Garrett D'Amore wrote:
> Roughly, it looks reasonable to me. I'd like to see more detail on
> the crypto boundaries though. And presumably you are seeking only
> level 1?
>

Thanks for your review. The level needs to be finalized and we're in the
process of working on it. Based on the current work, the crypto boundaries
include libpkcs11, pkcs11_softtoken, pkcs11_kernel, /dev/crypto, KCF, and
the kernel software modules.

Thanks,
Hai-May

> -- Garrett
>
> Hai-May Chao wrote:
>> The following is the design for administration and policy configuration
>> to support FIPS 140-2 Cryptographic Framework. We had discussions
>> in this area among Valerie, Darren and myself. Thanks for their
>> earlier feedback.
>>
>> Please take a look and send comments. The review period for this will
>> close on 3/19/08.
>>
>> 1. Administration cryptoadm command
>>
>> We need to have the ability to toggle the FIPS mode of
>> operation in the Cryptographic Framework. Extend the cryptoadm
>> command to support enabling and disabling FIPS mode.
>>
>> SYNOPSIS:
>>
>> a. cryptoadm enable fips
>>
>>    This is to enable FIPS mode.
>>
>> b. cryptoadm disable fips
>>
>>    This is to disable FIPS mode.
>>
>> c. cryptoadm list fips
>>
>>    This is to display the status of FIPS mode policy.
>>    Output is:
>>        fips=disabled (The default mode is disabled) or
>>        fips=enabled
>>
>> 2. Policy configuration files
>>
>> a. The kernel-level policy configuration file (kcf.conf):
>>
>>    A new entry corresponding to the FIPS mode policy is added:
>>        fips=disabled (The default mode is disabled) or
>>        fips=enabled
>>
>>    Example - kcf.conf:
>>        # Start SUNWcsr
>>        fips=disabled
>>        des:supportedlist=CKM_DES_CBC,CKM_DES_ECB,CKM_DES3_CBC,
>>        CKM_DES3_ECB
>>        aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
>>        ...
>>        ...
>>        # End SUNWcsr
>>
>>    The status of FIPS mode is set according to the command:
>>        cryptoadm enable|disable fips
>>
>> b. The user-level policy configuration file (pkcs11.conf):
>>
>>    A new entry corresponding to the FIPS mode policy is added:
>>        fips=disabled (The default mode is disabled) or
>>        fips=enabled
>>
>>    Example - pkcs11.conf:
>>        # Start SUNWcsr
>>        fips=disabled
>>
>>        metaslot:metaslot_status=enabled;metaslot_auto_key_migrate=enabled;
>>        metaslot_token=Sun Software PKCS#11 softtoken;
>>        metaslot_slot=Sun Crypto Softtoken
>>        /usr/lib/security/$ISA/pkcs11_kernel.so
>>        /usr/lib/security/$ISA/pkcs11_softtoken.so
>>        # End SUNWcsr
>>
>>    The status of FIPS mode is set according to the command:
>>        cryptoadm enable|disable fips
>>
>> c. When the disable/enable fips command is issued from cryptoadm,
>>    we make sure that the following places are sync'ed:
>>    pkcs11.conf, kcf.conf and the global variable in the kernel indicating
>>    the FIPS status.
>>
>> 3. When FIPS mode is enabled
>>
>> a. Keeping metaslot enabled
>>
>>    We keep metaslot enabled in FIPS mode even if metaslot_auto_key_migrate
>>    is enabled. This is because the keys are encrypted when they
>>    cross the boundary.
>>
>> b. pkcs11_softtoken will be left enabled
>>
>> c. Keeping pkcs11_kernel enabled
>>
>>    We don't disable pkcs11_kernel as pkcs11_kernel and KCF are inside
>>    the crypto boundary. It is what is plugged into KCF that is the issue,
>>    such as ncp and n2cp that should be disabled, but not pkcs11_kernel.
>>    However if an SCA-6000 is installed, which is FIPS approved, as long
>>    as the keys that pass from metaslot to pkcs11_kernel to /dev/crypto
>>    to KCF to mca are wrapped, it is good from the FIPS view. Note that
>>    we don't think such a configuration with the SCA-6000 should be part
>>    of the framework FIPS evaluation.
>>
>> d. Disable non-FIPS-approved algorithms
>>
>> 4. Administrative ioctl changes
>>
>> a. CRYPTO_FIPS_STATUS
>>
>>    This ioctl gets the current running FIPS status.
>>    This ioctl is synchronous for the caller and does not
>>    block before returning.
>>
>>        typedef struct crypto_fips {
>>            uint_t fi_return_value;
>>            uint_t fi_op;
>>            uint_t fi_status;
>>        } crypto_fips_t;
>>
>>    Valid values for fi_return_value are:
>>        CRYPTO_SUCCESS
>>        CRYPTO_FAILED
>>
>>    Valid values for fi_status are:
>>        FIPS_ENABLED (1)
>>        FIPS_DISABLED (0)
>>
>>    fi_op is not used for this ioctl.
>>
>> b. CRYPTO_FIPS_SET
>>
>>    This ioctl enables/disables the FIPS mode.
>>    This ioctl is synchronous for the caller and does not
>>    block before returning.
>>
>>    A global variable (e.g., uint_t fips_enable) will be defined
>>    to be read/written from/to in KCF.
>>
>>        typedef struct crypto_fips {
>>            uint_t fi_return_value;
>>            uint_t fi_op;
>>            uint_t fi_status;
>>        } crypto_fips_t;
>>
>>    Valid values for fi_return_value are:
>>        CRYPTO_SUCCESS
>>        CRYPTO_FAILED
>>
>>    Valid values for fi_op are:
>>        FIPS_ENABLE (1)
>>        FIPS_DISABLE (0)
>>
>>    fi_status is not used for this ioctl.
>>
>>
>> Thanks,
>> Hai-May
>>
>> _______________________________________________
>> crypto-discuss mailing list
>> crypto-discuss at opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss
>>
>
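Section 2c of the quoted design requires pkcs11.conf, kcf.conf and the kernel's FIPS global to stay in sync. As an added example that is not part of this thread or of the OpenSolaris cryptoadm code, the checker below parses the two policy-file layouts shown in sections 2a and 2b (the fips= entry, continuation lines ending in ',' or ';', provider library paths) and reports whether the three views agree; the kernel value is passed in as a flag standing in for what CRYPTO_FIPS_STATUS would report, and the sample files are constructed.

```python
# Constructed sample files in the layout the design shows (sections 2a, 2b).
KCF_CONF = """\
# Start SUNWcsr
fips=enabled
des:supportedlist=CKM_DES_CBC,CKM_DES_ECB,CKM_DES3_CBC,
CKM_DES3_ECB
aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
# End SUNWcsr
"""
PKCS11_CONF = """\
# Start SUNWcsr
fips=disabled
metaslot:metaslot_status=enabled;metaslot_auto_key_migrate=enabled;
metaslot_token=Sun Software PKCS#11 softtoken;
metaslot_slot=Sun Crypto Softtoken
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so
# End SUNWcsr
"""

def parse_policy(text):
    """Return (fips, entries): fips is 'enabled'/'disabled'/None (entry absent);
    entries maps provider name or .so path to its attribute string."""
    fips, entries, logical = None, {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or '# Start/End' marker
            continue
        logical += line
        if line.endswith((",", ";")):          # continued on the next line
            continue
        if logical.startswith("fips="):
            fips = logical[len("fips="):]
        elif ":" in logical and not logical.startswith("/"):
            name, attrs = logical.split(":", 1)  # e.g. des:supportedlist=...
            entries[name] = attrs
        else:
            entries[logical] = ""               # bare provider library path
        logical = ""
    return fips, entries

def fips_policy_report(kcf_text, pkcs11_text, kernel_fips_enabled):
    """Compare the three places section 2c says must stay in sync. The kernel
    flag stands in for a CRYPTO_FIPS_STATUS result; a missing fips= entry
    means the default, disabled. Returns (consistent, {source: status})."""
    views = {"kcf.conf": parse_policy(kcf_text)[0] or "disabled",
             "pkcs11.conf": parse_policy(pkcs11_text)[0] or "disabled",
             "kernel": "enabled" if kernel_fips_enabled else "disabled"}
    return len(set(views.values())) == 1, views
```

With the constructed samples the report flags a mismatch, since kcf.conf says enabled while pkcs11.conf says disabled; a real tool would read both files from /etc/crypto and query the kernel instead of taking a flag.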