Go and FIPS 140 November update
ESV submission for v2.0.0 soon, less than 40 modules ahead of v1.0.0 in the MIP queue, and a new ML-DSA implementation
ESV submission almost done
We have sent all the materials to the lab for the Entropy Source Validation submission. ACVP vectors are passing, and the lab accepted the entropy samples after requesting an additional 300M samples for a new CPU jitter heuristic assessment.
We expect they will submit this week or next week, which should allow us to do the CMVP submission of the FIPS 140-3 Go Cryptographic Module v2.0.0 in January, before the Go 1.26 release.
At the bottom of this email you will find a list of the OEs we are submitting for the ESV certificate and its dedicated CAVP certificate. This is the last opportunity to make any changes.
v1.0.0 CMVP queue status
The CMVP queue moved unusually fast, and there's fewer than 40 modules ahead of us on the Modules In Process list now! (CMVP was almost unaffected by the government shutdown, unlike other parts of NIST.)
Once we get out of the Review Pending queue, we'll enter Coordination, and the timeline from there to the final FIPS 140-3 certificate depends on how much extra documentation NIST requests, if any.
ML-DSA
We have a new ML-DSA implementation which we plan to include in the FIPS 140-3 Go Cryptographic Module v2.0.0.
There will be no exported ML-DSA API in Go 1.26, but this way we can get the certification process started, so that there won't be a long delay between ML-DSA becoming available in Go and it being available in a certified FIPS 140-3 Go Cryptographic Module.
Fun fact: in the process of implementing and testing our implementation, we discovered that most of the test vectors provided by NIST as part of the ACVP specification don't actually test the rejection paths they are supposed to. (We also found a bug in a formally-verified Rust implementation.)
- Red Hat Enterprise Linux 9
Intel® Xeon® Silver 4410Y
Dell PowerEdge™ R660 - Red Hat Enterprise Linux 9
Ampere® Altra® Q64-22
ASRock Rack ALTRAD8UD-1L2T - Red Hat Enterprise Linux 9 on PR/SM Driver Level 51 with Bundle Level H34
IBM Z® System z16
IBM z16 3931-A01 - Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00
IBM Power10
IBM 9080-HEX - Alpine Linux 3.22 image on Podman 5 on Linux 6.12
Intel® Xeon® Silver 4410Y
Dell PowerEdge™ R660 - Alpine Linux 3.22 image on Podman 5 on Linux 6.1
AMD EPYC™ 7443P
Supermicro H12SSW-AN6 - Alpine Linux 3.22 image on Podman 5 on Linux 6.12
Ampere® Altra® Q64-22
ASRock Rack ALTRAD8UD-1L2T - Amazon Linux 2023
AWS Graviton4
Amazon EC2 r8g.metal-24xl - Amazon Linux 2023
Intel® Xeon® Platinum 8375C
Amazon EC2 c6i.metal - Oracle Linux 9
Intel® Xeon® Platinum 8358
Oracle Server X9-2C - Oracle Linux 9
AMD EPYC™ 9J45
Oracle Server E6-2C - Oracle Linux 9
Ampere® Altra® Q80-30
Oracle Server A1-2C - Linux 5.4
Marvell® OCTEON III® CN7130
Ubiquiti EdgeRouter 4 - Linux 5.4
Broadcom BCM47094
Luxul ABR-4500 - Google Prodimage with Linux 6.6
AMD EPYC™ 7B12
APIF-824 - Google Prodimage with Linux 6.6
Intel® Xeon® Platinum 8273CL
APIF-738 - Google Prodimage with Linux 6.6
ARM Neoverse-N1
APIF-091 - Apple macOS 15
Apple M2
MacBook Air (M2, 2022) - FreeBSD 14
Intel® Core™ i3-4130T
Lenovo ThinkCentre M73 - Microsoft Windows Server 2022
Intel® Core™ i3-4130T
Lenovo ThinkCentre M73 - Microsoft Windows 11
Qualcomm Snapdragon® X Plus
Surface Laptop 7th Edition - SUSE Linux Enterprise Server 16.0
Intel® Xeon® Silver 4410Y
Dell PowerEdge™ R660 - SUSE Linux Enterprise Server 16.0
Ampere® Altra® Q64-22
ASRock Rack ALTRAD8UD-1L2T - Red Hat Enterprise Linux 10
Intel® Xeon® Silver 4410Y
Dell PowerEdge™ R660 - Red Hat Enterprise Linux 10
Ampere® Altra® Q64-22
ASRock Rack ALTRAD8UD-1L2T - VMware Photon OS 5.0 on ESXi 9.0
Intel® Xeon® Silver 4410Y
Dell PowerEdge™ R660 - Ubuntu 24.04 on ESXi 9.0
Intel® Xeon® Silver 4410Y
Dell PowerEdge™ R660