SUSE Linux Enterprise Kernel Crypto API
Cryptographic Module
Software Module Version 3.2
FIPS 140-2 Non-Proprietary Security Policy
Document Version: 1.2.2
Document Date: 2021-11-23
Prepared by:
atsec information security corporation
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com
©2021 SUSE, LLC., atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Table of contents
1 Introduction............................................................................................................................5
1.1 Purpose.........................................................................................................................5
1.2 External Resources and References..............................................................................5
2 Cryptographic Module Specifcation ......................................................................................6
2.1 Module Overview..........................................................................................................6
2.2 Modes of Operation.......................................................................................................8
3 Cryptographic Module Ports and Interfaces............................................................................9
4 Roles, Services and Authentication......................................................................................10
4.1 Roles...........................................................................................................................10
4.2 Services......................................................................................................................10
4.2.1 Services in the Approved Mode.........................................................................10
4.2.2 Services in the Non-Approved Mode..................................................................11
4.3 Operator Authentication.............................................................................................13
4.4 Algorithms..................................................................................................................13
4.4.1 Approved Algorithms.........................................................................................13
4.4.2 Non-Approved-But-Allowed Algorithms..............................................................22
4.4.3 Non-Approved Algorithms..................................................................................22
5 Physical Security .................................................................................................................24
6 Operational Environment ....................................................................................................25
6.1 Policy .........................................................................................................................25
7 Cryptographic Key Management .........................................................................................26
7.1 Random Number Generation......................................................................................26
7.2 Key Generation...........................................................................................................27
7.3 Key Establishment......................................................................................................27
7.4 Key/CSP Entry and Output..........................................................................................28
7.5 Key/CSP Storage.........................................................................................................28
7.6 Key/CSP Zeroization....................................................................................................28
8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC).............................29
9 Self Tests ............................................................................................................................30
10 Guidance............................................................................................................................32
10.1 Crypto Ofcer Guidance ...........................................................................................32
10.1.1 Module Installation..........................................................................................32
10.1.2 Operating Environment Confgurations...........................................................32
10.2 User Guidance..........................................................................................................33
10.2.1 Cipher References and Priority........................................................................33
10.2.2 AES XTS...........................................................................................................33
10.2.3 AES GCM IV.....................................................................................................34
10.2.4 Triple-DES encryption......................................................................................34
10.3 Handling Self Test Errors..........................................................................................34
©2021 SUSE, LLC., atsec information security. Page 2 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
11 Mitigation of Other Attacks................................................................................................35
Appendix A Glossary and Abbreviations..................................................................................36
Appendix B Algorithm Implementations..................................................................................37
Appendix C References...........................................................................................................40
©2021 SUSE, LLC., atsec information security. Page 3 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
List of Tables
Table 1: Security levels.............................................................................................................6
Table 2: Cryptographic module components.............................................................................6
Table 3: Tested platforms.........................................................................................................7
Table 4: Ports and interfaces....................................................................................................9
Table 5: Services in FIPS mode of operation...........................................................................10
Table 6: Services in non-FIPS mode of operation....................................................................11
Table 7: Approved Cryptographic Algorithms..........................................................................13
Table 8: Non-Approved but Allowed Algorithms......................................................................22
Table 9: Non-Approved Cryptographic Algorithms..................................................................22
Table 10: LIfe cycle of keys and other CSPs............................................................................26
Table 11: Self tests.................................................................................................................30
Table 12: RPM packages.........................................................................................................32
Table 13: Algorithm implementations and their names in the CAVP certifcates.....................37
List of Figures
Figure 1: Software Block Diagram.............................................................................................7
Figure 2: Hardware Block Diagram............................................................................................8
©2021 SUSE, LLC., atsec information security. Page 4 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
1 Introduction
1.1 Purpose
This document is the non-proprietary security policy for the SUSE Linux Enterprise Kernel
Crypto API Cryptographic Module version 3.2 (also referred as “Kernel Crypto API module” or
“module” throughout this document). It contains the security rules under which the module
must operate and describes how this module meets the requirements as specifed in FIPS
140-2 (Federal Information Processing Standards Publication 140-2) for a security level 1
module.
FIPS 140-2 details the requirements of the Governments of the U.S. and Canada for
cryptographic modules, aimed at the objective of protecting sensitive but unclassifed
information. For more information on the FIPS 140-2 standard and validation program please
refer to the NIST website at http://csrc.nist.gov/.
1.2 External Resources and References
The SUSE website (www.suse.com) contains information about the module.
The Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/)
contains links to the FIPS 140-2 certifcate and SUSE contact information.
©2021 SUSE, LLC., atsec information security. Page 5 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
2 Cryptographic Module Specifcation
2.1 Module Overview
The SUSE Linux Enterprise Kernel Crypto API Cryptographic Module is a software
cryptographic module that provides general-purpose cryptographic services. For the purpose
of the FIPS 140-2 validation, the module is a software-only, multi-chip standalone
cryptographic module validated at overall security level 1.
Table 1 shows the security level claimed for each of the eleven sections that comprise the
FIPS 140-2 standard.
Table 1: Security levels.
FIPS 140-2 Section Security
Level
1 Cryptographic Module Specifcation 1
2 Cryptographic Module Ports and Interfaces 1
3 Roles, Services and Authentication 1
4 Finite State Model 1
5 Physical Security N/A
6 Operational Environment 1
7 Cryptographic Key Management 1
8 EMI/EMC 1
9 Self Tests 1
10 Design Assurance 1
11 Mitigation of Other Attacks N/A
Table 2 lists the software components of the cryptographic module, which defne the
module’s logical boundary. The Linux kernel version, which is the output of $(uname -r), is
5.3.18-24.34-default.
Table 2: Cryptographic module components.
Description Component
Static kernel binary /boot/vmlinuz-5.3.18-24.34-default
Integrity check HMAC fle for
Linux kernel static binary
/boot/.vmlinuz-5.3.18-24.34-default.hmac
Cryptographic kernel object
fles
/lib/modules/5.3.18-24.34-default/kernel/crypto/*.ko
/lib/modules/5.3.18-24.34-
default/kernel/arch/x86/crypto/*.ko (x86 platform)
/lib/modules/5.3.18-24.34-
default/kernel/arch/arm64/crypto/*.ko (ARM platform)
/lib/modules/5.3.18-24.34-
©2021 SUSE, LLC., atsec information security. Page 6 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Description Component
default/kernel/arch/s390/crypto/*.ko (z15 platform)
Integrity test utility /usr/lib64/libkcapi/fpscheck
Integrity check HMAC fle for
integrity test utility
/usr/lib64/libkcapi/.fpscheck.hmac
The software block diagram (Figure 1) shows the logical boundary of the module and its
interfaces with the operational environment.
Figure 1: Software Block Diagram.
The module is aimed to run on a general purpose computer (GPC). Table 3 shows the
platforms on which the module has been tested:
Table 3: Tested platforms.
Platform Processor Test Confguration
Dell EMC PowerEdge 640 Intel Cascade Lake Xeon
Gold 6234
SUSE Linux Enterprise Server 15 SP2
with and without PAA (AES-NI)
IBM System Z z15 z15 SUSE Linux Enterprise Server 15 SP2
with and without PAI (CPACF)
Gigabyte R181-T90 Cavium ThunderX2
CN9975 ARMv8
SUSE Linux Enterprise Server 15 SP2
with and without PAA (CE, NEON)
Note: Per FIPS 140-2 IG G.5, the Cryptographic Module Validation Program (CMVP) makes no
statement as to the correct operation of the module or the security strengths of the
generated keys when this module is ported and executed in an operational environment not
listed on the validation certifcate.
©2021 SUSE, LLC., atsec information security. Page 7 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
The physical boundary of the module is the surface of the case (or physical enclosure) of the
tested platform. Figure 2 shows the hardware block diagram including major hardware
components of a GPC representing the tested platforms.
Figure 2: Hardware Block Diagram.
2.2 Modes of Operation
The module supports two modes of operation:
• FIPS mode (the Approved mode of operation): only approved or allowed security
functions with sufcient security strength can be used.
• non-FIPS mode (the non-Approved mode of operation): only non-approved security
functions can be used.
The module enters FIPS mode after power-up tests succeed. Once the module is operational,
the mode of operation is implicitly assumed depending on the security function invoked and
the security strength of the cryptographic keys.
Critical security parameters (CSPs) used or stored in FIPS mode are not used in non-FIPS
mode, and vice versa.
©2021 SUSE, LLC., atsec information security. Page 8 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
3 Cryptographic Module Ports and Interfaces
As a software-only module, the module does not have physical ports. For the purpose of the
FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the
hardware platform on which it runs.
The logical interfaces are the application program interface (API) through which applications
request services. Table 4 summarizes the logical interfaces.
Table 4: Ports and interfaces.
Logical
Interface
Description
Data Input API input parameters from kernel system calls, AF_ALG type socket.
Data Output API output parameters from kernel system calls, AF_ALG type socket.
Control Input API function calls, API input parameters from kernel system calls, AF_ALG
type socket, kernel command line.
Status Output API return values, AF_ALG type socket, kernel logs.
©2021 SUSE, LLC., atsec information security. Page 9 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
4 Roles, Services and Authentication
4.1 Roles
The module meets all FIPS 140-2 level 1 requirements for Roles and Services, implementing
both User and Crypto Ofcer (CO) roles. The module does not allow concurrent operators. The
roles execute the services as listed below.
⚫ User role: performs all services, except module installation and confguration.
⚫ Crypto Ofcer role: performs module installation and confguration.
The User and Crypto Ofcer roles are implicitly assumed by the entity accessing the services
implemented by the module depending on the service requested. No authentication is
required by the module for the assumption of a role.
4.2 Services
The module provides services to the operators that assume one of the available roles. All
services are shown in Table 5 and Table 6.
For each service, the tables list the associated cryptographic algorithm(s), the role that
performs the service, the cryptographic keys and other CSPs involved, and their access
type(s) from the point of view of the service. The details of the approved cryptographic
algorithms including the CAVP certifcate numbers can be found in Table 7.
The following convention is used to specify access rights from a service to a CSP.
• Create: the service can create a new CSP.
• Read: the service can read an existing CSP.
• Update: the service can write a new value to an existing CSP.
• Zeroize: the service can zeroize the existing CSP.
• N/A: the service does not access any CSP during its operation.
4.2.1 Services in the Approved Mode
Table 5 lists the services available in FIPS mode. In the Algorithm column, the only approved
algorithms’ modes and variations are those listed in Table 7.
Table 5: Services in FIPS mode of operation.
Service Algorithm Role Keys/CSPs Access
Symmetric
encryption and
decryption
AES User AES key Read
Three-key Triple-DES User Triple-DES key Read
Random number
generation
DRBG User Entropy input string,
Internal state
Read,
Update
Message digest SHA-1, SHA2, SHA3 User None N/A
Message
authentication
code (MAC)
HMAC User HMAC key Read
CMAC-AES User AES key Read
CMAC-Triple-DES User Triple-DES key Read
Encrypt-then-MAC
operation
AES-CBC, HMAC-
[SHA-1, SHA2]
User AES key, HMAC key Read
Triple-DES-CBC,
HMAC-[SHA-1, SHA2]
Triple-DES key, HMAC key Read
©2021 SUSE, LLC., atsec information security. Page 10 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Service Algorithm Role Keys/CSPs Access
Key wrapping
(asymmetric)
RSA encrypt/decrypt
primitives
User RSA public/private keys Read
Key wrapping,
(symmetric)
AES-KW, AES-CCM,
AES-GCM,
User AES key Read
Key wrapping
combination
(symmetric)
Combination AES-CBC
and HMAC, Triple-DES-
CBC and HMAC
User AES key, Triple-DES key,
HMAC key
Read
Shared secret
computation
EC Dife-Hellman User EC Dife-Hellman
public/private keys
Read
Shared Secret Create,
Read,
Update
Key generation for
EC Dife-Hellman
shared secret
computation1
Generation per Section
5.6.1.2 of SP800-
56Arev3 exclusively
for EC Dife-Hellman
User EC Dife-Hellman
public/private keys
Create
Digital signature
verifcation
Verify signature
operation using RSA
PKCS#1v1.5
User RSA public key Read
Zeroization N/A User All CSPs Zeroize
Self-tests See Section 9 User None N/A
Other services
Error detection
code
crc32c2
, crct10dif2
User None N/A
Data compression defate2
, lz42
, lz4hc2
,
lzo2
, zlib2
, 8422
User None N/A
Memory copy
operation
ecb(cipher_null)2
User None N/A
Show status N/A User None N/A
Module installation
and confguration
N/A Crypto
Ofcer
None N/A
4.2.2 Services in the Non-Approved Mode
Table 6 lists the services only available in non-FIPS mode of operation. The details of the non-
approved cryptographic algorithms available in non-FIPS mode can be found in Table 9.
1 The EC key generation service does not perform a pairwise consistency test on the generated keys.
This service is for exclusive use of the EC Dife-Hellman shared secret computation service, and only
under this context, this service is approved without the pairwise consistency test.
2 This algorithm does not provide any cryptographic attribute, i.e., its purpose in the module is not
security relevant.
©2021 SUSE, LLC., atsec information security. Page 11 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Table 6: Services in non-FIPS mode of operation.
Service Algorithm Role Keys Access
Symmetric
encryption and
decryption
AES-XTS with 192-bit
key size.
User AES key Read
GCM with external IV
(encryption), RFC4106
GCM with external IV
(encryption).
User AES key Read
Anubis block cipher
Blowfsh block cipher
Camellia block cipher
CAST5, CAST6
Serpent block cipher
Twofsh block cipher
ARC4 stream cipher
Salsa20 stream cipher
ChaCha20 stream
cipher
User AES, anubis, blowfsh,
camellia, cast5, cast6,
serpent, twofsh, arc4,
salsa20, chacha20 keys
Read
z15 platform: AES and
Triple-DES algorithms
with “generic”
implementation
User AES, Triple-DES keys Read
Message digest GHASH outside the
GCM context.
MD4, MD5
RIPEMD
Tiger Hashing
Whirlpool
z15 platform: SHA3
and SHA2 algorithms
with “generic”
implementation
User None N/A
Message
authentication
code (MAC)
HMAC with key smaller
than 112 bits
z15 platform: HMAC
with “generic”
implementation
User HMAC key Read
RSA signature
generation
RSA sign primitive
operation.
User RSA public/private keys Read
RSA signature
verifcation
RSA verify primitive
operation with keys
smaller than 2048 bits.
User RSA public/private keys Read
RSA key wrapping RSA keys smaller than
2048 bits.
User RSA public/private keys Read
EC key generation Curves not listed in
Table 7
User EC public/private keys Create,
Read,
Update
Shared Secret
Computation
Dife-Hellman
EC Dife-Hellman
using curves not listed
in Table 7
User Dife-Hellman
public/private keys
Read
EC Dife-Hellman
public/private keys
Read
©2021 SUSE, LLC., atsec information security. Page 12 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Service Algorithm Role Keys Access
Shared Secret Create,
Read,
Update
4.3 Operator Authentication
The module does not implement user authentication. The role of the user is implicitly
assumed based on the service requested.
4.4 Algorithms
The module provides multiple implementations of algorithms. Diferent implementations can
be invoked by using the unique algorithm driver names.
Among the implementations, the module supports generic C for all algorithms; generic
assembler for AES, Triple-DES ciphers, and block modes; AES-NI for AES; CLMUL for GHASH
within the GCM block mode; AVX, AVX2, SSSE3 for SHA algorithms; constant-time C
implementation for ciphers; NEON and CE instructions for ARM, and CPACF instructions for
z15.
Appendix B brings a list of the names contained in the CAVP algorithm certifcates that refer
to the specifc algorithm implementations, along with their description. The CAVP certifcates
group the algorithms per related implementation, which may not exist for all platforms.
However, all platforms in Table 3 implement all of the approved algorithms in one or more
implementations.
4.4.1 Approved Algorithms
Table 7 lists the approved algorithms, the CAVP certifcates, and other associated information
of the cryptographic implementations available in the FIPS mode.
Note: the module does not implement all of the algorithms, as FIPS approved algorithms, for
which the CAVP certifcates were issued.
Table 7: Approved Cryptographic Algorithms.
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
AES ECB 128, 192, 256 Data Encryption and
Decryption
FIPS197,
SP800-38A
A420 (DH_C)
A447 (ECDH_C)
A419
(RFC4106EIV_AESNI_
ASM)
A418
(RFC4106EIV_AESNI_
C)
A428
(RFC4106EIV_ARM64_
CE_C)
A452
(RFC4106EIV_C_C)
A462
(RFC4106EIV_CPACF_
ASM)
A457
(RFC4106EIV_CPACF_
C)
A450
(RFC4106EIV_CTI_C)
©2021 SUSE, LLC., atsec information security. Page 13 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
A464
(RFC4106EIV_X86AS
M_C)
A465
(RFC4106IIV_AESNI_A
SM)
A461
(RFC4106IIV_ASENI_C
)
A432
(RFC4106IIV_ARM64_
CE_C)
A424
(RFC4106IIV_C_C)
A433
(RFC4106IIV_CPACF_A
SM)
A439
(RFC4106IIV_CPACF_
C)
A426
(RFC4106IIV_CTI_C)
A441
(RFC4106IIV_X86ASM
_C)
ECB, CBC, CTR 128, 192, 256 Data Encryption and
Decryption
FIPS197,
SP800-38A
A467 (AESNI_C)
A422 (AESNI_ASM)
A472 (ARM64_CE)
A431 (ARM64_CE_C)
A438 (ARM64_NEON)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
CFB128 128, 192, 256 Data Encryption and
Decryption
SP800-38A A431 (ARM64_CE_C)
A435 (CFB_AESNI_C)
A459 (CFB_C_C)
A463 (CFB_CPACF_C)
A434 (CFB_CTI_C)
A466
(CFB_X86ASM_C)
OFB 128, 192, 256 Data Encryption and
Decryption
SP800-38A A431 (ARM64_CE_C)
A456 (OFB_AESNI_C)
A425 (OFB_C_C)
A446 (OFB_CPACF_C)
A455 (OFB_CTI_C)
A443
(OFB_X86ASM_C)
CBC-CS3 128, 192, 256 Data Encryption and
Decryption
SP800-38A-
addendum
A431 (ARM64_CE_C)
A437 (CTS_AESNI_C)
A448 (CTS_C_C)
A458 (CTS_CPACF_C)
A430 (CTS_CTI_C)
A469
(CTS_X86ASM_C)
©2021 SUSE, LLC., atsec information security. Page 14 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
KW 128, 192, 256 Key Wrapping SP800-38F A431 (ARM64_CE_C)
A470 (KW_AESNI_C)
A444 (KW_C_C)
A440 (KW_CPACF_C)
A460 (KW_CTI_C)
A442
(KW_X86ASM_C)
XTS 128, 256 Data Encryption and
Decryption for Data
Storage
SP800-38E A467 (AESNI_C)
A422 (AESNI_ASM)
A472 (ARM64_CE)
A431 (ARM64_CE_C)
A438 (ARM64_NEON)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
GCM with external
IV
128, 192, 256 Data Decryption3
SP800-38D A422 (AESNI_ASM)
A467 (AESNI_C)
A431 (ARM64_CE_C)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
GCM with internal
IV (RFC4106)
128, 192, 256 Data Encryption SP800-38D
RFC4106
A465
(RFC4106IIV_AESNI_A
SM)
A461
(RFC4106IIV_ASENI_C
)
A432
(RFC4106IIV_ARM64_
CE_C)
A424
(RFC4106IIV_C_C)
A433
(RFC4106IIV_CPACF_A
SM)
A439
(RFC4106IIV_CPACF_
C)
A426
(RFC4106IIV_CTI_C)
A441
(RFC4106IIV_X86ASM
_C)
GCM with external
IV (RFC4106)
128, 192, 256 Data Decryption3
SP800-38D
RFC4106
A419
(RFC4106EIV_AESNI_
ASM)
A418
(RFC4106EIV_AESNI_
C)
A428
(RFC4106EIV_ARM64_
3 This algorithm was tested for encryption and decryption, however the encryption operation is not
approved in the FIPS mode due to the use of external IV.
©2021 SUSE, LLC., atsec information security. Page 15 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
CE_C)
A452
(RFC4106EIV_C_C)
A462
(RFC4106EIV_CPACF_
ASM)
A457
(RFC4106EIV_CPACF_
C)
A450
(RFC4106EIV_CTI_C)
A464
(RFC4106EIV_X86AS
M_C)
CMAC 128, 192, 256 MAC Generation and
Verifcation
SP800-38B A467 (AESNI_C)
A472 (ARM64_CE)
A431 (ARM64_CE_C)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
CCM 128, 192, 256 Data Encryption and
Decryption
SP800-38C A467 (AESNI_C)
A472 (ARM64_CE)
A431 (ARM64_CE_C)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
GMAC 128, 192, 256 MAC Generation and
Verifcation
SP800-38D A467 (AESNI_C)
A431 (ARM64_CE_C)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
DRBG CTR_DRBG:
AES-128,
AES-192, AES-256
with derivation
function, with and
without PR
N/A Deterministic
Random Bit
Generation
SP800-90A A422 (AESNI_ASM)
A467 (AESNI_C)
A431 (ARM64_CE_C)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A420 (DH_C)
A447 (ECDH_C)
A419
(RFC4106EIV_AESNI_
ASM)
A418
(RFC4106EIV_AESNI_
C)
A428
(RFC4106EIV_ARM64_
CE_C)
©2021 SUSE, LLC., atsec information security. Page 16 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
A452
(RFC4106EIV_C_C)
A462
(RFC4106EIV_CPACF_
ASM)
A457
(RFC4106EIV_CPACF_
C)
A450
(RFC4106EIV_CTI_C)
A464
(RFC4106EIV_X86AS
M_C)
A465
(RFC4106IIV_AESNI_A
SM)
A461
(RFC4106IIV_ASENI_C
)
A432
(RFC4106IIV_ARM64_
CE_C)
A424
(RFC4106IIV_C_C)
A433
(RFC4106IIV_CPACF_A
SM)
A439
(RFC4106IIV_CPACF_
C)
A426
(RFC4106IIV_CTI_C)
A441
(RFC4106IIV_X86ASM
_C)
A449 (X86ASM_C)
Hash_DRBG:
SHA-1, SHA2-256,
SHA2-384,
SHA2-512 with
and without PR
N/A Deterministic
Random Bit
Generation
SP800-90A A422 (AESNI_ASM)
A467 (AESNI_C)
A453 (AVX)
A468 (AVX2)
A436 (C_C)
A451 (CPACF_C)
A429 (CTI_C)
A420 (DH_C)
A447 (ECDH_C)
A419
(RFC4106EIV_AESNI_
ASM)
A418
(RFC4106EIV_AESNI_
C)
A428
(RFC4106EIV_ARM64_
CE_C)
A452
(RFC4106EIV_C_C)
A462
(RFC4106EIV_CPACF_
ASM)
A457
(RFC4106EIV_CPACF_
©2021 SUSE, LLC., atsec information security. Page 17 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
C)
A450
(RFC4106EIV_CTI_C)
A464
(RFC4106EIV_X86AS
M_C)
A465
(RFC4106IIV_AESNI_A
SM)
A461
(RFC4106IIV_ASENI_C
)
A432
(RFC4106IIV_ARM64_
CE_C)
A424
(RFC4106IIV_C_C)
A433
(RFC4106IIV_CPACF_A
SM)
A439
(RFC4106IIV_CPACF_
C)
A426
(RFC4106IIV_CTI_C)
A441
(RFC4106IIV_X86ASM
_C)
A471 (SSSE3)
A454 (X86ASM_ASM)
A449 (X86ASM_C)
HMAC_DRBG:
HMAC-[SHA-1,
SHA2-256,
SHA2-384,
SHA2-512] with
and without PR
N/A Deterministic
Random Bit
Generation
SP800-90A A422 (AESNI_ASM)
A467 (AESNI_C)
A453 (AVX)
A468 (AVX2)
A436 (C_C)
A451 (CPACF_C)
A429 (CTI_C)
A420 (DH_C)
A447 (ECDH_C)
A419
(RFC4106EIV_AESNI_
ASM)
A418
(RFC4106EIV_AESNI_
C)
A428
(RFC4106EIV_ARM64_
CE_C)
A452
(RFC4106EIV_C_C)
A462
(RFC4106EIV_CPACF_
ASM)
A457
(RFC4106EIV_CPACF_
C)
A450
(RFC4106EIV_CTI_C)
A464
(RFC4106EIV_X86AS
©2021 SUSE, LLC., atsec information security. Page 18 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
M_C)
A465
(RFC4106IIV_AESNI_A
SM)
A461
(RFC4106IIV_ASENI_C
)
A432
(RFC4106IIV_ARM64_
CE_C)
A424
(RFC4106IIV_C_C)
A433
(RFC4106IIV_CPACF_A
SM)
A439
(RFC4106IIV_CPACF_
C)
A426
(RFC4106IIV_CTI_C)
A441
(RFC4106IIV_X86ASM
_C)
A471 (SSSE3)
A454 (X86ASM_ASM)
A449 (X86ASM_C)
HMAC HMAC-[SHA-1,
SHA2-224,
SHA2-256,
SHA2-384,
SHA2-512]
112 or greater Message
authentication code
FIPS198-1 A453 (AVX)
A468 (AVX2)
A436 (C_C)
A451 (CPACF_C)
A420 (DH_C)
A447 (ECDH_C)
A471 (SSSE3)
HMAC-[SHA-1,
SHA2-224,
SHA2-256]
112 or greater Message
authentication code
FIPS198-1 A472 (ARM64_CE)
HMAC-[SHA2-224,
SHA2-256]
112 or greater Message
authentication code
FIPS198-1 A438 (ARM64_NEON)
HMAC-[SHA2-224,
SHA2-256,
SHA2-384,
SHA2-512]
112 or greater Message
authentication code
FIPS198-1 A427 (ARM64-ASM)
HMAC-[SHA3-224,
SHA3-256,
SHA3-384,
SHA3-512]
112 or greater Message
authentication code
FIPS198-1 A445 (CPACF_SHA3)
A421 (SHA3_C_C)
ECDSA Testing
Candidates
P-256 Key Generation (for
use of the EC Dife-
Hellman algorithm)
FIPS186-4 A447 (ECDH_C)
KAS ECC-SSC
SP800-56Ar3
Ephemeral Unifed P-256 Shared secret
computation
SP800-
56Arev3
IG D.8 X1 (1)
A776
(SP800_56Arev3)
RSA PKCS#1v1.5:
SHA-1, SHA2-224,
SHA2-256,
SHA2-384,
SHA2-512
2048, 3072, 4096 Digital Signature
Verifcation
FIPS186-4 A453 (AVX)
A468 (AVX2)
A436 (C_C)
A451 (CPACF_C)
©2021 SUSE, LLC., atsec information security. Page 19 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
A471 (SSSE3)
SHA-3 SHA3-224,
SHA3-256,
SHA3-384,
SHA3-512
N/A Message Digest FIPS202 A445 (CPACF_SHA3)
A421 (SHA3_C_C)
SHS SHA-1, SHA2-224,
SHA2-256,
SHA2-384,
SHA2-512
N/A Message Digest FIPS180-4 A453 (AVX)
A468 (AVX2)
A436 (C_C)
A451 (CPACF_C)
A420 (DH_C)
A447 (ECDH_C)
A471 (SSSE3)
SHA-1, SHA2-224,
SHA2-256
N/A Message Digest FIPS180-4 A472 (ARM64_CE)
SHA2-224,
SHA2-256
N/A Message Digest FIPS180-4 A438 (ARM64_NEON)
SHA2-224,
SHA2-256,
SHA2-384,
SHA2-512
N/A Message Digest FIPS180-4 A427 (ARM64-ASM)
Triple-DES
(three-key)4
ECB, CBC, CTR 192 Data Encryption and
Decryption
SP800-67
SP800-38A
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A454 (X86ASM_ASM)
A449 (X86ASM_C)
CMAC 192 MAC Generation and
Verifcation
SP800-67
SP800-38B
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A449 (X86ASM_C)
CFB64 192 Data Encryption and
Decryption
SP800-67
SP800-38A
A459 (CFB_C_C)
A463 (CFB_CPACF_C)
A466
(CFB_X86ASM_C)
OFB 192 Data Encryption and
Decryption
SP800-67
SP800-38A
A425 (OFB_C_C)
A446 (OFB_CPACF_C)
A443
(OFB_X86ASM_C)
KTS AES-KW 128, 192, 256 Key wrapping SP800-38F A431 (ARM64_CE_C)
A470 (KW_AESNI_C)
A444 (KW_C_C)
A440 (KW_CPACF_C)
A460 (KW_CTI_C)
A442
(KW_X86ASM_C)
AES-GCM, AES-
CCM
128, 192, 256 Key wrapping SP800-38F A465
(RFC4106IIV_AESNI_A
SM)
A461
(RFC4106IIV_ASENI_C
)
A432
4 The security strength of the Triple-DES algorithm is 112 bits [SP800-57].
©2021 SUSE, LLC., atsec information security. Page 20 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
(RFC4106IIV_ARM64_
CE_C)
A424
(RFC4106IIV_C_C)
A433
(RFC4106IIV_CPACF_A
SM)
A439
(RFC4106IIV_CPACF_
C)
A426
(RFC4106IIV_CTI_C)
A441
(RFC4106IIV_X86ASM
_C)
A467 (AESNI_C)
A472 (ARM64_CE)
A431 (ARM64_CE_C)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
Combination AES-
CBC and HMAC-
SHA-1 or HMAC-
SHA2
128, 192, 256 Key wrapping SP800-38F
FIPS140-2 IG
D.9
AES
A467 (AESNI_C)
A422 (AESNI_ASM)
A472 (ARM64_CE)
A431 (ARM64_CE_C)
A438 (ARM64_NEON)
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A429 (CTI_C)
A449 (X86ASM_C)
HMAC
A453 (AVX)
A468 (AVX2)
A436 (C_C)
A451 (CPACF_C)
A420 (DH_C)
A447 (ECDH_C)
A471 (SSSE3)
A472 (ARM64_CE)
A438 (ARM64_NEON)
A427 (ARM64-ASM)
Combination
Triple-DES-CBC5
and HMAC-SHA-1
or HMAC-SHA2
192 Key wrapping SP800-38F
FIPS140-2 IG
D.9
Triple-DES
A436 (C_C)
A423 (CPACF_ASM)
A451 (CPACF_C)
A454 (X86ASM_ASM)
A449 (X86ASM_C)
HMAC
5 The security strength of the Triple-DES algorithm is 112 bits [SP800-57].
©2021 SUSE, LLC., atsec information security. Page 21 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Mode/Method Key Lengths,
Curves or Moduli
(in bits)
Use Standard CAVP Certs.
