The Digi ConnectCore 6UL module is FIPS 140-2 Level 1 certified. This topic describes how to enable, verify, and use FIPS-Capable OpenSSL on these modules.
|Check the current FIPS certificate at https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3176.|
The FIPS (Federal Information Processing Standards) 140-2 level 1 standard is an information technology security approval program for cryptographic modules. It is geared toward private-sector vendors who seek certification for products used in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information.
OpenSSL itself is not FIPS validated, nor will it be validated in the future. Instead, a special carefully defined software component called the OpenSSL FIPS Object Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography.
Digi Embedded Yocto enables you to build the OpenSSL FIPS Object Module 2.0 and configure OpenSSL to use it.
|This feature is not available out of the box and requires a Non-Disclosure Agreement to be in place. Contact a Digi sales representative for more information.|
Add the meta-digi-fips layer
|Contact a Digi sales representative to request the meta-digi-fips layer.|
Extract the meta-digi-fips Yocto layer under the Digi Embedded Yocto sources directory.
$ tar -xf meta-digi-fips.tar -C <DEY-INSTALLDIR>/sources
Edit your project’s bblayers.conf configuration file and add the meta-digi-fips layer by adding the following line:
Enable FIPS-capable OpenSSL
To enable FIPS-capable OpenSSL, add the following line to your local.conf:
OPENSSL_FIPS = "1"
This configures Digi Embedded Yocto to:
Build a FIPS Object Module
Build OpenSSL v1.0.2 with the fips configuration option
The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this way is referred to as a FIPS-capable OpenSSL. You can use it either as a drop-in replacement for a non-FIPS OpenSSL or to generate FIPS mode applications.
|Yocto 2.6 uses OpenSSL v1.1.1 by default, and many other packages in the filesystem depend on this specific version. Since the FIPS Object Module isn’t currently available for this version, the meta-digi-fips layer will make Yocto build both the regular v1.1.1 and the FIPS-capable v1.0.2 OpenSSL libraries. To avoid confusion, the command line app installed with the FIPS-capable v1.0.2 libraries is renamed to openssl102 in the filesystem.|
Verify FIPS-capable OpenSSL
Check the openssl102 version with:
~# openssl102 version OpenSSL 1.0.2r-fips 26 Feb 2019
The -fips suffix after the version number indicates that OpenSSL was built with FIPS support.
Note, however, that the openssl102 application does NOT use FIPS mode by default. To use FIPS mode, you must define the environment variable OPENSSL_FIPS. The following fragment shows the differences when enabling TIPS mode:
In a non-FIPS-capable OpenSSL, an error is shown.
~$ openssl102 version OpenSSL 1.0.2r-fips 26 Feb 2019 ~$ OPENSSL_FIPS=1 openssl102 version FIPS mode not supported.
When you run a command in a FIPS-capable OpenSSL with FIPS mode enabled, execution time increases due to the POST (Power On Self Test), a procedure required by FIPS 140-2.
~$ time openssl102 version OpenSSL 1.0.2r-fips 26 Feb 2019 real 0m 0.07s user 0m 0.05s sys 0m 0.01s ~$ OPENSSL_FIPS=1 time openssl102 version OpenSSL 1.0.2r-fips 26 Feb 2019 real 0m 0.42s user 0m 0.40s sys 0m 0.02
Use FIPS-capable OpenSSL
Applications using the OpenSSL API should explicitly enable FIPS mode if desired. For reference, use the following code excerpt in the randtest application (automatically installed along with the OpenSSL library when using meta-digi-fips) to set and check FIPS mode:
#ifdef OPENSSL_FIPS if (!FIPS_mode_set(1)) printf("Failed to enable FIPS mode\n"); else printf("FIPS mode is set\n"); #else printf("FIPS mode is not available\n"); #endif
When building OpenSSL with FIPS 140-2 support, the randtest application will take some extra time doing the FIPS 140-2 Power On Self Test, and then it will run the random number test:
~$ time randtest FIPS mode is set test 1 done test 2 done test 3 done test 4 done real 0m0.143s user 0m0.130s sys 0m0.010s
On the other hand, building OpenSSL without FIPS 140-2 support results in the following execution time and message:
~$ time randtest FIPS mode is not available test 1 done test 2 done test 3 done test 4 done real 0m0.009s user 0m0.010s sys 0m0.000s
For more information, see Section 5: Creating Applications Which Reference the FIPS Object Module of the OpenSSL User Guide 2.0.
Build a custom SDK with FIPS support
The prebuilt DEY-2.6 toolchain includes the files needed to develop applications using the OpenSSL v1.1.1 library. However, since FIPS-capable OpenSSL is limited to v1.0.2, you must generate a custom SDK to develop applications with FIPS-capable libraries.
Using a project with OPENSSL_FIPS enabled, generate an SDK:
$ bitbake -c populate_sdk dey-image-qt
The SDK will include the FIPS OpenSSL v1.0.2 development files.