Vikram Arwade wrote:
> ...
> Also is it OK to build using “perl Configure fipscanisterbuild
> solaris-sparcv9-cc” or do we need to use “./config fipscanisterbuild”?
> If we need to use “./config fipscanisterbuild” then how do we build on
> solaris sparcv9 using studio 11?

Not if you're planning to call the result FIPS 140-2 validated. The
Security Policy and User Guide are both (IMHO) excruciatingly clear on
that point.

You can't use the v1.2 module on a platform for which the module as
validated (including the Security Policy build instructions) is not
suitable. Those build instructions presume a default build environment
for the host O/S distribution, i.e. what you get when you procure and
install that distribution in the usual and customary way. Granted, there
is a bit of a gray area concerning the nature of that "usual and
customary" environment. The installation of standard vendor supplied
patches and upgrades presumably does not invalidate the host O/S
distribution (I say "presumably" because only the CMVP can make any
authoritative judgments). Installation of a vendor supplied optional
compiler (where more than one such is available) would presumably also
be allowed, as would standard well-known third-party libraries or tools.
I'm not familiar with Studio 11 but it does appear to be a vendor
supplied and supported development product, so it might be acceptable
provided that it is installed in such a way that it constitutes the
default compiler, linker, etc., so that "./config fipscanisterbuild"
works. Changing the module code or those build command incantations is
clearly *not* allowed, period.

Keep in mind that all you need is fipscanister.o itself. Too many
software vendors seem to think they have to fit the fipscanister.o build
from the source tarball into their own specific internal build process.
The CMVP has already staked out a claim on a particular special process
leaving little latitude for creative reinterpretation. It may be a lot
easier to create fipscanister.o as a separate independent step, as
defined and required in the Security Policy, and *then* throw the
resulting fipscanister.o into the special ornate and elaborate internal
process. It may even be appropriate to image a standalone build machine
with a stock O/S distribution just for the purposes of creating
fipscanister.o, as that file can then be moved to a non-standard but ABI
compatible platform.
-Steve M.
--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
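
One way to keep the hand-off described in the reply checkable (build fipscanister.o as its own step on a stock machine, then move the file into the internal build) is to record a digest where the object is created and refuse it downstream if the bytes differ. This is an added example, not part of the original message and not OpenSSL tooling; the function names, the manifest layout and the availability of `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example: hand-off check for a separately built fipscanister.o.
# Function names and manifest format are hypothetical; sha256sum is assumed.

# Print the SHA-256 of a file as bare hex.
file_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Run on the standalone build machine after fipscanister.o exists.
# usage: canister_manifest <path/to/fipscanister.o> <manifest-file>
canister_manifest() {
    obj=$1; manifest=$2
    [ -f "$obj" ] || { echo "missing: $obj" >&2; return 2; }
    {
        echo "file=$(basename "$obj")"
        echo "sha256=$(file_digest "$obj")"
        echo "size=$(wc -c < "$obj" | tr -d ' ')"
        echo "host=$(uname -srm)"   # where the object was produced
    } > "$manifest"
}

# Run in the internal build before linking: accept the object only if it
# is byte-for-byte what the standalone machine produced.
# usage: canister_verify <path/to/fipscanister.o> <manifest-file>
canister_verify() {
    obj=$1; manifest=$2
    [ -f "$obj" ] && [ -f "$manifest" ] || { echo "missing input" >&2; return 2; }
    want=$(sed -n 's/^sha256=//p' "$manifest")
    got=$(file_digest "$obj")
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "OK: $obj matches manifest"
    else
        echo "MISMATCH: $obj differs from the object that was built" >&2
        return 1
    fi
}
```

The manifest travels with the object file; a non-zero return from `canister_verify` should stop the downstream build.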