A453 (AVX)
A468 (AVX2)
A436 (C_C)
A451 (CPACF_C)
A420 (DH_C)
A447 (ECDH_C)
A471 (SSSE3)
A472 (ARM64_CE)
A438 (ARM64_NEON)
A427 (ARM64-ASM)
4.4.2 Non-Approved-But-Allowed Algorithms
Table 8 describes the non-Approved but allowed algorithms in FIPS mode:
Table 8: Non-Approved but Allowed Algorithms.
Algorithm Use
NDRNG The module obtains the entropy data from
NDRNG to seed the DRBG.
RSA encrypt/decrypt primitives with keys
equal or greater than 2048 bits (including
15360 bits or more)
Key transport; allowed per [FIPS140-2_IG] D.8.
Key establishment methodology provides
between 112 and 256 bits of encryption
strength.
4.4.3 Non-Approved Algorithms
Table 9 shows the non-Approved cryptographic algorithms implemented in the module that
are only available in non-FIPS mode.
Table 9: Non-Approved Cryptographic Algorithms.
Algorithm Implementation
name
Use
GCM encryption with external
IV
gcm(aes) with external
IV
Data encryption
RFC4106 GCM encryption with
external IV
rfc4106(gcm(aes)) with
external IV
Data encryption
AES-XTS with 192-bit keys xts Data encryption and decryption
Anubis block cipher anubis-generic Data encryption and decryption
Blowfsh block cipher Any blowfsh Data encryption and decryption
Camellia block cipher Any camellia Data encryption and decryption
CAST5, CAST6 cast5-generic, cast6-
generic
Data encryption and decryption
Serpent block cipher Any serpent Data encryption and decryption
Twofsh block cipher Any twofsh Data encryption and decryption
ARC4 stream cipher ecb(arc4)-generic Data encryption and decryption
Salsa20 stream cipher Any salsa20 Data encryption and decryption
©2021 SUSE, LLC., atsec information security. Page 22 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Algorithm Implementation
name
Use
ChaCha20 stream cipher Any chacha20 Data encryption and decryption
RSA digital signature sign
primitive operation
rsa Digital signature generation
RSA digital signature verify
primitive operation with keys
smaller than 2048 bits.
rsa Digital signature verifcation
RSA encrypt/decrypt with keys
smaller than 2048 bits
rsa Key wrapping
HMAC with keys smaller than
112 bits of length
hmac Message authentication code
MD4, MD5 md4, md5 Message digest
RACE Integrity Primitives
Evaluation Message Digest
(RIPEMD)
Any rmd Message digest
Tiger Hashing Any tgr Message digest
Whirlpool Any wp Message digest
GHASH ghash Message digest outside the GCM
mode
Random number generator Any cprng Random number generator
EC Dife-Hellman shared
secret computation with curves
not included in Table 7
ecdh Shared secret computation
Dife-Hellman shared secret
computation
dh Shared secret computation
EC key generation with curves
not listed in Table 7
ecdh EC key generation
z15 Platform Only (in addition to the above algorithms)
Algorithms in Table 7 with
“generic” implementation
aes-generic
des3_ede-generic
sha3-224-generic
sha3-256-generic
sha3-384-generic
sha3-512-generic
sha512-generic
sha384-generic
hmac([sha3*]-generic)
hmac([sha512,
sha384]-generic)
Data encryption and decryption
Message digest
Message authentication code
©2021 SUSE, LLC., atsec information security. Page 23 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
5 Physical Security
The module is comprised of software only and thus does not claim any physical security.
©2021 SUSE, LLC., atsec information security. Page 24 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
6 Operational Environment
This module operates in a modifable operational environment per the FIPS 140-2 level 1
specifcations.
The SUSE Linux Enterprise Server operating system is used as the basis of other products
which include but are not limited to:
• SLES
• SLES for SAP
• SLED
• SLE Micro
Compliance is maintained for these products whenever the binary is found unchanged.
Note: The CMVP makes no statement as to the correct operation of the module or the
security strengths of the generated keys when so ported if the specifc operational
environment is not listed on the validation certifcate.
6.1 Policy
The operating system is restricted to a single operator mode of operation (i.e., concurrent
operators are explicitly excluded). The application that requests cryptographic services is the
single user of the module, even when the application is serving multiple of its own users.
The ptrace system call, the debugger gdb and strace shall not be used. In addition, other
tracing mechanisms ofered by the Linux environment, such as ftrace or systemtap shall not
be used.
©2021 SUSE, LLC., atsec information security. Page 25 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
7 Cryptographic Key Management
Table 10 summarizes the Critical Security Parameters (CSPs) that are used by the
cryptographic services implemented in the module:
Table 10: LIfe cycle of keys and other CSPs.
Name Generation Entry and Output Zeroization
AES key N/A The keys are passed into
the module via API input
parameters in plaintext.
Zeroized when
freeing the cipher
handler.
Triple-DES key
HMAC key
Entropy input string Obtained from
NDRNG.
N/A Zeroized when
freeing the cipher
handler.
DRBG internal state: V
value, C value, key (if
applicable) and seed
material
Derived from
entropy input as
defned in SP800-
90A.
N/A Zeroized when
freeing the cipher
handler.
EC Dife-Hellman
public/private keys
Generated using
the
FIPS 186-4 EC key
generation
service;
random values are
obtained from the
SP800-90A DRBG.
The key is passed into the
module via API input
parameters in plaintext.
Zeroized when
freeing the cipher
handler.
Shared secret Computed during
the EC Dife
Hellman shared
secret
computation.
N/A Zeroized when
freeing the cipher
handler.
RSA public/private keys N/A The key is passed into the
module via API input
parameters in plaintext.
Zeroized when
freeing the cipher
handler.
The following sections describe how keys and other CSPs are managed during their life cycle.
7.1 Random Number Generation
The module employs a SP 800-90A DRBG as a random number generator for the creation of
random numbers and the creation of key components of asymmetric keys for use of the EC
Dife-Hellman algorithm. In addition, the module provides a Random Number Generation
service to applications. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG
mechanisms. The DRBG is initialized during module initialization.
The module uses a Non-Deterministic Random Number Generator (NDRNG) as the entropy
source. The NDRNG is based on the Linux RNG and the CPU Time Jitter RNG, both within the
module's logical boundary.
For seeding the DRBG, the module obtains an amount of entropy input data from the NDRNG
that is 1.5 times the security strength expected for the DRBG method. For reseeding, the
module obtains an amount of entropy input data equivalent to the security strength of the
DRBG method.
©2021 SUSE, LLC., atsec information security. Page 26 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
For seeding and reseeding, the module ensures the following entropy amount per each DRBG
security strength:
• DRBG with 128 bits of security strength: 128 bits of entropy in the entropy input from
the NDRNG.
• DRBG with 192 bits of security strength: 192 bits of entropy in the entropy input from
the NDRNG.
• DRBG with 256 bits of security strength: 256 bits of entropy in the entropy input from
the NDRNG.
Therefore, the module ensures that the NDRNG always provides the required amount of
entropy to meet the security strength of the DRBG methods during initialization (seed) and
reseeding.
The module performs conditional self-tests on the output of NDRNG to ensure that
consecutive random numbers do not repeat, and performs DRBG health tests as defned in
Section 11.3 of [SP800-90A].
7.2 Key Generation
The public and private keys used in the EC Dife-Hellman shared secret computation portion
of the key agreement scheme are generated internally by the module using the ECDSA key
generation method compliant with [SP800-133], [FIPS186-4] and [SP800-56Arev3]. the
random value used in asymmetric key generation is directly obtained from the [SP800-90A]
DRBG. This key generation method is used exclusively by the EC Dife-Hellman algorithm and
provides support for the required assurances of [SP800-56Arev3].
