Re: Questions on fips object module for openssl
On 03/12/2014 01:19 AM, T, Satyanarayana (GE Healthcare) wrote: Hi, First thanks for the reply... Just some clarification needed, The difference between two processors I see is TI (AM37xx)Freescale(imx6) 1)ARMv7-A cortex A8Armv7-A cortex A9 2) Single core2 cores 3)Has neon capabilityHas neon capability So even if both has ARMv7+neon, but due to difference in both the architectures: no of cores:1,cortex A8 for TI and no of cores:4,cortex:A9 for imx6, can I assume that the validation for TI AM37xx is not valid for imx6q? Strange as it seems the *number* of cores in a processor is irrelevant to the FIPS 140-2 validation. Or perhaps not so strange when you consider that each of the multiple cores in a multi-core processor will execute the same object code in the same way (this is a case where common sense *does* apply). Likewise processor clock speed doesn't matter (FIPS 140-2 doesn't care about performance). Also is it possible for me to get any info on whether there is any openssl fips validation present which I can use for imx6+linux? We would all like more clarity for many aspects of FIPS 140-2. I've already shared my opinion about the equivalence of processor architectures (all ARMv7 processor with NEON being equivalent for FIPS validation purposes). You can always consult the formal scripture: http://csrc.nist.gov/groups/STM/cmvp/standards.html or ask the CMVP, the only ones able to supply authoritative answers: http://csrc.nist.gov/groups/STM/cmvp/contacts.html Or, you can sponsor formal testing of your specific platform which is the only other way to establish with absolute certainty the status of that platform. On several occasions we have done that for sponsors even when not necessary (as directly confirmed by the CMVP) to satisfy specific and unreasonable (as in above and beyond CMVP requirements) customer expectations. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Questions on fips object module for openssl
On 03/11/2014 06:16 AM, T, Satyanarayana (GE Healthcare) wrote: Hi, I have some queries on fips object module validation for openssl: I see in openssl project fips module that it is validated for linux 2.6 on some platforms (ex: TIAM3xx (armv7), PowerPC etc). The compiler for linux 2.6 is 4.2/4.1 versions pointed. We are planning to use freescale imx6(armv7) for our project with linux 2.6 and compiler 4.1/4.2, which I don’t see this specific configuration(linux OS+imx6 platform+gcc 4.1/4.2) being validated for fips. Can we use openssl fips with this specific configuration(linux OS+imx6+gcc 4.1/4.2) without validating again, since I see that fips is validated for linux os+gcc 4.1/4.2 or is it mandatory that processor platform also has to be same as one present in security policy. Unfortunately there isn't any clear and definitive guidance, but the general consensus appears to be that the specific version of the compiler is not critical to claiming a match to one of the officially tested platforms. That is a common sense conclusion as well, as many of those formally tested platforms use cross-compilation on a build system environment that is not specified (other than the compiler proper). The processor architecture does need to match. In the case of ARM processors that would be the core, as in ARMv5, ARMv7, etc., and in the case of ARMv7+ either ARMv7 without NEON or ARMv7 with NEON as those are considered two different processor architectures. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Questions on fips object module for openssl
Hi, First thanks for the reply... Just some clarification needed, The difference between two processors I see is TI (AM37xx) Freescale(imx6) 1)ARMv7-A cortex A8Armv7-A cortex A9 2) Single core2 cores 3)Has neon capabilityHas neon capability So even if both has ARMv7+neon, but due to difference in both the architectures: no of cores:1,cortex A8 for TI and no of cores:4,cortex:A9 for imx6, can I assume that the validation for TI AM37xx is not valid for imx6q? Also is it possible for me to get any info on whether there is any openssl fips validation present which I can use for imx6+linux? Regards, Satya. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess Sent: Tuesday, March 11, 2014 6:44 PM To: openssl-users@openssl.org Cc: Vember, Ananth G (GE Healthcare) Subject: Re: Questions on fips object module for openssl On 03/11/2014 06:16 AM, T, Satyanarayana (GE Healthcare) wrote: Hi, I have some queries on fips object module validation for openssl: I see in openssl project fips module that it is validated for linux 2.6 on some platforms (ex: TIAM3xx (armv7), PowerPC etc). The compiler for linux 2.6 is 4.2/4.1 versions pointed. We are planning to use freescale imx6(armv7) for our project with linux 2.6 and compiler 4.1/4.2, which I don't see this specific configuration(linux OS+imx6 platform+gcc 4.1/4.2) being validated for fips. Can we use openssl fips with this specific configuration(linux OS+imx6+gcc 4.1/4.2) without validating again, since I see that fips OS+imx6+is validated for linux os+gcc 4.1/4.2 or is it mandatory that processor platform also has to be same as one present in security policy. Unfortunately there isn't any clear and definitive guidance, but the general consensus appears to be that the specific version of the compiler is not critical to claiming a match to one of the officially tested platforms. That is a common sense conclusion as well, as many of those formally tested platforms use cross-compilation on a build system environment that is not specified (other than the compiler proper). The processor architecture does need to match. In the case of ARM processors that would be the core, as in ARMv5, ARMv7, etc., and in the case of ARMv7+ either ARMv7 without NEON or ARMv7 with NEON as those are considered two different processor architectures. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org