@ghedo ghedo commented Sep 25, 2025

Per BoringSSL's FIPS policy, its `main` branch is the "update branch" for FedRAMP compliance purposes.

This means that we can stop using a specific BoringSSL branch when enabling FIPS, as well as a number of hacks that allowed us to build more recent BoringSSL versions with an older pre-compiled FIPS module.

In order to allow a smooth upgrade of internal projects, the `fips-compat` feature is reduced in scope and renamed to `legacy-compat-deprecated` so that we can incrementally upgrade internal BoringSSL forks. In practice this shouldn't really be something anyone else would need, since in order to work it requires a specific mix of BoringSSL version and backported patches.

@ghedo ghedo force-pushed the clean-fips branch 7 times, most recently from 0e113b9 to cf8e00d (September 25, 2025 15:10)
@cjpatton cjpatton self-requested a review September 25, 2025 15:13
@ghedo ghedo added the v5 label Sep 26, 2025
@ghedo ghedo force-pushed the clean-fips branch 2 times, most recently from 1bd90e1 to b2afcde (September 26, 2025 12:49)
@ghedo ghedo requested review from bwesterb, kornelski and nox September 26, 2025 12:54
Per BoringSSL's FIPS policy, its `main` branch is the "update branch"
for FedRAMP compliance purposes.

This means that we can stop using a specific BoringSSL branch when
enabling FIPS, as well as a number of hacks that allowed us to build
more recent BoringSSL versions with an older pre-compiled FIPS module.

This also required slightly updating the main BoringSSL submodule, as
the previous version had an issue when building with the FIPS option
enabled. This in turn required some changes to the PQ patch as well as
some APIs that don't seem to be exposed publicly, as well as changing
some paths in the other patches.

In order to allow a smooth upgrade of internal projects, the `fips-compat`
feature is reduced in scope and renamed to `legacy-compat-deprecated` so
that we can incrementally upgrade internal BoringSSL forks. In practice
this shouldn't really be something anyone else would need, since in
order to work it requires a specific mix of BoringSSL version and
backported patches.
@ghedo ghedo merged commit 4cb7e26 into master Sep 26, 2025
25 checks passed