Flash:Plaintext IMB CPU RAM:PlaintextLoss of Main Power Completion of ServiceUpgrade ServiceDuring authentication of Upgrade ServiceChristie Root CA Public Key:Paired With
Christie Root CA Public KeyIMB CPU RAM:Plaintext IMB CPU Flash:PlaintextLoss of Main Power Completion of ServiceUpgrade ServiceDuring authentication of Upgrade ServiceChristie Root CA Self Signed Certificate:Paired With
Christie CA Certificate ChainIMB CPU RAM:Plaintext IMB CPU Flash:PlaintextLoss of Main Power Completion of ServiceUpgrade ServiceDuring authentication of Upgrade ServiceChristie Root CA Self Signed Certificate:Used With
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
Check Security MCUCheck Security MCUN/ACritical FunctionCheck Security MCUN/AIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=SECURITY_MCU_OFFLINE" and FIPS LED will be solid red. If success
Check Enclosure StatusCheck Enclosure StatusN/ACritical FunctionCheck Enclosure StatusN/AIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TAMPERED: 1 EN_OPEN: 1" and FIPS LED will be solid red.
Check NXP SE050Check NXP SE050N/ACritical FunctionCheck NXP SE050N/AIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TPM_FAILURE" and FIPS LED will be solid red.
SHSSHSFW IntegritySW/FW IntegritySecure HashSHA2-256If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=IMAGE_INTEGRITY" and FIPS LED will be solid red.
RSA SigVer (FIPS186- 4) (C838)RSA SigVer (FIPS186- 4) (C838)KATCASTSign, Verify2048-bit data, 160- bit digestIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red.Power-Up
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
Check Security MCUCheck Security MCUN/ACritical FunctionCheck Security MCUN/AIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=SECURITY_MCU_OFFLINE" and FIPS LED will be solid red. If success
Check Enclosure StatusCheck Enclosure StatusN/ACritical FunctionCheck Enclosure StatusN/AIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TAMPERED: 1 EN_OPEN: 1" and FIPS LED will be solid red.
Check NXP SE050Check NXP SE050N/ACritical FunctionCheck NXP SE050N/AIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TPM_FAILURE" and FIPS LED will be solid red.
SHSSHSFW IntegritySW/FW IntegritySecure HashSHA2-256If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=IMAGE_INTEGRITY" and FIPS LED will be solid red.
RSA SigVer (FIPS186- 4) (C838)RSA SigVer (FIPS186- 4) (C838)KATCASTSign, Verify2048-bit data, 160- bit digestIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red.Power-Up
SHA2-256 (A4665)SHA2-256 (A4665)KATCASTSecure HashSHA-256, 256-bit dataIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red.Power-Up
SHA-1 (A4665)SHA-1 (A4665)KATCASTSecure HashSHA-1If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red.Power-Up
RSA SigVer (FIPS186- 4) (C838)RSA SigVer (FIPS186- 4) (C838)SW/FW LoadSW/FW LoadVerify2048-bit key with SHA2-256 Signature VerificationIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=UPGRADE_FAILURE" and FIPS LED will be solid red.Conditional
Check Security MCUCheck Security MCUN/ACritical Function7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test.
Check Enclosure StatusCheck Enclosure StatusN/ACritical Function7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed,
10 Self-Tests
10.1 Pre-Operational Self-Tests

N/A N/A N/A N/A N/A N/A Table 20: Pre-Operational Self-Tests The NXP SE050 referenced above is synonymous with TPM.

10.2 Conditional Self-Tests
Page 28
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
SHA2-256 (A4665)SHA2-256 (A4665)KATCASTSecure HashSHA-256, 256-bit dataIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red.Power-Up
SHA-1 (A4665)SHA-1 (A4665)KATCASTSecure HashSHA-1If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red.Power-Up
RSA SigVer (FIPS186- 4) (C838)RSA SigVer (FIPS186- 4) (C838)SW/FW LoadSW/FW LoadVerify2048-bit key with SHA2-256 Signature VerificationIf success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=UPGRADE_FAILURE" and FIPS LED will be solid red.Conditional
Check Security MCUCheck Security MCUN/ACritical Function7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test.
Check Enclosure StatusCheck Enclosure StatusN/ACritical Function7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed,
Check NXP SE050Check NXP SE050N/ACritical Function7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test.
SHSSHSFW IntegritySW/FW Integrity7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7-

