All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Rocky Linux 9 Kernel Cryptographic API

Certificate#5113StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCtrl IQ, Inc.
Medium review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 3932 CVEs since this module's initial validation  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/17/2030
CaveatWhen operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorCtrl IQ, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Rocky Linux 9 Kernel Cryptographic API
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Rocky Linux 9 Kernel Cryptographic API
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Ctrl IQ, Inc. Rocky Linux 9 Kernel Cryptographic API Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 Document version: 1.1 www.atsec.com Last update: 2025-12-15 © 2025 Ctrl IQ, Inc., atsec information security.

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 Ctrl IQ, Inc., atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description8
Table 5: Approved Algorithms11
Table 6: Vendor-Affirmed Algorithms11
Table 7: Non-Approved, Not Allowed Algorithms11
Table 8: Security Function Implementations14
Table 9: Entropy Certificates16
Table 10: Entropy Sources16
Table 11: Ports and Interfaces18
Table 12: Roles19
Table 13: Approved Services24
Table 14: Non-Approved Services24
Table 15: Storage Areas30
Table 16: SSP Input-Output Methods30
Table 17: SSP Zeroization Methods31
Table 18: SSP Table 133
Table 19: SSP Table 235
Table 20: Pre-Operational Self-Tests36
Table 21: Conditional Self-Tests43
Table 22: Pre-Operational Periodic Information43
Table 23: Conditional Periodic Information47
Table 24: Error States47
Figure 1: Block Diagram7
Page 5
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version kernel rocky9.20250121; libkcapi-1.3.1-3.el9 of the Rocky Linux 9 Kernel Cryptographic API module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice.

1.1.1 How this Security Policy was Prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels © 2025 Ctrl IQ, Inc., atsec information security.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Rocky Linux 9 Kernel Cryptographic API (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a generalpurpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi shared library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. The PAA provided by the processor is located within the module’s physical perimeter and outside of the module’s cryptographic boundary. The cryptographic boundary and TOEPP are schematically represented in Figure 1. © 2025 Ctrl IQ, Inc., atsec information security.

Page 7
2.2 Tested and Vendor Affirmed Module Version and

Identification Tested Module Identification

Page 8

Operating Hardware Processors PAA/PAI Hypervisor Version(s) System Platform or Host OS Rocky SuperMicro Intel Xeon No kernel Linux 9 SuperServer E3-1270 v6 rocky9.20250121; 5039MS libkcapi 1.3.1-3.el9 Table 3: Tested Operational Environments - Software, Firmware, Hybrid The module implements Processor Algorithm Acceleration (PAA) for the tested platforms listed above. There is no Processor Algorithm Implementation (PAI). Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module.

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically Approved Mapped to approved service indicator in mode entered Section 4.3 for all approved algorithms except whenever an GCM: respective approved service function approved service returns indicator 0. For GCM: is requested crypto_aead_get_flags(tfm) has the CRYPTO_TFM_FIPS_COMPLIANCE flag set Non- Automatically Non- No service indicator required for nonapproved entered Approved approved services per IG 2.4.C mode whenever a nonapproved service is requested Table 4: Modes List and Description After passing all pre-operational self-tests and conditional self-tests executed on startup, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.

2.5 Algorithms

Approved Algorithms: © 2025 Ctrl IQ, Inc., atsec information security.

Page 9

Algorithm CAVP Cert Properties Reference AES-CBC A5837, A5840, A5843, Direction - Decrypt, Encrypt SP 800-38A A5846 Key Length - 128, 192, 256 AES-CBC-CS3 A5837, A5840, A5843, Direction - decrypt, encrypt SP 800-38A A5846 Key Length - 128, 192, 256 AES-CCM A5837, A5840, A5846 Key Length - 128, 192, 256 SP 800-38C AES-CFB128 A5837, A5840, A5846 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A5837, A5840, A5846 Direction - Generation, SP 800-38B Verification Key Length - 128, 192, 256 AES-CTR A5837, A5840, A5843, Direction - Decrypt, Encrypt SP 800-38A A5846 Key Length - 128, 192, 256 AES-ECB A5837, A5838, A5839, Direction - Decrypt, Encrypt SP 800-38A A5840, A5841, A5842, Key Length - 128, 192, 256 A5843, A5844, A5845, A5846, A5847, A5848 AES-GCM A5837, A5839, A5840, Direction - Decrypt, Encrypt SP 800-38D A5842, A5843, A5845, IV Generation - External A5846, A5848 Key Length - 128, 192, 256 AES-GCM A5838, A5841, A5844, Direction - Decrypt, Encrypt SP 800-38D A5847 IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A5837, A5840, A5846 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-KW A5837, A5840, A5846 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A5837, A5840, A5846 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS A5837, A5840, A5843, Direction - Decrypt, Encrypt SP 800-38E Testing A5846 Key Length - 128, 256 Revision 2.0 Counter DRBG A5837, A5838, A5839, Prediction Resistance - No, SP 800-90A A5840, A5841, A5842, Yes Rev. 1 A5843, A5844, A5845, Mode - AES-128, AES-192, A5846, A5847, A5848 AES-256 Derivation Function Enabled Yes Hash DRBG A5837, A5849, A5850, Prediction Resistance - No, SP 800-90A A5851 Yes Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 HMAC DRBG A5837, A5849, A5850, Prediction Resistance - No, SP 800-90A A5851 Yes Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 HMAC-SHA-1 A5837, A5849, A5850, Key Length - Key Length: 112- FIPS 198-1 A5851 524288 Increment 8 HMAC-SHA2- A5837, A5849, A5850, Key Length - Key Length: 112- FIPS 198-1

224 A5851 524288 Increment 8

© 2025 Ctrl IQ, Inc., atsec information security.

