rke2: build with goboring library #393009

Merged
merged 1 commit into from
Mar 25, 2025

@rorosen (Contributor) commented Mar 25, 2025

Use the FIPS Compatible boringcrypto Go compiler. This version of Go replaces the standard Go crypto libraries with the FIPS validated BoringCrypto module. Using a validated compiler is a requirement for FIPS 140-2 Enablement of the RKE2 package.

Motivation

FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. Upstream RKE2 is FIPS verified; however, the Nix package was built with the regular Go compiler and thus not FIPS compliant.

@zimbatm
@stefan-bordei

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


Use the FIPS Compatible boringcrypto Go compiler. This version of Go
replaces the standard Go crypto libraries with the FIPS validated
BoringCrypto module. Using a validated compiler is a requirement for
FIPS 140-2 Enablement of the RKE2 package.
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Mar 25, 2025
@nix-owners nix-owners bot requested review from zimbatm and stefan-bordei March 25, 2025 08:30
@zimbatm zimbatm merged commit eef109e into NixOS:master Mar 25, 2025
25 of 29 checks passed
@rorosen rorosen deleted the rke2-goboring branch March 25, 2025 10:07