Krishna Yenduri wrote:
> Hai-May Chao wrote:
>> The proposal looks good.
>> ...
>>
>> c. When disable/enable fips command is issued from cryptoadm,
>> we make sure that the following places are sync'ed:
>> pkcs11.conf, kcf.conf and the global variable in kernel indicating
>> the FIPS status.
>>
>
> What happens during boot? Do we look at both pkcs11.conf and kcf.conf
> and then issue a "cryptoadm enable fips", if needed?
>
Yes. "cryptoadm refresh" is run during boot time. It will be enhanced to
handle the "cryptoadm enable fips" case.

> What happens if for some reason, pkcs11.conf and kcf.conf are
> in disagreement (say system panicked before kcf.conf could be updated)?
>
If necessary, we could generate a warning message if they are out of sync,
asking the admin to re-issue cryptoadm enable/disable fips.

>> 3. When FIPS mode is enabled
>>
>> a. Keeping metaslot enabled
>>
>> We keep metaslot enabled in FIPS mode even if metaslot_auto_key_migrate
>> is enabled. This is because the keys are encrypted when they
>> cross the boundary.
>>
>
> The boundary here refers to the boundary of a PKCS #11 slot. Right?
>
Correct.

>> ...
>>
>> c. Keeping pkcs11_kernel enabled
>>
>> We don't disable pkcs11_kernel as pkcs11_kernel and KCF are inside
>> the crypto boundary. It is what is plugged into KCF that is the issue,
>> such as ncp and n2cp that should be disabled, but not pkcs11_kernel.
>>
>
> Do we document that the admin should disable ncp and n2cp before doing
> "cryptoadm enable fips" OR do we do it as part of the "cryptoadm enable fips"
> processing?
>
We should document this. This is because we don't have a programmatic way
to tell whether a hardware provider is FIPS certified or not.

>> However if an SCA-6000 is installed, which is FIPS approved, as long
>> as the keys that pass from metaslot to pkcs11_kernel to /dev/crypto
>> to KCF to mca are wrapped, it is good from the FIPS view. Note that
>> such a configuration with the SCA-6000 we don't think should be part
>> of the framework FIPS evaluation.
>>
>> d. Disable non FIPS approved algorithms
>>
>
> Is this step required? If so, make sure we don't impact any system services
> that depend on non FIPS approved algorithms like MD5 (via the crypto API).
>
It is required. But I'm not sure what can be done so it won't impact the
consumers of algorithms such as MD5. Any insight is appreciated.

>> b. CRYPTO_FIPS_SET
>>
>> This ioctl enables/disables the FIPS mode.
>>
>
> This needs to be a privileged operation and we need to audit this action.
>
Agreed.

Thanks for your review!
Hai-May
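The boot-time consistency check discussed above (pkcs11.conf and kcf.conf disagreeing after a panic between the two updates, with a warning asking the admin to re-issue cryptoadm enable/disable fips), as an added example that is not code from the thread, from cryptoadm, or from the Solaris crypto framework. The file names, the "fips-140:fips_status=<enabled|disabled>" line format, and the sample file contents are assumptions constructed for this example; a real refresh would also compare against the third source named in the proposal, the kernel's FIPS status variable.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Solaris cryptoadm
# implementation): a boot-time consistency check between the two config
# files that "cryptoadm enable/disable fips" is expected to keep in sync.
# The file names and the "fips-140:fips_status=<enabled|disabled>" line
# format used below are assumptions for this example.

# Print the FIPS status recorded in one config file: "enabled", "disabled",
# or "missing" when the file has no such line (or does not exist).
fips_status_of() {
    _file=$1
    _val=$(sed -n 's/^fips-140:fips_status=\([a-z]*\).*$/\1/p' "$_file" 2>/dev/null | tail -n 1)
    if [ -z "$_val" ]; then
        echo missing
    else
        echo "$_val"
    fi
}

# Compare pkcs11.conf and kcf.conf. On agreement, print the common status
# and return 0. On disagreement (e.g. a panic between the two updates) or a
# missing entry, print a warning to stderr asking the admin to re-issue
# "cryptoadm enable/disable fips" and return 1.
check_fips_sync() {
    _pkcs11_conf=$1
    _kcf_conf=$2
    _p=$(fips_status_of "$_pkcs11_conf")
    _k=$(fips_status_of "$_kcf_conf")
    if [ "$_p" = "$_k" ] && [ "$_p" != "missing" ]; then
        echo "$_p"
        return 0
    fi
    echo "WARNING: FIPS status out of sync: $_pkcs11_conf=$_p $_kcf_conf=$_k;" \
         "re-issue 'cryptoadm enable fips' or 'cryptoadm disable fips'" >&2
    return 1
}

# Constructed sample files standing in for /etc/crypto/pkcs11.conf and
# /etc/crypto/kcf.conf: a consistent pair, plus a kcf.conf left stale as it
# would be if the system panicked before the second file was updated.
DEMO_DIR=$(mktemp -d)
printf '# constructed pkcs11.conf\nfips-140:fips_status=enabled\n' > "$DEMO_DIR/pkcs11.conf"
printf '# constructed kcf.conf\nfips-140:fips_status=enabled\n' > "$DEMO_DIR/kcf.conf"
printf '# constructed kcf.conf left stale\nfips-140:fips_status=disabled\n' > "$DEMO_DIR/kcf_stale.conf"

if check_fips_sync "$DEMO_DIR/pkcs11.conf" "$DEMO_DIR/kcf.conf"; then
    echo "consistent: boot-time refresh may proceed"
fi
if ! check_fips_sync "$DEMO_DIR/pkcs11.conf" "$DEMO_DIR/kcf_stale.conf"; then
    echo "inconsistent: admin must re-run cryptoadm enable/disable fips"
fi
```

The check deliberately treats a missing entry the same as a mismatch: a file with no FIPS line gives no evidence of the admin's intent, so the refresh should warn rather than silently pick one side.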