
FIPS compliance #113

Closed
4 tasks done
Tracked by #111
mudler opened this issue Sep 12, 2022 · 5 comments
@mudler
Member

mudler commented Sep 12, 2022

Plan:

  • Build a FIPS version of all packages
  • Build one special "hardened" flavor using these packages (not the whole matrix) (as part of every release)
    (rockylinux is a good candidate because it is SELinux ready and we are going to need it in the future).
  • Make sure we run some of our tests on that flavor (NOTE: rockylinux doesn't boot in Qemu out of the box, needs some work, 🐧 rockylinux flavor #64 (comment))
@mudler mudler added epic enhancement New feature or request area/security labels Nov 2, 2022
@jimmykarily
Contributor

jimmykarily commented May 23, 2023

Useful: https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md

~/workspace/kairos/kairos-agent (main)$ GOEXPERIMENT=boringcrypto go build 
~/workspace/kairos/kairos-agent (main)$ go tool nm ./kairos  | grep FIPS
  462b80 t BORINGSSL_FIPS_abort
  45ea80 t FIPS_mode_set
  45ea90 t FIPS_read_counter
  401a30 T _cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
  45ea70 t _goboringcrypto_FIPS_mode
  737500 T crypto/internal/boring._Cfunc__goboringcrypto_FIPS_mode.abi0
 1d22bf0 D crypto/internal/boring._cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
 1d249b0 D crypto/tls.defaultCipherSuitesFIPS
 1d24a30 D crypto/tls.defaultFIPSCurvePreferences

while:

~/workspace/kairos/kairos-agent (main)$ go build 
~/workspace/kairos/kairos-agent (main)$ go tool nm ./kairos  | grep FIPS

(empty output)

@mudler
Member Author

mudler commented May 23, 2023

the subtle problem of FIPS is that it requires cgo enabled

@jimmykarily
Contributor

the subtle problem of FIPS is that it requires cgo enabled

Does this mean we cannot cross compile anymore? This would require lots of changes in the release pipelines I assume.

@mudler
Member Author

mudler commented May 26, 2023

the subtle problem of FIPS is that it requires cgo enabled

Does this mean we cannot cross compile anymore? This would require lots of changes in the release pipelines I assume.

Correct. At least you can still create static binaries even with CGO enabled; however, there are several limitations we have to watch out for in that specific case.

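The build-and-verify procedure discussed in this thread (cgo must be on for BoringCrypto, a static link is still possible with cgo, and `go tool nm` proves the FIPS module was linked in), as an added example script that is not part of the kairos project; it assumes Go 1.19+ with the boringcrypto GOEXPERIMENT, a C toolchain, glibc static archives when STATIC=1, and the output name `./kairos` used above.

```shell
#!/usr/bin/env bash
# Added example (not kairos code): build with Go's BoringCrypto module and
# verify the binary actually carries it. Assumptions: Go >= 1.19, cgo
# toolchain present, glibc static libs installed if STATIC=1.
set -eu

BIN="${BIN:-./kairos}"   # output name used in the thread's nm listing

# Count FIPS-related symbols in `go tool nm` output read from stdin.
# A plain `go build` gives 0 (as shown in the thread); boringcrypto gives several.
count_fips_symbols() {
  grep -c 'FIPS' || true   # grep -c prints 0 (exit 1) when nothing matches
}

# Stronger check than a bare grep: require both the BoringCrypto runtime
# check function and the FIPS-only TLS cipher-suite table to be present.
has_boring_markers() {
  listing="$1"
  printf '%s\n' "$listing" | grep -q '_goboringcrypto_FIPS_mode' &&
    printf '%s\n' "$listing" | grep -q 'crypto/tls.defaultCipherSuitesFIPS'
}

# cgo is mandatory for BoringCrypto, so cross-compiling needs a target C
# toolchain. STATIC=1 asks the external linker for a fully static binary;
# note that a static glibc loses NSS-based name resolution (getaddrinfo),
# one of the limitations mentioned above.
build_fips() {
  ldflags=""
  [ "${STATIC:-0}" = 1 ] && ldflags='-linkmode external -extldflags -static'
  CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build -ldflags "$ldflags" -o "$BIN" .
}

# Fail the pipeline if the symbols are missing or the binary is still dynamic.
verify_fips() {
  listing="$(go tool nm "$BIN")"
  has_boring_markers "$listing" || { echo "no BoringCrypto symbols in $BIN" >&2; return 1; }
  echo "FIPS symbols in $BIN: $(printf '%s\n' "$listing" | count_fips_symbols)"
  if [ "${STATIC:-0}" = 1 ] && ldd "$BIN" >/dev/null 2>&1; then
    echo "$BIN is dynamically linked despite STATIC=1" >&2; return 1
  fi
}

# Run the real build only when explicitly requested (RUN_FIPS_BUILD=1).
if [ "${RUN_FIPS_BUILD:-0}" = 1 ]; then
  build_fips && verify_fips
fi
```

Run it in the module directory as `RUN_FIPS_BUILD=1 STATIC=1 sh build-fips.sh`; the check functions can also be reused on an `nm` listing saved from a release artifact.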
@mudler
Member Author

mudler commented Sep 5, 2023

Closing as we have full examples of BYOI to generate FIPS-enabled images: https://github.com/kairos-io/kairos/blob/master/examples/byoi/fedora-fips/

@mudler mudler closed this as completed Sep 5, 2023