support fips-compliant build for arm #27622
Conversation
zhaohuabing
force-pushed
the
boringssl-fips-arm
branch
from
4ad692c
to
10dbd06
Compare
zhaohuabing
force-pushed
the
boringssl-fips-arm
branch
2 times, most recently
from
549ba41
to
1ab29e2
Compare
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
zhaohuabing
force-pushed
the
boringssl-fips-arm
branch
from
1ab29e2
to
318d0fa
Compare
There was a problem hiding this comment.
hi @zhaohuabing thanks for working on this
looking at ci and doing a quick review here im wondering how this should work, atm its failing due to trying to use non-hermetic binaries
not entirely clear how fips is expected to build wrt versions, but i think we dont want to be installing cmake/ninja etc in the host, and not sure it will work (current non-hermetic issue in ci is python afaict)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
There was a problem hiding this comment.
@zhaohuabing i confirmed offline that the current build is not affected by the switch to the toolchain/vendored tooling
(apologies for any confusion)
this lgtm, my one concern is that we dont have any testing for it, maybe thats ok
would be good to get a signoff from someone with better knowledge of fips
There was a problem hiding this comment.
This looks fine to me. Did you try to run the ARM build and validate that fips_mode is reported in the admin? I am not sure if the CI tries this build.
Re: @phlax: FIPS mode performs a self-test so if envoy self-reports FIPS mode, it should be correct.
i more meant in ci |
|
@phlax Yeah, I'm a bit concerned about the lack of testing for compile time options for ARM. Should we create a CI pipelne similar to x86 one? |
the only problem is that it doesnt use a free azp host, so there is a ~cost implication - i was wondering about adding a fips build in the main release stage, but not sure |
|
I think it's OK to verify manually right now since there is no logic change. Can we get a confirmation that the ARM build reports fips_mode correctly? |
@kyessenov Verified on my arm machine. ➜ envoy git:(boringssl-fips-arm) ✗ lscpu|grep arc
Architecture: aarch64
➜ envoy git:(boringssl-fips-arm) ✗ echo "build --define boringssl=fips" >> .bazelrc
➜ envoy git:(boringssl-fips-arm) ✗ ./ci/run_envoy_docker.sh ' ./ci/do_ci.sh bazel.release.server_only'
➜ envoy git:(boringssl-fips-arm) ✗ /tmp/envoy-docker-build/envoy/arm64/source/exe/envoy/envoy --version|grep FIPS
/tmp/envoy-docker-build/envoy/arm64/source/exe/envoy/envoy version: 2a4c291b281ecc9fad3a28868da4618eb2a6e0f2/1.27.0-dev/Modified/RELEASE/BoringSSL-FIPS |
|
cc @kyessenov If this ready to merge or need a second review from other maintainers? |
| && echo "$SHA256" v"$VERSION".tar.gz | sha256sum --check | ||
| tar -xvf v"$VERSION".tar.gz | ||
| cd ninja-"$VERSION" | ||
| python3 ./configure.py --bootstrap |
There was a problem hiding this comment.
i guess we will have to just go with this for now but there is no guarantee of any python in an environment
we could use the hermetic python provided by rules_python, but then im thinking rather just use rules_foreign_cc and avoid these problems altogether
either way, we can address the non-hermetic fips build subsequently - i appreciate this is mostly just doing for arm what is currently done for x86
There was a problem hiding this comment.
one small nit, and i think this should be good to land @zhaohuabing
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
|
@zhaohuabing A better test is to run envoy and query server stats for |
@kyessenov Sure I can try that. Below is the output: ➜ ~ /tmp/envoy-docker-build/envoy/arm64/source/exe/envoy/envoy --config-path test.yml>/dev/null 2>&1 &
[1] 1513328
➜ ~ curl 127.0.0.1:9901/stats|grep fips
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31898 0 31898 0 0 15.2M 0 --:--:-- --:--:-- --:--:-- 15.2M
server.compilation_settings.fips_mode: 1 |
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Eskin <ryan.eskin89@protonmail.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Follow up from: - envoyproxy#27087 - envoyproxy#27622 Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
Follow up from: - envoyproxy#27087 - envoyproxy#27622 Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
Follow up from: - envoyproxy#27087 - envoyproxy#27622 Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
Commit Message: support fips-compliant build for arm
Additional Description: related issue: #27620
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]