FIPS 140-3 Kernel Module Implementation
A new FIPS 140 standalone kernel module is available as part of an effort to redesign and
shrink the FIPS 140-3 cryptographic module boundary by encapsulating a stable kernel
crypto API within a standalone fips140.ko kernel module.
This change helps to provide separation between the cryptographic module and the rest of the kernel, so FIPS certification can be targeted to the cryptographic module used by the kernel. This implementation means that the cryptographic module boundary doesn't change each time the kernel is compiled, and provides greater confidence in the certification.
The new implementation embeds the fips140.ko module and its HMAC digest
within the vmlinux kernel image after compilation. The HMAC is checked
when the module is loaded, using the HMAC algorithm implemented within
fips140.ko itself. When FIPS mode is enabled, the boot loader loads the module and
its digest into memory alongside the rest of the kernel. These
cryptographic components can easily be extracted from the kernel image for verification
purposes.
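The check described above can be reproduced offline once the module and its digest have been extracted. The following is an added example, not code from the kernel or from this page: it assumes HMAC-SHA256, a placeholder key, and constructed sample bytes in place of the real fips140.ko, and it accepts the stored digest as either raw bytes or hex text.

```python
import hashlib
import hmac

# Assumptions (not from the original page): HMAC-SHA256 as the MAC and a
# placeholder key. Use the algorithm and key your module's security policy gives.
ASSUMED_HASH = hashlib.sha256
PLACEHOLDER_KEY = b"<integrity-key-from-security-policy>"


def parse_digest(stored: bytes, size: int) -> bytes:
    """Accept the stored digest as raw bytes or as hex text (openssl-style)."""
    if len(stored) == size:
        return stored
    text = stored.decode("ascii", errors="replace").strip()
    # Tolerate "HMAC-SHA256(file)= <hex>" style lines by taking the last token.
    token = text.split()[-1] if text else ""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        raise ValueError("stored digest is neither raw nor hex") from None
    if len(raw) != size:
        raise ValueError("stored digest has the wrong length")
    return raw


def verify_module(module: bytes, stored_digest: bytes, key: bytes) -> bool:
    """Recompute the HMAC over the module image and compare in constant time."""
    mac = hmac.new(key, module, ASSUMED_HASH)
    expected = parse_digest(stored_digest, mac.digest_size)
    return hmac.compare_digest(mac.digest(), expected)


# Constructed sample data standing in for the extracted fips140.ko and digest.
SAMPLE_MODULE = b"\x7fELF" + bytes(range(64))
SAMPLE_DIGEST = hmac.new(PLACEHOLDER_KEY, SAMPLE_MODULE, ASSUMED_HASH).digest()

if __name__ == "__main__":
    print("intact:", verify_module(SAMPLE_MODULE, SAMPLE_DIGEST, PLACEHOLDER_KEY))
    tampered = SAMPLE_MODULE[:-1] + b"\x00"
    print("tampered:", verify_module(tampered, SAMPLE_DIGEST, PLACEHOLDER_KEY))
```

A single changed byte in the module, or a digest computed under a different key, makes the comparison fail, which is the condition the load-time check treats as an integrity failure.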
Note:
This change is transparent and you continue to enable FIPS mode in the same way as before.