Silly me.
I did not read the entire thread carefully.
Thanks

Can somone on the Rocky team please provide an update? If you would like to email me directly, I can be contacted ‘jimmyg@nist.gov’

Thanks!

Jimmy Graham
jimmyg@nist.gov

I am also very interested in FIPS validation for Rocky Linux.
I don’t see anything in the NIST in -process list: https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List.

Is the process for FIPS validation actually started?

Thanks
Tom

If you read the earlier posts in this thread you would see the link to the thread that has an answer to your questions.

Regards

Bill

Thanks for your reply Bill, but as I stated above, the Rocky Linux libraries are not listed “in process”, so there is no indication that the FIPS validation process was started back in June 2021.

I was looking for confirmation that in fact the paperwork has been filed and we can expect that around June 2022 Rocky Linux will be a FIPS validated distro (aka the C libraries are FIPS 140-2 or 140-3 validated).

Thanks
Tom

FIPS is a goal. We’re really trying to hit a FIPS certification. And this is not my area of expertise at all, but I’ve been contacted by a lot of organizations that have basically offered to help us do this, help us achieve this level of certification. But to do that, that means that the entire infrastructure has to be approved. We have to build the entire infrastructure from ground up, kind of designed to be able to meet these standards, to ensure that what comes out of it, the product that comes out of this can be absolutely trusted. And it gets really difficult when you start thinking about how do you do that when you have n number of people in the community committing code. So that’s the big piece of what we’re trying to solve right now.

going by the commit for that podcast here: transcripts/the-changelog-427.md at master · thechangelog/transcripts · GitHub

that was 7 December 2021. Be patient guys, I’m sure they will announce it when it’s ready.

Reminds me when you go on a holiday in the car, and it takes hours to get there, and you’ve got the kids every 5-10 minutes saying “are we nearly there yet?”.

Thanks for the info iwalker, I fully understand the fact that these things take time.

As you may guess, I am involved in FedRAMP certified software and we are currently using CentOS 7. Luckily we are slow and never moved to 8, otherwise we would be really screwed.

The guidance from the PMO is that if you are using CentOS, you need to have a plan to move off. For CentOS dependent software like mine there are three strong possibilities: 1) Buy RHEL 2) look at Rocky Linux 3) Take the hit and move to another non-RHEL based distro.

My fervent hope is for #2 - Rocky Linux. But the PMO office requires a “firm commitment” to a timeline, which is why the expected ETA is very important to us.

So we nag. I would say that nagging every 3-6 months is fairly reasonable.

Thanks
Tom

Hi Tom, I think you’re lucky you didn’t rush from CentOS 7 to 8, as there were a lot thinking that it would be supported until 2029, and then found a month later they only had a year left.

Is your migration from CentOS7 reliant on FIPS? What I mean is, is that mandatory and your company or whatever won’t accept migration to a system which is not yet FIPS compliant? Or are they a little flexible in that they will allow you to move, on the basis that FIPS will appear in the near future?

I’m pretty confident that FIPS will be achieved by the Rocky Team, I believe in them that this will be done. Obviously with Rocky only running such a short time, there is so much to do. It’s a bit different for the players that have been doing this for years already and most likely have dedicated FIPS teams in place, like RHEL for example, Juniper, etc, etc, (and the other known companies on the NIST waiting for approval list).

After reading the transcript from the podcast, and what was mentioned there, seems there is a huge amount of things involved, rather than just a quick certify and job done. Alma Linux theoretically are also in progress (from a quick Google and the AMA on Reddit), although they also aren’t showing in the list as far as I can see anyway. Obviously, that’s on the basis that the list is completely up-to-date. So it could be that Rocky (or Alma) haven’t made the list but it’s in progress. Other than Oracle (not an alternative for me, but some would consider it), there isn’t too much else to choose from right now if you are time-constrained and are being forced to make a decision to migrate to an existing FIPS certified (leaving RHEL as a choice).

But I hope, you’re not being pushed and can hold out and wait for Rocky since CentOS 7 is not EOL until June 2024.

Ian

BUMP !
Any status updates available ?

Looking for any confirmation that this is at least in process. Upon knowing that, then it becomes more obvious that one can relax and simply add at least 6-12 months before checking on status again.

Appreciate anyone who can take the time to confirm one way or another whether this is actually being done. Thanks.

Thanks for this Ian. It is very helpful to know that 140-3 is the target and the wheels are turning.

My situation is that I need at least a plan for moving from CentOS7. If that plan can be “Moving to Rocky 8.x and they will be FIPS 140 when we do” then that will make me (and others) happy.

The scary part is having no visibility into the time frame of that plan because my bosses immediately ask the followup question: “When will Rocky be FIPS 140 validated?”

Tom

Good to know that Rocky 8 is working towards FIPS compliance. I guess, though, that you probably won’t be ready and approved by June 30, 2022 , huh?

That’s my government agency’s cutoff date for unsupported and non-FIPS compliant OSes.

Argh! Was trying to generate a new Cert for another Web Server and found this thread, so my question is, well disabling FIPS allow the generation of and use of the Cert using the traditional command?

openssl genrsa -des3 -out www.domainName2.com.key.pass 2048

UPDATE: I just realized I’ve asked the question around Aug’21 Generating RSA private key w/FIPS Enabled Error and never checked for a reply. I just read the link provided and it looks like this will take a while to understand and implement. So for now I’ll just disable FIPS and create a FIPS Dev Server.

FINAL QUESTION: Will a “Let’s Encrypt” Cert work properly with FIPS enable?

Incidentally, Rocky Linux has been listed as approved on the NGA swap list (that’s a software list of approved/disapproved software). Some entities will allow “reciprocity”

This website below is PKI CAC protected, but it shows Rocky Linux in the approved column. https://swap.nga.mil/list

Ok, that aside, is there any update on FIPS 140-3 for Rocky Linux? I realize FIPS 140-3 doesn’t get built any faster than Rome itself.

Thanks
Testedinproduction

So I am going to echo testedinproduction above and ask for the FIPS status of Rocky 8 again.
Its been 5 months, and I promised I wouldn’t nag more than every quarter.

So - Can we get the current status?

Thanks.
Tom

We are excited to announce that Rocky Linux has reached a significant step in the FIPS 140-3 validation process; right on schedule, Rocky Linux is now named in the NIST Implementation Under Test List.

Big thanks to our founding partner and sponsor CIQ, who has arranged and paid for the FIPS validation process and will be providing it back to the entire RESF/Rocky community. This is not a small effort, the FIPS validation is a million dollar investment and we’re very grateful for their contribution. Thank you CIQ!

Great news!

Thanks @brian .
Tom

Great news, however, I did wonder about two things:
I noted that it appears locked to 8.6 rather than a more generic 8. Would this mean that only 8.6 gets the FIPS certification rather than Rocky Linux 8? RHEL 8 does not have a specific sub version.

I also noted that RHEL had more components on the list: GnuTLS and Kernel Crypto API as well as the 3 Rocky Linux has (libgcrypt, NSS, OpenSSL). Will that also potentially have a long term affect?

RHEL is certified as minor versions, not sure why that doesn’t show up there. However it is listed correctly on Red Hat’s own website: Government Standards - Red Hat Customer Portal

I’ll dig around and see what the story is regarding components certified.