
Commit 17cb3e1

authored
Merge pull request #315 from sky1122/fips
go: use runtime FIPS instead of compile-time boringcrypto
2 parents a826fb8 + d7ea7a8 commit 17cb3e1


43 files changed

+6
-8026
lines changed


43 files changed

+6
-8026
lines changed

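--- a/Dockerfile
+++ b/Dockerfile
@@ -365,13 +365,6 @@ COPY --from=sdk-rust /usr/libexec/llvm/ /usr/
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
-# Merge the LLVM install with the rest of our toolchains and C libraries for
-# later use by the AWS-LC builds.
-FROM sdk-libc AS sdk-libc-llvm
-COPY --from=sdk-llvm / /
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
 FROM sdk AS sdk-grub
 
 USER root
@@ -497,7 +490,7 @@ RUN \
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
-FROM sdk-libc-llvm AS sdk-go-prep
+FROM sdk-libc AS sdk-go-prep
 
 # Set up the environment for building.
 ENV GOOS="linux"
@@ -513,8 +506,6 @@ ENV GOARM64="v8.0,crypto"
 
 ENV GO111MODULE="auto"
 
-ENV AWS_LC_FIPS_VER="3.0.0"
-
 USER root
 RUN dnf -y install golang
 
@@ -535,15 +526,8 @@ COPY ./hashes/go-${GOMAJOR} /home/builder/hashes-go
 COPY ./helpers/go/prep-go.sh ./
 COPY ./patches/go-${GOMAJOR} /home/builder/patches-go
 
-COPY ./hashes/aws-lc /home/builder/hashes-aws-lc
-COPY ./patches/aws-lc /home/builder/patches-aws-lc
-
 RUN ./prep-go.sh --go-version=${GO125VER}
 
-WORKDIR /home/builder/aws-lc/build
-COPY ./configs/aws-lc/* .
-COPY ./helpers/aws-lc/* .
-
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
 FROM sdk-go-prep AS sdk-go-1.24-prep
@@ -558,105 +542,12 @@ COPY ./hashes/go-${GOMAJOR} /home/builder/hashes-go
 COPY ./helpers/go/prep-go.sh ./
 COPY ./patches/go-${GOMAJOR} /home/builder/patches-go
 
-COPY ./hashes/aws-lc /home/builder/hashes-aws-lc
-COPY ./patches/aws-lc /home/builder/patches-aws-lc
-
 RUN ./prep-go.sh --go-version=${GO124VER}
 
-WORKDIR /home/builder/aws-lc/build
-COPY ./configs/aws-lc/* .
-COPY ./helpers/aws-lc/* .
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.25-prep AS sdk-go-1.25-aws-lc-gnu-x86_64
-ENV ARCH="x86_64"
-ENV LIBC="gnu"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.25-prep AS sdk-go-1.25-aws-lc-gnu-aarch64
-COPY --chown=0:0 --from=sdk-go-1.25-aws-lc-gnu-x86_64 /etc/group /etc/group
-ENV ARCH="aarch64"
-ENV LIBC="gnu"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.25-prep AS sdk-go-1.25-aws-lc-musl-x86_64
-COPY --chown=0:0 --from=sdk-go-1.25-aws-lc-gnu-aarch64 /etc/group /etc/group
-ENV ARCH="x86_64"
-ENV LIBC="musl"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.25-prep AS sdk-go-1.25-aws-lc-musl-aarch64
-COPY --chown=0:0 --from=sdk-go-1.25-aws-lc-musl-x86_64 /etc/group /etc/group
-ENV ARCH="aarch64"
-ENV LIBC="musl"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.24-prep AS sdk-go-1.24-aws-lc-gnu-x86_64
-ENV ARCH="x86_64"
-ENV LIBC="gnu"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.24-prep AS sdk-go-1.24-aws-lc-gnu-aarch64
-COPY --chown=0:0 --from=sdk-go-1.24-aws-lc-gnu-x86_64 /etc/group /etc/group
-ENV ARCH="aarch64"
-ENV LIBC="gnu"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.24-prep AS sdk-go-1.24-aws-lc-musl-x86_64
-COPY --chown=0:0 --from=sdk-go-1.24-aws-lc-gnu-aarch64 /etc/group /etc/group
-ENV ARCH="x86_64"
-ENV LIBC="musl"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
-# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
-
-FROM sdk-go-1.24-prep AS sdk-go-1.24-aws-lc-musl-aarch64
-COPY --chown=0:0 --from=sdk-go-1.24-aws-lc-musl-x86_64 /etc/group /etc/group
-ENV ARCH="aarch64"
-ENV LIBC="musl"
-ENV TARGET="${ARCH}-bottlerocket-linux-${LIBC}"
-RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sdk-go"
-
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
 FROM sdk-go-1.25-prep AS sdk-go-1.25
 
-COPY --from=sdk-go-1.25-aws-lc-gnu-x86_64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso
-
-COPY --from=sdk-go-1.25-aws-lc-gnu-aarch64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso
-
-COPY --from=sdk-go-1.25-aws-lc-musl-x86_64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_amd64.syso
-
-COPY --from=sdk-go-1.25-aws-lc-musl-aarch64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_arm64.syso
-
 COPY ./helpers/go/build-go.sh ./
 
 # Build Go - finally!
@@ -666,22 +557,6 @@ RUN ./build-go.sh --go-version=${GO125VER}
 
 FROM sdk-go-1.24-prep AS sdk-go-1.24
 
-COPY --from=sdk-go-1.24-aws-lc-gnu-x86_64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso
-
-COPY --from=sdk-go-1.24-aws-lc-gnu-aarch64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso
-
-COPY --from=sdk-go-1.24-aws-lc-musl-x86_64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_amd64.syso
-
-COPY --from=sdk-go-1.24-aws-lc-musl-aarch64 \
-/home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-/home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_arm64.syso
-
 COPY ./helpers/go/build-go.sh ./
 
 # Build Go - finally!
@@ -1160,10 +1035,6 @@ COPY --chown=0:0 --from=sdk-go-1.25 \
 /home/builder/sdk-go/licenses/ \
 /usr/share/licenses/go-1.25/
 
-COPY --chown=0:0 --from=sdk-go-1.25 \
-/home/builder/aws-lc/LICENSE \
-/usr/share/licenses/aws-lc/LICENSE
-
 COPY --chown=0:0 --from=sdk-go-1.24 /home/builder/sdk-go/bin /usr/libexec/go-1.24/bin/
 COPY --chown=0:0 --from=sdk-go-1.24 /home/builder/sdk-go/lib /usr/libexec/go-1.24/lib/
 COPY --chown=0:0 --from=sdk-go-1.24 /home/builder/sdk-go/pkg /usr/libexec/go-1.24/pkg/
@@ -1174,18 +1045,6 @@ COPY --chown=0:0 --from=sdk-go-1.24 \
 /home/builder/sdk-go/licenses/ \
 /usr/share/licenses/go-1.24/
 
-# Create Go trees for the different glibc and musl builds of the AWS-LC syso.
-# Sync timestamps to avoid rebuilds of the Go standard library.
-RUN \
-for v in 1.24 1.25 ; do \
-find /usr/libexec/go-${v} -type f -exec touch -r /usr/libexec/go-${v}/bin/go {} \+ && \
-rsync -aq --link-dest=/usr/libexec/go-${v}/ /usr/libexec/go-${v}{,-musl}/ && \
-rm /usr/libexec/go-${v}/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_{arm,amd}64.syso && \
-rm /usr/libexec/go-${v}-musl/src/crypto/internal/boring/syso/goboringcrypto_linux_{arm,amd}64.syso && \
-mv /usr/libexec/go-${v}-musl/src/crypto/internal/boring/syso/goboringcrypto_linux_{musl_,}amd64.syso && \
-mv /usr/libexec/go-${v}-musl/src/crypto/internal/boring/syso/goboringcrypto_linux_{musl_,}arm64.syso ; \
-done
-
 # "sdk-rust-tools" has our attribution generation and license scan tools.
 COPY --chown=0:0 --from=sdk-rust-tools /usr/libexec/tools/ /usr/libexec/tools/
 COPY --chown=0:0 --from=sdk-rust-tools /usr/share/licenses/bottlerocket-license-scan/ /usr/share/licenses/bottlerocket-license-scan/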
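Review bot: The stages left in this Dockerfile no longer say how FIPS mode is selected: `ENV AWS_LC_FIPS_VER` and every `goboringcrypto_*.syso` copy are gone, and the only added line is `FROM sdk-libc AS sdk-go-prep`. With Go's native module, FIPS mode is a per-build or per-process setting (`GOFIPS140` when building, `GODEBUG=fips140=on` when running) rather than something linked into the toolchain, so a binary built with this SDK can run outside FIPS mode without any build error unless something sets it; that is presumably handled in files not shown in this section. I would add a comment above the stage, for example `# FIPS: no AWS-LC syso is linked; FIPS mode comes from Go's native module (GOFIPS140 / GODEBUG=fips140), configured in <file that sets it>.` The `/usr/libexec/go-${v}-musl/` trees are also dropped in the last hunk, so any consumer that still references that path will fail; the same comment or the changelog should say so.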

configs/aws-lc/aarch64-bottlerocket-linux-gnu.toolchain.cmake

Lines changed: 0 additions & 13 deletions
This file was deleted.

configs/aws-lc/aarch64-bottlerocket-linux-musl.toolchain.cmake

Lines changed: 0 additions & 13 deletions
This file was deleted.

configs/aws-lc/x86_64-bottlerocket-linux-gnu.toolchain.cmake

Lines changed: 0 additions & 13 deletions
This file was deleted.

configs/aws-lc/x86_64-bottlerocket-linux-musl.toolchain.cmake

Lines changed: 0 additions & 13 deletions
This file was deleted.

hashes/aws-lc

Lines changed: 0 additions & 8 deletions
This file was deleted.

helpers/aws-lc/LICENSE

Lines changed: 0 additions & 28 deletions
This file was deleted.

helpers/aws-lc/build-aws-lc.sh

Lines changed: 0 additions & 65 deletions
This file was deleted.
