Skip to content

OpenSSL FIPS provider support #262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jbdelcuv merged 27 commits into from
Dec 27, 2024
Merged

OpenSSL FIPS provider support #262

jbdelcuv merged 27 commits into from
Dec 27, 2024

Conversation

@jbdelcuv
Copy link
Contributor

@jbdelcuv jbdelcuv commented Nov 27, 2024

Add support to the SGX-SSL library to have crypto algorithms run in the FIPS provider embedded in enclave images.

Instructions for building/testing, assuming you have an updated SGX SDK/PSW toolchain available:

$ cd Linux
$ make all FIPS=1
$ [sudo] make install
$ make test FIPS=1
$ make fips_test FIPS=1

Instructions for cleaning up:

$ sudo make uninstall
$ make clean

jinghe-INTC and others added 20 commits November 26, 2024 12:06
@jbdelcuv
update for OpenSSL 3.1.x (intel#187)
4586516 
Signed-off-by: He, Jing J <[email protected]>
@jbdelcuv
Create FIPS support branch based on OpenSSL 3.1 with a separate FIPS
87bad5c 
build option.

Co-authored-by: Juan del Cuvillo <[email protected]>
Signed-off-by: Jing He <[email protected]>
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Improve the patch.
4432ab9 
Signed-off-by: Jing He <[email protected]>
@jbdelcuv
Fix the keygen tests and other updates.
3b8f1bf 
Signed-off-by: Jing He <[email protected]>
@jbdelcuv
Workaround the failure of ec_d2i_publickey_test.
98b359b 
Signed-off-by: Jing He <[email protected]>
@jbdelcuv
Workaround the failure of the EC test cases.
f0f1bb8 
Signed-off-by: Jing He <[email protected]>
@jbdelcuv
Fix DH and AES-GCM test cases.
b3df72b 
Signed-off-by: Jing He <[email protected]>
@jbdelcuv
Add another ECDSA test case.
4e9380d
@jbdelcuv
Minor update to AES-GCM test case.
1c55967
@jbdelcuv
Minor update to the test enclave.
13c5f33
@jbdelcuv
Support loading fipsmodule.cnf included in openssl.cnf
2aaf6ee
@jbdelcuv
Add suport for getpid and time functions to solve the issue where the
b403dd5 
self-test was failing due to the additional reseeding caused by using
the RDTSC instruction.

Signed-off-by: Jing He <[email protected]>
@jbdelcuv
avoid fflush()
12bfa07 
Signed-off-by: Jing He <[email protected]>
@jbdelcuv
Removed unused functionality from this file.
d9f61e9 
"make all FIPS=1; make test FIPS=1" shows the OpenSSL FIP provider working inside an enclave.

Signed-off-by: Jing He <[email protected]>
@jbdelcuv
Build the FIPS provider in its own Makefile.
1353a3c 
The new Makefile provides the standard targets: all, clean, install and
uninstall that the main Mafile calls when the option FIPS is set.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Don't build the test app by default in FIPS mode since it depends on
be5eb51 
the FIPS provider.
Execute the install target first.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Add a simple test program demonstrating how to load the OpenSSL FIPS
de2ac50 
provider inside an enclave.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Replace error code so that OpenSSL 3.1.2 builds without changes,
cdb5bba 
although it isn't currently supported.
It appears that RAND_R_INVALID_PROPERTY_QUERY was added to randerr.h in
OpenSSL 3.1.6.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Document limitation regarding the location of the OpenSSL configuration
9258c91 
file in CONF_modules_load_file_ex.

Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv
Don't send the output of tar to the console.
fc21415 
Signed-off-by: Juan del Cuvillo <[email protected]>
@jbdelcuv jbdelcuv requested a review from lzha101 November 27, 2024 22:59
@jbdelcuv jbdelcuv self-assigned this Dec 5, 2024
@fchinchilla
Copy link

fchinchilla commented Dec 5, 2024

Looks good to me

lzha101
lzha101 reviewed Dec 9, 2024
View reviewed changes
lzha101
lzha101 reviewed Dec 9, 2024
View reviewed changes
jbdelcuv
jbdelcuv commented Dec 9, 2024
View reviewed changes
lzha101
lzha101 reviewed Dec 10, 2024
View reviewed changes
lzha101
lzha101 reviewed Dec 16, 2024
View reviewed changes
@jbdelcuv jbdelcuv linked an issue Dec 17, 2024 that may be closed by this pull request
Possibilities of supporting FIPS mode #143
Closed
@jbdelcuv
Generate an OpenSSL configuration file at build time.
7d10ac4 
Both sample apps include a template from which an OpenSSL configuration
file is generated rather than copying one from the SGX SDK.
@jbdelcuv
Revert "Generate an OpenSSL configuration file at build time."
c0b43e4 
This reverts commit 7d10ac4.
@jbdelcuv
Generate an OpenSSL configuration file at build time.
4b83850 
Both sample apps include a template from which an OpenSSL configuration
file is be generated rather than copying one from the SGX SDK.

Signed-off-by: Juan del Cuvillo <[email protected]>
lzha101
lzha101 reviewed Dec 20, 2024
View reviewed changes
lzha101
lzha101 reviewed Dec 20, 2024
View reviewed changes
@jbdelcuv jbdelcuv merged commit 366b098 into intel:main Dec 27, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lzha101 lzha101 lzha101 left review comments

@binxing binxing Awaiting requested review from binxing

@andyzyb andyzyb Awaiting requested review from andyzyb

@fchinchilla fchinchilla Awaiting requested review from fchinchilla

Assignees

@jbdelcuv jbdelcuv

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Possibilities of supporting FIPS mode

3 participants

@jbdelcuv @fchinchilla @lzha101