Page 10

Algorithm CAVP Cert Properties Reference HMAC-SHA2- A5837, A5849, A5850, Key Length - Key Length: 112- FIPS 198-1

256 A5851 524288 Increment 8

HMAC-SHA2- A5837, A5849, A5850, Key Length - Key Length: 112- FIPS 198-1

384 A5851 524288 Increment 8

HMAC-SHA2- A5837, A5849, A5850, Key Length - Key Length: 112- FIPS 198-1

512 A5851 524288 Increment 8

HMAC-SHA3- A5837 Key Length - Key Length: 112- FIPS 198-1

224 524288 Increment 8

HMAC-SHA3- A5837 Key Length - Key Length: 112- FIPS 198-1

256 524288 Increment 8

HMAC-SHA3- A5837 Key Length - Key Length: 112- FIPS 198-1

384 524288 Increment 8

HMAC-SHA3- A5837 Key Length - Key Length: 112- FIPS 198-1

512 524288 Increment 8

KAS-FFC-SSC A5837 Domain Parameter Generation SP 800-56A Sp800-56Ar3 Methods - ffdhe2048, Rev. 3 ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Scheme dhEphem KAS Role - initiator, responder RSA SigVer A5837 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5 Safe Primes A5837 Safe Prime Groups - SP 800-56A Key ffdhe2048, ffdhe3072, Rev. 3 Generation ffdhe4096, ffdhe6144, ffdhe8192 SHA-1 A5837, A5849, A5850, Message Length - Message FIPS 180-4 A5851 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5837, A5849, A5850, Message Length - Message FIPS 180-4 A5851 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5837, A5849, A5850, Message Length - Message FIPS 180-4 A5851 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5837, A5849, A5850, Message Length - Message FIPS 180-4 A5851 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5837, A5849, A5850, Message Length - Message FIPS 180-4 A5851 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-224 A5837 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-256 A5837 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-384 A5837 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 © 2025 Ctrl IQ, Inc., atsec information security.

Page 11

Algorithm CAVP Cert Properties Reference SHA3-512 A5837 Message Length - Message FIPS 202 Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference Asymmetric Cryptographic Key N/A SP 800-133r2, Key Generation (CKG) type:Asymmetric section 4, example Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES-GCM with external IV Encryption with external IV (not compliant to FIPS 140-3 IG C.H) KBKDF in libkcapi Key derivation with implementation not tested by CAVP HKDF in libkcapi Key derivation with implementation not tested by CAVP PBKDF2 in libkcapi Password-based key derivation with implementation not tested by CAVP RSA PKCS#1 v1.5 with Signature generation; Signature verification pre-hashed message RSA PKCS#1 v1.5 Key encapsulation (not compliant to SP 800-56Br2); Key unencapsulation (not compliant to SP 800-56Br2) RSA primitive Encryption primitive; Decryption primitive (not compliant to SP 800-56Br2) Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption BC-UnAuth Encrypt a AES-CBC: plaintext (A5837, A5840, A5843, A5846) AES-CBC-CS3: (A5837, A5840, A5843, A5846) AES-CFB128: (A5837, A5840, © 2025 Ctrl IQ, Inc., atsec information security.

Page 12

Name Type Description Properties Algorithms A5846) AES-CTR: (A5837, A5840, A5843, A5846) AES-ECB: (A5837, A5838, A5839, A5840, A5841, A5842, A5843, A5844, A5845, A5846, A5847, A5848) AES-OFB: (A5837, A5840, A5846) AES-XTS Testing Revision 2.0: (A5837, A5840, A5843, A5846) Decryption BC-UnAuth Decrypt a AES-CBC: ciphertext (A5837, A5840, A5843, A5846) AES-CBC-CS3: (A5837, A5840, A5843, A5846) AES-CFB128: (A5837, A5840, A5846) AES-CTR: (A5837, A5840, A5843, A5846) AES-ECB: (A5837, A5838, A5839, A5840, A5841, A5842, A5843, A5844, A5845, A5846, A5847, A5848) AES-OFB: (A5837, A5840, A5846) AES-XTS Testing Revision 2.0: (A5837, A5840, A5843, A5846) Authenticated BC-Auth Encrypt and AES-CCM: encryption authenticate a (A5837, A5840, plaintext A5846) AES-GCM: (A5838, A5841, A5844, A5847) AES-KW: (A5837, A5840, A5846) © 2025 Ctrl IQ, Inc., atsec information security.

Page 13

Name Type Description Properties Algorithms Authenticated BC-UnAuth Decrypt and AES-CCM: decryption authenticate a (A5837, A5840, ciphertext A5846) AES-GCM: (A5837, A5839, A5840, A5842, A5843, A5845, A5846, A5848) AES-KW: (A5837, A5840, A5846) Message digest SHA Compute a SHA-1: (A5837, message digest A5849, A5850, A5851) SHA2-224: (A5837, A5849, A5850, A5851) SHA2-256: (A5837, A5849, A5850, A5851) SHA2-384: (A5837, A5849, A5850, A5851) SHA2-512: (A5837, A5849, A5850, A5851) SHA3-224: (A5837) SHA3-256: (A5837) SHA3-384: (A5837) SHA3-512: (A5837) Message MAC Compute a MAC AES-CMAC: authentication tag (A5837, A5840, A5846) AES-GMAC: (A5837, A5840, A5846) HMAC-SHA-1: (A5837, A5849, A5850, A5851) HMAC-SHA2224: (A5837, A5849, A5850, A5851) HMAC-SHA2256: (A5837, A5849, A5850, A5851) HMAC-SHA2384: (A5837, © 2025 Ctrl IQ, Inc., atsec information security.

Page 14

Name Type Description Properties Algorithms A5849, A5850, A5851) HMAC-SHA2512: (A5837, A5849, A5850, A5851) HMAC-SHA3224: (A5837) HMAC-SHA3256: (A5837) HMAC-SHA3384: (A5837) HMAC-SHA3512: (A5837) Random DRBG Generate Counter DRBG: number random bytes (A5837, A5838, generation A5839, A5840, A5841, A5842, A5843, A5844, A5845, A5846, A5847, A5848) Hash DRBG: (A5837, A5849, A5850, A5851) HMAC DRBG: (A5837, A5849, A5850, A5851) Shared secret KAS-SSC Compute a Compliance:FIPS KAS-FFC-SSC computation shared secret 140-3 IG D.F Sp800-56Ar3: Scenario 2(1) (A5837) Signature DigSig-SigVer Verify a digital RSA SigVer verification signature (FIPS186-5): (A5837) Key pair CKG Generate a key Safe Primes Key generation pair Generation: (A5837) Asymmetric Cryptographic Key Generation (CKG): () Key type: Asymmetric Table 8: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES-GCM IV

For IPsec, the module offers the AES-GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs © 2025 Ctrl IQ, Inc., atsec information security.

Page 15

generated using this mechanism may only be used in the context of AES-GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES-GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES-GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES-GCM handle. When this is the case, the API will not set an approved service indicator, as described in this document.

2.7.2 AES-XTS

The length of a single data unit encrypted or decrypted with AES-XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. As the module does not implement symmetric key generation, this check is performed when the keys are input by the operator. Key_1 and Key_2 shall be generated and/or established independently according to the rules for component symmetric keys from NIST SP 800-133r2, Section 6.3.

2.7.3 RSA

All supported modulus sizes for RSA signature verification have been CAVP tested.

