

## SP 800-90B Non-Proprietary Public Use Document

## **FortiOS CPU Jitter Entropy Library 1.0**

CPU Jitter Firmware Version: 3.4.1

Fortinet, Inc. 899 Kifer Road Sunnyvale, CA 94086 USA

Document Version 1.1 May 1, 2024

#### **Revision History**

| Version | Change                        |  |  |
|---------|-------------------------------|--|--|
| 1.0     | Initial draft.                |  |  |
| 1.1     | Addressed Certifier comments. |  |  |

## **Table of Contents**

| 1 | Description                           | 4 |
|---|---------------------------------------|---|
| 2 | Security Boundary                     | 4 |
| 3 | Operating Environments and Conditions | 5 |
| 4 | Configuration Settings                | 6 |
| 5 | Physical Security Mechanisms          | 6 |
| 6 | Min-Entropy Rate                      | 6 |
| 7 | Health Tests                          | 6 |
| 8 | Maintenance                           | 7 |
| 9 | Required Testing                      | 7 |

## 1 Description

The FortiOS CPU Jitter Entropy Library 1.0 implements CPU Jitter version 3.4.1 without any modifications. CPU Jitter Entropy Source is a non-physical entropy source. It makes no IID claim and thus meets all the requirements for non-IID compliance. Table 1 summarizes the Fortinet platforms and their respective processors for which testing was performed.

## 2 Security Boundary

The boundary of the CPU Jitter implementation is shown in Figure 1. CPU Jitter gets its entropy from the time deltas between repeated hash/memory collection operations. The CPU Jitter output is used to seed an SP 800-90A compliant DRBG, which is outside of the boundary of the entropy source. The security boundary of the CPU Jitter implementation contains the source code files provided as part of the software delivery. The source code contains API calls which are used by modules requesting entropy from CPU Jitter.



Figure 1 - Entropy Source Diagram

# **3 Operating Environments and Conditions**

Table 1 summarizes the operating conditions for each of the tested platforms.

| Platform             | Processor                                         | Clock<br>Speed | Cache                                                 | Platform<br>Temperature | Platform<br>Voltage (AC) |
|----------------------|---------------------------------------------------|----------------|-------------------------------------------------------|-------------------------|--------------------------|
| FGR_60F              | FortiSOC4, 4<br>Core                              | 1.2GHz         | Cache L1:32KB<br>Cache L2:2MB<br>Cache L3:N/A         | -40° C - 75° C          | 166W                     |
| FG_200F<br>FG_201F   | Intel Xeon D-<br>1627, 4 Core                     | 2.9 GHz        | Cache L1:32KB<br>Cache L2:256KB<br>Cache L3:1.5MB     | 0° C - 105° C           | 45W                      |
| FG_600F<br>FG_601F   | Intel Xeon E-<br>2386G(Rocket<br>Lake), 6 Core    | 4.2 GHz        | Cache L1:32KB<br>Cache L2:512KB<br>Cache L3:2MB       | 0° C - 100° C           | 95W                      |
| FG_1000F             | Intel Xeon E-<br>2388G (Rocket<br>Lake), 8 Core   | 4.1GHz         | Cache L1:32KB<br>Cache L2:512KB<br>Cache L3:1.5MB     | 0° C - 100° C           | 95W                      |
| FG_1800F<br>FG_1801F | Intel Xeon W-<br>3223, 8 Core                     | 3.5GHz         | Cache L1:32KB<br>Cache L2:1MB<br>Cache L3:2MB         | 0° C - 66° C            | 160W                     |
| FG_2600F<br>FG_2601F | Intel Xeon Gold<br>6208U, 16 Core                 | 2.9GHz         | Cache L1:512KB<br>Cache L2:1MB<br>Cache<br>L3:2.75MB  | 0° C - 95° C            | 150W                     |
| FG_3000F<br>FG_3001F | AMD EPYC<br>7502P(ROME),<br>32 Core               | 2.5 GHz        | Cache L1:32KB<br>Cache L2:512KB<br>Cache L3:2MB       | 30° C - 65° C           | 180W                     |
| FG_3500F<br>FG_3501F | AMD EPYC<br>7542(ROME), 32<br>Core                | 2.9 GHz        | Cache L1:32KB<br>Cache L2:512KB<br>Cache L3:2MB       | 30° C - 65° C           | 225W                     |
| FG_3700F<br>FG_3701F | Intel Xeon Gold<br>ICX 6348(Ice<br>Lake) 28 Core  | 2.6 GHz        | Cache L1:32KB<br>Cache L2: 1MB<br>Cache<br>L3:1.375MB | 0° C - 98° C            | 235W                     |
| FG_4400F<br>FG_4401F | Intel Xeon Gold<br>6248(Cascade<br>Lake), 20 Core | 2.5 GHz        | Cache L1:32KB<br>Cache L2:1MB<br>Cache<br>L3:1.375MB  | 0° C - 86° C            | 150W                     |
| FG_VM on<br>PacStar  | Intel Xeon D-<br>1559, 12 Core                    | 1.5 GHz        | Cache L1:32KB<br>Cache L2:256KB<br>Cache L3:1.5MB     | 0° C - 108° C           | 45W                      |

