FIPS Validation

We are excited to announce that Rocky Linux has reached a significant step in the FIPS 140-3 validation process; right on schedule, Rocky Linux is now named in the NIST Implementation Under Test List.

Big thanks to our founding partner and sponsor CIQ, who has arranged and paid for the FIPS validation process and will be providing it back to the entire RESF/Rocky community. This is not a small effort; the FIPS validation is a million-dollar investment and we’re very grateful for their contribution. Thank you CIQ!

Great news!

Thanks @brian.
Tom

Great news, however, I did wonder about two things:
I noted that it appears locked to 8.6 rather than a more generic 8. Would this mean that only 8.6 gets the FIPS certification rather than Rocky Linux 8? RHEL 8 does not have a specific sub version.

I also noted that RHEL had more components on the list: GnuTLS and Kernel Crypto API as well as the 3 Rocky Linux has (libgcrypt, NSS, OpenSSL). Will that also potentially have a long-term effect?

RHEL is certified as minor versions, not sure why that doesn’t show up there. However it is listed correctly on Red Hat’s own website: Government Standards - Red Hat Customer Portal

I’ll dig around and see what the story is regarding components certified.

Hey Brian, any chance you identified additional information regarding this? Thanks!

Brian,

I see that Rocky 8 OpenSSL is still IUT for FIPS 140-3. What version of Rocky 8 openssl is currently being tested for CMVP?

RHEL8 is maintaining their 1.1.1 certification under the FIPS 140-2 requirements, but CMVP is no longer accepting new submissions for 140-2. With the RHEL8 upstream being OpenSSL 1.1.1, I am assuming that Rocky has submitted 1.1.1 for FIPS 140-3, but I have heard that there were new FIPS 140-3 requirements that may not be able to be met with OpenSSL 1.1.1.

If Rocky is pursuing 140-3 for 1.1.1, has the cryptography team run into any challenges in meeting the 140-3 requirements that may prevent this certification from completing?

Thanks for your time!

Perhaps I’ve missed it, but is Rocky 9 (nine!) being FIPS validated? Any status where in the process it is would be appreciated. Thanks!

Any timelines, updates, on the Rocky 8 FIPS validation? Should we do a gofundme RCKY8 FIPS validation campaign to help nudge things along :grimacing: ?

@christopher.schanzle the first validation is for 8, but the subsequent validation for 9 will be much faster (and preparations are being made for it).

@chroot I don’t have an exact timeline, but additional funding won’t help (though donations are always appreciated!). It’s a tremendous amount of development, testing, and back and forth with the crypto lab.