In accordance with IG D.12, the cryptographic module performs Cryptographic Key
Generation (CKG) for asymmetric keys per SP800-133 (vendor afrmed).
7.3 Key Establishment
The module provides EC Dife-Hellman shared secret computation compliant with [SP800-
56Arev3] and EC Dife-Hellman shared secret computation primitive compliant with [SP800-
56A]. The module provides AES key wrapping per [SP800-38F] and RSA key wrapping or
encapsulation as allowed by [FIPS140-2_IG] D.9.
The module provides approved key transport methods as permitted by IG D.9. These key
transport methods are provided either by using an approved key wrapping algorithm, an
approved authenticated encryption mode, or a combination method of approved symmetric
encryption (AES, Triple-DES) and HMAC-SHA-1/SHA-2.
Table 7 and Table 8 specify the key sizes allowed in the FIPS mode of operation. According to
“Table 2: Comparable strengths” in [SP800-57], the key sizes of AES and Triple-DES key
wrapping, EC Dife-Hellman shared secret computation, and RSA key wrapping provide the
following security strengths:
 AES-KW key wrapping; key establishment methodology provides between 128 and 256
bits of encryption strength.
 AES-GCM and AES-CCM authenticated encryption key wrapping: key establishment
methodology provides between 128 and 256 bits of encryption strength.
 Combination method of approved AES-CBC block mode and message authentication
code (HMAC-SHA-1/SHA-2) key wrapping: key establishment methodology provides
between 128 and 256 bits of encryption strength.
 Combination method of approved Triple-DES-CBC block mode and message
authentication code (HMAC-SHA-1/SHA-2) key wrapping: key establishment
methodology provides 112 bits of encryption strength.
 EC Dife-Hellman: Shared secret computation provides 128 bits of encryption
strength.
©2021 SUSE, LLC., atsec information security. Page 27 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
 RSA key wrapping: key establishment methodology provides between 112 and 256
bits of encryption strength.
7.4 Key/CSP Entry and Output
The module does not support manual key entry. It supports electronic entry of symmetric
keys, HMAC keys and asymmetric keys via API input parameters in plaintext form. The
module does not produce key output outside its physical boundary.
The keys can thus be entered into the module or output from the module in plaintext via API
parameters, to and from the calling application only.
7.5 Key/CSP Storage
The module does not perform persistent storage of keys. The keys and CSPs are stored as
plaintext in the RAM. The only exceptions are the HMAC keys and RSA public keys used for
the integrity tests, which are stored in the module and rely on the operating system for
protection.
7.6 Key/CSP Zeroization
The application is responsible for calling the appropriate destruction functions from the
Kernel Crypto API. When a calling application calls the appropriate API function, that function
overwrites the memory with zeros and deallocates the memory when the cipher handler is
freed.
©2021 SUSE, LLC., atsec information security. Page 28 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
8 Electromagnetic Interference/Electromagnetic
Compatibility (EMI/EMC)
The test platforms as shown in Table 3 are compliant to 47 CFR FCC Part 15, Subpart B, Class
A (Business use).
©2021 SUSE, LLC., atsec information security. Page 29 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
9 Self Tests
The module performs both power-up self-tests at module initialization and conditional tests
during operation to ensure that the module is not corrupted and that the cryptographic
algorithms work as expected.
The services are only available when the power-up self-tests have succeeded. If the power-up
self-tests pass, a success message is recorded in the dmesg log and the module transitions to
be operational, and then all cryptographic services are available. If the power-up self-tests
fail, the module outputs an error message and enters the error state.
On-demand self-tests can be invoked by rebooting the operating system.
Conditional tests are performed during the operation of the module. If a conditional test is
successful, the module remains operational. If a conditional test fails, the module outputs an
error message and enters the error state.
When the module is in the error state, data output is inhibited and no further operations are
possible. The operating system must be rebooted to recover from the error state.
Table 11 lists all the self-tests performed by the module. For algorithms that have more than
one implementation in the module (per Table 7), the module performs the self-tests
independently for each of these implementations.
Table 11: Self tests.
Self Test Description
Power-up tests performed at power-up and on demand
Cryptographic
Algorithm Known
Answer Tests (KATs)
KATs for AES in ECB, CBC, CTR, GCM, CCM and XTS modes; encryption
and decryption are performed separately.
KATs for Triple-DES in ECB, CBC and CTR modes; encryption and
decryption are performed separately.
KATs for AES and Triple-DES CMAC, MAC generation and verifcation.
KATs for SHA-1, SHA2-224, SHA2-256, SHA2-384 and SHA2-512.
KATs for SHA3-224, SHA3-256, SHA3-384 and SHA3-512.
KATs for HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-
SHA2-384 and HMAC-SHA2-512.
KATs for HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384 and
HMAC-SHA3-512.
KATs for Hash_DRBG, HMAC_DRBG, and CTR_DRBG, with and without
PR.
KAT for RSA public key encryption and private key decryption with
2048 bit keys.
KAT for RSA signature verifcation is covered by the integrity tests
performed on kernel object fles.
KAT for EC Dife-Hellman primitive "Z" computation with P-256 curve.
Software Integrity
Test
The module uses the HMAC-SHA2-256 algorithm for the integrity test
of the static kernel binary and the fpscheck application. The HMAC
calculation is performed by the fpscheck application itself.
The module uses RSA signature verifcation using SHA2-256 with a
4096-bit key for the integrity test of each of the kernel object fles
loaded during boot-up time.
Conditional tests performed during operation
Continuous Random
Number Generator
Test (CRNGT)
The module performs conditional self-tests on the output of NDRNG to
ensure that consecutive random numbers do not repeat.
©2021 SUSE, LLC., atsec information security. Page 30 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Self Test Description
DRBG DRBG health tests as specifed in Section 11.3 of SP 800-90A.
On demand execution of self tests
On Demand Testing Invocation of the self tests on demand can be achieved by rebooting
the operating system. This will trigger a new power-up self-test
procedure.
©2021 SUSE, LLC., atsec information security. Page 31 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
10 Guidance
10.1 Crypto Ofcer Guidance
The binaries of the module are contained in the RPM packages for delivery. The Crypto Ofcer
shall follow this Security Policy to confgure the operational environment and install the
module to be operated as a FIPS 140-2 validated module.
Table 12 shows the RPM packages that contain the FIPS validated module.
Table 12: RPM packages.
Processor Architecture RPM Package
Intel Cascade Lake Xeon® Gold 6234 dracut-fps-049.1+suse.144.ge0eaf296-1.2.rpm
linux-5.3.18-24.34.1.rpm
libkcapi-tools-0.13.0-1.114.x86_64.rpm
z15
Cavium ThunderX2 CN9975 ARM
Additional kernel components that register with the Kernel Crypto API shall not be loaded as
the kernel confguration is fxed in approved mode.
10.1.1 Module Installation
The Crypto Ofcer shall install the RPM packages containing the module as listed in Table 12
using the zypper tool. The integrity of the RPM package is automatically verifed during the
installation, and the Crypto Ofcer shall not install the RPM package if there is any integrity
error.
