
allow setting FIPS mode at runtime and build against frozen go/crypto #37


Open
wants to merge 1 commit into
base: main

SimonTheLeg
Contributor

@SimonTheLeg SimonTheLeg commented Apr 14, 2025

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes internal-backlog number 34

Special notes for your reviewer:

A short explanation of how FIPS in Go 1.24 works in general (from here: https://go.dev/doc/security/fips140):
Passing the `GOFIPS140=v1.0.0` flag to `go build` ensures that a frozen version of the Go crypto lib from early 2025 is linked into the binary. This is important as this version is currently being certified for FIPS. Furthermore, the `GODEBUG=fips140=only` setting ensures that the program is going to panic or return an error if a FIPS-incompliant crypto lib function is being called (e.g. `crypto/sha1.Sum`). Without it the program would just continue running.

Things that need to be discussed where we have some leeway:

Currently my implementation follows the motto: FIPS first, no FIPS possible

  1. Currently the binary on startup prints out in which mode it is running. While it is a bit more copy-paste effort for every operator, I think this is worth it as you then can easily tell in which mode the binary is running. Do you agree?
  2. I think we should allow the operator to be run in non-FIPS mode as well. The reason is that if we ever encounter an issue with FIPS (for example, an invalid cipher panic), we can easily run in non-FIPS mode on dev temporarily to narrow down the issue. The implication of this choice is that we should add an option to our values in the Helm chart (see this PR). Wdyt?

Update Apr 15th: It was decided to keep as proposed

Release note:

NONE
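A startup check of the kind the description discusses, as an added example that is not code from this PR or the project: it resolves the `fips140` value from `GODEBUG` and builds the banner an operator would log. The names `fipsMode` and `startupBanner`, the banner wording, and the "on" default for a `GOFIPS140` build are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// fipsMode resolves the fips140 setting from a GODEBUG string.
// buildDefault is the value that applies when GODEBUG does not mention
// fips140 (an input of this example, supplied by the caller).
func fipsMode(godebug, buildDefault string) (string, error) {
	mode := buildDefault
	for _, kv := range strings.Split(godebug, ",") {
		if key, val, ok := strings.Cut(kv, "="); ok && key == "fips140" {
			mode = val // a later entry overrides an earlier one
		}
	}
	switch mode {
	case "off", "on", "only":
		return mode, nil
	}
	// Rejecting unknown values is this example's choice: fail closed at startup.
	return "", fmt.Errorf("unsupported fips140 setting %q", mode)
}

// startupBanner is the line an operator would log once at startup.
func startupBanner(mode string) string {
	switch mode {
	case "only":
		return "FIPS mode: only (non-approved algorithms panic or return an error)"
	case "on":
		return "FIPS mode: on (non-approved algorithms are still callable)"
	}
	return "FIPS mode: off"
}

func main() {
	// Assumption: the binary was built with GOFIPS140=v1.0.0, so "on" is the default.
	mode, err := fipsMode(os.Getenv("GODEBUG"), "on")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(startupBanner(mode))
}
```

On Go 1.24 and later, `crypto/fips140.Enabled()` reports whether FIPS mode is active in the running process; the parser above only shows what was requested through the environment.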

@SimonTheLeg SimonTheLeg marked this pull request as ready for review April 14, 2025 13:23
@SimonTheLeg SimonTheLeg force-pushed the enable-fips branch 6 times, most recently from 3c24b01 to 68a1b7f Compare April 15, 2025 09:31
reshnm
reshnm previously approved these changes Apr 15, 2025
@reshnm
Contributor

reshnm commented Apr 15, 2025

/LGTM

On-behalf-of: SAP <[email protected]>
Signed-off-by: Simon Bein <[email protected]>
@SimonTheLeg SimonTheLeg changed the title chore: build fips compliant binaries allow for setting FIPS mode at runtime Apr 29, 2025
@SimonTheLeg SimonTheLeg changed the title allow for setting FIPS mode at runtime allow setting FIPS mode at runtime and built against frozen go/crypto Apr 29, 2025
@SimonTheLeg SimonTheLeg changed the title allow setting FIPS mode at runtime and built against frozen go/crypto allow setting FIPS mode at runtime and build against frozen go/crypto Apr 30, 2025
2 participants