I believe the relevant standard is described in the Implementation Guidance for FIPS 140-2: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf (see IG 9.11 beginning on page 179). I searched briefly for similar text in FIPS 140-3 IG but didn't see anything relevant.
Tom.III

On Mon, Feb 14, 2022 at 3:31 PM Dr Paul Dale <pa...@openssl.org> wrote:

> Yes, this has to do with the FIPS standards. I forget which standard it is but the self tests are mandated to be run on each device independently.
>
> The fipsinstall process runs the self tests before generating the configuration file. If the self tests fail, the module doesn't install. Copying the configuration file across avoids the self tests and therefore isn't compliant.
>
> Pauli
>
> On 15/2/22 02:25, Richard Dymond wrote:
>
> Hi
>
> Probably a dumb question, but why must the FIPS module configuration file for OpenSSL 3.0 be generated on every machine that it is to be used on (i.e. must not be copied from one machine to another)?
>
> I just ran 'openssl fipsinstall' on two different machines with the same FIPS module and it produced exactly the same output each time, so presumably the reason has nothing to do with the config file being unique to the machine.
>
> Does it have something to do with the FIPS standard itself?
>
> Richard
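The per-machine procedure discussed in this thread, as an added example that is not part of the original messages or the OpenSSL project's own tooling: a deployment helper that generates the configuration file on the local host, so the self tests run there, and publishes it only if `openssl fipsinstall` succeeds. The function names and the paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and paths are assumptions for illustration;
# only the `openssl fipsinstall` options (-module, -out, -in, -verify) are
# real OpenSSL 3.0 options.

# install_fips_config MODULE CONF
# Runs fipsinstall on THIS host. fipsinstall runs the module self tests
# before writing the config, so a copied CONF would skip that step.
# Returns: 0 = config written, 1 = fipsinstall failed, 2 = module missing.
install_fips_config() {
    module=$1
    conf=$2
    [ -f "$module" ] || { echo "FIPS module not found: $module" >&2; return 2; }
    # Write to a temporary name first so a failed run never leaves a
    # config file in place that something else could pick up.
    tmp="$conf.tmp.$$"
    if openssl fipsinstall -module "$module" -out "$tmp" >/dev/null 2>&1; then
        mv "$tmp" "$conf"
    else
        rm -f "$tmp"
        echo "fipsinstall failed on this host; $conf not installed" >&2
        return 1
    fi
}

# verify_fips_config MODULE CONF
# Re-checks an existing config against the local module.
# Returns: 0 = verified, 2 = module or config missing, other = verify failed.
verify_fips_config() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    openssl fipsinstall -module "$1" -in "$2" -verify >/dev/null 2>&1
}
```

Call `install_fips_config` from the provisioning step of each machine rather than shipping a generated `fipsmodule.cnf` inside an image or package.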