10.1.2 Operating Environment Confgurations
The operating environment needs to be confgured to support FIPS, so the following steps
shall be performed with the root privilege:
1. Install the dracut-fps RPM package:
# zypper install dracut-fips-049.1+suse.144.ge0eaf296-1.2.rpm
2. Recreate the INITRAMFS image:
# dracut -f
3. After regenerating the initrd, the Crypto Ofcer has to append the following parameter
in the /etc/default/grub confguration fle in the GRUB_CMDLINE_LINUX_DEFAULT line:
fips=1
After editing the confguration fle, please run the following command to change the setting in
the boot loader:
# grub2-mkconfig -o /boot/grub2/grub.cfg
If /boot or /boot/ef resides on a separate partition, the kernel parameter boot=<partition
of /boot or /boot/ef> must be supplied. The partition can be identifed with the command
"df /boot" or "df /boot/ef" respectively. For example:
# df /boot
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 233191 30454 190296 14% /boot
The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string
needs to be appended in the aforementioned grub fle:
"boot=/dev/sda1"
©2021 SUSE, LLC., atsec information security. Page 32 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Reboot to apply these settings.
Now, the operating environment is confgured to support FIPS operation. The Crypto Ofcer
should check the existence of the fle /proc/sys/crypto/fps_enabled, and verify it contains a
numeric value “1”. If the fle does not exist or does not contain “1”, the operating
environment is not confgured to support FIPS and the module will not operate as a FIPS
validated module properly.
10.2 User Guidance
10.2.1 Cipher References and Priority
The cryptographic module provides multiple implementations of diferent algorithms as
shown in Section 4.4 and Appendix B.
If more than one of the kernel components are loaded, the respective implementation can be
requested by using the following cipher mechanism strings with the initialization calls (such
as crypto_alloc_blkcipher):
⚫ aes-generic kernel component: “aes-generic”.
⚫ aesni-intel kernel component: "__aes-aesni".
⚫ aes-x86_64 kernel component: "aes-asm".
The AES cipher can also be loaded by simply using the string "aes" with the initialization call.
In this case, the AES implementation whose kernel component is loaded with the highest
priority is used. The following priority exists:
⚫ aesni-intel.
⚫ aes-x86_64.
⚫ aes-generic.
For example: If the kernel components aesni-intel and aes-asm are loaded and the caller uses
the initialization call (such as crypto_alloc_blkcipher) with the cipher string of "aes", the aesni-
intel implementation is used. On the other hand, if only the kernel components of aes-x86_64
and aes-generic are loaded, the cipher string of "aes" implies that the aes-x86_64
implementation is used.
The discussion about the naming and priorities of the AES implementation also applies when
cipher strings are used that include the block modes, such as "cbc(aes-asm)", "cbc(aes)", or
"cbc(__aes-aesni)".
When using the module, the user shall utilize the Linux kernel crypto API-provided memory
allocation mechanisms. In addition, the user shall not use the function copy_to_user() on any
portion of the data structures used to communicate with the Linux kernel crypto API.
10.2.2 AES XTS
As specifed in SP800-38E, the AES algorithm in XTS mode is designed for the cryptographic
protection of data on storage devices. Thus it can only be used for the disk encryption
functionality ofered by dm-crypt (i.e., the hard disk encryption scheme). For dm-crypt, the
length of a single data unit encrypted with AES XTS mode is at most 65,536 bytes (64KiB of
data), which does not exceed 220
AES blocks (16MiB of data).
To meet the requirement stated in IG A.9, the module implements a check to ensure that the
two AES keys used in AES XTS mode are not identical.
Note: AES-XTS shall be used with 128 and 256-bit keys only. AES-XTS with 192-bit keys is not
an Approved service.
©2021 SUSE, LLC., atsec information security. Page 33 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
10.2.3 AES GCM IV
In case the module's power is lost and then restored, the key used for the AES GCM
encryption or decryption shall be redistributed.
When a GCM IV is used for encryption, the module complies with IG A.5 Scenario 2 [FIPS140-
2_IG], in which the GCM IV is generated internally at its entirety randomly by the module’s
DRGB. The DRBG seeds itself from the NDRNG, which is within the module's boundary. The
GCM IV is 96 bits in length. Per Section 7.1, this 96-bit IV contains 96 bits of entropy.
When a GCM IV is used for decryption, the responsibility for the IV generation lies with the
party that performs the AES GCM encryption and therefore there is no restriction on the IV
generation.
10.2.4 Triple-DES encryption
1 Data encryption using the same three-key Triple-DES key shall not exceed 216
Triple-DES
blocks (2GiB of data), in accordance to SP800-67 and IG A.13. The user of the module is
responsible for ensuring the module’s compliance with this requirement.
10.3 Handling Self Test Errors
Self test failure within the kernel crypto API module will panic the kernel and the operating
system will not load and/or halt immediately.
Error recovery and return to operational state can be accomplished by rebooting the system.
If the failure continues, the Crypto Ofcer must re-install the software package and make
sure to follow all instructions. If the software was downloaded, the package hash value must
be verifed to confrm a proper download. Please contact SUSE if these steps do not resolve
the problem.
The kernel dumps self-test success and failure messages into the kernel message ring bufer.
Post boot, the messages are moved to /var/log/messages.
Use dmesg to read the contents of the kernel ring bufer. The format of the ringbufer
(dmesg) output is:
alg: self-tests for %s (%s) passed
Typical messages are similar to "alg: self-tests for xts(aes) (xts(aes-x86_64)) passed" for each
algorithm/sub-algorithm type.
©2021 SUSE, LLC., atsec information security. Page 34 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
11 Mitigation of Other Attacks
The module does not ofer mitigation of other attacks.
©2021 SUSE, LLC., atsec information security. Page 35 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Appendix A Glossary and Abbreviations
AES Advanced Encryption Specifcation
AES_NI Intel Advanced Encryption Standard (AES) New Instructions
AVX Advanced Vector Extensions
AVX2 Advanced Vector Extensions 2
CAVP Cryptographic Algorithm Validation Program
CBC Cipher Block Chaining
CCM Counter with Cipher Block Chaining Message Authentication Code
CE Cryptographic Extensions
CLMUL Carry-less Multiplication
CMAC Cipher-based Message Authentication Code
CMVP Cryptographic Module Validation Program
CPACF CP Assist for Cryptographic Functions
CSP Critical Security Parameter
CTI Constant-Time
CTR Counter Mode
DES Data Encryption Standard
DRBG Deterministic Random Bit Generator
ECB Electronic Code Book
FIPS Federal Information Processing Standards Publication
GCM Galois Counter Mode
HMAC Hash-based Message Authentication Code, keyed-Hash Message
Authenticated Code
MAC Message Authentication Code
NIST National Institute of Science and Technology
PKCS Public Key Cryptography Standards
PR Prediction Resistance
RNG Random Number Generator
RPM Red hat Package Manager
RSA Rivest, Shamir, Addleman
SHA Secure Hash Algorithm
SHS Secure Hash Standard
SSSE3 Supplemental Streaming SIMD (Single Instruction, Multiple Data) Extensions 3
XTS XEX Tweakable Block Cipher with Ciphertext Stealing
©2021 SUSE, LLC., atsec information security. Page 36 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Appendix B Algorithm Implementations
Table 13 describes the names utilized in the algorithm certifcates and the implementations
to which they refer for the test platforms.
Table 13: Algorithm implementations and their names in the CAVP certifcates.
Name Description
AESNI_ASM AES cipher with AESNI, and block modes with assembler
AESNI_C AES cipher with AESNI, and block modes with C
ARM64_ASM ARM: SHA algorithms using assembler
ARM64_CE
ARM: AES using Cryptographic Extension (CE) instructions, block
modes using assembler
ARM64_CE_C
ARM: AES using Cryptographic Extension (CE) instructions, block
modes using non-optimized C
ARM64_CE_SHA2_512 ARM: SHA2-512 using Cryptographic Extension (CE) instructions
ARM64_CE_SHA3 ARM: SHA3 using Cryptographic Extension (CE) instructions
ARM64_NEON ARM: SHA algorithms using NEON (AES also?)
