Add DRA FIPS artifacts to package pipeline

.buildkite/pipeline.package.mbp.yml

@@ -28,6 +28,29 @@ steps:
       image: "${IMAGE_UBUNTU_X86_64}"
       machineType: "c2-standard-16"
 
+  - label: "Package FIPS x86_64 snapshot"
+    if: "build.env('VERSION_QUALIFIER') == null"
+    key: "package-fips-x86-64-snapshot"
+    command: ".buildkite/scripts/package.sh snapshot"
+    env:
+      FIPS: "true"
+    agents:
+      provider: "gcp"
+      image: "${IMAGE_UBUNTU_X86_64}"
+      machineType: "c2-standard-16"
+
+  - label: "Package FIPS x86_64 staging"
+    key: "package-fips-x86-64-staging"
+    command: |
+      source .buildkite/scripts/version_qualifier.sh
+      .buildkite/scripts/package.sh staging
+    env:
+      FIPS: "true"
+    agents:
+      provider: "gcp"
+      image: "${IMAGE_UBUNTU_X86_64}"
+      machineType: "c2-standard-16"
+
   - label: "Package aarch64 snapshot"
     if: "build.env('VERSION_QUALIFIER') == null"
     key: "package-arm-snapshot"
@@ -47,6 +70,29 @@ steps:
       imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
       instanceType: "t4g.2xlarge"
 
+  - label: "Package FIPS aarch64 snapshot"
+    if: "build.env('VERSION_QUALIFIER') == null"
+    key: "package-fips-arm-snapshot"
+    command: ".buildkite/scripts/package.sh snapshot"
+    env:
+      FIPS: "true"
+    agents:
+      provider: "aws"
+      imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
+      instanceType: "t4g.2xlarge"
+
+  - label: "Package FIPS aarch64 staging"
+    key: "package-fips-arm-staging"
+    command: |
+      source .buildkite/scripts/version_qualifier.sh
+      .buildkite/scripts/package.sh staging
+    env:
+      FIPS: "true"
+    agents:
+      provider: "aws"
+      imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
+      instanceType: "t4g.2xlarge"
+
   - label: "DRA snapshot"
     if: "${FILE_EXISTS_IN_REPO} && build.env('VERSION_QUALIFIER') == null"
     key: "dra-snapshot"
@@ -58,8 +104,12 @@ steps:
     depends_on:
       - step: "package-x86-64-snapshot"
         allow_failure: false
+      - step: "package-fips-x86-64-snapshot"
+        allow_failure: false
       - step: "package-arm-snapshot"
         allow_failure: false
+      - step: "package-fips-arm-snapshot"
+        allow_failure: false
 
   - label: "DRA release staging"
     # we don't usually build staging from the main branch, but we exceptionally allow it for prereleases
@@ -76,5 +126,9 @@ steps:
     depends_on:
       - step: "package-x86-64-staging"
         allow_failure: false
+      - step: "package-fips-x86-64-staging"
+        allow_failure: false
       - step: "package-arm-staging"
         allow_failure: false
+      - step: "package-fips-arm-staging"
+        allow_failure: false

.buildkite/scripts/common.sh

@@ -51,6 +51,18 @@ with_go() {
     export PATH="${PATH}:$(go env GOPATH):$(go env GOPATH)/bin"
 }
 
+with_msft_go() {
+    echo "Setting up microsoft/go"
+    create_workspace
+    check_platform_architeture
+    MSFT_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$(cat .go-version)-1.${platform_type}-${arch_type}.tar.gz
+    retry 5 $(curl -sL -o - $MSFT_DOWNLOAD_URL | tar -xz -f - -C ${WORKSPACE})
+    export PATH="${PATH}:${WORKSPACE}/go/bin"
+    go version
+    which go
+    export PATH="${PATH}:$(go env GOPATH):$(go env GOPATH)/bin"
+}
+
 with_docker_compose() {
     echo "Setting up the Docker-compose environment..."
     create_workspace
@@ -160,4 +172,4 @@ cleanup() {
     echo "Deleting temporary files..."
     rm -rf ${WORKSPACE}/${TMP_FOLDER_TEMPLATE_BASE}.*
     echo "Done."
-}
+}

.buildkite/scripts/package.sh

@@ -14,14 +14,22 @@ if [[ ${BUILDKITE_BRANCH} == "main" && ${TYPE} == "staging" && -z ${VERSION_QUAL
 fi
 
