Starting from a Minimus FIPS-validated image is a great way to create a private image. However, it does not guarantee that the resulting image remains FIPS-validated. Only testing can confirm this.

FIPS cryptography must be enforced

To be FIPS-compliant, the image must use cryptographic modules that conform to the FIPS 140-3 requirements, ensuring that all encryption, decryption, hashing, and digital signing operations meet strict security standards. A FIPS image must be restricted to approved algorithms (such as AES, SHA-256, or RSA with approved key lengths), manage cryptographic keys securely, and rely on a CMVP-validated cryptographic boundary. Furthermore, the image must enforce proper configuration of the relevant modules to prevent weak or unauthorized cryptographic operations and ensure that all non-compliant cryptography is disabled.

When you add packages to a FIPS-validated image, you risk introducing conflicts that could undermine, override, or undo FIPS configurations. For example, Go (golang) has a default cryptographic module, BoringCrypto, that must be disabled and replaced with the FIPS-validated Minimus Cryptographic Module. If you introduce a Go package into another FIPS-validated starter image, you will undermine the FIPS module.

OpenSSL FIPS integrity tests

Testing a standard Minimus image for FIPS is fairly straightforward. You run the pre-configured command to test that the OpenSSL FIPS provider module is configured on the image. However, when you use FIPS-validated images to compile and build an application, it can be trickier to validate FIPS compatibility. The simplest approach is proof by contrapositive: showing that if an image is not FIPS-validated, it will not run.

Example for testing a custom FIPS image

In this example, we will invalidate the openssl-fips module and attempt to run the app.
  1. Delete the fipsmodule.cnf file, which removes the module-mac portion of the FIPS provider configuration and invalidates the provider:
    sudo rm /etc/ssl/fipsmodule.cnf
    
  2. Try to re-run the application server:
    go/bin/helloserver
    
    We expect the app to abort because it no longer satisfies the OpenSSL FIPS provider requirements.
  3. The app should fail to start with the following error:
    panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.4.0 22 Oct 2024: OSSL_PROVIDER_try_load
    openssl error(s):
    error:1C8000D4:Provider routines::invalid state
    providers/fips/self_test.c:262
    
  4. Any software that uses OpenSSL should exit with a segfault (segmentation fault). A segmentation fault is a failure condition raised by hardware with memory protection, notifying the operating system that the software has attempted to access a restricted area of memory.

    Examples include apk update.
  5. Restore the fipsmodule.cnf file to fix the problem. The image should run as expected.
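
The steps above can be scripted so that the configuration file is always put back. This is an added example, not Minimus tooling: `fips_negative_test`, `started`, `FIPS_TEST_TIMEOUT` and the `.fips-test-bak` suffix are hypothetical names, and the script moves the file aside instead of deleting it. It assumes `timeout` is available and that it runs as root in a disposable test container.

```shell
# Added example (not Minimus code). Run as root in a disposable test container.
# Assumes `timeout` is available (coreutils or busybox).

# started CMD...: true if CMD exits 0, or is still running when the timeout
# fires (exit 124), which is what a healthy long-running server looks like.
started() {
    timeout "${FIPS_TEST_TIMEOUT:-5}" "$@" >/dev/null 2>&1
    last_rc=$?
    [ "$last_rc" -eq 0 ] || [ "$last_rc" -eq 124 ]
}

# fips_negative_test CNF CMD...
#   0 = CMD refuses to start without CNF and starts again once it is restored
#   1 = CMD still starts without CNF (it is not bound to the FIPS provider)
#   2 = setup problem (CNF missing, CMD already broken, or restore failed)
fips_negative_test() {
    cnf=$1; shift
    backup="$cnf.fips-test-bak"
    [ -f "$cnf" ] || { echo "ERROR: $cnf not found" >&2; return 2; }
    # Baseline: the app must start while the FIPS configuration is intact.
    started "$@" || { echo "ERROR: command fails with $cnf in place (exit $last_rc)" >&2; return 2; }

    # Step 1: invalidate the provider. Moved aside, not deleted, so step 5 can restore it.
    mv "$cnf" "$backup" || return 2
    # Steps 2-3: the app must NOT start now.
    if started "$@"; then verdict=1; else verdict=0; fi
    broken_rc=$last_rc
    # Step 5: restore the file and confirm the app starts again.
    mv "$backup" "$cnf" || { echo "ERROR: restore failed, config is at $backup" >&2; return 2; }
    started "$@" || { echo "ERROR: command fails after restore (exit $last_rc)" >&2; return 2; }

    if [ "$verdict" -eq 1 ]; then
        echo "FAIL: command started without $cnf" >&2
        return 1
    fi
    echo "PASS: command refused to start without $cnf (exit $broken_rc)"
}
```

For the example app on this page, the call would be `fips_negative_test /etc/ssl/fipsmodule.cnf go/bin/helloserver`; an exit status of 1 means the binary started without the FIPS provider configuration.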