(FIPS1864) (C838) Table 21: Conditional Self-Tests The IMB-S4 has one conditional self-test related to firmware loading. Firmware loading requires are tested as part of the self-test on boot up and during the periodic self-tests. N/A N/A

Page 30
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
RSA SigVer (FIPS186-4) (C838)RSA SigVer (FIPS186-4) (C838)KATCAST7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test.
SHA2-256 (A4665)SHA2-256 (A4665)KATCAST7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test.
SHA-1 (A4665)SHA-1 (A4665)KATCAST7 daysThe periodic self- test is performed
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
RSA SigVer (FIPS186-4) (C838)RSA SigVer (FIPS186-4) (C838)KATCAST7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test.
SHA2-256 (A4665)SHA2-256 (A4665)KATCAST7 daysThe periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test.
SHA-1 (A4665)SHA-1 (A4665)KATCAST7 daysThe periodic self- test is performed
RSA SigVer (FIPS186-4) (C838)RSA SigVer (FIPS186-4) (C838)SW/FW LoadSW/FW LoadNoneAutomatically performed by the module during the Upgrade service

Table 22: Pre-Operational Periodic Information

Page 31
Service
NameDescriptionRole AccessIndicator
TamperedTampering, Zeroization ServiceFull loss of power Security Enclosure Removal Started by Crypto OfficerFIPS LED will be solid red.Return to Factory
Self-Test FailureCritical Function FailurePre-operational self-test failureFIPS LED will be solid red.Return to Factory
Firmware Integrity FailureVerify Firmware Integrity SHA2-256 checksumIncorrect checksumFIPS LED will be solid red.Return to Factory
Firmware Load Test FailureFailure during firmware loadSignature Verification or SHA Checksum failure.FIPS LED will be solid red.Power Cycle

Table 23: Conditional Periodic Information

10.4 Error States

Table 24: Error States For more information about each error state, please see the relevant Self-Test section above.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is manufactured in a secure facility and placed into the approved mode of operation prior to shipping to the customer. On powering up the module (from battery to main power), the module goes through self-tests and an image integrity check to confirm that the non-modifiable operating environment has not been tampered with.

Page 32

Any other failure will result in a hard FIPS error state to prevent use of the product in a nonapproved mode.

11.2 Administrator Guidance

The module consists of a single Crypto Officer role (see 4.2 Roles) and there are no administrative specific procedures functions required to administer the module while it’s in its approved mode of operation. The module is fully secured and in the approved mode of operation once it is shipped from the factory. There is no additional user behavior expected for secure operation of the module. Physical Ports and logical Interfaces Please refer to section 3 Cryptographic Module Interfaces. Security Events Please refer to section 2.4 Modes of Operation. Approved & Non-approved Security Functions Please refer to section 4.3 Approved Services and section 4.4 Non-Approved Services. Security Parameters Please refer to section 9.4 SSPs.

11.3 Non-Administrator Guidance

As defined in section 4.1 Authentication Methods, the module supports identity-based operator authentication and there are no specific procedures required to maintain the operator authentication data and mechanisms functionally independent. The module enters the approved mode of operation immediately after self-test is completed. The module enters the non-approved mode of operation as soon as the first non-approved service is called. The module can transition from non-approved to approved mode by rebooting the module and letting the self-test complete. Please see section 2.4 Modes of Operation for more details.

11.4 Design and Rules
Page 33

The module supports both battery power and main power by design. Powering up is defined as the process of switching from battery power to main power. All pre-operational self-tests are performed during the powering up sequence and the model automatically transitions to the operational state when the self-tests have passed. Once in this state, the module awaits service requests from the operator.

11.5 Maintenance Requirements
11.6 End of Life

Procedure for secure sanitization of the IMB-S4 at end-of-life:

  1. Remove both battery boards from the IMB-S4. This causes tampering and zeroization of the IMB-S4 module.
  2. Dispose of the board properly according to local e-waste regulations and laws.
  3. Dispose of the batteries, which contain lithium, properly according to local regulations and laws. Please ensure all components of the IMB-S4 are disposed of properly according to local regulations and laws.
12 Mitigation of Other Attacks

The IMB-S4 module does not mitigate any specific attacks beyond the scope of FIPS140-3.