[openssl-users] FIPS Linux kernel documentation ?

Steve Marquess marquess at openssl.com
Thu Mar 26 14:57:28 UTC 2015

On 03/25/2015 06:26 PM, jonetsu at teksavvy.com wrote:
> On Wed, 25 Mar 2015 17:03:04 -0400
> Steve Marquess <marquess at openssl.com> wrote:
>> I wasn't aware the Linux kernel (the real one, not proprietary
>> commercial derivatives) had a "FIPS" mode. Please enlighten me.
> It could very well be that the word 'mode' is not the right one.
> 'option' would perhaps be better.  This article from 2009 sets the
> foundation:
> http://www.guerilla-ciso.com/archives/793
> I wonder, 6 years later, what the kernel fips option implies.  Maybe I
> could try to contact Neil Horman andéor look into the sources.

That reference gives a pretty good explanation. CONFIG_CRYPTO_FIPS
doesn't get you any closer to FIPS 140-2 validated kernel cryptography.

Unfortunately FIPS 140-2 validation conflicts rather violently with open
source software (and with software engineering best practice in general,
for that matter). Even if some benevolent benefactor ponied up the
quarter megabuck it would take to do an open source based kernel crypto
validation, it would be fossilized code obsolete before the validation
was even approved. Linux got to be as good as it is due to constant
refinement and improvement; FIPS validation presumes that it is possible
to write perfect code in one shot and that the environment that code
runs in never changes.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list