Skip to content

go: use runtime FIPS instead of compile-time boringcrypto #315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sky1122 merged 9 commits into from
Jan 16, 2026
Merged

go: use runtime FIPS instead of compile-time boringcrypto #315

sky1122 merged 9 commits into from
Jan 16, 2026

Conversation

@sky1122
Copy link
Contributor

@sky1122 sky1122 commented Dec 22, 2025
edited
Loading

Issue number: #318

Description of changes:

This is the minimal change for switching boringcrypto to runtime GODEBUG=fips140=only. Will remove the gofips build in a separate PR and release.

FIPS compliance is now controlled at runtime via GODEBUG=fips140=only environment variable rather than compile-time GOEXPERIMENT=boringcrypto.

Testing done:
Testing with PR1, below showing the gofips point to regular go build.
original:

bash-5.1# grep -ao "GOEXPERIMENT=boringcrypto" /usr/fips/bin/aws-iam-authenticator
GOEXPERIMENT=boringcrypto
GOEXPERIMENT=boringcrypto
GOEXPERIMENT=boringcrypto
GOEXPERIMENT=boringcrypto
bash-5.1# exit
exit
[root@admin]# apiclient get os
{
  "os": {
    "arch": "x86_64",
    "build_id": "2f4223e5",
    "pretty_name": "Bottlerocket OS 1.45.0 (aws-k8s-1.33-fips)",
    "variant_id": "aws-k8s-1.33-fips",
    "version_id": "1.45.0"
  }
}

Build with this change:

bash-5.2# grep -ao "GOEXPERIMENT=boringcrypto" /usr/fips/bin/kubelet
bash-5.2# grep -ao "GOEXPERIMENT=boringcrypto" /usr/fips/bin/aws-iam-authenticator
bash-5.2# exit
exit
[root@admin]# apiclient get os
{
  "os": {
    "arch": "x86_64",
    "build_id": "55d04a85-dirty",
    "pretty_name": "Bottlerocket OS 1.53.0 (aws-k8s-1.33-fips)",
    "variant_id": "aws-k8s-1.33-fips",
    "version_id": "1.53.0"
  }
}

Testing with PR1, and showing the fips work with go runtime variale

  • Build bootstrap container that generates TLS certs on the node
  • Configure bootstrap container on Bottlerocket node
  • Deploy two registries with different cipher configurations
  • Test image pulls

detail in: https://gist.github.com/sky1122/2fe6925332e7d9443eb149d5f45df116
result show the pull from non-fips cypher registry fail

  • successful fips registry pull
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  9s    default-scheduler  Successfully assigned default/test-pull-fips to ip-192-168-74-83.us-west-2.compute.internal
  Normal  Pulling    9s    kubelet            Pulling image "localhost:5000/test:latest"
  Normal  Pulled     9s    kubelet            Successfully pulled image "localhost:5000/test:latest" in 71ms (71ms including waiting). Image size: 3861737 bytes.
  Normal  Created    9s    kubelet            Created container: test
  Normal  Started    9s    kubelet            Started container test
  • non-fips cypher registry pull
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  34s                default-scheduler  Successfully assigned default/test-pull-nonfips to ip-192-168-74-83.us-west-2.compute.internal
  Normal   Pulling    20s (x2 over 34s)  kubelet            Pulling image "localhost:5001/test:latest"
  Warning  Failed     20s (x2 over 34s)  kubelet            Failed to pull image "localhost:5001/test:latest": failed to pull and unpack image "localhost:5001/test:latest": failed to resolve image: failed to do request: Head "https://localhost:5001/v2/test/manifests/latest": remote error: tls: handshake failure
  Warning  Failed     20s (x2 over 34s)  kubelet            Error: ErrImagePull
  Normal   BackOff    7s (x2 over 33s)   kubelet            Back-off pulling image "localhost:5001/test:latest"
  Warning  Failed     7s (x2 over 33s)   kubelet            Error: ImagePullBackOff

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

bcressey
bcressey reviewed Jan 7, 2026
View reviewed changes
@sky1122 sky1122 requested a review from ginglis13 January 13, 2026 17:45
@sky1122 sky1122 force-pushed the fips branch 2 times, most recently from 6498996 to 53e2670 Compare January 13, 2026 18:31
ginglis13
ginglis13 reviewed Jan 14, 2026
View reviewed changes
bcressey
bcressey reviewed Jan 14, 2026
View reviewed changes
@sky1122
Copy link
Contributor Author

sky1122 commented Jan 15, 2026
edited
Loading

commit to father clean up the prepare stage and macro.

@sky1122 sky1122 marked this pull request as ready for review January 15, 2026 18:15
@sky1122 sky1122 requested review from bcressey and ginglis13 January 15, 2026 18:16
bcressey
bcressey approved these changes Jan 15, 2026
View reviewed changes
@sky1122
patches: delete aws-lc patches and renumbers
3685864 
Signed-off-by: Jingwei Wang <[email protected]>
@sky1122
configs: delete aws-lc CMake toolchain files
bd3184c 
Signed-off-by: Jingwei Wang <[email protected]>
@sky1122
helpers: delete aws-lc build scripts and prep-go cleanup
cc3d3d3 
Signed-off-by: Jingwei Wang <[email protected]>
@sky1122
hashes: delete aws-lc
cef665b 
Signed-off-by: Jingwei Wang <[email protected]>
@sky1122
patches: delete aws-lc Go compatibility patches
39d3fd0 
Signed-off-by: Jingwei Wang <[email protected]>
@sky1122
wrappers: remove musl Go tree selection
a1ada26 
Remove GOLIBC=musl handling from go and gofips wrappers since separate
musl Go trees are no longer needed without AWS-LC syso files.

Signed-off-by: Jingwei Wang <[email protected]>
@sky1122
Dockerfile: remove syso file integration from Go toolchains
d7ea7a8 
Remove AWS-LC syso file COPY statements and simplify musl Go tree
creation since syso files are no longer used.

Signed-off-by: Jingwei Wang <[email protected]>
@sky1122
Copy link
Contributor Author

sky1122 commented Jan 15, 2026

pushed to fix typo

@sky1122 sky1122 mentioned this pull request Jan 16, 2026
Merged
@sky1122 sky1122 merged commit 17cb3e1 into bottlerocket-os:develop Jan 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bcressey bcressey bcressey approved these changes

@ginglis13 ginglis13 ginglis13 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sky1122 @bcressey @ginglis13