Table 1 - Operating Environment and Conditions

## **4 Configuration Settings**

Table 3 summarizes the configuration settings used by the Fortinet implementation of CPU Jitter. These settings must be preserved to comply with the CPU Jitter ESV certificate.

| Parameter                      | Value   | Description                                                                                  |
|--------------------------------|---------|----------------------------------------------------------------------------------------------|
| JENT_RANDOM_MEMACCESS          | Enabled | Enables random memory access using bit versus blocks                                         |
| JENT_MEMORY_BITS               | 17      | Number of bits in a memory block (i.e., the memory block size in bits is 2^JENT_MEMORY_BITS) |
| JENT_MEMORY_SIZE               | 128KiB  | Memory block size                                                                            |
| JENT_MEMORY_ACCESSLOOPS        | 128     | Memory access loops                                                                          |
| JENT_MIN_OSR                   | 3       | Set in code by  JENT_CONF_DISABLE_LOOP_SHUFFLE  (Enabled: 3 (default), Disabled: 1)          |
| JENT_CONF_DISABLE_LOOP_SHUFFLE | Enabled | Disables pseudo-random looping e.g., lower boundary entropy equals upper boundary entropy.   |

**Table 2 - Configuration Settings** 

## 5 Physical Security Mechanisms

The FortiOS CPU Jitter Entropy Library 1.0 is enclosed entirely within the module's cryptographic boundary which is protected by tamper evident seals, anti-probing barriers and electronic tamper detection and is assessed for FIPS level 3 Physical Security compliance.

#### 6 Min-Entropy Rate

The FortiOS CPU Jitter Entropy Library 1.0 generates an output that is considered to have full entropy. A request for 256 bits of entropy results in 256 + 64 bits of entropy per output sample, or full entropy, where 64 is a new CPU Jitter safety factor based on draft SP 800-90C considerations in section 2.6 Assumptions and Assertions.

#### 7 Health Tests

Per the SP 800-90B requirements, health tests are run when CPU Jitter starts, and are then run continuously while it is operating. All tests check for persistent failures based on their respective "cutoff" values, which represent expected error thresholds.

CPU Jitter implements four types of health tests:

- Stuck Test
- Repetition Count Test (RCT)
- Adaptive Proportion Test (APT)
- Lag Predictor Test

All health test failures are considered permanent failures. If one is triggered, the current instance of the CPU Jitter will always remain in error state. The documentation of the API call jent\_read\_entropy(3) explains that the caller can only clear this error state by deallocating the CPU Jitter instance followed by an allocation of a new CPU Jitter Entropy Source instance to reset the noise source.

#### 8 Maintenance

There are no maintenance requirements for the CPU Jitter library.

#### 9 Required Testing

The entropy report contains the results of the testing Intel did on their raw and restart data. Raw data was collected by running the invoke\_testing.sh script included in the CPU Jitter package. This script gathers 1,000,000 samples of 8-bits of raw time stamp data. It also gathers 1000 samples of 8-bits of raw data after restarting CPU Jitter each time, thus eventually gathering 1,000,000 samples of raw data for the restart tests.

#### **Raw Data Analysis**

Each raw data sample consists of one time stamp, which is 64 bits long. The CPU Jitter design states that the source can deliver full entropy if and only if the min-entropy is at least 1/osr (osr=3) bits of entropy per time stamp. This CPU Jitter implementation uses an oversampling rate of 3.

#### **Restart Data Analysis**

The CPU Jitter Entropy does not have a stochastic model, but an H<sub>submitter</sub> estimate of 1 was determined using analysis as described in SP 800-90B Section 3.2.2, Requirement 3. The CPU Jitter Entropy Source implementation uses an oversampling rate of 3. For that reason, the initial entropy estimate is set to 0.333 (1/3) for the purpose of running the NIST restart tests.

For the restart tests, the raw entropy data is collected for 1,000 CPU Jitter Entropy Source instances allocated sequentially. That means, for one collection of raw entropy, one CPU Jitter Entropy Source instance is allocated. After the conclusion of the data gathering it is deallocated and a new CPU Jitter Entropy Source instance is allocated for the next restart test round.