Hello Bennet,

Maybe someone else can chime in on this, as I have not worked on a system with FIPS, but perhaps there is a way for the FIPS administrator to whitelist all the Freesurfer binaries (and the license file) as security exempt.

I know some Enterprise/business applications like Adobe’s Acrobat, etc. (closed source) are built with code to work on FIPS compliant systems, but I don’t see that there is currently anything in the Freesurfer (essentially open source) code that knows about cryptographic modules, digital signatures, etc. to work on a secure system. Even turning on SELinux for Linux OS can be an issue for some programs. Another thing to inquire about is if the IT folks maintain any non-secure servers, i.e., I would not assume that any application will just work in a secure environment.

- rob

> On Apr 12, 2018, at 10:51 AM, Bennet Fauber <ben...@umich.edu> wrote:
>
> It appears that FreeSurfer is not compatible with systems for which
> FIPS level security is mandated. In our case, I am told this is part
> of our data use agreement with the VA.
>
> We tried to run it, and I get the following stack trace showing what
> appears to be license validation using the crypt() function, which is
> blacklisted by the Linux kernel by the FIPS configuration.
>
> 28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
> 28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
> 28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
> 28063 read(3, "issc-sysad...@umich.edu\n23098\n*C"..., 4096) = 59
> 28063 read(3, "", 4096) = 0
> 28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> 28063 read(4, "1\n", 31) = 2
> 28063 close(4) = 0
> 28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
> 28063 exit_group(1)
>
> Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?
>
> Appreciate your consideration of this question,
>
> -- bennet
>
> On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber <ben...@umich.edu> wrote:
>> I have a couple of users here who are reporting that on machines with
>> FIPS enabled, which in turn disables certain cryptographic functions,
>> FreeSurfer core dumps with a call to the crypt() function, which FIPS
>> disables.
>>
>> Someone speculated based on output from strace that this is FreeSurfer
>> possibly attempting to validate its license.
>>
>> Is this a known problem? Is there a solution?
>>
>> We have a university compliance office and possibly similar people
>> from our local VA who are insisting that FIPS be enabled.
>>
>> If you need more information, please let me know and I will try to
>> obtain it for you.
>>
>> Thanks, -- bennet

_______________________________________________
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer
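
The triage done by eye on the strace excerpt in this thread can be scripted; the following is an added example, not part of the original messages and not FreeSurfer code. It assumes `strace -f` style lines prefixed with a PID, and its `suspect_fips` flag is only a heuristic correlation (FIPS flag read as 1, then an error write and a non-zero exit), not proof of cause.

```python
import re

# Constructed sample modelled on the strace excerpt in the thread (address is a placeholder).
SAMPLE = r'''
28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
28063 read(3, "user@example.org\n23098\n*C"..., 4096) = 59
28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
28063 read(4, "1\n", 31) = 2
28063 close(4) = 0
28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
28063 exit_group(1)
'''

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"
CALL = re.compile(r'^(\d+)\s+(\w+)\((.*)$')              # pid, syscall name, rest of line
OPEN_ARGS = re.compile(r'(?:AT_FDCWD, )?"([^"]+)".*=\s*(-?\d+)')  # path, returned fd
READ_ARGS = re.compile(r'(\d+), "([^"]*)"')              # fd, data as printed by strace
WRITE_ARGS = re.compile(r'[12], "([^"]*)"')              # stdout/stderr text

def triage(trace):
    """Per PID: was FIPS mode probed, which files were opened before that, how did it end."""
    report, fds = {}, {}                                 # fds maps (pid, fd) -> path
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        pid, call, args = m.groups()
        r = report.setdefault(pid, {"fips": None, "opened": [], "error": None, "exit": None})
        if call in ("open", "openat") and (a := OPEN_ARGS.match(args)) and int(a[2]) >= 0:
            fds[pid, a[2]] = a[1]
            if a[1] != FIPS_FLAG and r["fips"] is None:
                r["opened"].append(a[1])                 # files touched before the FIPS probe
        elif call == "read" and (a := READ_ARGS.match(args)):
            if fds.get((pid, a[1])) == FIPS_FLAG:
                r["fips"] = a[2].startswith("1")         # kernel flag: "1" means FIPS mode on
        elif call == "close":
            fds.pop((pid, args.split(")")[0].strip()), None)
        elif call == "write" and (a := WRITE_ARGS.match(args)) and "ERROR" in a[1]:
            r["error"] = a[1]
        elif call == "exit_group":
            r["exit"] = int(args.split(")")[0])
        # Heuristic only: FIPS on, an error was printed, and the process exited non-zero.
        r["suspect_fips"] = bool(r["fips"]) and r["error"] is not None and r["exit"] not in (None, 0)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `opened` list shows what the process touched before probing the FIPS flag, which is what ties the failure in the trace to license handling.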