© 2022 Western Digital Corporation or its affiliates. Public Material - May be reproduced only in its original entirety [without revision]. Ultrastar® DC SN540, NVMe™ PCIe 3.0, Self-Encrypting Drive Ultrastar® DC ZN540, NVMe™ PCIe 3.0, Self-Encrypting Drive FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Protection of Data at Rest Document Version: 1.1 2022-07-05 Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 2 of 31 Table of Contents 1. Cryptographic Module Overview.............................................................................................................4 1.1 Models........................................................................................................................................................................5 1.2 Security Level............................................................................................................................................................6 2. FIPS 140 Modes of Operation..................................................................................................................6 2.1 FIPS Approved Mode of Operation.....................................................................................................................6 2.2 TCG Ruby Security Mode ......................................................................................................................................6 2.3 Single User Data Ranges.........................................................................................................................................7 2.4 Approved Algorithms..............................................................................................................................................7 2.5 Approved Random Number Generator...............................................................................................................8 3. Ports and Interfaces....................................................................................................................................9 4. Identification and Authentication Policy.................................................................................................9 4.1 Crypto Officer Roles ...............................................................................................................................................9 4.1.1 Secure ID (SID) .................................................................................................................................................................9 4.1.2 Admin SP Admin1.............................................................................................................................................................9 4.1.3 Locking SP Admins...........................................................................................................................................................9 4.2 User Roles .................................................................................................................................................................9 4.2.1 Locking SP Users...............................................................................................................................................................9 4.3 Anybody...................................................................................................................................................................10 4.4 Authentication Method and Strength .................................................................................................................10 5. Access Control Policy ..............................................................................................................................11 5.1 Roles and Authenticated Services........................................................................................................................11 5.2 Unauthenticated Services......................................................................................................................................12 5.3 Definition of Critical Security Parameters (CSPs) ............................................................................................13 5.4 Public Security Parameters....................................................................................................................................16 5.5 SP800-132 Key Derivation Function Affirmations..........................................................................................17 5.6 Critical Security Parameter Modes of Access ....................................................................................................18 5.7 Public Security Parameter Modes of Access......................................................................................................21 6. Operational Environment .......................................................................................................................22 7. Security Rules ............................................................................................................................................23 7.1 Invariant Rules........................................................................................................................................................23 7.2 Initialization Instructions......................................................................................................................................24 7.3 Zeroization Rules...................................................................................................................................................25 8. Physical Security Policy............................................................................................................................25 8.1 Mechanisms.............................................................................................................................................................25 8.2 Operator Responsibility ........................................................................................................................................25 9. Mitigation of Other Attacks Policy ........................................................................................................26 10. Definitions .................................................................................................................................................26 11. Key Words.................................................................................................................................................28 12. Acronyms...................................................................................................................................................28 13. References..................................................................................................................................................29 13.1 NIST Specifications...............................................................................................................................................29 13.2 Trusted Computing Group Specifications.........................................................................................................30 13.3 International Standards .........................................................................................................................................30 Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 3 of 31 13.4 Corporate Documents...........................................................................................................................................31 Tables Table 1 - Ultrastar DC SN540 Models...........................................................................................................5 Table 2 - Ultrastar DC ZN540 Models ..........................................................................................................5 Table 3 - Module Security Level Specification..............................................................................................6 Table 4 - FIPS Approved Algorithms ............................................................................................................8 Table 5 – Approved Cryptographic Functions Tested with Vendor Affirmation...................................8 Table 6 - Ultrastar DC SN540 Ports and Interfaces.....................................................................................9 Table 7 - Roles and Required Identification and Authentication.............................................................10 Table 8 - Authenticated CM Services ...........................................................................................................12 Table 9 - Unauthenticated CM Services.......................................................................................................13 Table 10 - Critical Security Parameters.........................................................................................................16 Table 11 - Public Security Parameters ..........................................................................................................17 Table 12 - CSP Access Rights within Roles & Services.............................................................................19 Table 13 - CSP Access Rights within Roles & Services.............................................................................21 Table 14 - PSP Access Rights within Roles & Services .............................................................................22 Figures Figure 1 Ultrastar DC SN540 ..........................................................................................................................4 Figure 2 Ultrastar DC ZN540..........................................................................................................................4 Figure 3: Ultrastar DC SN540/ZN540 Block Diagram ..............................................................................5 Figure 4: Tamper-Evident Seal Locations....................................................................................................25 Figure 5: Tamper Evidence on Tamper Seal...............................................................................................26 Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 4 of 31 1. Cryptographic Module Overview The self-encrypting Ultrastar DC SN540 NVMe™ PCIe 3.0 Self Encrypting Drive and Ultrastar DC ZN540 NVMe™ PCIe 3.0 Self Encrypting Drive, hereafter referred to as Ultrastar DC SN540, Ultrastar DC ZN540, or Cryptographic Module (CM), is a multiple-chip embedded module that complies with FIPS 140-2 Level 2 security. The drive enclosure defines the cryptographic boundary. See Figure 1 and Figure 2. The physical interface to the Cryptographic Module is the U.21 connector and a 2-pin UART port connector. All components within this boundary satisfy FIPS 140-2 requirements. The Cryptographic Module complies with the Trusted Computing Group (TCG) Storage Security Subsystem Class: Ruby Specification [8]. The TCG Storage specifications [1, 2, 3, 4, 5, 6, 7, and 8] define the logical interface. The range of supported services, which utilize NIST approved algorithms, include 256-bit AES hardware-based data encryption, cryptographic erasure of user data, authenticated protection of LBA data ranges and RSA 2048 authenticated firmware download support. The primary function of the module is to provide encrypted data storage, authenticated access control, and cryptographic erasure of the data stored on the solid-state media. The Cryptographic Module operator, interfaces with the CM through a host system application. Figure 1 Ultrastar DC SN540 Figure 2 Ultrastar DC ZN540 1 Formally referred to as PCIe SSD SFF-8639 Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 5 of 31 Figure 3: Ultrastar DC SN540/ZN540 Block Diagram 1.1 Models Multiple hardware versions define the scope of the Cryptographic Module. Storage capacity, data storage model, write endurance, and overprovisioning define the differences. Table 1 and Table 2 provide the model numbers, characteristics, and firmware version associated with each validated model. Hardware Version Firmware Version Description WUS4B7619DSP305 R611000Q SSD, TLC BICS4, 1.92 TB, NVMe PCIe 3.0, 1 DW/D, 7% OP WUS4B7638DSP305 R611000Q SSD, TLC BICS4, 3.84 TB, NVMe PCIe 3.0, 0.5 DW/D, 7% OP WUS4B7676DSP305 R611000Q SSD, TLC BICS4, 7.68 TB, NVMe PCIe 3.0, 0.5 DW/D, 7% OP WUS4B7696DSP305 R611000Q SSD, TLC BICS4, 960 GB, NVMe PCIe 3.0, 1 DW/D, 7% OP Table 1 - Ultrastar DC SN540 Models Hardware Version Firmware Version Description WZS4C8T1TDSP305 R6Z10022 SSD, TLC BICS4, 1TB, NVMe PCIe 3.0, ZNS, 3.5DW/D, 0% OP WZS4C8T2TDSP305 R6Z10022 SSD, TLC BICS4, 2TB, NVMe PCIe 3.0, ZNS, 3.5DW/D, 0% OP WZS4C8T4TDSP305 R6Z10022 SSD, TLC BICS4, 4TB, NVMe PCIe 3.0, ZNS, 3.5DW/D, 0% OP WZS4C8T8TDSP305 R6Z10022 SSD, TLC BICS4, 8TB, NVMe PCIe 3.0, ZNS, 3.5DW/D, 0% OP Table 2 - Ultrastar DC ZN540 Models Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 6 of 31 1.2 Security Level The Cryptographic Module meets all requirements applicable to FIPS 140-2 Level 2 Security. FIPS 140-2 Security Requirements Section FIPS 140-2 Security Level Achieved Cryptographic Module Specification 2 Module Ports and Interfaces 2 Roles, Services and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 3 Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Table 3 - Module Security Level Specification 2. FIPS 140 Modes of Operation 2.1 FIPS Approved Mode of Operation The Cryptographic Module has a single FIPS Approved mode of operation. Upon shipment from the vendor's manufacturing site the cryptographic module always operates in FIPS Approved Mode. See Section 7.2 for information on the recommended initialization instructions for the Cryptographic Module. The operator can confirm that the Cryptographic Module is operating in a FIPS Approved mode by invoking the Level 0 Discovery service and confirming that the inFIPS data field returns a value of 1. 2.2 TCG Ruby Security Mode The TCG Ruby security mode utilizes NVMe commands as well as TCG commands that address the TCG Admin SP and TCG Locking SP to provide services. The Crypto Officer must execute the Activate service to enable the TCG Ruby security mode. The TCG Ruby security mode allows multiple users with individualized access control to read, write, and erase data within independent data areas, which are referred to as LBA ranges. Access control tables define authorities, the secrets and authentication methods those authorities require, and the access control associations that permit method operation. Credential tables define the available encryption and decryption algorithms, authentication mechanisms, and store associated secrets or keys. Access control defines which authorities are permitted to successfully invoke which methods and modify ACLs. The TCG Ruby security mode supports administrator functions within the Crypto Officer role to, • Enable and disable Users • Grant LBA range access to Users • Create, configure, lock, and unlock LBA ranges • Cryptographically erase data ranges Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 7 of 31 2.3 Single User Data Ranges The Crypto Officer may elect to define one or more data ranges as Single User Data Ranges (SUDR) when invoking the Activate service. The TCG Storage Opal SSC Feature Set: Single User Mode [5] defines Single User Data Ranges. As specified, the associated User role solely manages its assigned SUDR. Executing the Reactivate service allows an enabled Locking SP Admin to reclassify user data ranges. 2.4 Approved Algorithms The Cryptographic Module supports the following FIPS Approved algorithms. All algorithms and key lengths comply with NIST SP 800-131A. CAVP Cert Algorithm Standards and Function A1184, A1232 [FIPS 186-4] RSA Function: Digital signature verification with SHA2-256 Mode: PKCS#1 v1.5 Key size: 2048 bits Strength: 112 bits Prerequisite: SHS 2942 A1232 [SP 800 38F] Key Wrapping Functions: Encryption, decryption, and key wrapping to protect the Root Signing Key Modes: KWP-AE, KWP-AD using AES-ECB-256 Key Size: 256 bits Security Strength: 256 bits Prerequisite: AES 3913 A1232 [SP 800-132] PBKDF2 Function: PBKDF2 utilizes a 32-byte PIN (password) and 256-bit KDF Salt to generate 256-bit Derived Authority Keys. Mode: HMAC-SHA2-256 Password Size: 32 bytes Salt Size: 256 bits Security Strength: 256 bits Prerequisite: SHS 2942, HMAC 2280 A1232 [SP 800-90A, SP 800-38A, SP 800-38D] DRBG Function: Deterministic random number generator (DRBG) Mode: CTR DRBG with AES-256 Derivation Function Key Size: 256 bits Key Length: 384 bits Security Strength: 256 bits Prerequisite: AES 3580 AES 35802 [FIPS 197, SP 800-38A, SP 800-38E] AES Function: AES-CBC-256 encrypts and decrypts CSPs and PSPs. Mode: CBC Key Size: 256 bits Security Strength: 256 bits AES 39133 [FIPS 197] AES Function: AES-ECB-256 encryption and decryption. Supports SP 800-38F key wrapping. Mode: ECB Key Size: 256 bits Security Strength: 256 bits 2 The cryptographic module does not use the AES ECB-128, AES ECB-256, AES-CBC-128, AES-XTS-128, and AES-XTS-256 capabilities listed under Cert# AES 3580. 3 The cryptographic module does not use the AES-ECB-128, AES-XTS-128 and AES-XTS-256 capabilities listed under Cert# AES 3913. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 8 of 31 CAVP Cert Algorithm Standards and Function C1973 [FIPS 197, SP 800-38A, SP 800-38E] AES4 Function: Used to encrypt and decrypt data-at-rest in a storage application Mode: XTS5 • Per IG A.9, an LRK.AESKey/LRK.XTS keyset differs from its associated NSK.AESKey/NSK.XTS keyset Key Size: 256 Security Strength: 256 bits ENT (P) [SP800-90B] Function: Hardware entropy noise source seeds the Approved [SP800-90A] DRBG Type: Ring Oscillator DRBG Seed Length: 5120 bits DRBG Seed Entropy: 433.044 bits (2.7064 bits per 32 bits) HMAC 22806 [FIPS 198-1] HMAC Function: Used to sign and verify CSPs and PSPs and derive keys in PBKDF2. Mode: SHA2-256 Key Size: 256 Security Strength: 256 bits Prerequisite: SHS 2942 SHS 29427 [FIPS 180-4] SHS Functions: Digital signature verification and in used in the HMAC function Mode: SHA2-256 Key Size: 256 Security Strength: 256 bits Table 4 - FIPS Approved Algorithms Algorithm Description Rationale CKG [SP800 133] Cryptographic Key Generation Function: Generated from the DRBG without further modification or post processing Reference: Table 10 and Table 11 list the Symmetric Keys Vendor Affirmed [FIPS140] IG D.12 [SP 800 133] Sections 6.1, 6.2.3 and 6.3 Table 5 – Approved Cryptographic Functions Tested with Vendor Affirmation 2.5 Approved Random Number Generator A validated [SP 800-90B] ENT (P) seeds the Approved [SP800-90A] DRBG. Available entropy does not modify the security strength of the cryptographic keys generated by the module. Each 32-bit sample block contains at least 2.7064 bits of entropy. Each time the DRBG is instantiated or reseeded, one hundred sixty (160) 32-bit samples seed the DRBG. This equates to 5120 bits of entropy data and translates to at least 433.044 bits of entropy. The nonce consumes approximately 144.3 bits. Therefore, approximately 288.7 bits of entropy remain to determine the bit strength of the keys generated by the DRBG. This exceeds the 384 bits (256-bit entropy input and 128-bit nonce) of min-entropy needed to seed the DRBG with 256-bits of security. 4 AES ECB-128 and AES-XTS-128 were tested. However, the cryptographic module does not use these algorithms. 5 The length of the XTS-AES data unit does not exceed 220 blocks 6 The cryptographic module does not use the HMAC-SHA1, and HMAC-SHA2-224 capabilities listed under Cert# HMAC 2280. 7 The cryptographic module does not use the SHA-1 and SHA2-224 capabilities listed under Cert# SHS 2942. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 9 of 31 3. Ports and Interfaces The drive uses the standard 68-pin PCIe U.2 connector that conforms to the mechanical requirements of SFF-8639. Table 6 identifies the Cryptographic Module’s ports and interfaces. The UART port is a three-wire port that consists of transmit (Tx), receive (Rx) and ground. A tamper evident seal protects the UART connector. The Cryptographic Module does not provide a removable maintenance access panel. FIPS 140-2 Interface Cryptographic Module Port Connector Pins Power Power connector Control Input U.2 connector, UART connector Status Output U.2 connector, UART connector Data Input U.2 connector, UART connector Data Output U.2 connector, UART connector Table 6 - Ultrastar DC SN540 Ports and Interfaces 4. Identification and Authentication Policy The Cryptographic Module enforces role separation by requiring a role identifier and an authentication credential in the form of a Personal Identification Number (PIN). The Cryptographic Module enforces the following FIPS140-2 operator roles. Table 7 maps TCG authorities to FIPS 140-2 roles. 4.1 Crypto Officer Roles 4.1.1 Secure ID (SID) This Crypto Officer role corresponds to the authority that represents the TPer owner within the Admin SP as defined in the TCG Storage Security Subsystem Class: Opal [2] specification. The Crypto Officer uses this role to transition the Cryptographic Module to the TCG Storage Ruby security mode. The Cryptographic Mode actively rejects firmware images that do not comply with FIPS 140 security requirements. 4.1.2 Admin SP Admin1 This Crypto Officer role corresponds to the Admin SP Admin1 authority defined in the TCG Storage Security Subsystem Class: Opal [2] specification. The Admin SP Admin1 authority can enable and disable a Locking SP Admin. 4.1.3 Locking SP Admins This Crypto Officer role corresponds to the Locking SP Admin Authority as defined in the TCG Storage Security Subsystem Class: Opal [2] specification. The CM enables Locking SP Admin1 by default. The CM can enable at most four (4) separate Locking SP Admins. By default, the CM disables Locking SP Admins beyond Admin1. When the Single User Data Range (SUDR) feature is disabled, a Locking SP Admin can enable and disable Users, create, and delete data ranges, set data range attributes, lock, unlock, and erase data ranges. A Locking SP Admin executes the Erase service to cryptographically erase a SUDR, by invoking TCG Erase. A Locking SP Admin executes the Erase service to cryptographically erase a non-SUDR, by invoking TCG GenKey. Both methods accomplish the same end by regenerating and replacing the Media Encryption Key (MEK) assigned to the data range. 4.2 User Roles 4.2.1 Locking SP Users This user role corresponds to the Locking SP User Authorities as defined in the TCG Storage Security Subsystem Class: Opal [2] specification. This role can lock and unlock LBA ranges to control the ability of the host to read and write data to and from the CM. By default, all Locking SP Users are disabled. The CM can enable at most nine (9) separate Users. Enabled Locking SP Admins enable Locking SP Users and assign them read/write/erase access to LBA data ranges. A Locking SP User executes the Erase service to cryptographically erase a SUDR by invoking TCG Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 10 of 31 Erase or TCG GenKey. A Locking SP User executes the Erase service to cryptographically erase a non-SUDR by invoking TCG GenKey. Both methods accomplish the same end by regenerating and replacing the Media Encryption Key (MEK) assigned to the data range. 4.3 Anybody The Anybody role can access services that do not require authentication. Apart from the Generate Random service, which provides output from an instance of the SP800-90A DRBG, unauthenticated services do not disclose, modify, or substitute Critical Security Parameters, use Approved security functions, or otherwise affect the security of the Cryptographic Module. If the operator has physical access to the drive, the Anybody role can use a power cycle to reset the Cryptographic Module, which results in the execution all the Power on Self-Tests (POST). TCG Authority Description Authentication Type Authentication Data SID The TCG Storage Security Subsystem Class: Opal [2] specification defines the SID authority. Role-based SID PIN Admin SP Admin1 The TCG Storage Security Subsystem Class: Opal [2] specification defines the Admin SP Admin1 authority. Role-based Admin SP Admin1 PIN Locking SP Admin The TCG Storage Security Subsystem Class: Opal [2] specification defines Locking SP Admin authority. Role-based Locking SP Admin PIN Locking SP User The TCG Storage Security Subsystem Class: Opal [2] specification defines the Locking SP User authority. Role-based Locking SP User PIN Anybody Anybody is a role that does not require authentication. The TCG Storage Security Subsystem Class: Opal [2] specification defines the Anybody authority. Unauthenticated N/A Table 7 - Roles and Required Identification and Authentication 4.4 Authentication Method and Strength Authentication occurs within a TCG session. At any one time, only a single session can be open. After opening an Admin SP session or a Locking SP session, an operator uses the Authenticate method to authenticate to a role. Authentications persist until the session closes or the Cryptographic Module powers down. Operators utilize an Authority PIN to authenticate to a Crypto Officer or User role. Authority PINs are 32-byte TCG credentials. For a 32-byte PIN, there are 2256 possible values. Each byte position contains a value from 0x00 to 0xFF. Assuming all possible values have an equal chance of use, the probability of guessing the correct PIN is one chance in 2256 or approximately 8.64 x 10-78, which is significantly less than 1/1,000,000. The TCG Ruby security model includes a TryLimit attribute, which if reached, locks out further attempts to authenticate to a TCG Credential. Assuming the TryLimit is non-zero8, an Authority_Locked_Out state exists if the Tries count value equals the TryLimit value associated with a TCG Authority. Each authentication attempt consumes approximately 198 microseconds. Hence, at most, approximately 30,287 authentication attempts can occur within one minute when the TryLimit equals zero (0). Thus, the probability that a false acceptance occurs within a one- minute interval is approximately 2.62 x 10-73 (8.64 x 10-78 x 30,287), which is significantly less than 1/100,000. 8 When TryLimit is set to zero (0), the CM places no limit on the number of authentication attempts. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 11 of 31 5. Access Control Policy 5.1 Roles and Authenticated Services Service Description Role(s) Activate The Activate method allows the TPer owner to “turn on” a Security Provider (SP) that was created in manufacturing. LBA ranges are configured, and data encryption and access control credentials (re)generated and/or set within the Cryptographic Module. Access control is configured for LBA range unlocking. CO (SID, Admin SP Admin1) Authenticate Input a TCG Credential for authentication CO (SID, Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Disable User Set PIN This service disables the ability of a non-SUDR User to modify its own PIN. CO (Locking SP Admins) Enable/Disable Admin SP Admin This service enables and disables the Admin SP Admin1 authority. CO (SID) Enable/Disable Locking SP Admin This service enables and disables a Locking SP Admin or non-SUDR User authority. CO (Admin SP Admin1) Enable/Disable Locking SP User This service enables and disables a Locking SP User authority. CO (Locking SP Admins) Enable/Disable SUDR This service enables and disables the classification of a data range as a SUDR. CO (Locking SP Admins) Erase non-SUDR A cryptographic erasure service that utilizes the TCG GenKey method to generate and replace the MEK assigned to an LBA data range CO (Locking SP Admins) Users (Locking SP Users) Erase SUDR A cryptographic erasure service that utilizes the TCG GenKey or TCG Erase method to generate and replace the MEK assigned to an LBA data range CO (Locking SP Admins)9 Users (Locking SP Users)10 Field FA This service provides basic drive health analysis testing and media verification. The service does not leak any clear text user data to the host interface. This service is limited to performing the following functions: • Basic health tests • Media verification All Host Read/Write Commands are inhibited. CO (SID, Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Initialize Cryptographic Module11 Crypto Officer provisions the Cryptographic Module from the organizational policies CO (SID, Admin SP Admin1) Lock/Unlock Data Range This service denies or permits read and write access to an LBA range CO (Locking SP Admins)12 Users (Locking SP Users) 9 TCG Erase only 10 TCG GenKey or TCG Erase 11 See the Cryptographic Module Acceptance and Provisioning section within 7.2 Initialization Rules. 12 Applies only to non-SUDRs Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 12 of 31 Service Description Role(s) Reactivate In Single User Mode, the reactivate service allows the host to define which ranges are under the control of a single User authority. In addition, it allows the host to define range ownership within non-Global Range Locking objects. CO (Locking SP Admins) SecureDrive Command TCG IF-SEND and IF-RECV transport secure commands to and from the Cryptographic Module. CO (SID, Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Set Write data structures; access control enforcement occurs per data structure field. This service can change PINs. CO (SID, Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Set Data Range Attributes for a non-SUDR This service sets the starting location, size, and locking attributes for a SUDR. CO (Locking SP Admins) Users (Locking SP Users) Set Data Range Attributes for a SUDR This service sets the starting location, size, and locking attributes as well as the User access rights for a non-SUDR. CO (Locking SP Admins) Users (Locking SP Users) Zeroize This service utilizes the TCG Revert method to zeroize the CM and return the CM to its original manufactured state. Execution of this service requires the operator to authenticate to the PSID13 or the SID PIN. SID use case: CO (SID) PSID use case: CO (Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Anybody Table 8 - Authenticated CM Services 5.2 Unauthenticated Services Table 9 - Unauthenticated Services lists the unauthenticated services the Cryptographic Module provides. Service Description End Session End a TCG session by clearing all session state FIPS 140 Compliance Descriptor14 This service reports the FIPS 140 revision as well as the Cryptographic Module’s overall security level, hardware revision, firmware revision and module name. Firmware Download RSA2048 PKCS#1 v1.5 and SHA-256 verify the entire firmware image. Format NVM This service changes an LBA data size and/or metadata size. The low-level format operation may cryptographically erase all data and metadata associated with all namespaces or specific namespaces. Generate Random TCG Random method generates a random number from the SP800-90A DRBG Get Reads data structure; access control enforcement occurs per data structure field Get Data Store15 Read a stream of bytes from unstructured storage Level 0 Discovery TCG ‘Level 0 Discovery’ method outputs the FIPS mode of the Cryptographic Module NVMe Admin Commands The NVMe admin commands are defined in the NVM Express v1.3.c [10] and NVM Express™ Management Interface [11]] specifications NVMe I/O Commands The NVMe admin commands are defined in the NVM Express v1.3.c [10] and NVM Express™ Management Interface [11]] specifications 13 See PSID Feature Set Overview within the TCG Storage Opal SSC Feature Set: PSID [3] 14 See the FIPS 140 Compliance Descriptor section within the Security Features for SCSI Commands [14]. 15 The access control for the retrieval of data in the DataStore initially requires Admin SP Admin1 or an Locking SP Admin to enable access Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 13 of 31 Service Description Read Data This service decrypts user data when reading the data from a data range. The data range must be unlocked to enable reads from the data range. Reset Module Power on Reset SecureDrive Command TCG IF-SEND and IF-RECV transport secure commands to and from the Cryptographic Module. Security Receive The Security Receive command transfers the status and data result of one or more Security Send commands that were previously submitted to the controller. Security Send The Security Send command is used to transfer security protocol data to the controller. Self-Test The Cryptographic Module performs self-tests when it powers up Set Data Store16 Write a stream of bytes to unstructured storage. SoC Rebuild The SoC Rebuild service utilizes the SecureDrive Command service to zeroize and regenerate the Root Keyset and the Global Active Keyset Start Session Start TCG session Status Output TCG (IF-RECV) protocol Write Data This service encrypts user data when writing the data from a data range. The data range must be unlocked to enable writes to the data range. Table 9 - Unauthenticated CM Services 5.3 Definition of Critical Security Parameters (CSPs) The Cryptographic Module contains the CSPs listed in Table 10 - Critical Security Parameters. Zeroization of CSPs complies with the purge requirements for SCSI Hard Disk drives within [SP800-88], Guidelines for Media Sanitization. Name Type Description ENT (P) 5120-bit Entropy output Entropy source for DRBG DRBG.Seed 256-byte Entropy input Internal state associated with the [SP800-90A] CTR_DRBG using AES-256 Sourced from the ENT (P) DRBG.Key 256-bit value Internal state associated with the [SP800-90A] CTR_DRBG using AES-256 DRBG.V 128-bit value Internal state associated with the [SP800-90A] CTR_DRBG using AES-256. Authority Digest 256-bit digest An HMAC-SHA2-256 digest of an Authority PIN and its associated SED Admin SP key or SED Locking SP key. Authority PIN 32-byte value Values from 0x00 to 0xFF are allowed for each byte position. A PBKDF2 algorithm uses an Authority PIN to authenticate to the credential of a TCG Authority. SID PIN Authority PIN A 32-byte data value used to authenticate to the SID Authority’s TCG credential. Admin SP Admin1 PIN Authority PIN A 32-byte data value used to authenticate to the Admin SP Admin1 Authority’s TCG credential. 16 The access control for the modification of data in the DataStore initially requires Admin SP Admin1 or an Locking SP Admin to enable access. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 14 of 31 Name Type Description Locking SP Admin PIN (Maximum of 4) Authority PIN A 32-byte data value used to authenticate to each Locking SP Admin Authority’s TCG credential. Locking SP User PIN (Maximum of 9) Authority PIN A 32-byte data value used to authenticate to each Locking SP User Authority’s TCG credential. Root Encryption Key 256-bit keys The CM utilizes AES-CBC-256 and the Root Encryption Key to encrypt and decrypt the Global Active Keyset. The [SP 800-38F] KWP algorithm uses the Root Encryption Key to wrap and unwrap the Root Signing Key. The Cryptographic Module’s DRBG generates this key without modification. The CM stores this key in OTP memory. Root Signing Key 256-bit key An HMAC-SHA-256 digest of the concatenated Root Signing Key and encrypted Global Active Keyset signs the Global Active Keyset. The Cryptographic Module’s DRBG generates this key without modification. The CM stores the Key Wrapped value within the Reserved Area of NOR flash. Global Active Keyset (AEK) Set of 256-bit keys: Global Active Key, Global Active Signing Key The CM utilizes AES-CBC-256 and the Global Active Key to encrypt and decrypt the SED Active Keyset, UAKa, and Namespace Keys. An HMAC-SHA2-256 digest of the Global Active Signing Key and the SED Active Keyset signs the SED Active Keyset. An HMAC-SHA2-256 digest of the Global Active Signing Key and the UAKa signs the UAKa. An HMAC-SHA2-256 digest of the Global Active Signing Key and a Namespace Key, signs a Namespace Key. The Cryptographic Module’s DRBG generates these keys without modification. The CM stores the encrypted keyset within the Reserved Area of NOR flash. SED Active Keyset Set of 256-bit keys: SED Active Key SED Active Signing Key The CM utilizes AES-CBC-256 and the SED Active Key to encrypt and decrypt the SED Admin SP Keyset and the SED Locking SP Keyset. An HMAC-SHA2-256 digest of the SED Active Signing Key and the SED Admin SP Keyset signs the SED Admin SP Keyset. An HMAC-SHA2-256 digest of the SED Active Signing Key and the SED Locking SP Keyset signs the SED Locking SP Keyset. The Cryptographic Module’s DRBG generates these key without modification. The CM stores the encrypted keyset within the Reserved Area of NOR flash. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 15 of 31 Name Type Description SED Admin SP Keyset Set of 256-bit keys: SED Admin SP Key SED Admin SP Signing Key The CM utilizes AES-CBC-256 and the SED Admin SP Key to encrypt and decrypt TCG table data associated with an Admin SP. An HMAC-SHA2-256 digest of the SED Admin SP Signing Key and the entire contents of an Admin SP table signs the associated table. The Cryptographic Module’s DRBG generates these keys without modification. The CM stores the encrypted keyset within the Reserved Area of NOR flash. SED Locking SP Keyset Set of 256-bit keys: SED Locking SP Key SED Locking SP Signing Key The CM utilizes AES-CBC-256 and the SED Locking SP Key to encrypt and decrypt TCG table data associated with a Locking SP authority. An HMAC-SHA2-256 digest of the SED Locking SP Signing Key and the entire contents of a Locking SP table signs the associated table. The Cryptographic Module’s DRBG generates these keys without modification. The CM stores the encrypted keyset within the Reserved Area of NOR flash. SED Volatile Keyset Set of 256-bit keys: SED Volatile Key SED Volatile Signing Key The CM utilizes AES-CBC-256 and the SED Volatile Key to encrypt and decrypts key stored in IRAM. An HMAC-SHA2-256 digest of the SED Volatile Signing Key and the encrypted key stored in IRAM, signs the encrypted key. The Cryptographic Module’s DRBG generates these keys without modification. The CM stores the keyset in IRAM. Admin Authority Key (Ka) (Maximum of 5) 256-bit key The CM utilizes AES-CBC-256 and a PBKDF2 derived Ka key to encrypt and decrypt UAK0 and the UMK. The Cryptographic Module derives a unique Ka for Admin SP Admin1 and each enabled Locking SP Admin. Ka keys are destroyed after use. Non-Admin Authority Key (Ku) (Maximum of 9) 256-bit key The CM utilizes AES-CBC-256 and a PBKDF2 derived Ku key to encrypt and decrypt an associated UAK. The Cryptographic Module derives a unique Ku for each Locking SP User. Ku keys are destroyed after use. User Access Key (UAK) (Maximum of 9) 256-bit key The CM utilizes AES-CBC-256 and a UAK to encrypt and decrypt an associated RAK. The Cryptographic Module generates a unique UAK for each enabled Locking SP User. The Cryptographic Module’s DRBG generates these keys without modification. The CM stores each encrypted key within the Reserved Area of NAND flash. Admin User Access Key (UAK0) 256-bit key The CM utilizes AES-CBC-256 and UAK0 to encrypt and decrypt RAKs. All Locking SP Admins share UAK0. The Cryptographic Module’s DRBG generates this key without modification. The CM stores its encrypted value within the Reserved Area of NAND flash. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 16 of 31 Name Type Description Anybody User Access Key (UAKa) 256-bit key The CM utilizes AES-CBC-256 and UAKa to encrypt and decrypt RAKs. The Cryptographic Module’s DRBG generates this key without modification. The CM stores its encrypted value within the Reserved Area of NAND flash. User Management Key (UMK) 256-bit key The CM utilizes AES-CBC-256 and the UMK to encrypt and decrypt UAKs. All enabled Locking SP Admins and Admin SP Admin1 share the UMK. The Cryptographic Module’s DRBG generates this key without modification. The CM stores its encrypted value within the Reserved Area of NAND flash. Range Access Key (RAK) (16 total – 1 per LBA range) 256-bit key The CM utilizes AES-CBC-256 and an RAK to encrypt and decrypt associated LRKs. The Cryptographic Module’s DRBG generates these keys without modification. The CM stores their encrypted value within the Reserved Area of NAND flash. Locking Range Key (LRK) (16 total - 1 per LBA range) Set of 256-bit keys: AES Key, XTS Key An LRK in combination with its associated NSK creates an MEK. The Cryptographic Module’s DRBG generates each LRK.AES Key and LRK.XTS Key without modification. The CM stores their encrypted value within the Reserved Area of NAND flash. Namespace Key (NSK) (16 total - 1 per LBA range) Set of 256-bit keys: AES Key, XTS Key An NSK in combination with its associated LRK creates an MEK. The Cryptographic Module’s DRBG generates each NSK.AES Key and NSK.XTS Key without modification. The CM stores their encrypted value within the Reserved Area of NAND flash. MEK - Media Encryption Keyset (16 total - 1 per LBA range) Derived set of 256-bit keys: AES Encryption Key, AES Decryption Key XTS Tweak Key The MEK encrypts and decrypts LBA ranges. The MEK.AESEnc Key is an XOR of an LRK.AES Key and an NSK.AES Key. The MEK.XTS.Tweak Key is an XOR of an LRK.XTS Key and an NSK.XTS Key. The CM stores each encrypted MEK in IRAM. Table 10 - Critical Security Parameters 5.4 Public Security Parameters The Cryptographic Module utilizes RSA public key cryptography to verify that firmware downloaded to the module is authentic and to verify specific steps in the secure boot process. The Cryptographic Module uses RSA 2048 PKCS#1 v1.5 to verify each signature within the asymmetric key tree to establish a chain of trust. The RSA Public/Private key pairs used in this process are generated and stored within a Western Digital controlled Hardware Security Module (HSM). The SD_CA Key, SD_BFW Key, SD_SM Key, PROD GROUP Key, OEM FW Key, and OEM_OFS Key public keys are injected during the manufacturing process and stored within the Reserved Area of NOR flash memory. The Cryptographic Module rejects downloaded firmware images if the digital signature verification process fails. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 17 of 31 Key Name Type Description PSID17 32-character alphanumeric string The PSID derives from a 32-byte value generated by the Cryptographic Module’s DRBG. An Alphanumeric Character Conversion process derives the alphanumeric string from the 32-byte value. The module’s product label displays the PSID. The PSID provides authentication data and proof of physical presence for the Zeroize service. MSID18 32-character alphanumeric string The MSID derives from a 32-byte value generated by the Cryptographic Module’s DRBG. An Alphanumeric Character Conversion process derives the alphanumeric string from the 32-byte value. KDF Salt 256-bit key The PBKDF2 implementation, using HMAC-SHA2-256, utilizes unique KDF Salts to derive each Ka and Ku key. The Cryptographic Module’s DRBG generates KDF Salts without modification. Storage Device Certification Authority Key (SD_CA Key) RSA 2048 PKCS#1 v1.5 public key The SD_CA Key is the Master RSA Public Key used to verify the Secure Loader image. Storage Device Boot FW Key (SD_BFW Key) RSA 2048 PKCS#1 v1.5 public key The SD_BFW Key is public key used to verify all boot flash images. Storage Device Secure Message Key (SD_SM Key) RSA 2048 PKCS#1 v1.5 public key The SD_SM Key verifies secure messages used for manufacturing, development, and failure analysis Product Group Key (PROD GROUP Key) RSA 2048 PKCS#1 v1.5 public key The PROD GROUP Key verifies OEM Key certificates. OEM Firmware Key (OEM FW Key) RSA 2048 PKCS#1 v1.5 public key The OEM FW Key verifies OEM firmware images and packages. OEM Original Factory State Key (OEM_OFS Key) RSA 2048 PKCS#1 v1.5 public key The OEM_OFS Key verifies the OEM Original Factory Settings files. Table 11 - Public Security Parameters 5.5 SP800-132 Key Derivation Function Affirmations • The Cryptographic Module utilizes an HMAC-SHA-256 based [SP800 132] Password Based Key Derivation Function (PBKDF2) that complies with Option 2a of SP800-132. • Security Policy rules set the minimum Authority PIN length at 32-bytes. The Cryptographic Module allows values from 0x00 to 0xFF for each byte of the Authority PIN. • The upper bound for the probability of guessing an Authority PIN is 2-256. The difficulty of guessing the Authority PIN is equivalent to a brute force attack. • Derived Authority Keys, Ka, and Ku ([SP800 132] Master Keys) are derive by processing a 32-byte Authority PIN ([SP800 132] Password) and a 256-bit KDF Salt though an PBKDF2 algorithm [SP800 132], using HMAC- SHA2-256. Each KDF Salt associated with a Ka or Ku key is unique. Therefore, each Ka and Ku key is unique. • Each Ka and Ku has a security strength of 256 bits. • The Cryptographic Module’s [SP800 90A] DRBG generates each 256-bit KDF Salt without modification. 17 The SED Active Key encrypts the PSID. An HMAC SHA2-256 digest of the PSID is store in the Reserved Area. The TCG Revert method regenerates the digest. 18 An HMAC SHA2-256 digest of the MSID is store in the Reserved Area. The TCG Revert method regenerates the digest. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 18 of 31 5.6 Critical Security Parameter Modes of Access Table 12 and Table 13 define the relationship between access to Critical Security Parameters (CSPs) and the listed Cryptographic Module services. The definitions shown below define the access modes listed in both tables. • G = Generate: The Cryptographic Module generates a CSP from the [SP800-90A] DRBG, derives a CSP with the PBKDF2 Key Derivation Function or generates an HMAC-SHA-256 hash to sign a CSP. • I = Input: The Cryptographic Module imports a CSP from outside the cryptographic boundary. • O = Output: The Cryptographic Module does not support the output of CSPs outside the cryptographic boundary. • E = Execute: The module executes a service that uses the CSP. • S = Store: The Cryptographic Module stores a CSP persistently on media within the Cryptographic Module. • Z = Zeroize: The Cryptographic Module zeroizes a CSP that is stored in volatile or non-volatile memory. Service Authority Digest SID PIN Admin SP Admin1 PIN Locking SP Admin PINs Locking SP User PINs DRBG.Seed DRBG.Key DRBG.V ENT (P) MEK K a K u LRK Activate GS Z E GE GE GS GS GS GS Authenticate E IE IE IE E E Disable User Set PIN Enable/Disable Admin SP Admin Enable/Disable Locking SP Admin or User (non- SUDR) Enable/Disable SUDR Erase non-SUDR GSZ GSZ Erase SUDR GSZ GSZ End Session Field FA FIPS 140 Compliance Descriptor Firmware Download Format NVM19 GSZ E Generate Random E GE GE Get 19 19 If a range is write locked the execution of Format NVM is blocked. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 19 of 31 Service Authority Digest SID PIN Admin SP Admin1 PIN Locking SP Admin PINs Locking SP User PINs DRBG.Seed DRBG.Key DRBG.V ENT (P) MEK K a K u LRK Get Data Store E E E Initialize Cryptographic Module GS IE IE IE GE GE GE GE GS GS GS GS Level 0 Discovery Lock/Unlock Data Range NVMe Admin Commands NVMe I/O Commands Reactivate GS Z E GE GE GS Read Data E E Reset Module GEZ GEZ GEZ GE S S SecureDrive Command Security Receive Security Send Self-Test (KATs) Set I I I Set Data Range Attributes for a non-SUDR Set Data Range Attributes for a SUDR Set Data Store E E SoC Rebuild Start Session Status Output Write Data E E Zeroize (TCG Revert) GZ Z Z Z GE GE GE GSZ Z Z GSZ Table 12 - CSP Access Rights within Roles & Services Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 20 of 31 Service RAK UAK UAK 0 UAK a UMK NSK Root Keyset Global Active Keyset (AEK) SED Active Keyset SED Admin SP Keyset SED Locking SP Keyset SED Volatile Keyset Activate GS GS GS GS GS GS E E E GE Authenticate Disable User Set PIN Enable/Disable Admin SP Admin Enable/Disable Locking SP Admin or User (non-SUDR) Enable/Disable SUDR Erase non-SUDR E E GSZ Erase SUDR E E GSZ End Session Field FA FIPS 140 Compliance Descriptor Firmware Download Format NVM EGSZ E Generate Random Get Get Data Store E E E E E E E E E E E E Initialize Cryptographic Module EGS GS GS GS GS GS Level 0 Discovery Lock/Unlock Data Range NVMe Admin Commands NVMe I/O Commands Reactivate GS GS E E E GE Read Data E E E E E E E E E E E E Reset Module S S S S S GS SecureDrive Command Self-Test (KATs) Security Receive Security Send Set Set Data Range Attributes for a non-SUDR Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 21 of 31 Service RAK UAK UAK 0 UAK a UMK NSK Root Keyset Global Active Keyset (AEK) SED Active Keyset SED Admin SP Keyset SED Locking SP Keyset SED Volatile Keyset Set Data Range Attributes for a SUDR Set Data Store E E E E E E E E E E E E SoC Rebuild GSZ GSZ Start Session Status Output Write Data E E E E E E E E E E E E Zeroize (TCG Revert) EGSZ GSZ GSZ GSZ GSZ GSZ GSZ GSZ GSZ GSZ Table 13 - CSP Access Rights within Roles & Services 5.7 Public Security Parameter Modes of Access Table 14 defines the relationship between access to Public Security Parameters (PSP) and the listed Cryptographic Module services. The definitions shown below define the access modes listed in the table. • G = Generate: The Cryptographic Module generates a PSP from the [SP800-90A] DRBG, derives a PSP with the Key Derivation Function or hashes authentication data with SHA-256 or HMAC-SHA-256. • I = Input: The Cryptographic Module imports a PSP from outside the cryptographic boundary. • O = Output: The Cryptographic module outputs the value of selective PSPs. • E = Execute: The module executes a service that uses the PSP. • S = Store: The Cryptographic Module stores a PSP persistently on media within the Cryptographic Module. • Z = Zeroize: The Cryptographic Module zeroizes a PSP that is stored in volatile or non-volatile memory. Service MSID PSID KDF Salt SD_CA Key SD_BFW Key SD_SM Key PROD_GROUP Key OEM_FW Key OEM_OFS Key Activate EGS Authenticate E E Disable User Set PIN Enable/Disable Admin SP Admin Enable/Disable Locking SP Admin or User (non-SUDR) Enable/Disable SUDR Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 22 of 31 Service MSID PSID KDF Salt SD_CA Key SD_BFW Key SD_SM Key PROD_GROUP Key OEM_FW Key OEM_OFS Key Erase non-SUDR Erase SUDR End Session Field FA E FIPS 140 Compliance Descriptor Firmware Download IS IS Format NVM Generate Random Get Get Data Store Initialize Cryptographic Module OE GS Level 0 Discovery Lock/Unlock Data Range NVMe Admin Commands NVMe I/O Commands Reactivate EGS Read Data Reset Module E E E E SecureDrive Command E Security Receive Security Send Self-Test (KATs) Set Set Data Range Attributes for a non-SUDR Set Data Range Attributes for a SUDR Set Data Store SoC Rebuild Start Session Status Output Write Data Zeroize I GSZ Table 14 - PSP Access Rights within Roles & Services 6. Operational Environment The Cryptographic Module operating environment is non-modifiable. Therefore, the FIPS 140-2 operational environment requirements are not applicable to this module. When operational, the Cryptographic Module prohibits additions, deletions, or modification of the code working set. For firmware upgrades, the Cryptographic Module uses the Firmware Download service to verify the digital signature of the firmware image and save a complete firmware image. If the download operation is successful, authorized, and verified, the Cryptographic Module may begin operating with the new code working set. Firmware loaded into the module that is not on the FIPS 140-2 certificate is out of the scope of this validation and requires a separate FIPS 140-2 validation. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 23 of 31 7. Security Rules The Cryptographic Module enforces applicable FIPS 140-2 Level 2 security requirements. This section documents the security rules that the Cryptographic Module enforces. 7.1 Invariant Rules 1. The Cryptographic Module supports two distinct types of operator roles: Crypto Officer and User. 2. Power cycling the Cryptographic Module or exiting a TCG sessions clears active authentications. 3. The Cryptographic Module requires operators to re-authenticate to TCG Authorities after power cycling the module or upon execution of the End Session service. 4. The Cryptographic Module powers up in FIPS Approved mode. 5. When the Cryptographic Module is unable to authenticate TCG Credentials, operators do not have access to any cryptographic service other than the unauthenticated Generate Random service. 6. The Cryptographic Module performs the following tests. Upon failure of any test, the Cryptographic Module enters a soft error state. The Cryptographic module reports the error condition by transmitting an UEC to the host over the U.2 interface. After entering the soft error state, the Cryptographic Module cannot execute security services unless a power cycle clears the error state. a. Power up Self-Tests i. RSA 2048 PKCS#1 v1.5 Verify KAT, Cert#A1184 ii. Firmware Integrity, RSAPKCS#1 v1.5 2048 Digital Signature, Cert# A1184 iii. AES ECB Encrypt KAT, Cert# AES 3913 iv. AES ECB Decrypt KAT, Cert# AES 3913 v. SHA-256 KAT, Cert# SHS 2942 vi. HMAC-SHA-256 KAT, Cert# HMAC 2280 vii. AES ECB Encrypt KAT, Cert# AES 3580 viii. AES ECB Decrypt KAT, Cert# AES 3580 ix. RSA 2048 PKCS#1 v1.5 Verify KAT, Cert# A1232 x. Key Wrap KAT, KW-AE, Cert# A123220 xi. Key Wrap KAT, KW-AD, Cert# A123219 xii. DRBG KAT21, Cert# A1232 xiii. PBKDF2 KAT, Cert# A1232 xiv. SP 800-90B Entropy Source Health Test xv. AES ECB Encrypt KAT, DEE, Cert# C1973 xvi. AES ECB Decrypt KAT, DEE, Cert# C1973 b. Conditional Tests i. The Cryptographic Module performs a Repetition Count Test and Adaptive Proportion Test on the ENT (P) entropy source. These entropy source health tests are executed each time the DRBG is reseeded at powered up and as the result of DRBG reseed event, which occurs after the DRBG consumes 232 bits of seed data. 20 Utilizes AES-ECB-256 (Cert# AES 3913) 21 The DRBG KAT is inclusive of the instantiate, generate and reseed function health tests required in [SP 800-90A] Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 24 of 31 ii. The Cryptographic Module performs a key comparison test on each LRK.AESKey/LRK.XTS keyset and its associated NSK.AESKey/NSK.XTS keyset to assure compliance with IG A.9 XTS-AES Key Generation Requirements. iii. Firmware Download Test, RSA 2048 PKCS#1 v1.5 (Cert# A1232), SHA-256 (Cert# SHS 2942) 7. An operator can command the Cryptographic Module to perform the power-up self-test by power cycling the module. 8. Power-up self-tests do not require operator action. 9. Data output is inhibited during key generation, self-tests, zeroization, and error states. 10. Status information does not contain CSPs or sensitive data that if misused, could compromise the Cryptographic Module. 11. The Zeroize service deletes all plaintext keys and CSPs. 12. The SoC Rebuild service deletes the Root Keyset and Global Active Keyset. 13. The Cryptographic Module does not support a maintenance role. 14. The Cryptographic Module does not support manual key entry. 15. The Cryptographic Module does not have any external input/output devices used for entry/output of data. 16. The Cryptographic Module does not output plaintext CSPs. 17. The Cryptographic Module does not output intermediate key values. 18. The Cryptographic Module does not support concurrent operators. 19. The Crypto Officer shall assure that all host issued Authority PINs are 32-bytes in length. 7.2 Initialization Instructions The MSID value is set at manufacturing time by the storage device. It represents the default TCG Credential for the SID and the Locking SP Admin1 authorities. This value is electronically readable, by the host, over the host interface. During enrollment, the host reads the MSID value from the Cryptographic Module and uses it to authenticate and change TCG Credential values within the Cryptographic Module. Having the MSID Credential value electronically available to the host constitutes a risk to the overall security of the Cryptographic Module. Therefore, as best practice, the host should execute a Take-Ownership scenario the first time the Cryptographic Module is provisioned in a system. Recommended Take-Ownership Scenario 1. StartSession to ‘Admin SP’ a. Get MSID b. Use the MSID to authenticate to the SID authority. i. An authentication failure indicates that a tamper event has occurred for the Cryptographic Module. c. Set the SID PIN to a new 32-byte value. d. Optional: i. Enable Admin SP Admin1. ii. Set the Admin SP Admin1 PIN to a non-MSID 32-byte value. e. Execute the TCG Activate command. f. EndSession 2. Optional: a. StartSession to ‘Locking SP’ i. Use the SID PIN established at step 1.c to authenticate to the Locking SP Admin1 authority. ii. Set the Locking SP Admin1 PIN to a new 32-byte value. Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 25 of 31 iii. Enable Locking SP Admin2. iv. Set the Locking SP Admin2 PIN to a non-MSID 32-byte value. v. Repeat steps 2.a.iii and 2.a.iv for Locking SP Admin [3-4]. vi. Enable Locking SP User1. vii. Set the Locking SP User1 PIN to a non-MSID 32-byte value. viii. Repeat steps 2.a.vi and 2.a.vii for Locking SP User [2-9]. b. EndSession If any of the above-mentioned steps fail, the Crypto Officer should remove the device from the system, as malicious behavior may have compromised the Cryptographic Module. 7.3 Zeroization Rules The Crypto Officer shall use the Zeroize service, which utilizes the TCG Revert Method, to zeroize all CSPs, apart from the Root Keyset and the Global Active Set. After successfully executing TCG Revert, the Crypto Officer should, as a best practice, power cycle the Cryptographic Module. The SoC Rebuild service zeroizes and regenerates the Root Keyset and the Global Active Keyset. Executing this process exhausts an SoC life. The CM is inoperable when the life count reaches zero. The Crypto Officer shall assure that SoC Rebuild service is never execute unless necessary to protect the integrity of the Cryptographic Module. 8. Physical Security Policy 8.1 Mechanisms The Cryptographic Module does not make claims in the Physical Security area beyond FIPS 140-2 Security Level 2. • All components are production-grade materials with standard passivation. • The Cryptographic Module enclosure is opaque and installed within a host system. • Engineering design supports opacity requirements. • Western Digital applies three (3) tamper-evident security seals during manufacturing. See Figure 4. The tamper-evident security seal cannot be penetrated or removed and reapplied without evidence of tampering. In addition, it is difficult to replicate the of tamper-evident security seal. Figure 4: Tamper-Evident Seal Locations 8.2 Operator Responsibility The Crypto Officer and/or User shall inspect the Cryptographic Module enclosure at installation and at least once a year thereafter for evidence of tampering. See Figure 5. If the inspection reveals evidence of tampering, the Crypto Officer should return the module to Western Digital. 1 3 2 Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 26 of 31 Figure 5: Tamper Evidence on Tamper Seal 9. Mitigation of Other Attacks Policy The Cryptographic Module lacks features to mitigate any specific attacks beyond the scope of the requirements within FIPS 140-2. 10. Definitions • Access Control Element: A Boolean expression of authorities. • Access Control List: A list of access control elements. • Allowed: NIST approved, i.e., recommended in a NIST Special Publication, or acceptable, i.e., no known security risk as opposed to deprecated, restricted, and legacy use. [SP800-131A] • Anybody: A formal TCG term for an unauthenticated role [1]. • Approved mode of operation: A mode of the Cryptographic Module that employs only approved security functions. [FIPS140] • Approved: [FIPS140] approved or recommended in a NIST Special Publication. • Authenticate: Prove the identity of an Operator or the integrity of an object. • Authorize: Grant an authenticated Operator access to a service or an object. • Ciphertext: Encrypted data transformed by an Approved security function. • Confidentiality: A cryptographic property that sensitive information is not disclosed to unauthorized parties. • Credential: A formal TCG term for data used to authenticate an Operator [1]. • Critical Security Parameter (CSP): Security-related information (e.g., secret keys, private keys, and authentication data such as credentials and PINs) whose disclosure or modification can compromise the security of a Cryptographic Module. [FIPS140] • Cryptographic Boundary: An explicitly defined continuous perimeter that establishes the physical bounds of a Cryptographic Module and contains all the hardware, software, and/or firmware components of a Cryptographic Module. [FIPS140] • Cryptographic key (Key): An input parameter to an Approved cryptographic algorithm • Cryptographic Module: The set of hardware, software, and/or firmware used to implement approved security functions contained within the cryptographic boundary. [FIPS140] • Crypto Officer: An Operator performing cryptographic initialization and management functions. [FIPS140] • Data at Rest: User data residing on the storage device media when the storage device is powered off. • Discovery: A TCG method that provides the properties of the TCG device. [TCG Enterprise] Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 27 of 31 • Drive Writes per Day (DWPD): Drive Writes per Day defines how many times the entire capacity of the HDD can be overwrite every single day of its usable life without failure during the warranty period. • Hardware Security Module (HSM): A hardware security module is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. • Integrity: A cryptographic property to assure sensitive data has not been modified or deleted in an unauthorized and undetected manner. • Interface: A logical entry or exit point of a Cryptographic Module that provides access to the Cryptographic Module for logical information flows. [FIPS140] • Internal RAM (IRAM): RAM memory that is internal to an SoC. • Key Derivation Function (KDF): An Approved cryptographic algorithm by which one or more keys are derived from a shared secret and other information. • Key Encrypting Key (KEK): A cryptographic key used to encrypt or decrypt other keys. • Key management: The activities involving the handling of cryptographic keys and other related security parameters during the entire life cycle of the Cryptographic Module. The handling of authentication data is representative of a key management activity. • Key Wrap: An Approved cryptographic algorithm that uses a KEK to provide Confidentiality and Integrity. • LBA Range: A formal TCG SWG [1] term that defines a contiguous logical block range (sequential LBAs) to store encrypted User Data; ranges do not overlap, and each has its own unique encryption key and other settable properties. • Manufactured SID (MSID): A unique default value assigned to each SED during manufacturing. An externally visible MSID value is not required if the user can derive the MSID from other information printed on the drive. The MSID is readable with the TCG protocol. It is the initial and default value for all TCG credentials [1]. • Method: A remote procedure call to an SP that initiates an action on the SP [1]. • Namespace: A namespace is a collection of logical blocks that range from zero (0) to the capacity of the namespace. • Namespace Identifier (NSID): A namespace identifier is an identifier used by a controller to provide access to a namespace. • OFS file: OFS files are used to reset the Cryptographic Module’s configuration back to its original factory setting during the Revert operations (e.g., TCG Revert). • Operator: A consumer, either human or automation, of cryptographic services that is external to the Cryptographic Module. [FIPS140] • Personal Identification Number (PIN): A formal TCG term designating a string of octets used to authenticate an identity [1]. • Plaintext: Unencrypted data. • Port: A physical entry or exit point of a Cryptographic Module that. A port provides access to the Cryptographic Module’s physical signals. [FIPS140] • PSID (Physical Security Identifier): A SED unique value printed on the Cryptographic Module’s label used as authentication data and proof of physical presence for the Zeroize service. • Public Security Parameters (PSP): Public information, that if modified can compromise the security of the Cryptographic Module (e.g., a public key). Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 28 of 31 • Read Data: An external request to transfer User Data from the SED. [14] • Reserved Area: Private data on the Storage Medium that is not accessible outside the Cryptographic Boundary. • Sanitize: Sanitization cryptographically erases all user data in the NVM subsystem such that recovery of any previous user data from any cache, non-volatile media, or any controller memory buffer is not possible. • SD_CA Key: Storage Device Certification Authority Key (X509v3). This key serves as the Cryptographic Module’s Master RSA Public Key and is the root source of verification for all other key certificates. The SD_CA Key signs the SecureLoader. This key is injected at manufacturing time and a hash of this key is stored as OTP bits. • Security Identifier (SID): The authority that represents the TPer owner [1]. Crypto Officer serves in this role. • Security Provider (SP): A TCG term used to define a collection of Tables and Methods with access control. • Self-Encrypting Drive (SED): A storage device that provides data storage services, which automatically encrypts all user data written to the device and automatically decrypts all user data read from the device. • Session: A formal TCG term that envelops the lifetime of an Operator’s authentication [1]. • Small Form Factor (SFF): Small form factor is a computer form factor designed to minimize the volume and footprint of a desktop computer • Storage Medium: The non-volatile, persistent storage location of a SED; it is partitioned into two disjoint sets, a User Data area, and a Reserved Area. • Table: The basic data structures within a Security Provider (SP). The tables store persistent SP state data defined in TCG Storage Core specification [1]. • TPer: A Trusted Peripheral. The Trusted Peripheral (TPer) resides in a Storage Device. The TPer manages trusted storage-related functions and data structures as defined in TCG Storage Core specification [1]. • Triple Level Cell (TLC): Triple level cells refer to NAND flash devices that store three bits of information per cell, with eight total voltage states. • User Data: Data transferred from/to a SED using the Read Data and Write Data commands. [14] • User: An Operator that consumes cryptographic services. [FIPS140] • Write Data: An external request to transfer User Data to a SED. [14] • Zeroize: Invalidate a Critical Security Parameter. [FIPS140] • Zoned Namespace (ZNS): A namespace that is divided into zones and is associated with the Zoned Namespace Command Set. [12]. 11. Key Words The Key Words “SHALL”, “SHALL NOT”, “SHOULD,” and “MAY” if used in this document are to be interpreted as described in [9]. 12. Acronyms • ACL: Access Control List • AEK: Active Encryption Key • AES: Advanced Encryption Standard (FIPS 197) • BLRE: Boot Loader • CAC: Cryptographic Assist Controller • CBC: Cipher Block Chaining, an operational mode of AES Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 29 of 31 • CM: Cryptographic Module • CO: Crypto Officer [FIPS140] • CRC: Cyclic Redundancy Check • CSP: Critical Security Parameter [FIPS140] • DEE: Data Encryption Engine • DRAM: Dynamic Random Access Memory • DRBG: Deterministic Random Bit Generator • DW/D: Drive Writes per Day • EDC: Error Detection Code • EMI: Electromagnetic Interference • FSEC: Flash Security Data • FID: Flash Internal Data • FIPS: Federal Information Processing Standard • HDD: Hard Disk Drive • IRAM: Internal RAM • IV: Initialization Vector • KAT: Known Answer Test • KDF: Key Derivation Function • LBA: Logical Block Address • MEK: Media Encryption Key • MSID: Manufactured Security Identifier • NAND: Negative AND, Flash Memory technology • NOR: Negative OR, Flash Memory technology • NDRNG: Non-deterministic Random Number Generator • NIST: National Institute of Standards and Technology • NSID: Namespace Identifier • NVM: Non-volatile Memory • NVMe: NVM Express • OFS: Original Factory Setting • PBKDF2: Password Base Key Derivation Function • PCIe: Peripheral Component Interconnect Express • PIN: Personal Identification Number • POR: Power on Reset • PSID: Physical Security Identifier • PSP: Public Security Parameter • RID: Reserved Area Internal Data • SAS: Serial Attached SCSI • SECD: Security Data • SED: Self-Encrypting Drive • SCSI: Small Computer System Interface • SD_CA: Storage Device Certification Authority • SED: Self Encrypting Drive • SFF: HDD Form Factor or Small Form Factor • SID: Security Identifier, The TCG authority representing the Cryptographic Module owner • SIO: Serial Input/Output • SOC: System-on-a-Chip • SP: Security Provider or Security Partition (TCG), also Security Policy (FIPS 140) • SSC: Subsystem Class • SSD: Solid-state Drive • SWG: Storage Work Group • TCG: Trusted Computing Group • TLC: Triple Level Cell • UEC: Universal Error Code • XTS: A mode of AES that utilizes "Tweakable" block ciphers • ZNS: Zoned Namespace 13. References 13.1 NIST Specifications • [AES] Advanced Encryption Standard, FIPS PUB 197, NIST, November 2001 • [DSS] Digital Signature Standard, FIPS PUB 186-4, NIST, July 2013 Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 30 of 31 • [FIPS140] Security Requirements for Cryptographic Modules, FIPS PUB 140-2, NIST, December 2002 • [HMAC] The Keyed-Hash Message Authentication Code, FIPS PUB 198-1, July 2008 • [SHA] Secure Hash Standard (SHS), FIPS PUB 180-4, NIST, August 2015 • [SP800 38A] Recommendation for Block Cipher Modes of Operation: Methods and Techniques, NIST, December 2001 • [SP800 38E] Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, SP800-38E, NIST, January 2010 • [SP800 38F] Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, NIST, December 2012 • [SP800 57] Recommendation for Key Management – Part I General (Revision 4), NIST, January 2016 • [SP800 90A] Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revision 1), NIST, June 2015 • [SP800 90B] Recommendation for the Entropy Sources Used for Random Bit Generation, NIST, January 2018 • [SP800 131A] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (Revision 2), NIST, March 2019 • [SP800 132] Recommendation for Password-Based Key Derivation, NIST, December 2010 • [SP800 133] Recommendation for Cryptographic Key Generation (Revision 2), NIST, June 2020 13.2 Trusted Computing Group Specifications • [1] TCG Storage Architecture Core Specification, Specification Version 2.01 Revision 1.00 (August 5, 2015) • [2] TCG Storage Security Subsystem Class: Opal, Specification Version 2.01, Final Revision 1.00 (August 5, 2015) • [3] TCG Storage Opal SSC Feature Set: PSID, Specification Version 1.00, Final Revision 1.00 (August 5, 2015) • [4] TCG Storage Opal SSC Feature Set: Configurable Namespace Locking, Specification Version 1.00, Final Revision 1.33 (February 22, 2019) • [5] TCG Storage Opal SSC Feature Set: Single User Mode, Specification Version 1.00, Final Revision 1.00 (February 24, 2012) • [6] TCG Storage Opal Integration Guidelines, Version 1.00, Final Revision 1.00 (March 16, 2016) • [7] TCG Storage Interface Interactions Specification (SIIS), Version 1.07, (January 30, 2018) • [8] TCG Storage Security Subsystem Class: Ruby, Version 1.00, Revision 1.00 (January 7, 2020) 13.3 International Standards • [9] IETF RFC 2119, 1997, “Key words for use in RFCs to Indicate Requirement Levels” • [10] NVM Express™, Revision 1.3.c, May 24, 2018 • [11]] NVM Express™ Management Interface, Revision 1.1, April 29, 2019 • [12] NVM Express™ Zoned Namespace Command Set Specification, Revision 1.1b, January 6, 2022 • [13] PCI Express® Base Specification, Revision 3.0, November 10 ,2010 • [14] SCSI Block Commands - 3, Revision 22, March 29, 2010 • [15] Security Features for SCSI Commands, Revision 2, September 25, 2015 • [16] SCSI Primary Commands - 5, Revision 22, April 19, 2019 Ultrastar DC SN540 and ZN540, NVMe™ PCIe 3.0, SED FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Page 31 of 31 • [17] Protocol Agnostic Multi-Lane High Speed Connector, Revision 1.3, February 19, 2020 13.4 Corporate Documents • [Datasheet] Ultrastar DC SN540 Datasheet, https://www.westerndigital.com/support • [Datasheet] Ultrastar DC ZN540 Datasheet, https://www.westerndigital.com/support