2.7.4 SP 800-56Ar3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the Diffie-Hellman shared secret computation algorithms with the NVMe and Bluetooth related protocols. Additionally, the module’s approved key pair generation service must be used to generate ephemeral Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3.

2.7.5 SHA-1

© 2025 Ctrl IQ, Inc., atsec information security.

Page 16

Digital signature generation using SHA-1 is non-approved and not allowed in approved services.

2.7.6 Authenticated Encryption/Decryption

The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS.

2.7.7 Key Agreement

The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS.

2.8 RBG and Entropy

Cert Vendor Number Name E205 Ctrl IQ, Inc. Table 9: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample Rocky Linux Non- Rocky Linux 9 on 256 bits 256 bits SHA3-256 Kernel CPU Time Physical Intel Kaby Lake Xeon (A5837) Jitter RNG E3-1270 v6 Entropy Source Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: Counter DRBG, Hash DRBG, and HMAC DRBG. Each of these DRBG implementations can be instantiated by the operator of the module, using the parameters listed specified in the Security Function Implementations table. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA-512 DRBG implementation for internal purposes (e.g. to generate asymmetric key pairs). The module complies with the Public Use Document for ESV certificate E260 by reading entropy data from the jent_kcapi_random() function, which corresponds to the GetEntropy() conceptual interface. This function outputs 256 bits of full entropy. The HMAC-SHA-512 DRBG is instantiated with a 384-bit entropy input and reseeded with a 256-bits long entropy input. Outputs of multiple GetEntropy() calls are concatenated to receive the entropy input length greater than 256 bits. The output is truncated to get the entropy input string which is not a multiple of 256. The operational environment on the ESV certificate is identical to the operating system described in this document, and the entropy source is implemented inside the cryptographic © 2025 Ctrl IQ, Inc., atsec information security.

Page 17

boundary. Thus, the module is compliant with scenario 1 of IG 9.3.A. There are no maintenance requirements for the entropy source.

2.9 Key Generation

The module implements asymmetric key pair generation compliant with SP 800-133r2, as listed in the Security Function Implementations table in Section 2.6. When random values are required, they are directly obtained as output from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2 (without XOR). Intermediate key generation values are not output from the module and are explicitly zeroized after processing the service.

2.10 Key Establishment

The module implements shared secret computation methods as listed in the Security Function Implementations table in Section 2.6.

2.11 Industry Protocols

AES-GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. Diffie-Hellman shall only be used with the NVMe related protocol. No parts of the NVMe or IPSec protocols, other than those mentioned above, have been tested by the CAVP and CMVP. © 2025 Ctrl IQ, Inc., atsec information security.

Page 18
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type input sockets N/A Data Output API data output parameters, AF_ALG type output sockets, /proc/sys/crypto virtual files N/A Control Input API function calls, API control input parameters, AF_ALG type input sockets N/A Status API return values, AF_ALG type output sockets, kernel logs Output Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design and AF_ALG type socket message types. The module does not implement a control output interface. © 2025 Ctrl IQ, Inc., atsec information security.

Page 19
4 Roles, Services, and Authentication
4.1 Authentication Methods

The module does not implement any authentication methods.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role Crypto Officer None Table 12: Roles No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns Encryptio Encrypt crypto_skcipher_setkey AES Ciphert Encryptio Crypto n a returns 0 key, ext n Officer plaintext plaintex - AES t, IV (if key: require W,E d) Decryptio Decrypt crypto_skcipher_setkey AES Plaintex Decryptio Crypto n a returns 0 key, t n Officer cipherte ciphert - AES xt ext, IV key: (if W,E require d) Authentic Encrypt For all except AES GCM: AES Ciphert Authentic Crypto ated and crypto_aead_setkey key, ext, ated Officer encryptio authenti returns 0; For AES GCM: plaintex MAC encryptio - AES n cate a crypto_aead_get_flags(t t, IV tag n key: plaintext fm) has the (CCM/G (CCM/G W,E CRYPTO_TFM_FIPS_COM CM) CM) PLIANCE flag set Authentic Decrypt crypto_aead_setkey AES Plaintex Authentic Crypto ated and returns 0 key, t or ated Officer decryptio authenti ciphert failure decryptio - AES n cate a ext, IV n key: cipherte (CCM/G W,E xt CM), MAC tag (CCM/G CM) © 2025 Ctrl IQ, Inc., atsec information security.

Page 20

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns Message Compute crypto_shash_init Messag Digest Message Crypto digest a returns 0 e value digest Officer message digest Message Compute crypto_shash_init AES key MAC Message Crypto authentic a MAC returns 0 or tag authentic Officer ation tag HMAC ation - AES key, key: messag W,E e - HMAC key: W,E Random Generate crypto_rng_get_bytes Output Random Random Crypto number random returns 0 length bytes number Officer generatio bytes generatio n n Entropy input (IG D.L): G,E,Z CTR_DR BG seed (IG D.L): G,E,Z HMAC_D RBG seed (IG D.L): G,E,Z Hash_D RBG seed (IG D.L): G,E,Z CTR_DR BG internal state (V, Key) (IG D.L): G,W,E HMAC_D RBG internal state (V, Key) (IG D.L): © 2025 Ctrl IQ, Inc., atsec information security.

Page 21

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns G,W,E Hash_D RBG internal state (V, C) (IG D.L): G,W,E Shared Compute crypto_kpp_compute_s Owner Shared Shared Crypto secret a shared hared_secret returns 0 private secret secret Officer computat secret key, computat - DH ion peer ion private public key: key W,E - DH public key: W,E - Shared secret: G,R Key pair Generate crypto_kpp_set_secret Group Key pair Key pair Crypto generatio a key and generatio Officer n pair crypto_kpp_generate_p n - DH ublic_key return 0 private key: G,R - DH public key: G,R Interme diate key generati on value: G,E,Z Error Compute None Messag EDC None Crypto detection an EDC e Officer code (crc32, crc32c, crct10dif ) Compres Compres None Data Compre None Crypto sion s data ssed Officer (deflate, data lz4, lz4hc, lzo, zlib© 2025 Ctrl IQ, Inc., atsec information security.

Page 22

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns deflate, zstd) Generic Use the None Identifi Various None Crypto system kernel to er, return Officer call perform various values various argume non- nts cryptogr aphic operatio ns Show Return None N/A Module None Crypto version the name Officer module and name version and version informati on Show Return None N/A Module None Crypto status the status Officer module status Self-test Perform None N/A Pass/fail Encryptio Crypto the n Officer CASTs Decryptio and n integrity Authentic tests ated encryptio n Authentic ated decryptio n Message digest Message authentic ation Random number generatio n Shared secret computat ion Signature verificati on © 2025 Ctrl IQ, Inc., atsec information security.

Page 23

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns Key pair generatio n Zeroizati Zeroize None Any N/A None Crypto on SSPs SSP Officer - AES key: Z - HMAC key: Z - Shared secret: Z Entropy input (IG D.L): Z CTR_DR BG seed (IG D.L): Z HMAC_D RBG seed (IG D.L): Z Hash_D RBG seed (IG D.L): Z CTR_DR BG internal state (V, Key) (IG D.L): Z HMAC_D RBG internal state (V, Key) (IG D.L): Z Hash_D RBG internal state (V, C) (IG © 2025 Ctrl IQ, Inc., atsec information security.

Page 24

Name Descrip Indicator Inputs Output Security SSP tion s Functio Access ns D.L): Z - DH public key: Z - DH private key: Z Interme diate key generati on value: Z Table 13: Approved Services For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP.

4.4 Non-Approved Services

Name Description Algorithms Role AES-GCM with Encrypt and authenticate a AES-GCM with Crypto external IV encryption plaintext using AES-GCM with external IV Officer an external IV Key derivation Derive a key from a key- KBKDF in libkcapi Crypto derivation key, shared secret, HKDF in libkcapi Officer or password PBKDF2 in libkcapi Pre-hashed message Generate a digital signature RSA PKCS#1 v1.5 Crypto signature generation for a pre-hashed message with pre-hashed Officer message Pre-hashed message Verify a digital signature for a RSA PKCS#1 v1.5 Crypto signature verification pre-hashed message with pre-hashed Officer message Key encapsulation Key encapsulation using RSA RSA PKCS#1 v1.5 Crypto PKCS#1 v1.5 Officer Key un-encapsulation Key un-encapsulation using RSA PKCS#1 v1.5 Crypto RSA PKCS#1 v1.5 Officer Encryption primitive Compute the RSA encryption RSA primitive Crypto primitive Officer Decryption primitive Compute the RSA decryption RSA primitive Crypto primitive Officer Table 14: Non-Approved Services © 2025 Ctrl IQ, Inc., atsec information security.

Page 25
4.5 External Software/Firmware Loaded

The module does not load external software or firmware. © 2025 Ctrl IQ, Inc., atsec information security.

Page 26
5 Software/Firmware Security
5.1 Integrity Techniques

On system boot, the sha512hmac binary and libkcapi library are first integrity tested using the HMAC-SHA2-512 and HMAC-SHA2-256 algorithms (respectively) implemented by the module. Then, the kernel binary is integrity tested using the HMAC-SHA2-512 algorithm. These tests are all performed using a key hardcoded in the sha512hmac binary, by recomputing the MAC tags and verifying they are equal to the MAC tags specified in the .hmac file. Finally, the kernel crypto object files are loaded on start-up by the kernel binary and verified using RSA signature verification with PKCS#1 v1.5 padding, SHA2-256, and a hardcoded 3072bit key. The signature is stored inside the kernel object file. If the signature verification fails, the integrity test is unsuccessful.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module (i.e., rebooting the system), which will perform (among others) the software integrity tests. © 2025 Ctrl IQ, Inc., atsec information security.

Page 27
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Ctrl IQ, Inc., atsec information security.

Page 28
7 Physical Security

The module is comprised of software only and therefore this section is not applicable. © 2025 Ctrl IQ, Inc., atsec information security.

Page 29
8 Non-Invasive Security

The module does not implement any non-invasive security mechanisms. © 2025 Ctrl IQ, Inc., atsec information security.

Page 30
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name Module Temporary storage for SSPs used by the module as part of Dynamic RAM service execution Table 15: Storage Areas The module does not perform persistent storage of SSPs; SSPs in use by the module exist in volatile memory only. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator Module Plaintext Manual Electronic parameters calling RAM application (TOEPP) AF_ALG Operator Module Plaintext Manual Electronic type input calling RAM sockets application (TOEPP) API output Module Operator Plaintext Manual Electronic parameters RAM calling application (TOEPP) AF_ALG Module Operator Plaintext Manual Electronic type output RAM calling sockets application (TOEPP) Table 16: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate handle SSPs contained SSPs is overwritten zeroization functions: AES key: within the with zeroes, which crypto_free_skcipher and cipher handle renders the SSP crypto_free_aead; HMAC key: values irretrievable. crypto_free_shash and The completion of crypto_free_ahash; Entropy the zeroization input: crypto_free_rng; DRBG routine indicates seed: crypto_free_rng; DRBG that the zeroization internal state: crypto_free_rng; © 2025 Ctrl IQ, Inc., atsec information security.

Page 31

Zeroization Description Rationale Operator Initiation Method procedure DH public key & DH private key: succeeded. crypto_free_kpp Remove De-allocates Volatile memory By removing power power from the volatile used by the module the module memory used is overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. Automatic Automatically Memory occupied by N/A zeroized by the SSPs is overwritten module when with zeroes, which no longer renders the SSP needed values irretrievable. Table 17: SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Descripti Size - Type - Generat Establish Used By on Strengt Category ed By ed By h AES key Symmetric 128, 256 Symmetric Encryption key used bits key - CSP Decryption for AES (AES- Authenticat operations XTS); ed 128, encryption 192, 256 Authenticat bits ed (others) - decryption 128, 256 Message bits authenticati (AES- on XTS); 128, 192, 256 bits (others) HMAC key Symmetric 112- Authenticati Message key used 524288 on key - CSP authenticati for HMAC bits - on operations 112-256 bits Shared Shared ffdhe204 Shared Shared secret secret 8, secret - CSP secret generated ffdhe307 © 2025 Ctrl IQ, Inc., atsec information security.

Page 32

Name Descripti Size - Type - Generat Establish Used By on Strengt Category ed By ed By h by (EC) 2, computati Diffie- ffdhe409 on Hellman 6, ffdhe614 4, ffdhe819

2 - 112-
200 bits

Entropy Entropy 128-384 Entropy Random Random input (IG input used bits - input - CSP number number D.L) to seed 128-384 generatio generation DRBGs (IG bits n D.L) CTR_DRBG CTR_DRBG 256, Seed - CSP Random Random seed (IG seed 320, 384 number number D.L) derived bits - generatio generation from 128, n entropy 192, 256 input and bits additional data (IG D.L) Hash_DRB Hash_DRB 440, 888 Seed - CSP Random Random G seed (IG G seed bits - number number D.L) derived 128, 256 generatio generation from bits n entropy input and additional data (IG D.L) HMAC_DR HMAC_DR 440, 888 Seed - CSP Random Random BG seed BG seed bits - number number (IG D.L) derived 128, 256 generatio generation from bits n entropy input and additional data (IG D.L) CTR_DRBG Internal 256, Internal Random Random internal state of 320, 348 state - CSP number number state (V, CTR_DRBG bits - generatio generation Key) (IG (IG D.L) 128, n D.L) 192, 256 bits HMAC_DR Internal 320, Internal Random Random BG state of 512, state - CSP number number internal HMAC_DR 1024 bits generatio generation state (V, BG (IG - 128, n D.L) 256 bits © 2025 Ctrl IQ, Inc., atsec information security.

