On 03/08/2013 05:00 AM, Jakob Bohm wrote:
> On 3/8/2013 10:34 AM, Abhijit Ray Chaudhury wrote:
>> Hello,
>>
>> I am trying to cross compile FIPS compliant openssl module
>> (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 platform :
>>
>> ...
>>
>> Please let me know how to pass CFLAGS to the build system or how to
>> resolve above problems.
>>
> I don't think you can change the CFLAGS without having to go through the
> entire many-thousand-dollars-and-lots-of-time official validation
> process again.

As with so much of FIPS 140-2 that's a grey area. We sometimes set CFLAGS (or the moral equivalent) in the build environment for the formal Operational Environment testing, e.g.:

http://opensslfoundation.com/testing/validation-2.0/platforms/ios/setenv-ios.sh

So you could "user affirm" per the provisions of section G.5 of the Implementation Guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf.

On 03/08/2013 05:20 AM, Abhijit Ray Chaudhury wrote:
>
> Is it valid FIPS compliant procedure, if I create a shell script
> naming gcc , which calls the cross compiler passing additional flags ?

Same issue.

One reason the 2.0 FIPS module (validation certificate #1747) has so many platforms (over 60 now, a record for any validation) is that the sponsors of some of those platforms weren't comfortable with I.G. G.5 user affirmation. So they chose to have their platform(s) of interest formally tested. We are also currently working on another dozen some platforms.

Jakob is right about the cost, at least in absolute terms; figure about US$15K and 8-12 weeks. That's expensive compared to free but in relative terms a bargain compared to the commercial alternatives.

In some cases user affirmation isn't possible. That happens when the processor architecture and corresponding "code path" hasn't been formally tested at all. Linux on MIPS, for instance. As the number of formally tested platforms grows those gaps shrink.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com