In article <u859bs$q1h7$1@dont-email.me>,
Arne Vajhøj <arne@vajhoej.dk> wrote:
>On 7/5/2023 9:43 PM, Dan Cross wrote:
>> In article <u84l3q$kcjd$1@dont-email.me>,
>> Arne Vajhøj <arne@vajhoej.dk> wrote:
>>> On 7/5/2023 4:33 PM, Arne Vajhøj wrote:
>>>> Per:
>>>>
>>>> https://www.openssl.org/docs/fips.html
>>>> https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282
>>>>
>>>> then OpenSSL is FIPS 140-2 certified on:
>>>>
>>>> <quote>
>>>>     Debian 11.5 running on Dell Inspiron 7591 with Intel i7(x86) with PAA
>>>>     Debian 11.5 running on Dell Inspiron 7591 with Intel i7(x86)
>>>> without PAA
>>>>     FreeBSD 13.1 running on Dell Inspiron 7591 with Intel i7(x64) with PAA
>>>>     FreeBSD 13.1 running on Dell Inspiron 7591 with Intel i7(x64)
>>>> without PAA
>>>>     macOS 11.5.2 running on Apple i7 Mac Mini with Intel i7(x64) with PAA
>>>>     macOS 11.5.2 running on Apple i7 Mac Mini with Intel i7(x64)
>>>> without PAA
>>>>     macOS 11.5.2 running on Apple M1 Mac Mini with M1 with PAA
>>>>     macOS 11.5.2 running on Apple M1 Mac Mini with M1 without PAA
>>>> (single-user mode)
>>>>     Ubuntu Linux 22.04.1 LTS running on Dell Inspiron 7591 with Intel
>>>> i7(x64) with PAA
>>>>     Ubuntu Linux 22.04.1 LTS running on Dell Inspiron 7591 with Intel
>>>> i7(x64) without PAA
>>>>     Windows 10 running on Dell Inspiron 7591 with Intel i7(x64) with PAA
>>>>     Windows 10 running on Dell Inspiron 7591 with Intel i7(x64) without
>>>> PAA
>>>> </quote>
>>>>
>>>> Maybe VSI want VMS on that list.
>>>
>>> But I wonder.
>>>
>>> How will VSI get FIPS 140-2 certification for VMS x86-64 if they only
>>> support running in VM not on physical hardware??
>>
>> Virtual Machines, by definition, run most of their instructions
>> on the physical hardware, including in kernel mode. Running in
>> a VM does not preclude one from access to high-quality hardware
>> facilitated entropy sources a priori.
>
>No. But that is not the problem.
>
>FIPS 140-2 certification is a certification of hardware
>and software.

Hypervisors are software. The guest OS running on them is also
software. Certifying an OS running on a specific hypervisor on
a specific hardware platform is certainly doable.

>VMS 9.2-1 on a VirtualBox VM setup as ... running on
>RockyLinux 9 running on Dell Inspiron 7591 with Intel i7(x64)????

Sounds pretty bog standard as these things go, but I imagine it
would be more like VMS on ESXi on a Dell Xeon thing. Probably
much of that combination is already at least partially tested
for the US military (ESXi on Dell hardware was very common when
I was a communications officer in the US Marine Corps, which
wasn't _that_ long ago).

- Dan C.

On Wednesday, July 5, 2023 at 10:36:48 PM UTC-4, Arne Vajhøj wrote:
> No. But that is not the problem.
>
> FIPS 140-2 certification is a certification of hardware
> and software.
>
> VMS 9.2-1 on a VirtualBox VM setup as ... running on
> RockyLinux 9 running on Dell Inspiron 7591 with Intel i7(x64)????
>
> Arne

I'll note that certification isn't necessarily required for procurement, and that
it ISN'T a combination of hardware AND software together. You can certify
specific combinations, yes, just as you can certify just hardware alone, or
just software alone.

Note, that windows, with the correct configuration, is considered compliant
on ANY hardware or virtualization solution. You can be validated as Software,
Software-Hybrid, or Hardware. Microsoft's solutions are almost all validated
as SOFTWARE or SOFTWARE-HYBRID. It is compliant when configured
correctly, regardless of hardware.

What you listed above in a previous post is the "tested configuration"
which isn't the actual validation. It's just saying what they used to
validate that specific module meets the requirements and standards in
NIST lab setup.

Take a look at the consolidated certificate, showing the hardware/software
configurations of the actual validations:

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/August%202022_010922_0715_signed.pdf

Note that the OpenSSL FIPS Provider validation is only referring to the
software version, and has NO hardware data with it. Because the validation is
on the software only.

The important takeaways from the OpenSSL validation you linked is -
"When operated in FIPS mode. No assurance of the minimum strength of
generated keys." and "Module type: SOFTWARE". That means, yes, it's
compliant, with caveats.

Nominally, the software is only considered to be functioning in validated
and compliant mode if configured according to the security policy (usually)
linked on the validation page.

"This is what we tested it on" isn't the same as "it is only validated on".

