
Aws lc fips build fixes#43953

Open
kpramesh2212 wants to merge 3 commits intoenvoyproxy:mainfrom
kpramesh2212:aws-lc-fips-build-fixes

Conversation

@kpramesh2212

Use of generative AI

I used generative AI to help fix the AWS-LC FIPS build. I am not a C++ developer, so this PR should be reviewed carefully before merging. I was able to compile Envoy successfully with the changes below, but I may not have fully understood all implications. Please review thoroughly.


Additional Description

This PR fixes several build failures encountered when building Envoy with --config=aws-lc-fips, particularly on aarch64 and in container/CI environments. These fixes address the build infrastructure issues that prevent the AWS-LC FIPS build from completing.

Note for native aarch64 builds: The build also requires BAZEL_USE_HOST_SYSROOT=True (set as an environment variable before building). This is an existing Envoy option documented in bazel/repo.bzl and is not changed in this PR.


Risk Level

Low – changes are limited to build configuration and external dependency setup, not runtime code.


Testing

Production build (successful):

bazel build -c opt //source/exe:envoy-static \
  --config=aws-lc-fips \
  --config=sizeopt \
  --define=no_debug_info=1 \
  --copt=-ffunction-sections \
  --copt=-fdata-sections \
  --linkopt=-Wl,--gc-sections \
  --linkopt=-Wl,-s \
  --strip=always \
  --fission=no \
  --jobs=63

Debug build (successful):

bazel build //source/exe:envoy-static --config=aws-lc-fips --spawn_strategy=standalone

Environment: Native aarch64 Linux build with BAZEL_USE_HOST_SYSROOT=True exported.


Docs Changes

None. Consider documenting BAZEL_USE_HOST_SYSROOT=True for native aarch64 AWS-LC FIPS builds in a follow-up.


Release Notes

build: Fix AWS-LC FIPS build for aarch64 and container environments (Go deps, tar extraction, sandbox)

Platform Specific Features

  • Linux aarch64 (native build)
  • Linux x86_64 (expected to work; not tested)

Fixes #43904


BUILD machine

NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023.3.20240312"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
VENDOR_NAME="AWS"
VENDOR_URL="https://aws.amazon.com/"
SUPPORT_END="2028-03-15"

EXPLANATION OF CHANGES (for review comments or PR description)

  1. Go dependency resolution (bazel/dependency_imports.bzl)

    • Problem: com_github_spf13_afero and com_github_lyft_protoc_gen_star_v2
      import golang.org/x/text and golang.org/x/tools, but Gazelle didn't resolve
      them, causing "missing strict dependencies" errors.
    • Change: Added build_directives to tell Gazelle how to resolve these
      imports to @org_golang_x_text and @org_golang_x_tools. Also added
      org_golang_x_tools go_repository if it wasn't present.
  2. Tar ownership (bazel/external/aws_lc.genrule_cmd)

    • Problem: The AWS-LC FIPS build downloads and extracts Clang, Go, Ninja,
      and CMake tarballs. These archives contain ownership metadata (uid 11827,
      gid 9000). In containers or sandboxes, those uid/gid don't exist, so tar
      fails with "Cannot change ownership: Invalid argument".
    • Change: Added --no-same-owner to all 5 tar commands so extracted files
      use the current user's uid/gid. Safe for build toolchains and works in
      restricted environments.
  3. AWS-LC genrule sandbox (bazel/external/aws_lc.BUILD)

    • Problem: The AWS-LC genrule runs CMake, which writes files during
      configure. Bazel's sandbox makes the execroot read-only for some actions,
      causing "Read-only file system" when CMake runs configure_file.
    • Change: Added tags = ["no-sandbox"] to the AWS-LC genrule so it runs
      outside the sandbox. Only this genrule is affected; other build actions
      remain sandboxed.
  4. Host sysroot (environment variable - not a code change)

    • Problem: On native aarch64, the hermetic sysroot may not have the
      expected libc layout, causing linker errors like "cannot find
      /lib/aarch64-linux-gnu/libc.so.6".
    • Change: Use BAZEL_USE_HOST_SYSROOT=True (existing Envoy option) to use
      the host's libc. Document this for native aarch64 builds.

SUMMARY TABLE

| File | Change | Purpose |
| --- | --- | --- |
| bazel/dependency_imports.bzl | build_directives | Fix Go "missing strict dependencies" |
| bazel/external/aws_lc.genrule_cmd | --no-same-owner on tar | Fix tar ownership errors in containers |
| bazel/external/aws_lc.BUILD | tags = ["no-sandbox"] | Fix CMake "Read-only file system" |
| Environment | BAZEL_USE_HOST_SYSROOT=True | Use host libc on native aarch64 (document) |

================================================================================
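The two build-infrastructure problems in the description (tar refusing to restore a uid/gid that does not exist in the container, and CMake needing somewhere writable while the execroot is read-only) can be reproduced and handled in a few lines of shell. The script below is an added example, not code from this PR or from Envoy's aws_lc.genrule_cmd. It assumes GNU tar and GNU coreutils stat, builds a constructed archive whose members carry the uid 11827 / gid 9000 the description reports, and uses a fake `cmake` stand-in script instead of a real CMake/Ninja build; it demonstrates the scratch-directory approach the later commit message describes rather than the `no-sandbox` tag from the first revision.

```shell
#!/usr/bin/env bash
# Added example, not code from the Envoy PR. It exercises the two build-infrastructure
# fixes the description talks about: extracting downloaded toolchain tarballs whose
# entries carry a foreign uid/gid (11827:9000, per the PR) with --no-same-owner, and
# running the build in a writable scratch directory instead of the execroot.
# Assumptions: GNU tar (--owner/--group/--no-same-owner/--numeric-owner) and GNU
# coreutils stat; "cmake" is a constructed stand-in script, not real CMake.
set -eu

# make_toolchain_tarball SRC OUT: create a constructed archive whose members are
# owned by uid 11827 / gid 9000, mimicking the upstream Clang/Go/CMake tarballs.
make_toolchain_tarball() {
  local src="$1" out="$2"
  mkdir -p "$src/bin"
  printf '#!/bin/sh\necho "fake-cmake 4.2.3"\n' > "$src/bin/cmake"
  chmod +x "$src/bin/cmake"
  tar --owner=11827 --group=9000 -cf "$out" -C "$src" .
}

# archive_uid TARBALL: uid recorded in the archive for bin/cmake (11827 here).
archive_uid() {
  tar --numeric-owner -tvf "$1" ./bin/cmake | awk '{print $2}' | cut -d/ -f1
}

# extract_toolchain TARBALL DEST: extract without restoring the recorded owner.
# Running as root (the usual case in a build container) GNU tar defaults to
# --same-owner and would call chown(11827, 9000), which fails when that uid/gid
# does not exist in the container; --no-same-owner keeps the invoking user.
extract_toolchain() {
  mkdir -p "$2"
  tar --no-same-owner -xf "$1" -C "$2"
}

# owner_uid PATH: uid that actually owns an extracted file.
owner_uid() { stat -c %u "$1"; }

# build_in_scratch TOOLCHAIN_DIR OUT_FILE: run the build in a fresh temporary
# directory with GOCACHE and HOME pointing inside it, then copy the artifact to
# OUT_FILE (what a genrule would reference as $@). Nothing is written next to the
# sources or the toolchain, so the genrule can stay sandboxed with a read-only
# execroot.
build_in_scratch() {
  local toolchain="$1" out="$2" scratch
  scratch=$(mktemp -d)
  mkdir -p "$scratch/build" "$scratch/gocache"
  (
    cd "$scratch/build"
    export PATH="$toolchain/bin:$PATH" GOCACHE="$scratch/gocache" HOME="$scratch"
    # stand-in for "cmake -GNinja ... && ninja"; a real build would produce
    # crypto/libcrypto.a and ssl/libssl.a here
    cmake > libcrypto.a
  )
  cp "$scratch/build/libcrypto.a" "$out"
  rm -rf "$scratch"
}

# run_demo: end-to-end run; prints the recorded vs. actual uid and the artifact.
run_demo() {
  local work
  work=$(mktemp -d)
  make_toolchain_tarball "$work/src" "$work/toolchain.tar"
  echo "uid recorded in archive:    $(archive_uid "$work/toolchain.tar")"
  extract_toolchain "$work/toolchain.tar" "$work/toolchain"
  echo "uid of extracted bin/cmake: $(owner_uid "$work/toolchain/bin/cmake") (current uid $(id -u))"
  build_in_scratch "$work/toolchain" "$work/libcrypto.a"
  echo "artifact: $work/libcrypto.a ($(cat "$work/libcrypto.a"))"
}
```

Source the file and call `run_demo`, or call the functions individually. The archive listing shows 11827/9000 while the extracted file belongs to whoever ran the extraction; as an unprivileged user GNU tar already behaves this way, so the flag matters precisely in the root-in-container case the description describes. Keeping every write inside `mktemp -d` is what lets the genrule keep its sandbox instead of opting out with `no-sandbox`.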

@repokitteh-read-only

Hi @kpramesh2212, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #43953 was opened by kpramesh2212.


@repokitteh-read-only repokitteh-read-only bot added the deps Approval required for changes to Envoy's external dependencies label Mar 13, 2026
@repokitteh-read-only

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @RyanTheOptimist

🐱

Caused by: #43953 was opened by kpramesh2212.


@paul-r-gall
Contributor

@kpramesh2212 please apply DCO and merge main.

See "Fixing DCO" for instructions on DCO.

Member

@phlax phlax left a comment

thanks for working on this @kpramesh2212

],
cmd = "$(location {}) $(location crypto/libcrypto.a) $(location ssl/libssl.a)".format("@envoy//bazel/external:aws_lc.genrule_cmd"),
tools = ["@envoy//bazel/external:aws_lc.genrule_cmd"],
tags = ["no-sandbox"],
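Review bot: `tags = ["no-sandbox"]` on this genrule switches off Bazel's sandbox for the entire CMake/Ninja build of AWS-LC, so the action can read and write anything on the host and its outputs are no longer reproducible from declared inputs, which is the wrong trade for a FIPS artifact. The "Read-only file system" error the description cites comes from CMake writing into the source tree during configure, not from the sandbox being too strict; run configure and the build in a writable scratch directory (`mktemp -d`, with GOCACHE pointed inside it) and copy `crypto/libcrypto.a` and `ssl/libssl.a` to `$@`, keeping the sandbox on. The later commit message ("build in writable temp dir with GOCACHE instead of execroot") is the right direction.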
Member

i think this is wrong/unnecessary

Author

@phlax I am working on this will update the PR once I fix it.

Author

@phlax I have removed that tag and changed the AWS_LC cmd to get it compiling

Contributor

@yanavlasov yanavlasov left a comment

/wait

continue;
}

#ifdef OPENSSL_IS_BORINGSSL
Contributor

I do not think you need this ifdef, since the compiler will have no issue converting a non-const type to const. But not the other way around. I would just add a comment that aws-lc needs non-const input to X509_NAME_dup

Author

@yanavlasov I have removed that block

switch (policy.value()) {
using ProtoPolicy = envoy::extensions::transport_sockets::tls::v3::TlsParameters;
case ProtoPolicy::FIPS_202205:
#ifdef OPENSSL_IS_BORINGSSL
Contributor

Does this change also fix a build error, or is it a runtime error? If it is a runtime error, can you move it into a separate PR to keep unrelated changes separate, please?

Author

@yanavlasov Yes, without that if block the build is failing

Member

The preferred way to fix these types of build errors is to define something in aws_lc_compat.h for whatever is missing/different in aws-lc.

Author

@ggreenway I have fixed this

Ramesh KP added 2 commits March 19, 2026 12:59
- Upgrade AWS-LC from 1.66.2 to 1.70.0
- Replace runtime tool downloads with Bazel external repos for Clang,
  Go, Ninja, and CMake (per-arch: x86_64, aarch64, ppc64le)
- Fix sandbox: build in writable temp dir with GOCACHE instead of execroot
- Add X509_NAME_dup const_cast for AWS-LC/OpenSSL API compatibility
- Reject FIPS_202205 policy when not using BoringSSL
- Add Gazelle resolve directives for golang.org/x/text and x/tools

Signed-off-by: Ramesh KP <ramesh_kp.kurichi_ponnuswamy@genesys.com>
name = "cmake_bin",
srcs = [
"@aws_lc_cmake_linux_ppc64le//:all",
"@aws_lc_cmake_linux_ppc64le//:bootstrap",
Member

this should be agnostic to arch - aws can be used eg on arm also if a fips build is required

also wondering if all this duplication is necessary

Member

if this works for builds other than ppce, i think this repo is just misnamed - its not ppce-specific

iiuc - it should probably be called fips_cmake_src or similar to be consistent with how we have existing fips repos

Author

@phlax I have addressed this comment

@kpramesh2212
Author

I have built Envoy on both x86 and arm machines with AWS_LC and the build is completing fine

@RyanTheOptimist
Contributor

Assigning to @phlax who understands this better and is already reviewing :)

Member

@ggreenway ggreenway left a comment

/wait


bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name));
// AWS-LC/OpenSSL require non-const input to X509_NAME_dup; BoringSSL accepts const.
bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(const_cast<X509_NAME*>(name)));
Member

Don't const-cast; just remove the const on line 554

Author

fixed this

switch (policy.value()) {
using ProtoPolicy = envoy::extensions::transport_sockets::tls::v3::TlsParameters;
case ProtoPolicy::FIPS_202205:
#ifdef OPENSSL_IS_BORINGSSL
Member

The preferred way to fix these types of build errors is to define something in aws_lc_compat.h for whatever is missing/different in aws-lc.

continue;
}

#ifdef OPENSSL_IS_BORINGSSL
Member

remove const_cast same as above

Author

fixed all of these

@kpramesh2212
Author

@phlax @ggreenway I have fixed all the review comments; could you please take a look at this PR?

@kpramesh2212
Author

@phlax @ggreenway @yanavlasov

Hi! Just following up on this PR. I've incorporated all the requested changes from the previous review.

Whenever you get a chance, I'd appreciate a re-review. Thanks a lot for your help!

Member

@phlax phlax left a comment

the main issue for us reviewing this is that it's not supported, and therefore not tested

i think we can probably accommodate this but you will need to reduce the duplication and deps to do so

wrt duplication - also wondering if this can't reuse more existing code - but let's address above first and then consider that possibility

./bootstrap --parallel=$$(nproc)
make -j$$(nproc)
cp bin/cmake $@
""",
Member

Suggested change
""",
""",
target_compatible_with = select({
"@platforms//cpu:x86_64": ["@platforms//:incompatible"],
"@platforms//cpu:aarch64": ["@platforms//:incompatible"],
"//conditions:default": [],
}),

as these two platforms already have a prebuilt - i think this should be marked as incompatible with them

] + select({
"@platforms//cpu:x86_64": [
"@aws_lc_clang_x86_64//:bin/clang",
"@aws_lc_clang_x86_64//:bin/clang++",
Member

this is not correct - for x86 it should use the toolchains_llvm platform - same for aarch64 below

OS=`uname`
ARCH=`uname -m`
OS=$(uname)
ARCH=$(uname -m)
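Review bot: `ARCH=$(uname -m)` (and `OS=$(uname)`) inside the genrule command picks the toolchain archive based on the machine executing the action, not on the configured target platform, so a cross-compile or a remote executor on a different architecture silently selects the wrong Clang/Go/CMake tarball and, worse, a different FIPS module build than the one tested. Since the BUILD file already chooses per-cpu inputs with `select({"@platforms//cpu:x86_64": ...})`, pass the platform into the script from that select (or via `$(location ...)` of the chosen archive) instead of probing the host at run time. Swapping backticks for `$(...)` is the right move; `shellcheck -x bazel/external/aws_lc.genrule_cmd` should be clean for the lines this PR touches.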
Member

this is definitely an improvement - i think this file still doesn't pass shellcheck though (annoyingly it's not currently tested by CI)

could you run

$ shellcheck -x bazel/external/aws_lc.genrule_cmd

and at least ensure that no new issues are added

echo "PATH: $PATH"
echo "PLATFORM: $PLATFORM"
echo "ERROR: CMake version doesn't match. Expected: ${VERSION}, Got: $(cmake --version | head -n1)"
VERSION=4.2.3
Member

fwiw we have removed these version checks from the boringssl fips build as we have adopted a slightly different policy for managing fips (see bazel/SSL.md)

build_file_content = GO_BUILD_CONTENT,
)
external_http_archive(
name = "aws_lc_go_aarch64",
Member

are these go binaries that aws_lc produces - if not they don't want the aws_lc prefix - also wondering why you need to add go binaries for x86/arm when we already have them

urls = ["https://dl.google.com/go/go{version}.linux-arm64.tar.gz"],
),

aws_lc_clang_x86_64 = dict(
Member

as commented above we don't want these deps - it's duplicating the toolchain

urls = ["https://github.com/llvm/llvm-project/releases/download/llvmorg-{version}/clang+llvm-{version}-powerpc64le-linux-ubuntu-18.04.tar.xz"],
),

aws_lc_go_x86_64 = dict(
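Review bot: the visible `external_http_archive` entries for the Go and Clang tarballs show only `urls`; whatever archives survive the de-duplication the other comments ask for (at minimum the powerpc64le `clang+llvm` tarball fetched from the llvm-project GitHub releases) must be pinned with a `sha256` so the FIPS toolchain is not whatever those URLs happen to serve on build day. For x86_64 and aarch64 the existing Envoy Go and LLVM toolchains should be reused rather than downloading second copies under an `aws_lc_` name.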
Member

same with these deps - they are unnecessary

strip_prefix = "go",
urls = ["https://dl.google.com/go/go{version}.linux-arm64.tar.gz"],
),
aws_lc_go_ppc64le = dict(
Member

and these next two also should not be prefixed with aws_lc

@kpramesh2212 kpramesh2212 force-pushed the aws-lc-fips-build-fixes branch from 04922dd to dfd6fc3 Compare March 26, 2026 17:03
@kpramesh2212 kpramesh2212 temporarily deployed to external-contributors March 26, 2026 17:03 — with GitHub Actions Inactive
@kpramesh2212
Author

@phlax I have fixed all the comments

@kpramesh2212
Author

@phlax @ggreenway @yanavlasov I have fixed all the comments; could you please take a look at this PR once you get a chance?

@Medik-GH

Medik-GH commented Apr 1, 2026

Thanks @kpramesh2212 for these changes! We have been wanting this functionality on our end for a while now. Is there anything I can do to help move this PR along? It seems like FIPS-140-2 is not going to be compliant in September this year so this change is urgently needed.

@phlax @ggreenway @yanavlasov

phlax
phlax previously approved these changes Apr 1, 2026
Member

@phlax phlax left a comment

lgtm, thanks for iterating @kpramesh2212

will also need signoff from @ggreenway

@repokitteh-read-only repokitteh-read-only bot removed the deps Approval required for changes to Envoy's external dependencies label Apr 1, 2026
Member

@ggreenway ggreenway left a comment

/wait

ggreenway
ggreenway previously approved these changes Apr 1, 2026
Member

@ggreenway ggreenway left a comment

Source changes LGTM

Signed-off-by: Ramesh KP <ramesh_kp.kurichi_ponnuswamy@genesys.com>
@kpramesh2212 kpramesh2212 dismissed stale reviews from ggreenway and phlax via 7fbfa4e April 2, 2026 09:01
@kpramesh2212 kpramesh2212 force-pushed the aws-lc-fips-build-fixes branch from dfd6fc3 to 7fbfa4e Compare April 2, 2026 09:01
@kpramesh2212 kpramesh2212 requested a deployment to external-contributors April 2, 2026 09:01 — with GitHub Actions Waiting
@repokitteh-read-only repokitteh-read-only bot added deps Approval required for changes to Envoy's external dependencies and removed waiting labels Apr 2, 2026
@kpramesh2212
Author

@phlax @ggreenway

Sorry, the CI was failing and I had to fix it; could you please take a look at this change? https://github.com/envoyproxy/envoy/compare/dfd6fc3288ec93e2ef0dd31465c26dd991f700d0..7fbfa4e4a1d63d96d718033cbc1f29422d244d80


Labels

deps Approval required for changes to Envoy's external dependencies

Projects

None yet

Development

Successfully merging this pull request may close these issues.

AWS-LC FIPS build fails on main branch due to X509_NAME_dup const mismatch

7 participants