The Digi ConnectCore 6UL module is FIPS 140-2 Level 1 certified. This topic describes how to enable, verify, and use FIPS-Capable OpenSSL on these modules.

The FIPS (Federal Information Processing Standards) 140-2 level 1 standard is an information technology security approval program for cryptographic modules. It is geared toward private-sector vendors who seek certification for products used in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information.

OpenSSL itself is not FIPS validated, nor will it be validated in the future. Instead, a special carefully defined software component called the OpenSSL FIPS Object Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography.

Digi Embedded Yocto enables you to build the OpenSSL FIPS Object Module 2.0 and configure OpenSSL to use it.

This feature is not available out of the box and requires a Non-Disclosure Agreement to be in place. Contact a Digi sales representative for more information.

Add the meta-digi-fips layer

Contact a Digi sales representative to request the meta-digi-fips layer.
  1. Extract the meta-digi-fips Yocto layer under the Digi Embedded Yocto sources directory.

    $ tar -xf meta-digi-fips.tar -C <DEY-INSTALLDIR>/sources
  2. Edit your project’s bblayers.conf configuration file and add the meta-digi-fips layer by adding the following line:

    <DEY-INSTALLDIR>/sources/meta-digi-fips

Enable FIPS-capable OpenSSL

To enable FIPS-capable OpenSSL, add the following line to your local.conf:

OPENSSL_FIPS = "1"

This configures Digi Embedded Yocto to:

  • Build a FIPS Object Module

  • Build OpenSSL v1.0.2 with the fips configuration option

The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this way is referred to as a FIPS-capable OpenSSL. You can use it either as a drop-in replacement for a non-FIPS OpenSSL or to generate FIPS mode applications.

Yocto 2.6 uses OpenSSL v1.1.1 by default, and many other packages in the filesystem depend on this specific version. Since the FIPS Object Module isn’t currently available for this version, the meta-digi-fips layer will make Yocto build both the regular v1.1.1 and the FIPS-capable v1.0.2 OpenSSL libraries. To avoid confusion, the command line app installed with the FIPS-capable v1.0.2 libraries is renamed to openssl102 in the filesystem.

Verify FIPS-capable OpenSSL

Check the openssl102 version with:

~# openssl102 version
OpenSSL 1.0.2r-fips  26 Feb 2019

The -fips suffix after the version number indicates that OpenSSL was built with FIPS support.

Note, however, that the openssl102 application does NOT use FIPS mode by default. To use FIPS mode, you must define the environment variable OPENSSL_FIPS. The following fragment shows the differences when enabling TIPS mode:

  • In a non-FIPS-capable OpenSSL, an error is shown.

~$ openssl102 version
OpenSSL 1.0.2r-fips  26 Feb 2019
~$ OPENSSL_FIPS=1 openssl102 version
FIPS mode not supported.
  • When you run a command in a FIPS-capable OpenSSL with FIPS mode enabled, execution time increases due to the POST (Power On Self Test), a procedure required by FIPS 140-2.

~$ time openssl102 version
OpenSSL 1.0.2r-fips  26 Feb 2019
real    0m 0.07s
user    0m 0.05s
sys     0m 0.01s
~$ OPENSSL_FIPS=1 time openssl102 version
OpenSSL 1.0.2r-fips  26 Feb 2019
real    0m 0.42s
user    0m 0.40s
sys     0m 0.02

Use FIPS-capable OpenSSL

Applications using the OpenSSL API should explicitly enable FIPS mode if desired. For reference, use the following code excerpt in the randtest application (automatically installed along with the OpenSSL library when using meta-digi-fips) to set and check FIPS mode:

#ifdef OPENSSL_FIPS
    if (!FIPS_mode_set(1))
        printf("Failed to enable FIPS mode\n");
    else
        printf("FIPS mode is set\n");
#else
    printf("FIPS mode is not available\n");
#endif

When building OpenSSL with FIPS 140-2 support, the randtest application will take some extra time doing the FIPS 140-2 Power On Self Test, and then it will run the random number test:

~$ time randtest
FIPS mode is set
test 1 done
test 2 done
test 3 done
test 4 done

real    0m0.143s
user    0m0.130s
sys     0m0.010s

On the other hand, building OpenSSL without FIPS 140-2 support results in the following execution time and message:

~$ time randtest
FIPS mode is not available
test 1 done
test 2 done
test 3 done
test 4 done

real    0m0.009s
user    0m0.010s
sys     0m0.000s

For more information, see Section 5: Creating Applications Which Reference the FIPS Object Module of the OpenSSL User Guide 2.0.

Build a custom SDK with FIPS support

The prebuilt DEY-2.6 toolchain includes the files needed to develop applications using the OpenSSL v1.1.1 library. However, since FIPS-capable OpenSSL is limited to v1.0.2, you must generate a custom SDK to develop applications with FIPS-capable libraries.

Using a project with OPENSSL_FIPS enabled, generate an SDK:

$ bitbake -c populate_sdk dey-image-qt

The SDK will include the FIPS OpenSSL v1.0.2 development files.