Add aws-lc-fips@1.66.2.envoy module with FIPS validation

[Copilot]

Adds AWS-LC FIPS module for Envoy's bzlmod migration (envoyproxy/envoy#42890). AWS-LC provides FIPS-validated cryptography for ppc64le where BoringSSL FIPS is unavailable.

FIPS Validation

Implements explicit runtime validation matching boringssl-fips:

genrule(
    name = "_aws_lc_validated",
    srcs = [":libcrypto_unvalidated.a", ":libssl_unvalidated.a", ":bssl"],
    cmd = """
        IS_FIPS=$$($$BSSL isfips || true)
        if [[ "$$IS_FIPS" != "1" ]]; then
            exit 1  # Build fails if FIPS not enabled
        fi
    """,
)

Build flow: compile → validate via bssl isfips → expose validated libraries

Module Configuration

• Version: 1.66.2 (matches Envoy's current aws_lc dependency)
• Build: CMake via rules_foreign_cc with FIPS=1, static linking, -fPIC
• Dependencies: rules_foreign_cc@0.15.1, go-fips@1.24.12.envoy (required for FIPS build)
• Targets: @aws-lc-fips//:crypto, @aws-lc-fips//:ssl

Known Limitation

AWS-LC lacks newer BoringSSL APIs (e.g., SSL_CREDENTIAL). This is expected - BoringSSL FIPS builds also lack these APIs. Code using these APIs requires conditional compilation when targeting FIPS providers.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/aws/aws-lc/releases
  • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)
• https://api.github.com/repos/aws/aws-lc/releases/latest
  • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)
• https://api.github.com/repos/google/boringssl/commits
  • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)
• https://api.github.com/search/code
  • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Summary

Add aws-lc-fips module to the bazel-registry for use in Envoy's bzlmod migration (envoyproxy/envoy#42890).

Background

AWS-LC is a general-purpose cryptographic library maintained by AWS, based on BoringSSL. Envoy uses AWS-LC specifically for FIPS compliance on ppc64le, where BoringSSL FIPS is not available.

Current Envoy usage (from bazel/BUILD):

alias(
    name = "boringssl",
    actual = select({
        "//bazel:boringssl_fips_ppc": "@aws_lc//:ssl",
        "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:ssl",
        "//conditions:default": "@boringssl//:ssl",
    }),
)

Requirements

Create the following structure:

bazel-registry/modules/aws-lc-fips/
├── metadata.json
├── 1.66.2.envoy/
│   ├── MODULE.bazel
│   ├── source.json
│   ├── presubmit.yml
│   ├── patches/  (if needed)
│   └── overlay/
│       ├── BUILD.bazel
│       └── MODULE.bazel

Implementation Details

1. Version: 1.66.2.envoy (matching current Envoy's aws_lc version from bazel/repository_locations.bzl)

2. Source:

   • URL: https://github.com/aws/aws-lc/archive/v1.66.2.tar.gz
   • SHA256: d64a46b4f75fa5362da412f1e96ff5b77eed76b3a95685651f81a558c5c9e126

3. Build approach: Use rules_foreign_cc with CMake, similar to the existing boringssl-fips module in this registry. Key cmake flags:

   • FIPS=1
   • CMAKE_BUILD_TYPE=Release
   • BUILD_SHARED_LIBS=0
   • CMAKE_C_FLAGS=-fPIC
   • CMAKE_CXX_FLAGS=-fPIC
   • BUILD_TESTING=OFF

4. Dependencies (reference boringssl-fips module):

   • rules_foreign_cc
   • rules_cc
   • platforms
   • bazel_skylib
   • A Go toolchain (AWS-LC FIPS requires Go for the build)

5. Targets to expose:

   • :crypto - libcrypto.a
   • :ssl - libssl.a (depends on crypto)

Reference implementations

• boringssl-fips in this repo (bazel-registry/modules/boringssl-fips/0.20250107.0.envoy/) - for the cmake/foreign_cc pattern and overall structure
• Envoy's current build files:
  • bazel/external/aws_lc.BUILD - current overlay BUILD file
  • bazel/external/aws_lc.genrule_cmd - cmake build flags and process
  • bazel/repository_locations.bzl - version and source info

Testing

The presubmit.yml should verify build targets similar to boringssl-fips:

build_targets:
- '@aws-lc-fips//:crypto'
- '@aws-lc-fips//:ssl'

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[netlify]

✅ Deploy Preview for nifty-bassi-e26446 ready!

Name	Link
🔨 Latest commit	439e1b0
🔍 Latest deploy log	https://app.netlify.com/projects/nifty-bassi-e26446/deploys/697cdede1e74340008443c34
😎 Deploy Preview	https://deploy-preview-3667--nifty-bassi-e26446.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.