Cryptographic Module Interfaces

Zynq UltraScale+ MPSoC: A FIPS 140-3 Primer (WP543)

Document ID
WP543
Release Date
2024-08-28
Revision
1.0.1 English

The cryptographic module should have the following logical interfaces specified in FIPS 140-2 plus a Control output interface introduced in FIPS 140-3.

  • Data input
  • Data output
  • Control input
  • Status output
  • Control output (introduced in FIPS 140-3)

The addition of the control output interface aims to enable the exchange of commands among modules. All non-software modules should also have a power interface if power is not managed within the cryptographic boundary. Furthermore, FIPS 140-3 introduces the concept of trusted channels (similar to the trusted paths specified in FIPS 140-2) to specify the secure exchange of plaintext critical security parameters (CSPs) among modules. For SLs 1 and 2, there are no requirements for the use of trusted channels. However, for SLs 3 and 4, the exchange of plaintext CSPs requires the use of trusted channels. The trusted channels should have either their physical ports physically separated from all other ports or their logical interfaces logically separated from all other interfaces. Depending on the security level (SL3 or SL4), there are specific requirements for authentication of all the services that use the trusted channel and for its protection against eavesdropping and physical/logical tampering.

The designer of the cryptographic module is responsible for the implementation of the requested ports and for the interfaces that are used for transferring keys to and from the device. The Zynq UltraScale+ MPSoC is composed of four major power domains. Three of the power domains provide power to the PS and the fourth is used to power the device's PL, which is known as the PL power domain (PLPD). Consequently, PL-only modules can be isolated from PS-based applications post-boot. If the designer opts to repurpose the hardened cryptographic engines of the CSU (see Figure 1), the module can take advantage of the Zynq UltraScale+ MPSoC's security features. Data from the PS/PL are DMA'ed to the CSU and then distributed to the appropriate cryptographic engine using the CSU's secure stream switch. Cryptographic keys can be updated at runtime using the CSU's key management facility. As discussed in Zynq UltraScale+ MPSoC Security, access to the engines can be hardware-controlled using the XPPUs. Furthermore, the CSU along with the RPU and the platform management systems are powered by the same domain (low-power domain) and, consequently, the module can be power-isolated from the PL and the rest of the PS system.