On 02/26/2015 07:04 AM, Isaac Hailperin wrote:
> Steve,
>
> thank you for alerting us. Do I understand correctly that by
> "platform", not a general OS (like "Linux", "Solaris") on a specific
> hardware (sparc, x86, ...) is meant, but a very specific distribution
> release, like "Ubuntu 14.04", or "CentOS 7.0", on e.g. x86? This
> would mean that there would be no fips compliant openssl build
> possible on e.g. a future "CentOS 8.1"?

Note the pedantically correct term is "FIPS 140-2 validated", not "FIPS compliant". But yes, correct.

> We are currently using the fips module on Solaris 10, and have plans
> to use it on Linux, probably RHEL 7.X, but depending on the time in
> the future, that could well be RHEL 8.X.

"Platform" -- technically "Operational Environment" or "OE" -- is a rather peculiar concept in the context of FIPS 140-2 validations, and unfortunately one that has never been clearly defined (also one that changes over time due to ever shifting CMVP "guidance").

Based on observation and the conventional wisdom of the FIPS validation community, I'll attempt an oversimplified, unofficial, non-authoritative, non-definitive, and thoroughly worthless definition:

For Level 1 validations, very roughly speaking, an OE is an operating system name (e.g. "Ubuntu") and the first two dot-rev levels of the version number (e.g. "14.04" for "14.04.01", "14.04.02", etc.), *and* a "processor architecture". All x86-64 processors with AES-NI (again roughly speaking) are the same "processor architecture", as are all those without (and ditto for ARMv7 and NEON). 32 and 64 code comprise separate "platforms", and a given OS+OS version+processor architecture+address bit length "platform" running "bare-iron" constitutes a different "platform" from the exact same software+hardware combination running virtualized under each distinct brand name and version of hypervisor environment.

So for instance

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under VMware ESXi 5.1

is a different "platform" from

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under VMware ESXi 5.5

I've left out a number of known exceptions, complications, and anomalies...

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc