[openssl-users] Provisional FIPS 140-2 casualty list

Steve Marquess marquess at openssl.com
Mon Jun 22 09:34:43 UTC 2015

On 06/22/2015 02:36 AM, Jeffrey Walton wrote:
> Hi Steve,
> Forgive my ignorance....
>>From the previous postings, I *thought* that the validation only
> applies to real iron, and [retroactively] was not conferred to the
> VMs. But it seems like this list includes real hardware, too:
>     12  Ubuntu 10.04 running on Intel Core i5 with AES-NI (32 bit)
> (gcc Compiler Version 4.1.3)
>     32  Ubuntu 10.04 (32 bit) (gcc Compiler Version 4.1.3)
>     33  Ubuntu 10.04 (64 bit) (gcc Compiler Version 4.1.3)
> Those caught my eye because I used them in the past (specifically, 12).
> What exactly changed? Or where is my disconnect?

CMVP requirements relating to virtualization have evolved considerably
over time, and in fact it's the retroactive enforcement of those
changing requirements that led to this "hostage" mess[*].

Once upon a time a virtualized OS+processor was treated the same as that
OS running on that processor "bare iron", i.e. no virtualization. For
instance, "AcmeOS 1.2 on x86".

At the time the #1747 validation was started the CMVP required that
virtualization be noted, as in an OS and a processor architecture
running virtualized under some general virtualization environment (e.g.
"AcmeOS 1.2 under vSphere on x86"), but there was no requirement for a
hypervisor product version number.

Then came a requirement for a hypervisor brand name plus version, e.g.
"AcmeOS 1.2 under vSphere ESXi 4.4". This last requirement came into
force after the #1747 validation was out and already had quite a few
platforms. The platforms added since this requirement was introduced
have the hypervisor brand name version qualification (e.g. platforms 97,

-Steve M.

[*] retroactive requirements changes imposed on in-process validation
actions have long been common, and are part of the challenge of
completing any validation action with any kind of predictable budget or
schedule. The imposition of retroactive changes on previously approved
validations is a disturbing new development.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list