git.ipfire.org Git - thirdparty/openssl.git/commitdiff
fips: mention the internal jitter source in the FIPS README
author: Pauli <ppzgs1@gmail.com>
Thu, 19 Sep 2024 22:59:40 +0000 (08:59 +1000)
committer: Pauli <ppzgs1@gmail.com>
Wed, 9 Oct 2024 02:53:10 +0000 (13:53 +1100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25498)

README-FIPS.md

index d8ca3c482d5660002eaf5d3331b9ff98fa23073b..c15cbad67c6deed0b1242e89edb44f0211ea52af 100644 (file)
@@ -167,6 +167,22 @@ manual page.
 
  [fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html
 
+Entropy Source
+==============
+
+The FIPS provider typically relies on an external entropy source,
+specified during OpenSSL build configuration (default: `os`).  However, by
+enabling the `enable-fips-jitter` option during configuration, an internal
+jitter entropy source will be used instead.  Note that this will cause
+the FIPS provider to operate in a non-compliant mode unless an entropy
+assessment [ESV] and validation through the [CMVP] are additionally conducted.
+
+Note that the `enable-fips-jitter` option is only available in OpenSSL
+versions 3.5 and later.
+
+ [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
+ [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
+
 3rd-Party Vendor Builds
 =====================================