Hello Bennet,
Maybe someone else can chime in on this, as I have not worked on a system with FIPS, but perhaps there is a way for the FIPS administrator to whitelist all the Freesurfer binaries (and the license file) as security exempt.
I know some Enterprise/business applications like Adobe’s Acrobat, etc., (closed source) are built with code to work on FIPS compliant systems, but I don’t see that there is currently anything in the Freesurfer (essentially open source) code that knows about cryptographic modules, digital signatures, etc., to work on a secure system. Even turning on SELinux for a Linux OS can be an issue for some programs.
Another thing to inquire about is if the IT folks maintain any non-secure servers, i.e., I would not assume that any application will just work in a secure environment.
- rob
On Apr 12, 2018, at 10:51 AM, Bennet Fauber bennet@umich.edu wrote:
It appears that FreeSurfer is not compatible with systems for which FIPS level security is mandated. In our case, I am told this is part of our data use agreement with the VA.
We tried to run it, and I get the following stack trace showing what appears to be license validation using the crypt() function, which is blacklisted by the Linux kernel by the FIPS configuration.
28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
28063 read(3, "issc-sysadmin@umich.edu\n23098\n*C"..., 4096) = 59
28063 read(3, "", 4096) = 0
28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
28063 read(4, "1\n", 31) = 2
28063 close(4) = 0
28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
28063 exit_group(1)
Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?
Appreciate your consideration of this question,
-- bennet
On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber bennet@umich.edu wrote:
I have a couple of users here who are reporting that on machines with FIPS enabled, which in turn disables certain cryptographic functions, FreeSurfer core dumps with a call to the crypt() function, which FIPS disables.
Someone speculated based on output from strace that this is FreeSurfer possibly attempting to validate its license.
Is this a known problem? Is there a solution?
We have a university compliance office and possibly similar people from our local VA who are insisting that FIPS be enabled.
If you need more information, please let me know and I will try to obtain it for you.
Thanks, -- bennet
Freesurfer mailing list Freesurfer@nmr.mgh.harvard.edu https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer
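
A small triage script for the pattern visible in the trace above, as an added example that is not part of the original thread or of FreeSurfer: it scans `strace -f` output for a process that reads /proc/sys/crypto/fips_enabled as 1, then writes a message to stdout/stderr and exits non-zero. The function name `fips_failures` and the abbreviated trace (fstat, mmap and the license reads left out) are choices made for this example.

```python
import re

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"
# pid, syscall name, argument text, optional numeric return value
CALL = re.compile(r'^(\d+)\s+(\w+)\((.*?)\)(?:\s*=\s*(-?\d+|\?)(?:\s.*)?)?$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Lines copied from the trace quoted in this thread (abbreviated).
TRACE = r'''28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
28063 read(4, "1\n", 31) = 2
28063 close(4) = 0
28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
28063 exit_group(1)
'''

def fips_failures(trace):
    """Return one finding per PID that read fips_enabled=1 and then exited non-zero."""
    fds, fips_on, last_msg, findings = {}, set(), {}, []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        pid, name, args, ret = m.groups()
        q = QUOTED.search(args)
        text = q.group(1) if q else ""          # first quoted argument, if any
        first = args.split(",")[0].strip()      # fd or exit code
        if name in ("open", "openat") and ret and ret.isdigit():
            fds[(pid, ret)] = text              # remember which path this fd refers to
        elif name == "read" and fds.get((pid, first)) == FIPS_FLAG:
            if text.startswith("1"):
                fips_on.add(pid)                # kernel reports FIPS mode enabled
        elif name == "close":
            fds.pop((pid, first), None)
        elif name == "write" and first in ("1", "2") and pid in fips_on:
            last_msg[pid] = text                # last stdout/stderr message after the check
        elif name == "exit_group" and pid in fips_on and first != "0":
            findings.append({"pid": pid, "exit": int(first),
                             "message": last_msg.get(pid, "")})
    return findings

if __name__ == "__main__":
    for f in fips_failures(TRACE):
        print(f)
```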