Page 33

Name Descripti Size - Type - Generat Establish Used By on Strengt Category ed By ed By h Key) (IG D.L) Hash_DRB Internal 880, Internal Random Random G internal state of 1776 bits state - CSP number number state (V, Hash_DRB - 128, generatio generation C) (IG D.L) G (IG D.L) 256 bits n DH private Private ffdhe204 Private key - Key pair Shared key key used 8, CSP generatio secret for Diffie- ffdhe307 n computatio Hellman 2, n ffdhe409 6, ffdhe614 4, ffdhe819

2 - 112-
200 bits

DH public Public key ffdhe204 Public key - Key pair Shared key used for 8, PSP generatio secret Diffie- ffdhe307 n computatio Hellman 2, n ffdhe409 6, ffdhe614 4, ffdhe819

2 - 112-
200 bits

Intermedia Temporary 2048- Intermediat Key pair te key value 8192 bits e value - generatio generation generated - 112- CSP n value during key 200 bits pair generation services Table 18: SSP Table 1 Name Input - Storage Storage Zeroization Related Output Duration SSPs AES key API input Module Until cipher Free cipher parameters RAM:Plaintext handle is handle AF_ALG freed or Remove type input module is power from sockets powered off the module HMAC key API input Module Until cipher Free cipher parameters RAM:Plaintext handle is handle AF_ALG freed or Remove type input module is power from sockets powered off the module © 2025 Ctrl IQ, Inc., atsec information security.

Page 34

Name Input - Storage Storage Zeroization Related Output Duration SSPs Shared API output Module For the Remove secret parameters RAM:Plaintext duration of power from AF_ALG the service the module type output sockets Entropy input Module From Automatic CTR_DRBG (IG D.L) RAM:Plaintext generation seed (IG until DRBG D.L):Derives seed is HMAC_DRBG created seed (IG D.L):Derives Hash_DRBG seed (IG D.L):Derives CTR_DRBG Module While the Automatic Entropy input seed (IG D.L) RAM:Plaintext DRBG is (IG being D.L):Derived instantiated From CTR_DRBG internal state (V, Key) (IG D.L):Derives Hash_DRBG Module While the Automatic Entropy input seed (IG D.L) RAM:Plaintext DRBG is (IG being D.L):Derived instantiated From Hash_DRBG internal state (V, C) (IG D.L):Derives HMAC_DRBG Module While the Automatic Entropy input seed (IG D.L) RAM:Plaintext DRBG is (IG being D.L):Derived instantiated From HMAC_DRBG internal state (V, Key) (IG D.L):Derives CTR_DRBG Module Until cipher Free cipher CTR_DRBG internal state RAM:Plaintext handle is handle seed (IG (V, Key) (IG freed or Remove D.L):Derived D.L) module is power from From powered off the module HMAC_DRBG Module Until cipher Free cipher HMAC_DRBG internal state RAM:Plaintext handle is handle seed (IG (V, Key) (IG freed or Remove D.L):Derived D.L) module is power from From powered off the module Hash_DRBG Module Until cipher Free cipher Hash_DRBG internal state RAM:Plaintext handle is handle seed (IG (V, C) (IG freed or Remove D.L):Derived D.L) From © 2025 Ctrl IQ, Inc., atsec information security.

Page 35

Name Input - Storage Storage Zeroization Related Output Duration SSPs module is power from powered off the module DH private API input Module Until cipher Free cipher DH public key parameters RAM:Plaintext handle is handle key:Paired API output freed or Remove With parameters module is power from AF_ALG powered off the module type input sockets AF_ALG type output sockets DH public API input Module Until cipher Free cipher DH private key parameters RAM:Plaintext handle is handle key:Paired API output freed or Remove With parameters module is power from AF_ALG powered off the module type input sockets AF_ALG type output sockets Intermediate Module For the Automatic key RAM:Plaintext duration of generation the service value Table 19: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 Ctrl IQ, Inc., atsec information security.

Page 36
10 Self-Tests

While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed. If any of the self-tests fails, the module immediately transitions to the error state.

10.1 Pre-Operational Self-Tests

Algorithm or Test Test Method Test Indicator Details Test Properties Type HMAC-SHA2- 128-bit key Message SW/FW Module Integrity test

512 (A5851) - authentication Integrity

becomes for sha512hmac operational sha512hmac and services binary are available for use HMAC-SHA2- 256-bit key Message SW/FW Module Integrity test

256 (A5851) - authentication Integrity becomes for libkcapi

libkcapi operational shared library library and services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module Integrity test

512 (A5851) - authentication Integrity becomes for kernel

kernel operational binary and services are available for use RSA SigVer 3072-bit key Signature SW/FW Module Integrity test (FIPS186-5) with SHA2- verification Integrity becomes for kernel (A5837) 256 operational object files and services are available for use Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state.

10.2 Conditional Self-Tests

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e AES-CBC - 128, 192, KAT CAS Module is Encryption Module Encrypt 256-bit T operational initializatio keys n AES-CBC - 128, 192, KAT CAS Module is Decryption Module Decrypt 256-bit T operational initializatio keys n © 2025 Ctrl IQ, Inc., atsec information security.

