18:39:03 <gitomat> [illumos-gate] 17182 libc: cleanup *printf code duplication -- Hans Rosenfeld <rosenfeld⊙gho>
19:12:32 <nomad> I'm going to regret asking this but I already regret needing to ask. We have a new grant coming in and need to comply with their security requirements. One of them is "The Contractor (and/or any subcontractor) must protect all government information that is or may be sensitive by securing it with a solution that is validated with current FIPS 140 validation certificate from the NIST CMVP.
19:12:39 <nomad> "
19:13:07 <nomad> anyway, I don't suppose there's any such certificates for, e,g the cryptographic modules in Illumos?
19:13:20 <nomad> especially those used with ZFS.
19:21:38 <richlowe> if there is, it would be via a distribution
19:21:49 <richlowe> I don't think it's really possible for illumos to be fips140
19:22:12 <richlowe> for a start, I'm pretty sure we'd have to ship a binary :)
19:22:31 <richlowe> danmcd: you're probably a person who would know?
19:22:46 <richlowe> jbk: and you're a person who would work somewhere that had a cert, if anyone did, I reckon
19:24:27 <danmcd> <sigh> fucking gumbies...
19:24:51 <nomad> I'm particularly concerned with OmniOS, as that's the distro we're using.
19:24:53 <danmcd> WE DO HAVE some FIPS140 infrastructure in Encryption Framework per se...
19:24:56 <danmcd>        The cryptoadm utility provides subcommands to enable and disable
19:24:56 <danmcd>        FIPS-140 mode in the Cryptographic Framework. It also provides a list
19:24:56 <danmcd>        subcommand to display the current status of FIPS-140 mode.
19:25:02 <jbk> we've licensed a FIPS140 certified crypto library and integrated it as a KCF module for zfs
19:25:07 <jbk> in our product
19:25:16 <danmcd> BUT TBH you want things outside of gate that do this.  Like OpenSSL, etc.
19:25:23 <jbk> (we also support FIPS140 certified self encrypting drives)
19:25:55 <danmcd> I don't know how gumby-ish "The Contractor (and/or any subcontractor)" is about it, but I expect they're probably more-than-just-checkboxing.
19:26:03 <jbk> there's all sorts of 'profiles' so just saying FIPS140 is a bit unspecific
19:26:39 <danmcd> You'll need someone who speaks official-standards to tell you what to expect-and-not and what is required-or-not.
19:26:47 <nomad> I'd like to honor the spirit as well as the wording, if that's at all possible.
19:27:15 <richlowe> the spirit of fips140 is "we're pretty sure you implemented this right, but to be pretty sure we have decided to be Onerous and nonsensical"
19:27:23 <danmcd> See jbk's idea of profiles.  That should honor the spirit insofar as "Don't use DES, MD5 (even HMAC), SHA1, etc..."
19:27:32 <jbk> danmcd: I thought garrett pulled a lot of that out since there was some closed sourced bits involved
19:27:34 <richlowe> forbid anyone to read your data while wearing matching socks
19:27:37 <danmcd> richlowe: in other words a fucking gumby.
19:27:47 <danmcd> jbk: that might very much be true.
19:27:52 <neuroserve> searching for "FIPS 140 zfs" finds at least quite a few people who have asked things in the same direction... 
19:28:13 <jbk> beyond that, it's you only use these approved mechanisms (e.g. I don't think chacha20/poly1305 is on the list)
19:28:30 <richlowe> jbk: that would make sense, if I recall (at least at the time) they certify _binaries_ of implementations
19:28:30 <jbk> and things like doing a self test at startup and basically not working if things fail
19:28:33 <jbk> etc.
19:28:37 <jbk> yes
19:28:47 <jbk> so things like updates become tricky
19:29:00 <jbk> since things like 'new behavior' require a new certification
19:29:01 <danmcd> My first contribution to anything public/open-source-y (yes even before fixing a small sockaddr kernel bug in  4.4BSD Lite) was definitions 2 and 3 here:
19:29:02 <danmcd> http://www.catb.org/jargon/html/G/gumby.html
19:29:03 <richlowe> I remember Val Fenwick had a lot of words about this, but some vague idea it might get better
19:29:11 <jbk> though things that are bug fixes I believe do not
19:29:14 <richlowe> but then I never had a reason to learn if it got better
19:29:17 <danmcd> ^^^  she's at Apple now (along with Mark)
19:29:59 <danmcd> (And yes I know all about esr ... this was literally 30 or more years ago)
19:30:52 <tsoome> the crypto bits we are using are from nss. not just nss, its like 14 years old nss. 
19:31:39 <nomad> the same contract also wants us to run SCAP, which - at least for Leeenux - demands automatic nightly patching.
19:31:47 <nomad> so much for certified binaries.
19:32:43 <nomad> "To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf."
19:34:00 <danmcd> Left hand and right hand are at cross-purposes... that NEVER HAPPENS IN THE GOVERNMENT!  (Even true in sane ones.)
19:34:44 <alanc> I suspect any FIPS-140 stuff in the gate is for older revisions the government no longer accepts
19:34:54 <richlowe> I would hope so alan
19:35:59 <richlowe> nomad: I don't know of a pre-built way to get automatic updates, and I'm not 100% certain the exit status of pkg(1) tells you enough to do it thoroughly
19:36:09 <nomad> Speaking of which, I don't suppose there's an openSCAP or equiv for Illumos/OmniOS by any chance? I haven't gotten around to looking  yet but thought I'd ask here as a lazy shortcut. :)
19:36:38 <richlowe> I don't know if you can tell if you need to reboot just from the exit
19:36:40 <jbk> they have long tails though
19:36:50 <alanc> we build & ship openscap in Solaris, so it should be buildable for illumos
19:37:01 <jbk> FIPS140-3 is (relatively) new, and has a pretty decent backlog in terms of certification
19:37:15 <richlowe> I would assume that would get worse before it gets better
19:37:29 <nomad> $BOSS just told me to focus on the SCAP stuff so.. <shrug>
19:37:31 <jbk> why if you look, lots of things tend to have disclaimers to the effect of 'certification in progress'
19:37:45 <alanc> does look like we patch it a bit though: https://github.com/oracle/solaris-userland/tree/master/components/openscap
19:41:52 <richlowe> some of the patches a bit important too: https://github.com/oracle/solaris-userland/blob/master/components/openscap/patches/zz_probe_package511.patch
19:42:59 <alanc> yeah, you probably want that if you're on a distro using IPS
19:43:00 <nomad> could I possibly be so lucky that there's an installable package? That would be a nice improvement on my day so far.
19:44:09 <alanc> looks like OI dropped their openscap package years ago: https://github.com/OpenIndiana/oi-userland/pull/1430
19:44:45 <alanc> an installable package?  the solaris-userland one will only be installable on Solaris - you'd need to build from source for an illumos distro
19:45:54 <alanc> the solaris-userland one also provides the framework, but the openscap benchmarks for the Solaris compliance & healthcheck tests are closed source and not provided there
19:50:32 <andyf> richlowe - this is how I do itbloody% pfexec pkg update --parsable=0 -n | jq '."create-new-be"'
19:50:32 <andyf> true
19:52:11 <richlowe> clever
21:25:25 <gitomat> [illumos-gate] 16151 want dprintf() -- Hans Rosenfeld <rosenfeld⊙gho>