[openssl-users] FIPS Linux kernel documentation ?

Steve Marquess marquess at openssl.com
Thu Mar 26 17:13:44 UTC 2015


On 03/26/2015 01:00 PM, Marcus Meissner wrote:
> ...
>>
>> Unfortunately FIPS 140-2 validation conflicts rather violently with open
>> source software (and with software engineering best practice in general,
>> for that matter). Even if some benevolent benefactor ponied up the
>> quarter megabuck it would take to do an open source based kernel crypto
>> validation, it would be fossilized code obsolete before the validation
>> was even approved. Linux got to be as good as it is due to constant
>> refinement and improvement; FIPS validation presumes that it is possible
>> to write perfect code in one shot and that the environment that code
>> runs in never changes.
> 
> This is not true.
> 
> Both Redhat and SUSE have certified or are currently in the process of
> certifying the Linux Kernel as a cryptographic module and it is not
> as hard as you make it.
> 
> ...

As you note *binary* validations are a lot easier. Many such Level 1
software validations have been done (something like a thousand),
including ones by Red Hat, SuSE, and hundreds of "private label"
*binary* validations based on the OpenSSL FIPS Object Module (many using
that code verbatim). In fact the majority of all Level 1 software
validations are derived from OpenSSL code. We've done a number of those
private label validations ourselves, incidentally.

But, as someone who has been at ground zero of each of the only open
source based FIPS 140-2 validations that have ever been done I can tell
you that those are *much* harder.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