Page 37

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e AES-CBC 128, 192, KAT CAS Module is Encryption Module (A5843) - 256-bit T operational initializatio Encrypt keys n AES-CBC 128, 192, KAT CAS Module is Decryption Module (A5843) - 256-bit T operational initializatio Decrypt keys n AES-CBC 128, 192, KAT CAS Module is Encryption Module (A5846) - 256-bit T operational initializatio Encrypt keys n AES-CBC 128, 192, KAT CAS Module is Decryption Module (A5846) - 256-bit T operational initializatio Decrypt keys n AES-CBC- 128-bit KAT CAS Module is Encryption Module CS3 - keys T operational initializatio Encrypt n AES-CBC- 128-bit KAT CAS Module is Decryption Module CS3 - keys T operational initializatio Decrypt n AES-CBC- 128-bit KAT CAS Module is Encryption Module CS3 keys T operational initializatio (A5843) - n Encrypt AES-CBC- 128-bit KAT CAS Module is Decryption Module CS3 keys T operational initializatio (A5843) - n Decrypt AES-CCM - 128, 192, KAT CAS Module is Encryption Module Encrypt 256-bit T operational initializatio keys n AES-CCM - 128, 192, KAT CAS Module is Decryption Module Decrypt 256-bit T operational initializatio keys n AES-CCM 128, 192, KAT CAS Module is Encryption Module (A5846) - 256-bit T operational initializatio Encrypt keys n AES-CCM 128, 192, KAT CAS Module is Decryption Module (A5846) - 256-bit T operational initializatio Decrypt keys n AES- 128, 192, KAT CAS Module is Encryption Module CFB128 - 256-bit T operational initializatio Encrypt keys n AES- 128, 192, KAT CAS Module is Decryption Module CFB128 - 256-bit T operational initializatio Decrypt keys n AES- 128, 192, KAT CAS Module is Encryption Module CFB128 256-bit T operational initializatio (A5846) - keys n Encrypt © 2025 Ctrl IQ, Inc., atsec information security.

Page 38

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e AES- 128, 192, KAT CAS Module is Decryption Module CFB128 256-bit T operational initializatio (A5846) - keys n Decrypt AES-CTR - 128, 192, KAT CAS Module is Encryption Module Encrypt 256-bit T operational initializatio keys n AES-CTR - 128, 192, KAT CAS Module is Decryption Module Decrypt 256-bit T operational initializatio keys n AES-CTR 128, 192, KAT CAS Module is Encryption Module (A5843) - 256-bit T operational initializatio Encrypt keys n AES-CTR 128, 192, KAT CAS Module is Decryption Module (A5843) - 256-bit T operational initializatio Decrypt keys n AES-ECB - 128, 192, KAT CAS Module is Encryption Module Encrypt 256-bit T operational initializatio keys n AES-ECB - 128, 192, KAT CAS Module is Decryption Module Decrypt 256-bit T operational initializatio keys n AES-ECB 128, 192, KAT CAS Module is Encryption Module (A5840) - 256-bit T operational initializatio Encrypt keys n AES-ECB 128, 192, KAT CAS Module is Encryption Module (A5843) - 256-bit T operational initializatio Encrypt keys n AES-ECB 128, 192, KAT CAS Module is Decryption Module (A5843) - 256-bit T operational initializatio Decrypt keys n AES-GCM 128, 192, KAT CAS Module is Encryption Module - Encrypt 256-bit T operational initializatio keys n AES-GCM 128, 192, KAT CAS Module is Decryption Module - Decrypt 256-bit T operational initializatio keys n AES-GCM 128, 192, KAT CAS Module is Encryption Module (A5845) - 256-bit T operational initializatio Encrypt keys n AES-GCM 128, 192, KAT CAS Module is Decryption Module (A5845) - 256-bit T operational initializatio Decrypt keys n AES-OFB - 128-bit KAT CAS Module is Encryption Module Encrypt keys T operational initializatio n AES-OFB - 128-bit KAT CAS Module is Decryption Module Decrypt keys T operational initializatio n © 2025 Ctrl IQ, Inc., atsec information security.

Page 39

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e AES-OFB 128-bit KAT CAS Module is Encryption Module (A5846) - keys T operational initializatio Encrypt n AES-OFB 128-bit KAT CAS Module is Decryption Module (A5846) - keys T operational initializatio Decrypt n AES-XTS 256, 512- KAT CAS Module is Encryption Module Testing bit keys T operational initializatio Revision n

2.0 -

Encrypt AES-XTS 256, 512- KAT CAS Module is Decryption Module Testing bit keys T operational initializatio Revision n

2.0 -

Decrypt AES-XTS 256, 512- KAT CAS Module is Encryption Module Testing bit keys T operational initializatio Revision n 2.0 (A5843) Encrypt AES-XTS 256, 512- KAT CAS Module is Decryption Module Testing bit keys T operational initializatio Revision n 2.0 (A5843) Decrypt SHA-1 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n SHA-1 0-8184-bit KAT CAS Module is Message Module (A5849) messages T operational digest initializatio n SHA-1 0-8184-bit KAT CAS Module is Message Module (A5850) messages T operational digest initializatio n SHA-1 0-8184-bit KAT CAS Module is Message Module (A5851) messages T operational digest initializatio n SHA2-224 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n SHA2-224 0-8184-bit KAT CAS Module is Message Module (A5849) messages T operational digest initializatio n SHA2-224 0-8184-bit KAT CAS Module is Message Module (A5850) messages T operational digest initializatio n © 2025 Ctrl IQ, Inc., atsec information security.

Page 40

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e SHA2-224 0-8184-bit KAT CAS Module is Message Module (A5851) messages T operational digest initializatio n SHA2-256 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n SHA2-256 0-8184-bit KAT CAS Module is Message Module (A5849) messages T operational digest initializatio n SHA2-256 0-8184-bit KAT CAS Module is Message Module (A5850) messages T operational digest initializatio n SHA2-256 0-8184-bit KAT CAS Module is Message Module (A5851) messages T operational digest initializatio n SHA2-384 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n SHA2-384 0-8184-bit KAT CAS Module is Message Module (A5849) messages T operational digest initializatio n SHA2-384 0-8184-bit KAT CAS Module is Message Module (A5850) messages T operational digest initializatio n SHA2-384 0-8184-bit KAT CAS Module is Message Module (A5851) messages T operational digest initializatio n SHA2-512 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n SHA2-512 0-8184-bit KAT CAS Module is Message Module (A5849) messages T operational digest initializatio n SHA2-512 0-8184-bit KAT CAS Module is Message Module (A5850) messages T operational digest initializatio n SHA2-512 0-8184-bit KAT CAS Module is Message Module (A5851) messages T operational digest initializatio n SHA3-224 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n SHA3-256 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n SHA3-384 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n © 2025 Ctrl IQ, Inc., atsec information security.

