On 03/25/2015 06:26 PM, jonetsu at teksavvy.com wrote: > On Wed, 25 Mar 2015 17:03:04 -0400 > Steve Marquess <marquess at openssl.com> wrote: > >> I wasn't aware the Linux kernel (the real one, not proprietary >> commercial derivatives) had a "FIPS" mode. Please enlighten me. > > It could very well be that the word 'mode' is not the right one. > 'option' would perhaps be better. This article from 2009 sets the > foundation: > > http://www.guerilla-ciso.com/archives/793 > > I wonder, 6 years later, what the kernel fips option implies. Maybe I > could try to contact Neil Horman and?or look into the sources. That reference gives a pretty good explanation. CONFIG_CRYPTO_FIPS doesn't get you any closer to FIPS 140-2 validated kernel cryptography. Unfortunately FIPS 140-2 validation conflicts rather violently with open source software (and with software engineering best practice in general, for that matter). Even if some benevolent benefactor ponied up the quarter megabuck it would take to do an open source based kernel crypto validation, it would be fossilized code obsolete before the validation was even approved. Linux got to be as good as it is due to constant refinement and improvement; FIPS validation presumes that it is possible to write perfect code in one shot and that the environment that code runs in never changes. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
