Need FIPS 140-2 Compliant variant of Talos #9141
Comments
Do we have any update on getting Talos Linux to be FIPS compliant?

We are in research phase here, no commitment/dates so far.

Absent a compelling commercial case, we are unlikely to explore FIPS compliance in the next 12 months.
You might have someone take enough interest eventually to contribute FIPS to this CNCF project without any need for commercial spending if there was some idea of where to start documented in this issue. If FIPS support is compiled into the kernel, it might be as easy as tossing an option to add "fips=1" to the boot loader. Looks like Talos might be doing something similar with KSPP? I see some possibly relevant stuff in the machinery/kernel too.
What exactly are you looking for? The US Government's budget isn't exactly a small customer. Not wishing to focus on that market is valid of course for many different reasons, but that's a business decision, not a lack of commercial opportunity. Rancher, before they were bought by SUSE, created RKE2 (originally RKE Gov) specifically to address this market and forked off Rancher Government when SUSE bought the rest, which is still successfully selling services to support government Kubernetes installations. Red Hat is making tons off of US Gov selling OpenShift. Broadcom/VMware has sold Tanzu hard to the government. There is also a lot of push toward more automated and higher security solutions, which Talos has the potential to be, but FIPS is a foundational expectation. You can get things through that aren't that, but the compliance battle to do something different than the old way benefits from these things not being a hindrance. In other words, it's a chicken and egg problem. You aren't likely to have someone champion your solution in gov space before you show a willingness to invest something. It'll take partnership with someone who knows the market to make the initial wins. As I said before though, being open source, maybe there is an alternative to Sidero Labs putting in some of that investment.
It's definitely a chicken and egg problem, and we agree there is a good business opportunity in the federal arena that getting FIPS compliant would help. However, as a small company, unless we get someone saying "We will give you $500K contract if you get the FIPS cert", we are not going to do it in the short term.
We are just expanding our engineering team and marketing (from zero!) currently, so will be increasing investment over the short term before our revenue reflects that, and we are not in a position to invest for other long term initiatives just now. SO... we will get to it. But in a while.

Yeah, valid.

What if the contract was just "get FIPS compliant?" How much would that cost?

golang/go#69536
Feature Request
In order to use Talos in any US Government context, we need all cryptography to be FIPS 140-2 compliant. Without FIPS compliance, we cannot consider using Talos in our production environments, and we would very much like Talos to be a serious contender in this space.
This would also make Talos a viable solution for any other high-security environments which care about FIPS 140-2 compliance.
Description
Provide a variant of the Talos image which contains only FIPS 140-2 validated cryptography modules. FIPS variants of other open source offerings exist. For reference:
This was requested previously in #6230 but grew stale. You can search to see if a particular library is FIPS compliant here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.