crypto: BoringCrypto support for ARM #39760

Open
sodul opened this issue Jun 22, 2020 · 6 comments

@sodul sodul commented Jun 22, 2020

With the industry switching away from the legacy x86 CPU architecture and to ARM (AWS, Apple), what are the plans to add support for the BoringCrypto Dev branch on ARM?

The upstream FIPS certification is only for Intel and POWER architectures, so I suppose this should be updated to cover ARM, which would take quite a while.

This is not an urgent request, but considering this will likely happen eventually, a rough timeline could be useful for long-term planning.

@ianlancetaylor ianlancetaylor changed the title BoringCrypto support for ARM crypto: BoringCrypto support for ARM Jun 22, 2020
Contributor

@ianlancetaylor ianlancetaylor commented Jun 22, 2020

Contributor

@agl agl commented Jun 22, 2020

BoringSSL supports FIPS on ARM, but only in shared-library mode, which isn't really suitable for Go. Static linking support is complicated and would only be added if Google had a business case for it. However, no details nor timeline would be shared publicly about such internal matters I'm afraid.

So, if it happens to get built for other reasons, Go could use it. But we've no comment about if or when that might happen.

Contributor

@groob groob commented Jun 23, 2020

Is this something Apple could potentially help with? macOS is a big user of BoringSSL these days. Watching the keynote yesterday, Apple is contributing changes to many FOSS projects to add ARM support (e.g. Blender).

Author

@sodul sodul commented Jun 24, 2020

Apple has their own crypto library with SecureTransport and I'm not aware of any FIPS effort at Apple, so I would be surprised if they did anything with BoringCrypto:
https://developer.apple.com/documentation/security/secure_transport

There would be a better chance of AWS contributing since they are pushing for ARM and they have dedicated FIPS endpoints:
https://aws.amazon.com/compliance/fips/


@upsampled upsampled commented Jul 20, 2020

Deleted my original post after researching more:

  1. The FIPS Go version shipping with RHEL is basically just the BoringCrypto branch just pointing to OpenSSL. The code is hosted on https://pagure.io/go.
  2. The RHEL version is also not enabling may not be enabling OpenSSL support for ARM when building.
  3. As far as I know Boring's FIPS cert does not cover ARM currently, but OpenSSL's does.

@alittlec alittlec commented Oct 12, 2020

Is there any progress on this?
