FIPS compliance: openssl fipsinstall required for every container?

[kulkarniamit]

If a docker image has OpenSSL 3 (built with a validated FIPS provider and fipsmodule.cnf generated using openssl fipsinstall command), would each container based on that image need to run openssl fipsinstall again to achieve FIPS compliance?

As per the guidance in README-FIPS.md, it states that, "The FIPS module must have the self tests run, and the FIPS module config file output generated on every machine that it is to be used on"

Referring to the OpenSSL FIPS 140-2 Security Policy, it specifies that, "Module config file output generated on each platform where it is intended to be used. The Module config file output data shall not be copied from one machine to another"

Is a docker container considered a distinct platform or machine in this context?

[nhorman]

I believe the answer to your question is yes, fipsinstall must be re-run in a docker environment, as there is no guarantee that a docker container will be executed on the same platform as which it was built. There may be some leeway in that if your docker environment restricts the platforms on which it is run (i.e. if you are running strictly in a localized docker environment, so as to guarantee that the platform that built the container is always the one that runs the container), but if that cannot be guaranteed, the fipsinstall command should be re-run.

consider the use of a docker container in a heterogeneous kubernetes environment with a mix of systems. On some systems a source of entropy may be robust, whereas on another platform the a source of entropy may be weak, leading to self test failures.

the advice I would give you is to construct your container such that the fipsinstall command is part of your entrypoint startup script. If you are concerned about startup times, you could construct your container such that the path to your fipsconfig is bound to a local storage volume that is created on first run. Then, on subsequent image starts, only run the fipsinstall command if the fips config file isn't present, allowing subsequent startups to proceed more quickly. There is some danger with that approach, as it would be possible to inject an invalid fips configuration by manually creating the volume, but dependent on your specific approach you may be able to mitigate that (I believe that docker allows for encrypted volumes that prevent modification outside of the mounting container)

[paulidale]

Note: your container must not contain the fipsmodule.cnf file if you rely on this approach.

[paulidale]

As per the 3.0 FIPS provider security policy (which you absolutely must read & understand before claiming compliance), running fipsinstall is required for every installation regardless of how or where or when it is made. I.e. you must run fipsinstall on every installation before you can use the FIPS provider in approved mode.

The start up time augment should be mostly irrelevant with the more streamlined power on tests NIST has instigated over the past few years. It ought to run reasonable quickly on all platforms. No promises of course.

[t8m]

Note: your container must not contain the fipsmodule.cnf file if you rely on this approach.

This is not correct. The fipsmodule.cnf file is needed for the module integrity check checksum. However it must not contain the install-mac variable.