 PLATFORMS=""
-PACKAGES=""
 if [[ ${PLATFORM_TYPE} == "arm" || ${PLATFORM_TYPE} == "aarch64" ]]; then
     PLATFORMS="linux/arm64"
-    PACKAGES="docker"
 fi
 
 add_bin_path
-with_go
+
+if [[ -v FIPS && ${FIPS} == "true" ]]; then
+    with_msft_go
+    if [[ ${PLATFORM_TYPE} == "arm" || ${PLATFORM_TYPE} == "aarch64" ]]; then
+        PLATFORMS="linux/arm64"
+    else
+        PLATFORMS="linux/amd64"
+    fi
+else
+    with_go
+fi
 with_mage
 
 case "${TYPE}" in

.buildkite/scripts/test-release.sh

@@ -3,16 +3,16 @@
 set -euo pipefail
 
 FLEET_SERVER_VERSION=${1:?"Fleet Server version is needed"}
+FILE_PREFIX="build/distributions/fleet-server-${FLEET_SERVER_VERSION}-"
 
 PLATFORM_FILES=(darwin-aarch64.tar.gz darwin-x86_64.tar.gz linux-arm64.tar.gz linux-x86_64.tar.gz windows-x86_64.zip)
 if [ "$FIPS" = "true" ] ; then
-    PLATFORM_FILES=(linux-arm64-fips.tar.gz linux-x86_64-fips.tar.gz)
+    PLATFORM_FILES=(linux-arm64.tar.gz linux-x86_64.tar.gz)
+    FILE_PREFIX="build/distributions/fleet-server-fips-${FLEET_SERVER_VERSION}-"
 fi
 
 #make release
 
-FILE_PREFIX="build/distributions/fleet-server-${FLEET_SERVER_VERSION}-"
-
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NO_COLOR='\033[0m'

Dockerfile.fips

@@ -38,8 +38,8 @@ RUN addgroup --gid 1000 fleet-server && \
 USER fleet-server
 
 COPY --chown=fleet-server:fleet-server --chmod=644 fleet-server.yml /etc/fleet-server.yml
-COPY --chown=fleet-server:fleet-server --chmod=555 --from=builder /go/src/github.com/elastic/fleet-server/build/binaries/fleet-server-${VERSION}-${TARGETOS:-linux}-*-fips/fleet-server /usr/bin/fleet-server
+COPY --chown=fleet-server:fleet-server --chmod=555 --from=builder /go/src/github.com/elastic/fleet-server/build/binaries/fleet-server-fips-${VERSION}-${TARGETOS:-linux}-*/fleet-server /usr/bin/fleet-server
 
-ENV GOFIPS=1
+ENV GODEBUG=fips140=on
 
 CMD [ "/usr/bin/fleet-server", "-c", "/etc/fleet-server.yml" ]

Makefile

@@ -9,9 +9,18 @@
 SHELL=/usr/bin/env bash
 GO_VERSION=$(shell cat '.go-version')
 DEFAULT_VERSION=$(shell awk '/const DefaultVersion/{print $$NF}' version/version.go | tr -d '"')
+
+# Set FIPS=true to force FIPS compliance when building
+FIPS?=
+
+ifeq "${FIPS}" "true"
+PLATFORMS ?= linux/amd64 linux/arm64
+else
+PLATFORMS ?= darwin/amd64 darwin/arm64 linux/amd64 linux/arm64 windows/amd64
+endif
+
 TARGET_ARCH_amd64=x86_64
 TARGET_ARCH_arm64=arm64
-PLATFORMS ?= darwin/amd64 darwin/arm64 linux/amd64 linux/arm64 windows/amd64
 BUILDMODE_linux_amd64=-buildmode=pie
 BUILDMODE_linux_arm64=-buildmode=pie
 BUILDMODE_windows_amd64=-buildmode=pie
@@ -51,6 +60,7 @@ else
 VERSION=${DEFAULT_VERSION}
 endif
 
+DOCKER_IMAGE?=docker.elastic.co/fleet-server/fleet-server
 DOCKER_PLATFORMS ?= linux/amd64 linux/arm64
 # defing the docker image tag used for stand-alone fleet-server images
 # only want to define the tag if none is specified, this allows an invocation like
@@ -61,11 +71,7 @@ DOCKER_IMAGE_TAG?=${VERSION}
 ifeq "${DEV}" "true"
 DOCKER_IMAGE_TAG:=${DOCKER_IMAGE_TAG}-dev
 endif
-ifeq "${FIPS}" "true"
-DOCKER_IMAGE_TAG:=${DOCKER_IMAGE_TAG}-fips
-endif
 endif
-DOCKER_IMAGE?=docker.elastic.co/fleet-server/fleet-server
 