Page 41

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e SHA3-512 0-8184-bit KAT CAS Module is Message Module (A5837) messages T operational digest initializatio n AES-CMAC 128, 256- KAT CAS Module is Message Module bit keys T operational authenticatio initializatio n n AES-CMAC 128, 256- KAT CAS Module is Message Module (A5846) bit keys T operational authenticatio initializatio n n HMAC- 32-64-bit KAT CAS Module is Message Module SHA-1 keys T operational authenticatio initializatio n n HMAC- 32-64-bit KAT CAS Module is Message Module SHA-1 keys T operational authenticatio initializatio (A5851) n n HMAC- 32-1048- KAT CAS Module is Message Module SHA2-224 bit keys T operational authenticatio initializatio n n HMAC- 32-1048- KAT CAS Module is Message Module SHA2-224 bit keys T operational authenticatio initializatio (A5851) n n HMAC- 32-64-bit KAT CAS Module is Message Module SHA2-256 keys T operational authenticatio initializatio n n HMAC- 32-64-bit KAT CAS Module is Message Module SHA2-256 keys T operational authenticatio initializatio (A5851) n n HMAC- 32-1048- KAT CAS Module is Message Module SHA2-384 bit keys T operational authenticatio initializatio n n HMAC- 32-1048- KAT CAS Module is Message Module SHA2-384 bit keys T operational authenticatio initializatio (A5851) n n HMAC- 32-1048- KAT CAS Module is Message Module SHA2-512 bit keys T operational authenticatio initializatio n n HMAC- 32-1048- KAT CAS Module is Message Module SHA2-512 bit keys T operational authenticatio initializatio (A5851) n n HMAC- 32-1048- KAT CAS Module is Message Module SHA3-224 bit keys T operational authenticatio initializatio (A5837) n n HMAC- 32-1048- KAT CAS Module is Message Module SHA3-256 bit keys T operational authenticatio initializatio (A5837) n n HMAC- 32-1048- KAT CAS Module is Message Module SHA3-384 bit keys T operational authenticatio initializatio (A5837) n n © 2025 Ctrl IQ, Inc., atsec information security.

Page 42

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e HMAC- 32-1048- KAT CAS Module is Message Module SHA3-512 bit keys T operational authenticatio initializatio (A5837) n n Counter AES-128, KAT CAS Module is Instantiate, Module DRBG AES-192, T operational seed, reseed, initializatio AES-256 generate n with/witho (compliant to ut SP 800prediction 90Ar1 resistance Section 11.3) Hash SHA-1, KAT CAS Module is Instantiate, Module DRBG SHA2-256, T operational seed, reseed, initializatio SHA2-512 generate n with/witho (compliant to ut SP 800prediction 90Ar1 resistance Section 11.3) HMAC SHA-1, KAT CAS Module is Instantiate, Module DRBG SHA2-256, T operational seed, reseed, initializatio SHA2-512 generate n with/witho (compliant to ut SP 800prediction 90Ar1 resistance Section 11.3) KAS-FFC- ffdhe2048 KAT CAS Module is Shared Module SSC T operational secret initializatio Sp800- computation n 56Ar3 (A5837) RSA PKCS#1 KAT CAS Module is Signature Module SigVer v1.5 with T operational verification initializatio (FIPS186- SHA-512 n 5) and 4096(A5837) bit key Safe N/A PCT PCT Key pair SP 800- Key pair Primes generation is 56Ar3 generation Key successful Section Generatio 5.6.2.1.4 n (A5837) Entropy Cutoff C = APT CAS Entropy source is Entropy Entropy source - 325; T operational source start- source Init APT Windows up test on initializatio size = 512 1024 n samples Entropy Cutoff C = RCT CAS Entropy source is Entropy Entropy source - 31 T operational source start- source Init RCT up test on initializatio

1024 n

samples Entropy Cutoff C = APT CAS jent_kcapi_rando Entropy Continuousl source - 355; T m returns 0 source y as © 2025 Ctrl IQ, Inc., atsec information security.

Page 43

Algorith Test Test Test Indicator Details Conditions m or Propertie Metho Typ Test s d e Continuou Windows continuous entropy is s APT size = 512 test requested Entropy Cutoff C = RCT CAS jent_kcapi_rando Entropy Continuousl source - 61 T m returns 0 source y as Continuou continuous entropy is s RCT test requested Table 21: Conditional Self-Tests Data output through the data output interface is inhibited during the conditional self-tests. The module does not return control to the calling application until the tests are completed. If any of these tests fails, the module transitions to the error state (Section 10.4).

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually

512 (A5851) - authentication

sha512hmac HMAC-SHA2- Message SW/FW Integrity On demand Manually

256 (A5851) - authentication

libkcapi library HMAC-SHA2- Message SW/FW Integrity On demand Manually

512 (A5851) - authentication

kernel RSA SigVer Signature SW/FW Integrity On demand Manually (FIPS186-5) verification (A5837) Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC - KAT CAST On demand Manually Encrypt AES-CBC - KAT CAST On demand Manually Decrypt AES-CBC KAT CAST On demand Manually (A5843) Encrypt AES-CBC KAT CAST On demand Manually (A5843) Decrypt AES-CBC KAT CAST On demand Manually (A5846) Encrypt AES-CBC KAT CAST On demand Manually (A5846) Decrypt © 2025 Ctrl IQ, Inc., atsec information security.

Page 44

Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC-CS3 - KAT CAST On demand Manually Encrypt AES-CBC-CS3 - KAT CAST On demand Manually Decrypt AES-CBC-CS3 KAT CAST On demand Manually (A5843) Encrypt AES-CBC-CS3 KAT CAST On demand Manually (A5843) Decrypt AES-CCM - KAT CAST On demand Manually Encrypt AES-CCM - KAT CAST On demand Manually Decrypt AES-CCM KAT CAST On demand Manually (A5846) Encrypt AES-CCM KAT CAST On demand Manually (A5846) Decrypt AES-CFB128 - KAT CAST On demand Manually Encrypt AES-CFB128 - KAT CAST On demand Manually Decrypt AES-CFB128 KAT CAST On demand Manually (A5846) Encrypt AES-CFB128 KAT CAST On demand Manually (A5846) Decrypt AES-CTR - KAT CAST On demand Manually Encrypt AES-CTR - KAT CAST On demand Manually Decrypt AES-CTR KAT CAST On demand Manually (A5843) Encrypt AES-CTR KAT CAST On demand Manually (A5843) Decrypt AES-ECB - KAT CAST On demand Manually Encrypt AES-ECB - KAT CAST On demand Manually Decrypt AES-ECB KAT CAST On demand Manually (A5840) Encrypt AES-ECB KAT CAST On demand Manually (A5843) Encrypt © 2025 Ctrl IQ, Inc., atsec information security.

