FIPS compliant builds #4318
FIPS compliant builds #4318
Conversation
michel-laterman
added
enhancement
|
This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
|
|
|
mergify
bot
added
the
backport-8.x
michel-laterman
force-pushed
the
msft-go
branch
from
4f546f4 to
618add2
Compare
| FIPS?= | ||
| ifeq "${FIPS}" "true" | ||
| BUILDER_IMAGE=fleet-server-fips-builder:${GO_VERSION} | ||
| PLATFORMS = linux/amd64 linux/arm64 |
There was a problem hiding this comment.
I'm working off an ARM macbook.
When I try to compile these targets in the image built by Dockerfile.fips (base stage) by running FIPS=true make docker-release, I get gcc: error: unrecognized command-line option '-m64' when it tries to compile for linux/amd64. (linux/arm64 compiles as expected if platforms are re-ordered)
However if I run the microsoft/golang base dockerfile with --platform=linux/amd64 I can compile for linux/amd64 with no issue, and I can compile for linux/arm64 if I add CC=x86_64-linux-gnu-gcc.
There was a problem hiding this comment.
This is all expected if the host gcc was only built to target the host machine architecture, which I think is typical for gcc. gcc -dumpmachine will tell you the target triple, it'd be weird if it were also x86_64-linux-gnu-gcc. Probably there is some series of command line options that can dump out the supported architectures.
The work arounds are the ones you've listed here:
- Run the container with --platform=linux/amd64 to have your ARM Mac emulate x86. This is the slowest option.
- Explicitly specify a cross toolchain. This is the fastest option because you don't have to emulate. You can likely select the correct toolchain conditionally, this is what https://github.com/elastic/beats/pull/40330/files did to avoid emulation by default.
The CI machines will never have to cross compile because you can always use one with the correct host architecture.
|
| @@ -0,0 +1,105 @@ | |||
| # FIPS support | |||
Add FIPS env flag to enable FIPS mode. FIPS=true will change the following: - PLATFORMS will default to linux/amd64 linux/arm64 - make local, make release-* - Binary will be build with -tags=fipsrequired and GOEXPERIMENT=systemcrypto - make build-releaser - chaingaurd microsoft go image will be used as base - make multipass - microsoft's go toolchain will be downloaded and installed to VM (cherry picked from commit f1c29b9) # Conflicts: # Makefile # dev-tools/multipass-cloud-init.yml
* FIPS compliant builds (#4318) Add FIPS env flag to enable FIPS mode. FIPS=true will change the following: - PLATFORMS will default to linux/amd64 linux/arm64 - make local, make release-* - Binary will be build with -tags=fipsrequired and GOEXPERIMENT=systemcrypto - make build-releaser - chaingaurd microsoft go image will be used as base - make multipass - microsoft's go toolchain will be downloaded and installed to VM (cherry picked from commit f1c29b9) # Conflicts: # Makefile # dev-tools/multipass-cloud-init.yml * Fix merge --------- Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com> Co-authored-by: michel-laterman <michel.laterman@elastic.co>
What is the problem this PR solves?
Add ability to make FIPS compliant builds when
FIPS=trueis specified.How does this PR solve the problem?
Specifying
FIPS=truewill change the following:PLATFORMSwill default tolinux/amd64 linux/arm64make local,make release-*- Binary will be build with-tags=fipsrequiredandGOEXPERIMENT=systemcryptomake build-releaser- chaingaurd microsoft go image will be used as basemake multipass- microsoft's go toolchain will be downloaded and installed to VMHow to test this PR locally
Design Checklist
I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.Checklist
./changelog/fragmentsusing the changelog toolRelated issues