On 03/27/2015 04:45 AM, Henrik Grindal Bakken wrote: > Steve Marquess <marquess at openssl.com> > writes: > >>> If the CMVP bureaucracy insists on a specific kernel version >>> for the platform number, this should be one of the "Long Term >>> Support" kernel releases to maximize longevity (assuming that >>> regular OS patching within a version number is still accepted >>> as "same platform"). >> >> Worse: it would need to be validated on every "Operational Environment" >> (OE): meaning every Linux distribution: Debian N.M for every N and M, >> Fedora N.M, Ubuntu N.M, CentOS N.M, ... > > Are you certain? For a user-space component like OpenSSL, this is > obviously true, but I think you could argue that a kernel module's > "Operational Environment" has no relation to the Linux distro, only to > the kernel it's loaded by and the hardware architecture (and perhaps the > compiler). > Nope, been there done that with the CMVP. When an known distro is in use (Debian, Fedora, ...) we're (generally) required to use that as the OE "operating system" name. Which is a bit ironic as a given Linux distro for a fixed major.minor version number may step through multiple kernel versions (even from 2.x to 3.x, for instance) during the life cycle of that major.minor release. Take a look at table 2 of the #1747 Security Policy (or any other module with large numbers of platforms, though there aren't many of those). You'll see multiple Linux distros that share the same Linux kernel. We didn't do that for fun. We've only been able to use the Linux kernel version itself as the "operating system" name and version number in the case of specialty embedded systems where the product vendor builds their own kernel from source. Then ironically vendors are allowed to do "vanity branding" of a standard distro, for example by rebranding stock "Ubuntu 12.04" as "AcmeOS 1.1". That vendor can then choose to rebrand Ubuntu 14.04 as "AcmeOS 1.1.1", which by the unwritten rule of OE equivalence is still AcmeOS 1.1. That's several kinds of crazy, but it is what it is. Note the point here holds for a hypothetical kernel module validation, as it hinges on the CMVP conception of an "OE". You can see that from the existing kernel module validations. Incidentally, the trend for the past several years has been for the CMVP to require ever more specificity in "OE" designations. For instance, the exact same guest image running on ESXi 5.1 and on ESXi 5.2, for identical hardware, now constitutes two separate "OEs". Logic doesn't really apply here... -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc