This section specifies the requirements for the proper definition of the cryptographic module along with approved algorithms, modes of operation, and security policy. A cryptographic module is defined with one of the following module types:
- Hardware
- Software
- Firmware
- Hybrid software
- Hybrid firmware
The two hybrids are modules that are composed of either a software or firmware component and a disjoint hardware component (that is, the software/firmware component is not contained within the hardware component). Furthermore, this clause specifies requirements for the cryptographic boundary. This boundary defines what is included and excluded, physical ports and logical interfaces, and the control/status signals of modules. A FIPS-approved normal mode of operation of the module should use at least one service that employs an approved security function specified in the standard.
To help troubleshoot potential issues, FIPS 140-3 also introduces the degraded mode of operation in addition to the normal mode as specified in FIPS 140-2. Upon entering an approved degraded mode of operation, the module is allowed to operate even if it can only offer a subset of its functions due to an error that has occurred. The module is allowed to enter the degraded operation mode only if it successfully passes all pre-operational self-tests (see requirements in Self-tests).
The following Zynq UltraScale+ MPSoC attributes facilitate the creation of this specification in a timely manner:
- Built-in isolation mechanisms to provide the implemented functions with a well-defined, hardware-enforced cryptographic boundary.
- A hardware rooted chain of trust to ensure the secure boot of the system.
- A hardened unit (CSU) dedicated to implementing the SHA-3, RSA, and AES-GCM cryptographic algorithms that are FIPS-approved and have passed CAVP.
- The hardware and software programmability allows for additional FIPS-approved algorithms, bypass/non-FIPS modes, etc.
- Extensive documentation ( Developing Tamper-Resistant Designs with Zynq UltraScale+ Devices (XAPP1323), Isolation Design Flow for UltraScale+ FPGAs and Zynq UltraScale+ MPSoCs (XAPP1335), Isolation Methods in Zynq UltraScale+ MPSoCs (XAPP1320), External Secure Storage Using the PUF Application Note (XAPP1333), and Zynq UltraScale+ Device Technical Reference Manual (UG1085)) can provide additional information on how to use the device's features to isolate security functions, develop tamper-resistant designs, generate cryptographic keys, etc.