© 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy Document Version 1.3 Last update: 2023-07-18 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 2 of 54 Table of Contents 1 Cryptographic Module Specification .....................................................................4 1.1 Module Overview................................................................................................................4 1.2 Modes of Operation ..........................................................................................................11 2 Cryptographic Module Ports and Interfaces ........................................................ 13 3 Roles, services, and authentication.................................................................... 14 3.1 Roles and their authentication .........................................................................................14 3.2 Services............................................................................................................................16 3.3 Authentication..................................................................................................................27 4 Physical Security............................................................................................... 28 5 Operational Environment................................................................................... 31 6 Key Management .............................................................................................. 32 6.1 Random Number Generation............................................................................................35 6.2 Key Generation.................................................................................................................35 6.3 Key Establishment............................................................................................................35 6.4 Key Entry/Output..............................................................................................................36 6.5 Key Zeroization ................................................................................................................36 6.6 Key Storage......................................................................................................................36 7 EMI/EMC ........................................................................................................... 38 8 Self-Tests ......................................................................................................... 39 8.1 Power-On Self-Tests .........................................................................................................39 8.1.1 Integrity Tests...........................................................................................................39 8.1.2 Known-Answer Self-Tests..........................................................................................40 8.1.3 Conditional Tests ......................................................................................................42 9 Design assurance .............................................................................................. 43 9.1 Delivery and Operation ....................................................................................................43 9.2 Crypto Officer Guidance ...................................................................................................43 IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 3 of 54 9.2.1 Coprocessor Physical Installation..............................................................................43 9.2.2 Firmware Installation and Entering Operational/FIPS Mode ......................................44 9.3 User Guidance..................................................................................................................44 9.3.1 Handling Self-Test Errors ..........................................................................................44 9.3.2 DSA signature service usage ....................................................................................46 9.4 Supplemental IBM Security Policy and Guidance..............................................................46 10 Mitigation of other attacks ................................................................................ 47 IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 4 of 54 1 Cryptographic Module Specification This document is the non-proprietary FIPS 140-2 Security Policy of the IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module. It describes the design and features of this cryptographic module and the rules under which the module operates. It also describes how the module meets the requirements of FIPS 140-2 for all applicable areas at security level 4. 1.1 Module Overview The IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module cryptographic module (hereafter referred to as “the module”) is a Multi-Chip Embedded Hardware cryptographic module in the form of a PCIe card. This module with components Miniboot (MB) hardware and EP11 firmware, provides crypto officers and users the security policy governing access to those services specified in section 3.2. EP11 provides an interface similar to the industry standard PKCS#11 API. The EP11 firmware provides a stateless backend, relying mainly on host- resident, encrypted datastores to maintain sensitive state, while presenting services as a regular HSM-based PKCS#11 implementation. The Module is a cryptographic coprocessor, a general-purpose computing platform with cryptographic accelerator engines, executing firmware and retaining secrets, despite foreseeable physical or logical attacks. The overall security rating of the module is 4. The Module is intended for use by US Federal agencies and other markets that require FIPS 140-2 validated Level 4 modules. End users can base high-assurance applications, such as digital signature generation or financial transaction processing, on this platform. Table 1 lists the security levels supported by the cryptographic module according to each section of FIPS 140-2. FIPS 140-2 Section Title Security Level Cryptographic Module Specification 4 Cryptographic Module Ports and Interfaces 4 Roles, Services, and Authentication 4 Finite State Model 4 Physical Security 4 Operational Environment N/A Cryptographic Key Management 4 EMI/EMC 4 Self-Tests 4 Design Assurance 4 Mitigation of Other Attacks N/A Overall 4 Table 1 - Security Levels For the purposes of this FIPS 140–2 validation, this policy describes fixed module configurations, and does not allow firmware updates. Therefore, this policy is applicable only when the appropriate configurations are loaded to suitable hardware. Components are identified through the IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 5 of 54 most significant eight bits (i.e. the first byte) of their content hashes, which is reported by host drivers in a platform-specific way. The configurations covered by this policy are the following: Model Hardware [Part Number and Version] Configuration 4770-001 PN 03JJ471-H07163 POST0 v9398 MB0 v9005 (Standard Power) Segment 0 Information The hardware part numbers imply Segment 0 configuration Segment 1 Information Name: 8.0.37z P3592 M3592 P4630 F0D0B Hash data: D5B3 3BE0 F565 9086 411F 58E7 30E3 3566 53FF C592 BA8F 8E55 2FBD 9BF3 C169 12A1 2097 C258 32DA C623 F570 C325 16ED 1492 B9A5 5584 EA2A 9D3F 330D BE44 385D 5F26 Segment 2 Information short ID: 5E8E 728A (the first bits of the hash value of segment firmware) Hash data: 5E8E 728A 67C5 1EAC FD88 6F93 E1EE C599 0885 4393 EDFD 171E DBE3 3377 20E6 09B5 EF97 C549 05B3 2D30 5926 D75B 8267 DC99 3043 5421 36EC 1FAA EC86 A15D B740 82BC Segment 3 Information short ID: 77FA 9138 Hash data: 77FA 9138 D034 9969 6369 709A F780 5126 4ED2 8165 5677 9BAF 5D07 BE4C CDAF E5A0 F2D5 2C4C 40A3 146C 1452 E44B 8963 90D1 9102 0D37 DEE7 B469 59B5 B1F2 EBBA 620F 4770-001 PN 03JJ467-H07163 POST0 v9398 MB0 v9005 (Low Power) Segment 0 Information The hardware part numbers imply Segment 0 configuration Segment 1 Information Name: 8.0.37z P3592 M3592 P4630 F0D0B Hash data: D5B3 3BE0 F565 9086 411F 58E7 30E3 3566 53FF C592 BA8F 8E55 2FBD 9BF3 C169 12A1 2097 C258 32DA C623 F570 C325 16ED 1492 B9A5 5584 EA2A 9D3F 330D BE44 385D 5F26 Segment 2 Information short ID: 5E8E 728A (the first bits of the hash value of segment firmware) Hash data: 5E8E 728A 67C5 1EAC FD88 6F93 E1EE C599 0885 4393 EDFD 171E DBE3 3377 20E6 09B5 EF97 C549 05B3 2D30 IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 6 of 54 5926 D75B 8267 DC99 3043 5421 36EC 1FAA EC86 A15D B740 82BC Segment 3 Information short ID: 77FA 9138 Hash data: 77FA 9138 D034 9969 6369 709A F780 5126 4ED2 8165 5677 9BAF 5D07 BE4C CDAF E5A0 F2D5 2C4C 40A3 146C 1452 E44B 8963 90D1 9102 0D37 DEE7 B469 59B5 B1F2 EBBA 620F 4770-001 PN 03JJ829-N38324 POST0 v8840 MB0 v3606 (Standard Power) Segment 0 Information The hardware part numbers imply Segment 0 configuration Segment 1 Information Name: 8.0.37z P3592 M3592 P4630 F0D0B Hash data: D5B3 3BE0 F565 9086 411F 58E7 30E3 3566 53FF C592 BA8F 8E55 2FBD 9BF3 C169 12A1 2097 C258 32DA C623 F570 C325 16ED 1492 B9A5 5584 EA2A 9D3F 330D BE44 385D 5F26 Segment 2 Information