Questions on SCA6000 PCI card and SCF

Valerie Bubb Fenwick Valerie.Fenwick at Sun.COM
Fri Apr 18 12:06:15 PDT 2008


On Tue, 15 Apr 2008, Sanjay Agrawal wrote:

> Thanks all. This has been very helpful.
>
> One more question:
> Using SCA6000 through SCF wouldn't void the FIPS compliance that SCA6000
> provides. I am aware of the FIPS/SCF project but am not sure if current
> SCF's non-compliance with FIPS would affect the overall compliance. I
> guess if SCF is purely pass through with the "crypto boundary" at
> SCA6000, SCF shouldn't impact anything.

You have to be careful here. The Solaris cryptographic framework has
technologies like metaslot that may move cryptographic operations
to different providers seamlessly to the user.  So, if you wanted
to maintain 100% FIPS approved only access, you would need to disable
the metaslot or disable the non-SCA6000 providers.

Valerie

>
> Thanks,
> - sanjay
>
> Darren J Moffat wrote:
>> Sanjay Agrawal wrote:
>>> Let me see if I get this right:
>>> 1) NSS provides a wrapper for PKCS11 which means any PKCS11 provider
>>> can "plug-in" into NSS libraries.
>>
>> correct
>>
>>> 2) SCF is also a wrapper ( actually much more than a wrapper but I am
>>> using the term to draw a parallel between NSS and SCF) for PKCS11.
>>
>> correct
>>
>>> 3) NSS does NOT use SCF. It is a standalone library with its own
>>> plugin modules. So it can't use SCF enabled cryptos. For SCA6000 h/w
>>> acceleration to work, SCA6000 needs to provide PKCS11 interfaces that
>>> directly plugin into NSS.
>>
>> NSS does not use the Solaris libpkcs11 (PLEASE don't use the TLA SCF
>> it maps to far too many things in Solaris and libscf has nothing to do
>> with the crypto framework) by default but can be configured to do so
>> using modutil(1).
>>
>> For Solaris, hardware crypto like the SCA-6000 plugs in to the kernel
>> part of the crypto framework and appears in userland via
>> /usr/lib/libpkcs11.so.1
>>
>> So the SCA-6000 CAN be accessed via NSS using PKCS#11 just like the
>> UltraSPARC T1/T2 on chip crypto.
>>

Valerie
-- 
  Now appearing as "Shy" in the "Best Little W****house in Texas"
 	with Actors Theatre Center: April 19 - May 10
http://theatrecenter.biz/id13.html   http://blogs.sun.com/bubbva

