1

FIPS140-2 standard specifies the following conditional test to be performed by the cryptographic module if software or firmware components can be externally loaded into a cryptographic module:

  1. An Approved authentication technique (e.g., an Approved message authentication code, digital signature algorithm, or HMAC) shall be applied to all validated software and firmware components when the components are externally loaded into a cryptographic module. The software/firmware load test is not required for any software and firmware components excluded from the security requirements of this standard (refer to Section 4.1).
  2. The calculated result shall be compared with a previously generated result. If the calculated result does not equal the previously generated result, the software/firmware load test shall fail.

Section 4.1: Hardware, software, and firmware components of a cryptographic module can be excluded from the requirements of this standard if shown that these components do not affect the security of the module.

Should I argue that the boot code can be excluded according to Section 4.1, thus boot code does not affect the security of the module, since there are attacks that involve the boot code like "Evil Maid"?

Note: this cryptographic module is defined as a hardware cryptographic module. The cryptographic officer can upgrade the boot code that bootstraps the firmware implementing the cryptographic functionality.

Do I have to add a digital signature or HMAC for the new boot code when upgrading is desired OR should I argue to exclude it?

Community
  • 1
Drew Lex
  • 2,013
  • 2
  • 19
  • 24
  • Do you have a CST (Computer Security and Testing) lab you can refer these questions to? The FIPS 140-2 submission process is extremely laborious, exacting, and expensive each time you have to re-submit. Getting these details right the first time is almost a necessity. – logicalscope Jun 30 '12 at 01:53
  • @logicalscope No, not there yet. The lab can test for compliance but I think is bad idea to let the lab drive what can be implemented and what not if we don't understand thoroughly the requirements ourselves. – Drew Lex Jun 30 '12 at 04:17

1 Answers1

1

I assume the question is about security level 1? There are various FIPS 140-2 level 1 compliant software modules on the market and they don't require the boot code to be authenticated. I believe security level 3 would require a full integrity check of the software including the boot code.

For a better understanding of what is required for FIPS 140-2 certification I would suggest taking a look at some of the security policies linked to on this page on the NIST site. If you find a product on that page which is similar to your own you can use their security policy document as a basis for your security policy.

David Wachtfogel
  • 5,512
  • 21
  • 35