short ID: 5E8E 728A (the first bits of the hash value of segment firmware) Hash data: 5E8E 728A 67C5 1EAC FD88 6F93 E1EE C599 0885 4393 EDFD 171E DBE3 3377 20E6 09B5 EF97 C549 05B3 2D30 5926 D75B 8267 DC99 3043 5421 36EC 1FAA EC86 A15D B740 82BC Segment 3 Information short ID: 77FA 9138 Hash data: 77FA 9138 D034 9969 6369 709A F780 5126 4ED2 8165 5677 9BAF 5D07 BE4C CDAF E5A0 F2D5 2C4C 40A3 146C 1452 E44B 8963 90D1 9102 0D37 DEE7 B469 59B5 B1F2 EBBA 620F 4770-001 PN 03JJ825-N38324 POST0 v8840 MB0 v3606 (Low Power) Segment 0 Information The hardware part numbers imply Segment 0 configuration Segment 1 Information Name: 8.0.37z P3592 M3592 P4630 F0D0B Hash data: D5B3 3BE0 F565 9086 411F 58E7 30E3 3566 53FF C592 BA8F 8E55 2FBD 9BF3 C169 12A1 2097 C258 32DA C623 F570 C325 16ED 1492 B9A5 5584 EA2A 9D3F 330D BE44 385D 5F26 Segment 2 Information short ID: 5E8E 728A (the first bits of the hash value of segment firmware) IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 7 of 54 Hash data: 5E8E 728A 67C5 1EAC FD88 6F93 E1EE C599 0885 4393 EDFD 171E DBE3 3377 20E6 09B5 EF97 C549 05B3 2D30 5926 D75B 8267 DC99 3043 5421 36EC 1FAA EC86 A15D B740 82BC Segment 3 Information short ID: 77FA 9138 Hash data: 77FA 9138 D034 9969 6369 709A F780 5126 4ED2 8165 5677 9BAF 5D07 BE4C CDAF E5A0 F2D5 2C4C 40A3 146C 1452 E44B 8963 90D1 9102 0D37 DEE7 B469 59B5 B1F2 EBBA 620F 4770-001 PN 03KY267-H07190 POST0 v8840 MB0 v3606 (Standard Power) Segment 0 Information The hardware part numbers imply Segment 0 configuration Segment 1 Information Name: 8.0.37z P3592 M3592 P4630 F0D0B Hash data: D5B3 3BE0 F565 9086 411F 58E7 30E3 3566 53FF C592 BA8F 8E55 2FBD 9BF3 C169 12A1 2097 C258 32DA C623 F570 C325 16ED 1492 B9A5 5584 EA2A 9D3F 330D BE44 385D 5F26 Segment 2 Information short ID: 5E8E 728A (the first bits of the hash value of segment firmware) Hash data: 5E8E 728A 67C5 1EAC FD88 6F93 E1EE C599 0885 4393 EDFD 171E DBE3 3377 20E6 09B5 EF97 C549 05B3 2D30 5926 D75B 8267 DC99 3043 5421 36EC 1FAA EC86 A15D B740 82BC Segment 3 Information short ID: 77FA 9138 Hash data: 77FA 9138 D034 9969 6369 709A F780 5126 4ED2 8165 5677 9BAF 5D07 BE4C CDAF E5A0 F2D5 2C4C 40A3 146C 1452 E44B 8963 90D1 9102 0D37 DEE7 B469 59B5 B1F2 EBBA 620F 4770-001 PN 03KY263-H07190 POST0 v8840 MB0 v3606 (Low Power) Segment 0 Information The hardware part numbers imply Segment 0 configuration Segment 1 Information Name: 8.0.37z P3592 M3592 P4630 F0D0B Hash data: D5B3 3BE0 F565 9086 411F 58E7 30E3 3566 53FF C592 BA8F 8E55 2FBD 9BF3 C169 12A1 2097 C258 32DA C623 F570 C325 16ED 1492 B9A5 5584 EA2A 9D3F 330D BE44 385D 5F26 IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 8 of 54 Table 2 - Cryptographic Module Components Figure 1 and Figure 2 show representations that apply to all part numbers listed in Table 2. Although the part numbers in the table are different, the module functionality and the structure are the same. The physical form of the 4770-001 PCIe module is depicted in Figure 1. The red outline in the picture depicts the physical cryptographic boundary. The module is comprised of two (2) electrical component cards with one used as a battery holder and the second one being the main functional component of the Module. The module relies on a host system that supplies a PCIe interface for input/output communication. Segment 2 Information short ID: 5E8E 728A (the first bits of the hash value of segment firmware) Hash data: 5E8E 728A 67C5 1EAC FD88 6F93 E1EE C599 0885 4393 EDFD 171E DBE3 3377 20E6 09B5 EF97 C549 05B3 2D30 5926 D75B 8267 DC99 3043 5421 36EC 1FAA EC86 A15D B740 82BC Segment 3 Information short ID: 77FA 9138 Hash data: 77FA 9138 D034 9969 6369 709A F780 5126 4ED2 8165 5677 9BAF 5D07 BE4C CDAF E5A0 F2D5 2C4C 40A3 146C 1452 E44B 8963 90D1 9102 0D37 DEE7 B469 59B5 B1F2 EBBA 620F IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 9 of 54 Figure 1 – Module IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 10 of 54 Figure 2 – 4770-001 Block Diagram The module is divided into four layers, which are further referred to as segments, as illustrated in Figure 3. The items on the left side of the segments in Figure 3 are not part of the module. The base two segments, and a stub in the third segment control security and configuration of the module: • Segment 0: Permanent POST 0 (Power-on Self-Test) and Miniboot 0 (security bootstrap). This code is in Secure Flash, bootstrapping the entire module, effectively non-modifiable. • Segment 1: Rewritable POST 1 and Miniboot 1, responsible for most of user-visible infrastructure functionality. POST 2, while executed by the module CPU, is logically controlled and is considered as part of Segment 1. Specifically, POST 2 gets control immediately after module CPU reset and before any OS or higher-level applications. POST 2 does not get access to secrets, and it must be approved by the Segment 1 crypto officer to load (being part of Segment 1 firmware updates). POST routines perform initial and higher-level testing of the module’s infrastructural functionality. If both POST 0 and POST 1 pass successfully, and POST 2 reports success of the module CPU tests, the PCIe card’s hardware is guaranteed to be functional for basic services. In addition to POSTs, both Miniboot 0 and Miniboot 1 perform detailed, targeted tests of card hardware—cryptographic, code integrity, other infrastructure—before relying on their services. • Segment 2: Special-purpose Linux operating system. • Segment 3: EP11, application code, including user space drivers. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 11 of 54 Figure 3 - Module Architecture The module has been tested on the operational environments listed in Table 3. Operating System Hardware P/N Processors Linux based on kernel v 3.1 PN 03JJ467-H07163POST0 v9398 MB0 v9005(Low Power) Capri ASIC Low Power with Power PC 405 x1 Power PC 470 x2 PN 03JJ825-N38324POST0 v8840 MB0 v3606(Low Power) PN 03KY263-H07190POST0 v8840 MB0 v3606 (Low Power) PN 03JJ471-H07163POST0 v9398 MB0 v9005(Standard Power) Capri ASIC Standard Power with Power PC 405 x1 Power PC 470 x2 PN 03JJ829-N38324POST0 v8840 MB0 v3606(Standard Power) PN 03KY267-H07190POST0 v8840 MB0 v3606 (Standard Power) Table 3: Tested Operational Environments 1.2 Modes of Operation The module supports two modes of operation: • FIPS mode (the Approved mode of operation): only approved or allowed security functions listed in Table 10can be used. • Non-FIPS mode (the non-Approved mode of operation): all security functions (approved services listed in Table 7 and Table 8 or non-approved services and algorithms listed in Table 9) can be used. In order to switch from FIPS mode to non-FIPS mode or from non-FIPS mode to FIPS mode, it requires reinitialization of the module that zeroizes or and/or re- creates the CSPs stored in volatile and non-volatile storage of the module such that there is no sharing of keys or CSPs between the two modes. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 12 of 54 The Segment 3 of the module can consist of multiple domains, also called EP11 domains. They domains are the partitions that maintain their own administrative settings, key material as well as their own operational mode (FIPS or non-FIPS) and the mode is reported via compliance settings using control point setups. The control points are administratively controlled sets of restrictions that enable or disable specific functionalities. When the compliance settings show that XCP_ADMS_FIPS2021 and XCP_ADMS_ADM_FIPS2021 are enabled it is identified that a domain is in FIPS mode. This mode prohibits use of any non-approved algorithm, mode key or key size. The key objects contain the expected mode of operation. Therefore, objects containing a non-expected mode of operation are not usable within the running mode. To enable FIPS mode, the administrative setting XCP_ADMM_STR_112BIT (or a higher key strength mode i.e., XCP_ADMM_STR_128) must be enabled, and the following control points must be disabled: XCP_CPB_KEYSZ_BELOW80BIT XCP_CPB_KEYSZ_80BIT XCP_CPB_ALG_RAW_RSA XCP_CPB_SKIP_KEYTESTS XCP_CPB_ALG_NFIPS2011 XCP_CPB_KEYSZ_HMAC_ANY XCP_CPB_KEYSZ_RSA65536 XCP_CPB_ALG_NFIPS2021 XCP_CPB_ECDSA_OTHER XCP_CPB_ALG_EC_25519 XCP_CPB_ALG_PQC XCP_CPB_BTC XCP_CPB_ALLOW_NONSESSION XCP_CPB_ALG_EC_SECGCRV XCP_CPB_ALG_EC_BPOOLCRV XCP_CPB_COMPAT_LEGACY_SHA3 XCP_CPB_DSA_PARAMETER_GEN XCP_CPB_WRAP_ASYMM XCP_CPB_UNWRAP_ASYMM IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 13 of 54 2 Cryptographic Module Ports and Interfaces Table 4 describes all the cryptographic module’s ports and interfaces. The physical ports listed in the table below maps to the physical ports shown in Figure 2. All input data of the cryptographic module uses data input interfaces, and all output data of the cryptographic module uses data output interfaces. Data output is inhibited during power-on self-tests and error state. Physical port Logical Interface Data that passes over port/interface PCIe data/addresses Data input Data output PCIe Express signals PCIe control Control input Status output PCIe Express signals Serial ports (RS232) Status output Auxiliary signals USB port N/A (the current firmware does not use USB port) The USB port is not used by the module. PCIe power Power