
About kernel independence

FIPS-approved cryptography requires a strong entropy source to provide cryptographic protection using NIST-trusted algorithms. The entropy source is responsible for providing secure random bit generators whose output cannot be predicted; without it, FIPS cryptography standards cannot be satisfied. Generally, there are two approaches to providing a FIPS-validated entropy source: the entropy source may depend on specialized hardware with a certified kernel configured in FIPS mode, or it may be kernel-independent, with no hardware dependencies. The latter is termed a kernel-independent FIPS entropy source.
  • Kernel-dependent FIPS images must be run on specialized hardware approved by the NIST CMVP program with kernel-level FIPS mode enabled. In other words, the kernel must be configured in FIPS mode. This approach is highly dependent on the underlying operating system and other environment configurations.
  • Kernel-independent FIPS-validated images can run on any standard hardware. A self-contained FIPS 140-3 validated cryptographic module eliminates the cryptographic dependency on the underlying OS kernel, hypervisor, and hardware. A kernel-independent FIPS module relies on a userspace entropy source, so it does not need to run on a host with a certified FIPS-enabled kernel.

Minimus FIPS implementations

Many Minimus FIPS-validated images are kernel independent, but not all. The rule is simple: the OpenSSL FIPS module is kernel independent thanks to the OpenSSL-compatible entropy provider. The Java FIPS module is kernel dependent and has hardware requirements.

OpenSSL FIPS 140-3 module

Minimus FIPS images that rely on OpenSSL come with an OpenSSL-compatible entropy provider that is kernel independent. These images use a module that has been certified by the NIST CMVP program and are approved to run on any hardware with confidence that they comply with FIPS security standards, regardless of the underlying OS kernel, hypervisor, and hardware. This module is used in many Minimus FIPS images, including C-based and Go-based images as well as Python, Node.js, PHP, and other language ecosystems.

Java FIPS 140-3 module

Minimus FIPS images that rely on the Java module require a FIPS-enabled kernel and specialized hardware as listed in the certificate. To check if your Minimus image includes the Java FIPS module, look for the package minimus-java-fips-libs in the SBOM. If it exists, the image requires specialized FIPS approved hardware and additional environment configurations to comply with FIPS 140-3 standards.
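The SBOM check described above can be scripted and paired with a host kernel check. The following is an added example, not Minimus code: it assumes the SBOM has been exported as CycloneDX or SPDX 2.x JSON (the page does not name a format), reads the Linux kernel's `/proc/sys/crypto/fips_enabled` flag (not mentioned on the page), and uses hypothetical function names and constructed sample SBOMs.

```python
import json

JAVA_FIPS_PKG = "minimus-java-fips-libs"  # package name given on this page

# Constructed sample SBOM fragments (not taken from a real Minimus image).
SAMPLE_CYCLONEDX = json.loads("""{"bomFormat": "CycloneDX", "components": [
  {"name": "openjdk", "components": [{"name": "minimus-java-fips-libs"}]}]}""")
SAMPLE_SPDX = json.loads("""{"spdxVersion": "SPDX-2.3", "packages": [
  {"name": "openssl"}, {"name": "python-3.12"}]}""")

def sbom_package_names(sbom):
    """Collect package names from a CycloneDX or SPDX 2.x JSON SBOM."""
    names = set()
    stack = list(sbom.get("components", []))   # CycloneDX, may be nested
    while stack:
        comp = stack.pop()
        names.add(comp.get("name"))
        stack.extend(comp.get("components", []))
    for pkg in sbom.get("packages", []):        # SPDX: flat package list
        names.add(pkg.get("name"))
    names.discard(None)
    return names

def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True only when the Linux kernel reports FIPS mode (file holds '1')."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False  # file missing or unreadable: treat as not in FIPS mode

def assess(sbom, host_fips):
    """Map the SBOM finding to the host requirement stated on this page."""
    java = JAVA_FIPS_PKG in sbom_package_names(sbom)
    return {
        "java_fips_module": java,
        "needs_fips_kernel": java,
        # Gap: kernel-dependent image on a kernel that is not in FIPS mode.
        # Certified hardware must still be checked against the certificate.
        "host_kernel_gap": java and not host_fips,
    }

if __name__ == "__main__":
    host = kernel_fips_enabled()
    for label, sbom in (("cyclonedx", SAMPLE_CYCLONEDX), ("spdx", SAMPLE_SPDX)):
        print(label, assess(sbom, host))
```

For a real image, load its SBOM file with `json.load` and pass the result to `assess`. A clean result only says the Java FIPS package is absent; it does not confirm which FIPS module the image does contain.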

Do I need FIPS-certified hardware?

It depends on which Minimus FIPS image you are using.
  • Images with the OpenSSL FIPS module and entropy provider do not require special hardware.
  • Images with the Java FIPS module do not have an independent entropy provider and they do require specialized hardware.

When no special hardware is required, costs in cloud environments are greatly reduced. Minimus FIPS-validated container images with the OpenSSL FIPS module and entropy provider can run in any environment, including local developer machines, existing CI/CD pipelines, and standard managed cloud services.

| | Minimus OpenSSL FIPS module | Minimus Java FIPS module |
|---|---|---|
| Hardware requirements | None, any host kernel | Certified host kernel configured in FIPS mode |
| Cloud environment requirements | None, any cloud environment | Only certified FIPS-enabled environment |
| Entropy source | Userspace entropy | Kernel-dependent entropy |

Is my app FIPS 140-3 compliant?

A FIPS 140 validated image offers a mechanism to isolate the cryptography used in the implementation. It undergoes proper testing and validation by an independent laboratory according to the CMVP. This validation ensures a certain level of security assurance and compliance with a set of NIST cryptographic standards. Importantly, this validation is independent of the underlying operating system, hypervisor, and hardware. The CMVP certificate specifies the operational environment in which the cryptographic module was tested and any external dependencies, such as a validated entropy source.

As a user of the FIPS-validated image, you are responsible for ensuring that the FIPS-validated cryptographic module is used with the correct configuration, one that meets CMVP requirements and was tested by an independent laboratory. All cryptographic operations occur within a FIPS 140-validated cryptographic module in the image and have no direct cryptographic dependency on the host OS, hypervisor, or hardware. This has been tested and validated by the cryptographic module developer under various operational environments, which are either captured in the associated CMVP certificate or asserted by the cryptographic module developer for the module as bundled and properly configured in the image.

When it comes to non-dev images, including applications, utilities, infra, etc., you can rely on the Minimus FIPS-validated image to deliver compliance. The image is already pre-configured with the necessary protections to prevent non-FIPS-approved algorithms and protocols. As for dev images and Java FIPS images, compliance requires a more active approach. As a user, you will need to ensure that your implementation does not invoke insecure, unapproved algorithms, APIs, and other aspects that might undermine FIPS compliance.

Requesting FIPS 140-3 assistance

Particularly with Java FIPS images, compliance depends on the underlying OS, hypervisor, and hardware also being correctly configured in FIPS mode. There is a risk that some lower layer in the stack or a malicious admin could alter the settings such that the image or application would not run in FIPS mode. Please get in touch with us directly if you would like to request guidance with FIPS-related issues.

Further reading: FIPS 140-3 entropy requirements

FIPS compliance depends on an entropy source for secure key generation. Acceptable entropy sources and seeding behavior are detailed in the following: