-
Notifications
You must be signed in to change notification settings - Fork 72
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
## Type of change <!-- Please be sure to add the appropriate label to your PR. --> Documentation update/fix ### What should this PR do? <!-- Does this PR resolve an issue? Please include a reference to it. --> Edits/replaces the content on the FIPS page ### Why are we making this change? <!-- What larger problem does this PR address? --> As time has passed, much of the information became outdated. This is a stage 1 fix to bring the page into parity with https://www.chainguard.dev/legal/fips-commitment so that we aren't sending mixed messages. The plan is to continue to evolve this page as time permits. ### What are the acceptance criteria? <!-- What should be happening for this PR to be accepted? Please list criteria. --> <!-- Do any stakeholders need to be tagged in this review? If so, please add them. --> Is the information accurate? I'm working with @xnox on this, so when he's happy we will merge. ### How should this PR be tested? <!-- What should your reviewer do to test this PR? Please list steps. --> n/a --------- Signed-off-by: Matthew Helmke <[email protected]> Co-authored-by: Mark Drake <[email protected]>
- Loading branch information
1 parent
bbe3b1b
commit a99736e
Showing
1 changed file
with
17 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,46 +18,35 @@ weight: 050 | |
| toc: true | ||
| --- | ||
|
|
||
| One of the primary requirements of federal compliance frameworks — including [FedRAMP](https://www.fedramp.gov/program-basics/) — is to use FIPS-validated cryptography. Chainguard offers FIPS-enabled versions of a number of its Images. This article provides a high-level overview of what FIPS is and how Chainguard's FIPS-enabled Images are built. | ||
| One of the primary requirements of federal compliance frameworks — including [FedRAMP](https://www.fedramp.gov/program-basics/) — is to use FIPS-validated cryptography. Chainguard offers FIPS-enabled versions of a number of its Images. This article provides a high-level overview of what FIPS is and what to expect from Chainguard’s FIPS-enabled Images. | ||
|
|
||
| [Federal Information Processing Standards](https://www.nist.gov/itl/publications-0/federal-information-processing-standards-fips) (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly. | ||
|
|
||
| ## What is FIPS? | ||
| Chainguard warranties the following with respect to Chainguard container images: | ||
|
|
||
| The [Federal Information Processing Standards](https://www.nist.gov/itl/publications-0/federal-information-processing-standards-fips), or FIPS, is a set of standards vendors must adhere to when providing data processing services to the US and Canadian governments. FIPS was developed by the National Institute of Standards and Technology (NIST), an agency within the United States Department of Commerce. | ||
| Chainguard’s FIPS Images available to be delivered in compliance with FIPS specifications are listed [here](https://images.chainguard.dev/?category=fips) (each a "Chainguard FIPS Image"). Images will be made available in compliance with FIPS specifications provided a customer’s applicable order form designates the purchase of Chainguard FIPS images. | ||
|
|
||
| NIST has published a number of different FIPS standards. The FIPS standard that concerns Chainguard Images is the 140 series which specify requirements for cryptographic modules. Currently, there are two active FIPS 140 standards: FIPS 140-2 and 140-3. FIPS 140-2 is scheduled to expire on September 21, 2026 as the industry transitions to the newer 140-3 standard. | ||
| The Chainguard FIPS images contain FIPS-validated software cryptographic modules. Entropy must be provided as specified in its cryptographic policy. The cryptographic module may provide non-approved algorithms, which will result in operating in FIPS non-approved mode. The cryptographic FIPS modules currently provided are: | ||
|
|
||
| ## Chainguard FIPS Images | ||
| - OpenSSL FIPS Provider (CMVP [#4282](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282)) | ||
| - Bouncy Castle FIPS Java API (CMVP [#4743](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4743), CMVP [#4616](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4616)) | ||
| - Chainguard CPU Time Jitter RNG Entropy Source (Entropy Certificate [#E191](https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/191)) | ||
|
|
||
| Chainguard's FIPS Images are not themselves validated. Instead, most of Chainguard's FIPS-ready Images ship with a validated redistribution of [OpenSSL's FIPS provider module](https://www.openssl.org/docs/manmaster/man7/fips_module.html). The exceptions include our Java-based Images, which is explained further at the end of this section. | ||
| These may be updated occasionally; for further information, contact <[email protected]>. | ||
|
|
||
| Because standard OpenSSL is not validated for FIPS, the OpenSSL FIPS module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use FIPS-validated cryptography. Specifically, version 3.0 of the OpenSSL FIPS module has been validated for FIPS 140-2. | ||
| Additional guidance is available for specific images, like these: | ||
|
|
||
| Chainguard submitted a request for [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/projects/cryptographic-module-validation-program) validation for our redistribution of OpenSSL’s FIPS provider module to NIST. This submission to the CMVP allows Chainguard to redistribute a FIPS-validated module in Wolfi and Chainguard Images. As of this writing, this redistribution is derived from the OpenSSL 3.0.9 FIPS module sources. | ||