Auxiliary signals Battery power (USB) Power Auxiliary signals External warning (Sensor connected to the Tamper Controller) Control input (from sensor) Status output (to host) Auxiliary signals N/A EP11 Data input/ EP11 Data output API input parameters for data/ API output parameters for data EP11 Control input API function calls EP11 Status output API return code Table 4 - Ports and Interfaces IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 14 of 54 3 Roles, services, and authentication 3.1 Roles and their authentication Table 5 describes the roles supported by the cryptographic module. The module supports the Cryptographic Officer roles and User role. The module does not support concurrent operators, and it does not support a Maintenance role. Role Description CO1 Cryptographic Officer 1 Owns Segment 1 and established by IBM as the base authority. CO2 Cryptographic Officer 2 Owns Segment 2 and established by CO1. CO3 Cryptographic Officer 3 Owns Segment 3 and established by CO2. CO (EP11 Module Administrator) Performs EP11 administrative services that are opaque to the User role. Module administrators are the most privileged EP11 identities. They are authorized to submit state-changing commands at the module level. CO (EP11 Domain Administrator) Performs EP11 administrative services that are opaque to the User role. Domain administrators are authorized to submit state-changing commands to its own domain, but not the entire module or other domains. User Uses EP11 Domain services. Table 5 - Roles Description Table 6 lists the roles and their respective authentication methods and strengths. Role Authentication Method Authentication Strength CO1 Identity-based ECC P-521 using SHA-512 is used for the signing and verification of digital signatures. The probability that a random attempt will succeed, or a false acceptance will occur is 1/2^256, which is less than 1/1,000,000. Even considering the rate of one (1) signature verification per 1μs, the probability of successfully authenticating to the Module within one minute through random attempts is 60,000,000/2^256, which is less than 1/100,000. CO2 Identity-based ECC P-521 using SHA-512 is used for the signing and verification of digital signatures. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 15 of 54 The probability that a random attempt will succeed, or a false acceptance will occur is 1/2^256, which is less than 1/1,000,000. Even considering the rate of one (1) signature verification per 1μs, the probability of successfully authenticating to the Module within one minute through random attempts is 60,000,000/2^256, which is less than 1/100,000. CO3 Identity-based ECC P-521 using SHA-512 is used for the signing and verification of digital signatures. The probability that a random attempt will succeed, or a false acceptance will occur is 1/2^256, which is less than 1/1,000,000. Even considering the rate of one (1) signature verification per 1μs, the probability of successfully authenticating to the Module within one minute through random attempts is 60,000,000/2^256, which is less than 1/100,000. CO (EP11 Module Administrator) Identity-based ECDSA with curves P-224, P-256, P-384, P-521 and RSA with approved keys 2048, 3072, 4096 with SHA-256 is used for the signing and verification of digital signatures. Considering lowest key size, the probability that a random attempt will succeed, or a false acceptance will occur is 1/2^112, which is less than 1/1,000,000. Even considering the rate of one (1) signature verification per 1μs, the probability of successfully authenticating to the Module within one minute through random attempts is 60,000,000/2^256, which is less than 1/100,000. CO (EP11 Domain Administrator) Identity-based ECDSA with curves P-224, P-256, P-384, P-521 and RSA with approved keys 2048, 3072, 4096 with SHA-256 is used for the signing and verification of digital signatures. Considering lowest key size, the probability that a random attempt will succeed, or a false acceptance will occur is 1/2^112, which is less than 1/1,000,000. Even considering the rate of one (1) signature verification per 1μs, the probability of successfully authenticating to the Module within one minute through random attempts is 60,000,000/2^256, which is less than 1/100,000. User Identity-based The user authentication is performed by verifying a PIN blob protected under authenticated-encryption that uses AES Key Wrapping under a 256-bit shared key derived from the SP800-56Ar3 compliance shared secret computation. The authentication strength is 2^256 , which is the security strength of the AES Key Wrapping with a 256-bit key. Even considering the rate of one (1) AES Key Unwrapping per 1μs, the probability of successfully authenticating to the Module within one minute through random attempts is 60,000,000/2^256, which is less than 1/100,000. Table 6 - Roles and Authentication IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 16 of 54 3.2 Services • G = Generates keys • I = Input keys from outside of the Module • O = Output Key • K = Used to Encrypt/Decrypt • U = Use Key • W = Write/Store Key • Z = Zeroize • R = Read • D = Delete • V= Verify Signature • S = Generate Signature Table 7 lists the authenticated services supported by the cryptographic module. Service Description Approved Security Functions CSPs/Public Keys Roles Access rights to CSPs/ Public Keys Miniboot Establish Officer (CO) 2 Register new Officer 2 ECDSA ECDSA Key (Crypto Officer1 public key) CO1 V ECDSA ECDSA Key (Device keypair (DKP1) private key) S Establish Officer (CO) 3 Register new Officer 3 ECDSA ECDSA Key (Crypto Officer2 public key) CO2 V ECDSA ECDSA Keys (Device keypair (DKP1) private key) S Surrender Officer (CO) 2 Clear Segment 2 and 3 parameters and persistent data, and officer 2 and officer 3 public keys ECDSA ECDSA Keys (Device keypair (DKP1) private key) S ECDSA Key (Crypto Officer2 public key) V, W ECDSA ECDSA Key (Crypto Officer3 public key) W Surrender Officer (CO) 3 Clear Segment 3 parameters and persistent data and officer 3 public key ECDSA ECDSA Keys (Device keypair (DKP1) private key) CO3 S ECDSA Key (Crypto Officer3 public key) V, W IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 17 of 54 Service Description Approved Security Functions CSPs/Public Keys Roles Access rights to CSPs/ Public Keys Ordinary Burn 1 Load Segment 1 firmware and officer 1 public key; optionally clear Segment 2 and/or 3 parameters and persistent data and officer public key, as defined by Segment 2/3 persistent object definitions ECDSA Dilithium is used in conjunction with ECDSA but has no security claimed per IG 1.23 bullet 2 as a redundant algorithm. ECDSA Key (Crypto Officer1 public key1) CO1 V, I, W Dilithium Key2 1312 to 2592 bytes ECDSA Keys (Device keypair (DKP1) public key) G, W ECDSA Keys (Device keypair (DKP1) private key) G, W, S Key Encrypting Key (DKP1_KEK) G, W, D, K Ordinary Burn 2 Load (replace) Segment 2 firmware; optionally clear Segment 3 parameters, persistent data, and officer public key, as defined by Segment 3 persistent object definitions ECDSA ECDSA Keys (Device keypair (DKP1) private key) CO2 S ECDSA Key (Crypto Officer2 public key) V Emergency Burn 2 Clear Segment 2 and 3 parameters and persistent data and officer 2 and officer 3 public keys; Load segment 2 firmware and officer 2 public key ECDSA ECDSA Keys (Device keypair (DKP1) private key) CO1 S ECDSA Key (Crypto Officer1 public key) V ECDSA Key (Crypto Officer2 public key) I, W, V Ordinary Burn 3 Load (replace) segment 3 firmware ECDSA ECDSA Keys (Device keypair (DKP1) private key) CO3 S 1 For Ordinary Burn 1 there are two instances of the Officer1 public key – one that is already present in the Module and one that is supplied in the command. The “old” key is used to verify a signature on the command, at which point the “new” key is imported and written (replacing the “old” key). 2 Dilithium is a non-approved but allowed algorithm in FIPS mode with no security claimed per IG 1.23. Therefore, the Dilithium key is not a CSP and is not listed in Table 16. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 18 of 54 Service Description Approved Security Functions CSPs/Public Keys Roles Access rights to CSPs/ Public Keys ECDSA Key (Crypto Officer3 public key) V Emergency Burn 3 Clear Segment 3 parameters and persistent data and officer 3 public key; Load Segment 3 firmware and officer 3 public key ECDSA ECDSA Keys (Device keypair (DKP1) private key) CO2 S ECDSA Key (Crypto Officer2 public key) V ECDSA Key (Crypto Officer3 public key) I, W, V Software-Induced Tamper Render a PCIe HSM card (i.e. the module) inoperable by evoking the module’s tamper response mechanism. Evocation of this service destroys all CSPs residing on the PCIe HSM card. Note: this command is not expected to be used during the lifetime of a typical deployment since it decommissions the module and renders it useless. ECDSA ECDSA Key (Device keypair (DKP1) private key), DRBG seed, DRBG state CO1 Z ECDSA (Crypto Officer1 public key) V EP11 Domain EC Diffie-Hellman Shared Secret Computation Shared secret computation with EC Diffie Hellman KAS-ECC-SSC EC Key Pair, EP11 User R Shared Secret W Diffie-Hellman Shared Secret Computation Shared secret computation with Diffie Hellman KAS-FCC-SSC DH Key Pair R Shared Secret W Key Wrapping/Unwrapping Key wrapping AES-KW/KWP AES Key wrapping key, wrapped key R Symmetric Encryption/Decryption Symmetric encryption/decrypt ion AES, Triple-DES AES, Triple-DES Keys R Key Generation Key generation DSA, ECDSA, RSA DSA, ECDSA, RSA Keys W IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 19 of 54 Service Description Approved Security Functions CSPs/Public Keys Roles Access rights to CSPs/ Public Keys Key Verification Key verification ECDSA ECDSA public key R Signature Generation/Verification Signature generation/verifica tion DSA, ECDSA, RSA DSA, ECDSA, RSA Keys R Random Number Generation Random number generation DRBG Entropy Input R Seed, Internal State W Message Digest Message digest SHA-1, SHA-224, SHA-256, SHA- 384, SHA-512, SHA3-224, SHA3- 256, SHA3-384, SHA3-512 N/A N/A Message Authentication Code (MAC) Message Authentication Code (MAC) AES-CMAC, Triple-DES-CMAC AES, Triple-DES Keys R HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA- 512/224, HMAC- SHA-512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 HMAC Keys R Manage module administrator (public keys) Replace, add or remove administrator public keys RSA, ECDSA RSA, ECDSA Keys, (EP11 Module Administrator Keys) CO (EP11 Module Administra tor) V, R, W, Z, D Export module state Export module state by encrypting its sensitive part (wrapping keys) using AES KW AES, RSA RSA, ECDSA Keys (EP11 Module Administrator Keys) V, R AES Key (EP11 Domain Wrapping Keys) R Import module state Import module state that contains sensitive (wrapping keys) and non-sensitive data. Sensitive data is encrypted AES, RSA RSA, ECDSA Keys (EP11 Module Administrator Keys) V, R AES Keys (EP11 Domain Wrapping Keys) W IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 20 of 54 Service Description Approved Security Functions CSPs/Public Keys Roles Access rights to CSPs/ Public Keys Zeroize Module seg 3 Zeroize all objects in segment 3 including anything within domains N/A RSA, ECDSA Keys (EP11 Domain Administrator Keys) D, Z AES Keys (EP11 Domain Wrapping Keys) D, Z RSA, ECDSA Keys (EP11 Module Administrator Keys) V, R Manage domain administrator (public keys) Import administrative keys with their certificates RSA, ECDSA RSA, ECDSA Keys (EP11 Domain Administrator Keys) CO (EP11 Domain Administra tor) R, W Generate importer key Generate the importer key for importing sensitive data RSA, ECDSA Keys (Importer Keys) R, W RSA, ECDSA Keys (EP11 Module Administrator Keys) V, R Set domain attributes Set the domain attributes RSA, ECDSA Keys (EP11 Domain Administrator Keys) V, R Manage (set, add, remove) control points Manage the control points to adjust the functionality of the module RSA, ECDSA Keys (EP11 Domain Administrator Keys) V, R Export Wrapping Key Export a wrapping key in encrypted form using key transport with AES KW AES, RSA AES Key (EP11 Domain Wrapping Keys) R RSA, ECDSA Key (EP11 Domain Administrator Key) V Import Wrapping Key Generate or import a key by generating an importer key and providing it for encryption of the wrapping key that is to be imported AES, RSA, ECDSA AES Key (EP11 Domain Wrapping Keys) W RSA, ECDSA Key (EP11 Domain Administrator Key) V Generate Wrapping Key RSA, ECDSA AES Key (EP11 Domain Wrapping Keys) W IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 21 of 54 Service Description Approved Security Functions CSPs/Public Keys Roles Access rights to CSPs/ Public Keys RSA, ECDSA Keys (EP11 Domain Administrator Keys) V, D, Z Zeroize Domain Zeroizes the domain N/A AES Keys (EP11 Domain Wrapping Keys) D, Z RSA, ECDSA Keys (EP11 Domain Administrator Keys) D, Z Table 7 - Authenticated Services Table 8 lists the unauthenticated services supported by the cryptographic module. Service Description Cold Boot Reboots the Module and performs power-on self-tests Query Status Read infrastructure status, including segment owners. Reset the Module CPU (MCPU) (OS/application). Query Status/Noreset Read module status, including segment owners. Do not reset Module CPU. Query Signed Health (“Get Health”) Read module status, including owner identities and officer public keys; Reset Module CPU conditionally (only if Segment 2 or Segment 3 has been updated since the MCPU was last reset [in practice this is only possible for Segment 3]) Query Signed Health/No reset (“Query Firmware”) Read module status, including owner identities and officer public keys. Do not reset Module CPU. Query Certificate Returns the entire Segment 1 certificate list, one certificate at a time (repeated calls to Miniboot 1). Query Segment 0 Hash Returns the computed SHA-512 hash of Segment 0 (Miniboot 0 concatenated with POST0). Algorithm Test (SHA-256 test) Compute SHA-256 hash of host-supplied data as an interactive communications/infrastructure self-test; Does not access CSPs Continue to Segment 1 Advance from Segment 0 into Segment 1 if status permits Continue to Segment 2 Start Segment 2 firmware if status permits PKCS#11 Queries Includes environment and key queries Non-Administrative Extended Queries Queries unique to EP11, beyond PKCS#11. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 22 of 54 Service Description Administrative Queries General information about the module Self-Test On-demand self-test Show Status Show the status of the module Login The service used to login to the module that performs user role authentication Logout The service used to logout from the module Table 8 - Unauthenticated Services Table 9 lists all the non-approved services used by the module. Service Algorithm Key type Role EP11 Key Establishment ECDH Brainpool/Montgomery curves EP11 User Key Generation RSA 1024 bits DSA L=1024, N=160 ECDSA BP192r1/t1, BP224r1/t1, BP256r1/t1, BP320r1/t1, BP384r1/t1, BP512r1/t1, secp256k1, Edwards/Montgomery curves Domain Parameter Generation DSA L=1024, N=160; L=2048, N=256; L=3072, N=256 NOTE: DSA Domain Parameter Generation for approved key sizes has not been ACVP-tested therefore listed as non-approved. Key Derivation BIP32 secp256k1 SLIP10 secp256k1, ed25519, nist256 Signature Generation/Verification DSA L=1024, N=160 EdDSA ED25591, ED448 ECDSA Brainpool, secp256k1 curves Signature Generation/Verification Dilithium 1312 to 2592 bytes Table 9: Non-Approved Services IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 23 of 54 Table 10 lists all security functions of the module, including specific key strengths employed for approved services, and implemented modes of operation. CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function Miniboot #A2431 DRBG [NIST SP800- 90A Rev 1] SHA-512 N/A Random number generation ECDSA [FIPS 186-4] Testing candidates P-521 Key generation ECDSA [FIPS 186-4] SHA-512 P-521 signature generation, signature generation component, signature verification N/A CKG [SP800-133 Rev 2] Vendor Affirmed ECDSA: P-521 Key generation EP11 Domain #A2495 AES [FIPS 197, SP 800-38A] CBC, ECB 128, 192, 256 bits Encryption/decryption KW, KWP 256 bits Key wrapping/unwrapping AES-CMAC [FIPS 197, SP 800-38B] CMAC 128, 192, 256 bits Encryption/decryption Triple-DES [SP 800- 67, SP 800-38A] CBC, ECB 168 bits (without parity) Decryption Triple-DES [SP 800- 67, SP 800-38B CMAC MAC generation/verification HMAC [FIPS 198-1] SHA-224, SHA- 256, SHA-384, SHA-512, SHA- 512/224, SHA- 512/256, SHA3- 224, SHA3-256, SHA3-384, SHA3- 512 112 bits or greater Message authentication IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 24 of 54 CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function SHS [FIPS 180-4] SHA-1, SHA-224, SHA-256, SHA- 384, SHA-512, SHA-512/224, SHA-512/256 N/A Message digest #A2471 SHA-512 N/A N/A CKG [SP800-133 Rev 2] Vendor Affirmed DSA: L=2048, N=256; L=3072, N=256 ECDSA: P-224, P- 256, P-384, P-521 RSA: 2048, 3072, 4096 bits Key generation #A2495 SHA-3 [FIPS 202] SHA3-224, SHA3- 256, SHA3-384, SHA3-512 N/A Message digest ECDSA [FIPS 186-4] SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256, SHA3- 224, SHA3-256, SHA3-384, SHA3- 512 P-224, P-256, P- 384, P-521 Signature generation, Signature generation component, signature verification ECDSA [FIPS 186-4] B.2.1 Extra random bits P-224, P-256, P- 384, P-521 Key generation KAS-ECC-SSC [Sp800-56Ar3] ephemralUnified P-256, P-521 Shared Secret computation KTS [FIPS197] [SP800-38F] [FIPS 198-1] AES-KW, KWP 256 Key wrapping/unwrapping AES-CBC and HMAC-SHA-224/ HMAC-SHA-256/ HMAC-SHA-384/ HMAC-SHA-512 AES 256 HMAC with keys equal to or greater than 112 bits RSA Encrypt/Decrypt (CVL) N/A NOTE: This is tested but not used. 2048, 3072, 4096 Encryption/decryption IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 25 of 54 CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function RSA [FIPS 186-4] B.3.3 Random Primes that are Probably Prime 2048, 3072, 4096 bits Key generation PSS with SHA-224, SHA-256, SHA- 384, SHA-512 2048, 3072, 4096 bits Signature generation PSS with SHA-1 SHA-224, SHA- 256, SHA-384, SHA-512 Signature verification PKCS1v1.5 with SHA-1, SHA-224, SHA-256, SHA- 384, SHA-512 #A2471 DSA [FIPS 186-4] N/A {L=2048, N=256}, {L=3072 N=256} Key generation SHA-256 {L=2048, N=256}, {L=3072 N=256} Signature generation SHA-256, SHA- 