Document Version 1.1 © Oracle Corporation. This document may be reproduced whole and intact including the Copyright notice.
FIPS 140-2 Non-Proprietary Security Policy
Oracle Linux 7 Kernel Crypto API Cryptographic Module
FIPS 140-2 Level 1 Validation
Software Version: R7-2.0.0
Date: December 7, 2018
Oracle Linux 7 Kernel Crypto API Cryptographic Module Security Policy

Title: Oracle Linux 7 Kernel Crypto API Cryptographic Module Security Policy
December 07, 2018
Author: Atsec Information Security
Contributing Authors:
Oracle Linux Engineering
Oracle Security Evaluations – Global Product Security
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and intact including this copyright notice.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
TABLE OF CONTENTS
1. Introduction ..... 1
1.1 Overview ..... 1
1.2 Document Organization ..... 1
2. Oracle Linux 7 Kernel Crypto API Cryptographic Module ..... 2
2.1 Functional Overview ..... 2
2.2 FIPS 140-2 Validation Scope ..... 2
3. Cryptographic Module Specification ..... 3
3.1 Definition of the Cryptographic Module ..... 3
3.2 Definition of the Physical Cryptographic Boundary ..... 4
3.3 Modes of Operation ..... 4
3.4 Approved or Allowed Security Functions ..... 4
3.5 Non-Approved but Allowed Security Functions ..... 9
3.6 Non-Approved Security Functions ..... 9
4. Module Ports and Interfaces ..... 10
5. Physical Security ..... 11
6. Operational Environment ..... 12
6.1 Tested Environments ..... 12
6.2 Vendor Affirmed Environments ..... 12
7. Roles, Services and Authentication ..... 17
7.1 Roles ..... 17
7.2 FIPS Approved Operator Services and Descriptions ..... 17
7.3 Non-FIPS Approved Services and Descriptions ..... 18
7.4 Operator Authentication ..... 18
8. Key and CSP Management ..... 19
8.1 Random Number Generation ..... 19
8.2 Key Entry/Output ..... 20
8.3 Key/CSP Storage ..... 20
8.4 Key/CSP Zeroization ..... 20
9. Self-Tests ..... 21
9.1 Power-Up Self-Tests ..... 21
9.1.1 Integrity Tests ..... 21
9.2 Conditional Self-Tests ..... 22
10. Crypto-Officer and User Guidance ..... 23
10.1 Crypto-Officer Guidance ..... 23
10.1.1 Secure Installation and Startup ..... 23
10.1.2 FIPS 140-2 and AESNI Support ..... 24
10.2 User Guidance ..... 24
10.2.1 AES-XTS Usage ..... 24
10.2.2 AES-GCM Usage ..... 25
10.2.3 Triple-DES Usage ..... 25
10.3 Handling Self-Test Errors ..... 25
11. Mitigation of Other Attacks ..... 26
Acronyms, Terms and Abbreviations ..... 27
References ..... 28
List of Tables
Table 1: FIPS 140-2 Security Requirements ..... 2
Table 2: FIPS Approved or Allowed Security Functions ..... 9
Table 3: Non-Approved but Allowed Functions ..... 9
Table 4: Non-Approved Disallowed Functions ..... 9
Table 5: Mapping of FIPS 140 Logical Interfaces to Logical Ports ..... 10
Table 6: Tested Operating Environment ..... 12
Table 7: Vendor Affirmed Operating Environment ..... 16
Table 8: FIPS Approved Operator Services and Descriptions ..... 18
Table 9: Non-FIPS Approved Operator Services and Descriptions ..... 18
Table 10: CSP Table ..... 19
Table 11: Power-On Self-Tests ..... 21
Table 12: Conditional Self-Tests ..... 22
Table 13: Acronyms ..... 27
Table 14: References ..... 28

List of Figures
Figure 1: Oracle Linux 7 Kernel Crypto API Logical Cryptographic Boundary ..... 3
Figure 2: Oracle Linux 7 Kernel Crypto API Hardware Block Diagram ..... 4
1. Introduction

1.1 Overview
This document is the Security Policy for the Oracle Linux 7 Kernel Crypto API Cryptographic Module by Oracle Corporation. The Oracle Linux 7 Kernel Crypto API Cryptographic Module is also referred to as "the Module" or "Module". This Security Policy specifies the security rules under which the module shall operate to meet the requirements of FIPS 140-2 Level 1. It also describes how the Oracle Linux 7 Kernel Crypto API Cryptographic Module functions in order to meet the FIPS requirements, and the actions that operators must take to maintain the security of the module.
This Security Policy describes the features and design of the Oracle Linux 7 Kernel Crypto API Cryptographic Module using the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CSE Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information.
1.2 Document Organization
The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:
• Oracle Linux 7 Kernel Crypto API Cryptographic Module Non-Proprietary Security Policy
• Other supporting documentation as additional references.
With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Oracle and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Oracle.
2. Oracle Linux 7 Kernel Crypto API Cryptographic Module

2.1 Functional Overview
The Oracle Linux 7 Kernel Crypto API Cryptographic Module (hereafter referred to as the "Module") is a software-only cryptographic module that provides general-purpose cryptographic services to the remainder of the Linux kernel. The Module is a software-only, security level 1 cryptographic module running on a multi-chip standalone platform.
2.2 FIPS 140-2 Validation Scope
The following table shows the security level claimed for each of the eleven sections of the validation. See Table 1 below.

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles, Services and Authentication | 1 |
| Finite State Machine Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | N/A |

Table 1: FIPS 140-2 Security Requirements
3. Cryptographic Module Specification

3.1 Definition of the Cryptographic Module
The Oracle Linux 7 Kernel Crypto API is a software-only multi-chip standalone module as defined by the requirements within FIPS PUB 140-2. The logical cryptographic boundary of the module consists of the kernel binary files listed below and their integrity check HMAC files, which are delivered through Oracle Public Yum as RPM packages.
The components required for the module to operate are:
• Oracle Linux 7 Kernel Crypto API Cryptographic Module, kernel RPM version 3.10.0-862.3.3.0.1.el7.x86_64
• The module instantiation provided by the dracut-fips and dracut-fips-aesni packages, RPM version 033-535.0.2.el7.x86_64
• The bound module Oracle Linux NSS Cryptographic Module with FIPS 140-2 Certificate #3143 (hereafter referred to as the "NSS bound module" or "NSS module")
• The contents of the hmaccalc RPM package, version 0.9.13-4.el7.x86_64
The Oracle Linux 7 Kernel Crypto API RPM package of the Module includes the binary files, integrity check HMAC files and man pages. The files comprising the module are the following:
• kernel loadable components: /lib/modules/$(uname -r)/kernel/crypto/*.ko
• kernel loadable components: /lib/modules/$(uname -r)/kernel/arch/x86/crypto/*.ko
• static kernel binary: /boot/vmlinuz-$(uname -r)
• sha512hmac binary file for performing the integrity checks: /usr/bin/sha512hmac
• sha512hmac binary HMAC file: /usr/lib64/hmaccalc/sha512hmac.hmac
The NSS bound module provides the HMAC-SHA-512 algorithm used by the sha512hmac binary file to verify the integrity of both the sha512hmac file itself and vmlinuz (the static kernel binary).
Figure 1 shows the logical block diagram of the module executing in memory on the host system.
Figure 1: Oracle Linux 7 Kernel Crypto API Logical Cryptographic Boundary
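The integrity check described above, modelled in Python as an added example; this is not hmaccalc's or the kernel's own code. It assumes, as hmaccalc does, a fixed HMAC-SHA-512 key compiled into the checker (the placeholder key and the sha512sum-style `<digest>  <path>` record layout are this example's assumptions, not the real values), and it reproduces the ordering the text implies: the checker verifies its own .hmac file before anything else, so a tampered sha512hmac cannot vouch for a tampered kernel. The file contents are constructed stand-ins, not real kernel images.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumption: the checker, like hmaccalc, uses a fixed key compiled into the binary.
# This placeholder is NOT the key hmaccalc uses; it only makes the model self-contained.
INTEGRITY_KEY = b"example-fixed-integrity-key"

CHECKER = "/usr/bin/sha512hmac"            # verifies itself first (section 3.1)
KERNEL = "/boot/vmlinuz-3.10.0-862.3.3.0.1.el7.x86_64"
MODULE = "/lib/modules/3.10.0-862.3.3.0.1.el7.x86_64/kernel/crypto/aes_generic.ko"


def file_hmac(data: bytes) -> str:
    """HMAC-SHA-512 over the complete file contents, hex encoded (the stored .hmac value)."""
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha512).hexdigest()


def make_hmac_file(path: str, data: bytes) -> str:
    """Companion .hmac record for `path`; the sha512sum-style layout is an assumption."""
    return f"{file_hmac(data)}  {path}\n"


def parse_hmac_file(text: str) -> Dict[str, str]:
    """Parse '<hex digest>  <path>' records into {path: digest}; reject malformed lines."""
    records: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 128 or not path:
            raise ValueError(f"malformed .hmac record: {line!r}")
        records[path] = digest.lower()
    return records


def verify_component(path: str, data: bytes, hmac_text: str) -> bool:
    """Recompute the HMAC and compare it in constant time with the stored digest."""
    stored = parse_hmac_file(hmac_text).get(path)
    if stored is None:
        return False
    return hmac.compare_digest(file_hmac(data), stored)


def power_up_integrity_check(files: Dict[str, bytes],
                             hmac_files: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Model of the start-up integrity check.

    files      : {path: contents} of the components inside the logical boundary
    hmac_files : {path: contents of that component's .hmac file}
    The checker must pass on itself before it is trusted to check anything else;
    any failure means the module must not enter FIPS mode. Returns (passed, failures).
    """
    if (CHECKER not in files or CHECKER not in hmac_files
            or not verify_component(CHECKER, files[CHECKER], hmac_files[CHECKER])):
        return False, [CHECKER]
    failures = [path for path, data in files.items()
                if path != CHECKER
                and not verify_component(path, data, hmac_files.get(path, ""))]
    return not failures, failures


def build_sample_system(tamper_kernel: bool = False) -> Tuple[Dict[str, bytes], Dict[str, str]]:
    """Constructed stand-in for an installed system (not real binaries)."""
    files = {
        CHECKER: b"\x7fELF constructed sha512hmac binary",
        KERNEL: b"constructed static kernel image",
        MODULE: b"constructed aes_generic kernel object",
    }
    hmac_files = {path: make_hmac_file(path, data) for path, data in files.items()}
    if tamper_kernel:
        files[KERNEL] = files[KERNEL] + b"\x00"   # a single appended byte is enough to fail
    return files, hmac_files


if __name__ == "__main__":
    print(power_up_integrity_check(*build_sample_system()))                    # (True, [])
    print(power_up_integrity_check(*build_sample_system(tamper_kernel=True)))  # (False, [KERNEL])
```

The constant-time comparison matters less here than the ordering: because the .hmac values are keyed, an attacker who can replace vmlinuz but not the checker cannot simply regenerate a matching digest, and because the checker is verified first, replacing the checker is detected before it is allowed to report on anything else.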
3.2 Definition of the Physical Cryptographic Boundary
The physical cryptographic boundary is defined as the hard enclosure of the host system on which the module runs. See Figure 2 below. No components are excluded from the requirements of FIPS PUB 140-2.
Figure 2: Oracle Linux 7 Kernel Crypto API Hardware Block Diagram
3.3 Modes of Operation
The module supports two modes of operation: the FIPS approved mode and the non-approved mode. Switching between the modes is implicit and depends on the service invoked.
Section 10.1.1 describes the secure installation and startup steps needed to correctly install and configure the module. The module enters the FIPS approved mode after correct initialization and successful completion of the power-on self-tests.
Invoking a non-Approved algorithm, or a non-Approved key size with an Approved algorithm, as listed in Table 4, will result in the module implicitly entering the non-FIPS mode of operation. After completion of that service the module implicitly transitions back to the FIPS mode; depending on the next service call it will either remain in FIPS mode or transition to the non-approved mode again. Because the transition is implicit and not signalled by the module, an operator who must remain in FIPS mode is responsible for invoking only the services of Table 8.
The approved services available in FIPS mode can be found in section 7.2, Table 8. The non-approved services available in non-FIPS mode can be found in section 7.3, Table 9.
3.4 Approved or Allowed Security Functions
The Oracle Linux 7 Kernel Crypto API Cryptographic Module contains the FIPS Approved algorithms listed in Table 2. Each row names the kernel implementation tested and the CAVP certificate numbers issued for it. Notation: (e/d) encryption and decryption tested, (e) encryption only, (d) decryption only; ext only: CTR with the counter supplied externally; KS: key size; BS: block size.

| Algorithm | Implementation | Approved or Allowed Security Functions | Certificate |
|---|---|---|---|
| AES | aesasm | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0-32) (Nonce Lengths: 7, 8, 9, 10, 11, 12, 13) (Tag Lengths: 4, 6, 8, 10, 12, 14, 16); CMAC Generation and Verification (AES-128, 192, 256), Block Sizes: Full, Partial, Message Length: 0-65536, Tag Length: 0-16; GCM (KS: AES_128, AES_192, AES_256) (d), Tag Lengths: 128, 120, 112, 104, 96, 64, 32, PT Lengths Tested: 0, 128, 256, 120, 248, AAD Lengths Tested: 0, 128, 256, 120, 248, 96-bit IV supported; XTS (KS: XTS_128, XTS_256) (e/d) (f) | 5407, 5488 |
| AES | aesgen | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); CCM Key Lengths: 128, 192, 256 bits, Tag Lengths: 32, 48, 64, 80, 96, 112, 128 bits, IV Lengths: 56, 64, 72, 80, 88, 96, 104 bits, Plaintext Length: 0-32, AAD Length: 0-65536; CMAC Generation and Verification (AES-128, 192, 256), Block Sizes: Full, Partial, Message Length: 0-65536, Tag Length: 0-16; GCM (KS: AES_128, AES_192, AES_256) (d), Tag Lengths: 128, 120, 112, 104, 96, 64, 32, PT Lengths Tested: 0, 128, 256, 120, 248, AAD Lengths Tested: 0, 128, 256, 120, 248, 96-bit IV supported; XTS (KS: XTS_128, XTS_256) (e/d) (f) | 5408, 5490 |
| AES | aesgen_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); GCM (KS: AES_128, AES_192, AES_256) (e), Tag Lengths: 64, 96, 128, IV Generated: Internally (using Section 8.2.1), PT Lengths Tested: 128, 256, 120, 248, AAD Lengths Tested: 64, 96, 96-bit IV supported | 5421, 5491 |
| AES | aesasm_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); GCM (KS: AES_128, AES_192, AES_256) (e), Tag Lengths: 128, 96, 64, IV Generated: Internally (using Section 8.2.1), PT Lengths Tested: 128, 256, 120, 248, AAD Lengths Tested: 64, 96, 96-bit IV supported | 5420, 5489 |
| AES | aesni_blkasm | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); GCM (KS: AES_128, AES_192, AES_256) (d), Tag Lengths: 128, 96, 64, PT Lengths Tested: 128, 256, 120, 248, AAD Lengths Tested: 64, 96, 96-bit IV supported; XTS (KS: XTS_128, XTS_256) (e/d) (f) | 5410, 5493 |
| AES | aesni | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); CCM Key Lengths: 128, 192, 256 bits, Tag Lengths: 32, 48, 64, 80, 96, 112, 128 bits, IV Lengths: 56, 64, 72, 80, 88, 96, 104 bits, Plaintext Length: 0-32, AAD Length: 0-65536; CMAC Generation and Verification (AES-128, 192, 256), Block Sizes: Full, Partial, Message Length: 0-65536, Tag Length: 0-16; GCM (KS: AES_128, AES_192, AES_256) (d), Tag Lengths: 32, 64, 96, 104, 112, 120, 128, PT Lengths Tested: 0, 128, 256, 120, 248, AAD Lengths Tested: 0, 120, 128, 248, 256, 96-bit IV supported; XTS (KS: XTS_128, XTS_256) (e/d) (f) | 5409, 5492 |
| AES | aesni_blkasm_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); GCM (KS: AES_128, AES_192, AES_256) (e), IV Generation: Internal (using Section 8.2.1), Key Lengths: 128, 192, 256 bits, Tag Lengths: 64, 96, 128 bits, Plaintext Lengths: 120, 128, 248, 256 bits, 96-bit IV supported | 5411, 5494 |
| AES | aesni_iiv | CBC, ECB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256); GCM (KS: AES_128, AES_192, AES_256) (e), Tag Lengths: 64, 96, 128, PT Lengths Tested: 120, 128, 248, 256, AAD Lengths Tested: 64, 96, 96-bit IV supported | 5422, 5495 |
| Triple-DES | C implementation | TCBC, TECB (KO1 e/d); CTR (ext only); CMAC Generation and Verification, 3-Key, Block Sizes: Full, Partial, Message Length: 0-65536, Tag Length: 0-8 | 2729, 2763 |
| SHS | Generic C implementation | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (BYTE-only) | 4342, 4591 |
| SHS | shaavx | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (BYTE-only) | 4352, 4418 |
| SHS | shaavx2 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (BYTE-only) | 4341, 4405 |
| SHS | shamb | SHA-256, SHA-512 (BYTE-only) | 4363, 4417 |
| HMAC | Generic C implementation | HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KS<BS, KS=BS, KS>BS) | 3583, 3816 |
| HMAC | shaavx | HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KS<BS, KS=BS, KS>BS) | 3590, 3662 |
| HMAC | shaavx2 | HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KS<BS, KS=BS, KS>BS) | 3582, 3646 |
| HMAC | shamb | HMAC-SHA256, HMAC-SHA512 (Key Size Ranges Tested: KS<BS, KS=BS, KS>BS) | 3602, 3661 |
| RSA | shagen | FIPS 186-4: RSASSA-PKCS1_v1_5 Signature Verification, 2048 and 3072 bit, with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 2892, 3072 |
| RSA | shaavx | FIPS 186-4: RSASSA-PKCS1_v1_5 Signature Verification, 2048 and 3072 bit, with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 2905, 2954 |
| RSA | shaavx2 | FIPS 186-4: RSASSA-PKCS1_v1_5 Signature Verification, 2048 and 3072 bit, with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 2891, 2949 |
| RSA | shamb | FIPS 186-4: RSASSA-PKCS1_v1_5 Signature Verification, 2048 and 3072 bit, with SHA-256, SHA-512 | 2920, 2953 |
| DRBG | aesasm | CTR_DRBG (AES-128, AES-192, AES-256, block cipher with derivation function), Prediction Resistance Tested: Enabled and Not Enabled | 2103, 2163 |
| DRBG | aesni | CTR_DRBG (AES-128, AES-192, AES-256, block cipher with derivation function), Prediction Resistance Tested: Enabled and Not Enabled | 2105, 2165 |
| DRBG | aesgen | CTR_DRBG (AES-128, AES-192, AES-256, block cipher with derivation function), Prediction Resistance Tested: Enabled and Not Enabled | 2104, 2164 |
| DRBG | shagen | Hash_DRBG and HMAC_DRBG (SHA-1, SHA-256, SHA-384, SHA-512), Prediction Resistance Tested: Enabled and Not Enabled | 2107, 2363 |
| DRBG | shaavx | Hash_DRBG and HMAC_DRBG (SHA-1, SHA-256, SHA-384, SHA-512), Prediction Resistance Tested: Enabled and Not Enabled | 2116, 2175 |
| DRBG | shaavx2 | Hash_DRBG and HMAC_DRBG (SHA-1, SHA-256, SHA-384, SHA-512), Prediction Resistance Tested: Enabled and Not Enabled | 2106, 2166 |
| DRBG | shamb | Hash_DRBG and HMAC_DRBG (SHA-256, SHA-512), Prediction Resistance Tested: Enabled and Not Enabled | 2128, 2174 |
| HMAC (used from the bound NSS module) | NSS bound module | HMAC-SHA512 (Key Size Ranges Tested: KS<BS, KS=BS, KS>BS) | 3077, 3767 |

Table 2: FIPS Approved or Allowed Security Functions
3.5 Non-Approved but Allowed Security Functions
The following algorithm is considered non-Approved but is allowed to be used in a FIPS-approved mode:

| Algorithm | Usage |
|---|---|
| NDRNG from Linux RNG | Used for seeding the NIST SP 800-90A DRBG |

Table 3: Non-Approved but Allowed Functions

3.6 Non-Approved Security Functions
The following algorithms are considered non-Approved and may not be used in a FIPS-approved mode of operation:

| Algorithm | Usage |
|---|---|
| AES-XTS (192-bit) | Encrypt/Decrypt |
| AES GCM | Encryption with external IV |
| DES | Encrypt/Decrypt |
| SHA-1 (multiple-buffer) | Any use of SHA1-mb (CAVS tested Certs #4363, #4417; KAT not performed) |
| ANSI X9.31 RNG | Key and Seed Generation |
| Jitter RNG | Non-Deterministic Random Number Generation |

Table 4: Non-Approved Disallowed Functions
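Table 2 marks AES-GCM encryption as approved only when the IV is generated inside the module ("IV Generated: Internally (using Section 8.2.1)" of SP 800-38D), and Table 4 lists GCM encryption with a caller-supplied IV as non-approved. The Python below is an added example, not the kernel's code, of what internal IV generation means in practice: the deterministic construction of SP 800-38D section 8.2.1 with a 32-bit fixed field and a 64-bit invocation counter, the 2^32 per-key invocation limit of SP 800-38D section 8.3 after which a new key must be established, the implicit mode rule of section 3.3 applied to the IV, and a scan that finds IV reuse under a key in an audit trail of (key id, IV) records. The `limit` parameter, the labels "approved"/"non-approved" and the sample records are this example's own assumptions.

```python
from typing import Iterable, List, Optional, Set, Tuple

IV_BYTES = 12                 # 96-bit IV, the length Table 2 lists as supported
FIXED_FIELD_BYTES = 4         # SP 800-38D 8.2.1 suggested layout for 96-bit IVs: 32-bit fixed field
INVOCATION_FIELD_BYTES = 8    # followed by a 64-bit invocation (counter) field
MAX_INVOCATIONS_PER_KEY = 2 ** 32   # SP 800-38D 8.3: total GCM invocations allowed under one key


class GcmIvGenerator:
    """Deterministic IV construction for one GCM key on one device (SP 800-38D 8.2.1).

    IV = fixed_field || invocation_counter. The fixed field identifies the device or
    context and must differ between devices that share the key; the counter is never
    reused. The caller never chooses the IV, which is what 'IV Generated: Internally'
    in Table 2 means, and why the module can guarantee uniqueness.
    """

    def __init__(self, fixed_field: int, limit: int = MAX_INVOCATIONS_PER_KEY):
        if not 0 <= fixed_field < 2 ** (8 * FIXED_FIELD_BYTES):
            raise ValueError("fixed field must fit in 32 bits")
        self._fixed = fixed_field.to_bytes(FIXED_FIELD_BYTES, "big")
        self._counter = 0
        self._limit = limit        # assumption: lowered only in tests to exercise exhaustion

    @property
    def invocations(self) -> int:
        return self._counter

    def next_iv(self) -> bytes:
        """Return the next 96-bit IV; raise once the per-key limit is reached.

        After exhaustion the key must be replaced. The counter is not reset, so a
        second call after the error still fails rather than wrapping to a reused IV.
        """
        if self._counter >= self._limit:
            raise RuntimeError("GCM invocation limit reached for this key; establish a new key")
        iv = self._fixed + self._counter.to_bytes(INVOCATION_FIELD_BYTES, "big")
        self._counter += 1
        return iv


def select_gcm_iv(generator: GcmIvGenerator, external_iv: Optional[bytes]) -> Tuple[bytes, str]:
    """Apply the implicit mode rule of section 3.3 to the GCM IV.

    No external IV: the module generates it and the service is approved.
    External IV: accepted, but this is the non-approved service of Table 4, so the
    module is in non-FIPS mode for this call and the caller has to know that.
    """
    if external_iv is None:
        return generator.next_iv(), "approved"
    if len(external_iv) != IV_BYTES:
        raise ValueError("external IV must be 96 bits")
    return external_iv, "non-approved"


def find_iv_reuse(records: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
    """Return each (key_id, iv) pair that occurs more than once in an audit trail.

    Any hit is a GCM nonce reuse: the keystream is repeated and the authentication
    subkey becomes recoverable, so the key involved must be treated as compromised.
    """
    seen: Set[Tuple[str, bytes]] = set()
    reused: List[Tuple[str, bytes]] = []
    for key_id, iv in records:
        pair = (key_id, iv)
        if pair in seen and pair not in reused:
            reused.append(pair)
        seen.add(pair)
    return reused


if __name__ == "__main__":
    # Constructed scenario: two devices wrongly configured with the same fixed field
    # under the same key collide on their very first IV.
    dev_a, dev_b = GcmIvGenerator(0x7), GcmIvGenerator(0x7)
    trail = [("key-1", dev_a.next_iv()), ("key-1", dev_b.next_iv()), ("key-1", dev_a.next_iv())]
    print(find_iv_reuse(trail))   # [('key-1', b'\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00')]
```

The generator never hands the counter to the caller and never wraps it, which is the property an external IV cannot provide: the module has no way to know whether a caller-supplied IV was already used under the key, so the only safe policy is the one Table 4 states.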
4. Module Ports and Interfaces
The module interfaces can be categorized as follows:
• Data Input Interface
• Data Output Interface
• Control Input Interface
• Status Output Interface
The module can be accessed by utilizing the API it exposes. The table below shows the mapping of ports and interfaces as per the FIPS 140-2 Standard.

| FIPS 140 Interface | Module Interfaces |
|---|---|
| Data Input | API input parameters |
| Data Output | API output parameters |
| Control Input | API function calls, kernel command line |
| Status Output | API return codes, kernel logs |

Table 5: Mapping of FIPS 140 Logical Interfaces to Logical Ports
5. Physical Security
The Module is comprised of software only and thus does not claim any physical security.
6. Operational Environment

6.1 Tested Environments
The module operates in a modifiable operational environment per the FIPS 140-2 level 1 specifications. The Module was tested on the following environments, with and without PAA (i.e. AES-NI):

| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64-bit | Intel(R) Xeon(R) E5-2699 v4 | Oracle Server X6-2 |
| Oracle Linux 7.3 64-bit | Intel(R) Xeon(R) Silver 4114 | Oracle Server X7-2 |

Table 6: Tested Operating Environment
6.2 Vendor Affirmed Environments
The following platforms have not been tested as part of the FIPS 140-2 level 1 certification; however, Oracle "vendor affirms" that these platforms are equivalent to the tested and validated platforms. Additionally, Oracle affirms that the module will function the same way and provide the same security services on any of the systems listed below.
| Operating Environment | Processor | Hardware |
|---|---|---|
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600/E5-2600 v2 | Cisco UCS B200 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Cisco UCS B200 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS B200 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | Cisco UCS B22 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800/E7-8800 | Cisco UCS B230 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800/E7-8800 v3 | Cisco UCS B260 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600/E5-4600 v2 | Cisco UCS B420 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 & v4 | Cisco UCS B420 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800/E7-8800 | Cisco UCS B440 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800 v2/E7-4800 v2/E7-8800 v2/E7-4800 v3/E7-8800 v3 | Cisco UCS B460 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS B480 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | Cisco UCS C22 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600/E5-2600 v2 | Cisco UCS C220 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Cisco UCS C220 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS C220 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | Cisco UCS C24 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600/E5-2600 v2 | Cisco UCS C240 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Cisco UCS C240 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS C240 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-2800 v2/E7-4800 v2, v3 & v4/E7-8800 v2 & v4 | Cisco UCS C460 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Cisco UCS C480 M5 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® D-1500 | Cisco UCS E1120D-M3/K9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® D-1500 | Cisco UCS E180D-M3/K9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge FC630 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 | Dell PowerEdge FC830 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge M630 Blade |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v4 | Dell PowerEdge M830 Blade |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge R630 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge R730 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge R730xd |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4 | Dell PowerEdge R930 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Dell PowerEdge T630 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2/E7-8800 v2 | Fujitsu PRIMEQUEST 2400E |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400E2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400E3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Fujitsu PRIMEQUEST 2400L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400L2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400L3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Fujitsu PRIMEQUEST 2400S |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2 | Fujitsu PRIMEQUEST 2400S Lite |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400S2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2400S2 Lite |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400S3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2400S3 Lite |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Fujitsu PRIMEQUEST 2800B |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2800B2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2800B3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Fujitsu PRIMEQUEST 2800E |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2800E2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2800E3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Fujitsu PRIMEQUEST 2800L |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Fujitsu PRIMEQUEST 2800L2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v4 | Fujitsu PRIMEQUEST 2800L3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMEQUEST 3800B |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Fujitsu PRIMERGY BX2580 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Fujitsu PRIMERGY BX2580 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY CX2560 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Fujitsu PRIMERGY RX2530 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Fujitsu PRIMERGY RX2530 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY RX2530 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | Fujitsu PRIMERGY RX2540 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Fujitsu PRIMERGY RX2540 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY RX2540 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2/E7-8800 v2 | Fujitsu PRIMERGY RX4770 M1 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v3/E7-8800 v3 | Fujitsu PRIMERGY RX4770 M2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | Fujitsu PRIMERGY RX4770 M3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Fujitsu PRIMERGY RX4770 M4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Hitachi Compute Blade 2500 CB520H B4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Hitachi Compute Blade 2500 CB520X B2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v3 | Hitachi Compute Blade 2500 CB520X B3 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Hitachi Compute Blade 500 CB520H B4 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-8800 v2 | Hitachi Compute Blade 500 CB520X B2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | Hitachi QuantaGrid D51B-2U |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | Hitachi QuantaPlex T41S-2U |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Hitachi Vantara Hitachi Advanced Server DS120 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Hitachi Vantara Hitachi Advanced Server DS220 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® Scalable Processors | Hitachi Vantara Hitachi Advanced Server DS240 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | HPE Integrity MC990 X |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v2 | HPE ProLiant BL460c Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 | HPE ProLiant BL460c Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 | HPE ProLiant BL660c Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL160 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL180 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Pentium® G2120 & Intel® Xeon® E3-1200 v2 | HPE ProLiant DL320e Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Pentium® G3200-series/G3420, Core i3-4100-series / Intel® Xeon® E3-12 v3 | HPE ProLiant DL320e Gen8 v2 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL360 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | HPE ProLiant DL360e Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL360p Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant DL380 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2400/E5-2400 v2 | HPE ProLiant DL380e Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600/E5-4600 v2 | HPE ProLiant DL560 Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-4600 v3 & v4 | HPE ProLiant DL560 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v2/E7-8800 v2 | HPE ProLiant DL580 Gen8 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v3/E7-8800 v3 | HPE ProLiant DL580 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v3 & v4 | HPE ProLiant ML350 Gen9 |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E5-2600 v4 | HPE Synergy 480 Gen9 Compute Module |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | HPE Synergy 620 Gen9 Compute Module |
| Oracle Linux 7.3 64-bit | Intel® Xeon® E7-4800 v4/E7-8800 v4 | HPE Synergy 680 Gen9 Compute Module |
OracleLinux7.364-bit Intel®Xeon®ScalableProcessors HuaweiFusionServer1288HV5
OracleLinux7.364-bit Intel®Xeon®ScalableProcessors HuaweiFusionServer2288HV5
OracleLinux7.364-bit Intel®Xeon®ScalableProcessors HuaweiFusionServerCH121V5
OracleLinux7.364-bit Intel®Xeon®ScalableProcessors HuaweiFusionServerCH121LV5
OracleLinux7.364-bit Intel®Xeon®ScalableProcessors HuaweiFusionServerCH242V5
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 HuaweiFusionServerRH2288HV3
OracleLinux7.364-bit Intel®Xeon®ScalableProcessors HuaweiFusionServerXH321V5
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 InspurYingxinNF5170M4
OracleLinux7.364-bit Intel®Xeon®E5-2600v3 InspurYingxinNF5180M4
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 InspurYingxinNF5240M4
Page 19
OracleLinux7KernelCryptoAPICryptographicModuleSecurityPolicy Page15of28
OperatingEnvironment Processor HardwareOracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 InspurYingxinNF5270M4
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 InspurYingxinNF5280M4
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 InspurYingxinNF5460M4
OracleLinux7.364-bit Intel®Xeon®E7-4800v3&v4/E7-8800v3&v4 InspurYingxinNX8480M4
OracleLinux7.364-bit Intel®Xeon®Scalable
8100/6100/5100/4100/3100Processors
LenovoThinkSystemSD530
OracleLinux7.364-bit Intel®Xeon®Scalable
8100/6100/5100/4100/3100Processors
LenovoThinkSystemSN550
OracleLinux7.364-bit Intel®Xeon®Scalable8100/6100/5100
Processors
LenovoThinkSystemSN850
OracleLinux7.364-bit Intel®Xeon®Scalable8100/6100/5100
Processors
LenovoThinkSystemSR850
OracleLinux7.364-bit Intel®Xeon®Scalable8100/6100/5100
Processors
LenovoThinkSystemSR860
OracleLinux7.364-bit Intel®Xeon®Scalable8100/6100/5100
Processors
LenovoThinkSystemSR950
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v4 NECExpress5800/A1040d
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v4 NECExpress5800/A2010d
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v4 NECExpress5800/A2020d
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v4 NECExpress5800/A2040d
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v4 NECNX7700x/A4010M-4
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v4 NECNX7700x/A4012L-1
OracleLinux7.364-bit Intel®Xeon®E7-8800/4800v4 NECNX7700x/A4012L-1D
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v4 NECNX7700x/A4012L-2
OracleLinux7.364-bit Intel®Xeon®E7-8800/4800v4 NECNX7700x/A4012L-2D
OracleLinux7.364-bit Intel®Xeon®E7-4800v3/E7-8800v3 NECNX7700x/A4012M-4
OracleLinux7.364-bit Intel®Xeon®E5-2600v3 OracleNetraServerX5-2
OracleLinux7.364-bit Intel®Xeon®E5-2600v3 OracleServerX5-2
OracleLinux7.364-bit Intel®Xeon®E5-2600v3 OracleServerX5-2L
OracleLinux7.364-bit Intel®Xeon®E7-8800v3 OracleServerX5-4
OracleLinux7.364-bit Intel®Xeon®E7-8800v3 OracleServerX5-8
OracleLinux7.364-bit Intel®Xeon®E5-2600v4 OracleServerX6-2
OracleLinux7.364-bit Intel®Xeon®E5-2600v4 OracleServerX6-2L
OracleLinux7.364-bit Intel®Xeon®E5-2600v4 OracleServerX6-2M
OracleLinux7.364-bit Intel®Xeon®Scalable8100/6100/4100
Processors
OracleServerX7-2
OracleLinux7.364-bit Intel®Xeon®Scalable8100/6100/4100
Processors
OracleServerX7-2L
OracleLinux7.364-bit Intel®Xeon®Scalable8100/6100Processors OracleServerX7-8
OracleLinux7.364-bit Intel®Xeon®x7500-series OracleSunFireX4470
OracleLinux7.364-bit Intel®Xeon®x7500-series OracleSunFireX4800
OracleLinux7.364-bit Intel®Xeon®E7-8800 OracleSunServerX2-8
OracleLinux7.364-bit Intel®Xeon®E7-4800 OracleSunServerX2-4
OracleLinux7.364-bit Intel®Xeon®E5-2600 OracleSunServerX3-2
OracleLinux7.364-bit Intel®Xeon®E5-2600 OracleSunServerX3-2L
OracleLinux7.364-bit Intel®Xeon®E5-2600v2 OracleSunServerX4-2
Page 20
OracleLinux7KernelCryptoAPICryptographicModuleSecurityPolicy Page16of28
OperatingEnvironment Processor HardwareOracleLinux7.364-bit Intel®Xeon®E5-2600v2 OracleSunServerX4-2L
OracleLinux7.364-bit Intel®Xeon®E7-8800v2 OracleSunServerX4-4
OracleLinux7.364-bit Intel®Xeon®E7-8800v2 OracleSunServerX4-8
OracleLinux7.364-bit Intel®Xeon®E7-8800v3&v4 SGIUV300RL
OracleLinux7.364-bit Intel®Xeon®E7-4800v4/E7-8800v3&v4 SGIUV300
OracleLinux7.364-bit AMDOpteron™6000 SugonA840-G10
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 SugonCB50-G20
OracleLinux7.364-bit AMDOpteron™6000 SugonA840-G10
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 SugonCB50-G20
OracleLinux7.364-bit Intel®Xeon®E7-4800v2 SugonCB80-G20
OracleLinux7.364-bit Intel®Xeon®E7-4800v4 SugonCB80-G25
OracleLinux7.364-bit AMDOpteron™6300 SugonCB85-G10
OracleLinux7.364-bit Intel®Xeon®6100,5100,4100,3100 SugonI420-G30
OracleLinux7.364-bit Intel®Xeon®E5-2600v3 SugonI610-G20
OracleLinux7.364-bit Intel®Xeon®E5-2600v3 SugonI620-G20
OracleLinux7.364-bit Intel®Xeon®E7-4800v3&v4 SugonI840-G20
OracleLinux7.364-bit Intel®Xeon®E7-4800v2 SugonI840-G25
OracleLinux7.364-bit Intel®Xeon®E7-4800v2&v3/E7-8800v2&v3 SugonI980-G20
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 SugonTC4600T
OracleLinux7.364-bit Intel®Xeon®E5-2600v3&v4 SupermicroSuperServerSYS-6018U-
TR4T+
Table7:VendorAffirmedOperatingEnvironmentCMVPmakesnostatementastothecorrectoperationofthemoduleorthesecuritystrengthsofthegeneratedkeyswhensoportedifthespecificoperationalenvironmentisnotlistedonthevalidationcertificate.
7. Roles, Services and Authentication

7.1 Roles

The roles are implicitly assumed by the entity accessing the module services. The module supports the following roles:
• User Role: performs symmetric encryption/decryption, keyed hash, message digest, random number generation, show status, zeroization.
• Crypto Officer Role: performs the module installation and configuration, the module's initialization, and self-tests.
7.2 FIPS Approved Operator Services and Descriptions

The table below provides a full description of the FIPS Approved services provided by the module and the roles allowed to invoke each service.

U | CO | Service Name | Service Description | Keys and CSP(s) | Access Type(s)
X | | Symmetric Encryption/Decryption | Encrypts or decrypts a block of data using 3-Key Triple-DES or AES in FIPS mode | AES or 3-Key Triple-DES Key | R, W, X
X | | Keyed Hash (HMAC) | Sign and/or authenticate data using HMAC-SHA | HMAC Key | R, W, X
X | | Message Digest | Hash a block of data using SHS. | None | N/A
X | | Random Number Generation | Generate random numbers based on the NIST SP 800-90A Standard | Entropy input string and seed | R, W, X
X | | Authenticated Encryption | Encrypt-then-MAC cipher (authenc) used for IPsec | AES key, HMAC key | R, W, X
X | | Show Status | Show status of the module state via verbose mode, exit codes and kernel logs (dmesg) | None | N/A
| X | Self-Test | Initiate on-demand power-on self-tests by restarting the device, which will also clear the RAM memory. | None | N/A
X | | Zeroize | Zeroize all critical security parameters when freeing the cipher handler | All keys and CSPs | Z
| X | Module Initialization | Initialize the module into the FIPS Approved Mode | None | N/A
| X | Installation and Configuration | Install and configure the module. | None | N/A
X | | Error detection code¹ | Error detection code using crc32c, crct10dif | None | N/A
X | | Data compression¹ | Performs data compression using deflate, lz4, lz4hc, lzo, zlib, zlib-deflate | None | N/A

R – Read, W – Write, X – Execute, Z – Zeroize

¹ The algorithms used in this service do not provide any cryptographic attribute.
Table 8: FIPS Approved Operator Services and Descriptions

7.3 Non-FIPS Approved Services and Descriptions

The following table lists the non-Approved services available in non-FIPS mode.

U | CO | Service Name | Service Description | Keys and CSP(s) | Access Type(s)
X | | Symmetric Encryption/Decryption | Encrypts or decrypts using non-Approved algorithms | AES-XTS (192-bit key), DES, AES GCM encryption with external IV | R, W, X
X | | Random Number Generation | Generation of random numbers using the ANSI X9.31 PRNG or Jitter RNG. | None | N/A
X | | Message Digest | Hashing using non-approved hash functions from Table 4 | None | N/A
X | | Keyed Hash | HMAC keys < 112 bits. | HMAC keys < 112 bits. | R, W, X

R – Read, W – Write, X – Execute, Z – Zeroize

Table 9: Non-FIPS Approved Operator Services and Descriptions

7.4 Operator Authentication

The module is a Level 1 software-only cryptographic module and does not implement authentication. The role is implicitly assumed based on the service requested.
8. Key and CSP Management

The following keys, cryptographic key components and other critical security parameters are contained in the module.

CSP Name | Generation | Entry/Output | Storage | Zeroization
AES Keys (128, 192, 256 bits) | N/A | Key is passed into the module via API input parameter | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler
Triple-DES Keys (192 bits) | N/A | Key is passed into the module via API input parameter | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler
DRBG Entropy Input String | Obtained from NDRNG | N/A | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler
DRBG internal state (V, key and C values) | Derived from entropy input as defined in NIST SP 800-90A | N/A | kernel memory | Memory is automatically overwritten by zeroes when freeing the cipher handler
HMAC Key (≥112 bits) | N/A | Key is passed into the module via API input parameter | kernel memory | Automatically zeroized when freeing the cipher handle

Table 10: CSP Table

8.1 Random Number Generation

The module employs the Deterministic Random Bit Generator (DRBG) based on [SP800-90A] for the creation of random numbers. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The DRBG is initialized during module initialization. By default the module loads the DRBG using HMAC_DRBG with SHA-512, without prediction resistance. To seed the DRBG, the module uses a Non-Deterministic Random Number Generator (NDRNG) as the entropy source. The NDRNG provides at least 130 bits of entropy to the DRBG during initialization (seed) and reseeding (reseed). The module performs a continuous random number generator test on the output of the NDRNG to ensure that consecutive random numbers do not repeat, and performs the DRBG health tests as defined in section 11.3 of [SP800-90A]. The module does not provide any key generation service or perform key generation for any of its Approved algorithms. Keys are passed in from the calling application via API parameters.

CAVEAT: The module generates random strings whose strengths are modified by available entropy.
8.2 Key Entry/Output

The keys are provided to the module via API input parameters in plaintext form. The keys are not transmitted beyond the physical boundary. The module does not support manual key entry.

8.3 Key/CSP Storage

Symmetric keys and HMAC keys are provided to the module by the calling process, and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of keys. The RSA public key used for signature verification is stored as part of the module and relies on the operating system for its protection.

8.4 Key/CSP Zeroization

The application that uses the module is responsible for the appropriate destruction and zeroization of the key material. The module provides functions for key allocation and destruction. When a calling kernel component calls the appropriate API function, that operation overwrites the memory with 0's and then frees that memory.
9. Self-Tests

FIPS 140-2 requires that the Module perform self-tests to ensure the integrity of the Module and the correctness of the cryptographic functionality at startup. In addition, the module performs a conditional test for the NDRNG. On successful completion of the power-up tests, the module is operational and the crypto services are available. A failure of any of the self-tests panics the Module and no crypto operations are possible. The only recovery is to reboot the module. See section 10.3 for details.

9.1 Power-Up Self-Tests

The module performs power-up self-tests at module initialization without operator intervention. While the module is performing the power-up tests, services are not available and input or output is not possible. The on-demand power-up self-tests can be performed by power cycling the Module or by rebooting the operating system. The table below summarizes the power-on self-tests performed by the module. If the known answer does not match, the test fails. The different implementations of the same algorithms listed in Table 2 are tested separately by performing the known-answer tests using the same test vectors.

Algorithm | Test
AES | KAT; encryption and decryption are tested separately for the modes ECB, CBC, CTR, XTS, GCM, CCM, CMAC
Triple-DES | KAT; encryption and decryption are tested separately for the modes ECB, CBC, CTR, CMAC.
SP 800-90A CTR_DRBG | KAT
SP 800-90A Hash_DRBG | KAT
SP 800-90A HMAC_DRBG | KAT
SHS | SHA-1, SHA-256, SHA-512 KAT
HMAC | HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512 KAT
Module Integrity test | Performed by the sha512hmac application with HMAC-SHA-512 provided by NSS
RSA Signature Verification² | Part of the integrity test (considered as a KAT)

Table 11: Power-On Self-Tests

9.1.1 Integrity Tests

The integrity check of the static kernel binary is performed by the sha512hmac application using HMAC-SHA-512. At runtime, the module invokes the sha512hmac utility to calculate the HMAC value of the static kernel binary file and then compares it with the pre-stored HMAC file in /boot/.vmlinuz-$(uname -r).hmac. The sha512hmac application performs its own integrity check by calculating the HMAC value of its binary and comparing it to the HMAC value stored in sha512hmac.hmac. The HMAC-SHA-512 algorithm is provided by the bound NSS module and is KAT tested before the NSS module makes itself available to the sha512hmac application.

² The RSA signature verification is only used as part of the integrity test and is not available as a service from the module.
The Oracle Linux loadable components (*.ko, referenced in section 3.1) loaded into the Linux kernel during boot time are checked with the RSA signature verification implementation of the Linux kernel to confirm their integrity. If the HMAC values do not match or the RSA signature verification fails, the kernel panics, indicating the error state.

9.2 Conditional Self-Tests

The module performs conditional tests on the cryptographic algorithms shown in the following table:

Algorithm | Test
NDRNG | The module performs conditional self-tests on the output of the NDRNG.

Table 12: Conditional Self-Tests
10. Crypto-Officer and User Guidance

This section provides guidance for the Cryptographic Officer and the User to maintain proper use of the module per FIPS 140-2 requirements.

10.1 Crypto-Officer Guidance

To operate the Kernel Crypto API module, the operating system must be restricted to a single operator mode of operation. (This should not be confused with single-user mode, which is runlevel 1 on Oracle Linux. It refers to processes having access to the same cryptographic instance, which Oracle Linux ensures cannot happen by means of the memory management hardware.)

10.1.1 Secure Installation and Startup

Crypto Officers use the installation instructions to install the Module in their environment. The version of the RPM containing the FIPS validated module is stated in section 3.1 above. The RPM package of the Module can be installed by the standard tools recommended for the installation of Oracle packages on an Oracle Linux system (for example, yum, RPM, and the RHN remote management tool). The integrity of the RPM is automatically verified during the installation of the Module, and the Crypto Officer shall not install the RPM file if the Oracle Linux Yum Server indicates an integrity error. The RPM files listed in section 3 are signed by Oracle and, during installation, Yum performs signature verification, which ensures the secure delivery of the cryptographic module. If the RPM packages are downloaded manually, then the CO should run the 'rpm -K <rpm-file-name>' command after importing the builder's GPG key to verify the package signature. In addition, the CO can also verify the hash of the RPM package to confirm a proper download.

To configure the operating environment to support FIPS, perform the following steps:

1. Install the dracut-fips package:
   # yum install dracut-fips-033-535.0.2.el7.x86_64
2. Recreate the INITRAMFS image:
   # dracut -f

After regenerating the initramfs, the Crypto Officer has to append the following string to the kernel command line by changing the setting in the boot loader:

fips=1

If /boot or /boot/efi resides on a separate partition, the kernel parameter boot=<partition of /boot or /boot/efi> must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example:

$ df /boot
Filesystem     1K-blocks  Used Available Use% Mounted on
/dev/sda1         233191 30454    190296  14% /boot

The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended to the kernel command line:

boot=/dev/sda1

Execute the reboot command to reboot the system and select the newly installed kernel.
10.1.2 FIPS 140-2 and AES-NI Support

According to the Kernel Crypto API FIPS 140-2 Security Policy, the Kernel Crypto API module supports the AES-NI Intel processor instruction set as an approved cipher. The AES-NI instruction set is used by the Module. In case you configured full disk encryption using AES, you may use the AES-NI support for higher performance compared to the software-only implementation. To utilize the AES-NI support, the mentioned Module must be loaded during boot time by installing a plugin. Before you install the plugin, you MUST verify that your processor offers the AES-NI instruction set by calling the following command:

cat /proc/cpuinfo | grep aes

If the command returns a list of properties, including the "aes" string, your CPU provides the AES-NI instruction set. If the command returns nothing, AES-NI is not supported. You MUST NOT install the following plugin if your CPU does not support AES-NI, because the kernel will panic during boot. The support for the AES-NI instruction set during boot time is enabled by installing the following plugin (make sure that the version of the plugin RPM matches the version of the installed RPMs!):

# install the dracut-fips-aesni package
yum install dracut-fips-aesni-033-535.0.2.el7.x86_64
# recreate the initramfs image
dracut -f

The changes come into effect during the next reboot.
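A pre-flight check for the Crypto Officer procedure in sections 10.1.1 and 10.1.2, added here as an example and not part of the Oracle security policy or its tooling: it derives the boot= parameter from df output the way the policy does by hand, and gates the dracut-fips-aesni plugin on the aes CPU flag. Inputs are passed as text; the df, cpuinfo and command-line samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle security policy: pre-flight checks for
# the Crypto Officer steps in sections 10.1.1 and 10.1.2. Every check takes its
# input as text so the constructed samples below can be used; on a real host
# pass "$(df /boot)", "$(cat /proc/cpuinfo)" and "$(cat /proc/cmdline)".

# Print "boot=<device>" when df shows /boot (or /boot/efi) mounted from its own
# partition; print nothing when /boot lives on the root file system.
# Returns 1 if df produced no /dev row at all.
boot_param_from_df() {
    _row=$(printf '%s\n' "$1" | awk '$1 ~ "^/dev/" { print $1, $NF; exit }')
    [ -n "$_row" ] || return 1
    set -- $_row                    # $1 = device, $2 = mount point
    case "$2" in
        /boot|/boot/efi) printf 'boot=%s\n' "$1" ;;
    esac
}

# Kernel command-line additions required by 10.1.1: always fips=1, plus the
# boot= parameter when /boot is a separate partition.
kernel_params_needed() {
    _extra=$(boot_param_from_df "$1") || return 1
    if [ -n "$_extra" ]; then printf 'fips=1 %s\n' "$_extra"; else printf 'fips=1\n'; fi
}

# True when the "flags" line of /proc/cpuinfo lists the whole word "aes"
# (the same signal as the "cat /proc/cpuinfo | grep aes" check in 10.1.2).
cpu_has_aesni() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw 'aes'
}

# 10.1.2: the dracut-fips-aesni plugin may only be installed on a CPU with
# AES-NI, otherwise the kernel panics at boot.
aesni_plugin_decision() {
    if cpu_has_aesni "$1"; then
        echo "dracut-fips-aesni: may be installed (aes flag present)"
    else
        echo "dracut-fips-aesni: do not install (no aes flag)"
    fi
}

# True when fips=1 is already on the running kernel's command line.
cmdline_has_fips() {
    printf '%s\n' "$1" | grep -qw 'fips=1'
}

# Constructed samples. The first df output mirrors the example in 10.1.1.
SAMPLE_DF_SEPARATE='Filesystem     1K-blocks  Used Available Use% Mounted on
/dev/sda1         233191 30454    190296  14% /boot'
SAMPLE_DF_ROOT='Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sda2       41152812 6543210  32496000  17% /'
SAMPLE_CPUINFO_AESNI='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme de pse tsc msr pae sse sse2 ssse3 aes avx'
SAMPLE_CPUINFO_NOAES='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme de pse tsc msr pae sse sse2'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-PLACEHOLDER root=/dev/sda2 ro quiet'

echo "append to kernel command line: $(kernel_params_needed "$SAMPLE_DF_SEPARATE")"
aesni_plugin_decision "$SAMPLE_CPUINFO_AESNI"
cmdline_has_fips "$SAMPLE_CMDLINE" || echo "fips=1 not yet active on the sample command line"
```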
10.2 User Guidance

CTR and RFC 3686 mode must only be used for IPsec. It must not be used otherwise. There are three implementations of AES: aes-generic, aesni-intel, and aes-x86_64 on x86_64 machines. The additional specific implementations of AES for the x86 architecture are disallowed and not available on the test platforms. When using the Module, the user shall utilize the memory allocation mechanisms provided by the Linux Kernel Crypto API. In addition, the user shall not use the function copy_to_user() on any portion of the data structures used to communicate with the Linux Kernel Crypto API. Only the cryptographic mechanisms provided with the Linux Kernel Crypto API are considered for use. The NSS bound module, although used, is only considered to support the integrity verification and is not intended for general-purpose use with respect to this Module.

10.2.1 AES-XTS Usage

The XTS mode must only be used for the disk encryption functionality offered by dm-crypt.
10.2.2 AES-GCM Usage

GCM with internal IV generation in FIPS mode is in compliance with RFC 4106 and shall only be used in conjunction with the IPsec stack of the kernel to be compliant with IG A.5. Any other usage of GCM will be considered non-Approved. In case the module's power is lost and then restored, the key used for AES GCM shall be redistributed.

10.2.3 Triple-DES Usage

According to IG A.13, the same Triple-DES key shall not be used to encrypt more than 2^16 64-bit blocks of data.

10.3 Handling Self-Test Errors

The Module transitions to the error state when any self-test or conditional test fails. In the error state, the kernel is in a panicked state and the operating system will not load. As such, the output is inhibited and no crypto operations are available in the error state. In order to recover from the error, the module needs to be rebooted. If the failure continues, the module needs to be reinstalled. The kernel dumps self-test success and failure messages into the kernel message ring buffer. Post boot, the messages are moved to /var/log/messages. Use dmesg to read the contents of the kernel ring buffer. The format of the ring buffer (dmesg) output is:

alg: self-tests for %s (%s) passed

Typical messages are similar to "alg: self-tests for hmac(sha1-generic) (hmac(sha1)) passed" for each algorithm/sub-algorithm type.
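The ring-buffer messages described above, checked mechanically, as an added example that is not part of the Oracle security policy, of sha512hmac or of dmesg: it extracts every "alg: self-tests for ... passed" line, reports required drivers that never reported passing, and surfaces any other alg: line. The dmesg excerpt, the kernel driver names and the required-driver list are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle security policy: read back the kernel
# ring buffer messages described in section 10.3 and check that every
# self-test the operator expects was reported as passed. Input is passed as
# text so the constructed samples below can be used; on a real host use
# "$(dmesg)" (or the copy in /var/log/messages after boot).

# Print "<driver> <algorithm>" for every line of the documented form
#   alg: self-tests for <driver> (<algorithm>) passed
# A leading "[ seconds]" timestamp, as dmesg prints it, is tolerated.
selftests_passed() {
    printf '%s\n' "$1" |
        sed -n 's/^.*alg: self-tests for \([^ ]*\) (\(.*\)) passed$/\1 \2/p'
}

# Print the drivers from a space-separated required list (argument 1) that
# have no "passed" line in the dmesg text (argument 2).
selftests_missing() {
    _seen=$(selftests_passed "$2" | cut -d ' ' -f 1)
    for _want in $1; do
        if ! printf '%s\n' "$_seen" | grep -qxF "$_want"; then
            printf '%s\n' "$_want"
        fi
    done
}

# Print every "alg:" line that is not a "passed" message and return 1; return
# 0 when there is none. The policy says a failed self-test panics the kernel,
# so on a system that completed booting this should normally print nothing.
selftests_unexpected() {
    _bad=$(printf '%s\n' "$1" | grep 'alg:' | grep -v 'self-tests for .* passed$' || true)
    if [ -n "$_bad" ]; then
        printf '%s\n' "$_bad"
        return 1
    fi
    return 0
}

# Constructed dmesg excerpt. The first line is the example quoted in 10.3; the
# others use the same format with driver names chosen for illustration.
SAMPLE_DMESG_CLEAN='[    1.002134] alg: self-tests for hmac(sha1-generic) (hmac(sha1)) passed
[    1.002560] alg: self-tests for sha256-generic (sha256) passed
[    1.002811] alg: self-tests for sha512-generic (sha512) passed
[    1.003981] alg: self-tests for cbc(aes-generic) (cbc(aes)) passed
[    1.004422] alg: self-tests for ecb(des3_ede-generic) (ecb(des3_ede)) passed
[    1.005117] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed'
# Same boot with the sha512 line replaced by a constructed non-"passed"
# message (the exact wording of a real failure varies by kernel version).
SAMPLE_DMESG_FAIL=$(printf '%s\n' "$SAMPLE_DMESG_CLEAN" | grep -v 'sha512-generic'
    printf '[    1.002811] alg: hash: Test 1 failed for sha512-generic\n')
# Drivers the operator wants covered, chosen to match the algorithms in Table 11.
REQUIRED='hmac(sha1-generic) sha256-generic sha512-generic cbc(aes-generic) ecb(des3_ede-generic) drbg_nopr_hmac_sha512'

echo "passed self-tests: $(selftests_passed "$SAMPLE_DMESG_FAIL" | wc -l | tr -d ' ')"
echo "required but not reported passed: $(selftests_missing "$REQUIRED" "$SAMPLE_DMESG_FAIL")"
selftests_unexpected "$SAMPLE_DMESG_FAIL" || echo "(review the line above before trusting this kernel)"
```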
11. Mitigation of Other Attacks

The module does not claim to mitigate against any attacks.
Acronyms, Terms and Abbreviations

Term | Definition
AES | Advanced Encryption Standard
CAVP | Cryptographic Algorithm Validation Program
CMVP | Cryptographic Module Validation Program
CSE | Communications Security Establishment
CSP | Critical Security Parameter
DH | Diffie-Hellman
DHE | Diffie-Hellman Ephemeral
DRBG | Deterministic Random Bit Generator
ECDH | Elliptic Curve Diffie-Hellman
ECDSA | Elliptic Curve Digital Signature Algorithm
EDC | Error Detection Code
HMAC | (Keyed) Hash Message Authentication Code
IKE | Internet Key Exchange
KAT | Known Answer Test
KDF | Key Derivation Function
NIST | National Institute of Standards and Technology
PAA | Processor Algorithm Acceleration
PBKDF | Password Based Key Derivation Function
POST | Power On Self Test
PR | Prediction Resistance
PSS | Probabilistic Signature Scheme
PUB | Publication
SHA | Secure Hash Algorithm

Table 13: Acronyms
References

The FIPS 140-2 standard, and information on the CMVP, can be found at http://csrc.nist.gov/groups/STM/cmvp/index.html. More information describing the module can be found on the Oracle website at https://www.oracle.com/linux/.

This Security Policy contains non-proprietary information. All other documentation submitted for FIPS 140-2 conformance testing and validation is "Oracle-Proprietary" and is releasable only under appropriate non-disclosure agreements.

Document | Author | Title
FIPS PUB 140-2 | NIST | FIPS PUB 140-2: Security Requirements for Cryptographic Modules
FIPS IG | NIST | Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
FIPS PUB 140-2 Annex A | NIST | FIPS 140-2 Annex A: Approved Security Functions
FIPS PUB 140-2 Annex B | NIST | FIPS 140-2 Annex B: Approved Protection Profiles
FIPS PUB 140-2 Annex C | NIST | FIPS 140-2 Annex C: Approved Random Number Generators
FIPS PUB 140-2 Annex D | NIST | FIPS 140-2 Annex D: Approved Key Establishment Techniques
DTR for FIPS PUB 140-2 | NIST | Derived Test Requirements (DTR) for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
NIST SP 800-67 | NIST | Recommendation for the Triple Data Encryption Algorithm TDEA Block Cipher
FIPS PUB 197 | NIST | Advanced Encryption Standard
FIPS PUB 198-1 | NIST | The Keyed-Hash Message Authentication Code (HMAC)
FIPS PUB 186-4 | NIST | Digital Signature Standard (DSS)
FIPS PUB 180-4 | NIST | Secure Hash Standard (SHS)
NIST SP 800-131A | NIST | Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes
PKCS#1 | RSA Laboratories | PKCS#1 v2.1: RSA Cryptographic Standard

Table 14: References