Page 45

Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On demand Manually (A5843) Decrypt AES-GCM - KAT CAST On demand Manually Encrypt AES-GCM - KAT CAST On demand Manually Decrypt AES-GCM KAT CAST On demand Manually (A5845) Encrypt AES-GCM KAT CAST On demand Manually (A5845) Decrypt AES-OFB - KAT CAST On demand Manually Encrypt AES-OFB - KAT CAST On demand Manually Decrypt AES-OFB KAT CAST On demand Manually (A5846) Encrypt AES-OFB KAT CAST On demand Manually (A5846) Decrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 Encrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 Decrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5843) Encrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5843) Decrypt SHA-1 (A5837) KAT CAST On demand Manually SHA-1 (A5849) KAT CAST On demand Manually SHA-1 (A5850) KAT CAST On demand Manually SHA-1 (A5851) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually (A5837) SHA2-224 KAT CAST On demand Manually (A5849) SHA2-224 KAT CAST On demand Manually (A5850) SHA2-224 KAT CAST On demand Manually (A5851) SHA2-256 KAT CAST On demand Manually (A5837) © 2025 Ctrl IQ, Inc., atsec information security.

Page 46

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-256 KAT CAST On demand Manually (A5849) SHA2-256 KAT CAST On demand Manually (A5850) SHA2-256 KAT CAST On demand Manually (A5851) SHA2-384 KAT CAST On demand Manually (A5837) SHA2-384 KAT CAST On demand Manually (A5849) SHA2-384 KAT CAST On demand Manually (A5850) SHA2-384 KAT CAST On demand Manually (A5851) SHA2-512 KAT CAST On demand Manually (A5837) SHA2-512 KAT CAST On demand Manually (A5849) SHA2-512 KAT CAST On demand Manually (A5850) SHA2-512 KAT CAST On demand Manually (A5851) SHA3-224 KAT CAST On demand Manually (A5837) SHA3-256 KAT CAST On demand Manually (A5837) SHA3-384 KAT CAST On demand Manually (A5837) SHA3-512 KAT CAST On demand Manually (A5837) AES-CMAC KAT CAST On demand Manually AES-CMAC KAT CAST On demand Manually (A5846) HMAC-SHA-1 KAT CAST On demand Manually HMAC-SHA-1 KAT CAST On demand Manually (A5851) HMAC-SHA2- KAT CAST On demand Manually HMAC-SHA2- KAT CAST On demand Manually

224 (A5851)

HMAC-SHA2- KAT CAST On demand Manually HMAC-SHA2- KAT CAST On demand Manually

256 (A5851)

HMAC-SHA2- KAT CAST On demand Manually HMAC-SHA2- KAT CAST On demand Manually

384 (A5851)

HMAC-SHA2- KAT CAST On demand Manually © 2025 Ctrl IQ, Inc., atsec information security.

Page 47

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT CAST On demand Manually

512 (A5851)

HMAC-SHA3- KAT CAST On demand Manually

224 (A5837)

HMAC-SHA3- KAT CAST On demand Manually

256 (A5837)

HMAC-SHA3- KAT CAST On demand Manually

384 (A5837)

HMAC-SHA3- KAT CAST On demand Manually

512 (A5837)

Counter DRBG KAT CAST On demand Manually Hash DRBG KAT CAST On demand Manually HMAC DRBG KAT CAST On demand Manually KAS-FFC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A5837) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5837) Safe Primes Key PCT PCT On demand Manually Generation (A5837) Entropy source - APT CAST On demand Manually Init APT Entropy source - RCT CAST On demand Manually Init RCT Entropy source - APT CAST On demand Manually Continuous APT Entropy source - RCT CAST On demand Manually Continuous RCT Table 23: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel stops executing failure module panic Table 24: Error States In the error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

The software integrity tests, CASTs and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The PCTs can be invoked on demand by requesting the key pair generation service. © 2025 Ctrl IQ, Inc., atsec information security.

Page 48
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as a part of the Rocky Linux 9 distribution, in the form of the kernel5.14.0-284.30.1.el9_2.ciqfips.0.8.1, libkcapi-1.3.1-3.el9, and libkcapi-hmaccalc-1.3.1-3.el9 RPM packages. The module can achieve FIPS validated configuration by:

11.2 Administrator Guidance

After installation of the RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Rocky Linux 9 - Kernel Cryptographic API Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -qa | grep kcapi” commands. These commands must output the following (one line per output): $ cat /proc/sys/crypto/fips_version rocky9.20250121 $ rpm -qa | grep kcapi libkcapi-hmaccalc-1.3.1-3.el9.x86_64 libkcapi-1.3.1-3.el9.x86_64

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 Design and Rules
11.5 Maintenance Requirements
11.6 End of Life

© 2025 Ctrl IQ, Inc., atsec information security.

Page 49

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel5.14.0-284.30.1.el9_2.ciqfips.0.8.1, libkcapi-1.3.1-3.el9, and libkcapi-hmaccalc-1.3.1-3.el9 RPM packages can be uninstalled from the Rocky Linux 9 system. © 2025 Ctrl IQ, Inc., atsec information security.

Page 50
12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. © 2025 Ctrl IQ, Inc., atsec information security.

Page 51

A Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CBC-CS3 Cipher Block Chaining with Ciphertext Stealing 3 CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security IG Implementation Guidance IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KW Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PCT Pair-wise Consistency Test PSP Public Security Parameter RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter TOEPP Tested Operational Environment’s Physical Perimeter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Ctrl IQ, Inc., atsec information security.

Page 52

B References FIPS 140-3 Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/CSRC/media/Projects/cryptographic-modulevalidation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS 197 Advanced Encryption Standard (AES) November 2001; Updated May 2023 https://doi.org/10.6028/NIST.FIPS.197-upd1 FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) July 2008 https://doi.org/10.6028/NIST.FIPS.198-1 FIPS 202 SHA-3 Standard: Permutation-Based Hash and ExtendableOutput Functions August 2015 https://doi.org/10.6028/NIST.FIPS.202 PKCS#1 PKCS #1: RSA Cryptography Specifications Version 2.2 November 2016 https://doi.org/10.17487/RFC8017 RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) June 2005 https://doi.org/10.17487/RFC4106 SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques December 2001 https://doi.org/10.6028/NIST.SP.800-38A SP 800-38A- Recommendation for Block Cipher Modes of Operation: Three Add Variants of Ciphertext Stealing for CBC Mode October 2010 https://doi.org/10.6028/NIST.SP.800-38A-Add SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication May 2005; Updated October 2016 https://doi.org/10.6028/NIST.SP.800-38B SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004; Updated July 2007 https://doi.org/10.6028/NIST.SP.800-38C SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://doi.org/10.6028/NIST.SP.800-38D SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices © 2025 Ctrl IQ, Inc., atsec information security.

Page 53

January 2010 https://doi.org/10.6028/NIST.SP.800-38E SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://doi.org/10.6028/NIST.SP.800-38F SP 800-56Ar3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths Marcy 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP 800-140Br1 Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 © 2025 Ctrl IQ, Inc., atsec information security.