AVX SHA using AVX instructions
AVX2 SHA using AVX2 instructions
C_C Cipher in C, block modes in C
CFB_AESNI_C AES-CFB with AES using AESNI, CFB block mode using C
CFB_C_C AES-CFB with AES in C, block mode in C
CFB_CPACF_C
AES-CFB and Triple-DES-CFB with AES/Triple-DES using CP Assist
for Cryptographic Functions (CPACF), block mode using C
CFB_CTI_C
AES-CFB with AES in constant-time C implementation, block
mode in regular C
CFB_X86ASM_C
AES-CFB and Triple-DES-CFB with AES/Triple-DES using
assembler, block mode using C
CPACF_ASM
AES and Triple-DES using CPACF instructions, block mode using
assembler
CPACF_C
AES and Triple-DES using CPACF instructions, block mode using
C
CPACF_SHA3 SHA3 using CPACF instructions
CTI_C Cipher in constant time C implementation, block mode in C
CTS_AESNI_C
AES-CBC-CS with AES using AESNI implementation, block mode
using non-optimized C
CTS_C_C AES-CBC-CS with AES using C, block mode using C
CTS_CPACF_C
AES-CBC-CS with AES using CP Assist for Cryptographic
Functions (CPACF), block mode using C
CTS_CTI_C AES-CBC-CS with AES using constant-time C implementation,
©2021 SUSE, LLC., atsec information security. Page 37 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Name Description
block mode using C
CTS_X86ASM_C
AES-CBC-CS with AES using assembler implementation, block
mode using C
DH_C DH with generic, non-optimized C implementation
ECDH_C ECDH with generic, non-optimized C implementation
KW_AESNI_C
AES-KW: AES with AESNI, block mode with generic non-optimized
C
KW_C_C AES-KW: AES in C, block mode in C
KW_CPACF_C
AES-KW: AES using CP Assist for Cryptographic Functions
(CPACF), block mode using C
KW_CTI_C
AES-KW: AES using constant-time C implementation, block mode
using C
KW_X86ASM_C
AES-KW: AES using assembler implementation, block mode using
C
OFB_AESNI_C AES-OFB with AES using AESNI, block mode using C
OFB_C_C
AES-OFB and Triple-DES OFB, with AES and Triple-DES using C,
block mode using C
OFB_CPACF_C
AES-OFB and Triple-DES OFB, with AES and Triple-DES using CP
Assist for Cryptographic Functions (CPACF), block mode using C
OFB_CTI_C
AES-OFB with AES using contant-time C implementation, block
mode using C
OFB_X86ASM_C
AES-OFB and Triple-DES OFB, with AES and Triple-DES using
assembler, block mode using C
RFC4106EIV_AESNI_ASM
RFC4106 GCM with external IV generation: AES using AESNI,
block mode using assembler
RFC4106EIV_AESNI_C
RFC4106 GCM with external IV generation: AES using AESNI,
block mode using C
RFC4106EIV_ARM64_CE_C
RFC4106 GCM with external IV generation: AES using ARM
Cryptographic Extension (CE), block mode using C
RFC4106EIV_C_C
RFC4106 GCM with external IV generation: AES using C, block
mode using C
RFC4106EIV_CPACF_ASM
RFC4106 GCM with external IV generation: AES using CP Assist
for Cryptographic Functions (CPACF), block mode using
assembler
RFC4106EIV_CPACF_C
RFC4106 GCM with external IV generation: AES using CP Assist
for Cryptographic Functions (CPACF), block mode using C
RFC4106EIV_CTI_C
RFC4106 GCM with external IV generation: AES using constant-
time C, block mode using C
RFC4106EIV_X86ASM_C
RFC4106 GCM with external IV generation: AES using assembler
block mode using C
RFC4106IIV_AESNI_ASM RFC4106 GCM with internal IV generation: AES using AESNI,
©2021 SUSE, LLC., atsec information security. Page 38 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Name Description
block mode using assembler
RFC4106IIV_AESNI_C
RFC4106 GCM with internal IV generation: AES using AESNI,
block mode using C
RFC4106IIV_ARM64_CE_C
RFC4106 GCM with internal IV generation: AES using ARM
Cryptographic Extension (CE), block mode using C
RFC4106IIV_C_C
RFC4106 GCM with internal IV generation: AES using C, block
mode using C
RFC4106IIV_CPACF_ASM
RFC4106 GCM with internal IV generation: AES using CP Assist
for Cryptographic Functions (CPACF), block mode using
assembler
RFC4106IIV_CPACF_C
RFC4106 GCM with internal IV generation: AES using CP Assist
for Cryptographic Functions (CPACF), block mode using C
RFC4106IIV_CTI_C
RFC4106 GCM with internal IV generation: AES using constant-
time C, block mode using C
RFC4106IIV_X86ASM_C
RFC4106 GCM with internal IV generation: AES using assembler
block mode using C
SHA3_C_C SHA-3 implementation in generic C
SSSE3 SHA implementation using SSSE3
X86ASM_ASM Cipher in assembler, block mode in assembler
X86ASM_C Cipher in assembler, block mode in C
©2021 SUSE, LLC., atsec information security. Page 39 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Appendix C References
FIPS 140-2 FIPS PUB 140-2 - Security Requirements for Cryptographic Modules
http://csrc.nist.gov/publications/fps/fps140-2/fps1402.pdf
FIPS 140-2_IG Implementation Guidance for FIPS PUB 140-2 and the
Cryptographic Module Validation Program
August 28, 2020
http://csrc.nist.gov/groups/STM/cmvp/documents/fps140-2/FIPS1402IG.pdf
FIPS180-4 Secure Hash Standard (SHS)
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
FIPS186-4 Digital Signature Standard (DSS)
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS197 Advanced Encryption Standard
http://csrc.nist.gov/publications/fps/fps197/fps-197.pdf
FIPS198-1 The Keyed Hash Message Authentication Code (HMAC)
http://csrc.nist.gov/publications/fps/fps198-1/FIPS-198-1_fnal.pdf
PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography
Specifcations Version 2.1
http://www.ietf.org/rfc/rfc3447.txt
SP800-38A NIST Special Publication 800-38A - Recommendation for Block
Cipher Modes of Operation Methods and Techniques
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
38a.pdf
SP800-38B NIST Special Publication 800-38B - Recommendation for Block
Cipher Modes of Operation: The CMAC Mode for Authentication
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
SP800-38C NIST Special Publication 800-38C - Recommendation for Block
Cipher Modes of Operation: the CCM Mode for Authentication and
Confdentiality
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
38c.pdf
SP800-38D NIST Special Publication 800-38D - Recommendation for Block
Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
38d.pdf
SP800-38E NIST Special Publication 800-38E - Recommendation for Block
Cipher Modes of Operation: The XTS AES Mode for Confdentiality
on Storage Devices
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
38e.pdf
SP800-38F NIST Special Publication 800-38F - Recommendation for Block
Cipher Modes of Operation: Methods for Key Wrapping
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
©2021 SUSE, LLC., atsec information security. Page 40 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
SP800-
56Arev3
NIST Special Publication 800-56Arev3 - Recommendation for Pair-
Wise Key Establishment Schemes Using Discrete Logarithm
Cryptography (Revision 3)
https://doi.org/10.6028/NIST.SP.800-56Ar3
SP800-57 NIST Special Publication 800-57 - Recommendation for Key
Management: Part 1 – General (Revision 5)
https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/fnal
SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for
the Triple Data Encryption Algorithm (TDEA) Block Cipher
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
67r1.pdf
SP800-90A NIST Special Publication 800-90A Revision 1 - Recommendation for
Random Number Generation Using Deterministic Random Bit
Generators
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
SP800-131A NIST Special Publication 800-131A Revision 1- Transitions:
Recommendation for Transitioning the Use of Cryptographic
Algorithms and Key Lengths
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
©2021 SUSE, LLC., atsec information security. Page 41 of 41
This document can be reproduced and distributed only whole and intact, including this copyright notice.