Design review of Admin/policy for FIPS 140-2 Solaris Crypto Framework
Hai-May Chao
Hai-May.Chao at sun.com
Thu Mar 13 11:29:35 PDT 2008
Garrett D'Amore wrote:
> Roughly, it looks reasonable to me. I'd like to see more detail on
> the crypto boundaries though. And presumably you are seeking only
> level 1?
>
Thanks for your review.
The level needs to be finalized and we're in the process of working on it.
Based on the current work, the crypto boundaries include libpkcs11,
pkcs11_softtoken, pkcs11_kernel, /dev/crypto, KCF, and the kernel software modules.
Thanks,
Hai-May
> -- Garrett
>
> Hai-May Chao wrote:
>> The following is the design for administration and policy configuration
>> to support FIPS 140-2 Cryptographic Framework. We had discussions
>> in this area among Valerie, Darren and myself. Thanks for their
>> earlier feedback.
>>
>> Please take a look and send comments. The review period for this will
>> close on 3/19/08.
>>
>> 1. Administration cryptoadm command
>>
>> We need to have the ability to toggle the FIPS mode of
>> operation in the Cryptographic Framework. The cryptoadm
>> command is extended to support enabling and disabling FIPS mode.
>>
>> SYNOPSIS:
>>
>> a. cryptoadm enable fips
>>
>> This is to enable FIPS mode.
>>
>> b. cryptoadm disable fips
>>
>> This is to disable FIPS mode.
>>
>> c. cryptoadm list fips
>>
>> This is to display the status of FIPS mode policy.
>> Output is:
>> fips=disabled (The default mode is disabled) or
>> fips=enabled
>>
>> 2. Policy configuration files
>>
>> a. The kernel-level policy configuration file (kcf.conf):
>>
>> A new entry corresponding to the FIPS mode policy is added:
>> fips=disabled (The default mode is disabled) or
>> fips=enabled
>>
>> Example - kcf.conf:
>> # Start SUNWcsr
>> fips=disabled
>> des:supportedlist=CKM_DES_CBC,CKM_DES_ECB,CKM_DES3_CBC,
>> CKM_DES3_ECB
>> aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
>> ...
>> ...
>> # End SUNWcsr
>>
>> The status of FIPS mode is set according to the command:
>> cryptoadm enable|disable fips
>>
>> b. The user-level policy configuration file (pkcs11.conf):
>>
>> A new entry corresponding to the FIPS mode policy is added:
>> fips=disabled (The default mode is disabled) or
>> fips=enabled
>>
>> Example - pkcs11.conf:
>> # Start SUNWcsr
>> fips=disabled
>>
>> metaslot:metaslot_status=enabled;metaslot_auto_key_migrate=enabled;
>> metaslot_token=Sun Software PKCS#11 softtoken;
>> metaslot_slot=Sun Crypto Softtoken
>> /usr/lib/security/$ISA/pkcs11_kernel.so
>> /usr/lib/security/$ISA/pkcs11_softtoken.so
>> # End SUNWcsr
>>
>> The status of FIPS mode is set according to the command:
>> cryptoadm enable|disable fips
>>
>> c. When the enable/disable fips command is issued from cryptoadm,
>> we make sure that the following places are synced:
>> pkcs11.conf, kcf.conf, and the global variable in the kernel indicating
>> the FIPS status.
>>
>> 3. When FIPS mode is enabled
>>
>> a. Keeping metaslot enabled
>>
>> We keep metaslot enabled in FIPS mode even if metaslot_auto_key_migrate
>> is enabled. This is because the keys are encrypted when they
>> cross the boundary.
>>
>> b. pkcs11_softtoken will be left enabled
>>
>> c. Keeping pkcs11_kernel enabled
>>
>> We don't disable pkcs11_kernel as pkcs11_kernel and KCF are inside
>> the crypto boundary. It is what is plugged into KCF that is the issue,
>> such as ncp and n2cp that should be disabled, but not pkcs11_kernel.
>> However if an SCA-6000 is installed, which is FIPS approved, as long
>> as the keys that pass from metaslot to pkcs11_kernel to /dev/crypto
>> to KCF to mca are wrapped, it is good from the FIPS view. Note that
>> we don't think such a configuration with the SCA-6000 should be part
>> of the framework FIPS evaluation.
>>
>> d. Disable non FIPS approved algorithms
>>
>> 4. Administrative ioctl changes
>>
>> a. CRYPTO_FIPS_STATUS
>>
>> This ioctl gets the current running FIPS status.
>> This ioctl is synchronous for the caller and does not
>> block before returning.
>>
>> typedef struct crypto_fips {
>>         uint_t fi_return_value;   /* CRYPTO_SUCCESS or CRYPTO_FAILED */
>>         uint_t fi_op;             /* not used by CRYPTO_FIPS_STATUS */
>>         uint_t fi_status;         /* FIPS_ENABLED or FIPS_DISABLED */
>> } crypto_fips_t;
>>
>> Valid values for fi_return_value are:
>> CRYPTO_SUCCESS
>> CRYPTO_FAILED
>>
>> Valid values for fi_status are:
>> FIPS_ENABLED (1)
>> FIPS_DISABLED (0)
>>
>> fi_op is not used for this ioctl.
>>
>> b. CRYPTO_FIPS_SET
>>
>> This ioctl enables/disables the FIPS mode.
>> This ioctl is synchronous for the caller and does not
>> block before returning.
>>
>> A global variable (e.g., uint_t fips_enable) will be defined
>> to be read/written from/to in KCF.
>>
>> typedef struct crypto_fips {
>>         uint_t fi_return_value;   /* CRYPTO_SUCCESS or CRYPTO_FAILED */
>>         uint_t fi_op;             /* FIPS_ENABLE or FIPS_DISABLE */
>>         uint_t fi_status;         /* not used by CRYPTO_FIPS_SET */
>> } crypto_fips_t;
>>
>> Valid values for fi_return_value are:
>> CRYPTO_SUCCESS
>> CRYPTO_FAILED
>>
>> Valid values for fi_op are:
>> FIPS_ENABLE (1)
>> FIPS_DISABLE (0)
>>
>> fi_status is not used for this ioctl.
>>
>>
>> Thanks,
>> Hai-May
>>
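As an added example (it is not OpenSolaris code and not part of this thread), the following C program models the cryptoadm FIPS policy path described in the design above in user space: the crypto_fips_t struct and the FIPS_* / CRYPTO_* names are those from the mail, the two ioctls become plain function calls standing in for CRYPTO_FIPS_SET and CRYPTO_FIPS_STATUS against a fips_enable global, kcf.conf and pkcs11.conf are in-memory buffers, and the sync requirement of point 2c is what the list operation enforces. The numeric values of CRYPTO_SUCCESS and CRYPTO_FAILED, the helper names (conf_fips_value, conf_set_fips, cryptoadm_list_fips, cryptoadm_set_fips, demo_fips_lifecycle) and the sample file contents are assumptions made here, not taken from the page.

```c
#include <string.h>

typedef unsigned int uint_t;
enum { CRYPTO_SUCCESS = 0, CRYPTO_FAILED = 1 };  /* placeholder values; the mail names these only */
enum { FIPS_DISABLED = 0, FIPS_ENABLED = 1 };    /* fi_status values given in the mail */
enum { FIPS_DISABLE = 0, FIPS_ENABLE = 1 };      /* fi_op values given in the mail */

typedef struct crypto_fips {
    uint_t fi_return_value;
    uint_t fi_op;
    uint_t fi_status;
} crypto_fips_t;

/* Stand-in for the KCF global the mail proposes (e.g. uint_t fips_enable). */
static uint_t fips_enable = FIPS_DISABLED;

/* Kernel side of CRYPTO_FIPS_SET: only the two documented fi_op values are accepted. */
int kcf_fips_set(crypto_fips_t *fp) {
    if (fp->fi_op != FIPS_ENABLE && fp->fi_op != FIPS_DISABLE) {
        fp->fi_return_value = CRYPTO_FAILED;
        return -1;
    }
    fips_enable = (fp->fi_op == FIPS_ENABLE) ? FIPS_ENABLED : FIPS_DISABLED;
    fp->fi_return_value = CRYPTO_SUCCESS;
    return 0;
}

/* Kernel side of CRYPTO_FIPS_STATUS: report the running state in fi_status. */
int kcf_fips_status(crypto_fips_t *fp) {
    fp->fi_status = fips_enable;
    fp->fi_return_value = CRYPTO_SUCCESS;
    return 0;
}

/* Hypothetical helper: fips= entry of a conf buffer; -1 if absent or malformed. */
int conf_fips_value(const char *conf) {
    for (const char *p = conf; *p; ) {
        size_t len = strcspn(p, "\n");                 /* length of this line */
        if (len == 12 && !strncmp(p, "fips=enabled", 12)) return FIPS_ENABLED;
        if (len == 13 && !strncmp(p, "fips=disabled", 13)) return FIPS_DISABLED;
        if (len >= 5 && !strncmp(p, "fips=", 5)) return -1;   /* fips=<anything else> */
        p += len + (p[len] == '\n');
    }
    return -1;
}

/* Hypothetical helper: copy conf into out, rewriting only the fips= line. */
int conf_set_fips(const char *conf, int enable, char *out, size_t outsz) {
    const char *want = enable ? "fips=enabled" : "fips=disabled";
    size_t used = 0;
    int found = 0;
    for (const char *p = conf; *p; ) {
        size_t len = strcspn(p, "\n"), n = len;
        const char *src = p;
        if (len >= 5 && !strncmp(p, "fips=", 5)) { src = want; n = strlen(want); found = 1; }
        if (used + n + 1 >= outsz) return -1;         /* keep room for '\n' and the final NUL */
        memcpy(out + used, src, n);
        used += n;
        if (p[len] == '\n') out[used++] = '\n';
        p += len + (p[len] == '\n');
    }
    out[used] = '\0';
    return found ? 0 : -1;
}

/* cryptoadm list fips: status only when kcf.conf, pkcs11.conf and the kernel agree, else -1. */
int cryptoadm_list_fips(const char *kcf, const char *p11) {
    crypto_fips_t q = {0, 0, 0};
    int k = conf_fips_value(kcf), u = conf_fips_value(p11);
    kcf_fips_status(&q);
    if (k < 0 || u < 0 || k != u || (uint_t)k != q.fi_status) return -1;
    return k;
}

/* cryptoadm enable|disable fips: update both files and the kernel global, then re-read all three. */
int cryptoadm_set_fips(int enable, char *kcf, size_t kcfsz, char *p11, size_t p11sz) {
    char tmp[512];
    crypto_fips_t req = {0, enable ? FIPS_ENABLE : FIPS_DISABLE, 0};
    if (conf_set_fips(kcf, enable, tmp, sizeof tmp) != 0 || strlen(tmp) >= kcfsz) return -1;
    memcpy(kcf, tmp, strlen(tmp) + 1);
    if (conf_set_fips(p11, enable, tmp, sizeof tmp) != 0 || strlen(tmp) >= p11sz) return -1;
    memcpy(p11, tmp, strlen(tmp) + 1);
    if (kcf_fips_set(&req) != 0 || req.fi_return_value != CRYPTO_SUCCESS) return -1;
    return cryptoadm_list_fips(kcf, p11);
}

/* Constructed sample file contents, modelled on the examples in the mail. */
static const char SAMPLE_KCF[] = "# Start SUNWcsr\nfips=disabled\n"
    "aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR\n# End SUNWcsr\n";
static const char SAMPLE_P11[] = "# Start SUNWcsr\nfips=disabled\n\nmetaslot:metaslot_status=enabled;"
    "metaslot_auto_key_migrate=enabled;\n/usr/lib/security/$ISA/pkcs11_softtoken.so\n# End SUNWcsr\n";

/* Lifecycle on the constructed files: disabled -> enabled (both files rewritten) ->
 * pkcs11.conf restored by hand (drift must be reported) -> disabled. Returns 1 on success. */
int demo_fips_lifecycle(void) {
    char kcf[256], p11[256];
    memcpy(kcf, SAMPLE_KCF, sizeof SAMPLE_KCF);
    memcpy(p11, SAMPLE_P11, sizeof SAMPLE_P11);
    if (cryptoadm_set_fips(0, kcf, sizeof kcf, p11, sizeof p11) != FIPS_DISABLED) return 0;
    if (cryptoadm_set_fips(1, kcf, sizeof kcf, p11, sizeof p11) != FIPS_ENABLED) return 0;
    if (!strstr(kcf, "fips=enabled") || !strstr(p11, "fips=enabled")) return 0;
    memcpy(p11, SAMPLE_P11, sizeof SAMPLE_P11);       /* old pkcs11.conf put back by hand */
    if (cryptoadm_list_fips(kcf, p11) != -1) return 0;
    return cryptoadm_set_fips(0, kcf, sizeof kcf, p11, sizeof p11) == FIPS_DISABLED;
}
```

The list operation deliberately refuses to answer from any single source: if a policy file has been edited by hand so that it disagrees with the other file or with the running kernel, the result is -1 rather than whichever value happened to be read first, which is the check an administrator wants after "cryptoadm enable fips" and before relying on the mode.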