IBM 4765 PCIe Cryptographic Coprocessor

Validating the IBM 4765

It is good practice to validate that a coprocessor is legitimate and untampered before using it. IBM ships a copy of CLU (Coprocessor Load Utility) to use with the CCA Support Program. You can use this utility to validate your coprocessor.

For information on using CLU, refer to the Coprocessor Load Utility reference section of the IBM 4765 PCIe Cryptographic Coprocessor CCA Support Program Installation Manual. This manual and all other product documentation can be found on the library page.

CLU status command

Use the ST command of CLU to start the validation process. This returns the coprocessor status.

From the CLU status response, confirm that the ROM Status says INIT: INITIALIZED. This indicates that the coprocessor's Segment 1 is initialized, which is the desired state.

If you are using the CCA Support Program, confirm that the ROM Status for SEG2 is RUNNABLE, OWNER2: 2 and for SEG3 is RUNNABLE, OWNER3: 2. This indicates that both segments are runnable and that the owner identifier for Segment 3 is 2 (which indicates the CCA product). Any other values for CCA are invalid.

Continuing with the status response, observe the hash values returned for the code segments. Each of these three hash values is associated with a particular release of code. See the table below. If a hash value does not match the expected value, the code loaded in the coprocessor should be considered illegitimate and the coprocessor considered tampered with.

Expected hash values by segment and CCA release

Segment CCA Release Hash value
   1    4.4.20
   722D F07C 6C6B 4939 5FFC 5B6F 777C 5B88
   A35B F368 BB73 3F49 9164 6D49 8B9E 5107

   722D F07C 6C6B 4939 5FFC 5B6F 777C 5B88
   A35B F368 BB73 3F49 9164 6D49 8B9E 5107

   722D F07C 6C6B 4939 5FFC 5B6F 777C 5B88
   A35B F368 BB73 3F49 9164 6D49 8B9E 5107

   57DA 34B1 4327 9C43 4910 7A55 6C4B 1F69
   54BC 3209 13D7 5D59 050C D27D FE99 6B1A

   177C AF13 C601 2276 90AA 8E20 D3BB BA58
   79A6 7EBA 6C2A D68B 0A34 33E0 802C 4EA7
   2    4.4.20
   F3D7 5D25 2823 83FC EC69 20C3 73DC 45DF
   6D7A 2F8D 0CA9 B9D3 C4EC 8E22 AC79 3CF5

   01BA B729 C7AC CDD8 CFEF B6B2 E292 FF8C
   FDDB 07F0 0CB2 57DD 658E 87CA 09C5 E63E

   5EA8 9396 A42C 74DB 3664 9C1F 3622 C418
   435E 88FF D574 C38A 5132 0322 DCFD BE2C

   551D 27BE 0784 6DFC 5221 3DDA 46C2 E061
   7AAB 02B5 E884 6A88 1CEA 890A 6584 C5EE

   F131 02E0 8BA6 C68D 9190 FBA5 DAB8 9A4A
   59E8 2751 5D04 2358 F4BB EE32 A17C 7245
   3    4.4.20
   8E44 9398 32D1 6BC3 4772 249E 69C8 72F4
   71FB 2379 6C96 DD3E FDB3 9CDE 4826 D395

   2BCB 0FE8 C281 2ABE 56C9 E41D F3D5 2D6B
   58BF 4493 6B9D 6B91 1C28 DD16 A803 2868

   B0DB 1360 94C9 949C ECD5 B881 9A30 B6D6
   5459 D3BF 7B33 901B 143B 1314 FBE4 6003

   6B8A 8F58 3181 9348 1E58 4338 BFA7 216D
   EB98 1CD6 26F8 7E21 2FFF 13E3 DAE3 201E

   ADBA 6401 6349 1D1D 8769 F3C4 EDDE B197
   036F DFA8 4B11 C1C4 FE1F AF40 358B B6D0

The status response includes a PartNum (part number) value, such as 45D7930. Make a note of this 7-character alphanumeric value. It will be needed to complete the CLU validate command below.

CLU validate command

In the final manufacturing step, an IBM 4765 Cryptographic Coprocessor generates its own RSA device-key pair (a public key and a private key). The private key is retained within the coprocessor. Manufacturing uses a class key to certify the device key. The certificate is returned to the coprocessor.

Power from the on-board batteries or PCIe bus enables the coprocessor to actively monitor for tampering events. This monitoring occurs from the time of factory certification until the end of the coprocessor's useful life. Detection of tampering activity results in the zeroization of the coprocessor's secrets, along with the destruction of the device key and its certificate.

IBM ships files containing class-key certificates for each class of coprocessor. Hardcoded within CLU is the coprocessor root key used to validate these class-key certificates.

CLU has a VA (validate) command that uses as input a class-key certificate file. The file name is derived from the part number of the coprocessor. The part number (PartNum) can be retrieved using the CLU ST command. For a given part number, change the uppercase letter(s) to lowercase, and append "v.clu". For example, if PartNum = 45D7930, then the class-key certificate file name would be 45d7930v.clu.

When CLU is called with the VA command, it first validates the certificate contained in the class-key certificate file provided as input. Using this certificate, CLU then validates the device key certificate that it retrieves from the coprocessor. Finally, using the validated device key, CLU validates status responses that the coprocessor signs with its device key.

You will need one or more of the following class-key certificate files for the standard IBM 4765:

Class-key file for use with the CLU VA command

PartNum Class-key certificate file
00V5420 00v5420v.clu
41U8608 41u8608v.clu
41U9986 41u9986v.clu
45D5117 45D5117.clu
45D6045 45d6045v.clu
45D7930 45d7930v.clu
45D7947 45d7947v.clu

The IBM 4765 root key, which is hardcoded into CLU, is shown below expressed in hexadecimal with the most significant bit first:
