[openssl-users] FIPS Linux kernel documentation ?

Steve Marquess marquess at openssl.com
Fri Mar 27 13:03:07 UTC 2015

On 03/27/2015 04:45 AM, Henrik Grindal Bakken wrote:
> Steve Marquess <marquess at openssl.com>
> writes:
>>> If the CMVP bureaucracy insists on a specific kernel version
>>> for the platform number, this should be one of the "Long Term
>>> Support" kernel releases to maximize longevity (assuming that
>>> regular OS patching within a version number is still accepted
>>> as "same platform").
>> Worse: it would need to be validated on every "Operational Environment"
>> (OE): meaning every Linux distribution: Debian N.M for every N and M,
>> Fedora N.M, Ubuntu N.M, CentOS N.M, ...
> Are you certain?  For a user-space component like OpenSSL, this is
> obviously true, but I think you could argue that a kernel module's
> "Operational Environment" has no relation to the Linux distro, only to
> the kernel it's loaded by and the hardware architecture (and perhaps the
> compiler).

Nope, been there done that with the CMVP. When an known distro is in use
(Debian, Fedora, ...) we're (generally) required to use that as the OE
"operating system" name. Which is a bit ironic as a given Linux distro
for a fixed major.minor version number may step through multiple kernel
versions (even from 2.x to 3.x, for instance) during the life cycle of
that major.minor release.

Take a look at table 2 of the #1747 Security Policy (or any other module
with large numbers of platforms, though there aren't many of those).
You'll see multiple Linux distros that share the same Linux kernel. We
didn't do that for fun.

We've only been able to use the Linux kernel version itself as the
"operating system" name and version number in the case of specialty
embedded systems where the product vendor builds their own kernel from

Then ironically vendors are allowed to do "vanity branding" of a
standard distro, for example by rebranding stock "Ubuntu 12.04" as
"AcmeOS 1.1". That vendor can then choose to rebrand Ubuntu 14.04 as
"AcmeOS 1.1.1", which by the unwritten rule of OE equivalence is still
AcmeOS 1.1. That's several kinds of crazy, but it is what it is.

Note the point here holds for a hypothetical kernel module validation,
as it hinges on the CMVP conception of an "OE". You can see that from
the existing kernel module validations.

Incidentally, the trend for the past several years has been for the CMVP
to require ever more specificity in "OE" designations. For instance, the
exact same guest image running on ESXi 5.1 and on ESXi 5.2, for
identical hardware, now constitutes two separate "OEs".

Logic doesn't really apply here...

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list