FIPS Validation

Where is Rocky Linux in its quest to become FIPS validated, please?


I don’t know if there’s been any update on this but you can find an answer from brian in this thread: Need FIPS 140-2 requirement for Rocky Linux - #3 by dave.t.engineer

Yes, but that thread is six months old
:dizzy_face:

Yes, but the comment says that the process will take “…a little over a year” and by my reckoning it still has six months plus to go.

Silly me.
I did not read the entire thread carefully.
Thanks

Can someone on the Rocky team please provide an update? If you would like to email me directly, I can be contacted at jimmyg@nist.gov

Thanks!

Jimmy Graham
jimmyg@nist.gov

I am also very interested in FIPS validation for Rocky Linux.
I don’t see anything in the NIST in-process list: https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List.

Is the process for FIPS validation actually started?

Thanks
Tom

If you read the earlier posts in this thread you would see the link to the thread that has an answer to your questions.

Regards

Bill

Thanks for your reply Bill, but as I stated above, the Rocky Linux libraries are not listed “in process”, so there is no indication that the FIPS validation process was started back in June 2021.

I was looking for confirmation that in fact the paperwork has been filed and we can expect that around June 2022 Rocky Linux will be a FIPS validated distro (aka the C libraries are FIPS 140-2 or 140-3 validated).

Thanks
Tom

FIPS is a goal. We’re really trying to hit a FIPS certification. And this is not my area of expertise at all, but I’ve been contacted by a lot of organizations that have basically offered to help us do this, help us achieve this level of certification. But to do that, that means that the entire infrastructure has to be approved. We have to build the entire infrastructure from ground up, kind of designed to be able to meet these standards, to ensure that what comes out of it, the product that comes out of this can be absolutely trusted. And it gets really difficult when you start thinking about how do you do that when you have n number of people in the community committing code. So that’s the big piece of what we’re trying to solve right now.

Going by the commit for that podcast here: transcripts/the-changelog-427.md at master · thechangelog/transcripts · GitHub

that was 7 December 2021. Be patient, guys; I’m sure they will announce it when it’s ready.

Reminds me when you go on a holiday in the car, and it takes hours to get there, and you’ve got the kids every 5-10 minutes saying “are we nearly there yet?”. :slight_smile:

Thanks for the info iwalker, I fully understand the fact that these things take time.

As you may guess, I am involved in FedRAMP certified software and we are currently using CentOS 7. Luckily we are slow and never moved to 8, otherwise we would be really screwed. :expressionless:

The guidance from the PMO is that if you are using CentOS, you need to have a plan to move off. For CentOS dependent software like mine there are three strong possibilities: 1) Buy RHEL 2) look at Rocky Linux 3) Take the hit and move to another non-RHEL based distro.

My fervent hope is for #2 - Rocky Linux. But the PMO office requires a “firm commitment” to a timeline, which is why the expected ETA is very important to us.

So we nag. I would say that nagging every 3-6 months is fairly reasonable. :slight_smile:

Thanks
Tom

Hi Tom, I think you’re lucky you didn’t rush from CentOS 7 to 8, as there were a lot of people thinking that it would be supported until 2029, and then a month later they found they only had a year left.

Is your migration from CentOS7 reliant on FIPS? What I mean is, is that mandatory and your company or whatever won’t accept migration to a system which is not yet FIPS compliant? Or are they a little flexible in that they will allow you to move, on the basis that FIPS will appear in the near future?

I’m pretty confident that FIPS will be achieved by the Rocky Team, I believe in them that this will be done. Obviously with Rocky only running such a short time, there is so much to do. It’s a bit different for the players that have been doing this for years already and most likely have dedicated FIPS teams in place, like RHEL for example, Juniper, etc, etc, (and the other known companies on the NIST waiting for approval list).

After reading the transcript from the podcast, and what was mentioned there, seems there is a huge amount of things involved, rather than just a quick certify and job done. Alma Linux theoretically are also in progress (from a quick Google and the AMA on Reddit), although they also aren’t showing in the list as far as I can see anyway. Obviously, that’s on the basis that the list is completely up-to-date. So it could be that Rocky (or Alma) haven’t made the list but it’s in progress. Other than Oracle (not an alternative for me, but some would consider it), there isn’t too much else to choose from right now if you are time-constrained and are being forced to make a decision to migrate to an existing FIPS certified (leaving RHEL as a choice).

But I hope, you’re not being pushed and can hold out and wait for Rocky :slight_smile: since CentOS 7 is not EOL until June 2024.

Ian
