FIPS Support #3502

@markmsmith

Feature

I'd like to be able to run a build of Spin (via SpinKube) that has wasi-http configured to run in FIPS mode. This would mean that all HTTPS requests and responses (as well as new outbound requests) would use a NIST-certified crypto module.
This could just be a separate build of Spin or containerd-shim-spin, and wouldn't need to be dynamic per-request or per-VM.

Benefit

If I want to run SpinKube in a US Gov "FedRAMP Moderate" or higher environment, I need to be able to show auditors that any encryption-in-transit is done with a crypto module that's been NIST-certified as FIPS-140-2 or FIPS-140-3 compliant. As an example, the Golang 1.24+ crypto module 1.0.0 was recently validated, so any golang programs built with the appropriate flags are guaranteed to use the appropriate crypto implementation at runtime. Ideally users of Spin and SpinKube could rely on something similar for their WASI implementations, and the wasi-http components just get it for free, regardless of how they were compiled or what language was used.

This is a follow-on issue to bytecodealliance/wasmtime#13293, created at the request of @fibonacci1729. We chatted in the CNCF Slack and he had a really promising proposal for how it could work.

Concrete Items

  • A FIPS build of Spin available as part of the release from main.
  • A FIPS build of containerd-shim-spin available as part of the release from main.
  • A docs page for spinkube.dev on how to run it with FIPS (including calling out the need for a FIPS OpenSSL hosting environment for the non-Rust, dynamically-linked deps).