 PLATFORM_TARGETS=$(addprefix release-, $(PLATFORMS))
 COVER_TARGETS=$(addprefix cover-, $(PLATFORMS))
@@ -87,17 +93,15 @@ GOBIN=$(shell go env GOPATH)/bin/
 
 OS_NAME:=$(shell uname -s)
 
-# Set FIPS=true to force FIPS compliance when building
-FIPS?=
 # NOTE: We are assuming that the only GOEXPIREMENT flag will be associated with FIPS
 GOFIPSEXPERIMENT?=
 FIPSSUFFIX=
 ifeq "${FIPS}" "true"
 BUILDER_IMAGE=fleet-server-fips-builder:${GO_VERSION}
+DOCKER_IMAGE:=docker.elastic.co/fleet-server/fleet-server-fips
 STANDALONE_DOCKERFILE=Dockerfile.fips
-PLATFORMS = linux/amd64 linux/arm64
 gobuildtags += requirefips
-GOFIPSEXPERIMENT=GOEXPERIMENT=systemcrypto
+GOFIPSEXPERIMENT=GOEXPERIMENT=systemcrypto CGO_ENABLED=1
 FIPSSUFFIX=-fips
 endif
 
@@ -148,7 +152,7 @@ $(COVER_TARGETS): cover-%: ## - Build a binary with the -cover flag for integrat
 	$(eval $@_GO_ARCH := $(lastword $(subst /, ,$(lastword $(subst cover-, ,$@)))))
 	$(eval $@_ARCH := $(TARGET_ARCH_$($@_GO_ARCH)))
 	$(eval $@_BUILDMODE:= $(BUILDMODE_$($@_OS)_$($@_GO_ARCH)))
-	GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -cover -coverpkg=./... -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/cover/fleet-server-$(VERSION)-$($@_OS)-$($@_ARCH)$(FIPSSUFFIX)/fleet-server$(if $(filter windows,$($@_OS)),.exe,) .
+	GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -cover -coverpkg=./... -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/cover/fleet-server$(FIPSSUFFIX)-$(VERSION)-$($@_OS)-$($@_ARCH)/fleet-server$(if $(filter windows,$($@_OS)),.exe,) .
 
 .PHONY: clean
 clean: ## - Clean up build artifacts
@@ -263,7 +267,7 @@ $(PLATFORM_TARGETS): release-%:
 	$(eval $@_GO_ARCH := $(lastword $(subst /, ,$(lastword $(subst release-, ,$@)))))
 	$(eval $@_ARCH := $(TARGET_ARCH_$($@_GO_ARCH)))
 	$(eval $@_BUILDMODE:= $(BUILDMODE_$($@_OS)_$($@_GO_ARCH)))
-	GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/binaries/fleet-server-$(VERSION)-$($@_OS)-$($@_ARCH)$(FIPSSUFFIX)/fleet-server .
+	GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/binaries/fleet-server$(FIPSSUFFIX)-$(VERSION)-$($@_OS)-$($@_ARCH)/fleet-server .
 	@$(MAKE) OS=$($@_OS) ARCH=$($@_ARCH) package-target
 
 .PHONY: build-docker
@@ -307,8 +311,8 @@ else ifeq ($(OS)-$(ARCH),darwin-arm64)
 	@tar -C build/binaries -zcf build/distributions/fleet-server-$(VERSION)-$(OS)-aarch64.tar.gz fleet-server-$(VERSION)-$(OS)-aarch64
 	@cd build/distributions && sha512sum fleet-server-$(VERSION)-$(OS)-aarch64.tar.gz > fleet-server-$(VERSION)-$(OS)-aarch64.tar.gz.sha512
 else
-	@tar -C build/binaries -zcf build/distributions/fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX).tar.gz fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX)
-	@cd build/distributions && sha512sum fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX).tar.gz > fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX).tar.gz.sha512
+	@tar -C build/binaries -zcf build/distributions/fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH).tar.gz fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH)
+	@cd build/distributions && sha512sum fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH).tar.gz > fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH).tar.gz.sha512
 endif
 
 build-releaser: ## - Build a Docker image to run make package including all build tools

dev-tools/e2e/Dockerfile

@@ -2,16 +2,16 @@ ARG ELASTIC_AGENT_IMAGE # e.g. docker.elastic.co/cloud-release/elastic-agent-clo
 
