[openssl-users] FIPS Linux kernel documentation ?

Steve Marquess marquess at openssl.com
Thu Mar 26 15:56:28 UTC 2015

On 03/26/2015 11:30 AM, John Foley wrote:
> We looked at this very briefly a couple of years ago.  In theory, there
> may be a way to achieve the goal as a loadable kernel module (a.k.a.
> device driver).  The idea would be to have a kernel module that provides
> crypto support.  This kernel module would be the FIPS object module,
> with the FIPS boundary drawn around the kernel module.  This would be
> loaded at run time like any other device driver when FIPS mode needed to
> be enabled.
> There is likely some kernel work required to allow the ciphers in the
> kernel module to be injected into the crypto flow within the kernel. 
> The other issue is getting the kernel to automatically run the FIPS
> integrity test on the module at load time.

We looked at it in quite a bit of detail about two years ago also, to
the point of developing a formal proposal for a prospective sponsor.

Yes, a loadable module is the way to go. We had worked out how to do the
POST at module load (including an actual implementation).

But, as with any open source based FIPS validation it would have been
expensive and risky, and the end result would still have been fossilized
code that would always be a painfully awkward fit in the Linux
ecosystem. We'd still consider tackling that, with financial
sponsorship, but we have no prospects for such.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list