Please note that there are two checksums in the configuration file. One of them is the FIPS module checksum and the other is the checksum of the configuration. You can copy the file across machines if it is without the configuration checksum - that means the selftest will be always run when the FIPS module (i.e., the fips provider) is loaded. You cannot copy the file if the configuration checksum is present in it though because that means the selftest won't be run on the machines where you copy the configuration file to. That would be against the FIPS implementation guidance that requires to run the selftests at least once after the installation. Tomas On Tue, 2022-02-15 at 10:31 +1100, Dr Paul Dale wrote: > Yes, this has to do with the FIPS standards. I forget which > standard > it is but the self tests are mandated to be run on each device > independently. > > The fipsinstall process runs the self tests before generating the > configuration file. If the self tests fail, the module doesn't > install. Copying the configuration file across avoids the self tests > and therefore isn't compliant. > > > Pauli > > > On 15/2/22 02:25, Richard Dymond wrote: > > > > > Hi > > > > Probably a dumb question, but why must the FIPS module > > configuration file for OpenSSL 3.0 be generated on every machine > > that it is to be used on (i.e. must not be copied from one machine > > to another)? > > > > I just ran 'openssl fipsinstall' on two different machines with the > > same FIPS module and it produced exactly the same output each time, > > so presumably the reason has nothing to do with the config file > > being unique to the machine. > > > > Does it have something to do with the FIPS standard itself? > > > > Richard > > -- Tomáš Mráz, OpenSSL
