[openssl-users] End of the line for the OpenSSL FIPS Object Module?

Isaac Hailperin Isaac.Hailperin at lcsystems.ch
Thu Feb 26 14:35:23 UTC 2015

Thanks, that makes things a lot clearer for me.
Not sure what we will do.


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Steve Marquess
Sent: Thursday, 26 February 2015 14:18
To: openssl-users at openssl.org
Subject: Re: [openssl-users] End of the line for the OpenSSL FIPS Object Module?

On 02/26/2015 07:04 AM, Isaac Hailperin wrote:
> Steve,
> thank you for alerting us. Do I understand correctly that by 
> "platform", not  a general OS (like "Linux", "Solaris") on a specific 
> hardware (sparc, x86, ...) is meant, but a very specific distribution 
> release, like "Ubuntu 14.04", or "CentOS 7.0", on e.g. x86? This would 
> mean that there would be no fips compliant openssl build possible on 
> e.g. a future "CentOS 8.1"?

Note the pedantically correct term is "FIPS 140-2 validated", not "FIPS compliant". But yes, correct.

> We are currently using the fips module on Solaris 10, and have plans 
> to use it on Linux, probably RHEL 7.X, but depending on the time in 
> the future, that could well be RHEL 8.X.

"Platform" -- technically "Operational Environment" or "OE" -- is a rather peculiar concept in the context of FIPS 140-2 validations, and unfortunately one that has never been clearly defined (also one that changes over time due to ever shifting CMVP "guidance").

Based on observation and the conventional wisdom of the FIPS validation community, I'll attempt an oversimplified, unofficial, non-authoritative, non-definitive, and thoroughly worthless definition:

For Level 1 validations, very roughly speaking, an OE is an operating system name (e.g. "Ubuntu") and the first two dot-rev levels of the version number (e.g. "14.04" for "14.04.01", "14.04.02", etc.), *and* a "processor architecture". All x86-64 processors with AES-NI (again roughly speaking) are the same "processor architecture", as are all those without (and ditto for ARMv7 and NEON).

32- and 64-bit code comprise separate "platforms", and a given OS+OS version+processor architecture+address bit length "platform" running "bare-iron" constitutes a different "platform" from the exact same software+hardware combination running virtualized under each distinct brand name and version of hypervisor environment. So for instance

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under VMware ESXi 5.1

is a different "platform" from

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under VMware ESXi 5.5

I've left out a number of known exceptions, complications, and anomalies...

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
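Steve's rough OE rule above, written out as a check you could run against a module's list of validated platforms before relying on it. This is an added example, not code from the post, from OpenSSL or from the OpenSSL Software Foundation; the field names, the truncation of the OS version to its first two components, and comparing the hypervisor version as written are my assumptions, and the list of "validated" OEs is constructed for illustration.

```python
"""Rough model of a FIPS 140-2 'Operational Environment' (OE) as Steve
describes it: OS name + major.minor OS version + processor architecture
class (ISA plus whether the crypto extension, AES-NI or NEON, is present)
+ address width + hypervisor brand/version (or bare metal).
Added example, not OSF/OpenSSL code; everything here is an approximation."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def major_minor(version: str) -> str:
    """Keep the first two dot-separated components: '14.04.02' -> '14.04'.
    Assumption: a bare '7' stays '7' (the post does not say how to treat it)."""
    return ".".join(version.strip().split(".")[:2])


@dataclass(frozen=True)
class Platform:
    os_name: str
    os_version: str
    isa: str                 # e.g. "x86-64", "ARMv7"
    crypto_ext: bool         # AES-NI on x86-64, NEON on ARMv7
    bits: int                # 32 or 64
    hypervisor: Optional[str] = None   # None = bare metal ("bare-iron")
    hv_version: Optional[str] = None

    def oe(self) -> Dict[str, object]:
        """Normalized OE components; two platforms with equal dicts are the same OE."""
        if self.hypervisor is None:
            hv = "bare-metal"
        else:
            # Assumption: hypervisor version is compared as written (5.1 != 5.5).
            hv = f"{self.hypervisor.lower()} {(self.hv_version or '').strip()}"
        return {
            "os": self.os_name.lower(),
            "os_version": major_minor(self.os_version),
            "arch": f"{self.isa.lower()}{'+ext' if self.crypto_ext else ''}",
            "bits": self.bits,
            "hypervisor": hv,
        }


def oe_diff(a: Platform, b: Platform) -> List[str]:
    """Names of the OE components on which a and b differ (empty list = same OE)."""
    ka, kb = a.oe(), b.oe()
    return [k for k in ka if ka[k] != kb[k]]


def same_oe(a: Platform, b: Platform) -> bool:
    return not oe_diff(a, b)


def covering_oe(target: Platform, validated: List[Platform]) -> Optional[Platform]:
    """First validated OE that matches target, or None if target is not covered."""
    for v in validated:
        if same_oe(target, v):
            return v
    return None


# Constructed list standing in for the OEs on a validation certificate.
VALIDATED = [
    Platform("Ubuntu", "14.04", "x86-64", True, 64, "VMware ESXi", "5.1"),
    Platform("CentOS", "7.0", "x86-64", True, 64),
]

if __name__ == "__main__":
    for t in (
        Platform("Ubuntu", "14.04.02", "x86-64", True, 64, "VMware ESXi", "5.1"),
        Platform("Ubuntu", "14.04", "x86-64", True, 64, "VMware ESXi", "5.5"),
        Platform("CentOS", "7.0.1406", "x86-64", True, 64),
        Platform("CentOS", "8.1", "x86-64", True, 64),
    ):
        hit = covering_oe(t, VALIDATED)
        status = "covered" if hit else "NOT covered: " + ", ".join(
            f"{k} differs" for k in oe_diff(t, VALIDATED[0]))
        print(t.os_name, t.os_version, t.oe()["hypervisor"], "->", status)
```

The point of `oe_diff` is to show which component breaks the match: a point release (14.04.02 vs 14.04) is fine, but a hypervisor version bump, a 32-bit build, or a CPU without AES-NI each produces a different OE under this rule.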
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users