 FROM --platform=linux/amd64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_amd64
 ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT
-ARG FLEET_SUFFIX # e.g. -linux-x86_64
+ARG FLEET_FIPS="" # should be -fips if a fips distribution will be used
 ARG VCS_REF_SHORT # e.g. abc123
-ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server-${STACK_VERSION}${FLEET_SUFFIX}/fleet-server \
+ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}-linux-x86_64/fleet-server \
              ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server
 
 FROM --platform=linux/arm64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_arm64
 ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT
-ARG FLEET_SUFFIX # e.g. -linux-x86_64
+ARG FLEET_FIPS="" # should be -fips if a fips distribution will be used
 ARG VCS_REF_SHORT # e.g. abc123
-ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server-${STACK_VERSION}${FLEET_SUFFIX}/fleet-server \
+ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}-linux-arm64/fleet-server \
              ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server
 
 FROM elastic_agent_${TARGETARCH}

dev-tools/e2e/build.sh

@@ -24,19 +24,16 @@ VCS_REF=$(docker inspect -f '{{index .Config.Labels "org.label-schema.vcs-ref"}}
 
 CUSTOM_IMAGE_TAG=${STACK_VERSION}-e2e-${COMMIT}-$(date +%s)
 
-FLEET_SUFFIX="-linux-x86_64"
-if [[ "$GOARCH" == "arm64" ]]; then
-    FLEET_SUFFIX="-linux-arm64"
-fi
+FLEET_FIPS=""
 if [[ "$FIPS" == "true" ]]; then
-    FLEET_SUFFIX="${FLEET_SUFFIX}-fips"
+    FLEET_FIPS="-fips"
 fi
 
 docker build \
 	-f $REPO_ROOT/dev-tools/e2e/Dockerfile \
 	--build-arg ELASTIC_AGENT_IMAGE=$BASE_IMAGE \
 	--build-arg STACK_VERSION=${FLEET_VERSION} \
-	--build-arg FLEET_SUFFIX=${FLEET_SUFFIX} \
+	--build-arg FLEET_FIPS=${FLEET_FIPS} \
 	--build-arg VCS_REF_SHORT=${VCS_REF:0:6} \
 	--platform linux/$GOARCH \
 	-t ${CI_ELASTIC_AGENT_DOCKER_IMAGE}:${CUSTOM_IMAGE_TAG} \

docs/fips.md

@@ -36,7 +36,7 @@ The following make commands have different behaviour when FIPS is enabled:
 A Multipass VM created with `FIPS=true make multipass` is able to compile FIPS enabled golang programs, but is not able to run them.
 When you try to run one the following error occurs:
 ```
-GOFIPS=1 ./bin/fleet-server -c fleet-server.yml
+GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
 panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider
 
 goroutine 1 [running]:
@@ -92,14 +92,14 @@ activate = 1
 default_properties = fips=yes
 ```
 
-4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GOFIPS=1` env vars, i.e.,
+4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e.,
 ```
-OPENSSL_CONF=./openssl.cnf GOFIPS=1 ./bin/fleet-server -c fleet-server.yml
+OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
 23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0
 i...
 ```
 
 ## Usage
 
-A FIPS enabled binary should be ran with the env var `GOFIPS=1` set.
+A FIPS enabled binary should be ran with the env var `GODEBUG=fips140=on` set.
 The system/image is required to have a FIPS compliant provider available.

testing/e2e/fips_test.go

@@ -39,7 +39,7 @@ func (suite *FIPSStandAlone) SetupSuite() {
 		arch = "x86_64"
 	}
 	// NOTE the path checked is hardcoded to linux as we currently only support linux for FIPS builds
-	path, err := filepath.Abs(filepath.Join("..", "..", "build", "cover", fmt.Sprintf("fleet-server-%s-SNAPSHOT-linux-%s-fips", version.DefaultVersion, arch), binaryName))
+	path, err := filepath.Abs(filepath.Join("..", "..", "build", "cover", fmt.Sprintf("fleet-server-fips-%s-SNAPSHOT-linux-%s", version.DefaultVersion, arch), binaryName))
 	suite.Require().NoError(err)
 	suite.binaryPath = path
 	_, err = os.Stat(suite.binaryPath)