support fips-compliant build for arm (#27622)

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Northey <ryan@synca.io>
envoyproxy · Jul 24, 2023 · 35af8f2 · 35af8f2
1 parent 9d5e760
commit 35af8f2
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 20 deletions.
diff --git a/bazel/BUILD b/bazel/BUILD
@@ -427,7 +427,6 @@ config_setting(
     name = "boringssl_fips",
     constraint_values = [
         "@platforms//os:linux",
-        "@platforms//cpu:x86_64",
     ],
     values = {"define": "boringssl=fips"},
 )

diff --git a/bazel/external/boringssl_fips.genrule_cmd b/bazel/external/boringssl_fips.genrule_cmd
@@ -2,15 +2,21 @@
 
 set -e
 
-# BoringSSL build as described in the Security Policy for BoringCrypto module (2020-07-02):
-# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
+export CXXFLAGS=''
+export LDFLAGS=''
 
-# This works only on Linux-x86_64.
-if [[ `uname` != "Linux" || `uname -m` != "x86_64" ]]; then
-  echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64."
+# BoringSSL build as described in the Security Policy for BoringCrypto module (2022-05-06):
+# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf
+
+OS=`uname`
+ARCH=`uname -m`
+# This works only on Linux-x86_64 and Linux-aarch64.
+if [[ "$OS" != "Linux" || ("$ARCH" != "x86_64" && "$ARCH" != "aarch64") ]]; then
+  echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64 and Linux-aarch64."
   exit 1
 fi
 
+
 # Bazel magic.
 # ROOT=$(dirname $(rootpath boringssl/BUILDING.md))/..
 ROOT=./external/boringssl_fips
@@ -27,11 +33,15 @@ export PATH="$(dirname `which cmake`):/usr/bin:/bin"
 
 # Clang
 VERSION=12.0.0
-SHA256=a9ff205eb0b73ca7c86afc6432eed1c2d49133bd0d49e47b15be59bbf0dd292e
-PLATFORM="x86_64-linux-gnu-ubuntu-20.04"
+if [[ "$ARCH" == "x86_64" ]]; then
+  PLATFORM="x86_64-linux-gnu-ubuntu-20.04"
+  SHA256=a9ff205eb0b73ca7c86afc6432eed1c2d49133bd0d49e47b15be59bbf0dd292e
+else
+  PLATFORM="aarch64-linux-gnu"
+  SHA256=d05f0b04fb248ce1e7a61fcd2087e6be8bc4b06b2cc348792f383abf414dec48
+fi
 
-curl -sLO https://github.com/llvm/llvm-project/releases/download/llvmorg-"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz \
-  && echo "$SHA256" clang+llvm-"$VERSION"-"$PLATFORM".tar.xz | sha256sum --check
+curl -sLO https://github.com/llvm/llvm-project/releases/download/llvmorg-"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
 tar xf clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
 
 export HOME="$PWD"
@@ -45,8 +55,13 @@ fi
 
 # Go
 VERSION=1.16.5
-SHA256=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061
-PLATFORM="linux-amd64"
+if [[ "$ARCH" == "x86_64" ]]; then
+  PLATFORM="linux-amd64"
+  SHA256=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061
+else
+  PLATFORM="linux-arm64"
+  SHA256=d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799
+fi
 
 curl -sLO https://dl.google.com/go/go"$VERSION"."$PLATFORM".tar.gz \
   && echo "$SHA256" go"$VERSION"."$PLATFORM".tar.gz | sha256sum --check
@@ -63,24 +78,30 @@ fi
 
 # Ninja
 VERSION=1.10.2
-SHA256=763464859c7ef2ea3a0a10f4df40d2025d3bb9438fcb1228404640410c0ec22d
-PLATFORM="linux"
-
-curl -sLO https://github.com/ninja-build/ninja/releases/download/v"$VERSION"/ninja-"$PLATFORM".zip \
-  && echo "$SHA256" ninja-"$PLATFORM".zip | sha256sum --check
-unzip -o ninja-"$PLATFORM".zip
+SHA256=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed
+curl -sLO https://github.com/ninja-build/ninja/archive/refs/tags/v"$VERSION".tar.gz \
+  && echo "$SHA256" v"$VERSION".tar.gz | sha256sum --check
+tar -xvf v"$VERSION".tar.gz
+cd ninja-"$VERSION"
+python3 ./configure.py --bootstrap
 
 export PATH="$PWD:$PATH"
 
 if [[ `ninja --version` != "$VERSION" ]]; then
   echo "ERROR: Ninja version doesn't match."
   exit 1
 fi
+cd ..
 
 # CMake
 VERSION=3.20.1
-SHA256=b8c141bd7a6d335600ab0a8a35e75af79f95b837f736456b5532f4d717f20a09
-PLATFORM="linux-x86_64"
+if [[ "$ARCH" == "x86_64" ]]; then
+  PLATFORM="linux-x86_64"
+  SHA256=b8c141bd7a6d335600ab0a8a35e75af79f95b837f736456b5532f4d717f20a09
+else
+  PLATFORM="linux-aarch64"
+  SHA256=5ad1f8139498a1956df369c401658ec787f63c8cb4e9759f2edaa51626a86512
+fi
 
 curl -sLO https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION"-"$PLATFORM".tar.gz \
   && echo "$SHA256" cmake-"$VERSION"-"$PLATFORM".tar.gz | sha256sum --check