On 03/25/2015 06:26 PM, jone...@teksavvy.com wrote:
> On Wed, 25 Mar 2015 17:03:04 -0400
> Steve Marquess <marqu...@openssl.com> wrote:
>
>> I wasn't aware the Linux kernel (the real one, not proprietary
>> commercial derivatives) had a "FIPS" mode. Please enlighten me.
>
> It could very well be that the word 'mode' is not the right one.
> 'option' would perhaps be better. This article from 2009 sets the
> foundation:
>
> http://www.guerilla-ciso.com/archives/793
>
> I wonder, 6 years later, what the kernel fips option implies. Maybe I
> could try to contact Neil Horman and/or look into the sources.
That reference gives a pretty good explanation. CONFIG_CRYPTO_FIPS doesn't get you any closer to FIPS 140-2 validated kernel cryptography. Unfortunately FIPS 140-2 validation conflicts rather violently with open source software (and with software engineering best practice in general, for that matter). Even if some benevolent benefactor ponied up the quarter megabuck it would take to do an open source based kernel crypto validation, it would be fossilized code obsolete before the validation was even approved. Linux got to be as good as it is due to constant refinement and improvement; FIPS validation presumes that it is possible to write perfect code in one shot and that the environment that code runs in never changes.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
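As an added illustration of what the kernel option discussed above actually amounts to (this is example code written for this page, not something posted in the thread or shipped by OpenSSL or the Linux kernel), the script below inspects the two places the option shows up on a running system: the `/proc/sys/crypto/fips_enabled` sysctl that CONFIG_CRYPTO_FIPS exposes (set to 1 by the `fips=1` boot parameter) and the `CONFIG_CRYPTO_FIPS` line in the distro's `/boot/config-$(uname -r)` file. The helper names (`fips_state_from_file`, `fips_from_kernel_config`, `kernel_fips_report`) are this example's own, and the `/boot/config-*` path is a distribution convention that may not exist on every system. What the output shows is a runtime flag and a build-time switch, nothing more; as the reply says, neither turns the kernel's crypto into FIPS 140-2 validated code.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of the Linux
# kernel's CONFIG_CRYPTO_FIPS option on the running system. The option
# only provides a runtime flag (the fips= boot parameter and the
# /proc/sys/crypto/fips_enabled sysctl); its value says nothing about
# FIPS 140-2 validation of the kernel's crypto code.

# Classify the contents of a fips_enabled-style file (path is a parameter
# so the logic can be exercised against constructed files).
# Prints one of: enabled, disabled, absent, unexpected.
fips_state_from_file() {
    path="$1"
    if [ ! -r "$path" ]; then
        # No sysctl at all: kernel built without CONFIG_CRYPTO_FIPS
        # (or /proc is not mounted).
        echo absent
        return 0
    fi
    value=$(tr -d '[:space:]' < "$path")
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unexpected ;;
    esac
}

# Report whether a kernel build config (a .config-style file) enabled
# CONFIG_CRYPTO_FIPS. Prints one of: builtin, notset, unknown.
fips_from_kernel_config() {
    config="$1"
    if [ ! -r "$config" ]; then
        echo unknown
        return 0
    fi
    if grep -q '^CONFIG_CRYPTO_FIPS=y' "$config"; then
        echo builtin
    elif grep -q '^# CONFIG_CRYPTO_FIPS is not set' "$config"; then
        echo notset
    else
        echo unknown
    fi
}

# Live check of the running system. The sysctl path is the kernel's own;
# the /boot config file is a distro convention and may be missing, in
# which case the build-time answer is reported as unknown.
kernel_fips_report() {
    printf 'fips_enabled sysctl: %s\n' \
        "$(fips_state_from_file /proc/sys/crypto/fips_enabled)"
    printf 'CONFIG_CRYPTO_FIPS in build config: %s\n' \
        "$(fips_from_kernel_config "/boot/config-$(uname -r)")"
}

kernel_fips_report
```

On a kernel built without the option the first line reads `absent`; on a FIPS-enabled boot it reads `enabled`. Either way the script is only reading flags, which is the point of the reply: the flag and the validation are different things.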