On 07/21/2014 01:48 PM, Moffatt, Greg wrote: > Greetings > > > > We’re investigating on what’s required to add FIPS support to our product. > > > > We’ve noticed that OpenSSL currently doesn’t support MIPS – specifically > on Linux 3.10 kernels. > > > > It’s not clear to me that the “Change Letter” process would be suitable > for this. In our investigation we can generate a FIPS module with only > additions to the Configure script, without any other source changes > required. > > > > What would be the process to investigate this further and/or proceed > with a “Change Letter” to add MIPS?
This is a common situation and the reason we're currently testing the 101st platform ("Operational Environment") for the #1747 validation. The Security Policy, and caveat on the NIST CMVP web site, very specifically state that "There shall be no additions, deletions or alterations to the tar file contents as used during module build." They mean that quite literally; no modifications no matter how trivial, not even cosmetic or whitespace changes. So the Implementation Guidance G.5 "user affirmation" isn't a viable option when such modifications are necessary. Such modifications -- for platform portability -- are generally allowed in the context of a "change letter" update, which is why we're now working on the eighth such revision. For "uncomplicated" platforms our cost for adding that platform to the #1747 validation is typically US$15,000 (sometimes less for current clients or multiple platforms done at once). Anything running Linux *probably* qualifies as "uncomplicated". If you can afford to wait long enough there is always the chance that someone else will sponsor the specific platform that you want. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org