-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: mechanism to enable FIPS mode #70123
Comments
Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
If changing the FIPS mode is not possible at runtime, it's a property fixed when building the binary, then IMO it would make sense to define Also, will FIPS mode affect the Go runtime behavior (or even other packages outside crypto)? If that's the case, then I would consider moving the |
The idea is that FIPS mode will be selected only at runtime, by the GODEBUG env var. I think you might have been confused by my poorly worded "Changing the GODEBUG at runtime is not supported", edited to "Changing the GODEBUG after the binary started is not supported". I just meant that you can't do
There is a bit of runtime support, but I think logically the package makes more sense under |
Isn't it going to cause confusion that, by default, when you set the |
In general, "FIPS 140 certified" is more of a spectrum than a binary state, and for example with the new FedRAMP rules a binary that's in FIPS mode would be acceptable even if it's an updated version of the one that underwent validation. Still, I agree that the build tag is confusing, also because people will end up assuming it does more than just set the default GODEBUG. Let's just drop it. Instead, we discussed with @rsc making the module version selection mechanism (which is out of scope for this proposal) also flip the GODEBUG default to |
The module details are a separate proposal, #70200. |
We've been discussing with @rolandshoemaker how to let applications enforce the use of NIST-approved algorithms implemented within the module, and for now we want to offer a coarse binary choice, and then add more fine-grained mechanisms in the future based on feedback. We propose adding a third documented
The last point includes wholly non-approved algorithms implemented by the standard library or (an updated version of) golang.org/x/crypto, as well as approved algorithms used with non-approved parameters (such as HMAC with too short a key). This is to be considered a best-effort mechanism, since we can't for example detect applications implementing non-approved crypto with math/big or third-party modules, of course. Here is a list of functions that would fail entirely:
Note that scrypt is missing because it has been successfully described as approved due to its use of PBKDF2. (Internally, we'll still let forks apply more fine-grained policy with a mechanism akin to #65265, but that's not part of this proposal.) |
Doesn't this preclude AES-GCM? |
It will require #69981, yes, or a special internal TLS mode we will probably not expose. That's FIPS 140-3 IG C.H for you. |
Why would someone chose |
Having a FIPS module laying around is not enough to comply with anything, you also have to use it for all cryptographic operations, and use only its approved "services" (a NIST-ism for algorithms and modes). It's ok to do that by just being very careful not to use anything that's not approved, but enforce mode offers better assurance of it. Go+BoringCrypto doesn't have that mode (aside from |
This mode I think is very important. Within the golang-fips/go fork we have a strict FIPS mode we operate in by default which essentially matches the description of |
Okay, in that case why would someone chose |
This proposal has been added to the active column of the proposals project |
There's the concept of non-security purposes. E.g. the AWS APIs use MD5 as a checksum. That's not a security purpose, so it's allowed, but it involves the use of non-approved cryptography, so requires operating in Ultimately, we'll want some finer-grained mechanism to make that coexist with the safety of |
We noticed I called enforce mode |
Does this need to distinguish |
It's worth noting that we believe this will have little effect on binary size, even though all binaries will be built with the ability to turn on FIPS mode. We're not going to be compiling in two different crypto trees. There will be a little extra code to support the dynamic selection between
To be clear, I think we would still want an |
Based on the discussion above, this proposal seems like a likely accept. The proposal is to add a
The default value of The A new package, |
Change https://go.dev/cl/629816 mentions this issue: |
Also re-sort the various lists. (All lists should be sorted.) The linked page https://go.dev/security/fips140 has yet to be written, but soon. For #70123. Change-Id: Ica5bbf5bd29e9136c2a49d3099d6e0e018c36145 Reviewed-on: https://go-review.googlesource.com/c/go/+/629816 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com>
Change https://go.dev/cl/630115 mentions this issue: |
Sometimes we've used the 140 suffix (GOFIPS140, crypto/fips140) and sometimes not (crypto/internal/fips, cmd/go/internal/fips). Use it always, to avoid having to remember which is which. Also, there are other FIPS standards, like AES (FIPS 197), SHA-2 (FIPS 180), and so on, which have nothing to do with FIPS 140. Best to be clear. For #70123. Change-Id: I33b29dabd9e8b2703d2af25e428f88bc81c7c307 Reviewed-on: https://go-review.googlesource.com/c/go/+/630115 Reviewed-by: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
No change in consensus, so accepted. 🎉 The proposal is to add a
The default value of The A new package, |
Change https://go.dev/cl/631017 mentions this issue: |
This package holds only the Enabled() function. Updates #70123 Change-Id: If0e731724d9997001fa52002fa6ae72df4eb16ff Reviewed-on: https://go-review.googlesource.com/c/go/+/631017 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Change https://go.dev/cl/631018 mentions this issue: |
Running the test suite in this mode is definitely not an option. Testing this will probably look like a very long test that tries all functions. Filed #70514 to track the tests. For #70123 Change-Id: I6f67de83da37dd1e94e620b7f4f4f6aabe040c41 Reviewed-on: https://go-review.googlesource.com/c/go/+/631018 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The description says:
The accepted summary says:
For clarity, is the description still accurate, that the |
Correct. The summary probably left "after the binary started" implied. |
As tracked in #69536 we are pursuing a FIPS 140-3 validation for the Go cryptography packages. This proposal is about the mechanism to selectively enable and disable FIPS mode.
All Linux binaries will be FIPS-capable, so there will be no need for a compile-time on-switch. We believe we can make the build-time overhead low enough that we can remove this entire layer of complexity, so there will be no need for a "FIPS build". Note however that the module will not be FIPS validated on all architectures1.
A run-time GODEBUG flag,
fips140
defaults tooff
but can be set toon
to operate the binary in FIPS mode. Primarily, this enables the slower and more complex RNG system, and the slow runtime self-tests. The GODEBUG can also be set toonly
to make any non-approved crypto return errors.2A build tag,Note thatfips140
, can be used to switch the GODEBUG default fromoff
toon
. It has no other effect. This allows building arbitrary programs so that they will run in FIPS mode by default.//go:debug
annotations can also be used to enable or disable the GODEBUG.If
fips140=on
is set (in any way) and the binary can't operate in FIPS mode (because it was not built for Linux or it was built for an architecture that was not validated, for example), the binary will immediately panic at runtime.A new package,
crypto/fips140
will be added with a single functionEnabled() bool
which can be used to check at runtime if the binary is operating in FIPS mode.Changing the GODEBUG after the binary started is not supported, it will not result in compliant FIPS operations, and may or may not cause the binary to panic. This is unlikely to change.
This proposal does not address how to select the FIPS module to compile against, which will require either a
go build
flag or a build tag. We are discussing this with @rsc. By default, binaries will build against the latest unvalidated version of the module3, but it will be possible to select both the latest In Process modules and the latest certified module. This will be transparent, although some newly introduced functionality may not be available when compiling against frozen versions of the module./cc @golang/security @cpu
Footnotes
The current tentative plan is to validate on some Linux OSes on some amd64, arm64, mips64, ppc64le, and s390x. If you need specific OEs validated, reach out to me ASAP. ↩
We're aware this is usually less granularity than required by production applications, which sometimes need to use non-approved crypto for non-security purposes, as allowed by FIPS 140-3. We'll share precise plans later, but in short this
only
mode will be implemented in terms of an internal API that can be used by downstream forks (without explicit backward compatibility guarantees) to enforce such a fine-grained policy. We don't plan to provide an exposed upstream mechanism at this time. ↩Running the latest unvalidated version in FIPS mode still makes sense in some settings, hopefully more and more over time. ↩
The text was updated successfully, but these errors were encountered: