go: use runtime FIPS instead of compile-time boringcrypto

- Removes AWS-LC syso file integration from Go toolchains
- Updates gofips wrapper to use standard go (no GOEXPERIMENT)
- Removes Go binary checks from check-fips macro (Rust only now)
- Simplifies musl Go tree creation (no syso file shuffling)

FIPS compliance is now controlled at runtime via GODEBUG=fips140=only
environment variable rather than compile-time GOEXPERIMENT=boringcrypto.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>

Author: sky1122

Dockerfile

@@ -641,21 +641,7 @@ RUN ./build-aws-lc.sh --arch="${ARCH}" --target="${TARGET}" --go-dir="${HOME}/sd
 
 FROM sdk-go-1.25-prep AS sdk-go-1.25
 
-COPY --from=sdk-go-1.25-aws-lc-gnu-x86_64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso
-
-COPY --from=sdk-go-1.25-aws-lc-gnu-aarch64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso
-
-COPY --from=sdk-go-1.25-aws-lc-musl-x86_64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_amd64.syso
-
-COPY --from=sdk-go-1.25-aws-lc-musl-aarch64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_arm64.syso
+# FIPS/boringcrypto disabled - skipping aws-lc syso files
 
 COPY ./helpers/go/build-go.sh ./
 
@@ -666,21 +652,7 @@ RUN ./build-go.sh --go-version=${GO125VER}
 
 FROM sdk-go-1.24-prep AS sdk-go-1.24
 
-COPY --from=sdk-go-1.24-aws-lc-gnu-x86_64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso
-
-COPY --from=sdk-go-1.24-aws-lc-gnu-aarch64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso
-
-COPY --from=sdk-go-1.24-aws-lc-musl-x86_64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_amd64.syso
-
-COPY --from=sdk-go-1.24-aws-lc-musl-aarch64 \
-  /home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
-  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_arm64.syso
+# FIPS/boringcrypto disabled - skipping aws-lc syso files
 
 COPY ./helpers/go/build-go.sh ./
 
@@ -1174,16 +1146,12 @@ COPY --chown=0:0 --from=sdk-go-1.24 \
   /home/builder/sdk-go/licenses/ \
   /usr/share/licenses/go-1.24/
 
-# Create Go trees for the different glibc and musl builds of the AWS-LC syso.
+# Create Go trees for musl builds (no boringcrypto syso files).
 # Sync timestamps to avoid rebuilds of the Go standard library.
 RUN \
   for v in 1.24 1.25 ; do \
     find /usr/libexec/go-${v} -type f -exec touch -r /usr/libexec/go-${v}/bin/go {} \+ && \
-    rsync -aq --link-dest=/usr/libexec/go-${v}/ /usr/libexec/go-${v}{,-musl}/ && \
-    rm /usr/libexec/go-${v}/src/crypto/internal/boring/syso/goboringcrypto_linux_musl_{arm,amd}64.syso && \
-    rm /usr/libexec/go-${v}-musl/src/crypto/internal/boring/syso/goboringcrypto_linux_{arm,amd}64.syso && \
-    mv /usr/libexec/go-${v}-musl/src/crypto/internal/boring/syso/goboringcrypto_linux_{musl_,}amd64.syso && \
-    mv /usr/libexec/go-${v}-musl/src/crypto/internal/boring/syso/goboringcrypto_linux_{musl_,}arm64.syso ; \
+    rsync -aq --link-dest=/usr/libexec/go-${v}/ /usr/libexec/go-${v}{,-musl}/ ; \
   done
 
 # "sdk-rust-tools" has our attribution generation and license scan tools.

macros/check-fips

@@ -25,49 +25,6 @@ if [ ! -d "${BUILDROOT_BINDIR}" ] && [ ! -d "${BUILDROOT_LIBEXECDIR}" ] ; then
   exit 0
 fi
 
-is_go_bin() {
-  local bin
-  bin="${1:?}"
-  go version "${bin}" 2>&1 | grep -Fqw -v 'not a Go executable'
-}
-
-uses_go_crypto_tls() {
-  local bin output
-  bin="${1:?}"
-  output="$("${STRINGS}" "${bin}")"
-  grep -Fqw -m1 'crypto/tls' <<<"${output}"
-}
-
-uses_go_boring_crypto() {
-  local bin output
-  bin="${1:?}"
-  output="$("${STRINGS}" "${bin}")"
-  grep -Fq -m1 'goboringcrypto' <<<"${output}"
-}
-
-check_go_bin() {
-  local b f
-  b="${1:?}"
-  f="${2:?}"
-  if uses_go_crypto_tls "${b}" ; then
-    if [ -s "${f}" ] ; then
-      echo "${b} uses Go crypto/tls and FIPS build found in ${f}"
-      (( found+=1 ))
-      if uses_go_boring_crypto "${b}" ; then
-        echo "${b} is built with FIPS crypto rather than standard crypto" >&2
-        (( miscompiled+=1 ))
-      fi
-      if ! uses_go_boring_crypto "${f}"; then
-        echo "${f} is built with standard crypto rather than FIPS crypto" >&2
-        (( miscompiled+=1 ))
-      fi
-    else
-      echo "${b} uses Go crypto/tls but no FIPS build found in ${f}" >&2
-      (( not_found+=1 ))
-    fi
-  fi
-}
-
 is_rust_bin() {
   local bin output
   bin="${1:?}"
@@ -131,9 +88,7 @@ miscompiled=0
 for b in $(find "${BUILDROOT_BINDIR}" "${BUILDROOT_LIBEXECDIR}" -type f -executable) ; do
   f="${b/${BUILDROOT_BINDIR}/${BUILDROOT_FIPS_BINDIR}}"
   f="${f/${BUILDROOT_LIBEXECDIR}/${BUILDROOT_FIPS_LIBEXECDIR}}"
-  if is_go_bin "${b}"; then
-    check_go_bin "${b}" "${f}"
-  elif is_rust_bin "${b}"; then
+  if is_rust_bin "${b}"; then
     check_rust_bin "${b}" "${f}"
   fi
 done