We looked at this very briefly a couple of years ago. In theory, there
may be a way to achieve the goal as a loadable kernel module (a.k.a.
device driver). The idea would be to have a kernel module that provides
crypto support. This kernel module would be the FIPS object module,
with the FIPS boundary drawn around the kernel module. This would be
loaded at run time like any other device driver when FIPS mode needed to
be enabled.
There is likely some kernel work required to allow the ciphers in the
kernel module to be injected into the crypto flow within the kernel.
The other issue is getting the kernel to automatically run the FIPS
integrity test on the module at load time.
On 03/26/2015 10:57 AM, Steve Marquess wrote:
On 03/25/2015 06:26 PM, jone...@teksavvy.com wrote:
On Wed, 25 Mar 2015 17:03:04 -0400
Steve Marquess <marqu...@openssl.com> wrote:
I wasn't aware the Linux kernel (the real one, not proprietary
commercial derivatives) had a "FIPS" mode. Please enlighten me.
It could very well be that the word 'mode' is not the right one.
'option' would perhaps be better. This article from 2009 sets the
foundation:
http://www.guerilla-ciso.com/archives/793
I wonder, 6 years later, what the kernel fips option implies. Maybe I
could try to contact Neil Horman andéor look into the sources.
That reference gives a pretty good explanation. CONFIG_CRYPTO_FIPS
doesn't get you any closer to FIPS 140-2 validated kernel cryptography.
Unfortunately FIPS 140-2 validation conflicts rather violently with open
source software (and with software engineering best practice in general,
for that matter). Even if some benevolent benefactor ponied up the
quarter megabuck it would take to do an open source based kernel crypto
validation, it would be fossilized code obsolete before the validation
was even approved. Linux got to be as good as it is due to constant
refinement and improvement; FIPS validation presumes that it is possible
to write perfect code in one shot and that the environment that code
runs in never changes.
-Steve M.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
