[Feature Request] - FIPS certification
**Is your feature request related to a problem? Please describe.**
Regulatory and industry standards require workloads use FIPS 140-2 certified cryptographic modules. Amazon Linux 2023 must be FIPS certified in order for regulated workloads to migrate off of Amazon Linux 2.

**Describe the solution you'd like**
Amazon Linux 2023 achieves FIPS certification.

**Describe alternatives you've considered**
N/A

**Additional context**
Amazon Linux 2 is FIPS 140-2 certified per NIST; expect the same to occur for Amazon Linux 2023.
We are in the process of certifying for FIPS 140-3. Unfortunately we aren't in a position to provide an ETA.
While this is not a FIPS certification, we have recently updated our documentation to cover enabling FIPS mode in AL2023: https://docs.aws.amazon.com/linux/al2023/ug/fips-mode.html
@stewartsmith what about FIPS mode for the AL2023 container image? I thought that I could just run the commands from the link above in a Dockerfile, but when I do and re-pull the image to run `fips-mode-setup --check`, I'm getting this:

```
cat: /proc/sys/crypto/fips_enabled: No such file or directory
FIPS mode is .
Initramfs fips module is disabled.
The current crypto policy (FIPS) is based on the FIPS policy.
Inconsistent state detected.
```
The release notes for 2023.2.20231002 were the last ones to include the known issue for FIPS certification:

> AL2023 is not yet FIPS certified. AL2023 is in the process of being certified for FIPS 140-3.
Since then several versions have been released with that line omitted while this task remains open. Is this task the source of truth for whether or not FIPS certification has been achieved? If not where should I be looking to track on FIPS status?
Regarding FIPS mode for the AL2023 container: to enable FIPS in the container, you need to enable FIPS on the host. For example, if you enable FIPS on an AL2023 host per the instructions mentioned above and then create an AL2023 container (i.e. as documented in https://docs.aws.amazon.com/linux/al2023/ug/base-container.html), then FIPS mode should be enabled in the container as well. This topic may also deserve its own GitHub issue aside from the FIPS certification status question.
Update:
I started an AL2 and AL2023 AMI and set up FIPS mode on each.
Then I ran an AL2023 container on each. When I ran `fips-mode-setup --check` inside the container (on both AL2 and AL2023 AMIs), I saw this:

```
FIPS mode is enabled.
Initramfs fips module is disabled.
The current crypto policy (FIPS) is based on the FIPS policy.
Inconsistent state detected.
```
The first line (`FIPS mode is enabled.`) is better than I had before.
However, the second line (`Initramfs fips module is disabled.`) makes me worried. Does that matter? Is FIPS truly enabled?
Has AL2023 been officially FIPS 140-3 certified yet? The data in the release notes, as stated, has been dropped.
Edit: we don't need to know how to enable it; we need to know if the certification has been completed.
Hey @stewartsmith, long time no hassle on github issues! I hope you're doing well.
Are you able to provide some clarity here on the state of FIPS certification for AL2023? I'm about to deploy a bazillion systems using it, so I'd really like to be sure the certification process is complete first.
I found this. Looks like the due date is Q1: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Modules-In-Process/IUT-List
Q1 2024? The due date says 2023?
This page says it's still in Review Pending (12/15/2023).
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list
@lmarchione-r7, re: "Q1 2024? The due date says 2023?" Support relayed to me it was expected Q1. I know nothing more than that.
NIST has two status pages that can be useful for checking the state of any module going through the FIPS process:
- https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List
- https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list
It does appear that with the transition from FIPS 140-2 to 140-3, things are moving a little slower than prior to that transition. No doubt the folk at NIST are busy with a lot of us wishing things would go faster.
As per https://csrc.nist.gov/projects/cryptographic-module-validation-program, going for 140-2 wasn't an option given timing.
According to the URL below, as of February 2024 the first 14 FIPS 140-3 validation certificates ever issued took an average of 1.6 years from the moment they were "Review Pending" up to the issuance of the certificate itself. Note that this is all after passing the "Implementation Under Test" phase. https://keypair.us/2024/02/fips-140-3-validation-times/
As of today's date, the number of issued certificates is 15: six in 2022, six in 2023, and three so far in Q1 2024 (one per month). As of right now it doesn't look like either the certificate issuance velocity by the CMVP or the average time spent in review/coordination/validation is improving at all.
As such, my guess for Amazon Linux 2023, with all six modules under Review Pending as of 2/2/2024, is FIPS 140-3 issuance for all six modules sometime in Q3 of 2025.
Of course, this is all speculation and extrapolation, with untested assumptions and great uncertainty over what the issuance rate is likely to be. But for anyone having to do a similar exercise to what I had to do (for new product/service-development planning purposes in my case), the above was my analysis.
Update from my last comment.
Per AWS support: the lines "Initramfs fips module is disabled." and "Inconsistent state detected." can safely be ignored.
Note that AL2023 is still not FIPS-certified, but just running in FIPS mode.
Also, per Red Hat documentation, the `fips-mode-setup` command doesn't work correctly inside containers (hence my error). Apparently, initramfs FIPS is controlled by the host.
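The comments above report that `fips-mode-setup --check` gives misleading output inside a container, and that the kernel-side state comes from the host. The following POSIX shell script is an added example (not code from this thread, from AWS, or from the `fips-mode-setup` tool) that reads the two underlying sources directly instead: the kernel sysctl `/proc/sys/crypto/fips_enabled` (host-controlled, absent when `/proc` does not expose it) and the system-wide crypto policy name, assumed here to live in `/etc/crypto-policies/config` as on RHEL-style systems. Both paths are parameters so the classification can be exercised against constructed files. It reports "consistent" only when the kernel flag is `1` and the policy is `FIPS`; it says nothing about certification status, which is a separate question from FIPS mode.

```shell
#!/bin/sh
# Added example: classify FIPS mode state without relying on fips-mode-setup.
# Assumptions (not from the thread): /etc/crypto-policies/config holds the
# active policy name on its first non-comment line, as on RHEL-style systems.

# fips_state [SYSCTL_FILE]
# Prints one of: enabled, disabled, unavailable. Always returns 0.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then
        # Missing sysctl: the kernel has no FIPS support, or /proc is not
        # exposed to this container. This is the "No such file" case above.
        echo unavailable
        return 0
    fi
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
    return 0
}

# crypto_policy [CONFIG_FILE]
# Prints the active policy name (e.g. FIPS, DEFAULT) or "unknown". Always returns 0.
crypto_policy() {
    f="${1:-/etc/crypto-policies/config}"
    if [ -r "$f" ]; then
        # First non-comment, non-blank line carries the policy name.
        p="$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | head -n 1)"
        if [ -n "$p" ]; then
            echo "$p"
            return 0
        fi
    fi
    echo unknown
    return 0
}

# fips_verdict [SYSCTL_FILE] [CONFIG_FILE]
# Returns 0 only when the kernel flag and the user-space policy agree on FIPS.
fips_verdict() {
    k="$(fips_state "$1")"
    p="$(crypto_policy "$2")"
    if [ "$k" = enabled ] && [ "$p" = FIPS ]; then
        echo "consistent: kernel FIPS on, policy FIPS"
        return 0
    fi
    echo "inconsistent: kernel=$k policy=$p"
    return 1
}

# Stand-alone run: report on the real host/container paths.
report() {
    echo "fips_enabled: $(fips_state)"
    echo "crypto policy: $(crypto_policy)"
    fips_verdict
}
report || :
```

Run it on the host and then inside the container: the kernel line should match on both (the container inherits the host kernel), while the policy line reflects what was configured in the image. A verdict of `inconsistent` with `kernel=unavailable` means the check could not see the sysctl at all, which is the situation the Dockerfile attempt above ran into.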
It appears to me that Amazon Linux 2023 finally achieved FIPS validation with NIST! Does that mean this can be closed? https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4808
However, the latest release notes still indicate that it hasn't been certified: "AL2023 is not yet FIPS certified. AL2023 is in the process of being certified for FIPS 140-3." https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20250123.html
What's the deal?
My understanding is that the validation certificate #4808 (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4808) applies only to the Amazon Linux 2023 Kernel Cryptographic API.
I can see there are other cryptographic modules related to Amazon Linux 2023 in the Modules in Process List at https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List