[openssl-users] Enabling FIPS on an custom embedded system.

Steve Marquess marquess at openssl.com
Wed Oct 26 21:04:07 UTC 2016


On 10/26/2016 04:37 PM, Eric Tremblay wrote:
> Hi all,____
> 
> __ __
> 
> I have built the FIPS module into our Platform but I am stuck at the
> point to enable it.____
> 
> __ __
> 
> We need FIPS to be enabled « Platform wide » not just for one
> application.____
> 
> __ __
> 
> I have read the documentation and search on the web for answer but it
> seem that I would have ____
> 
> to modify a package or write a small application just to enable FIPS.____
> 
> __ __
> 
> Is there another way to enable it on startup of Linux ?  or maybe
> something in OpenSSH ?____
> 
> __ __
> 
> I also read about the OPENSSL_Config in the User Guide but I’m not sure
> if/who and how it is called.____
> 
> __ __
> 
> I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____
> 
> __ __
> 
> Thanks____
> 
> __ __
> 
> Eric
> 
> 
> 


Hmmm ... where to start.

First there is really no such thing as "enabling FIPS" for a platform.
The FIPS module is executable code that runs in the context of a
process, and to be righteous FIPS-wise each process (that uses
cryptography) must invoke the FIPS_mode_set() call that performs the
mandatory POST (Power Up Self Test). Note that is true even when the
FIPS module is embedded in a shared library (the "FIPS enabled"
OpenSSL), as each process using said shared library maps writable data
into its own private address space.

So to make the sweeping claim that a "platform" is FIPS enabled, you
must make sure that *every* process for that platform enables FIPS mode
via a FIPS_mode_set() call (whether directly or indirectly). Note that
for your typical general purpose (e.g. Windows or Linux-like) operating
system that is an essentially unachievable goal, as not all of the many
crypto-using applications are readily converted to use the FIPS enabled
OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise
kernel-mode crypto can't be addressed with the OpenSSL FIPS module.

For that reason the wise and prudent vendor does not attempt to "enable
FIPS" for an entire platform (for Level 1 validations), but rather only
makes claims about specific individual applications running on that
platform.

In the case where all processes of interest are compatible with the FIPS
capable OpenSSL (specifically, not referencing any other crypto
implementations, or non-approved cryptographic operations), then
OPENSSL_config() can in principle be used to indirectly call
FIPS_mode_set() for each such application. That is only *after* every
such application/process has *first* been modified for compatibility
with the FIPS capable OpenSSL. Very few applications not already
designed to support the OpenSSL FIPS module will be compatible without
some degree of modification.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


More information about the openssl-users mailing list