384, SHA-512, SHA-512/224, SHA-512/256 {L=2048 N=256}, {L=3072 N=256} Signature verification KAS-FFC-SSC [SP 800-56Ar3] dhEphem 2048, 3072 Shared Secret computation #A2495 KDA-KDF [SP800- 56Cr2] OneStep HMAC-SHA2-256 N/A Key derivation KBKDF [SP800-108] Counter HMAC-SHA2-256 #A2427, #A2471, #A2495 Hash DRBG [SP 800-90A] SHA-512 Random number generation #A2427 ECDSA [FIPS 186-4] Testing candidate P-521 Key generation/verification IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 26 of 54 CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function SHA-512 Signature generation component, signature verification N/A ENT (P) SP800-90B N/A N/A Random number generation Table 10 - Approved Algorithms Table 11 lists the algorithms that are non-approved but allowed in the approved mode of operation. Algorithm Key Type Use/Function Miniboot Dilithium 1312 to 2592 bytes Signature Generation/Verification (no security claimed per IG 1.23) Table 11: Non-Approved but Allowed in the Approved Mode of Operation Table 12 lists the algorithms that are non-approved and not allowed in the approved mode of operation. Algorithm Key Type Use/Function ECDH Brainpool/Montgomery curves Key Establishment DSA L=1024, N=160 Key Generation RSA 1024 bit DSA L=1024, N=160 Signature Generation/Verification ECDSA BP192r1/t1, BP224r1/t1, BP256r1/t1, BP320r1/t1, BP384r1/t1, BP512r1/t1, secp256k1, Edwards/Montgomery curves DSA L=1024, N=160; L=2048, N=256; L=3072, N=256 Domain Parameter Generation NOTE: DSA Domain Parameter Generation for approved key sizes has not been ACVP-tested therefore listed as non-approved IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 27 of 54 BIP32 secp256k1 Key Derivation SLIP10 secp256k1, ed25519, nist256 EdDSA ED25591, ED448 Signature Generation/Verification ECDSA Brainpool, secp256k1 curves Dilithium (Implemented in EP11) 1312 to 2592 bytes Table 12: Non-Approved Not Allowed in the Approved Mode of Operation 3.3 Authentication The cryptographic module supports identity-based authentication. Interacting Miniboot, Crypto officers are authenticated via signed service request. Crypto officers prove their identities via signatures using the keys that corresponds to their identities. Therefore, their requests are signed by them using ECDSA with administrative keys and authenticated by the module. Crypto Officers (EP11 Administrators) are added during initialization. During initialization, the module accepts Crypto Officers (administrators); therefore, the first administrator’s certificates will be accepted without authentication as part of the initialization and ownership establishment. As soon as enough administrators are present, and a special request is submitted, the module leaves initialization. All the subsequent requests are authenticated. Administrator commands are authenticated through public-key cryptography, while some module’s state-changing commands require signatures of multiple administrators. An administrator’s identity is proven through the possession of a signing key that corresponds to its public key. Administrator’s public keys are supplied during administrator login using X.509 certificates. The user’s role authenticates through a token-based authentication mechanism, where the authentication token is derived from user provided PIN and session related information. The EP11 authenticated services listed in Table 7, requires the user to present the authentication token. Upon a successful verification on the provided authentication token, the requested service is granted. The EP11 services that do not disclose, modify, substitute keys or key pairs do not require authentication. These services are listed in Table 8. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 28 of 54 4 Physical Security Module physical security mechanisms are mainly automatic. Intrusions, which destroy card secrets through an internal, independent action, are host-observable as system administration events. A picture of the Module security cover is presented in Figure 1. COs may notice tamper detection through unusual Module startup, such as a card failing to initialize. It is recommended to investigate the tamper event type reported by the Module, possibly cross-checking the tamper event with other logs. Physical Security Mechanism Recommended Frequency of Inspection/Test Inspection/Test Guidance Details Hard Tamper N/A (Automatic) N/A Soft Tamper N/A (Automatic) N/A External Warning Module Restart Application Discretion Low Battery As frequent as possible Replace as soon as possible Table 13 - Physical Security Inspection Guidelines Physical security is constantly monitored through a tamper detection/ response envelope with tamper response and zeroization circuitry. No external physical monitoring is required. Environmental failure protection (EFP) is included. A hard tamper event is caused by very high overvoltage, temperature or its rate of change out of reasonable operational range, or physical tamper (penetration of the tamper-detection matrix). Module memory-type devices (e.g., Battery Backed RAM (BBRAM), communication FIFOs) are actively zeroized. Module secrets are immediately destroyed: High Speed Erasable BBRAM (HSEB) is actively cleared at microelectronic speeds (sub-milliseconds). The Module becomes permanently inoperative: Miniboot startup does not successfully complete without secrets in HSEB. A soft tamper event is caused by moderate overvoltage or temperature moderately out of operational range. Reaction is instantaneous. The Module is held under reset while the soft tamper conditions persist. Secrets are not destroyed. Hard and soft temper events’ specifics are listed in Table 14. Temperature or voltage measurement Specify EFP or EFT Specify if this condition results in shutdown or zeroisation Hard tamper event IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 29 of 54 Low Temperature Shipping/Storage temperature below -38°C ±3°C EFP Module memory-type devices (e.g., BBRAM, communication FIFOs) are actively zeroized. Module secrets are immediately destroyed: HSEB is actively cleared at microelectronic speeds (sub- milliseconds). The Module becomes permanently inoperative: Miniboot startup does not successfully terminate without secrets in HSEB. High Temperature Shipping/Storage temperature above +90°C ± 2°C EFP Low Voltage Dead Battery tamper threshold < 2.4V ± 0.1V on Battery Voltage EFP High Voltage High Voltage tamper threshold > 4.2V ± 0.2V on +3.3V Power supply and battery High Voltage tamper threshold > 6.28V ± 0.01V on +5V Power supply EFP Low tamper event Low Temperature Crypto operating temperature below 0°C ± 2°C EFP Reaction is instantaneous. The Module is held under reset while the soft tamper conditions persist. Secrets are not destroyed. High Temperature Crypto operating temperature above 83°C ± 2°C EFP Low Voltage Under voltage soft tamper threshold 4.76V ± 0.01V on +5.0V Power supply EFP High Voltage Over voltage soft tamper threshold 5.89V ± 0.05V on +5.0V Power Supply EFP Table 14 - EFP/EFT Table 15 lists the module's intended temperature range of operation. The module is tested at the low and the high temperatures of operation to pass the hardness requirement for a level 4 module. Hardness tested temperature measurement IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 30 of 54 Low Temperature -42 °C High Temperature 93 °C Table 15 - Hardness testing temperature ranges IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 31 of 54 5 Operational Environment The Module is designated as a limited operational environment under the FIPS 140-2 definitions. The Module includes a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated by the CMVP against FIPS 140-2 or its successor. Any firmware other than the one listed in Table 2 loaded into this Module is out of the scope of this validation and require a separate FIPS 140-2 validation. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 32 of 54 6 Key Management Table 16 describes the usage CSPs by the cryptographic services of the module. An approved SP 800-90A compliant DRBG is used for key generation; the entropy source is contained within the module scope. The module does not output intermediate keys. In Table 16 HSEB and Secure Flash are non-volatile memory, and DRAM is volatile memory. CSPs/ keys Name /Type Generation Entry /Output Storage Zeroization Miniboot ECDSA Key (Device keypair (DKP1) private key) FIPS 186-4 B.4.2 compliant key pair generation using unmodified DRBG output. No entry/no output Flash (encrypted) Overwritten by new values ECDSA Key (Device keypair (DKP1) public key) FIPS 186-4 B.4.2 compliant key pair generation using unmodified DRBG output. No entry Output to the host. Flash N/A Entropy Input Obtained from SP 800-90B compliant entropy source No entry/no output DRAM xcDRNGUninstantiate DRBG seed and internal state Derived from entropy input as defined in SP800-90A No entry/no output DRAM xcDRNGUninstantiate AES Key (File System Encryption Key) Unmodified DRBG output No entry/no output HSEB On hard tamper ECDSA Key (Crypto Officer1 public key) N/A (not generated by the module) Entered through a signed service request command Output to the host. Flash N/A IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 33 of 54 ECDSA Key (Crypto Officer2 public key) Entered through a signed service request command Output to the host. Flash N/A ECDSA Key (Crypto Officer3 public key) Entered through a signed service request command Output to the host. Flash N/A ECDSA Key (IBM Class Root public key) Not generated by the module Entered during the manufacture process Output to the host. Flash N/A Key Encrypting Key (DKP1_KEK) Unmodified DRBG output No entry/no output HSEB On hard tamper EP11 AES Key Unmodified DRBG output No entry/output to the host in encrypted form DRAM/HSEB memclr() Triple-DES Unmodified DRBG output No entry/output to the host in encrypted form DRAM/HSEB memclr() RSA key pair FIPS 186-4 compliant key pair generation using unmodified DRBG output No entry/output to the host in encrypted form DRAM/HSEB memclr() DSA key pair FIPS 186-4 compliant key pair generation using unmodified DRBG output. No entry/output to the host in encrypted form DRAM/HSEB memclr() Entropy input Obtained from SP 800-90B compliant entropy source No entry/no output DRAM memclr() IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 34 of 54 DRBG seed and internal state Derived from entropy input as defined in SP800-90A No entry/no output DRAM memclr() ECDSA key pair FIPS 186-4 B.4.1 compliant key pair generation using unmodified DRBG output No entry/output to the host in encrypted form DRAM/HSEB memclr() DH key pair SP 800- 56ARev3 compliant key pair generation using unmodified DRBG output No entry/output to the host in encrypted form DRAM/HSEB memclr() ECDH key pair SP 800- 56ARev3 compliant key pair generation using unmodified DRBG output No entry/output to the host in encrypted form DRAM/HSEB memclr() HMAC key Unmodified DRBG output No entry/output to the host in encrypted form DRAM/HSEB memclr() Shared Secret Generated during the Diffie-Hellman or EC Diffie- Hellman shared secret computation. No entry/output DRAM memclr() ECDSA/RSA Keys (EP 11 Module Administrator Public Key) N/A Entered with certificates/no output Flash/DRAM N/A ECDSA/RSA Keys (EP11 Domain Administrator Public Key) N/A Entered with certificates/no output Flash/DRAM N/A AES Key Unmodified DRBG output Can be imported and exported by HSEB/DRAM memclr() IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 35 of 54 Table 16 – Keys and CSPs 6.1 Random Number Generation The module provides an [SP800-90A]-compliant Deterministic Random Bit Generator (DRBG) for creation of symmetric keys, asymmetric keys, and random number generation. The DRBG is based on SHA-512 hash function. The module performs the DRBG health tests as defined in section 11.3 of [SP800-90A]. The module uses ring oscillators (ROs) as a noise source. The entropy source is compliant with [SP800-90B] and marked as ENT (P) on the certificate. The entropy source provides full 512-bits of entropy as the input to the Hash_DRBG which uses SHA-512. 6.2 Key Generation The Key Generation methods implemented in the module for approved services in FIPS mode are compliant with Cryptographic Key Generation (CKG) standard [SP800-133] (vendor affirmed) . The module implements symmetric key generation service for AES, Triple-DES and HMAC and asymmetric key generation services for RSA, DSA and ECDSA which are compliant with [FIPS 186- 4]. The random numbers used in asymmetric and symmetric key generation are directly obtained from the [SP800-90A] Hash_DRBG. The public and private keys used in the EC Diffie-Hellman key agreement schemes are generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4] and [SP800-56Ar3]. The Diffie-Hellman key agreement scheme is also compliant with [SP800-56Ar3] and generates keys using safe primes defined in RFC7919 and RFC3526. 6.3 Key Establishment According to Table 10 Comparable strengths in [SP800-57], the key sizes of AES, Diffie-Hellman, and EC Diffie-Hellman provide the following security strengths in FIPS mode of operation. • Diffie-Hellman provides 112 or 128 bits of encryption strength. (EP11 Domain Wrapping Key) domain administrators in encrypted form EC/RSA Importer Key FIPS 186-4 compliant key pair generation using unmodified DRBG output No entry/no output for private key May output public key DRAM memclr() ECDSA Keys (Operating System Keypair private key) FIPS 186-4 compliant key pair generation using unmodified DRBG output No entry/no output for private key May output public key Flash (private key encrypted) Key encryption key used to encrypt the ECDSA private key is zeroized on hard tamper IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 36 of 54 • EC Diffie-Hellman provides 128 or 256 bits of encryption strength. • AES key wrapping with AES KW and KWP key establishment methodology provides 256 bits of encryption strength. • AES key wrapping with CBC and HMAC provides between 128 and 256 bits of encryption strength. The module implements SP800-56ARev3 compliant DH and ECDH shared secret computation that maps to IG D.8 scenario X1(1). The module also implements key agreement scheme consisting of shared secret computation followed by SP 800-56C KDF mapping to IG D.8 scenario X1(2). However, this key agreement operation is performed internally as part of user authentication process and is not available as a service from the module. 6.4 Key Entry/Output The module supports cryptographic AES-256 key entry and output using split knowledge based on Shamir’s Secret Sharing algorithm. The module splits the key into at least two components, which must be used to reconstruct the original key. Knowledge of any k-1 or fewer components provide no information about the original key. CSPs that are entered, and output are encrypted with approved algorithms such as AES-CBC with HMAC or AES KW/KWP. When wrapping keys (WKs) or their parts are transported, they are encrypted with key encryption keys using the specified approved algorithms. The module associates entered or output cryptographic keys with entities to which the keys are assigned. The association of keys with their corresponding entities is performed through authentication which described in section 3. The specification of keys that are entered into or output from the module is included in Table 16. 6.5 Key Zeroization The module provides two types of zeroization mechanisms: zeroization to respond administrative services and zeroization to respond tamper events. The former is called firmware-induced zeroization, and the latter is called Tamper-induced zeroization. EP11 firmware-induced zeroization can be triggered by by Crypto Officer (EP11 Module Administrator) “Zeroize module seg 3” service and the Crypto Officer (EP11 Domain Administrator) “Zeroize domain” service on the need-basis. The functions for zeroization are specified in Table 16, where memclr() function is the central key clearing function. The module also implements Tamper-induced zeroization, which can only be triggered by the module hardware in response to tamper attempts. The EP11 firmware is not involved in the Tamper-induced zeroization mechanism. In the event of tamper, keys and CSPs in the non-volatile memory HSEB and DRAM are all zeroized. All the public keys are protected from the modification and substitution by the digital signatures on the public key certificates. 6.6 Key Storage The module stores CSPs used by the cryptographic module, which are listed in Table 16, including keys that are used for validity of the module’s current configuration (operating system ECDSA private key) and proof of authenticity of the module (DKP1 key private key). These keys are stored in flash memory encrypted with an AES key that is stored in HSEB, as specified in Table 16. The module’s internal key storage is verified by Miniboot Error Correction Code to prevent corruption IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 37 of 54 caused by accidental bit flips. The tamper subsystem monitors a set of parameters to determine if a hard tamper event has occurred. In case if a tamper event has occurred, the tamper controller erases the internal key storage by overwriting it with zeroes or random values. The keys used in user services including symmetric and asymmetric keys are stored in non- persistent form. In some cases, copies of keys, not including public keys, are stored in HSEB. The storage methods for all the keys used by the module are listed in Table 16. Additionally, the module exports user keys for storage outside its cryptographic boundary in encrypted form with authenticated encryption using the approved algorithm AES with HMAC using keys listed in section 3.2. The module does not release CSPs in non-protected form. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 38 of 54 7 EMI/EMC The module meets the requirements of 47 CFR FCC PART 15, Subpart B, Class B (Home use). IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 39 of 54 8 Self-Tests Each time the Module is powered on, it tests that the cryptographic algorithms still operate correctly, and that sensitive data have not been damaged. Power-on self–tests are available on demand by power cycling the Module. On power on or reset, the Module performs the self-tests described in the Power-On Self-tests table below. All KATs must be completed successfully prior to any other use of cryptography by the Module. If one of the KATs fails, the Module halts and a POST error code is generated. In addition to startup tests, the Module executes conditional data tests. 