Side note, CMVP which is no longer accepting submissions for 140-2
certifications - only 140-3. After September 21, 2026 140-2 modules are
considered "historical" and should only be procured in support of existing
deployments.

On Wednesday, July 5, 2023 at 11:28:37 PM UTC-4, Dan Cross wrote:
> In article <u859bs$q1h7$1...@dont-email.me>,
> Arne Vajhøj <ar...@vajhoej.dk> wrote:
> >On 7/5/2023 9:43 PM, Dan Cross wrote:
> >> In article <u84l3q$kcjd$1...@dont-email.me>,
> >> Arne Vajhøj <ar...@vajhoej.dk> wrote:
> >>>> Debian 11.5 running on Dell Inspiron 7591 with Intel i7(x86) with PAA
> >>>> Debian 11.5 running on Dell Inspiron 7591 with Intel i7(x86)
> >>>> without PAA
> >>>> FreeBSD 13.1 running on Dell Inspiron 7591 with Intel i7(x64) with PAA
> >>>> FreeBSD 13.1 running on Dell Inspiron 7591 with Intel i7(x64)
> >>>> without PAA
> >>>> macOS 11.5.2 running on Apple i7 Mac Mini with Intel i7(x64) with PAA
> >>>> macOS 11.5.2 running on Apple i7 Mac Mini with Intel i7(x64)
> >>>> without PAA
> >>>> macOS 11.5.2 running on Apple M1 Mac Mini with M1 with PAA
> >>>> macOS 11.5.2 running on Apple M1 Mac Mini with M1 without PAA
> >>>> (single-user mode)
> >>>> Ubuntu Linux 22.04.1 LTS running on Dell Inspiron 7591 with Intel
> >>>> i7(x64) with PAA
> >>>> Ubuntu Linux 22.04.1 LTS running on Dell Inspiron 7591 with Intel
> >>>> i7(x64) without PAA
> >>>> Windows 10 running on Dell Inspiron 7591 with Intel i7(x64) with PAA
> >>>> Windows 10 running on Dell Inspiron 7591 with Intel i7(x64) without
> >>>> PAA

> Hypervisors are software. The guest OS running on them is also
> software. Certifying an OS running on a specific hypervisor on
> a specific hardware platform is certainly doable.
> >VMS 9.2-1 on a VirtualBox VM setup as ... running on
> >RockyLinux 9 running on Dell Inspiron 7591 with Intel i7(x64)????
> Sounds pretty bog standard as these things go, but I imagine it
> would be more like VMS on ESXi on a Dell Xeon thing. Probably
> much of that combination is already at least partially tested
> for the US military (ESXi on Dell hardware was very common when
> I was a communications officer in the US Marine Corps, which
> wasn't _that_ long ago).
>
> - Dan C.

In this specific case, it's just the test/lab configurations that were used..
Note that it's each OS on two different configurations.

Linux x86 (where applicable) and x64 in both modes.
FreeBSD in x64 with both modes.
macOS on x64 and ARM in both modes.

The organization that submitted it for validation wanted it tested in all
those.

Sounds like the lab just used the first 3 machines available that
could run all the tests under the submission's request.

But as this is a software module validation, as long as the source is
unmodified for this module, and it passes its own internal unmodified
self-tests, it would be considered validated and approved on VSI VMS
without any additional need to do anything.

Since it's only the OpenSSL module itself that's validated. Nothing else.

However, for sake of ease and procurement procedures, OS vendors
do tend to time to time submit for validation their implementation.
Especially ones delivered in binary form. But it would be trivial for me
to get approval and/or defend procurement if I can demonstrate that
the correct module and version is loaded and in use in the correct
configuration.

On 2023-06-15 22:26:00 +0000, John Dallman said:

> * AMD CPUs compatibility
> * Initial support for KVM SCSI VirtIO
> * Built-in SSL3
> * Numerous fixes and improvements to the debugger and dump analyzer
> * Many native compilers, such as C, C++, Fortran, and Macro, are now
> available for field test. A new set that includes Bliss, COBOL, and
> BASIC is expected to become available soon
> * Support for newer VMWare hypervisors versions
> * Additional entropy collection mechanism
>
> https://vmssoftware.com/about/news/2023-06-15-openvms-v9-2-1-release/
>
> "SSL3" seems to mean OpenSSL v3, not the SSL v3 protocol, which has been
> deprecated for years.
>
> John

It would be nice to get my hands on this. The registration page form
is hopelessly horked with the stupid reCAPTCHA.

Doesn't anyone read the messaged via the site's contact form or is that
too fucked up?

On 2023-08-16, Brian Schenkenberger <mail@SendSpamHere.ORG> wrote:
>
> It would be nice to get my hands on this. The registration page form
> is hopelessly horked with the stupid reCAPTCHA.
>

That must be new. Don't ever recall having to do that before or is it
only x86-64 specific ?

> Doesn't anyone read the messaged via the site's contact form or is that
> too fucked up?
>

I do get replies from queries sent via the contact form (at least when
VSI decide not to ignore me. :-))

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.