[openssl-users] FIPS 140-2 hostages executed

Steve Marquess marquess at openssl.com
Tue Jun 16 21:57:03 UTC 2015


If you don't know or care what FIPS 140-2 is then count yourself very
lucky and move on.

There is a new development in the long running saga of the "hostage
issue"[*]; the hostages have been executed:

  http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747

Cross-referencing the Big Blob '0 Text in the rightmost cell on that
NIST CMVP web site entry shows that fourteen of the original "hostages"
were "executed":

  47 Windows 2008 32-bit under vSphere Xeon E3-1220v2 (x86) None
  48 Windows 2008 64-bit under vSphere Xeon E3-1220v2 (x86) None
  49 RHEL 6 32-bit under vSphere Xeon E3-1220v2 (x86) None
  50 RHEL 6 64-bit under vSphere Xeon E3-1220v2 (x86)
  59 VMware Horizon Mobile 1.3 under VMware under Android 4.0 Qualcomm
MSM8X60 (ARMv7) NEON
  66 VMware Horizon Workspace 1.5 under vSphere Intel Xeon E3-1220 (x86)
None
  67 VMware Horizon Workspace 1.5 under vSphere Intel Xeon E3-1220 (x86)
AES-NI
  72 Linux 3.4 under Citrix XenServer Intel Xeon E5-2430L (x86) AES-NI
  73 Linux 3.4 under VMware ESX Intel Xeon E5-2430L (x86) None
  74 Linux 3.4 under VMware ESX Intel Xeon E5-2430L (x86) AES-NI
  75 Linux 3.4 under Microsoft Hyper-V Intel Xeon E5-2430L (x86) None
  76 Linux 3.4 under Microsoft Hyper-V Intel Xeon E5-2430L (x86) AES-NI
  79 PexOS 1.0 under vSphere Intel Xeon E5-2430L (x86) None
  80 PexOS 1.0 under vSphere Intel Xeon E5-2430L (x86) AES-NI

along with what I'm guessing are accidental random bystanders:

  8 Ubuntu 10.04 Intel Pentium T4200 (x86) None

and one of

  20 Linux 2.6 Broadcom BCM11107 (ARMv6) None
  21 Linux 2.6 TI TMS320DM6446 (ARMv4) None

I don't know which of 20 and 21 was executed (if deliberate) and which
was spared; I have asked for clarification.

I am assuming that platform 71, Linux 3.4 under Citrix XenServer Intel
Xeon E5-2430L (x86), was spared only by mistake and will soon share the
fate of its fellow hostages.

If you are currently using a FIPS module on any of these 16 now deleted
platforms, that module has retroactively become non-validated.

It's my understanding from the test lab that we may be allowed to
restore the deleted platforms, with modifications (once OSF has
permission from the sponsors of those platforms). Obviously if those
sponsors had been presented with the choice between complete removal of
their platforms and restricting them to particular hypervisor versions
they would have chosen the latter. Instead they were forced to choose
between preserving their platforms and adding new platforms, which led
us down the "ransom" path and months of delay...

-Steve M.

[*] See http://openssl.com/fips/hostage.html,
    http://openssl.com/fips/ransom.html

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


More information about the openssl-users mailing list