[illumos-Developer] webrev: removal of closed kcfd
Joerg Schilling
Joerg.Schilling at fokus.fraunhofer.de
Sun Sep 12 12:46:17 PDT 2010
"Garrett D'Amore" <garrett at nexenta.com> wrote:
> On Sun, 2010-09-05 at 00:15 +0200, Joerg Schilling wrote:
> > "Garrett D'Amore" <garrett at nexenta.com> wrote:
> >
> > > This is a first pass at removing the closed kcfd. It removes the
> > > daemon, and also does away with all fips and module verification, and
> > > runs the kernel threads for crypto using lwps in the kernel rather than
> > > relying on a daemon. (Thanks to richlowe for the suggestion.)
> > >
> > > http://mexico.purplecow.org/gdamore/webrev/nokcfd/
> >
> > Why did you remove fips?
>
> Because you can't have fips without module verification. And you can't
> have module verification without the closed code or reimplementing the
> closed code.
>
> Furthermore, FIPS is *very* difficult to get right, and requires quite a
> bit beyond just writing the code. So there's no way we could continue
> to have a FIPS solution without massive investment.
fips-140 is part of openssl and I've seen that it has been certified. What is
special with openssl?
What do you understand by "module verification"? Are you talking about chking
whether a signed library is unchanged?
If this code closed source on Solaris?
Jörg
--
EMail:joerg at schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
js at cs.tu-berlin.de (uni)
joerg.schilling at fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
More information about the Developer
mailing list