From 02be4bbc44da377015ab6b6edb4817424354af2b Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Mon, 30 Jan 2023 11:10:58 -0600
Subject: [PATCH 1/2] Simplify hack/Dockerfile_fips
---
 Dockerfile | 8 +++--
 hack/Dockerfile_fips | 50 ++++++++++-------------------
 site/content/docs/reference/fips.md | 9 +++---
 3 files changed, 27 insertions(+), 40 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6faa3f242..75b49918b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 FROM golang:1.19.5 as build-env
@@ -16,7 +16,11 @@ RUN \
 --mount=type=cache,target=/cache/gocache \
 --mount=type=cache,target=/cache/gomodcache \
 mkdir out && \
- export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
+ export GOCACHE=/cache/gocache && \
+ export GOMODCACHE=/cache/gomodcache && \
+ export CGO_ENABLED=0 && \
+ export GOOS=linux && \
+ export GOARCH=amd64 && \
 go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
 go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips
index acf63042f..702219780 100644
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
@@ -3,13 +3,13 @@
 # Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-# this dockerfile is used to produce a binary of Pinniped that uses
-# only fips-allowable ciphers. Note that this is provided only as
-# an example. Pinniped has no official support for fips and using
+# This dockerfile is used to produce a binary of Pinniped that uses
+# only FIPS-allowable ciphers. Note that this is provided only as
+# an example. Pinniped has no official support for FIPS and using
 # a version built from this dockerfile may have unforseen consquences.
 # Please do not create issues in regards to problems encountered by
 # using this dockerfile. Using this dockerfile does not convey
-# any type of fips certification.
+# any type of FIPS certification.
 # Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
 # hidden behind a `GOEXPERIMENT=boringcrypto` env var.
@@ -21,37 +21,21 @@ WORKDIR /work
 COPY . .
 ARG GOPROXY
-# Build the executable binary (CGO_ENABLED=1 is required for go boring).
-# Even though we need cgo to call the boring crypto C functions, these
-# functions are statically linked into the binary. We also want to statically
-# link any libc bits hence we pass "-linkmode=external -extldflags -static"
-# to the ldflags directive. We do not pass "-s" to ldflags because we do
-# not want to strip symbols - those are used to verify if we compiled correctly.
-# We do not pass in GOCACHE (build cache) and GOMODCACHE (module cache)
-# because there have been bugs in the Go compiler caching when using cgo
-# (it will sometimes use cached artifiacts when it should not). Since we
-# use gcc as the C compiler, the following warning is emitted:
-# /boring/boringssl/build/../crypto/bio/socket_helper.c:55: warning:
-# Using 'getaddrinfo' in statically linked applications requires at
-# runtime the shared libraries from the glibc version used for linking
-# This is referring to the code in
-# https://github.com/google/boringssl/blob/af34f6460f0bf99dc267818f02b2936f60a30de7/crypto/bio/socket_helper.c#L55
-# which calls the getaddrinfo function. This function, even when statically linked,
-# uses dlopen to dynamically fetch networking config. It is safe for us to ignore
-# this warning because the go boring cypto code does not create netowrking connections:
-# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/src/crypto/internal/boring/goboringcrypto.h
-# The osusergo and netgo tags are used to make sure that the Go implementations of these
-# standard library packages are used instead of the libc based versions.
-# We want to have no reliance on any C code other than the boring crypto bits.
-# Setting GOOS=linux GOARCH=amd64 is a hard requirment for boring crypto:
-# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/misc/boring/README.md?plain=1#L95
-# Thus trying to compile the pinniped CLI with boring crypto is meaningless
-# since we would not be able to ship windows and macOS binaries.
+# Build the executable binary (CGO_ENABLED=0 means static linking)
+# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
+# can be re-used between image builds.
 RUN \
+ --mount=type=cache,target=/cache/gocache \
+ --mount=type=cache,target=/cache/gomodcache \
 mkdir out && \
- export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \
- go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
- go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+ export GOCACHE=/cache/gocache && \
+ export GOMODCACHE=/cache/gomodcache && \
+ export CGO_ENABLED=0 && \
+ export GOOS=linux && \
+ export GOARCH=amd64 && \
+ export GOEXPERIMENT=boringcrypto && \
+ go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+ go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
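Review bot: The added `export CGO_ENABLED=0 && \` contradicts the `export GOEXPERIMENT=boringcrypto && \` three lines below it: as far as I can tell the Go toolchain only compiles the BoringSSL-backed `crypto/internal/boring` when cgo is enabled, so with cgo off the binaries silently fall back to Go's native crypto and the experiment changes nothing about which code performs key operations and TLS, which is the opposite of what the new comment `# Build the executable binary (CGO_ENABLED=0 means static linking)` and the file header promise. The removed comment lines recorded both this requirement ("CGO_ENABLED=1 is required for go boring") and why `-s` was not passed (the symbols are what verification of a boring-backed build relies on), and the new `go build` lines add `-s`, so the regression is also no longer detectable from the produced binary. The same contradiction carries into the patch-2 hunk of this file, and the cgo side-effect import described in the patch-2 cmd/pinniped-concierge-kube-cert-agent/main.go hunk would be excluded from a CGO_ENABLED=0 build, taking its fipsonly enforcement with it. I would restore `export CGO_ENABLED=1 && \`, keep `-linkmode=external -extldflags -static` with the osusergo/netgo tags if a libc-free image is still wanted, drop `-s`, and add a step that fails the image build when the boring symbols are absent, as sketched below; the cache-mount comment should then be revisited too, since the removed lines attribute stale-artifact bugs specifically to cgo builds.
```dockerfile
RUN \
    mkdir out && \
    export GOOS=linux && \
    export GOARCH=amd64 && \
    export GOEXPERIMENT=boringcrypto && \
    export CGO_ENABLED=1 && \
    go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
    go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
# … unchanged: the three ln -s lines …

# Fail the image build unless the BoringSSL-backed crypto actually ended up in the server binary
# (the symbol table must therefore not be stripped with -s above).
RUN go tool nm /usr/local/bin/pinniped-server | grep -q _goboringcrypto_
```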
diff --git a/site/content/docs/reference/fips.md b/site/content/docs/reference/fips.md
index 2e012c812..b9eab7e89 100644
--- a/site/content/docs/reference/fips.md
+++ b/site/content/docs/reference/fips.md
@@ -9,14 +9,13 @@ menu:
 weight: 30
 parent: reference
 ---
-By default, the Pinniped supervisor and concierge use ciphers that
-are not supported by FIPS 140-2. If you are deploying Pinniped in an
-environment with FIPS compliance requirements, you will have to build
-the binaries yourself using the `fips_strict` build tag and Golang's
-`go-boringcrypto` fork.
+By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2.
+If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build
+the binaries yourself using the `fips_strict` build tag and Golang's `go-boringcrypto` fork.
 The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
 demonstrating how you can build Pinniped images in a FIPS compatible way.
+
 However, we do not provide official support for FIPS configuration,
 and we may not respond to GitHub issues opened related to FIPS support.
 We provide this for informational purposes only.
From 3d176d6a3ec800c0c65ba55394db9af2c23ae226 Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Thu, 2 Feb 2023 19:32:21 -0600
Subject: [PATCH 2/2] Use tag boringcrypto instead of fips_strict
---
 cmd/pinniped-concierge-kube-cert-agent/main.go | 6 +++---
 cmd/pinniped-server/main.go | 2 +-
 cmd/pinniped/main.go | 4 ++--
 hack/Dockerfile_fips | 4 ++--
 internal/crypto/fips/doc.go | 4 ++--
 internal/crypto/fips/fips_strict.go | 4 ++--
 internal/crypto/ptls/default.go | 6 +++---
 internal/crypto/ptls/fips_strict.go | 4 ++--
 internal/crypto/ptls/secure.go | 6 +++---
 site/content/docs/reference/fips.md | 2 +-
 test/integration/securetls_fips_test.go | 6 +++---
 test/testlib/securetls_preference_fips.go | 6 +++---
 test/testlib/securetls_preference_nonfips.go | 6 +++---
 13 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/cmd/pinniped-concierge-kube-cert-agent/main.go b/cmd/pinniped-concierge-kube-cert-agent/main.go
index af96c5f82..8213e6bfb 100644
--- a/cmd/pinniped-concierge-kube-cert-agent/main.go
+++ b/cmd/pinniped-concierge-kube-cert-agent/main.go
@@ -13,7 +13,7 @@ import (
 "os"
 "time"
- // This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
+ // This side effect import ensures that we use fipsonly crypto during TLS in boringcrypto mode.
 //
 // Commenting this out because it causes the runtime memory consumption of this binary to increase
 // from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
@@ -25,8 +25,8 @@ import (
 //nolint:godot // This is not sentence, it is a commented out line of import code.
 // _ "go.pinniped.dev/internal/crypto/ptls"
- // This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
- // Without this line, the binary will exit 133 upon startup in fips_strict mode.
+ // This side effect imports cgo so that runtime/cgo gets linked, when in boringcrypto mode.
+ // Without this line, the binary will exit 133 upon startup in boringcrypto mode.
 // It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
 // even though it shouldn't be used currently by this binary.
 _ "go.pinniped.dev/internal/crypto/fips"
diff --git a/cmd/pinniped-server/main.go b/cmd/pinniped-server/main.go
index df2917fbc..2cb3e30aa 100644
--- a/cmd/pinniped-server/main.go
+++ b/cmd/pinniped-server/main.go
@@ -15,7 +15,7 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 concierge "go.pinniped.dev/internal/concierge/server"
- // this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+ // this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
 _ "go.pinniped.dev/internal/crypto/ptls"
 lua "go.pinniped.dev/internal/localuserauthenticator"
 "go.pinniped.dev/internal/plog"
diff --git a/cmd/pinniped/main.go b/cmd/pinniped/main.go
index b4825b1ea..dd57d7eaf 100644
--- a/cmd/pinniped/main.go
+++ b/cmd/pinniped/main.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package main
@@ -9,7 +9,7 @@ import (
 "github.com/pkg/browser"
 "go.pinniped.dev/cmd/pinniped/cmd"
- // this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+ // this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
 _ "go.pinniped.dev/internal/crypto/ptls"
 )
diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips
index 702219780..a1921de68 100644
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
@@ -34,8 +34,8 @@ RUN \
 export GOOS=linux && \
 export GOARCH=amd64 && \
 export GOEXPERIMENT=boringcrypto && \
- go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
- go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
diff --git a/internal/crypto/fips/doc.go b/internal/crypto/fips/doc.go
index e265bb858..82c328656 100644
--- a/internal/crypto/fips/doc.go
+++ b/internal/crypto/fips/doc.go
@@ -1,6 +1,6 @@
 // Copyright 2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
-// It will also cause cgo to be explicitly imported when compiling with fips_strict.
+// Package fips can be imported to enable fipsonly tls mode when compiling with boringcrypto.
+// It will also cause cgo to be explicitly imported when compiling with boringcrypto.
 package fips
diff --git a/internal/crypto/fips/fips_strict.go b/internal/crypto/fips/fips_strict.go
index b0679c302..c0aa95b8b 100644
--- a/internal/crypto/fips/fips_strict.go
+++ b/internal/crypto/fips/fips_strict.go
@@ -1,8 +1,8 @@
 // Copyright 2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build fips_strict
-// +build fips_strict
+//go:build boringcrypto
+// +build boringcrypto
 package fips
diff --git a/internal/crypto/ptls/default.go b/internal/crypto/ptls/default.go
index d929a4eba..99fecfdec 100644
--- a/internal/crypto/ptls/default.go
+++ b/internal/crypto/ptls/default.go
@@ -1,8 +1,8 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build !fips_strict
-// +build !fips_strict
+//go:build !boringcrypto
+// +build !boringcrypto
 package ptls
diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go
index 2db12fcf8..2b2ba2d55 100644
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@@ -4,8 +4,8 @@
 // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
 // configs when Pinniped is built in fips-only mode.
 // All of these are the same because FIPs is already so limited.
-//go:build fips_strict
-// +build fips_strict
+//go:build boringcrypto
+// +build boringcrypto
 package ptls
diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go
index ddea08166..4dbe4eebc 100644
--- a/internal/crypto/ptls/secure.go
+++ b/internal/crypto/ptls/secure.go
@@ -1,8 +1,8 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build !fips_strict
-// +build !fips_strict
+//go:build !boringcrypto
+// +build !boringcrypto
 package ptls
diff --git a/site/content/docs/reference/fips.md b/site/content/docs/reference/fips.md
index b9eab7e89..3621e354e 100644
--- a/site/content/docs/reference/fips.md
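Review bot: In the internal/crypto/ptls/fips_strict.go hunk, the comment two context lines above the new `//go:build boringcrypto` constraint still describes the condition as "when Pinniped is built in fips-only mode", but after this rename the selector is a tag the Go toolchain derives from `GOEXPERIMENT=boringcrypto`, and nothing visible in the hunk tells a reader that the experiment flag alone is now what switches the server onto the FIPS-only TLS configs (it appears to do so whether or not the BoringSSL backend, which needs cgo, actually ended up in the binary). Since this file header is where a maintainer would look for that, I would make it explicit: `// configs when Pinniped is built with GOEXPERIMENT=boringcrypto, which makes the Go toolchain set the boringcrypto build tag.` The mirrored `!boringcrypto` constraints in default.go and secure.go and the fips package's doc.go in this commit would benefit from the same sentence, and the `FIPs` spelling on the following context line could be tidied at the same time.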
+++ b/site/content/docs/reference/fips.md
@@ -11,7 +11,7 @@ menu:
 ---
 By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2.
 If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build
-the binaries yourself using the `fips_strict` build tag and Golang's `go-boringcrypto` fork.
+the binaries yourself using `GOEXPERIMENT=boringcrypto`.
 The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
 demonstrating how you can build Pinniped images in a FIPS compatible way.
diff --git a/test/integration/securetls_fips_test.go b/test/integration/securetls_fips_test.go
index 19cfea789..3b0b41625 100644
--- a/test/integration/securetls_fips_test.go
+++ b/test/integration/securetls_fips_test.go
@@ -1,8 +1,8 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build fips_strict
-// +build fips_strict
+//go:build boringcrypto
+// +build boringcrypto
 package integration
diff --git a/test/testlib/securetls_preference_fips.go b/test/testlib/securetls_preference_fips.go
index e61fc2051..2920ec4c7 100644
--- a/test/testlib/securetls_preference_fips.go
+++ b/test/testlib/securetls_preference_fips.go
@@ -1,8 +1,8 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build fips_strict
-// +build fips_strict
+//go:build boringcrypto
+// +build boringcrypto
 package testlib
diff --git a/test/testlib/securetls_preference_nonfips.go b/test/testlib/securetls_preference_nonfips.go
index 002d329d7..beb5659c4 100644
--- a/test/testlib/securetls_preference_nonfips.go
+++ b/test/testlib/securetls_preference_nonfips.go
@@ -1,8 +1,8 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build !fips_strict
-// +build !fips_strict
+//go:build !boringcrypto
+// +build !boringcrypto
 package testlib