[openssl-users] End of the line for the OpenSSL FIPS Object Module?

Steve Marquess marquess at openssl.com
Thu Feb 26 13:18:22 UTC 2015 

On 02/26/2015 07:04 AM, Isaac Hailperin wrote:
> Steve,
> 
> thank you for alerting us. Do I understand correctly that by
> "platform", not  a general OS (like "Linux", "Solaris") on a specific
> hardware (sparc, x86, ...) is meant, but a very specific distribution
> release, like "Ubuntu 14.04", or "CentOS 7.0", on e.g. x86? This
> would mean that there would be no fips compliant openssl build
> possible on e.g. a future "CentOS 8.1"?

Note the pedantically correct term is "FIPS 140-2 validated", not "FIPS
compliant". But yes, correct.

> We are currently using the fips module on Solaris 10, and have plans
> to use it on Linux, probably RHEL 7.X, but depending on the time in
> the future, that could well be RHEL 8.X.

"Platform" -- technically "Operational Environment" or "OE" -- is a
rather peculiar concept in the context of FIPS 140-2 validations, and
unfortunately one that has never been clearly defined (also one that
changes over time due to ever shifting CMPV "guidance").

Based on observation and the conventional wisdom of the FIPS validation
community, I'll attempt an oversimplified, unofficial,
non-authoritative, non-definitive, and thoroughly worthless definition:

For Level 1 validations, very roughly speaking, an OE is an operating
system name (e.g. "Ubuntu") and the first two dot-rev levels of the
version number (e.g. "14.04" for "14.04.01", "14.04.02", etc.), *and* a
"processor architecture". All x86-64 processors with AES-NI (again
roughly speaking) are the same "processor architecture", as are all
those without (and ditto for ARMv7 and NEON).

32 and 64 code comprise separate "platforms", and a given OS+OS
version+processor architecture+address bit length "platform" running
"bare-iron" constitutes a different "platform" from the exact same
software+hardware combination running virtualized under each distinct
brand name and version of hypervisor environment. So for instance

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under Vmware ESXi 5.1

is a different "platform" from

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under Vmware ESXi 5.5

I've left out a number of known exceptions, complications, and anomalies...

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list