POC of replacing boringcrypto with Go's native FIPS-140-3 module #636
mjlshen wants to merge 1 commit into openshift:master from
/hold This shouldn't be merged. It should be worked on internally if important.
https://go.dev/blog/fips140 boringcrypto is slated to be removed in a future release. Signed-off-by: Michael Shen <[email protected]>
This is blocked internally for HCM security to confirm that FIPS-140-3 is good to go. I will follow up with them.
I asked about this a long time ago when the blog first dropped, so it may not be valid information anymore. As I understand it, the FIPS in native Go is still "In process" and is not fully "approved", so there may be some legal/compliance-y back and forth on what that means. +1 to definitely discussing with internal compliance/security teams + the FIPS folks before any major changes. Lately I've been using go-toolset (installed via package manager) for FIPS builds, which is essentially Red Hat's fork of Go with all the OpenSSL bits to ensure FIPS compliance.
Warning
Disclaimer: How boilerplate sets up FIPS compliance should definitely follow Red Hat guidelines. I don't know what they are. I am just making this MR to raise awareness of this configuration and its brief history.
- `GOEXPERIMENT=boringcrypto` + the `"crypto/tls/fipsonly"` library, which required `CGO_ENABLED=1`, was initially used. The cgo requirement necessitated a swap from `ubi*-micro` --> `ubi*-minimal` images.
- `GOEXPERIMENT=strictfipsruntime`, added in Use GOEXPERIMENT=strictfipsruntime #298 when Red Hat was supporting an internal fork of Go; this was deprecated and removed in OSD-29374: Drop unsupported strictfipsruntime GOEXPERIMENT for Go 1.23 #516.

I think this makes FIPS compliance easier than ever - especially the removal of the cgo requirement should allow usage of `ubi*-micro` images again if there's a desire for that (fewer CVEs to manage!).
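The configuration change the description is pointing at, as an added example that is not part of this PR or of the boilerplate repo: a two-stage build that selects Go's native FIPS 140-3 module with `GOFIPS140`, keeps cgo off, and therefore lands on `ubi-micro` again. The toolchain image tag, the `ubi9` image names, the `./cmd/app` path and the build flags are assumptions, not values from the PR.

```dockerfile
# Added example (not the PR's code): native Go FIPS 140-3 module instead of
# GOEXPERIMENT=boringcrypto. Image tags and paths are assumptions.
#
#   docker build --build-arg GOFIPS140=latest -t app:fips .    (FIPS mode on)
#   docker build --build-arg GOFIPS140=off    -t app:nofips .  (ordinary crypto)

# --- build stage ------------------------------------------------------------
# Assumed upstream toolchain image; GOFIPS140 needs Go 1.24 or newer.
FROM docker.io/library/golang:1.24 AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# GOFIPS140 picks the Go Cryptographic Module version and makes fips140=on the
# binary's default GODEBUG: "latest" = newest module, "v1.0.0" = that specific
# version, "off" = no FIPS module.
ARG GOFIPS140=latest

# The native module is pure Go, so CGO_ENABLED=0 is fine and the binary is
# static. Earlier configurations, kept only for contrast (do not combine):
#   GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go build ...  + import _ "crypto/tls/fipsonly"
#   GOEXPERIMENT=strictfipsruntime ...                    (dropped in #516)
RUN GOFIPS140=${GOFIPS140} CGO_ENABLED=0 GOOS=linux \
    go build -trimpath -o /out/app ./cmd/app

# --- runtime stage ----------------------------------------------------------
# Without cgo there is no dynamic linking requirement, so the smaller
# ubi-micro base is usable again in place of ubi-minimal.
FROM registry.access.redhat.com/ubi9/ubi-micro
COPY --from=builder /out/app /usr/local/bin/app
# At startup the application can confirm the mode with crypto/fips140.Enabled()
# and refuse to serve if it is false; GODEBUG=fips140=only additionally rejects
# non-approved algorithms at runtime.
USER 1001
ENTRYPOINT ["/usr/local/bin/app"]
```

Setting `GOFIPS140=off` for a build produces the same image layout with ordinary crypto, which makes it easy to diff the two images and confirm that nothing but the build argument differs.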