docs: Add FIPS documentation to BUILDING.md and README.md #2387
Status: Open. Wants to merge 5 commits into base: main.
4 changes: 4 additions & 0 deletions BUILDING.md
Expand Up @@ -238,6 +238,10 @@ mechanism is ignored.
Snapshots taken on active hosts can potentially be unsafe to use.
See "Snapshot Safety Prerequisites" here: https://lkml.org/lkml/2021/3/8/677

# FIPS Mode

For more details on building AWS-LC in FIPS mode, see the [crypto/fipsmodule/FIPS.md](crypto/fipsmodule/FIPS.md).

# Data Independent Timing on AArch64

The functions described in this section are still experimental.
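Review bot: the sentence in the new "FIPS Mode" section reads awkwardly, "see the [crypto/fipsmodule/FIPS.md](crypto/fipsmodule/FIPS.md)"; either drop "the" or give the link a noun, e.g. "see the FIPS build notes in [crypto/fipsmodule/FIPS.md](crypto/fipsmodule/FIPS.md)". Since BUILDING.md is where build options are documented, consider also stating here which build option enables FIPS mode and the one-line consequence (Linux-only static builds, as FIPS.md now says) rather than only linking; a reader scanning BUILDING.md for flags will otherwise miss it.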
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -116,6 +116,10 @@ that improve the experience for consumers on these platforms.
| OpenBSD | x86-64 |
| FreeBSD | x86-64 |

### FIPS Compliance

For information about FIPS compliance, building AWS-LC in FIPS mode, and platform limitations, see [crypto/fipsmodule/FIPS.md](crypto/fipsmodule/FIPS.md).

### Post-Quantum Cryptography

Details on the post-quantum algorithms supported by AWS-LC can be found at [PQREADME](https://github.com/aws/aws-lc/tree/main/crypto/fipsmodule/PQREADME.md).
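Review bot: the new heading and sentence say "FIPS Compliance", while the linked crypto/fipsmodule/FIPS.md speaks of FIPS 140-3 validation and certificates. "Compliance" is a self-asserted term and is routinely conflated with validation by downstream users; suggest "FIPS Validation" (or "FIPS 140-3") for the heading and "For information about FIPS validation status, building AWS-LC in FIPS mode, and platform limitations, see ..." for the sentence, so the README matches the document it points to.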
Expand Down Expand Up @@ -188,5 +192,3 @@ Security via our
Please do **not** create a public GitHub issue.

If you package or distribute AWS-LC, or use AWS-LC as part of a large multi-user service, you may be eligible for pre-notification of future AWS-LC releases. Please contact aws-lc-pre-notifications@amazon.com.


9 changes: 8 additions & 1 deletion crypto/fipsmodule/FIPS.md
Expand Up @@ -14,6 +14,14 @@ NIST has also awarded SP 800-90B validation certificate for our CPU Jitter Entro

1. 2023-09-14: entropy certificate [#E77](https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/77), [public use document](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/entropy/E77_PublicUse.pdf)

## Platform Limitations

When building AWS-LC in FIPS mode, please be aware of the following platform limitations:

- Static FIPS builds are only supported on Linux platforms
- Shared library FIPS builds are supported on both Linux and Windows
- Windows Debug builds are not supported with FIPS

### Modules in Process

The modules below have been tested by an accredited lab and have been submitted to NIST for FIPS 140-3 validation.
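Review bot: heading level. The inserted "## Platform Limitations" lands directly before the existing "### Modules in Process", so that subsection (and the validation subsections after it) now render as children of "Platform Limitations" instead of the validation section they belonged to. Either make the new heading "###" at this position or move the section to after the validation subsections. Separately, the three bullets state what is unsupported but not how it manifests (configure-time error, build failure, or a build that succeeds and then fails the integrity test); one sentence on the observed behaviour for each would let users self-diagnose rather than wonder whether their setup is at fault.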
Expand Down Expand Up @@ -180,4 +188,3 @@ Initially the known-good value will be incorrect. Another script (`inject_hash.g
The utility in `util/fipstools/break-hash.go` can be used to corrupt the FIPS module inside a binary and thus trigger a failure of the integrity test. Note that the binary must not be stripped, otherwise the utility will not be able to find the FIPS module.

![build process](./intcheck2.png)
