
Add aws-lc-fips@1.66.2.envoy module with FIPS validation#3667

Closed
Copilot wants to merge 2 commits into main from copilot/add-aws-lc-fips-module

Conversation


Copilot AI commented Jan 30, 2026

Adds AWS-LC FIPS module for Envoy's bzlmod migration (envoyproxy/envoy#42890). AWS-LC provides FIPS-validated cryptography for ppc64le where BoringSSL FIPS is unavailable.

FIPS Validation

Implements explicit runtime validation matching boringssl-fips:

genrule(
    name = "_aws_lc_validated",
    srcs = [":libcrypto_unvalidated.a", ":libssl_unvalidated.a", ":bssl"],
    cmd = """
        IS_FIPS=$$($$BSSL isfips || true)
        if [[ "$$IS_FIPS" != "1" ]]; then
            exit 1  # Build fails if FIPS not enabled
        fi
    """,
)

Build flow: compile → validate via bssl isfips → expose validated libraries

Module Configuration

  • Version: 1.66.2 (matches Envoy's current aws_lc dependency)
  • Build: CMake via rules_foreign_cc with FIPS=1, static linking, -fPIC
  • Dependencies: rules_foreign_cc@0.15.1, go-fips@1.24.12.envoy (required for FIPS build)
  • Targets: @aws-lc-fips//:crypto, @aws-lc-fips//:ssl

Known Limitation

AWS-LC lacks newer BoringSSL APIs (e.g., SSL_CREDENTIAL). This is expected - BoringSSL FIPS builds also lack these APIs. Code using these APIs requires conditional compilation when targeting FIPS providers.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/aws/aws-lc/releases
    • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)
  • https://api.github.com/repos/aws/aws-lc/releases/latest
    • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)
  • https://api.github.com/repos/google/boringssl/commits
    • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)
  • https://api.github.com/search/code
    • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Summary

Add aws-lc-fips module to the bazel-registry for use in Envoy's bzlmod migration (envoyproxy/envoy#42890).

Background

AWS-LC is a general-purpose cryptographic library maintained by AWS, based on BoringSSL. Envoy uses AWS-LC specifically for FIPS compliance on ppc64le, where BoringSSL FIPS is not available.

Current Envoy usage (from bazel/BUILD):

alias(
    name = "boringssl",
    actual = select({
        "//bazel:boringssl_fips_ppc": "@aws_lc//:ssl",
        "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:ssl",
        "//conditions:default": "@boringssl//:ssl",
    }),
)

Requirements

Create the following structure:

bazel-registry/modules/aws-lc-fips/
├── metadata.json
├── 1.66.2.envoy/
│   ├── MODULE.bazel
│   ├── source.json
│   ├── presubmit.yml
│   ├── patches/  (if needed)
│   └── overlay/
│       ├── BUILD.bazel
│       └── MODULE.bazel

Implementation Details

  1. Version: 1.66.2.envoy (matching current Envoy's aws_lc version from bazel/repository_locations.bzl)

  2. Source:

    • URL: https://github.com/aws/aws-lc/archive/v1.66.2.tar.gz
    • SHA256: d64a46b4f75fa5362da412f1e96ff5b77eed76b3a95685651f81a558c5c9e126
  3. Build approach: Use rules_foreign_cc with CMake, similar to the existing boringssl-fips module in this registry. Key cmake flags:

    • FIPS=1
    • CMAKE_BUILD_TYPE=Release
    • BUILD_SHARED_LIBS=0
    • CMAKE_C_FLAGS=-fPIC
    • CMAKE_CXX_FLAGS=-fPIC
    • BUILD_TESTING=OFF
  4. Dependencies (reference boringssl-fips module):

    • rules_foreign_cc
    • rules_cc
    • platforms
    • bazel_skylib
    • A Go toolchain (AWS-LC FIPS requires Go for the build)
  5. Targets to expose:

    • :crypto - libcrypto.a
    • :ssl - libssl.a (depends on crypto)

Reference implementations

  • boringssl-fips in this repo (bazel-registry/modules/boringssl-fips/0.20250107.0.envoy/) - for the cmake/foreign_cc pattern and overall structure
  • Envoy's current build files:
    • bazel/external/aws_lc.BUILD - current overlay BUILD file
    • bazel/external/aws_lc.genrule_cmd - cmake build flags and process
    • bazel/repository_locations.bzl - version and source info

Testing

The presubmit.yml should verify build targets similar to boringssl-fips:

build_targets:
- '@aws-lc-fips//:crypto'
- '@aws-lc-fips//:ssl'

This pull request was created from Copilot chat.
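As an added example (not the PR's own code and not part of the registry), the fail-closed check that the genrule above performs with `bssl isfips`, written as a stand-alone POSIX shell script so the failure modes can be exercised offline. The real genrule gets the bssl tool from its :bssl input; here the command is a parameter, and the two fake bssl stand-ins are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the PR's own code): a stand-alone version of the
# fail-closed check the genrule's cmd performs with `bssl isfips`.
# The genrule gets the bssl tool from its :bssl input; here the command
# is a parameter, so the logic can be exercised with constructed stand-ins.

# check_fips_output: given the raw stdout of `bssl isfips`, succeed (0) only
# when the library reports FIPS mode as exactly "1"; a "0", empty output,
# or anything else fails (1). Surrounding whitespace/newlines are ignored.
check_fips_output() {
    is_fips=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$is_fips" = "1" ]
}

# validate_fips_build: run `<bssl> isfips`, then apply the check. The `|| true`
# mirrors the genrule: a missing or crashing tool must not be confused with a
# successful answer; it just yields empty output, which fails the check.
validate_fips_build() {
    bssl="$1"
    out=$("$bssl" isfips 2>/dev/null || true)
    if check_fips_output "$out"; then
        echo "FIPS mode confirmed by '$bssl isfips'"
        return 0
    fi
    echo "FIPS validation failed: '$bssl isfips' printed '${out:-<nothing>}'" >&2
    return 1
}

# Constructed stand-ins for the bssl tool (shell functions, so nothing is
# written to disk): one from a FIPS=1 build, one from a non-FIPS build.
fake_bssl_fips()  { [ "$1" = isfips ] && echo 1; }
fake_bssl_plain() { [ "$1" = isfips ] && echo 0; }

# Demo: only the FIPS build passes; a non-FIPS build and a missing tool fail.
validate_fips_build fake_bssl_fips
validate_fips_build fake_bssl_plain        || echo "(build would fail here)"
validate_fips_build no_such_bssl_tool_here || echo "(build would fail here)"
```

The point of the `|| true` is that the check decides on the tool's output, not its exit status: a tool that is absent or crashes produces no "1" and therefore fails the validation step just like a library that answers "0".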


netlify bot commented Jan 30, 2026

Deploy Preview for nifty-bassi-e26446 ready!

  • Latest commit: 439e1b0
  • Latest deploy log: https://app.netlify.com/projects/nifty-bassi-e26446/deploys/697cdede1e74340008443c34
  • Deploy Preview: https://deploy-preview-3667--nifty-bassi-e26446.netlify.app

Copilot AI changed the title [WIP] Add aws-lc-fips module to bazel-registry Add aws-lc-fips 1.66.2.envoy module to bazel-registry Jan 30, 2026
Copilot AI requested a review from phlax January 30, 2026 16:12
Signed-off-by: Ryan Northey <ryan@synca.io>
@phlax phlax force-pushed the copilot/add-aws-lc-fips-module branch from 6573220 to 8b87b82 on January 30, 2026 16:35
Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
Copilot AI changed the title Add aws-lc-fips 1.66.2.envoy module to bazel-registry Add aws-lc-fips@1.66.2.envoy with explicit FIPS validation Jan 30, 2026
Copilot AI changed the title Add aws-lc-fips@1.66.2.envoy with explicit FIPS validation Add aws-lc-fips@1.66.2.envoy module with FIPS validation Jan 30, 2026
@phlax phlax closed this Jan 30, 2026