8.1 Power-On Self-Tests 8.1.1 Integrity Tests Configuration integrity test verifies firmware flash memory component and code integrity. Non-modifiable Security Service Processor code, POST 0 and Miniboot 0, are checked for integrity, initially through an embedded non-cryptographic checksum. In case of checksum mismatch, the code halts itself (POST 0) or is not even permitted to execute (Miniboot 0, inhibited by POST 0). This code is executed only at startup, verifying that the Miniboot 0 image is not corrupted. Once Miniboot 0 takes control, it uses the Persistent Memory Manger (PMM) to determine which copy of POST1 should be run. The PMM maintains a truncated SHA-512 hash of the contents of each segment and verifies that the hash of the chosen copy of POST1 matches the stored hash. When POST1 runs, it performs a full PMM initialization. The PMM checks the hash on both copies of all segments and (if possible) corrects any errors detected. Uncorrectable errors cause the module to halt. During regular operations, the crypto ASIC covers all traffic through combinations of redundant implementations, CRCs, and parity checks, in engine-specific ways. Failures are reported as specific hardware errors. The Firmware Integrity tests are listed and described in Table 17. Algorithm Test Firmware Integrity Test POST0 32-bit Checksum The POST0 firmware image incorporates a 32-bit checksum computed so that when the POST0 image is treated as an array of four-byte numbers the sum of the entries is zero. POST0 copies itself from flash to RAM and then verifies the checksum on the RAM copy. POST1 32-bit Checksum SHA-512 (truncated) The POST1 firmware image incorporates a 32-bit checksum computed so that when the POST1 image is treated as an array of four-byte numbers the sum of the entries is zero. When POST1 runs, it verifies the checksum on the RAM copy of itself. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 40 of 54 Algorithm Test POST1 is covered by the Persistent Memory Manager (PMM). MB0 directs the PMM to decide which copy of POST1 should be loaded and run. The PMM verifies the hash of POST1 at this time. POST2 32-bit Checksum SHA-512 (truncated) The POST2 firmware image incorporates a 32-bit checksum computed so that when the POST2 image is treated as an array of four-byte numbers, the sum of the entries is zero. POST2 copies itself from flash to RAM and then verifies the checksum on the RAM copy. POST2 is covered by the Persistent Memory Manager (PMM). The PMM verifies the hash of POST2 when POST1 directs the PMM to initialize itself. MB0 32-bit Checksum The MB0 firmware image incorporates a 32-bit checksum computed so that when the MB0 image is treated as an array of four-byte numbers, the sum of the entries is zero. POST0 verifies the checksum on the copy of MB0 in flash before transferring control to MB0. While MB0 copies itself from flash to RAM, it computes the checksum and verifies that the result is zero at the end. MB1 SHA-512 (truncated) MB1 is covered by the Persistent Memory Manager (PMM). The PMM verifies the hash of MB1 when POST1 directs the PMM to initialize itself. Table 17: Integrity Tests 8.1.2 Known-Answer Self-Tests Table 18 lists the Known-Answer Self-Tests performed by the module. Algorithm Test Miniboot HASH DRBG Modes: SHA-512 ECDSA Sign, Verify Modes: SHA-512 Keys: P-521 EP11 AES Encryption, Decryption Modes: ECB, CBC Keys: 128, 192, 256 Message Authentication Modes: CMAC IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 41 of 54 Algorithm Test Keys: 128, 192, 256 DH DH Shared Secret Computation (Primitive Z Computation KAT) Hash: SHA-256 Keys: 2048 ECDH ECDH Shared Secret Computation (Primitive Z Computation KAT) Keys: P-256, P-521 DSA Sign/Verify using 2048 bit key SP 800-56Cr2 KDF (KDA) Modes: One Step with HMAC-SHA-256 SP 800-108 KDF Modes: Counter with HMAC-SHA-256 ECDSA Sign Verify Modes: SHA-256 Keys: P-192, P-224, P-256, P-384, P-521 HASH DRBG Modes: SHA-512 HMAC SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 RSA Modes: PKCS and PSS with SHA-256 Sign, Verify Keys: 2048 SHS SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Triple-DES Encryption, Decryption Modes: ECB/CBC Keys: 168 Message Authentication Modes: CMAC Keys: 168 Table 18 – Known-Answer Self-Tests IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 42 of 54 8.1.3 Conditional Tests Table 19 lists all the pairwise consistency tests performed by the module. Algorithm Test Miniboot ECDSA Key Generation Signature Generation and Verification Hash: SHA-256 EP11 RSA Key Generation Signature Generation and Verification Hash: SHA-256 DSA Key Generation Signature Generation and Verification Hash: SHA-256 ECDSA Key Generation Signature Generation and Verification, Hash: SHA-256 SP800-90B Health Tests: RCT and APT Table 19 - Conditional Tests IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 43 of 54 9 Design assurance 9.1 Delivery and Operation The module is initialized at the factory. Internal controls guarantee that each one may be initialized only once, therefore there are no field initialization requirements, other than platform- specific ones for installation of PCIe cards. Once a module has been delivered, its configuration should be logged, to verify that it is fully operational and loaded by an approved code level. Application-specific details of this verification are available outside this policy. 1. The Module will provide six (6) distinct operator roles: Cryptographic Officer 1, Cryptographic Officer 2, and Cryptographic Officer 3, Crypto Officer (EP11 Domain Administrator), Crypto Officer (EP11 Module Administrator), EP11 User. 2. The Module will provide identity-based authentication. 3. When the Module has not been placed in a valid role, the operator will not have access to any cryptographic services. 4. The operator will be capable of commanding the Module to perform the power on self-tests by cycling power or resetting the Module. 5. Power on self-tests do not require any operator action. 6. Data output will be inhibited during key generation, self-tests, zeroization, and error states. 7. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module. 8. Please refer to section 6 for the respective zeroization methods for each CSP. Specifically, to zeroize the persistent keys the operator will have to initiate the hard tamper on the device. However, note that this will make the module inoperable. 9. The Module does not support concurrent operators. 10. The Module does not support a maintenance interface or role. 11. The Module does not support manual key entry. 12. The Module does not have any external input/output devices used for entry/output of data. 13. The Module does not enter or output plaintext CSPs. 14. The Module does not output intermediate key values. 9.2 Crypto Officer Guidance 9.2.1 Coprocessor Physical Installation Note that on a Microsoft Windows operating system, it is necessary to install the Common Cryptographic Architecture (CCA) support software before installing a coprocessor. Other supported operating systems do not require this, but it is recommended. To install the coprocessor into the host computer, follow these steps: 1. Locate your computer’s instructions for installing expansion cards. Throughout this procedure, follow the safety instructions in that manual. 2. Turn OFF the computer and all attached devices. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 44 of 54 3. Disconnect all cables, including the power cable. Refer to “Danger Notice D005” in Appendix B. 4. Choose a PCIe expansion slot able to accommodate a standard short-type adapter card. 5. If the expansion slot has an individual cover, remove any bracket-holding screw and the cover. Attention: Electrostatic discharge (ESD) can damage the card and its components. Wear an ESD wrist-strap while handling and installing the card, or take the following precautions: • Limit your movements; this helps prevent static electricity from building up around you. • Prevent others from touching the card or other components. • Before removing the card from the electrostatic discharge (ESD) barrier bag, touch the bag to an unpainted metal surface on your computer and hold it there for at least two seconds. • Handle the card by its edges only. Do not touch exposed circuitry and components. 6. Remove the cryptographic coprocessor from its ESD barrier bag. Do not discard the bag. It can be used again whenever the coprocessor is removed from the server. 7. Insert the coprocessor into the slot; be sure that the card is fully seated. 8. If possible, install a bracket-holding screw. Some server models have a row of screws available inside the machine for this purpose. 9. Replace the host computer’s cover. 10. Reconnect the power cable and any other cables that you disconnected. 11. Turn the computer ON. The cryptographic coprocessor runs it power-on self-test (POST). 9.2.2 Firmware Installation and Entering Operational/FIPS Mode 1. Surrender and establish seg3 HSM card ownership 2. Load firmware image with Coprocessor Load Utility (CLU) tool 3. Run CLU Status command 4. Run EP11Info command to show card is being initialized 5. Use Trusted Key Entry (TKE) script to bring domain out of initialization 6. Run EP11Info to show card has transitioned out of initialization 7. Run EP11Info to show domain has transitioned out of initialization 8. Use TKE to disable control points for entering FIPS mode as mentioned in section 1.2 9. Run EP11Info to show domain / card is in FIPS mode. 9.3 User Guidance 9.3.1 Handling Self-Test Errors When the cryptographic module is in error state it is inactive, and all the data output and services are inhibited. Errors occurred during the self-tests and conditional tests transition the module into an error state. To recover from the error state the cryptographic module must be reset. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 45 of 54 Error State Cause of Error Error Indicator Miniboot ERROR STATE DRBG KATs failure Code 8003* ECDSA KATs failure ECDSA PCT failure POST0 checksum failure de00a900:000000a0 MB0 checksum failure 8003a1b0:xxxxxxxx POST1 checksum failure de00a200:00001000 MB1 checksum failure de00a200:02001100 EP11 ERROR STATE SHA* KATs failure Hash KAT HW/SW disagree on digest / KAT: SHA* failed / KAT: hash selftests failed / KAT: selftests failed HMAC-SHA-* KATs failure KAT: HMAC/SHA* f / KAT: HMAC selftests failed KAT: selftests failed AES KATs failure KAT: AES/* failed / KAT: symmetric selftests failed / KAT: selftests failed / KAT: symmetric encrypt result mismatched / AES CMAC KATs failure KAT: AES*-CMAC failed / KAT: CMAC selftests failed / KAT: selftests failed / Triple-DES KATs failure KAT: 3DES/* failed / KAT: symmetric selftests failed / KAT: selftests failed / KAT: symmetric encrypt result mismatched RSA KATs failure KAT: RSA/PSS/sign mismatched / KAT: RSA/sign-verify failed / KAT: RSA selftests failed / KAT: selftests failed / KAT: RSA selftests failed IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 46 of 54 Error State Cause of Error Error Indicator ECDSA KATs failure KAT: EC/sign+verify failed / KAT: EC/sign-verify failed / KAT: EC selftests failed / KAT: selftests failed / KAT: EC/sign KAT compare failed DH KATs failure KAT: DH exchange disagrees / DH: 1+2 mismatched / KAT: DH key agreement selftest failed / KAT: selftests failed SP800-108 KDF KAT failure KAT: selftests failed / KAT: KDF data invalid / KAT: KDF f SP800-56Cr2 KDF KAT failure DSA KAT failure Inject Fault DRBG KAT failure KAT: HW-DRNG/1 failed KAT: SW-DRNG/1 failed ECDSA PCT failure CSP: signature does not verify / could not verify signing key / PK: key/gen verify failed DSA PCT failure RSA PCT failure ECDH KATs failure KAT: ECDH f / KAT: EC selftests failed ENT RCT and APT Health-tests failure Code 8003*/Code 80010101 Table 20 - Error States 9.3.2 DSA signature service usage In the approved mode, the module does not provide DSA domain parameter generation service. For DSA, the only approved services available in the approved mode are DSA key generation, signature generation and signature verification. During the DSA signature operation, the module performs the validation of parameter "g" as required per section 4.1 of SP 800-89. the module cannot perform similar validation on parameters "p" and "q" due to unavailability of domain_parameter_seed. The module's User requesting the DSA signature service shall confirm the assurance on the validity of "p" and "q" as required per section 4.1 or 4.2 of SP 800-89. 9.4 Supplemental IBM Security Policy and Guidance Supplemental security policy that contains additional information regarding the cryptographic module is available here. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 47 of 54 10 Mitigation of other attacks The module does not implement security mechanisms to mitigate other attacks. IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 48 of 54 Glossary and Abbreviations AES Advanced Encryption Standard APT Adaptive Proportion Test BBRAM Battery Backed RAM CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCA Common Cryptographic Architecture CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter DES Data Encryption Standard DH Diffie Hellman DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie Hellman ECDSA Elliptic Curve Digital Signature Algorithm EFP Environmental Failure Protection EFT Environmental Failure Testing FIPS Federal Information Processing Standards Publication HMAC Hash Message Authentication Code HSEB High Speed Erasable BBRAM KAT Known Answer Test KEK Key Encrypting Key MAC Message Authentication Code MB Miniboot MCPU Module CPU NIST National Institute of Science and Technology NDRNG Non-Deterministic Random Number Generator PCT Pair-Wise Consistency Test PCIe PCI Express Interface PKCS Public-Key Cryptography Standards POST Power-On Self-Test RCT Repetitive Count Test RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SKM Session Key Modifier IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 49 of 54 SP Special Publication SSC Shared Secret Computation SSP Sensitive Security Parameter TKE Trusted Key Entry IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 50 of 54 Appendix A. References FIPS140-2 FIPS PUB 140-2 - Security Requirements For Cryptographic Modules May 2001 https://doi.org/10.6028/NIST.FIPS.140-2 FIPS140-2_IG Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program May 2021 https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation- program/documents/fips140-2/FIPS1402IG.pdf FIPS180-4 Secure Hash Standard (SHS) August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm August 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 51 of 54 SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38e.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP800-56Cr2 NIST Special Publication 800-56C – Revision 1 - Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57 NIST Special Publication 800-57 Part 1 Revision 4 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf SP800-67r2 NIST Special Publication 800-67 Revision 2 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher November 2017 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B (Second DRAFT) NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) October 2009 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 52 of 54 SP800-131Ar1 NIST Special Publication 800-131A Revision 2- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf SP800-133 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP800-135 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 53 of 54 Appendix B. Danger Notice D005 DANGER: When working on or around the system, observe the following precautions: Electrical voltage and current from power, telephone, and communication cables are hazardous. To avoid a shock hazard: • If IBM supplied a power cord(s), connect power to this unit only with the IBM provided power cord. Do not use the IBM provided power cord for any other product. • Do not open or service any power supply assembly. • Do not connect or disconnect any cables or perform installation, maintenance, or reconfiguration of this product during an electrical storm. • The product might be equipped with multiple power cords. To remove all hazardous voltages, disconnect all power cords. • Connect all power cords to a properly wired and grounded electrical outlet. Ensure that the outlet supplies proper voltage and phase rotation according to the system rating plate. • Connect any equipment that will be attached to this product to properly wired outlets. • When possible, use one hand only to connect or disconnect signal cables. • Never turn on any equipment when there is evidence of fire, water, or structural damage. • Do not attempt to switch on power to the machine until all possible unsafe conditions are corrected. • Assume that an electrical safety hazard is present. Perform all continuity, grounding, and power checks specified during the subsystem installation procedures to ensure that the machine meets safety requirements. • Do not continue with the inspection if any unsafe conditions are present. • Disconnect the attached power cords, telecommunications systems, networks, and modems before you open the device covers, unless instructed otherwise in the installation and configuration procedures. • Connect and disconnect cables as described in the following procedures when installing, moving, or opening covers on this product or attached devices. To disconnect: 1. Turn off everything (unless instructed otherwise). 2. Remove the power cords from the outlets. 3. Remove the signal cables from the connectors. 4. Remove all cables from the devices. To connect: IBM 4770-001 Enterprise PKCS#11 HSM Cryptographic Coprocessor Security Module FIPS 140-2 Non-Proprietary Security Policy © 2023 IBM / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 54 of 54 1. Turn off everything (unless instructed otherwise). 2. Attach all cables to the devices. 3. Attach the signal cables to the connectors. 4. Attach the power cords to the outlets. 5. Turn on the devices. • Sharp edges, corners and joints may be present in and around the system. Use care when handling equipment to avoid cuts, scrapes, and pinching. (D005)