# FIPS Compliance {#fips}

SPDK does not implement any cryptography itself, and for use cases requiring cryptographic
functions it relies on external components. Therefore, SPDK alone has not acquired any FIPS
(Federal Information Processing Standards) certification, but a reasonable effort has been made to
check whether SPDK can be a part of a FIPS certified system as one of the components. Any FIPS
certification of such a system, however, is the responsibility of the system integrator or builder.
The dependencies are:

* [Intel(R) Intelligent Storage Acceleration Library Crypto Version (isa-l-crypto)](https://github.com/intel/isa-l_crypto),
* [Intel(R) Multi-Buffer Crypto for IPSec (intel-ipsec-mb)](https://github.com/intel/intel-ipsec-mb),
* [Intel QuickAssist Technology (QAT) Crypto Driver](https://doc.dpdk.org/guides/cryptodevs/qat.html),
* [NVIDIA MLX5 Crypto Driver](https://doc.dpdk.org/guides/cryptodevs/mlx5.html),
* [OpenSSL](https://www.openssl.org/).

Intel QAT driver, NVIDIA MLX5 driver and intel-ipsec-mb are delivered by DPDK as
[Crypto Device Drivers](https://doc.dpdk.org/guides/cryptodevs/).
MLX5 usage is supported for both DPDK and SPDK.

SPDK can be compatible with FIPS if all enabled dependencies are operating in a FIPS approved
state.

## DPDK

To ensure the system using SPDK can apply for FIPS certification, please use FIPS certified
versions of DPDK and intel-ipsec-mb - you may include a custom DPDK version via the `--with-dpdk`
configuration flag. Please also make sure that FIPS-certified hardware and firmware is used
(e.g. Intel QAT).

## isa-l-crypto

The isa-l-crypto library has not yet acquired the FIPS certification. In order for SPDK to be
included in a FIPS certified system, please do not use the software Acceleration Framework module
for encryption/decryption.

## OpenSSL

SPDK uses various functions from the OpenSSL library to perform tasks like key derivation in
[NVMe TCP](https://github.com/spdk/spdk/blob/master/include/spdk_internal/nvme_tcp.h) and TLS
handshake in the [socket module](https://github.com/spdk/spdk/blob/master/module/sock/posix/posix.c).
OpenSSL delivers code implementations via
[providers](https://www.openssl.org/docs/man3.0/man7/provider.html).

One such provider, called the [FIPS provider](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-FIPS.html),
delivers Federal Information Processing Standards (FIPS) compliant functions and, if
[set up correctly](https://wiki.openssl.org/index.php/OpenSSL_3.0#Using_the_FIPS_module_in_SSL.2FTLS),
will include only function implementations that fall under FIPS 140-2.

SPDK provides a test in `test/nvmf/fips/fips.sh` that includes OpenSSL configuration via
[OPENSSL_CONF](https://www.openssl.org/docs/man1.1.1/man5/config.html). As seen in that test, the
configuration will differ between some operating systems (see [Fedora38](https://www.redhat.com/en/blog/openssl-fips-140-2-upstream-140-3-downstream)
for example). Correctly configuring OpenSSL FIPS is the user's responsibility (see [this link](https://github.com/openssl/openssl/blob/master/README-FIPS.md)
for reference on how to enable the FIPS provider). OpenSSL documentation states that "It is undefined
which implementation of an algorithm will be used if multiple implementations are available", so we
strongly recommend using the FIPS + base provider combination exclusively to ensure FIPS compliance
([OpenSSL doc](https://www.openssl.org/docs/man3.0/man7/fips_module.html#Programmatically-loading-the-FIPS-module-default-library-context)).

To ensure the system using SPDK can apply for FIPS certification, please use OpenSSL versions
3.0.0+ only.
In terms of generation and handling of the pre-shared keys for TLS, it is recommended
to ensure compliance with FIPS standards, in particular NIST Special Publication 800-133,
Revision 2.

## Example crypto configuration

Below are RPCs that can be sent to an SPDK application to configure FIPS compliant cryptography.
See `test/bdev/blockdev.sh` for example usage and @ref jsonrpc for explanations of RPC commands.

Configuration of dpdk_cryptodev in the acceleration framework should first initialize the module, then
select the cryptodev device (crypto_aesni_mb, crypto_qat or mlx5_pci) and finally assign the
dpdk_cryptodev driver to specific operations:

```bash
./scripts/rpc.py dpdk_cryptodev_scan_accel_module
./scripts/rpc.py dpdk_cryptodev_set_driver -d crypto_aesni_mb
./scripts/rpc.py accel_assign_opc -o encrypt -m dpdk_cryptodev
./scripts/rpc.py accel_assign_opc -o decrypt -m dpdk_cryptodev
```

MLX5 configuration, which depends on 3rd party FIPS-certified hardware, should contain only module
initialization and operation assignment:

```bash
./scripts/rpc.py mlx5_scan_accel_module
./scripts/rpc.py accel_assign_opc -o encrypt -m mlx5
./scripts/rpc.py accel_assign_opc -o decrypt -m mlx5
```

## Symmetric encryption keys

It is recommended to use 256-bit keys with symmetric encryption algorithms. For AES-XTS
specifically, the supplied Key1 must be different from Key2.
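
A pre-flight check for the AES-XTS key rule above, as an added example (not SPDK code): the hypothetical `check_xts_keys` function takes Key1 and Key2 as hex strings, and the sample keys are constructed. The keys are compared after case normalisation, because hex strings that differ only in letter case encode identical bytes.

```bash
#!/bin/sh
# Constructed sample keys (256 bits each, hex encoded). Not real key material.
KEY1=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
KEY2=ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100

# check_xts_keys KEY1_HEX KEY2_HEX
# Return codes: 0 = acceptable pair, 1 = not valid hex,
#               2 = a key is not 256 bits, 3 = Key1 equals Key2.
check_xts_keys() {
    # Normalise case first: "AB" and "ab" encode the same byte, so comparing
    # the raw arguments as strings could miss two identical keys.
    k1=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    k2=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    for k in "$k1" "$k2"; do
        case "$k" in
            ''|*[!0-9a-f]*) return 1 ;;
        esac
        # 256 bits = 32 bytes = 64 hex characters.
        [ "${#k}" -eq 64 ] || return 2
    done
    [ "$k1" != "$k2" ] || return 3
    return 0
}

check_xts_keys "$KEY1" "$KEY2" && echo "key pair accepted"
```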
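
For the provider recommendation in the OpenSSL section, an added example (not part of SPDK or its test suite) that checks `openssl list -providers` output and accepts only the FIPS + base combination. The function name `check_providers` and both sample outputs are constructed for illustration.

```bash
#!/bin/sh
# Constructed samples of `openssl list -providers` output (not captured from a real host).
SAMPLE_FIPS_BASE='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

SAMPLE_WITH_DEFAULT='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# Reads a provider listing on stdin.
# Returns 0 if exactly fips and base are active, 1 if either is missing
# or inactive, 2 if any other provider is active alongside them.
check_providers() {
    awk '
        # A provider id is the only one-word line that does not end in ":".
        NF == 1 && $1 !~ /:$/ { name = $1 }
        $1 == "status:" && $2 == "active" { active[name] = 1 }
        END {
            if (!("fips" in active) || !("base" in active)) exit 1
            for (p in active)
                if (p != "fips" && p != "base") exit 2
            exit 0
        }'
}

printf '%s\n' "$SAMPLE_FIPS_BASE" | check_providers && echo "fips + base only: OK"
printf '%s\n' "$SAMPLE_WITH_DEFAULT" | check_providers || echo "rejected (code $?)"
```

Pipe the real listing in with `openssl list -providers | check_providers`, using the same `OPENSSL_CONF` the SPDK application is started with.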