Document Version 1.1 ©Oracle Corporation This document may be reproduced whole and intact including the Copyright notice. FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 Kernel Crypto API Cryptographic Module FIPS 140-2 Level 1 Validation Software Version: R7-2.0.0 Date: December 7, 2018

Oracle Linux 7 Kernel Crypto API Cryptographic Module Security Policy

Title: Oracle Linux 7 Kernel Crypto API Cryptographic Module Security Policy

December 07, 2018

Author: Atsec Information Security

Contributing Authors:
Oracle Linux Engineering
Oracle Security Evaluations – Global Product Security

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2018, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and intact including this copyright notice.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.


TABLE OF CONTENTS

1. Introduction
1.1 Overview
1.2 Document Organization
2. Oracle Linux 7 Kernel Crypto API Cryptographic Module
2.1 Functional Overview
2.2 FIPS 140-2 Validation Scope
3. Cryptographic Module Specification
3.1 Definition of the Cryptographic Module
3.2 Definition of the Physical Cryptographic Boundary
3.3 Modes of Operation
3.4 Approved or Allowed Security Functions
3.5 Non-Approved but Allowed Security Functions
3.6 Non-Approved Security Functions
4. Module Ports and Interfaces
5. Physical Security
6. Operational Environment
6.1 Tested Environments
6.2 Vendor Affirmed Environments
7. Roles, Services and Authentication
7.1 Roles
7.2 FIPS Approved Operator Services and Descriptions
7.3 Non-FIPS Approved Services and Descriptions
7.4 Operator Authentication
8. Key and CSP Management
8.1 Random Number Generation
8.2 Key Entry/Output
8.3 Key/CSP Storage
8.4 Key/CSP Zeroization
9. Self-Tests
9.1 Power-Up Self-Tests
9.1.1 Integrity Tests
9.2 Conditional Self-Tests
10. Crypto-Officer and User Guidance
10.1 Crypto-Officer Guidance
10.1.1 Secure Installation and Startup
10.1.2 FIPS 140-2 and AES NI Support
10.2 User Guidance
10.2.1 AES-XTS Usage
10.2.2 AES-GCM Usage
10.2.3 Triple-DES Usage
10.3 Handling Self-Test Errors
11. Mitigation of Other Attacks
Acronyms, Terms and Abbreviations
References


List of Tables

Table 1: FIPS 140-2 Security Requirements
Table 2: FIPS Approved or Allowed Security Functions
Table 3: Non-Approved but Allowed Functions
Table 4: Non-Approved Disallowed Functions
Table 5: Mapping of FIPS 140 Logical Interfaces to Logical Ports
Table 6: Tested Operating Environment
Table 7: Vendor Affirmed Operating Environment
Table 8: FIPS Approved Operator Services and Descriptions
Table 9: Non-FIPS Approved Operator Services and Descriptions
Table 10: CSP Table
Table 11: Power-On Self-Tests
Table 12: Conditional Self-Tests
Table 13: Acronyms
Table 14: References

List of Figures

Figure 1: Oracle Linux 7 Kernel Crypto API Logical Cryptographic Boundary
Figure 2: Oracle Linux 7 Kernel Crypto API Hardware Block Diagram


1. Introduction

1.1 Overview

This document is the Security Policy for the Oracle Linux 7 Kernel Crypto API Cryptographic Module by Oracle Corporation. Oracle Linux 7 Kernel Crypto API Cryptographic Module is also referred to as “the Module or Module”. This Security Policy specifies the security rules under which the module shall operate to meet the requirements of FIPS 140-2 Level 1. It also describes how the Oracle Linux 7 Kernel Crypto API Cryptographic Module functions in order to meet the FIPS requirements, and the actions that operators must take to maintain the security of the module.

This Security Policy describes the features and design of the Oracle Linux 7 Kernel Crypto API Cryptographic Module using the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CSE Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information.

1.2 Document Organization

The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

• Oracle Linux 7 Kernel Crypto API Cryptographic Module Non-Proprietary Security Policy
• Other supporting documentation as additional references.

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Oracle and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Oracle.


2. Oracle Linux 7 Kernel Crypto API Cryptographic Module

2.1 Functional Overview

The Oracle Linux 7 Kernel Crypto API Cryptographic Module (hereafter referred to as the “Module”) is a software only cryptographic module that provides general-purpose cryptographic services to the remainder of the Linux kernel. The Oracle Linux 7 Kernel Crypto API Cryptographic Module is a software only, security level 1 cryptographic module, running on a multi-chip standalone platform.

2.2 FIPS 140-2 Validation Scope

The following table shows the security level for each of the eleven sections of the validation. See Table 1 below.

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles and Services and Authentication | 1 |
| Finite State Machine Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | N/A |

Table 1: FIPS 140-2 Security Requirements


3. Cryptographic Module Specification

3.1 Definition of the Cryptographic Module

The Oracle Linux 7 Kernel Crypto API is a software-only multi-chip standalone module as defined by the requirements within FIPS PUB 140-2. The logical cryptographic boundary of the module consists of shared library files and their integrity check HMAC files, which are delivered through the Oracle Public Yum Package Manager (RPM) as listed below:

The list of components required for the module to operate is defined below:

• Oracle Linux 7 Kernel Crypto API Cryptographic Module with the version of the RPM file 3.10.0-862.3.3.0.1.el7.x86_64
• The module instantiation is provided by the dracut-fips and dracut-fips-aesni package with the version of the RPM file of 033-535.0.2.el7.x86_64
• The bound module Oracle Linux NSS Cryptographic Module with FIPS 140-2 Certificate #3143 (hereafter referred to as the “NSS bound module” or “NSS module”)
• The contents of the hmaccalc RPM package version 0.9.13-4.el7.x86_64.

The Oracle Linux 7 Kernel Crypto API RPM package of the Module includes the binary files, integrity check HMAC files and Man Pages. The files comprising the module are the following:

• kernel loadable components /lib/modules/$(uname -r)/kernel/crypto/*.ko
• kernel loadable components /lib/modules/$(uname -r)/kernel/arch/x86/crypto/*.ko
• static kernel binary /boot/vmlinuz-$(uname -r)
• sha512hmac binary file for performing the integrity checks /usr/bin/sha512hmac
• sha512hmac binary HMAC file: /usr/lib64/hmaccalc/sha512hmac.hmac

The NSS bound module provides the HMAC-SHA-512 algorithm used by the sha512hmac binary file to verify the integrity of both the sha512hmac file and the vmlinuz (static kernel binary).

Figure 1 shows the logical block diagram of the module executing in memory on the host system.

Figure 1: Oracle Linux 7 Kernel Crypto API Logical Cryptographic Boundary


3.2 Definition of the Physical Cryptographic Boundary

The physical cryptographic boundary is defined as the hard enclosure of the host system on which it runs. See Figure 2 below. No components are excluded from the requirements of FIPS PUB 140-2.

Figure 2: Oracle Linux 7 Kernel Crypto API Hardware Block Diagram

3.3 Modes of Operation

The module supports two modes of operation: the FIPS approved and non-approved modes. The switching between the modes is implicit, depending on the service invoked.

Section 10.1.1 describes the Secure Installation and startup to correctly install and configure the module. The module turns to FIPS approved mode after correct initialization and successful completion of power-on self-tests.

Invoking a non-Approved algorithm or a non-Approved key size with an Approved algorithm as listed in Table 4 will result in the module implicitly entering the non-FIPS mode of operation. After completion of the service the module will implicitly transition back to the FIPS mode, and then, depending on the next service call, it will either remain in FIPS mode or transition to non-approved mode.

The approved services available in FIPS mode can be found in section 7.2, Table 8. The non-approved services available in non-FIPS mode can be found in section 7, Table 9.

3.4 Approved or Allowed Security Functions

The Oracle Linux 7 Kernel Crypto API Cryptographic Module contains the following FIPS Approved Algorithms listed in Table 2:

| Algorithm | Implementation | Modes and tested options | Certificate |
|---|---|---|---|
| Symmetric Algorithms | | | |
| AES | aesasm | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256) | 5407, 5488 |
| | | CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) | |
| | | CMAC: Generation: (AES-128, 192, 256) Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-16 | |
| | | CMAC: Verification: (AES-128, 192, 256) Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-16 | |
| | | GCM (KS: AES_128, AES_192, AES_256) (d) Tag Length(s): 128 120 112 104 96 64 32) (d) PT Lengths Tested: (0, 128, 256, 120, 248); AAD Lengths tested: (0, 128, 256, 120, 248); 96 Bit IV_Supported | |
| | | XTS ((KS: XTS_128, XTS_256) ((e/d) (f)) | |
| | aesgen | CBC, ECB (e/d; 128, 192, 256); CTR (ext. only; 128, 192, 256) | 5408, 5490 |
| | | CCM: Key Lengths: 128, 192, 256 (bits); Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits); IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits); Plain Text Length: 0-32; AAD Length: 0-65536 | |
| | | CMAC: Generation: (AES-128, 192, 256) Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-16 | |
| | | CMAC: Verification: (AES-128, 192, 256) Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-16 | |
| | | GCM (KS: AES_128, AES_192, AES_256) (d) Tag Length(s): 128 120 112 104 96 64 32) (d) PT Lengths Tested: (0, 128, 256, 120, 248); AAD Lengths tested: (0, 128, 256, 120, 248); 96 Bit IV_Supported | |
| | | XTS ((KS: XTS_128, XTS_256) ((e/d) (f)) | |
| | aesgen_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext. only; 128, 192, 256) | 5421, 5491 |
| | | GCM (KS: AES_128, AES_192, AES_256 (e) Tag Length(s): 64, 96, 128) IV Generated: (Internally (using Section 8.2.1)); PT Lengths Tested: (128, 256, 120, 248); AAD Lengths tested: (64, 96); 96 Bit IV_Supported | |
| | aesasm_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256) | 5420, 5489 |
| | | GCM (KS: AES_128, AES_192, AES_256 (e) Tag Length(s): 128 96 64) IV Generated: (Internally (using Section 8.2.1)); PT Lengths Tested: (128, 256, 120, 248); AAD Lengths tested: (64, 96); 96 Bit IV_Supported | |
| | aesni_blkasm | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256) | 5410, 5493 |
| | | GCM (KS: AES_128, AES_192, AES_256) (d) Tag Length(s): 128 96 64) PT Lengths Tested: (128, 256, 120, 248); AAD Lengths tested: (64, 96); 96 Bit IV_Supported | |
| | | XTS ((KS: XTS_128, XTS_256); ((e/d) (f)) | |
| | aesni | CBC, ECB (e/d; 128, 192, 256); CTR (ext. only; 128, 192, 256) | 5409, 5492 |
| | | CCM: Key Lengths: 128, 192, 256 (bits); Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits); IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits); Plain Text Length: 0-32; AAD Length: 0-65536 | |
| | | CMAC: Generation: (AES-128, 192, 256) Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-16 | |
| | | CMAC: Verification: (AES-128, 192, 256) Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-16 | |
| | | GCM (KS: AES_128, AES_192, AES_256) d) Tag Length(s): 32, 64, 96, 104, 112, 120, 128) PT Lengths Tested: (0, 128, 256, 120, 248); AAD Lengths tested: (0, 120, 128, 248, 256); 96 Bit IV_Supported | |
| | | XTS ((KS: XTS_128, XTS_256); ((e/d) (f)) | |
| | aesni_blkasm_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext. only; 128, 192, 256) | 5411, 5494 |
| | | GCM (KS: AES_128, AES_192, AES_256) (e) IV Generation: Internal (using Section 8.2.1); Key Lengths: 128, 192, 256 (bits); Tag Lengths: 64, 96, 128 (bits); Plain Text Lengths: 120, 128, 248, 256 (bits); 96 Bit IV_Supported | |
| | aesni_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext. only; 128, 192, 256) | 5422, 5495 |
| | | GCM (KS: AES_128, AES_192, AES_256) e) Tag Length(s): 64, 96, 128) PT Lengths Tested: (120, 128, 248, 256); AAD Lengths tested: (64, 96); 96 Bit IV_Supported | |
| Triple DES | C Implementation | TCBC, TECB (KO 1 e/d); CTR (ext only) | 2729, 2763 |
| | | CMAC: Generation: 3-Key: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-8 | |
| | | CMAC: Verification: 3-Key: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 0-8 | |
| Secure Hash Standard (SHS) | | | |
| SHS | Generic C Implementation | SHA-1 (BYTE-only), SHA-224 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only) | 4342, 4591 |
| | shaavx | SHA-1 (BYTE-only), SHA-224 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only) | 4352, 4418 |
| | shaavx2 | SHA-1 (BYTE-only), SHA-224 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only) | 4341, 4405 |
| | shamb | SHA-256 (BYTE-only), SHA-512 (BYTE-only) | 4363, 4417 |
| Data Authentication Code | | | |
| HMAC | Generic C Implementation | HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (each with Key Size Ranges Tested: KS<BS KS=BS KS>BS) | 3583, 3816 |
| | shaavx | HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (each with Key Size Ranges Tested: KS<BS KS=BS KS>BS) | 3590, 3662 |
| | Shaavx2 | HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (each with Key Size Ranges Tested: KS<BS KS=BS KS>BS) | 3582, 3646 |
| | Shamb | HMAC-SHA256, HMAC-SHA512 (each with Key Size Ranges Tested: KS<BS KS=BS KS>BS) | 3602, 3661 |
| Asymmetric Algorithms | | | |
| RSA | shagen | FIPS186-4: ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (2048 SHA(1, 224, 256, 384, 512)) (3072 SHA(1, 224, 256, 384, 512)) | 2892, 3072 |
| | shaavx | FIPS186-4: ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (2048 SHA(1, 224, 256, 384, 512)) (3072 SHA(1, 224, 256, 384, 512)) | 2905, 2954 |
| | Shaavx2 | FIPS186-4: ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (2048 SHA(1, 224, 256, 384, 512)) (3072 SHA(1, 224, 256, 384, 512)) | 2891, 2949 |
| | Shamb | FIPS186-4: ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (2048 SHA(256, 512)) (3072 SHA(256, 512)) | 2920, 2953 |
| Random Number Generation | | | |
| DRBG (CTR DRBG) | aesasm | CTR_DRBG: [Prediction Resistance Tested: Enabled and Not Enabled; BlockCipher_Use_df: (AES-128, AES-192, AES-256) | 2103, 2163 |
| | aesni | CTR_DRBG: [Prediction Resistance Tested: Enabled and Not Enabled; BlockCipher_Use_df: (AES-128, AES-192, AES-256) | 2105, 2165 |
| | aesgen | CTR_DRBG: [Prediction Resistance Tested: Enabled and Not Enabled; BlockCipher_Use_df: (AES-128, AES-192, AES-256) | 2104, 2164 |
| DRBG (Hash DRBG) | shagen | Hash_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-1, SHA-256, SHA-384, SHA-512) | 2107, 2363 |
| | shaavx | Hash_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-1, SHA-256, SHA-384, SHA-512) | 2116, 2175 |
| | shaavx2 | Hash_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-1, SHA-256, SHA-384, SHA-512) | 2106, 2166 |
| | shamb | Hash_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-256, SHA-512) | 2128, 2174 |
| DRBG (HMAC DRBG) | shagen | HMAC_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-1, SHA-256, SHA-384, SHA-512) | 2107, 2363 |
| | shaavx | HMAC_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-1, SHA-256, SHA-384, SHA-512) | 2116, 2175 |
| | Shaavx2 | HMAC_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-1, SHA-256, SHA-384, SHA-512) | 2106, 2166 |
| | shamb | HMAC_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled (SHA-256, SHA-512) | 2128, 2174 |
| Algorithms used from Bound NSS module | | | |
| HMAC | | HMAC-SHA512 (Key Size Ranges Tested: KS<BS KS=BS KS>BS) | 3077, 3767 |

Table 2: FIPS Approved or Allowed Security Functions

3.5 Non-Approved but Allowed Security Functions

The following algorithm is considered non-Approved but allowed to be used in a FIPS-approved mode:

| Algorithm | Usage |
|---|---|
| NDRNG from Linux RNG | Used for seeding NIST SP 800-90A DRBG |

Table 3: Non-Approved but Allowed Functions

3.6 Non-Approved Security Functions

The following algorithms are considered non-Approved and may not be used in a FIPS-approved mode of operation:

| Algorithm | Usage |
|---|---|
| AES-XTS (192 bit) | Encrypt/Decrypt |
| AES GCM | Encryption with external IV |
| DES | Encrypt/Decrypt |
| SHA-1 (multiple-buffer) | Any use of SHA1-mb (CAVS tested Certs #4363, #4417; KAT not performed) |
| ANSI X9.31 RNG | Key and Seed Generation |
| Jitter RNG | Non-Deterministic Random Number Generation |

Table 4: Non-Approved Disallowed Functions
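
The following is an added example, not part of the Oracle policy or of the kernel: a Python classifier that applies the per-call rule of section 3.3 to individual service requests, using the AES, Triple-DES, SHA and random-number rows of Table 2 and the entries of Table 4. The `Request` fields and the algorithm label strings are assumptions made for this example, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPROVED, NON_APPROVED, NOT_LISTED = "FIPS approved", "non-approved", "not listed"

# Table 2: AES modes with the key sizes (bits) certified for each.
AES_MODES = {m: {128, 192, 256} for m in ("CBC", "ECB", "CTR", "CCM", "CMAC", "GCM")}
AES_MODES["XTS"] = {128, 256}               # only XTS_128 and XTS_256 appear
TDES_MODES = {"CBC", "ECB", "CTR", "CMAC"}  # TCBC, TECB, CTR and CMAC rows
SHA = {"SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}
SHA_MULTIBUFFER = {"SHA-256", "SHA-512"}    # the shamb rows
DRBGS = {"CTR_DRBG", "Hash_DRBG", "HMAC_DRBG"}  # label strings chosen for this example
# Table 4 entries that are non-approved whatever their parameters.
TABLE4_ALWAYS = {"DES", "ANSI X9.31 RNG", "Jitter RNG"}


@dataclass(frozen=True)
class Request:
    """One service call; the field names are hypothetical, not a kernel API."""
    algorithm: str
    mode: Optional[str] = None
    key_bits: Optional[int] = None
    encrypt: bool = True
    external_iv: bool = False
    multibuffer: bool = False


def classify(req: Request) -> Tuple[str, str]:
    """Return (status, reason) for one request, naming the table that decides it."""
    if req.algorithm in TABLE4_ALWAYS:
        return NON_APPROVED, f"{req.algorithm} is listed in Table 4"
    if req.algorithm == "AES":
        sizes = AES_MODES.get(req.mode or "")
        if sizes is None:
            return NOT_LISTED, f"AES mode {req.mode!r} is in neither table"
        if req.mode == "XTS" and req.key_bits == 192:
            return NON_APPROVED, "AES-XTS (192 bit) is listed in Table 4"
        if req.key_bits not in sizes:
            return NOT_LISTED, f"AES-{req.mode} with {req.key_bits} bit keys is in neither table"
        # Table 2 certifies GCM decryption and GCM encryption with an internal IV only.
        if req.mode == "GCM" and req.encrypt and req.external_iv:
            return NON_APPROVED, "AES GCM encryption with external IV is listed in Table 4"
        return APPROVED, f"AES-{req.mode} ({req.key_bits} bit) is listed in Table 2"
    if req.algorithm == "Triple-DES":
        if req.mode in TDES_MODES:
            return APPROVED, f"Triple-DES {req.mode} is listed in Table 2"
        return NOT_LISTED, f"Triple-DES mode {req.mode!r} is in neither table"
    if req.algorithm in SHA:
        if req.multibuffer and req.algorithm == "SHA-1":
            return NON_APPROVED, "SHA-1 (multiple-buffer) is listed in Table 4"
        if req.multibuffer and req.algorithm not in SHA_MULTIBUFFER:
            return NOT_LISTED, f"multiple-buffer {req.algorithm} is in neither table"
        return APPROVED, f"{req.algorithm} is listed in Table 2"
    if req.algorithm in DRBGS:
        return APPROVED, f"{req.algorithm} is listed in Table 2"
    return NOT_LISTED, f"{req.algorithm} is in neither table"


def audit(requests: List[Request]) -> List[Tuple[Request, str, str]]:
    """Return the calls that would not run in FIPS approved mode.

    Section 3.3 makes the switch implicit and per call, with the module back in
    FIPS mode once the service completes, so each request is judged on its own.
    """
    findings = []
    for req in requests:
        status, reason = classify(req)
        if status != APPROVED:
            findings.append((req, status, reason))
    return findings


# Constructed sample of requests, as a reviewer might collect from configuration.
SAMPLE = [
    Request("AES", "XTS", 256),
    Request("AES", "XTS", 192),
    Request("AES", "GCM", 256, encrypt=True, external_iv=True),
    Request("AES", "GCM", 256, encrypt=False, external_iv=True),
    Request("AES", "GCM", 128, encrypt=True, external_iv=False),
    Request("DES", "CBC"),
    Request("Triple-DES", "CBC"),
    Request("SHA-1", multibuffer=True),
    Request("SHA-256", multibuffer=True),
    Request("Jitter RNG"),
    Request("HMAC_DRBG"),
    Request("ChaCha20"),
]

if __name__ == "__main__":
    for req, status, reason in audit(SAMPLE):
        print(f"{status:13} {reason}")
```

Requests that appear in neither table are reported as "not listed" rather than guessed at, since the policy only enumerates what Tables 2 and 4 contain.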


4. Module Ports and Interfaces

The module interfaces can be categorized as follows:

• Data Input Interface
• Data Output Interface
• Control Input interface
• Status Output Interface

The module can be accessed by utilizing the API it exposes. The table below shows the mapping of ports and interfaces as per FIPS 140-2 Standard.

| FIPS 140 Interface | Module Interfaces |
|---|---|
| Data Input | API input parameters |
| Data Output | API output parameters |
| Control Input | API function calls, kernel command line |
| Status Output | API return codes, kernel logs |

Table 5: Mapping of FIPS 140 Logical Interfaces to Logical Ports


5. Physical Security

The Module is comprised of software only and thus does not claim any physical security.


6. Operational Environment

6.1 Tested Environments

The module operates in a modifiable operational environment per FIPS 140-2 level 1 specifications. The Module was tested on the following environments with and without PAA i.e. AES-NI:

| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64 bit | Intel(R) Xeon(R) E5-2699 v4 | Oracle Server X6-2 |
| Oracle Linux 7.3 64 bit | Intel(R) Xeon(R) Silver 4114 | Oracle Server X7-2 |

Table 6: Tested Operating Environment

6.2 VendorAffirmedEnvironments

ThefollowingplatformshavenotbeentestedaspartoftheFIPS140-2level1certificationhoweverOracle

“vendoraffirms”thattheseplatformsareequivalenttothetestedandvalidatedplatforms.Additionally,Oracle

affirmsthatthemodulewillfunctionthesamewayandprovidethesamesecurityservicesonanyofthesystems

listedbelow.

| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600/E5-2600 v2 | Cisco UCS B200 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Cisco UCS B200 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS B200 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | Cisco UCS B22 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800/E7-8800 | Cisco UCS B230 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800/E7-8800 v3 | Cisco UCS B260 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600/E5-4600 v2 | Cisco UCS B420 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 & v4 | Cisco UCS B420 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800/E7-8800 | Cisco UCS B440 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800 v2/E7-4800 v2/E7-8800 v2/E7-4800 v3/E7-8800 v3 | Cisco UCS B460 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS B480 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | Cisco UCS C22 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600/E5-2600 v2 | Cisco UCS C220 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Cisco UCS C220 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS C220 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | Cisco UCS C24 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600/E5-2600 v2 | Cisco UCS C240 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Cisco UCS C240 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS C240 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800 v2/E7-4800 v2, v3 & v4/E7-8800 v2 & v4 | Cisco UCS C460 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS C480 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® D-1500 | Cisco UCS E1120D-M3/K9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® D-1500 | Cisco UCS E180D-M3/K9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge FC630 |


| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 | Dell PowerEdge FC830 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge M630 Blade |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v4 | Dell PowerEdge M830 Blade |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge R630 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge R730 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge R730xd |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4 | Dell PowerEdge R930 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge T630 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2/E7-8800 v2 | Fujitsu PRIMEQUEST 2400E |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400E2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400E3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Fujitsu PRIMEQUEST 2400L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400L2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400L3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Fujitsu PRIMEQUEST 2400S |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Fujitsu PRIMEQUEST 2400S Lite |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400S2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400S2 Lite |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400S3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400S3 Lite |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Fujitsu PRIMEQUEST 2800B |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2800B2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2800B3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Fujitsu PRIMEQUEST 2800E |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2800E2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2800E3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Fujitsu PRIMEQUEST 2800L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2800L2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2800L3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMEQUEST 3800B |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Fujitsu PRIMERGY BX2580 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Fujitsu PRIMERGY BX2580 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY CX2560 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Fujitsu PRIMERGY RX2530 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Fujitsu PRIMERGY RX2530 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY RX2530 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Fujitsu PRIMERGY RX2540 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Fujitsu PRIMERGY RX2540 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY RX2540 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2/E7-8800 v2 | Fujitsu PRIMERGY RX4770 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v3/E7-8800 v3 | Fujitsu PRIMERGY RX4770 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | Fujitsu PRIMERGY RX4770 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY RX4770 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Hitachi Compute Blade 2500 CB520HB4 |


| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Hitachi Compute Blade 2500 CB520XB2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Hitachi Compute Blade 2500 CB520XB3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Hitachi Compute Blade 500 CB520HB4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Hitachi Compute Blade 500 CB520XB2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Hitachi QuantaGrid D51B-2U |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Hitachi QuantaPlex T41S-2U |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Hitachi Vantara Hitachi Advanced Server DS120 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Hitachi Vantara Hitachi Advanced Server DS220 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Hitachi Vantara Hitachi Advanced Server DS240 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | HPE Integrity MC990 X |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v2 | HPE ProLiant BL460c Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | HPE ProLiant BL460c Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 | HPE ProLiant BL660c Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL160 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL180 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Pentium® G2120 & Intel® Xeon® E3-1200 v2 | HPE ProLiant DL320e Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Pentium® G3200-series/G3420, Core i3-4100-series/Intel® Xeon® E3-12 v3 | HPE ProLiant DL320e Gen8 v2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL360 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | HPE ProLiant DL360e Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL360p Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL380 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | HPE ProLiant DL380e Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600/E5-4600 v2 | HPE ProLiant DL560 Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 & v4 | HPE ProLiant DL560 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2/E7-8800 v2 | HPE ProLiant DL580 Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v3/E7-8800 v3 | HPE ProLiant DL580 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant ML350 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | HPE Synergy 480 Gen9 Compute Module |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | HPE Synergy 620 Gen9 Compute Module |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | HPE Synergy 680 Gen9 Compute Module |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Huawei FusionServer 1288H V5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Huawei FusionServer 2288H V5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Huawei FusionServer CH121 V5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Huawei FusionServer CH121L V5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Huawei FusionServer CH242 V5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Huawei FusionServer RH2288H V3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Huawei FusionServer XH321 V5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Inspur Yingxin NF5170M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Inspur Yingxin NF5180M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Inspur Yingxin NF5240M4 |


| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Inspur Yingxin NF5270M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Inspur Yingxin NF5280M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Inspur Yingxin NF5460M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v3 & v4/E7-8800 v3 & v4 | Inspur Yingxin NX8480M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/5100/4100/3100 Processors | Lenovo ThinkSystem SD530 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/5100/4100/3100 Processors | Lenovo ThinkSystem SN550 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/5100 Processors | Lenovo ThinkSystem SN850 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/5100 Processors | Lenovo ThinkSystem SR850 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/5100 Processors | Lenovo ThinkSystem SR860 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/5100 Processors | Lenovo ThinkSystem SR950 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | NEC Express5800/A1040d |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | NEC Express5800/A2010d |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | NEC Express5800/A2020d |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | NEC Express5800/A2040d |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | NEC NX7700x/A4010M-4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | NEC NX7700x/A4012L-1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800/4800 v4 | NEC NX7700x/A4012L-1D |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | NEC NX7700x/A4012L-2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800/4800 v4 | NEC NX7700x/A4012L-2D |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v3/E7-8800 v3 | NEC NX7700x/A4012M-4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Oracle Netra Server X5-2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Oracle Server X5-2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Oracle Server X5-2L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Oracle Server X5-4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Oracle Server X5-8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Oracle Server X6-2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Oracle Server X6-2L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Oracle Server X6-2M |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/4100 Processors | Oracle Server X7-2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100/4100 Processors | Oracle Server X7-2L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable 8100/6100 Processors | Oracle Server X7-8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® x7500-series | Oracle Sun Fire X4470 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® x7500-series | Oracle Sun Fire X4800 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 | Oracle Sun Server X2-8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 | Oracle Sun Server X2-4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 | Oracle Sun Server X3-2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 | Oracle Sun Server X3-2L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v2 | Oracle Sun Server X4-2 |


| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v2 | Oracle Sun Server X4-2L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Oracle Sun Server X4-4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Oracle Sun Server X4-8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 & v4 | SGI UV 300RL |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v3 & v4 | SGI UV 300 |
| Oracle Linux 7.3 64-bit | AMD Opteron™ 6000 | Sugon A840-G10 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Sugon CB50-G20 |
| Oracle Linux 7.3 64-bit | AMD Opteron™ 6000 | Sugon A840-G10 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Sugon CB50-G20 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Sugon CB80-G20 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4 | Sugon CB80-G25 |
| Oracle Linux 7.3 64-bit | AMD Opteron™ 6300 | Sugon CB85-G10 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® 6100, 5100, 4100, 3100 | Sugon I420-G30 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Sugon I610-G20 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Sugon I620-G20 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v3 & v4 | Sugon I840-G20 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Sugon I840-G25 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 & v3/E7-8800 v2 & v3 | Sugon I980-G20 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Sugon TC4600T |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Supermicro SuperServer SYS-6018U-TR4T+ |

Table 7: Vendor Affirmed Operating Environment

CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.


7. Roles, Services and Authentication

7.1 Roles

The roles are implicitly assumed by the entity accessing the module services. The module supports the following roles:

• User Role: performs symmetric encryption/decryption, keyed hash, message digest, random number generation, show status, zeroization.
• Crypto Officer Role: performs the module installation and configuration, module's initialization, self-tests.

7.2 FIPS Approved Operator Services and Descriptions

The table below provides a full description of the FIPS Approved services provided by the module and the roles allowed to invoke each service.

| U | CO | Service Name | Service Description | Keys and CSP(s) | Access Type(s) |
|---|---|---|---|---|---|
| X | | Symmetric Encryption/Decryption | Encrypts or decrypts a block of data using 3-Key Triple-DES or AES in FIPS mode | AES or 3-Key Triple-DES Key | R, W, X |
| X | | Keyed Hash (HMAC) | Sign and/or authenticate data using HMAC-SHA | HMAC Key | R, W, X |
| X | | Message Digest | Hash a block of data using SHS. | None | N/A |
| X | | Random Number Generation | Generate random numbers based on the NIST SP 800-90A Standard | Entropy input string and seed | R, W, X |
| X | | Authenticated Encryption | Encrypt-then-MAC cipher (authenc) used for IPsec | AES key, HMAC key | R, W, X |
| X | | Show Status | Show status of the module state via verbose mode, exit codes and kernel logs (dmesg) | None | N/A |
| | X | Self-Test | Initiate on-demand power-on self-tests by restarting the device, which will also clear the RAM memory. | None | N/A |
| X | | Zeroize | Zeroize all critical security parameters when freeing the cipher handler | All keys and CSPs | Z |
| | X | Module Initialization | Initialize the module into the FIPS Approved Mode | None | N/A |
| | X | Installation and Configuration | Install and configure the module. | None | N/A |
| X | | Error detection code¹ | Error detection code using crc32c, crct10dif | None | N/A |
| X | | Data compression¹ | Performs data compression using deflate, lz4, lz4hc, lzo, zlib, zlib-deflate | None | N/A |

R – Read, W – Write, X – Execute, Z – Zeroize

¹ The algorithms used in this service do not provide cryptographic attribute.


Table 8: FIPS Approved Operator Services and Descriptions

7.3 Non-FIPS Approved Services and Descriptions

The following table lists the non-Approved services available in non-FIPS mode.

| U | CO | Service Name | Service Description | Keys and CSP(s) | Access Type(s) |
|---|---|---|---|---|---|
| X | | Symmetric Encryption/Decryption | Encrypts or decrypts using non-Approved algorithms | AES-XTS (192-bit key), DES, AES GCM encryption with external IV | R, W, X |
| X | | Random Number Generation | Generation of random numbers using the ANSI X9.31 PRNG or Jitter RNG. | None | N/A |
| X | | Message Digest | Hashing using non-approved hash functions from Table 4 | None | N/A |
| X | | Keyed Hash | HMAC Keys < 112 bits. | HMAC keys < 112 bits. | R, W, X |

R – Read, W – Write, X – Execute, Z – Zeroize

Table 9: Non-FIPS Approved Operator Services and Descriptions

7.4 Operator Authentication

The module is a Level 1 software-only cryptographic module and does not implement authentication. The role is implicitly assumed based on the service requested.


8. Key and CSP Management

The following keys, cryptographic key components and other critical security parameters are contained in the module.

| CSP Name | Generation | Entry/Output | Storage | Zeroization |
|---|---|---|---|---|
| AES Keys (128, 192, 256 bits) | N/A | Key is passed into the module via API input parameter | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler |
| Triple-DES Keys (192 bits) | N/A | Key is passed into the module via API input parameter | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler |
| DRBG Entropy Input String | Obtained from NDRNG | N/A | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler |
| DRBG internal state (V, key and C values) | Derived from Entropy input as defined in NIST SP 800-90A | N/A | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler |
| HMAC Key (≥ 112 bits) | N/A | Key is passed into the module via API input parameter | kernel memory | Automatically zeroized when freeing the cipher handle |

Table 10: CSP Table

8.1 Random Number Generation

The module employs the Deterministic Random Bit Generator (DRBG) based on [SP800-90A] for the creation of random numbers. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The DRBG is initialized during module initialization. By default, the module loads the DRBG using HMAC DRBG with SHA-512, without prediction resistance.

To seed the DRBG, the module uses a Non-Deterministic Random Number Generator (NDRNG) as the entropy source. The NDRNG provides at least 130 bits of entropy to the DRBG during initialization (seed) and reseeding (reseed). The module performs a continuous random number generator test on the output of the NDRNG to ensure that consecutive random numbers do not repeat, and performs DRBG health tests as defined in section 11.3 of [SP800-90A].

The module does not provide any key generation service or perform key generation for any of its Approved algorithms. Keys are passed in from the calling application via API parameters.

CAVEAT: The module generates random strings whose strengths are modified by available entropy.


8.2 Key Entry/Output

The keys are provided to the module via API input parameters in plaintext form. The keys are not transmitted beyond the physical boundary. The module does not support manual key entry.

8.3 Key/CSP Storage

Symmetric keys and HMAC keys are provided to the module by the calling process, and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of keys. The RSA public key used for signature verification is stored as part of the module and relies on the operating system for its protection.

8.4 Key/CSP Zeroization

The application that uses the module is responsible for appropriate destruction and zeroization of the key material. The module provides functions for key allocation and destruction. When a calling kernel component calls the appropriate API function, that operation overwrites memory with 0's and then frees that memory.


9. Self-Tests

FIPS 140-2 requires that the Module perform self-tests to ensure the integrity of the Module and the correctness of the cryptographic functionality at startup. In addition, the module performs a conditional test for the NDRNG. On successful completion of the power-up tests, the module is operational and the crypto services are available. A failure of any of the self-tests panics the Module and no crypto operations are possible. The only recovery is to reboot the module. See section 10.3 for details.

9.1 Power-Up Self-Tests

The module performs power-up self-tests at module initialization without operator intervention. While the module is performing the power-up tests, services are not available and input or output is not possible. The on-demand power-up self-tests can be performed by power cycling the Module or by rebooting the operating system.

The table below summarizes the power-on self-tests performed by the module. If the known answer does not match, the test fails. The different implementations of the same algorithms listed in Table 2 are tested separately by performing the known-answer tests using the same test vectors.

| Algorithm | Test |
|---|---|
| AES | KAT, encryption and decryption are tested separately for the modes ECB, CBC, CTR, XTS, GCM, CCM, CMAC |
| Triple-DES | KAT, encryption and decryption are tested separately for the modes ECB, CBC, CTR, CMAC. |
| SP 800-90A CTR_DRBG | KAT |
| SP 800-90A Hash_DRBG | KAT |
| SP 800-90A HMAC_DRBG | KAT |
| SHS | SHA-1, SHA-256, SHA-512 KAT |
| HMAC | HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512 KAT |
| Module Integrity test | Performed by sha512hmac application with HMAC-SHA-512 provided by NSS |
| RSA Signature Verification² | Part of the integrity test (considered as a KAT) |

Table 11: Power-On Self-Tests

9.1.1 Integrity Tests

The integrity check of the static kernel binary is performed by the sha512hmac application using HMAC-SHA-512. At run time, the module invokes the sha512hmac utility to calculate the HMAC value of the static kernel binary file and then compares it with the pre-stored HMAC file in /boot/.vmlinuz-$(uname -r).hmac. The sha512hmac application performs its own integrity check by calculating the HMAC value of its binary and comparing it to the HMAC value stored in sha512hmac.hmac. The HMAC-SHA-512 algorithm is provided by the bound NSS module and is KAT tested before the NSS module makes itself available to the sha512hmac application.

² The RSA signature verification is only used as part of the integrity test and is not available as a service from the module.


The Oracle Linux loadable components (*.ko referenced in section 3.1) loaded into the Linux kernel during boot time are checked with the RSA signature verification implementation of the Linux kernel to confirm their integrity. If the HMAC values do not match or the RSA signature verification fails, the kernel panics, indicating the error state.

9.2 Conditional Self-Tests

The module performs conditional tests on the cryptographic algorithms shown in the following table:

| Algorithm | Test |
|---|---|
| NDRNG | The module performs conditional self-tests on the output of NDRNG. |

Table 12: Conditional Self-Tests


10. Crypto-Officer and User Guidance

This section provides guidance for the Cryptographic Officer and the User to maintain proper use of the module per FIPS 140-2 requirements.

10.1 Crypto-Officer Guidance

To operate the Kernel Crypto API module, the operating system must be restricted to a single operator mode of operation. (This should not be confused with single user mode, which is runlevel 1 on Oracle Linux. This refers to processes having access to the same cryptographic instance, which Oracle Linux ensures cannot happen by the memory management hardware.)

10.1.1 Secure Installation and Startup

Crypto Officers use the Installation instructions to install the Module in their environment. The version of the RPM containing the FIPS validated module is stated in section 3.1 above.

The RPM package of the Module can be installed by standard tools recommended for the installation of Oracle packages on an Oracle Linux system (for example, yum, RPM, and the RHN remote management tool). The integrity of the RPM is automatically verified during the installation of the Module and the Crypto Officer shall not install the RPM file if the Oracle Linux Yum Server indicates an integrity error. The RPM files listed in section 3 are signed by Oracle, and during installation Yum performs signature verification, which ensures a secure delivery of the cryptographic module. If the RPM packages are downloaded manually, then the CO should run the 'rpm -K <rpm-file-name>' command after importing the builder's GPG key to verify the package signature. In addition, the CO can also verify the hash of the RPM package to confirm a proper download.

To configure the operating environment to support FIPS, perform the following steps:

1. Install the dracut-fips package:

# yum install dracut-fips-033-535.0.2.el7.x86_64

2. Recreate the INITRAMFS image:

# dracut -f

After regenerating the initramfs, the Crypto Officer has to append the following string to the kernel command line by changing the setting in the boot loader:

fips=1

If /boot or /boot/efi resides on a separate partition, the kernel parameter boot=<partition of /boot or /boot/efi> must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example:

$ df /boot
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 233191 30454 190296 14% /boot

The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended to the kernel command line:

boot=/dev/sda1

Execute the reboot command to reboot the system and select the newly installed kernel.


10.1.2 FIPS 140-2 and AES-NI Support

According to the Kernel Crypto API FIPS 140-2 Security Policy, the Kernel Crypto API module supports the AES-NI Intel processor instruction set as an approved cipher. The AES-NI instruction set is used by the Module.

In case you configured a full disk encryption using AES, you may use the AES-NI support for a higher performance compared to the software-only implementation.

To utilize the AES-NI support, the mentioned Module must be loaded during boot time by installing a plugin. Before you install the plugin, you MUST verify that your processor offers the AES-NI instruction set by calling the following command:

cat /proc/cpuinfo | grep aes

If the command returns a list of properties, including the "aes" string, your CPU provides the AES-NI instruction set. If the command returns nothing, AES-NI is not supported. You MUST NOT install the following plugin if your CPU does not support AES-NI because the kernel will panic during boot.

The support for the AES-NI instruction set during boot time is enabled by installing the following plugin (make sure that the version of the plugin RPM matches the version of the installed RPMs!):

# install the dracut-fips-aesni package
yum install dracut-fips-aesni-033-535.0.2.el7.x86_64
# recreate the initramfs image
dracut -f

The changes come into effect during the next reboot.
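The checks from sections 10.1.1 and 10.1.2 as an added shell example, not part of Oracle's policy document: it confirms fips=1 and, when /boot is a separate partition, boot= on the kernel command line, and tests for aes as an exact CPU flag. The function names and sample values are constructed here; /proc/sys/crypto/fips_enabled is the kernel's FIPS status file and is not named in the policy, and accepting boot= values that do not start with /dev/ without comparison is an assumption.

```shell
#!/bin/sh
# Added example: each function takes its input as an argument or on stdin,
# so it can be run against live files or against saved output.

# Print the value of NAME= from a kernel command line (last occurrence wins).
cmdline_param() {
    printf '%s\n' "$2" | tr -s ' \t' '\n\n' | sed -n "s/^$1=//p" | tail -n 1
}

# Print the device column from `df -P <dir>` output read on stdin.
df_device() {
    awk 'NR == 2 { print $1 }'
}

# Succeed only if a "flags" line of /proc/cpuinfo (stdin) carries the exact
# token "aes"; a token that merely contains that substring does not count.
has_aes_flag() {
    awk -F: '$1 ~ /^flags[ \t]*$/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
             }
             END { exit found ? 0 : 1 }'
}

# check_fips_boot CMDLINE FIPS_ENABLED BOOT_DEV ROOT_DEV
# Prints one line per problem and returns 0 only when there is none.
check_fips_boot() {
    cmdline=$1 enabled=$2 boot_dev=$3 root_dev=$4 rc=0
    [ "$(cmdline_param fips "$cmdline")" = 1 ] ||
        { echo "fips=1 missing from kernel command line"; rc=1; }
    [ "$enabled" = 1 ] ||
        { echo "kernel reports FIPS mode off"; rc=1; }
    # boot= is only required when /boot is on its own partition.
    if [ "$boot_dev" != "$root_dev" ]; then
        boot_arg=$(cmdline_param boot "$cmdline")
        case $boot_arg in
            "")     echo "/boot is on $boot_dev but boot= is not set"; rc=1 ;;
            /dev/*) [ "$boot_arg" = "$boot_dev" ] ||
                        { echo "boot=$boot_arg does not match $boot_dev"; rc=1; } ;;
            *)      : ;;  # assumption: other forms are accepted, not compared
        esac
    fi
    return $rc
}

# Constructed sample input (not captured from a real system).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/ol-root ro fips=1 boot=/dev/sda1'
SAMPLE_DF='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 233191 30454 190296 14% /boot'

if check_fips_boot "$SAMPLE_CMDLINE" 1 \
        "$(printf '%s\n' "$SAMPLE_DF" | df_device)" /dev/mapper/ol-root; then
    echo "sample: FIPS boot configuration OK"
fi
if printf 'flags\t\t: fpu sse2 pclmulqdq aes avx\n' | has_aes_flag; then
    echo "sample: AES-NI flag present"
fi

# Live use after the reboot:
#   check_fips_boot "$(cat /proc/cmdline)" "$(cat /proc/sys/crypto/fips_enabled)" \
#       "$(df -P /boot | df_device)" "$(df -P / | df_device)"
#   has_aes_flag < /proc/cpuinfo   # run before installing dracut-fips-aesni
```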

10.2 User Guidance

CTR and RFC 3686 mode must only be used for IPsec. It must not be used otherwise.

There are three implementations of AES: aes-generic, aesni-intel, and aes-x86_64 on x86_64 machines. The additional specific implementations of AES for the x86 architecture are disallowed and not available on the test platforms.

When using the Module, the user shall utilize the Linux Kernel Crypto API provided memory allocation mechanisms. In addition, the user shall not use the function copy_to_user() on any portion of the data structures used to communicate with the Linux Kernel Crypto API.

Only the cryptographic mechanisms provided with the Linux Kernel Crypto API are considered for use. The NSS bound module, although used, is only considered to support the integrity verification and is not intended for general-purpose use with respect to this Module.

10.2.1 AES-XTS Usage

The XTS mode must only be used for the disk encryption functionality offered by dm-crypt.


10.2.2 AES-GCM Usage

The GCM with internal IV generation in FIPS mode is in compliance with RFC 4106 and shall only be used in conjunction with the IPsec stack of the kernel to be compliant with IG A.5. Any other usage of GCM will be considered non-Approved. In case the module's power is lost and then restored, the key used for the AES GCM shall be redistributed.

10.2.3 Triple-DES Usage

According to IG A.13, the same Triple-DES key shall not be used to encrypt more than 2^16 64-bit blocks of data.

10.3 Handling Self-Test Errors

The Module transitions to the error state when any self-test or conditional test fails. In the error state, the kernel is in a panicked state and the operating system will not load. As such, the output is inhibited and no crypto operations are available in the error state. In order to recover from the error, the module needs to be rebooted. If the failure continues, the module needs to be reinstalled.

The kernel dumps self-test success and failure messages into the kernel message ring buffer. Post boot, the messages are moved to /var/log/messages. Use dmesg to read the contents of the kernel ring buffer. The format of the ring buffer (dmesg) output is:

alg: self-tests for %s (%s) passed

Typical messages are similar to "alg: self-tests for hmac(sha1-generic) (hmac(sha1)) passed" for each algorithm/sub-algorithm type.
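An added shell example, not part of Oracle's policy document, that reads the pass messages in the format given above and lists which algorithms from an operator-chosen set have no pass line in the ring buffer. The function names, the sample log lines and the algorithm names other than hmac(sha1) are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse "alg: self-tests for <driver> (<algorithm>) passed" lines.

# Print "<algorithm> <driver>" for every self-test pass line on stdin.
# Any prefix before "alg:" (such as a dmesg timestamp) is ignored.
selftest_passes() {
    sed -n 's/^.*alg: self-tests for \([^ ]*\) (\([^ ]*\)) passed.*$/\2 \1/p'
}

# missing_selftests "alg1 alg2 ..." < dmesg-output
# Prints the expected algorithms that have no pass line, space separated,
# and returns 0 only when every expected algorithm was seen.
missing_selftests() {
    passes=$(selftest_passes | cut -d' ' -f1 | sort -u)
    missing=
    for alg in $1; do
        printf '%s\n' "$passes" | grep -Fqx -- "$alg" || missing="$missing $alg"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample ring-buffer content (not captured from a real system).
SAMPLE_DMESG='[    0.801122] random: constructed unrelated line
[    0.912345] alg: self-tests for hmac(sha1-generic) (hmac(sha1)) passed
[    0.913001] alg: self-tests for sha512-generic (sha512) passed
[    0.950440] alg: self-tests for cbc-aes-aesni (cbc(aes)) passed'

absent=$(printf '%s\n' "$SAMPLE_DMESG" |
         missing_selftests 'hmac(sha1) sha512 hmac(sha512)') ||
    echo "sample: no pass message for: $absent"

# Live use: dmesg | missing_selftests 'hmac(sha1) sha512'
```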


11. Mitigation of Other Attacks

The module does not claim to mitigate against any attacks.


Acronyms, Terms and Abbreviations

| Term | Definition |
|---|---|
| AES | Advanced Encryption Standard |
| CAVP | Cryptographic Algorithm Validation Program |
| CMVP | Cryptographic Module Validation Program |
| CSE | Communications Security Establishment |
| CSP | Critical Security Parameter |
| DH | Diffie-Hellman |
| DHE | Diffie-Hellman Ephemeral |
| DRBG | Deterministic Random Bit Generator |
| ECDH | Elliptic Curve Diffie-Hellman |
| ECDSA | Elliptic Curve Digital Signature Algorithm |
| EDC | Error Detection Code |
| HMAC | (Keyed) Hash Message Authentication Code |
| IKE | Internet Key Exchange |
| KAT | Known Answer Test |
| KDF | Key Derivation Function |
| NIST | National Institute of Standards and Technology |
| PAA | Processor Algorithm Acceleration |
| PBKDF | Password Based Key Derivation Function |
| POST | Power On Self Test |
| PR | Prediction Resistance |
| PSS | Probabilistic Signature Scheme |
| PUB | Publication |
| SHA | Secure Hash Algorithm |

Table 13: Acronyms


References

The FIPS 140-2 standard, and information on the CMVP, can be found at http://csrc.nist.gov/groups/STM/cmvp/index.html. More information describing the module can be found on the Oracle web site at https://www.oracle.com/linux/.

This Security Policy contains non-proprietary information. All other documentation submitted for FIPS 140-2 conformance testing and validation is "Oracle-Proprietary" and is releasable only under appropriate non-disclosure agreements.

| Document | Author | Title |
|---|---|---|
| FIPS PUB 140-2 | NIST | FIPS PUB 140-2: Security Requirements for Cryptographic Modules |
| FIPS IG | NIST | Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program |
| FIPS PUB 140-2 Annex A | NIST | FIPS 140-2 Annex A: Approved Security Functions |
| FIPS PUB 140-2 Annex B | NIST | FIPS 140-2 Annex B: Approved Protection Profiles |
| FIPS PUB 140-2 Annex C | NIST | FIPS 140-2 Annex C: Approved Random Number Generators |
| FIPS PUB 140-2 Annex D | NIST | FIPS 140-2 Annex D: Approved Key Establishment Techniques |
| DTR for FIPS PUB 140-2 | NIST | Derived Test Requirements (DTR) for FIPS PUB 140-2, Security Requirements for Cryptographic Modules |
| NIST SP 800-67 | NIST | Recommendation for the Triple Data Encryption Algorithm TDEA Block Cypher |
| FIPS PUB 197 | NIST | Advanced Encryption Standard |
| FIPS PUB 198-1 | NIST | The Keyed Hash Message Authentication Code (HMAC) |
| FIPS PUB 186-4 | NIST | Digital Signature Standard (DSS) |
| FIPS PUB 180-4 | NIST | Secure Hash Standard (SHS) |
| NIST SP 800-131A | NIST | Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes |
| PKCS#1 | RSA Laboratories | PKCS#1 v2.1: RSA Cryptographic Standard |

Table 14: References