| - [go-fips](https://images.chainguard.dev/directory/image/go-fips/overview) | ||
| - [node-fips](https://images.chainguard.dev/directory/image/node-fips/overview) | ||
| - [jdk-fips](https://images.chainguard.dev/directory/image/jdk-fips/overview) | ||
|
|
||
| By including this redistribution of the OpenSSL FIPS module, Chainguard is able to provide Images that use FIPS-validated cryptography until the official certificate comes through. You can find the submission status on [NIST’s Modules in Process list](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List). We also run tests on each of our FIPS Images to ensure the given application is configured with FIPS-validated cryptography end-to-end. Note that Chainguard's FIPS Images use these modules by default, so there aren't any build flags users need to enable to apply this feature. | ||
| You can find more at: [https://images.chainguard.dev/?category=fips](https://images.chainguard.dev/?category=fips). | ||
|
|
||
| Additionally, Chainguard is already prepared for the migration to FIPS 140-3 in the near future because we provide the OpenSSL 3.1 module required for certification. It is expected that the certification process for this module will begin in 2024. | ||
| All of Chainguard's FIPS Images have [STIGs](/chainguard/chainguard-images/working-with-images/image-stigs/). | ||
|
|
||
| ### Regarding Java-based FIPS Images | ||
| As mentioned previously, Chainguard provides several FIPS-ready Images that are based on Java. However, this presents some challenges because Java applications generally don't leverage OpenSSL for cryptography and there isn't another cryptographic library serving as a widely-used standard for Java applications. For these reasons, Chainguard's Java-based Images instead ship with the [FIPS variant of the Bouncy Castle Crypto package](https://www.bouncycastle.org/about/bouncy-castle-fips-faq/), a Java implementation of cryptographic algorithms. | ||
|
|
||
| Some Java applications may bundle their own cryptographic libraries at the application level. In these cases, Chainguard can only build a FIPS-enabled Image if the bundled libraries are FIPS-compliant or the applications in question support use with FIPS-compliant variants like Bouncy Castle's. Other Java applications do not bundle cryptographic libraries, instead relying on the bundled cryptography providers from the JRE. | ||
|
|
||
| If the underlying JRE/JDK on the host system is FIPS compliant, then theoretically, the application could also be considered FIPS compliant. However, without explicit support or documentation for FIPS compliance, there is no guarantee that the application will consistently use these FIPS-compliant features. You can refer to the [Java Cryptography Architecture documentation](https://docs.oracle.com/en/java/javase/21/security/java-cryptography-architecture-jca-reference-guide.html#GUID-2BCFDD85-D533-4E6C-8CE9-29990DEB0190) for more information. | ||
|
|
||
| The full FIPS compliance of a Java application and its related image depends heavily on the application itself, specifically how it is architected and what it supports. | ||
|
|
||
| ## A note about FIPS compliance | ||
|
|
||
| To ensure your organization is FIPS compliant, you'll need to do more than just install the OpenSSL module. Your organization's software must also be correctly configured to use only approved cryptographic algorithms. | ||
|
|
||
| In order to help customers ensure their applications are running in FIPS mode, Chainguard provides [`openssl-fips-test`](https://github.com/chainguard-dev/openssl-fips-test), a useful utility in our FIPS-enabled Images that allows you to verify that the OpenSSL FIPS module is properly installed and configured. When called, this utility will run a series of tests to make sure only the approved algorithms are active and will return an error if the FIPS module is not correctly configured. | ||
|
|
||
| Be aware that this tool can only detect whether or not OpenSSL is properly configured. This tool does not validate whether any other element in an overall delivered configuration is, or is not, FIPS 140-2/140-3 compliant. It only tests whether OpenSSL is properly configured and makes use of the FIPS module correctly. Any applications and languages must be built to use the [OpenSSL Cryptographic library](https://www.openssl.org/docs/man3.0/man7/crypto.html) (also known as `libcrypto`) in order for the OpenSSL FIPS configuration to be useful. | ||
|
|
||
| You will need to pay attention to how you deploy your Chainguard Images. For example, sometimes people configure installations via Helm in a way that copies an application from an image and deploys it, which would mean that you cannot ensure the code or configuration are unchanged and could put you into a state of non-compliance. | ||
| Chainguard will take commercially reasonable efforts to ensure applications utilize FIPS-validated cryptographic modules for any cryptographic operations, provided that the parties acknowledge and agree that certain behaviors or functionalities within such applications, which are beyond the direct control of Chainguard, may not fully adhere to FIPS requirements. In the event there are common vulnerabilities and exposures identified, the Chainguard SLA will apply. | ||
|
|
||
| If Customer requests an image not currently available as a Chainguard FIPS Image, Chainguard will use commercially reasonable efforts to determine if such request is feasible. For further information, contact <[email protected]>. | ||
|
|
||
| ## Learn more | ||
|
|
||
|
|
||